Re: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
- Subject: Re: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
- From: "Marcus, Allan B" <email@hidden>
- Date: Sat, 15 Oct 2011 00:07:00 +0000
- Thread-topic: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
To reduce redundancy, here's what I reported to email@hidden.
I have received no response, not even a confirmation that they received my
input.
--
Thanks,
Allan Marcus
505-667-5666
email@hidden
On 10/5/11 10:53 AM, "Dan Beatty" <email@hidden> wrote:
>Greetings Jeff,
>I tend to agree with you, and appreciate the feedback of all.
>
>You mention forums such as a USGCB. Is there a way that a humble computer
>scientist such as myself can obtain participation with this group?
>Similarly, does DISA and its IASE have such a channel?
>
>The ideas in the OSX 10.6 STIG have merit. It is simply a matter of
>refinement. That simplicity seems really hard to accomplish.
>
>I am currently compiling a list of portions of the STIG that are
>incorrect. This list is expected to contain a set of proposed corrections
>to achieve the desired result, at least from what I can determine. If one
>of those forums such as USGCB, DISA, IASE, etc. would be willing to
>entertain such an effort, I think that would be highly productive.
>
>Thank you,
>
>--
>Daniel Beatty
>Information Assurance Officer (IAO), Energetics Research Division
>Code 474300D
>1 Administration Circle M/S 1109
>China Lake, CA 93555
>email@hidden
>(LandLine) (760)939-7097
>(iPhone) (806)438-6620
>
>
>
>On 10/5/11 9:40 AM, "Jeffrey Blank" <email@hidden> wrote:
>
>> I agree with your observations.
>>
>> A few clarifications/notes:
>>
>> A STIG is a production of DISA FSO, for the DoD. It is not a creation
>> of NIST. Publication of a STIG can be a step toward NIST's USGCB
>> process, but does not imply it. NIST SP 800-70, Appendix E, describes
>> the process for USGCB.
>>
>> I will leave it as an exercise to the reader whether they believe this
>> will be happening, as far as arriving at "NIST-approved content" for this
>> draft STIG for Mac OS X 10.6.
>>
>> Multiple parties were involved in meetings regarding this STIG
>> development effort, but this document is a draft and does not represent
>> a consensus (and some of the issues noted below have been communicated
>> to DISA weeks ago). The message below also includes contact
>> information, where you can send feedback on this STIG document if you
>> wish. (Obviously, submission of issues via email provides little
>> awareness to other contributors.)
>>
>> I believe future consensus guidance efforts will be best achieved by
>> collaboration in an open forum, particularly since there are several
>> elements that must be properly synchronized for any USGCB submission to
>> NIST, per 800-70. I also believe that better quality can be achieved
>> through such openness. I am investigating the most appropriate
>> mechanism to accomplish this within the cultural and technical
>> constraints.
>>
>> Jeff
>>
>>
>>
>>
>> ___________________________
>> Jeffrey Blank
>> 410-854-8675
>> Global Mitigations
>> NSA Information Assurance
>>
>>
>>
>>
>>
>> On 10/05/2011 09:01 AM, Rowe, Walter wrote:
>>> Are the Configuration Profiles in 10.7 supposed to help with this? I
>>> don't know if these are "SCAP" compliant profiles. I know a person in
>>> the NIST group that is participating in this SCAP project. I will try
>>> to find some news on that front.
>>>
>>> -- Walter Rowe, System Hosting
>>> Enterprise Systems / OISM
>>> email@hidden 301-975-2885
>>>
>>> On Oct 4, 2011, at 7:02 PM, Link, Peter R. wrote:
>>>
>>> William, installation is one thing; making sure the configuration
>>> stays that way is another. That's what the STIG is supposed to be
>>> used for and what SCAP, as a protocol, is supposed to be able to
>>> maintain.
>>>
>>> I agree, working on a 10.7 anything is worth anyone's effort although
>>> I would love to see any NIST-approved content before next year.
>>>
>>>
>>> On Oct 4, 2011, at 3:57 PM, William Cerniuk wrote:
>>>
>>> Pls don't take as critical.
>>>
>>> All new machines are shipping with Lion 10.7 now by default. 10.7.2
>>> will be released soon (today?) and we still have a draft STIG for
>>> 10.6...
>>>
>>> Would it make more sense to mod this STIG for 10.7 and move forward
>>> to completion, then consider working backwards to the legacy version?
>>> What are the odds that 10.6 will be fully deprecated by the time the
>>> STIG is ready?
>>>
>>> Last note, I would second the suggestion to automate the STIG using
>>> the native installer and installer packages. A package install
>>> framework could be easily built (technically) to accommodate
>>> cascading installs and config setting injection. If designed
>>> properly, it could be simply tweaked as new OS revs come out. No
>>> software cost/procurement in the implementation, only time.
>>> Subsequent mods very fast to support OS revs.
