The STIG / NSA hardening checklist approach has always worked for me… publish one document that hardens the system as much as possible, even to the point of making it useless, and allow those who are using it to decide exactly which steps are appropriate for their mission. Now, automating that process, like the Gold Disk, was taking it too far… :-) But any command that inflexibly demands that every single step be taken, no matter the consequences, deserves what it'll get. But if we start with something that's all-inclusive, we can have a discussion about how many of those steps work for us.
The discussion on what the right settings are to implement a secure or compliant configuration baseline (and many of those will be contested and will differ depending on what the Agency or Organization's mission is) does need to happen. What is in many ways more important is what the flags are that exist in the Operating System and can be tweaked; that info we need from the vendor, ideally in a more easily consumable list of settings.
As mentioned below, I think the available controls and which OS uses them can certainly be discussed, but if we had a better control listing I think we would have security guidelines published by now on both 10.7 and 10.8. I certainly think there would be a 10.7 CIS Benchmark if that information were more available.
On 1/28/13 2:27 PM, Rowe, Walter wrote:
Perhaps part of the problem is that "committees" only write / agree / disagree with documents. There needs to be a consolidated laboratory where content and tools are actually produced, and in a timely manner. With appropriate resources (cough, cough), and corresponding vendor NDAs, this "laboratory" could work with vendors a priori to be ahead of the product releases, or at least very soon after, versus years after or not at all. I will use JAMF Casper Suite as an example. I know they participate in the Apple Developer program in some fashion. They have updates for OS X within days of official OS X releases. What they don't have is formal guidance on necessary controls for these OS X releases that would be required / recommended for use in the Civilian / Defense arenas. The point is that someone(s) have to evaluate these new releases, with the assistance of the vendors who know their own products, and generate the new control guidelines and the methods for implementing these controls. Even if the Government would pay someone like Mitre to staff such a laboratory and do this work, that would be an improvement over today.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
301-975-2885
On Jan 28, 2013, at 2:16 PM, Shawn Geddis <email@hidden> wrote:
On Jan 28, 2013, at 1:34 PM, "Rowe, Walter" <email@hidden> wrote:
Shawn,

That's a nice thought, but the SCAP content is no more up-to-date than the STIGs / CIS docs / etc. The latest OS X SCAP content is 10.6.8. The latest iOS SCAP content is 4.3.5. See the attached screenshot. How will the SCAP content be maintained in a more timely manner than the STIGs, etc.? If that isn't answered, then the process is no better, other than potentially providing tools to implement the controls versus writing our own scripts for Casper, for example.

Walter
Walter,

I can't fix every broken process by myself.... :-) If it takes a village to raise a child, it will take.... to fix the process.

• There are additional repositories held by various third parties.
• There are also some US Federal Agencies who apparently choose to not share that content outside of their building walls - not sure why.

In working with NSA, there was already iOS 5 guidance along with associated SCAP Content that will be submitted to the SCAP-On-Apple project.

I guess I will reiterate my previous closing question: Are you going to take the role of a Player or remain a Monday Morning Quarterback?

- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
--
********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)