It isn't going to get any better with Apple now on an annual OS X / iOS release cycle.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
301-975-2885
On Jan 26, 2013, at 2:51 PM, "Link, Peter R." <email@hidden> wrote:
They don't, http://usgcb.nist.gov/usgcb_content.html
If you look here, http://web.nvd.nist.gov/view/ncp/repository, the only OSX guidelines are Tier 1 and 2 guidelines from CIS, DISA and NSA (old stuff, 10.6 latest). Don't try searching using Apple in the Keyword field since it only finds a few listings.
DISA's latest STIGs available to everyone, http://iase.disa.mil/stigs/a-z.html, stop at 10.6 v1, r1. I don't have a DoD PKI so I can't see anything else. There used to be a draft STIG page but I'm not seeing it anymore.
CIS has a 10.7 project going on but I haven't seen anything about a 10.8 project.
On Jan 26, 2013, at 7:46 AM, "Rowe, Walter" <email@hidden> wrote:
Look at the USGCB info. I think they have Mac OS configuration guidelines.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
301-975-2885
On Jan 25, 2013, at 3:46 PM, David Solin <email@hidden> wrote:
I cannot believe that DISA is still maintaining a manual STIG for MacOS! Are they unaware of the availability of Mac-compatible open-source tools for SCAP scanning?
On 1/25/2013 2:35 PM, Christopher Thomas wrote:
DISA released an update to their STIG for Mac OS 10.6. Has there been any talk between Apple and DISA on a security guideline for Lion or Mountain Lion? In this arena, does anyone know of any automated tool to manage Mac OS to comply with STIG guidelines, or has anyone created scripts to effect the guidelines? The steps for implementing STIGs on Mac OS are manual and must be re-done with each update to the OS to ensure the update did not reset settings.
Further, is there any current information on FIPS compliance for Apple implementation of whole disk encryption in Lion or Mountain Lion?
Assuming that Apple has some internal clock on ending support to Snow Leopard, Lion/Mountain Lion need to get into the reviewed arena.
For reference on STIGs:
http://iase.disa.mil/stigs/os/mac/mac.html
“The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (S-CAP) in order to be able to “automate” compliance reporting of the STIGs.
A STIG Security Checklist, typically a companion of a STIG, is essentially a document that contains instructions or procedures to manually verify compliance to a STIG. STIGs have been under optimization efforts since 2008 to begin to combine the STIG and STIG Security Checklist into one document. Currently, however, you will still find instances where there are still STIGs with accompanying STIG Checklists.”
On 1/25/13 3:00 PM, "email@hidden" <email@hidden> wrote:
Message: 1
Date: Fri, 25 Jan 2013 14:55:23 -0500
From: Matt Stier <email@hidden>
To: Shawn Geddis <email@hidden>
Cc: "email@hidden Talk" <email@hidden>
Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
Thank you for the links, but that is not what I was referring to earlier. Maybe my mind is not serving me as well as it normally does, but I could have sworn there was one or two products from Apple on the Modules In-Process list in block 1 for several months and then all of a sudden they were removed from the process altogether. It may have been two years ago. Again, it may just be I am not remembering it correctly.
On a separate note, do you know if Apple plans to support smart cards natively in the future?
-Matt
Matt Stier, CISSP/CWNA/ACMA
SPAWAR, Atlantic
Phone: 843.321.WLAN (9526) | Fax 843.218.6605
Email: email@hidden
On Jan 25, 2013, at 1:32 PM, Shawn Geddis wrote:
> On Jan 25, 2013, at 1:07 PM, Matt Stier <email@hidden> wrote:
>> If I am not mistaken, Apple (cannot remember if it was OSX or iOS related) was on the list roughly a year ago, but was removed for some reason either by Apple or another entity. That is what I was referring to in my "thankfully" comment.
>
> Matt,
>
> I believe what you may be referring to is the completion of the FIPS 140-2 Conformance Validation for Apple's CDSA/CSP module still available in OS X Lion v10.7 for use by Third-Party Developers. OS X Lion was using the newer CoreCrypto / CoreCrypto Kernel modules, but we intentionally re-validated the CDSA/CSP module for third-party developers still using it at the time. Another example of Apple following through with commitments to the US Federal Government.
>
> Modules appear on the Modules In-Process List [1][2] until they are complete and then move to the Validated Modules list [3][4] by CMVP.
>
> Apple FIPS Cryptographic Module (Software Version: 1.1)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1701
> ...on 3/30/2012
>
>
> This was a re-validation of the same module used by Mac OS X SnowLeopard v10.6.
>
> Apple FIPS Cryptographic Module (Software Version: 1.0)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1514
> ...on 03/09/2011
>
>
> [1] http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
> [2] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
> [3] http://csrc.nist.gov/groups/STM/cmvp/validation.html
> [4] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
>
>
> - Shawn
> ________________________________________
> Shawn Geddis T (703) 264-5103
> Security Consulting Engineer C (703) 623-9329
> Apple Enterprise Division email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>
_______________________________________________
Fed-talk mailing list
email@hidden
https://lists.apple.com/mailman/listinfo/fed-talk
End of Fed-talk Digest, Vol 10, Issue 17
****************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden
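Christopher Thomas's message above asks for scripts that re-check STIG-style settings after each OS update, since updates can silently reset them. The script below is an added example written for this thread, not code from any list member, DISA or Apple. It assumes settings are read with the macOS `defaults` command, and its CHECKS list is a constructed, illustrative baseline: the preference keys are real macOS keys, but the required values carry no STIG or CIS identifiers and are not taken from any published checklist.

```python
"""Re-runnable configuration audit for a macOS host (added example).

Assumptions (not from the mailing list thread):
  - settings are read with the macOS `defaults` command;
  - the CHECKS list below is a constructed, illustrative baseline,
    not an actual STIG or CIS item list.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    domain: str      # preference domain, e.g. com.apple.screensaver
    key: str         # key inside that domain
    expected: str    # value the baseline requires, as `defaults read` prints it


# Constructed baseline: the keys exist on macOS, the required values are
# illustrative only and do not correspond to any numbered STIG/CIS item.
CHECKS = [
    Check("com.apple.screensaver", "askForPassword", "1"),
    Check("com.apple.screensaver", "askForPasswordDelay", "0"),
    Check("/Library/Preferences/com.apple.alf", "globalstate", "1"),
]


def read_default(domain, key):
    """Return the current value of domain/key via `defaults read`, or None if unset."""
    proc = subprocess.run(["defaults", "read", domain, key],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def audit(checks, reader=read_default):
    """Compare every check against the live value.

    `reader(domain, key)` is injectable so the audit can be exercised
    against recorded values; returns a list of (check, actual, passed).
    """
    results = []
    for c in checks:
        actual = reader(c.domain, c.key)
        results.append((c, actual, actual == c.expected))
    return results


def drift(results):
    """Checks that fail: the settings an OS update (or anyone else) reset or never set."""
    return [(c, actual) for c, actual, ok in results if not ok]


def report(results):
    """Print one line per check; exit status 1 if anything drifted, so cron/MDM can alert."""
    for c, actual, ok in results:
        status = "PASS" if ok else "FAIL"
        print(f"{status} {c.domain} {c.key}: expected {c.expected!r}, got {actual!r}")
    return 1 if drift(results) else 0


if __name__ == "__main__":
    raise SystemExit(report(audit(CHECKS)))
```

Run it after every OS update (or from a scheduled job) and treat a non-zero exit as a finding; a key that is absent reads as None and fails, which is the right default, since an unset value usually means the OS fell back to its own default rather than the hardened one.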