Just so we have the Apple references for each OS--
If you run the test command without having installed the test applications, you'll get a file not found error. All this means is it couldn't find the file; it doesn't necessarily mean the OS isn't in FIPS mode (which it should be by default).
This is the part that concerns me--
Important: Before performing any OS X Lion updates, such as via Software Update, you should disable “FIPS Mode”. Otherwise, the computer may not start up successfully after the restart. After performing the software update, the Crypto Officer will need to re-enable “FIPS-Mode” following the instructions in the Crypto Officer Role Guide.
For those sites managing software installation, a little test script would be required to disable FIPS mode, update the software, then re-enable it after restart. For those sites without an adequate level of Mac support, you get to hope things don't get messed up. Testing the existence of FIPS-mode should be part of the software update process from Apple, not something we have to remember to do ourselves. Of course, having the OS in FIPS-mode by default should be the way Apple protects its users.
On Aug 28, 2012, at 7:15 AM, Marcus, Allan B wrote:
Yes, those articles reference the FIPS mode that I was referring to.
I also wonder if SL, Lion, and ML are FIPS compliant even when the Administrator tools are not installed. It appears the administrator tools are just a validation of the integrity and logging of the system, but there is no data to support this claim.
Shawn, can you please clarify?
--
Thanks,
Allan Marcus
505-667-5666
Allan,
Which FIPS mode are you talking about?
**I always thought OSX was in FIPS mode and the extra applications were only used to confirm it but after reading the second article, I'm not so sure (have to disable FIPS mode before updating OS--this could cause all sorts of problems with users).
On Aug 28, 2012, at 5:56 AM, Miller, Timothy J. wrote:
Yes.
-- T
Oh, you wanted an explanation? :)
FIPS validation is required of Federal systems for all cryptographic
modules. Crypto is pervasive in OS X in general and in applications you
need to deploy and interact with, many of which rely on the platform's
FIPS validation to support their own FIPS validation.
-- T (redux)
On 8/27/12 5:29 PM, "Marcus, Allan B" <email@hidden> wrote:
Is there any reason to use FIPS mode when not using FileVault?
--
Thanks,
Allan Marcus
505-667-5666
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list ( email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden