Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17

  • Subject: Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17
  • From: John Oliver <email@hidden>
  • Date: Mon, 28 Jan 2013 10:01:34 -0800
  • Thread-topic: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17

Heck, ANY reasonable method of disabling various items like that would be nice.

As it is, how to do it depends upon the version of the OS and the hardware platform.  And even then, there is no way to disable the microphone without killing the whole sound system.  I really don't know what we're going to do with a stack of MacBook Pros that need to go in a SCIF.  A drop of Superglue?  Everyone acts horrified.  Open them up to try to find a wire?  Everyone is horrified.  Shouldn't we have ordered them with this stuff disabled?  Sure, but that ship has sailed.

I've written a script to go through disabling various items like IR, Bluetooth, FireWire, Wi-Fi, camera, etc.  It just gets messier and messier as I discover yet another exception… "Oh, yeah, in THIS case disabling this kext winds up killing the keyboard, we really need to disable this OTHER kext that we've never seen before!"

I'm sure there aren't a whole lot of Macs going into secure areas, as opposed to Windows, Linux, UNIX, etc.  Still.

From: "Rowe, Walter" <email@hidden>
Date: Monday, January 28, 2013 9:40 AM
To: Apple Fed-Talk <email@hidden>
Subject: Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17

I agree. For example, rather than saying disable iSight camera / built-in microphone / FaceTime / etc., just say "disable all audio/video recording devices and services. Examples include …". That addresses the intent rather than the specific item and lets agencies document more specific controls that meet their own governing body's IT Security requirements.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885

On Jan 28, 2013, at 11:34 AM, Matt Linton <email@hidden> wrote:


That's sort of the hidden problem we (The Feds) have with deploying version-specific guides to security stuff.  We're obsolete before our guides are through committee. :)

It would be much better perhaps, if we came up with generalized security guides (Security on Apple OSX) and then try to rapid-fire appendices/addendums that certify only the changes between OSes (e.g., "For 10.8, the following changes are recommended to the standard").



On 01/28/2013 05:10 AM, Rowe, Walter wrote:
It isn't going to get any better with Apple now on an annual OS X / iOS release cycle.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885

On Jan 26, 2013, at 2:51 PM, "Link, Peter R." <email@hidden> wrote:

They don't, http://usgcb.nist.gov/usgcb_content.html

If you look here, http://web.nvd.nist.gov/view/ncp/repository, the only OSX guidelines are Tier 1 and 2 guidelines from CIS, DISA and NSA (old stuff, 10.6 latest). Don't try searching using Apple in the Keyword field since it only finds a few listings.

DISA's latest STIGs available to everyone, http://iase.disa.mil/stigs/a-z.html, stop at 10.6 v1, r1. I don't have a DoD PKI so I can't see anything else. There used to be a draft STIG page but I'm not seeing it anymore.

CIS has a 10.7 project going on but I haven't seen anything about a 10.8 project.

On Jan 26, 2013, at 7:46 AM, "Rowe, Walter" <email@hidden> wrote:

Look at the USGCB info. I think they have Mac OS configuration guidelines.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885

On Jan 25, 2013, at 3:46 PM, David Solin <email@hidden> wrote:

I cannot believe that DISA is still maintaining a manual STIG for MacOS!  Are they unaware of the availability of Mac-compatible open-source tools for SCAP scanning?

On 1/25/2013 2:35 PM, Christopher Thomas wrote:
DISA released an update to their STIG for Mac OS 10.6; has there been any talk between Apple and DISA on a security guideline for Lion or Mountain Lion?  In this arena, does anyone know of any automated tool to manage Mac OS to comply with STIG Guidelines or has anyone created scripts to effect the guidelines?  The steps for implementing STIGs on Mac OS are manual and must be re-done with each update to the OS to ensure the update did not reset settings.

Further, is there any current information on FIPS compliance for Apple implementation of whole disk encryption in Lion or Mountain Lion?

Assuming that Apple has some internal clock on ending support to Snow Leopard, Lion/Mountain Lion need to get into the reviewed arena.

For reference on STIGs:

http://iase.disa.mil/stigs/os/mac/mac.html

“The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (S-CAP) in order to be able to “automate” compliance reporting of the STIGs.

A STIG Security Checklist, typically a companion of a STIG, is essentially a document that contains instructions or procedures to manually verify compliance to a STIG. STIGs have been under optimization efforts since 2008 to begin to combine the STIG and STIG Security Checklist into one document. Currently, however, you will still find instances where there are still STIGs with accompanying STIG Checklists.”



On 1/25/13 3:00 PM, "email@hidden" <email@hidden> wrote:

Today's Topics:

   1. Re: EAP-TLS Authentication with CAC on iPad or iPhone (Matt Stier)
Message: 1
Date: Fri, 25 Jan 2013 14:55:23 -0500
From: Matt Stier <email@hidden>
To: Shawn Geddis <email@hidden>
Cc: "email@hidden Talk" <email@hidden>
Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone

Thank you for the links, but that is not what I was referring to earlier.  Maybe my mind is not serving me as well as it normally does, but I could have sworn there was one or two products from Apple on the Modules In-Process list in block 1 for several months and then all of a sudden they were removed from the process altogether.  It may have been two years ago.  Again, it may just be I am not remembering it correctly.

On a separate note, do you know if apple plans to support smart cards natively in the future?

        -Matt

Matt Stier, CISSP/CWNA/ACMA
SPAWAR, Atlantic
Phone: 843.321.WLAN (9526) | Fax 843.218.6605
Email: email@hidden

On Jan 25, 2013, at 1:32 PM, Shawn Geddis wrote:

> On Jan 25, 2013, at 1:07 PM, Matt Stier <email@hidden> wrote:
>> If I am not mistaken, Apple (cannot remember if it was OSX or iOS related) was on the list roughly a year ago, but was removed for some reason either by Apple or another entity.  That is what I was referring to in my "thankfully" comment.
>
> Matt,
>
> I believe what you may be referring to is the completion of the FIPS 140-2 Conformance Validation for Apple's CDSA/CSP module still available in OS X Lion v10.7 for use by Third-Party Developers.  OS X Lion was using the newer CoreCrypto / CoreCrypto Kernel modules, but we intentionally re-validated the CDSA/CSP module for third-party developers still using it at the time.  Another example of Apple following through with commitments to the US Federal Government.
>
> Modules appear on the Modules In-Process List [1][2] until they are complete and then move to the Validated Modules list [3][4] by CMVP.
>
> Apple FIPS Cryptographic Module (Software Version: 1.1)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1701
> ...on 3/30/2012
>
>
> This was a re-validation of the same module used by Mac OS X SnowLeopard v10.6.
>
> Apple FIPS Cryptographic Module (Software Version: 1.0)
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1514
> ...on 03/09/2011
>
>
> [1] http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
> [2] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
> [3] http://csrc.nist.gov/groups/STM/cmvp/validation.html
> [4] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
>
>
> - Shawn
> ________________________________________
> Shawn Geddis                               T (703) 264-5103
> Security Consulting Engineer    C (703) 623-9329
> Apple Enterprise Division           email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA  20190-5634
>




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden


--

jOVAL.org: SCAP Simplified.


Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden




--
-------------------------------
Matt Linton - GCIH, EZ2C
Security Operations Lead
NASA Ames Research Center
email@hidden : (c)650.380.4281
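An added example, not from this thread or any of its posters: the post-update re-check that Christopher Thomas asks about, and that a device-disabling script like John Oliver's would need, written as a POSIX shell script. It keeps a baseline of expected values (empty output from `kextstat -l -b <bundle id>` for kexts that must stay unloaded, plus a few `defaults read` and `systemsetup` values), collects the live values after each OS update, and reports every item that no longer matches. The baseline file format, the item names, and the specific kext bundle IDs and preference keys are this example's own assumptions, not entries from the DISA STIG or the CIS benchmark, and each one must be confirmed on the OS version being locked down.

```shell
#!/bin/sh
# Added example (not code from the thread): re-check a hand-built OS X hardening
# baseline after every OS update, so a reset setting or a re-enabled kext shows
# up as a DRIFT line instead of waiting for the next manual STIG pass.
#
# Baseline file, one item per line (pipe-separated; the command may itself
# contain pipes because everything after the second '|' is the command):
#   <name>|<expected output>|<shell command that prints the current value>
# Blank lines and lines starting with '#' are ignored. Item names, kext bundle
# IDs and defaults keys below are illustrative assumptions; confirm each one
# against the OS version being locked down before relying on it.

sample_baseline() {
  cat <<'EOF'
# name|expected|command   (an empty expected value means "prints nothing")
bluetooth_kext||kextstat -l -b com.apple.iokit.IOBluetoothFamily
firewire_kext||kextstat -l -b com.apple.iokit.IOFireWireFamily
camera_kext||kextstat -l -b com.apple.driver.AppleCameraInterface
screensaver_pw|1|defaults read com.apple.screensaver askForPassword
guest_login|0|defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
remote_login|Remote Login: Off|systemsetup -getremotelogin
EOF
}

# collect_state BASELINE: run each item's command on the live machine (OS X,
# as root because systemsetup needs it) and print "name=first line of output".
# A command that exits non-zero, e.g. `defaults read` on a key that an update
# deleted, records ERROR rather than an empty value, so it cannot satisfy an
# empty expectation by accident.
collect_state() {
  while IFS='|' read -r name expected cmd; do
    case "$name" in ''|'#'*) continue ;; esac
    actual=$(sh -c "$cmd" 2>/dev/null) || actual="ERROR"
    actual=$(printf '%s\n' "$actual" | head -n 1)
    printf '%s=%s\n' "$name" "$actual"
  done < "$1"
}

# compare_state BASELINE STATE: print one DRIFT line per item whose recorded
# value differs from the baseline, or that has no record at all, and return the
# number of drifted items (0 = compliant), so it composes with && in scripts.
compare_state() {
  baseline=$1; state=$2; drift=0
  while IFS='|' read -r name expected cmd; do
    case "$name" in ''|'#'*) continue ;; esac
    # The leading "=" distinguishes an empty recorded value from a missing record.
    rec=$(awk -F= -v k="$name" '$1==k {print "=" substr($0, length(k)+2); exit}' "$state")
    if [ -z "$rec" ]; then actual='<no record>'; else actual=${rec#=}; fi
    if [ "$actual" != "$expected" ]; then
      printf 'DRIFT %s: expected [%s] got [%s]\n' "$name" "$expected" "$actual"
      drift=$((drift + 1))
    fi
  done < "$baseline"
  if [ "$drift" -gt 255 ]; then drift=255; fi   # shell exit status limit
  return "$drift"
}

# Usage: sh drift_check.sh --check baseline.txt   (nothing runs when sourced)
if [ "${1-}" = "--check" ] && [ -n "${2-}" ]; then
  state=$(mktemp)
  collect_state "$2" > "$state"
  compare_state "$2" "$state"; rc=$?
  rm -f "$state"
  exit "$rc"
fi
```

Run it on the Mac as `sudo sh drift_check.sh --check baseline.txt`; the exit status is the number of drifted items, so it can gate a post-update script with `&&`. A missing record is reported separately from an empty value, so an update that removes a preference key, or a collector that never ran, is flagged rather than silently passed. Start from the constructed baseline that `sample_baseline` prints and replace its entries with the items in the governing checklist.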

References: 
 >Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: "Rowe, Walter" <email@hidden>)
