Apple

Hi Danny,

Thanks for replying.

As, far as SCAP Evaluations go, do you foresee any of these new OS’s (Mac or otherwise) being incorporated into the Validation scheme in the near or even not so near future? By this I mean do you know of any government push for these OS’s to be tested against the scheme? Also, as far as Macintosh products go, it is my understanding that they are hardware dependant and that might make content writing difficult and hard to keep on top of. Each Mac OSX release seems to be a new OS rather than a delta to the previous OS release, is my take on this correct?

Thanks.

Richee

From: Haynes, Dan [mailto:email@hidden]
Sent: June-06-12 8:25 PM
To: Richard Adams; email@hidden
Cc: OVAL
Subject: RE: [Fed-Talk] Up to speed...

* PGP - S/MIME Signed by an unverified key: 06/06/2012 at 8:25:01 PM

Hi Richard,

Sorry for the delay in responding. There are quite a few things to note related to Apple and SCAP that I have seen on this list as well as others which may be of interest to the group.

As you noted below, NSA published a security guide and SCAP content for Apple iOS 5. This is great to see! I would like to point out that there has been additional discussion about this SCAP content and assessing mobile devices in general on the oval-developer-list. You can find these discussion threads at the following links.

http://making-security-measurable.1364806.n2.nabble.com/Android-OVAL-schema-development-tp7550285p7562050.html

http://making-security-measurable.1364806.n2.nabble.com/Re-iOS-OVAL-schema-tp7574411.html

Given that mobile devices are a new area for the security automation community, if anyone has any thoughts on this, it would be great to have you participate.

DISA has been creating STIGs for various Apple products and posting them to their site (http://iase.disa.mil/stigs/) and the National Checklist Program Repository (http://web.nvd.nist.gov/view/ncp/repository). I have seen some announcements for these over the list. Some of these STIGs are prose text while others are standalone XCCDF Benchmarks. At the moment, I don’t think there are any Apple-related STIGs that are fully expressed as SCAP, but, I am sure they are working to get there. As a side note, it looks like DISA just posted SCAP content for some of their other STIGs (Red Hat 5, HP-UX, AIX, and Solaris) this week.

Recently, there has also been some community discussion related to improving the plist_test which is key towards automating the assessment of Apple devices. You can find these discussions at the following links.

http://making-security-measurable.1364806.n2.nabble.com/Proposed-modification-to-the-plist510-test-in-the-Apple-Macintosh-Schema-tp7471496.html

http://making-security-measurable.1364806.n2.nabble.com/PLIST5-tp7506464.html

Last year, we also created a few OVAL Definitions, as a proof of concept, that checked for vulnerabilities on Mac OSX and if certain software was installed. You can find that content here.

http://oval.mitre.org/repository/data/SearchDefinitionAdv?id=&title=&description=&platform=0&product=0&contributor=0&organization=0&class=0&source=0&family=2&reference=&status=0&advsearch=Search

It would be great, if we could get even more content out there for the community to see and use.

Lastly, I would just like to encourage anyone who is interested to get involved. One of the biggest challenges for us (OVAL team at MITRE) is that we do not have the domain expertise with Apple products that many on this list have. Specifically, understanding the challenges that you face in the field and identifying the gaps in what you need to check on Apple devices which can be used to improve security automation capabilities. We can also use help with schema development, content creation, and tool development.

Thanks,

Danny

From: fed-talk-bounces+dhaynes=email@hidden [mailto:fed-talk-bounces+dhaynes=email@hidden] On Behalf Of Richard Adams
Sent: Wednesday, May 30, 2012 3:48 PM
To: email@hidden
Subject: [Fed-Talk] Up to speed...

Hello all,

I was wondering if there is anyone that would be willing to bring me up to speed on the question I posed to Doug in the trail below.

Thanks.

Sincerely,

Richard P. Adams

Lead SCAP Tester; FIPS 140-2 Tester; CC Tester

IT Security Specialist

Electronic Warfare Associates – Canada

-------------------------------------------------

E: email@hidden

P: 613-230-6067 x.1236

F: 613-230-4933

-------------------------------------------------

Enabling a More Secure Future

-----Original Message-----
From: Doug Kruth [mailto:email@hidden]
Sent: May-30-12 3:31 PM
To: Richard Adams
Subject: Re: Your Request to Subscribe to FedTalk

You can just post that question to the list. I'm certain that there will be many participants that will get you up to speed ;-)

Doug Kruth

Systems Engineering Manager

 Apple Enterprise Sales

m: 571.218.0805

o: 703.264.3236

On May 30, 2012, at 3:21 PM, Richard Adams wrote:

> Doug,

> "I am not sure if you follow Apple Fed-Talk mailing list, but, NSA published a security guide and SCAP content for Apple iOS 5 yesterday." Was a quote from the other list.

> Since I am in the dark, so to speak, regarding this specific topic (being new to the list and all); would it be possible to get a rundown of what has been happening on this list regarding this or anything else in regards to SCAP?

> Thanks.

> Richee

* Haynes.Daniel.31853 <email@hidden>
* Issuer: CN=MITRE Corporation PE CA-1 - Unverified