Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use

80 %
20 %
Information about Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use
Technology

Published on March 4, 2014

Author: dano45

Source: slideshare.net

Description

In 2006 Apple introduced BSM into OSX, and had it certified according to Common Criteria. This presentation at Macworld 2007 describes how to install, configure and use BSM according to Apple's instructions, and why it satisfies Common Criteria standards.

Common Criteria Config & Admin Industry Standard InfoSec - MacWorld 2007 Dan O’Donnell 1

Common Criteria Tools Go > iDisk > Other User’s Public Folder > odonnells 2 presentation and related materials available on my iDisk

Today’s CC Tools talk is... Common Criteria - what is it? NISPOM - US Govt, Mil, FFRDC, other Prior to setup Preliminary setup and installation Defaults and customizing the setup some recommendations 3 checklist for what we’ll cover

Common Criteria is...? (according to) Apple U.S. Government (NIST, NSA) Common Criteria Organization Wikipedia plain language 4 Common Criteria is a proper noun, and many organizations use it. It’s a joint collaboration between NIST and NSA, and has its own organization. Wikipedia has the best definition.

Apple definition www.apple.com/support/security/ commoncriteria/ “...internationally approved set of standards...” “...clear, reliable evaluation of the security capabilities of IT products...” “...independent assessment of a product’s ability to meet security standards...” “international scope... fourteen nations...” CC Tools = Configuration Guide + software 5 tested for Apple by SAIC - Science Applications International Corp. Apple’s CC Tools installer includes the Config Guide with the software.

The CC Guide Common Criteria Configuration and Administration Guide v1.0.1 is the manual. www.apple.com/support/security/ commoncriteria “We’re the M in RTFM.” - macshome, AFP548 6

U.S. Govt. definition NIST, NSA joint project for CCEVS in NIAP CCEVS - Common Criteria Evaluation and Validation Scheme, is part of NIAP. NIAP - Nat’l Info Assurance Program is to... “...meet the security testing, evaluation, and assessment needs of IT producers and consumers.” niap.nist.gov niap.bahialab.com/cc-scheme 7

Wikipedia definition Wikipedia definition - useful and decipherable 8

Common Criteria Org. Common Criteria Organization Portal comprehensive thorough jargon-rich (jargon-heavy) http://www.commoncriteriaportal.org/ public/consumer/index.php?menu=4 9 Usefulness is questionable - at least for me.

signatory countries North America US, Canada Western Europe UK, France, Germany, Spain, Netherlands, Norway Asia-Pacific Australia, New Zealand, Japan, South Korea 10

“plain language” An internationally accepted and agreed upon standard for computer security in a given product. Approved - may be required - by your inspectors (DISA or DSS?) Apple’s CC Tools is BSM auditing and includes common sense OS hardening 11

What is BSM? BSM = Solaris’ Basic Security Module This is the auditing system. Apple BSM is almost identical to Solaris BSM. minor differences in directory and initialization naming executables and config files are the same same names, same functions (cool!) 12

BSM is UNIX Buy your UNIX sysadmin a beer. (maybe a lot of beer) Learn a little UNIX. 13 Tuning the masks, filters, stdin and stdout is very UNIXy. Get some help. The cartoon (reversed) in the top R corner will include a Terminal:sudo operation.

BSM resources Sun’s Solaris documentation Basic Security Module (BSM) Administering Auditing 50 pages of detail docs.sun.com (free) PDF on my iDisk 14 Available on the iDisk.

more BSM resources SysAdmin Mag article (late 2004) “Solaris BSM Auditing” Solaris, not OS X very useful! www.samag.com PDF on my iDisk 15 Most useful document - also on the iDisk.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Preliminary setup and installation Defaults and customizing the setup some recommendations 16 In our shop, Common Criteria was a subset of NISPOM. You may or may not have to conform to NISPOM, so here’s a brief.

NISPOM For us, CCT is a subset of NISPOM. What is this? National Industrial Security Program Operating Manual www.dss.mil/isec/ nispom.htm PDF on my iDisk 17 (DSS) Defense Security Systems guide to Information Security, available on the public internet. NISPOM defines security for *everything*, not just information systems.

NISPOM Ch. 8, InfoSys Security Defines what and how “we” do what we do Ch.8-100.a: “Information systems (IS) used to capture, create, store, process, or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information...” Ch.8-100.b: “Protection requires ... but is not limited to administrative, operational, physical, computer ... controls. Protective measures commensurate with [security level] are required.” NISPOM Ch.8 requires OS security + auditing 18 two opening paragraphs on Ch.8, which is the InfoSec section of NISPOM.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Preliminary setup and installation Defaults and customizing the setup some recommendations 19

Qualified h/w, OSes PPC: G3, G4, G5 only no Intel Intel (32-, 64-bit) coming soon (Leopard?) warning: don’t use PPC Common Criteria Tools on Intel lists.apple.com/archive/Fed-talk 20 Fed-talk for updates and discussion, maybe get on the beta list

Qualified OSes OSX or OSXS 10.3.6 only, is certified all other OSX, OSXS >10.3.6, 10.4.x are compliant but not certified startup Cmd-v to verify 21 This is a “marker” for a system that is ready to have CCT installed. Only 10.3.6 or later will display the “auditing” lines. Note how early in the boot sequence this shows up.

other Peripherals see list in CC Admin Guide, pg.10 Environment and physical security Controlled access Network and connected systems also secured Personnel limited authorized admins; all others ‘user’ 22 Other factors mentioned in the Guide. Note: limit the number of admins for a system.

