Re: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
- Subject: Re: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
- From: "Marcus, Allan B" <email@hidden>
- Date: Sat, 15 Oct 2011 00:04:18 +0000
- Thread-topic: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
I believe what you are looking for already exists, but has been stalled
for a while on the Mac. It's called the Center for Internet Security.
--
Thanks,
Allan Marcus
505-667-5666
email@hidden
On 10/5/11 10:40 AM, "Jeffrey Blank" <email@hidden> wrote:
>I agree with your observations.
>
>A few clarifications/notes:
>
>A STIG is a production of DISA FSO, for the DoD. It is not a creation
>of NIST. Publication of a STIG can be a step toward NIST's USGCB
>process, but does not imply it. NIST SP 800-70, Appendix E, describes
>the process for USGCB.
>
>I will leave as an exercise to the reader whether they believe this will
>be happening, as far as arriving at "NIST-approved content" for this
>draft STIG for Mac OS X 10.6.
>
>Multiple parties were involved in meetings regarding this STIG
>development effort, but this document is a draft and does not represent
>a consensus (and some of the issues noted below have been communicated
>to DISA weeks ago). The message below also includes contact
>information, where you can send feedback on this STIG document if you
>wish. (Obviously, submission of issues via email provides little
>awareness to other contributors.)
>
>I believe future consensus guidance efforts will be best achieved by
>collaboration in an open forum, particularly since there are several
>elements that must be properly synchronized for any USGCB submission to
>NIST, per 800-70. I also believe that better quality can be achieved
>through such openness. I am investigating the most appropriate
>mechanism to accomplish this within the cultural and technical
>constraints.
>
>Jeff
>
>
>
>
>___________________________
>Jeffrey Blank
>410-854-8675
>Global Mitigations
>NSA Information Assurance
>
>
>
>
>
>On 10/05/2011 09:01 AM, Rowe, Walter wrote:
>> Are the Configuration Profiles in 10.7 supposed to help with this? I
>> don't know if these are "SCAP" compliant profiles. I know a person in
>> the NIST group that is participating in this SCAP project. I will try
>> to find some news on that front. -- Walter Rowe, System Hosting
>> Enterprise Systems / OISM
>> email@hidden<mailto:email@hidden> 301-975-2885
>>
>> On Oct 4, 2011, at 7:02 PM, Link, Peter R. wrote:
>>
>> William, Installation is one thing, making sure the configuration
>> stays that way is another. That's what the STIG is supposed to be
>> used for and what SCAP, as a protocol, is supposed to be able to
>> maintain.
>>
>> I agree, working on a 10.7 anything is worth anyone's effort although
>> I would love to see any NIST-approved content before next year.
>>
>>
>> On Oct 4, 2011, at 3:57 PM, William Cerniuk wrote:
>>
>> Pls don't take as critical.
>>
>> All new machines are shipping with Lion 10.7 now by default. 10.7.2
>> will be released soon (today?) and we still have a draft STIG for
>> 10.6...
>>
>> Would it make more sense to mod this STIG for 10.7 and move forward
>> to completion, then consider working backwards to the legacy version?
>> What are the odds that 10.6 will be fully deprecated by the time the
>> STIG is ready?
>>
>> Last note, I would second the suggestion to automate the STIG using
>> the native installer and installer packages. A package install
>> framework could be easily built (technically) to accommodate
>> cascading installs and config setting injection. If designed
>> properly, it could be simply tweaked as new OS revs come out. No
>> software cost/procurement in the implementation, only time.
>> Subsequent mods very fast to support OS revs.
>>
>> My 2 cents adjusted to 25 for inflation.
>>
>> Best Regards, Wm. Cerniuk
>>
>>
>>
>>
>>
>> On Oct 4, 2011, at 18:31, "Link, Peter
>> R."<email@hidden<mailto:email@hidden>> wrote:
>>
>> The whole Apple/NIST/Army/? SCAP project is supposed to be dealing
>> with this. They are supposed to be working on the configuration
>> settings, creating the various SCAP content stuff, then giving us
>> some status. From what I've seen, the DoD STIG only contains the
>> XCCDF content, which isn't enough for full automated SCAP usage. I
>> know there are people on this list that have knowledge of this
>> project who could update us on it, however, they seem to be keeping
>> pretty quiet lately.
