On Dec 8, 2010, at 8:33 AM, Dan O'Donnell wrote:
In case you are interested in reading (and commenting) on DISA’s consideration of 10.5, here is their announcement of a draft STIG (Security Technical Implementation Guideline):
I was just browsing through this document (with my personal biases turned on high:). I like that they produced this document for the Mac, and it gives me a good idea of where their thinking is. Is it traditional for some contractor to come out with an application to apply these changes automatically?
Initial observations:
First, 10.5? Really? 10.6 has been out for more than a year.
Second, I don't think they test these things. For example, they provide the audit settings
flags:lo,ad,-all,-fr,fd,fm,^-fa,^- fc,^-cl
But the auditing (last I checked) was completely broken on 10.5. These settings pretty much do nothing, and at worse, provide a false sense of security. If you want auditing, move to 10.6.
Third, in a computer security document why did they need to redefine the acronym MAC to mean something other than Mandatory Access Controls? (they call it "Mission Assurance Category") I think this is going to lead to confusion down the road.
Fourth, there is a lot of stuff on changing permissions for directories and files. I wonder if these get "re-fixed" by Apple every time software updates are applied?
Any idea when one for 10.6 is coming out?
Todd
|