Are the Configuration Profiles in 10.7 supposed to help with this? I
don't know if these are "SCAP" compliant profiles. I know a person in
the NIST group that is participating in this SCAP project. I will try
to find some news on that front.
-- Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden 301-975-2885
On Oct 4, 2011, at 7:02 PM, Link, Peter R. wrote:
William, Installation is one thing, making sure the configuration
stays that way is another. That's what the STIG is supposed to be
used for and what SCAP, as a protocol, is supposed to be able to
maintain.
I agree, working on a 10.7 anything is worth anyone's effort although
I would love to see any NIST-approved content before next year.
On Oct 4, 2011, at 3:57 PM, William Cerniuk wrote:
Pls don't take as critical.
All new machines are shipping with Lion 10.7 now by default. 10.7.2
will be released soon (today?) and we still have a draft STIG for
10.6...
Would it make more sense to mod this STIG for 10.7 and move forward
to completion, then consider working backwards to the legacy version?
What are the odds that 10.6 will be fully deprecated by the time the
STIG is ready?
Last note, I would second the suggestion to automate the STIG using
the native installer and installer packages. A package install
framework could be easily built (technically) to accommodate
cascading installs and config setting injection. If designed
properly, it could be simply tweaked as new OS revs come out. No
software cost/procurement in the implementation, only time.
Subsequent mods very fast to support OS revs.
My 2 cents adjusted to 25 for inflation.
Best Regards, Wm. Cerniuk
On Oct 4, 2011, at 18:31, "Link, Peter
R."<email@hidden<mailto:email@hidden>> wrote:
The whole Apple/NIST/Army/? SCAP project is supposed to be dealing
with this. They are supposed to be working on the configuration
settings, creating the various SCAP content stuff, then giving us
some status. From what I've seen, the DoD STIG only contains the
XCCDF content, which isn't enough for full automated SCAP usage. I
know there are people on this list that have knowledge of this
project who could update us on it, however, they seem to be keeping
pretty quiet lately.
I personally don't know the status of this project.
On Oct 4, 2011, at 3:11 PM, Dan Beatty wrote:
Greetings Allan and gang, Does anybody know what the channels (proper
or otherwise) are to get on the contributing side of this NIST STIG?
Obviously, there are a lot of errors. They could be attributed to
Linux v/s Mac OSX differences. They could be attributed to a
particular distribution of Linux. Whatever the case, it helps for us
to get it right.
It would be even better for us to come up with a project to make an
automated Cocoa STIG configuration tool that will help us manage
these things. Naturally, having an install package would be good,
too. We can build that. What we need are the contacts at NIST to
help make this happen.
Is there anyone that can help?
Thank you,
-- Daniel Beatty
Information Assurance Officer (IAO), Energetics Research Division
Code 474300D
1 Administration Circle M/S 1109
China Lake, CA 93555
email@hidden
(LandLine) (760)939-7097 (iPhone) (806)438-6620
On 9/16/11 3:02 PM, "Marcus, Allan
B"<email@hidden<mailto:email@hidden>> wrote:
Wow, lots of technical errors. Much of it is good, but lots was
copied over from a Linux STIG with no Mac knowledge. I just submitted
technical comments. I got up to V-25204 and conked out.
-Allan
From: "O'Donnell, Dan" <email@hidden>
Date: Fri, 2 Sep 2011 17:43:49 -0600
To: "email@hidden" <email@hidden>
New draft DISA Secure Technical Implementation Guideline for OSX
10.6, version 1.0, UNCLAS has been released on DISA's public internet
site. <http://iase.disa.mil/stigs/os/mac/mac.html> (Note that this
set of documents was prepared before the recent DigiNotar
vulnerability.)
1. DISA FSO has developed the draft MAC OSX 10.6 STIG. The STIG is
available on the NIPRNet at
<http://iase.disa.mil/stigs/os/mac/mac.html> for your review and
comments.
2. The STIG requirements were derived from the MAC OSX 10.6 Snow
Leopard Security Guide published by Apple Corporation and in
collaboration with DoD consensus team. DISA FSO is disseminating the
draft STIG to provide an opportunity for your review and
feedback/comments prior to the STIG release. Please note, any
requests for changes to a baseline requirement must be
coordinated/approved by the DoD consensus group before we can
implement the change in the STIG.
3. Please provide comments, recommended changes, and/or additions to
the draft STIG by 19 September 2011 on the Comment Matrix
spreadsheet. The spreadsheet is available at:
http://iase.disa.mil/stigs/os/mac/mac.html. Comments should be sent
via NIPRNet email to: email@hidden.
Include the title and version of the STIG in the subject line of your
email.
_______________________________________________ Do not post admin
requests to the list. They will be ignored. Fed-talk mailing list
(email@hidden<mailto:email@hidden>)
Help/Unsubscribe/Update your Subscription:
This email sent to
email@hidden<mailto:email@hidden>
Peter Link Cyber Security Analyst Cyber Security Program Lawrence
Livermore National Laboratory PO Box 808, L-315 Livermore, CA 94550
email@hidden<mailto:email@hidden>