>>
>> I personally don't know the status of this project.
>>
>>
>> On Oct 4, 2011, at 3:11 PM, Dan Beatty wrote:
>>
>> Greetings Allan and gang, Does anybody know what the channels (proper
>> or otherwise) are to get on the contributing side of this NIST STIG?
>> Obviously, there are a lot of errors. They could be attributed to
>> Linux v/s Mac OSX differences. They could be attributed to a
>> particular distribution of Linux. Whatever the case, it helps for us
>> to get it right.
>>
>> It would be even better for us to come up with a project to make an
>> automated Cocoa STIG configuration tool that will help us manage
>> these things. Naturally, having an install package would be good,
>> too. We can build that. What we need are the contacts at NIST to
>> help make this happen.
>>
>> Is there anyone that can help?
>>
>> Thank you,
>>
>> -- Daniel Beatty Information Assurance Officer (IAO), Energetics
>> Research Division Code 474300D 1 Administration Circle M/S 1109 China
>> Lake, CA 93555 email@hidden<mailto:email@hidden>
>> (LandLine) (760)939-7097 (iPhone) (806)438-6620
>>
>>
>>
>> On 9/16/11 3:02 PM, "Marcus, Allan
>> B"<email@hidden<mailto:email@hidden>> wrote:
>>
>> Wow, lots of technical errors. Much of it is good, but lots was
>> copied over from a Linux STIG with no Mac knowledge. I just submitted
>> technical comments. I got up to V-25204 and conked out.
>>
>> -Allan
>>
>> From: "O'Donnell, Dan"<email@hidden<mailto:email@hidden>>
>> Date: Fri, 2 Sep 2011 17:43:49 -0600 To:
>>
>>"email@hidden<mailto:email@hidden>"<fed-talk@lists.apple.com<mailto:email@hidden>>
>>
>>
>>Subject: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
>>
>>
>> New draft DISA Secure Technical Implementation Guideline for OSX
>> 10.6, version 1.0, UNCLAS has been released on DISA's public internet
>> site. <http://iase.disa.mil/stigs/os/mac/mac.html> (Note that this
>> set of documents was prepared before the recent DigiNotar
>> vulnerability.)
>>
>> 1. DISA FSO has developed the draft MAC OSX 10.6 STIG. The STIG is
>> available on the NIPRNet at
>> http://iase.disa.millstigs/os/mac/mac.html
>> <http://iase.disa.millstigs/os/mac/mac.html> for your review and
>> comments.
>>
>> 2. The STIG requirements were derived from the MAC OSX 10.6 Snow
>> Leopard Security Guide published by Apple Corporation and in
>> collaboration with DoD consensus team. DISA FSO is disseminating the
>> draft STIG to provide an opportunity for your review and
>> feedback/comments prior to the STIG release. Please note, any
>> requests for changes to a baseline requirement must be
>> coordinated/approved by the DoD consensus group before we can
>> implement the change in the STIG.
>>
>> 3. Please provide comments, recommended changes, and/or additions to
>> the draft STIG by 19 September 2011 on the Comment Matrix
>> spreadsheet. The spreadsheet is available at:
>> http://iase.disa.millstigs/os/mac/mac.html. Comments should be sent
>> via NIPRNet email to: email@hidden<mailto:email@hidden>.
>> Include the title and version of the STIG in the subject line of your
>> email.
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________ Do not post admin
>> requests to the list. They will be ignored. Fed-talk mailing list
>> (email@hidden<mailto:email@hidden>)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to
>> email@hidden<mailto:email@hidden>
>>
>>
>> Peter Link Cyber Security Analyst Cyber Security Program Lawrence
>> Livermore National Laboratory PO Box 808, L-315 Livermore, CA 94550
>> email@hidden<mailto:email@hidden>
>>
>>
>>
>>
>