All,
I’ve been trying to get a response from Apple about some
issues I have where the audit subsystem doesn’t collect failed file
access attempts when the session logs in through SSH. Also,
certain SSH events themselves aren’t collected/reported properly,
and I suspect possibly the older OpenSSL and possibly an older non
audit-integrated ssh may be responsible, but I’ve had trouble getting a
response about this from the audit developers …
An earlier problem seemed to be in the way praudit was
converting the binary data (I could get info out of the binary data with “strings”,
but praudit neglected to extract the data properly), and now with the latest
version of Mac OSX and common criteria, I can’t even get the info I’m
expecting to see anymore with a “strings” command, so I think it’s
broken worse now than in previous release.
These problems are keeping us from using the latest version (and
some older ones) of Mac OSX in our closed areas because the auditing is so
broken, and I HAVE to be able to audit the system per NISPOM regulations.
I have been trying to get these and some older issues with auditing fixed now
since we were involved in the first non-disclosure evaluations of common
criteria back around 2004. I get the impression the audit developers
would like to fix some of the things I’ve reported, but aren’t
getting support from Apple. Doesn’t Apple realize that these kinds
of problems are taking away potential sales in the government contracting
community?
Any of you facing similar issues? If so,
PLEASE make your voices heard.
Karen Wieprecht
From: fed-talk-bounces+karen.wieprecht=email@hidden [mailto:fed-talk-bounces+karen.wieprecht=email@hidden] On Behalf Of Nichols, Jared
Sent: Friday, May 08, 2009 9:07 AM
To: Trent Townsend; David Emery
Cc: email@hidden
Subject: Re: [Fed-Talk] re: OpenSSL on OS X old?
I don’t know any specifics, but for
any of our OS X-based servers to go production, modification to the SSL rules
needs to have weak ciphers disabled. I don’t know why Apple would
ever ship it default with that on...
j
On 5/8/09 09:03 , "Trent Townsend" <email@hidden> wrote:
To revisit an old topic, we are again
getting questioned about the
OpenSSL on OS X? It hasn't been updated since 2006 and probably
includes a number of IAVA related issues that are not fixed. Is
anyone else having this problem? Is Apple even aware?
Respectfully,
------------
Trent Townsend, CISSP
DoD Supercomputing Resource Center
US Army Engineer R&D Center
Email: email@hidden
Office: 601.634.4051
Cell: 601.631.1879
Fax: 601.634.3266
http://www.erdc.hpc.mil
On Jun 20, 2008, at 11:09 AM, David Emery wrote:
> One of the problems we discovered is that OpenSSL is often -built
> in- to
> other applications. So you could go and replace the OpenSSL library
> itself, but there's no guarantee that all COTS products (including web
> browsers) will use the default system SSL (dynamic) library.
>
> dave
>
> --
> David Emery, DSCI, supporting PdM FCS (BCT) SW Integration
> 703 298 3473 (office/cell), 703 272 7496 (fax)
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
>
---
Jared F. Nichols
Desktop Engineer, Infrastructure and Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436