See, that's why I prefer to mitigate risk by using platforms that no
one in their right mind would use, or ancient platforms that no one
can remember how to write shellcode or exploits for.
Sent from my Palm Treo
On 01/28/2013 10:34 AM, Rowe, Walter
wrote:
Shawn,
That's a nice thought, but the SCAP content is no more
up-to-date than the STIGs / CIS docs / etc. The latest OS X SCAP
content is 10.6.8. The latest iOS SCAP content is 4.3.5. See the
attached screenshot. How will the SCAP content be maintained in
a more timely manner than the STIGs, etc? If that isn't
answered, then the process is no better other than potentially
providing tools to implement the controls versus writing our own
scripts for Casper, for example.
Walter
--
Walter
Rowe, System Hosting
Enterprise
Systems / OISM
301-975-2885
On Jan 28, 2013, at 1:21 PM, Shawn Geddis < email@hidden>
wrote:
Unfortunately, what everyone is confirming in this
thread is that the age old approach of writing a "committee
agreed upon document" has long lost its
value and capability to keep up with the pace of
platforms and their advancements.
Documents have fallen way to driving SCAP content and
Tools for all platforms, applications, services, etc.
Ask this of your DISA and NSA contacts. As was even
noted in the message from Christopher Thomas:
DISA FSO is in
the process of moving the STIGs towards
the use of the NIST Security Content
Automation Protocol (S-CAP) in order to
be able to “automate” compliance
reporting of the STIGs.
Many may have missed the launch of the
SCAP-On-Apple Project...
Useful SCAP content, scanning tools, as well
as baselines, have already begun to emerge throughout
the community for OS X and iOS. We are excited to help
accelerate and guide these community activities
targeting the Apple Platforms. Resources for open
collaboration will be provided under the " SCAP-On-Apple"
Project @ MacOSForge.org. The
Project went live on THU 4 OCT, 2012 just before
the BoF where we discussed the Project's Mission, Goals,
and Resources for interested individuals and
organizations to immediately engage.
Original Announcement made at ITSAC 2012 in
Baltimore, MD
I would encourage those who have any interest or
concern in the current state of affairs to focus their
resources and efforts towards SCAP rather than being
shackled to the generation and use of 20th century
documents. They were widely helpful in their days, but
those days have long passed - by the way, we all live in
the 21st century now :-) With the emerging SCAP Tools /
Content along with the use of Configuration Profiles and
Profile Management, you have methods for rapid and
verifiable configuration updates to meet security needs.
Are you going to take the role of a Player or
remain a Monday Morning Quarterback ?
-Shawn
_______________________________________________________________________
Enterprise Security Consulting Engineer, Apple
( email@hidden)
_______________________________________________________________________
[see attached file: Apple
SCAP Content.png]
--
-------------------------------
Matt Linton - GCIH, EZ2C
Security Operations Lead
NASA Ames Research Center
email@hidden : (c)650.380.4281
|