Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 24 Oct 2014 12:22:14 +0000
- Thread-topic: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
I'll speculate that the issue is likely that the Nessus scanner server doesn't have a credential to do a local check by remote access, or remote access is disabled. In this case the engine falls back on the OS fingerprint and open services to filter the findings list. This is typical behavior for agentless security tools.
Confidence in security scan results can only be had by combining agentless and agent-based (e.g., McAfee ePO with ACCM, or an SCAP auditing tool) reports. Note that this is exactly what DISA's CMRS does.
Problems arise when the auditing team doesn't understand this.
-- T
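One way to do the reconciliation Tim describes, checking agentless (remote-inference) findings against agent-based data before a severity is accepted, as an added example that is not code from the thread, from Tenable, or from DISA. The hostnames, plugin ids, CVE placeholders ("CVE-0000-...") and field names are all constructed assumptions chosen to mirror the shape of a remote-scan export and an agent/SCAP inventory, not any vendor's schema:

```python
"""Reconcile agentless scanner findings against agent-based inventory.

Added example for the Fed-Talk thread; not code from the list, from Tenable,
or from DISA. Every record below is constructed: the hostnames, plugin ids,
CVE placeholders ("CVE-0000-...") and field names are assumptions chosen to
mirror the shape of a remote-scan export and an agent/SCAP inventory, not any
vendor's schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int            # constructed id, not a real Nessus plugin number
    title: str
    severity: str             # scanner-assigned: "Critical", "High", "Medium", "Low"
    credentialed: bool        # True only when an authenticated local check ran
    basis: str                # "local_check", "service_banner" or "os_fingerprint"
    cves: Tuple[str, ...] = ()


@dataclass(frozen=True)
class AgentRecord:
    host: str
    os_version: str
    installed_updates: frozenset   # names of installed security updates
    patched_cves: frozenset        # CVEs the agent's local check reports as fixed


def classify(finding: Finding, agent: Optional[AgentRecord]) -> Tuple[str, str]:
    """Return (status, reason) for one finding.

    CONFIRMED     an authenticated local check produced the finding
    CONTRADICTED  the agent reports every listed CVE already patched
    UNVERIFIED    remote inference (fingerprint/banner) with no agent data to check it
    CORROBORATED  remote inference that the agent data does not contradict
    """
    if finding.credentialed and finding.basis == "local_check":
        return "CONFIRMED", "authenticated local check"
    if agent is None:
        return "UNVERIFIED", f"{finding.basis} inference only; no agent record for {finding.host}"
    if finding.cves and set(finding.cves) <= agent.patched_cves:
        return "CONTRADICTED", "agent reports all listed CVEs patched"
    return "CORROBORATED", f"{finding.basis} inference; agent data does not contradict it"


def reconcile(findings: Iterable[Finding],
              agents: Iterable[AgentRecord]) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Map (host, plugin_id) -> (status, reason) for every finding."""
    by_host = {a.host: a for a in agents}
    return {(f.host, f.plugin_id): classify(f, by_host.get(f.host)) for f in findings}


def hosts_needing_credentialed_scan(results) -> list:
    """Hosts whose findings rest on remote inference alone; these are the ones
    the scanner should be given credentials for before a severity is accepted."""
    return sorted({host for (host, _), (status, _) in results.items() if status == "UNVERIFIED"})


# Constructed sample data: one version-inference finding on three hosts, plus one
# genuine local-check finding on mac-02.
VERSION_FINDING_TITLE = "OS X < 10.10 Multiple Vulnerabilities (constructed)"
SAMPLE_FINDINGS = [
    Finding("mac-01", 900001, VERSION_FINDING_TITLE, "Critical", False,
            "os_fingerprint", ("CVE-0000-0001", "CVE-0000-0002")),
    Finding("mac-02", 900001, VERSION_FINDING_TITLE, "Critical", False,
            "os_fingerprint", ("CVE-0000-0001", "CVE-0000-0002")),
    Finding("mac-03", 900001, VERSION_FINDING_TITLE, "Critical", False,
            "os_fingerprint", ("CVE-0000-0001", "CVE-0000-0002")),
    Finding("mac-02", 900002, "Outdated bash (constructed)", "High", True,
            "local_check", ("CVE-0000-0003",)),
]
SAMPLE_AGENTS = [
    AgentRecord("mac-01", "10.9.5", frozenset({"Security Update 2014-005"}),
                frozenset({"CVE-0000-0001", "CVE-0000-0002"})),
    AgentRecord("mac-02", "10.9.5", frozenset({"Security Update 2014-005"}),
                frozenset({"CVE-0000-0001"})),
    # mac-03 has no agent record at all
]


if __name__ == "__main__":
    results = reconcile(SAMPLE_FINDINGS, SAMPLE_AGENTS)
    for key, (status, reason) in sorted(results.items()):
        print(f"{key[0]} plugin {key[1]}: {status:12} {reason}")
    print("needs credentialed scan:", hosts_needing_credentialed_scan(results))
```

The point of the split into CONFIRMED / CONTRADICTED / CORROBORATED / UNVERIFIED is that an uncredentialed "Critical" is never silently accepted or silently discarded: it is either checked against local data or flagged as a host that still needs a credentialed scan, which is the combination of agentless and agent-based reporting the message argues for.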
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of John Oliver
>Sent: Thursday, October 23, 2014 3:30 PM
>To: Apple Fed-Talk
>Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
>
>*Exactly* what I’m talking about :-) (ACAS *is* Tenable’s Security Center)
>
>It looks like the plugin author picked the highest category of
>vulnerability and assigned that to a test for “Is this Yosemite or not”
>I’ve made the point that ACAS is *not* testing for vulns, but merely
>testing for OS version.
>
>If you’re right, then this should be, at most, a Medium finding. And I
>can live with that… maybe Apple will fix more issues in the next few weeks
>or so, maybe not, but we have 90 days IIRC to address Mediums, which is
>far more reasonable to ensure that the operational challenges of Yosemite
>are addressed.
>
>
>
>
>On 10/23/14, 1:13 PM, "Taylor Armstrong - NOAA Affiliate" <email@hidden> wrote:
>
>>Tenable (Nessus/Security Center) also are showing the same, but I'm pushing
>>back by pointing out that the only CVE with a true "Critical" rating at
>>this point is Shellshock-related, and we've already patched that via other
>>means. We'll see how it goes....
>>
>>On Thu, Oct 23, 2014 at 3:53 PM, JEFFREY COMPTON <email@hidden> wrote:
>>
>>> Doug,
>>>
>>> I would venture to say that 99% of us have that page bookmarked.
>>>
>>> To John's original point - yes - we understand that a few critical CVE's
>>> have been addressed for 10.9.5 with 2014-005, but there is still a long
>>> list of other CVE's that are "not" addressed for 10.8 and 10.9.
>>>
>>> I think Tim's assumptions are probably most valid. But what is so
>>> frustrating is that every year we are left to do just that -- "assume."
>>>
>>> A policy statement would be most welcome. Just a statement. It can't be
>>> that hard.
>>>
>>> Sent from iCloud to
>>>
>>>
>>> On Oct 23, 2014, at 03:22 PM, Doug Kruth <email@hidden> wrote:
>>>
>>> I will chime in with the following KB Link for your reference:
>>> http://support.apple.com/kb/ht1222
>>>
>>>
>>> Doug Kruth
>>> Systems Engineering Manager
>>> Apple Enterprise Sales
>>> m: 571.218.0805
>>> o: 703.264.3236
>>>
>>>
>>>
>>>
>>>
>>>
>>> > On Oct 23, 2014, at 12:45 PM, John Oliver <email@hidden> wrote:
>>> >
>>> > Agreed. And I *just* pushed a SecUpdate to my Mavericks hosts at the same
>>> > time as this whole ballyhoo started. The problem is the indication /
>>> > possibility that Apple is not fixing every security problem, that they may
>>> > consider some as “unimportant” or unnecessary to fix if a fix is included
>>> > in a newer major release. My first push-back was because of the
>>> > perception that they were mandating a move simply because a newer OS was
>>> > available. That was not the case… they enumerated a couple of dozen or so
>>> > CVEs that they claim are unresolved in Mavericks, which moots your last
>>> > two paragraphs :-)
>>> >
>>> > As far as Apple chiming in, I think we all know that they’ve steadfastly
>>> > refused to provide any information on product lifecycles. So, while they
>>> > *should*, they won’t. Which is another problem.
>>> >
>>> >
>>> > On 10/23/14, 9:16 AM, "Miller, Timothy J." <email@hidden> wrote:
>>> >
>>> >> I couldn't find a concise FAQ on corporate support policy, but on Apple's
>>> >> OS X Support Downloads page I note that they've been actively updating
>>> >> Mavericks, Mountain Lion, and Lion with security critical updates; and
>>> >> Mavericks & Mountain Lion with regular Security Updates. From past
>>> >> behavior, tiny version updates have been released for the most-recent but
>>> >> not current version.
>>> >>
>>> >> From this I surmise the support policy is at least:
>>> >>
>>> >> Critical security -- current, current-1, current-2;
>>> >> Security -- current, current-1;
>>> >> All other updates -- current, current-1.
>>> >>
>>> >> Likely there's an age cutoff in there somewhere, but I don't know what it
>>> >> is. Previously, tiny versions of (current-1) were available for some
>>> >> period after the release of (current), but that seems to have tapered off
>>> >> in recent years.
>>> >>
>>> >> This would be a good place for Shaun or one of the other Apple guys to
>>> >> chime in. :)
>>> >>
>>> >> That said, yes, the availability through the App Store of the major
>>> >> updates certainly creates a pressure to update, but if your corporate
>>> >> governance and IT processes are in line that should only cause minor
>>> >> complaining and isn't a crisis. If they're not, you have more pressing
>>> >> problems than kvetching about the App Store.
>>> >>
>>> >> If your CND / IT Security people can't tell the difference between
>>> >> "public release" and "release to the organization" then you also have
>>> >> bigger problems. Even FDCC lags releases of Windows.
>>> >>
>>> >> -- T
>>> > _______________________________________________
>>> > Do not post admin requests to the list. They will be ignored.
>>> > Fed-talk mailing list (email@hidden)
>>> > Help/Unsubscribe/Update your Subscription:
>>> >
>>> > This email sent to email@hidden
>>
>>
>>
>>--
>>Taylor Armstrong
>>Contractor at NOAA
>>Macintosh Systems Administrator
>>Tel: 301-713-1156, ext 195