>>>
>>> My 2 cents adjusted to 25 for inflation.
>>>
>>> Best Regards, Wm. Cerniuk
>>>
>>>
>>>
>>>
>>>
>>> On Oct 4, 2011, at 18:31, "Link, Peter R."<email@hidden> wrote:
>>>
>>> The whole Apple/NIST/Army/? SCAP project is supposed to be dealing
>>> with this. They are supposed to be working on the configuration
>>> settings, creating the various SCAP content stuff, then giving us
>>> some status. From what I've seen, the DoD STIG only contains the
>>> XCCDF content, which isn't enough for full automated SCAP usage. I
>>> know there are people on this list that have knowledge of this
>>> project who could update us on it; however, they seem to be keeping
>>> pretty quiet lately.
>>>
>>> I personally don't know the status of this project.
>>>
>>>
>>> On Oct 4, 2011, at 3:11 PM, Dan Beatty wrote:
>>>
>>> Greetings Allan and gang, does anybody know what the channels (proper
>>> or otherwise) are to get on the contributing side of this NIST STIG?
>>> Obviously, there are a lot of errors. They could be attributed to
>>> Linux v/s Mac OSX differences. They could be attributed to a
>>> particular distribution of Linux. Whatever the case, it helps for us
>>> to get it right.
>>>
>>> It would be even better for us to come up with a project to make an
>>> automated Cocoa STIG configuration tool that will help us manage
>>> these things. Naturally, having an install package would be good,
>>> too. We can build that. What we need are the contacts at NIST to
>>> help make this happen.
>>>
>>> Is there anyone that can help?
>>>
>>> Thank you,
>>>
>>> --
>>> Daniel Beatty
>>> Information Assurance Officer (IAO), Energetics Research Division
>>> Code 474300D
>>> 1 Administration Circle M/S 1109
>>> China Lake, CA 93555
>>> email@hidden
>>> (LandLine) (760)939-7097
>>> (iPhone) (806)438-6620
>>>
>>>
>>>
>>> On 9/16/11 3:02 PM, "Marcus, Allan B"<email@hidden> wrote:
>>>
>>> Wow, lots of technical errors. Much of it is good, but lots was
>>> copied over from a Linux STIG with no Mac knowledge. I just submitted
>>> technical comments. I got up to V-25204 and conked out.
>>>
>>> -Allan
>>>
>>> From: "O'Donnell, Dan"<email@hidden>
>>> Date: Fri, 2 Sep 2011 17:43:49 -0600
>>> To: "email@hidden"<fed-talk@lists.apple.com>
>>> Subject: [Fed-Talk] Draft DISA STIG for OSX 10.6 now available
>>>
>>>
>>> New draft DISA Secure Technical Implementation Guideline for OSX
>>> 10.6, version 1.0, UNCLAS has been released on DISA's public internet
>>> site. <http://iase.disa.mil/stigs/os/mac/mac.html> (Note that this
>>> set of documents was prepared before the recent DigiNotar
>>> vulnerability.)
>>>
>>> 1. DISA FSO has developed the draft MAC OSX 10.6 STIG. The STIG is
>>> available on the NIPRNet at
>>> http://iase.disa.millstigs/os/mac/mac.html
>>> <http://iase.disa.millstigs/os/mac/mac.html> for your review and
>>> comments.
>>>
>>> 2. The STIG requirements were derived from the MAC OSX 10.6 Snow
>>> Leopard Security Guide published by Apple Corporation and in
>>> collaboration with DoD consensus team. DISA FSO is disseminating the
>>> draft STIG to provide an opportunity for your review and
>>> feedback/comments prior to the STIG release. Please note, any
>>> requests for changes to a baseline requirement must be
>>> coordinated/approved by the DoD consensus group before we can
>>> implement the change in the STIG.
>>>
>>> 3. Please provide comments, recommended changes, and/or additions to
>>> the draft STIG by 19 September 2011 on the Comment Matrix
>>> spreadsheet. The spreadsheet is available at:
>>> http://iase.disa.millstigs/os/mac/mac.html. Comments should be sent
>>> via NIPRNet email to: email@hidden<mailto:email@hidden>.
>>> Include the title and version of the STIG in the subject line of your
>>> email.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________ Do not post admin
>>> requests to the list. They will be ignored. Fed-talk mailing list
>>> (email@hidden<mailto:email@hidden>)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>>
>>> This email sent to
>>> email@hidden<mailto:email@hidden>
>>>
>>>
>>> Peter Link
>>> Cyber Security Analyst, Cyber Security Program
>>> Lawrence Livermore National Laboratory
>>> PO Box 808, L-315 Livermore, CA 94550
>>> email@hidden
>>
Attachment:
u_draft_mac 10-6_stig_v1_comment matrix.xls
Description: u_draft_mac 10-6_stig_v1_comment matrix.xls