Verify the CC .dmg SHA-1 digest =8717a9c935ba0920cb182cffe3a516b4eb5cf7b9 Doing a SHA-1 digest check Required? Recommended? Be safe and do it. Terminal: /usr/bin/openssl sha1 [path] Compare your digest to Apple’s (above). info.apple.com/kbnum/n75510 Document your work. (All of it.) 23 Document your work: 1) memory aid 2) legal proof 3) for your own protection Most of us don’t do digest checks. This is an occasion when you should.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Installation and setup GUI config Audit config Defaults and customizing the setup 24 Things you DO, and things you INSTALL. Some are easy, some are complex.

Host Installation Prep the host machine format and fresh install of 10.3.6 or later install all relevant updates Install the OS OS X and Server slightly different Install Common Criteria Tools from dmg 25

Common Criteria Panther vs. Tiger 26 Panther and Tiger are nearly identical (a few files are slightly different). Operations are identical. Talk will treat them as the same animal.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Installation and setup GUI config - use the checklist, pp. 29, 73 Audit config Defaults and customizing the setup 27

Securing the system System Preferences - straightforward, easy System Setup mostly familiar, some GUI, CLI, OF Remove Classic 28 Screenshot of the Guide TOC.

System Prefs Security - password to wake from sleep, no autologin Screen Saver - less than :15 min. (we use :10) Optical Disks, CD DVD - no auto-open Sharing - rlogin, firewall ON, all else OFF Accounts - no auto-login; no FUS; hide buttons to Sleep, Restart, Shut Down Date & Time - use a NTP server Energy Saver - no auto-restart 29 Easy GUI steps for better general security.

System Setup (1) Directory Access - all off YMMV - we authenticate to Active Directory Set firmware password (PPC and FPU) problematic if you switch boot disks PPC: OFPW on installer DVD, or from www.apple.com/support/ downloads/openfirmwarepassword.html Apple “how to” at docs.info.apple.com/article.html?artnum=106482 Intel: Firmware Password Utility on installer DVD Disable password hints (plist file) 30

System Setup (2) Removing Classic is a MUST Classic does not recognize UNIX permissions. It’s CLI and it’s fun! Tiger has less to remove for removal from Panther, see pp. 35-36 This may mean updating files or apps. 31 Check user’s workflow. They may use some old Classic app. Important also is 1990s-era PPT which cannot be updated with v.X or 2004, must be updated in two steps with older Classic MS Office.

On passwords Password policy can be managed from pwpolicy, see man pwpolicy based in netinfo Works better from AD or LDAP YMMV Apple’s guide is okay, but check with mgmt policy for your reqs. - aging, min. chrxrs, complexity, etc. 32 pwpolicy does not enforce upper and lower case letters, even though it says it does. That is, you can configure pwpolicy to require upper and lower, but it doesn’t do the enforcement itself. It will do so when driven by a directory server however.

sshd_config /etc/sshd_config is a unix text file default all are commented out uncomment all with BBEdit or vi 33

Global umask Global umask sets file permissions for all new files created by all users. “Global” because it is in /Library. It’s a hidden “dot file”. /Library/Preferences/.GlobalPreferences.plist Setting umask is like chown, but before the file is created. umask is subtracted from the chown mask. e.g. (chown) 777 - (umask) 077 = 700, so that owner can rwx, group and other have no rights set in numerical, displayed in octal Check with mgmt policy (and SysAdmin) 34 explain what umask and Global umask are. Explain how to get to it (dot file). Explain how to assign values and how it’s complementary with chown.

audit & hostconfig Auditing is off by default. /etc/hostconfig Edit file to add... AUDIT=-YES- other options see your sysadmin NO, FAILHALT, FAILSTOP 35 Auditing is turned on by a line in /etc/hostconfig. This is read by startup rc.audit and handed off to auditd.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Installation and setup GUI config - use the checklist Auditing & audit config Defaults and customizing the setup 36

Review of Audit Tools Viewer (GUI) audit log directory /var/audit/ binary utilities /usr/sbin/ configuration files /etc/security/ 37 We won’t discuss the man pages, you all know what they are.

rc.audit & auditd rc.audit - script that interprets etc/hostconfig auditd - daemon that audits, according to rc.audit man auditd options - start, debug, stop, halt 38 The rc.audit script is not very interesting, but you should see it to confirm it is what they tell us it is.

