Re: [Fed-Talk] Security Guides -> SCAP
- Subject: Re: [Fed-Talk] Security Guides -> SCAP
- From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
- Date: Mon, 28 Jan 2013 13:41:57 -0500
-----Original Message-----
From: Villano, Paul A CIV USARMY TRADOC (US)
Sent: Monday, January 28, 2013 1:41 PM
To: 'Rowe, Walter'; email@hidden
Subject: RE: [Fed-Talk] Security Guides -> SCAP
Speaking of STIGS, I just got one that says it's for Chrome. I thought
Chrome was banned for official use because of security concerns?
-----Original Message-----
From: fed-talk-bounces+paul.villano=email@hidden
[mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf
Of Rowe, Walter
Sent: Monday, January 28, 2013 1:35 PM
To: email@hidden
Subject: Re: [Fed-Talk] Security Guides -> SCAP
Shawn,
That's a nice thought, but the SCAP content is no more up-to-date than the
STIGs / CIS docs / etc. The latest OS X SCAP content is 10.6.8. The latest
iOS SCAP content is 4.3.5. See the attached screenshot. How will the SCAP
content be maintained in a more timely manner than the STIGs, etc? If that
isn't answered, then the process is no better other than potentially
providing tools to implement the controls versus writing our own scripts for
Casper, for example.
Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885
On Jan 28, 2013, at 1:21 PM, Shawn Geddis <email@hidden> wrote:
Unfortunately, what everyone is confirming in this thread is that
the age old approach of writing a "committee agreed upon document" has long
lost its value and capability to keep up with the pace of platforms and
their advancements.
Documents have given way to driving SCAP content and Tools for all
platforms, applications, services, etc. Ask this of your DISA and NSA
contacts. As was even noted in the message from Christopher Thomas:
DISA FSO is in the process of moving the STIGs
towards the use of the NIST Security Content Automation Protocol (S-CAP) in
order to be able to "automate" compliance reporting of the STIGs.
Many may have missed the launch of the SCAP-On-Apple Project...
Useful SCAP content, scanning tools, as well as baselines, have
already begun to emerge throughout the community for OS X and iOS. We are
excited to help accelerate and guide these community activities targeting
the Apple Platforms. Resources for open collaboration will be provided
under the "SCAP-On-Apple" Project @ MacOSForge.org
<http://macosforge.org/>. The Project went live on THU 4 OCT, 2012
just before the BoF where we discussed the Project's Mission, Goals, and
Resources for interested individuals and organizations to immediately
engage.
Original Announcement made at ITSAC 2012 in Baltimore, MD
I would encourage those who have any interest or concern in the
current state of affairs to focus their resources and efforts towards SCAP
rather than being shackled to the generation and use of 20th century
documents. They were widely helpful in their days, but those days have long
passed - by the way, we all live in the 21st century now :-) With the
emerging SCAP Tools / Content along with the use of Configuration Profiles
and Profile Management, you have methods for rapid and verifiable
configuration updates to meet security needs.
Are you going to take the role of a Player or remain a Monday
Morning Quarterback?
-Shawn
_______________________________________________________________________
Enterprise Security Consulting Engineer, Apple (email@hidden)
SCAP-On-Apple Project/Dev Lead:
(SCAP-On-Apple.MacOSForge.Org <http://scap-on-apple.macosforge.org/>)
SmartCardServices Project/Dev Lead:
(SmartCardServices.MacOSForge.Org <http://smartcardservices.macosforge.org/>)
_______________________________________________________________________
[see attached file: Apple SCAP Content.png]
References:
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: Christopher Thomas <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: David Solin <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: "Rowe, Walter" <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: "Link, Peter R." <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: "Rowe, Walter" <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: Matt Linton <email@hidden>)
- Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 17 (From: "Rowe, Walter" <email@hidden>)