Re: [Fed-Talk] Security Guides -> SCAP


  • Subject: Re: [Fed-Talk] Security Guides -> SCAP
  • From: John Oliver <email@hidden>
  • Date: Mon, 28 Jan 2013 12:06:50 -0800
  • Thread-topic: [Fed-Talk] Security Guides -> SCAP

The STIG / NSA hardening checklist approach has always worked for me… publish one document that hardens the system as much as possible, even to the point of making it useless, and allow those who are using it to decide exactly which steps are appropriate for their mission.  Now, automating that process, like the Gold Disk, was taking it too far… :-)  But any command that inflexibly demands that every single step be taken, no matter the consequences, deserves what it'll get.  But if we start with something that's all-inclusive, we can have a discussion about how many of those steps work for us.



From: Ron Colvin <email@hidden>
Reply-To: <email@hidden>
Date: Monday, January 28, 2013 11:55 AM
To: "Rowe, Walter" <email@hidden>
Cc: Apple Fed-Talk <email@hidden>
Subject: Re: [Fed-Talk] Security Guides -> SCAP

The discussion on what the right settings are to implement a secure or compliant configuration baseline (and many of those will be contested and differ depending on what the Agency or Organization's mission is) does need to happen. What is in many ways more important is which flags exist in the Operating System and can be tweaked; that info we need from the vendor, ideally in a more easily consumable list of settings.

As mentioned below I think the available controls and which OS uses them can certainly be discussed but if we had a better control listing I think we would have security guidelines published by now on both 10.7 and 10.8. I certainly think there would be a 10.7 CIS Benchmark if that information was more available.

On 1/28/13 2:27 PM, Rowe, Walter wrote:
Perhaps part of the problem is that "committees" only write / agree / disagree with documents. There needs to be a consolidated laboratory where content and tools are actually produced, and in a timely manner. With appropriate resources (cough, cough), and corresponding vendor NDAs, this "laboratory" could work with vendors a priori to be ahead of the product releases or at least very soon after versus years after or not at all. I will use JAMF Casper Suite as an example. I know they participate in the Apple Developer program in some fashion. They have updates for OS X within days of official OS X releases. What they don't have is formal guidance on necessary controls for these OS X releases that would be required / recommended for use in the Civilian / Defense arenas. The point is that someone(s) have to evaluate these new releases, with the assistance of the vendors who know their own products, and generate the new control guidelines and the methods for implementing these controls. Even if the Government would pay someone like Mitre to staff such a laboratory and do this work that would be an improvement over today.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
email@hidden
301-975-2885

On Jan 28, 2013, at 2:16 PM, Shawn Geddis <email@hidden> wrote:

On Jan 28, 2013, at 1:34 PM, "Rowe, Walter" <email@hidden> wrote:
Shawn,

That's a nice thought, but the SCAP content is no more up-to-date than the STIGs / CIS docs / etc. The latest OS X SCAP content is 10.6.8. The latest iOS SCAP content is 4.3.5. See the attached screenshot. How will the SCAP content be maintained in a more timely manner than the STIGs, etc? If that isn't answered, then the process is no better other than potentially providing tools to implement the controls versus writing our own scripts for Casper, for example.

Walter

Walter,

I can't fix every broken process by myself.... :-)
If it takes a village to raise a child, it will take.... to fix the process.

• There are additional repositories held by various third-parties.
• There are also some US Federal Agencies who apparently choose to not share that content outside of their building walls - not sure why.

In working with NSA, there was already iOS 5 guidance along with associated SCAP Content that will be submitted to the SCAP-On-Apple project.

• Sec Config Recommendations for Apple iOS 5 Devices 
• Associated SCAP Content

I guess I will reiterate my previous closing question:
Are you going to take the role of a Player or remain a Monday Morning Quarterback ?

- Shawn
________________________________________
Shawn Geddis   
Security Consulting Engineer 
Apple Enterprise Division




--


********************************************************
Ron Colvin CISSP, CAP, CEH
Certified Security Analyst
NASA - Goddard Space Flight Center
<email@hidden>
Direct phone 301-286-2451
NASA Jabber (email@hidden) AIM rcolvin13
NASA LCS (email@hidden)
********************************************************
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

References: 
 >Re: [Fed-Talk] Security Guides -> SCAP (From: Ron Colvin <email@hidden>)