Audit log file (1) Location /var/audit/ All info goes into this file. qualities binary naming convention sizes and growth 39 Naming convention is YYYYMMDDhhmmss.YYYYMMDDhhmmss Audit log can grow very large, very fast. Plan ahead (strategize) for rotating and moving the log files.

Audit log file (2) What to do with the audit log files? (root access only) Script to... rotate (roll) the file compress it move it to a server 40 For security - the point of auditing - only root should have access. Cron script to rotate the file. Rotation schedule determined by policy. Compress the file and move it to another machine...?

Audit log file (3) Input to the audit log can (should) be masked use audit to set the config files 41 Auditing is control (masking) of a specified collection of events, users and classes. Masking is done by the config files which are modified by audit. These are not XML config files, they are standard text. Modify them with vi or BBEdit.

CC Tools talk is... Common Criteria - what is it? NISPOM - .gov, .mil, FFRDC, other Prior to setup Installation and setup GUI config - use the checklist Auditing, audit config, presentation Defaults and customizing the setup 42

Audit process utils rc.audit auditd - initialization and startup - the auditing process audit - masks (tunes) what is audited and written to the audit log file auditreduce - filters a subset out of the audit log file for output, presentation praudit - presentation to stdout, Audit Log Viewer, txt, lp 43

audit flow 44

BSM Audit Tuning audit_control - manages audit system parameters “...The real difficulty with BSM is tuning the level of auditing on the system.” - Hal Pomeranz 45

OS X Audit Tuning “The actual events being captured are only those required for certification.” Shawn Geddis, Security Consulting Engineer, Apple default is displayed YMMV 46 Note different flags being captured by Apple’s default versus Sun default in previous slide.

OS X Audit Tuning flags: lo = log in/out ad = all admin events -all, ^-fc, ^-cl = all failures except creating or closing files naflags: log in/out 47 interpretation of Apple’s default flags You will probably want to set your own flags according to policy defined by management.

Audit Event Classes Classes used in: audit_control flags naflags audit_user alwaysaudit neveraudit Roll your own too, with custom audit classes! 48 Standard set of flags. All can be modified with [+ - ^].

More on tuning See the OS X man pages man audit_control man audit_event man audit_class man audit_user See Pomeranz, “Solaris BSM Auditing” See Sun docs - Administering Auditing 49 See Pomeranz first, then Sun.

Audit presentation Converts audit log file from binary to humanreadable GUI - /Apps/Utils/Audit Log Viewer display only (currently), no manipulation CLI - auditreduce | praudit output to .txt or lp manipulable - sed, awk, perl... 50 The log file is binary and not human-readable. Filtering of output from log file is done by auditreduce, which pipes to praudit. Conversion to HR is done by praudit which outputs stdout.

Audit Log Viewer 51 For interpreting the entries see Apple’s Guide, Appendix C.

Log file management Last word: Don’t forget that these files can get big fast. Zip them, or move them, roll them or delete them, or else... UNIX sysadmin... 52

Understanding CC Config & Admin “In reality we are not super-uber-geeks by some natural ability. No, we are just the ones who took the time to understand the tools and technologies we use. Sometimes we are the only ones who actually read the manual. N + 1 = Expert ” - chuck goolsbee, Mac Mgrs’ listmom 53 We all build on those who came before us. You here today will take something and build on it. I am barely one half-step ahead of you.

Common Criteria Tools Go > iDisk > Other User’s Public Folder > odonnells 54

Add a comment

Related presentations

Related pages

How to Install Mac OSX 10.4.6 on a PC [Dual Boot] - Documents

Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use
Read more

How To Install kasahorow Keyboard for Mac OSX - Self ...

Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use
Read more

Re: [Fed-Talk] Common Criteria Tools Install Questions

Subject: Re: [Fed-Talk] Common Criteria Tools Install Questions; ... Mac OS X Server 10.3.6. ... (based on Sun's BSM) into Mac OS X 10.3.x, 10.4.x and beyond.
Read more

OpenBSM auditing on Mac OS X | Der Flounder

Common Criteria certification means ... OpenBSM > OpenBSM auditing on Mac OS X ... and data protection. 10.3.6 and 10.3.6 Server ...
Read more

OpenBSM - Wikipedia, the free encyclopedia

OpenBSM is derived from the BSM audit implementation found in Apple's open ... and has been announced as a Mac OS X Snow Leopard ... Common Criteria;
Read more

Mac OS X Tiger - Wikipedia, the free encyclopedia

Mac OS X 10.4 Tiger is the fifth major release ... Old World ROM Macs require the use of XPostFacto to install Tiger. ... Remote Install Mac OS X ...
Read more