Published on March 4, 2014
Slide 1: Common Criteria Config & Admin
Industry Standard InfoSec - MacWorld 2007
Dan O’Donnell
Slide 2: Common Criteria Tools
Go > iDisk > Other User’s Public Folder > odonnells
Notes: presentation and related materials available on my iDisk
Slide 3: Today’s CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - US Govt, Mil, FFRDC, other
- Prior to setup
- Preliminary setup and installation
- Defaults and customizing the setup
- some recommendations
Notes: checklist for what we’ll cover
Slide 4: Common Criteria is...? (according to)
- Apple
- U.S. Government (NIST, NSA)
- Common Criteria Organization
- Wikipedia
- plain language
Notes: Common Criteria is a proper noun, and many organizations use it. It’s a joint collaboration between NIST and NSA, and has its own organization. Wikipedia has the best definition.
Slide 5: Apple definition
www.apple.com/support/security/commoncriteria/
- “...internationally approved set of standards...”
- “...clear, reliable evaluation of the security capabilities of IT products...”
- “...independent assessment of a product’s ability to meet security standards...”
- “international scope... fourteen nations...”
- CC Tools = Configuration Guide + software
Notes: tested for Apple by SAIC - Science Applications International Corp. Apple’s CC Tools installer includes the Config Guide with the software.
Slide 6: The CC Guide
- Common Criteria Configuration and Administration Guide v1.0.1 is the manual.
- www.apple.com/support/security/commoncriteria
- “We’re the M in RTFM.” - macshome, AFP548
Slide 7: U.S. Govt. definition
- NIST, NSA joint project for CCEVS in NIAP
- CCEVS - Common Criteria Evaluation and Validation Scheme, is part of NIAP.
- NIAP - Nat’l Info Assurance Program is to... “...meet the security testing, evaluation, and assessment needs of IT producers and consumers.”
- niap.nist.gov
- niap.bahialab.com/cc-scheme
Slide 8: Wikipedia definition
- Wikipedia definition - useful and decipherable
Slide 9: Common Criteria Org.
- Common Criteria Organization Portal
- comprehensive, thorough, jargon-rich (jargon-heavy)
- http://www.commoncriteriaportal.org/public/consumer/index.php?menu=4
Notes: Usefulness is questionable - at least for me.
Slide 10: signatory countries
- North America: US, Canada
- Western Europe: UK, France, Germany, Spain, Netherlands, Norway
- Asia-Pacific: Australia, New Zealand, Japan, South Korea
Slide 11: “plain language”
- An internationally accepted and agreed upon standard for computer security in a given product.
- Approved - may be required - by your inspectors (DISA or DSS?)
- Apple’s CC Tools is BSM auditing and includes common sense OS hardening
Slide 12: What is BSM?
- BSM = Solaris’ Basic Security Module. This is the auditing system.
- Apple BSM is almost identical to Solaris BSM.
  - minor differences in directory and initialization naming
  - executables and config files are the same: same names, same functions (cool!)
Slide 13: BSM is UNIX
- Buy your UNIX sysadmin a beer. (maybe a lot of beer)
- Learn a little UNIX.
Notes: Tuning the masks, filters, stdin and stdout is very UNIXy. Get some help. The cartoon (reversed) in the top R corner will include a Terminal:sudo operation.
Slide 14: BSM resources
- Sun’s Solaris documentation: Basic Security Module (BSM) Administering Auditing, 50 pages of detail
- docs.sun.com (free)
- PDF on my iDisk
Notes: Available on the iDisk.
Slide 15: more BSM resources
- SysAdmin Mag article (late 2004), “Solaris BSM Auditing”
- Solaris, not OS X; very useful!
- www.samag.com
- PDF on my iDisk
Notes: Most useful document - also on the iDisk.
Slide 16: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Preliminary setup and installation
- Defaults and customizing the setup
- some recommendations
Notes: In our shop, Common Criteria was a subset of NISPOM. You may or may not have to conform to NISPOM, so here’s a brief.
Slide 17: NISPOM
- For us, CCT is a subset of NISPOM.
- What is this? National Industrial Security Program Operating Manual
- www.dss.mil/isec/nispom.htm
- PDF on my iDisk
Notes: (DSS) Defense Security Systems guide to Information Security, available on the public internet. NISPOM defines security for *everything*, not just information systems.
Slide 18: NISPOM Ch. 8, InfoSys Security
- Defines what and how “we” do what we do
- Ch.8-100.a: “Information systems (IS) used to capture, create, store, process, or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information...”
- Ch.8-100.b: “Protection requires ... but is not limited to administrative, operational, physical, computer ... controls. Protective measures commensurate with [security level] are required.”
- NISPOM Ch.8 requires OS security + auditing
Notes: two opening paragraphs of Ch.8, which is the InfoSec section of NISPOM.
Slide 19: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Preliminary setup and installation
- Defaults and customizing the setup
- some recommendations
Slide 20: Qualified h/w, OSes
- PPC: G3, G4, G5 only; no Intel
- Intel (32-, 64-bit) coming soon (Leopard?)
- warning: don’t use PPC Common Criteria Tools on Intel
- lists.apple.com/archive/Fed-talk
Notes: Fed-talk for updates and discussion, maybe get on the beta list
Slide 21: Qualified OSes
- OSX or OSXS 10.3.6 only, is certified
- all other OSX, OSXS >10.3.6, 10.4.x are compliant but not certified
- startup Cmd-v to verify
Notes: This is a “marker” for a system that is ready to have CCT installed. Only 10.3.6 or later will display the “auditing” lines. Note how early in the boot sequence this shows up.
Slide 22: other
- Peripherals: see list in CC Admin Guide, pg.10
- Environment and physical security: controlled access
- Network and connected systems also secured
- Personnel: limited authorized admins; all others ‘user’
Notes: Other factors mentioned in the Guide. Note: limit the number of admins for a system.
Slide 23: Verify the CC .dmg
- SHA-1 digest = 8717a9c935ba0920cb182cffe3a516b4eb5cf7b9
- Doing a SHA-1 digest check: Required? Recommended? Be safe and do it.
- Terminal: /usr/bin/openssl sha1 [path]
- Compare your digest to Apple’s (above). info.apple.com/kbnum/n75510
- Document your work. (All of it.)
Notes: Document your work: 1) memory aid 2) legal proof 3) for your own protection. Most of us don’t do digest checks. This is an occasion when you should.
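An added example (mine, not from the talk, Apple or the Guide) of the digest check as a small script: it computes the SHA-1 with openssl sha1 as the slide does, falls back to sha1sum or shasum where openssl is missing, compares case-insensitively against the published digest, and appends an OK/MISMATCH line to a log file so that the check is documented. The function names, the script name and the log file path are my own choices.

```sh
#!/bin/sh
# verify_dmg.sh - check a downloaded image against a published SHA-1 digest
# before installing from it. Usage: sh verify_dmg.sh PATH EXPECTED_SHA1 [LOGFILE]
# (added example; the script name and function names are assumptions)

# Print the SHA-1 of a file as 40 hex characters and nothing else.
sha1_of() {
    f=$1
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(path)= <hex>"; keep only the hex part.
        openssl sha1 "$f" | sed 's/.*= *//'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$f" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$f" | cut -d' ' -f1
    else
        echo "no SHA-1 tool found" >&2
        return 2
    fi
}

# verify_digest FILE EXPECTED [LOGFILE]
# Returns 0 on match, 1 on mismatch, 2 if no digest could be computed.
# Every outcome is appended to LOGFILE with a UTC timestamp: the slide's
# "document your work", done for you.
verify_digest() {
    f=$1; expected=$2; logfile=${3:-/dev/null}
    actual=$(sha1_of "$f") || return 2
    # Normalise case so an upper-case digest pasted from a web page still matches.
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if [ "$actual" = "$expected" ]; then
        printf '%s OK %s %s\n' "$stamp" "$actual" "$f" >>"$logfile"
        return 0
    fi
    printf '%s MISMATCH expected=%s actual=%s %s\n' "$stamp" "$expected" "$actual" "$f" >>"$logfile"
    return 1
}

# Command-line use: only runs when a path and a digest are given.
if [ $# -ge 2 ]; then
    if verify_digest "$1" "$2" "${3:-/dev/null}"; then
        echo "digest OK: $1"
    else
        echo "digest MISMATCH: do not install from $1" >&2
        exit 1
    fi
fi
```

For the image on the slide that would be `sh verify_dmg.sh /path/to/the/CC-tools.dmg 8717a9c935ba0920cb182cffe3a516b4eb5cf7b9 ~/cc-install.log` (the .dmg path and log name are placeholders); a non-zero exit means the image is not the one Apple published and should not be mounted or installed.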
Slide 24: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Installation and setup
  - GUI config
  - Audit config
- Defaults and customizing the setup
Notes: Things you DO, and things you INSTALL. Some are easy, some are complex.
Slide 25: Host Installation
- Prep the host machine: format and fresh install of 10.3.6 or later; install all relevant updates
- Install the OS: OS X and Server slightly different
- Install Common Criteria Tools from dmg
Slide 26: Common Criteria Panther vs. Tiger
Notes: Panther and Tiger are nearly identical (a few files are slightly different). Operations are identical. Talk will treat them as the same animal.
Slide 27: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Installation and setup
  - GUI config - use the checklist, pp. 29, 73
  - Audit config
- Defaults and customizing the setup
Slide 28: Securing the system
- System Preferences - straightforward, easy
- System Setup: mostly familiar, some GUI, CLI, OF
- Remove Classic
Notes: Screenshot of the Guide TOC.
Slide 29: System Prefs
- Security - password to wake from sleep, no autologin
- Screen Saver - less than 15 min. (we use 10)
- Optical Disks, CD DVD - no auto-open
- Sharing - rlogin, firewall ON, all else OFF
- Accounts - no auto-login; no FUS; hide buttons to Sleep, Restart, Shut Down
- Date & Time - use a NTP server
- Energy Saver - no auto-restart
Notes: Easy GUI steps for better general security.
Slide 30: System Setup (1)
- Directory Access - all off; YMMV - we authenticate to Active Directory
- Set firmware password (PPC and FPU); problematic if you switch boot disks
  - PPC: OFPW on installer DVD, or from www.apple.com/support/downloads/openfirmwarepassword.html; Apple “how to” at docs.info.apple.com/article.html?artnum=106482
  - Intel: Firmware Password Utility on installer DVD
- Disable password hints (plist file)
Slide 31: System Setup (2)
- Removing Classic is a MUST. Classic does not recognize UNIX permissions.
- It’s CLI and it’s fun!
- Tiger has less to remove; for removal from Panther, see pp. 35-36
- This may mean updating files or apps.
Notes: Check the user’s workflow. They may use some old Classic app. Important also is 1990s-era PPT, which cannot be updated with v.X or 2004; it must be updated in two steps with older Classic MS Office.
Slide 32: On passwords
- Password policy can be managed from pwpolicy, see man pwpolicy; based in netinfo
- Works better from AD or LDAP; YMMV
- Apple’s guide is okay, but check with mgmt policy for your reqs. - aging, min. chars, complexity, etc.
Notes: pwpolicy does not enforce upper and lower case letters, even though it says it does. That is, you can configure pwpolicy to require upper and lower, but it doesn’t do the enforcement itself. It will do so when driven by a directory server, however.
Slide 33: sshd_config
- /etc/sshd_config is a unix text file
- default: all are commented out
- uncomment all with BBEdit or vi
Slide 34: Global umask
- Global umask sets file permissions for all new files created by all users.
- “Global” because it is in /Library. It’s a hidden “dot file”: /Library/Preferences/.GlobalPreferences.plist
- Setting umask is like chown, but before the file is created. umask is subtracted from the chown mask, e.g. (chown) 777 - (umask) 077 = 700, so that owner can rwx, group and other have no rights
- set in numerical, displayed in octal
- Check with mgmt policy (and SysAdmin)
Notes: explain what umask and Global umask are. Explain how to get to it (dot file). Explain how to assign values and how it’s complementary with chown.
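To make the umask arithmetic concrete, an added shell example (mine, not from the talk or Apple’s Guide). The slide describes the result as subtraction, 777 - 077 = 700; the kernel actually clears the umask’s bits from the base mode (base AND NOT umask), which gives the same number whenever the umask bits are contained in the base bits. The base for a plain file is 666 rather than 777, so a 077 umask yields a 600 file and a 700 directory; the second function creates a real file under a given umask so you can see that. Function names are my own.

```sh
#!/bin/sh
# Added example: how a umask combines with the base mode of a new file.
# effective_mode BASE UMASK -> resulting octal mode, e.g. 666 077 -> 600
effective_mode() {
    base=$(printf '%d' "0$1")     # "0666" is read as octal -> 438
    mask=$(printf '%d' "0$2")     # "0077" -> 63
    # The kernel clears every bit set in the umask: base AND NOT umask.
    printf '%03o\n' $(( base & ~mask ))
}

# create_with_umask UMASK PATH -> permission string of the new file as
# ls -l shows it (e.g. -rw-------). The umask is changed in a subshell so
# the caller's own umask is untouched.
create_with_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    ls -ld "$2" | cut -c1-10
}

# Demo of the slide's numbers plus the plain-file case: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    echo "directory, umask 077: $(effective_mode 777 077)"   # 700
    echo "plain file, umask 077: $(effective_mode 666 077)"  # 600
    echo "plain file, umask 022: $(effective_mode 666 022)"  # 644
fi
```

Before putting a value into .GlobalPreferences.plist, run effective_mode against the modes your management policy expects for files and directories; a umask of 077 is the one that matches the slide (owner only), 022 is the usual shared default.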
Slide 35: audit & hostconfig
- Auditing is off by default.
- /etc/hostconfig: edit file to add... AUDIT=-YES-
- other options (see your sysadmin): NO, FAILHALT, FAILSTOP
Notes: Auditing is turned on by a line in /etc/hostconfig. This is read by startup rc.audit and handed off to auditd.
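An added example of setting that line without hand-editing (mine, not from the talk or Apple’s installer): it rewrites an existing AUDIT= line or appends one, accepts only the four values the slide lists, keeps the file’s other lines and permissions as they are, and takes the file path as an argument so you can try it on a copy before touching /etc/hostconfig. Function names are mine; AFPSERVER and WEBSERVER in the sample are other hostconfig entries of the same KEY=-VALUE- form.

```sh
#!/bin/sh
# Added example: idempotent edit of a /etc/hostconfig-style file.

# set_hostconfig_key FILE KEY VALUE
# Rewrites an existing KEY=... line in place or appends one. For AUDIT only
# the values rc.audit understands (YES, NO, FAILHALT, FAILSTOP) are accepted.
set_hostconfig_key() {
    file=$1; key=$2; value=$3
    if [ "$key" = AUDIT ]; then
        case $value in
            YES|NO|FAILHALT|FAILSTOP) ;;
            *) echo "AUDIT must be YES, NO, FAILHALT or FAILSTOP" >&2; return 1 ;;
        esac
    fi
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if grep -q "^${key}=" "$file"; then
        sed "s/^${key}=.*/${key}=-${value}-/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        # Make sure the appended line starts on a line of its own.
        [ -n "$(tail -c 1 "$file")" ] && echo >> "$tmp"
        printf '%s=-%s-\n' "$key" "$value" >> "$tmp"
    fi
    # Copy contents back rather than mv, so owner and mode (root, 0644) stay.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# hostconfig_value FILE KEY -> the value without its dashes, e.g. YES
hostconfig_value() {
    sed -n "s/^$2=-\(.*\)-$/\1/p" "$1" | tail -n 1
}
```

On the real machine this is `sudo sh -c '. ./hostconfig.sh; set_hostconfig_key /etc/hostconfig AUDIT YES'` (script name assumed), followed by a reboot or a manual start of auditd, and a check that the boot-time “auditing” lines from slide 21 now appear.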
Slide 36: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Installation and setup
  - GUI config - use the checklist
  - Auditing & audit config
- Defaults and customizing the setup
Slide 37: Review of Audit Tools
- Viewer (GUI)
- audit log directory: /var/audit/
- binary utilities: /usr/sbin/
- configuration files: /etc/security/
Notes: We won’t discuss the man pages, you all know what they are.
Slide 38: rc.audit & auditd
- rc.audit - script that interprets /etc/hostconfig
- auditd - daemon that audits, according to rc.audit
- man auditd; options - start, debug, stop, halt
Notes: The rc.audit script is not very interesting, but you should see it to confirm it is what they tell us it is.
Slide 39: Audit log file (1)
- Location: /var/audit/. All info goes into this file.
- qualities: binary; naming convention; sizes and growth
Notes: Naming convention is YYYYMMDDhhmmss.YYYYMMDDhhmmss. Audit log can grow very large, very fast. Plan ahead (strategize) for rotating and moving the log files.
Slide 40: Audit log file (2)
- What to do with the audit log files? (root access only)
- Script to... rotate (roll) the file; compress it; move it to a server
Notes: For security - the point of auditing - only root should have access. Cron script to rotate the file. Rotation schedule determined by policy. Compress the file and move it to another machine...?
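An added example of the rotate / compress / move script the slide asks for (mine, not from the talk). It treats a trail named START.END in the YYYYMMDDhhmmss.YYYYMMDDhhmmss form of slide 39 as closed, skips the trail auditd is still writing (Apple’s BSM names that one START.not_terminated, a convention I am relying on that the slide does not mention), gzips each closed trail into a root-only archive directory, removes the original only after the compressed copy verifies, and leaves shipping the archive to another host to a command of your choosing so the script itself never touches the network. Directory and function names are assumptions.

```sh
#!/bin/sh
# Added example: archive closed BSM audit trails from /var/audit.

# is_closed_trail NAME -> 0 if NAME is START.END with 14 digits each
is_closed_trail() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{14}\.[0-9]{14}$'
}

# archive_closed_trails SRC_DIR DEST_DIR -> prints each archived name;
# exit status 1 if any trail could not be archived. Runs in a subshell so
# the umask change stays local. Needs root in real use: /var/audit and the
# trails in it are readable by root only, and the archive should be too.
archive_closed_trails() (
    src=$1; dest=$2; rc=0
    umask 077                                   # archives come out 0600
    mkdir -p "$dest" && chmod 700 "$dest" || exit 1
    for path in "$src"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        is_closed_trail "$name" || continue     # leaves *.not_terminated alone
        if gzip -c "$path" > "$dest/$name.gz" && gzip -t "$dest/$name.gz"; then
            rm -f "$path"                       # original goes only after a verified copy
            echo "$name"
        else
            rm -f "$dest/$name.gz"
            echo "failed to archive $name" >&2
            rc=1
        fi
    done
    exit $rc
)

# fmt_ts 20070110120000 -> 2007-01-10T12:00:00
fmt_ts() {
    echo "$1" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3T\4:\5:\6/'
}

# trail_span NAME -> "START END" as readable timestamps, for deciding which
# archives are older than the retention policy allows.
trail_span() {
    printf '%s %s\n' "$(fmt_ts "${1%%.*}")" "$(fmt_ts "${1#*.}")"
}
```

Run it from a root cron job on the schedule your policy sets, e.g. `archive_closed_trails /var/audit /var/audit-archive` (directory name assumed) followed by your scp or rsync-over-ssh of /var/audit-archive to the log server; `audit -n` (the audit command’s rotate option from its man page, not from the slides) closes the current trail first if the rotation should include it.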
Slide 41: Audit log file (3)
- Input to the audit log can (should) be masked
- use audit to set the config files
Notes: Auditing is control (masking) of a specified collection of events, users and classes. Masking is done by the config files, which are modified by audit. These are not XML config files, they are standard text. Modify them with vi or BBEdit.
Slide 42: CC Tools talk is...
- Common Criteria - what is it?
- NISPOM - .gov, .mil, FFRDC, other
- Prior to setup
- Installation and setup
  - GUI config - use the checklist
  - Auditing, audit config, presentation
- Defaults and customizing the setup
Slide 43: Audit process utils
- rc.audit, auditd - initialization and startup - the auditing process
- audit - masks (tunes) what is audited and written to the audit log file
- auditreduce - filters a subset out of the audit log file for output, presentation
- praudit - presentation to stdout, Audit Log Viewer, txt, lp
Slide 44: audit flow (diagram)
Slide 45: BSM Audit Tuning
- audit_control - manages audit system parameters
- “...The real difficulty with BSM is tuning the level of auditing on the system.” - Hal Pomeranz
Slide 46: OS X Audit Tuning
- “The actual events being captured are only those required for certification.” - Shawn Geddis, Security Consulting Engineer, Apple
- default is displayed; YMMV
Notes: Note the different flags being captured by Apple’s default versus the Sun default in the previous slide.
Slide 47: OS X Audit Tuning
- flags: lo = log in/out; ad = all admin events; -all, ^-fc, ^-cl = all failures except creating or closing files
- naflags: log in/out
Notes: interpretation of Apple’s default flags. You will probably want to set your own flags according to policy defined by management.
Slide 48: Audit Event Classes
- Classes used in: audit_control (flags, naflags); audit_user (alwaysaudit, neveraudit)
- Roll your own too, with custom audit classes!
Notes: Standard set of flags. All can be modified with [+ - ^].
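As an added example covering the two slides above (mine, not from the talk or Apple’s Guide): a checker that pulls the flags: line out of an audit_control-style file, applies the [+ - ^] prefixes token by token (no prefix = success and failure, + = success only, - = failure only, ^ = take away what an earlier token added), and reports any class your policy requires that is not audited for both outcomes. Run against Apple’s default flags it confirms lo and ad are fully audited and shows fc and cl are not audited at all (the -all failures minus the ^-fc and ^-cl removals), which is a quick post-install check that nobody has quietly switched login/logout auditing off. Function names are mine; dir:, naflags: and minfree: in the sample are other audit_control entries.

```sh
#!/bin/sh
# Added example: check audit_control flags against a required list.

# audit_control_get FILE KEY -> value after "KEY:" (last one wins)
audit_control_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1
}

# flag_state FLAGS CLASS -> both | success | failure | none
# Walks the comma-separated flag string left to right, the way the audit
# system applies it, and reports which outcomes of CLASS are audited.
flag_state() {
    flags=$1; class=$2
    succ=0; fail=0
    old_ifs=$IFS; IFS=,
    for tok in $flags; do
        case $tok in
            "$class"|all)       succ=1; fail=1 ;;   # both outcomes
            "+$class"|+all)     succ=1 ;;           # successes only
            "-$class"|-all)     fail=1 ;;           # failures only
            "^$class"|^all)     succ=0; fail=0 ;;   # remove both
            "^+$class"|^+all)   succ=0 ;;           # remove successes
            "^-$class"|^-all)   fail=0 ;;           # remove failures
        esac
    done
    IFS=$old_ifs
    case "$succ$fail" in
        11) echo both ;; 10) echo success ;; 01) echo failure ;; *) echo none ;;
    esac
}

# check_required_classes FILE CLASS... -> 0 when every class is audited for
# both success and failure, 1 otherwise; each gap is reported on stderr.
check_required_classes() {
    file=$1; shift
    flags=$(audit_control_get "$file" flags)
    rc=0
    for c in "$@"; do
        s=$(flag_state "$flags" "$c")
        if [ "$s" != both ]; then
            echo "audit_control: class $c audited for '$s' only (flags: $flags)" >&2
            rc=1
        fi
    done
    return $rc
}
```

A typical policy check is `check_required_classes /etc/security/audit_control lo ad` from the same root cron job that rotates the trails; a non-zero exit is worth an alert, since the flags line is plain text and a one-character edit is enough to drop a class.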
Slide 49: More on tuning
- See the OS X man pages: man audit_control, man audit_event, man audit_class, man audit_user
- See Pomeranz, “Solaris BSM Auditing”
- See Sun docs - Administering Auditing
Notes: See Pomeranz first, then Sun.
Slide 50: Audit presentation
- Converts audit log file from binary to human-readable
- GUI - /Apps/Utils/Audit Log Viewer: display only (currently), no manipulation
- CLI - auditreduce | praudit: output to .txt or lp; manipulable - sed, awk, perl...
Notes: The log file is binary and not human-readable. Filtering of output from the log file is done by auditreduce, which pipes to praudit. Conversion to human-readable form is done by praudit, which writes to stdout.
Slide 51: Audit Log Viewer (screenshot)
Notes: For interpreting the entries see Apple’s Guide, Appendix C.
Slide 52: Log file management
- Last word: Don’t forget that these files can get big fast.
- Zip them, or move them, roll them or delete them, or else... UNIX sysadmin...
Slide 53: Understanding CC Config & Admin
“In reality we are not super-uber-geeks by some natural ability. No, we are just the ones who took the time to understand the tools and technologies we use. Sometimes we are the only ones who actually read the manual. N + 1 = Expert” - chuck goolsbee, Mac Mgrs’ listmom
Notes: We all build on those who came before us. You here today will take something and build on it. I am barely one half-step ahead of you.
Slide 54: Common Criteria Tools
Go > iDisk > Other User’s Public Folder > odonnells
Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use