common criteria and bsm in osx (10.3.6 and 10.4.x) - how to install and use

Common Criteria Config & Admin Industry Standard InfoSec - MacWorld 2007 Dan O’Donnell 1

Upload: daniel-odonnell

Post on 01-Nov-2014

Category: Technology

DESCRIPTION

In 2006 Apple introduced BSM into OSX, and had it certified according to Common Criteria. This presentation at Macworld 2007 describes how to install, configure and use BSM according to Apple's instructions, and why it satisfies Common Criteria standards.

TRANSCRIPT

Page 1: Common Criteria and BSM in OSX (10.3.6 and 10.4.x) - How to Install and Use

Common Criteria Config & Admin

Industry Standard InfoSec - MacWorld 2007

Dan O’Donnell

Page 2

Common Criteria Tools

Go > iDisk > Other User’s Public Folder > odonnells

presentation and related materials available on my iDisk

Page 3

Today’s CC Tools talk is...

Common Criteria - what is it?

NISPOM - US Govt, Mil, FFRDC, other

Prior to setup

Preliminary setup and installation

Defaults and customizing the setup

some recommendations

checklist for what we’ll cover

Page 4

Common Criteria is...? (according to)

Apple

U.S. Government (NIST, NSA)

Common Criteria Organization

Wikipedia

plain language

Common Criteria is a proper noun, and many organizations use it. It’s a joint collaboration between NIST and NSA, and has its own organization. Wikipedia has the best definition.

Page 5

Apple definition

www.apple.com/support/security/commoncriteria/

“...internationally approved set of standards...”

“...clear, reliable evaluation of the security capabilities of IT products...”

“...independent assessment of a product’s ability to meet security standards...”

“international scope... fourteen nations...”

CC Tools = Configuration Guide + software

Tested for Apple by SAIC - Science Applications International Corp.

Apple’s CC Tools installer includes the Config Guide with the software.

Page 6

The CC Guide

Common Criteria Configuration and Administration Guide v1.0.1 is the manual.

www.apple.com/support/security/commoncriteria

“We’re the M in RTFM.” - macshome, AFP548

Page 7

U.S. Govt. definition

NIST, NSA joint project for CCEVS in NIAP

CCEVS - Common Criteria Evaluation and Validation Scheme, is part of NIAP.

NIAP - Nat’l Info Assurance Program is to...

“...meet the security testing, evaluation, and assessment needs of IT producers and consumers.”

niap.nist.gov

niap.bahialab.com/cc-scheme

Page 8

Wikipedia definition

Wikipedia definition - useful and decipherable

Page 9

Common Criteria Org.

Common Criteria Organization Portal

comprehensive

thorough

jargon-rich (jargon-heavy)

http://www.commoncriteriaportal.org/public/consumer/index.php?menu=4

Usefulness is questionable - at least for me.

Page 10

signatory countries

North America: US, Canada

Western Europe: UK, France, Germany, Spain, Netherlands, Norway

Asia-Pacific: Australia, New Zealand, Japan, South Korea

Page 11

“plain language”

An internationally accepted and agreed upon standard for computer security in a given product.

Approved - may be required - by your inspectors (DISA or DSS?)

Apple’s CC Tools is BSM auditing and includes common sense OS hardening

Page 12

What is BSM?

BSM = Solaris’ Basic Security Module

This is the auditing system.

Apple BSM is almost identical to Solaris BSM.

minor differences in directory and initialization naming

executables and config files are the same

same names, same functions (cool!)

Page 13

BSM is UNIX

Buy your UNIX sysadmin a beer.

(maybe a lot of beer)

Learn a little UNIX.

Tuning the masks, filters, stdin and stdout is very UNIXy. Get some help.

The cartoon (reversed) in the top R corner will include a Terminal:sudo operation.

Page 14

BSM resources

Sun’s Solaris documentation

Basic Security Module (BSM)

Administering Auditing

50 pages of detail

docs.sun.com (free)

PDF on my iDisk

Available on the iDisk.

Page 15

more BSM resources

SysAdmin Mag article (late 2004)

“Solaris BSM Auditing”

Solaris, not OS X

very useful!

www.samag.com

PDF on my iDisk

Most useful document - also on the iDisk.

Page 16

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Preliminary setup and installation

Defaults and customizing the setup

some recommendations

In our shop, Common Criteria was a subset of NISPOM. You may or may not have to conform to NISPOM, so here’s a brief.

Page 17

NISPOM

For us, CCT is a subset of NISPOM.

What is this?

National Industrial Security Program Operating Manual

www.dss.mil/isec/nispom.htm

PDF on my iDisk

(DSS) Defense Security Systems guide to Information Security, available on the public internet.

NISPOM defines security for *everything*, not just information systems.

Page 18

NISPOM Ch. 8, InfoSys Security

Defines what and how “we” do what we do

Ch.8-100.a: “Information systems (IS) used to capture, create, store, process, or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information...”

Ch.8-100.b: “Protection requires ... but is not limited to administrative, operational, physical, computer ... controls. Protective measures commensurate with [security level] are required.”

NISPOM Ch.8 requires OS security + auditing

two opening paragraphs on Ch.8, which is the InfoSec section of NISPOM.

Page 19

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Preliminary setup and installation

Defaults and customizing the setup

some recommendations

Page 20

Qualified h/w, OSes

PPC: G3, G4, G5 only - no Intel

Intel (32-, 64-bit) coming soon (Leopard?)

warning: don’t use PPC Common Criteria Tools on Intel

lists.apple.com/archive/Fed-talk

Fed-talk for updates and discussion, maybe get on the beta list

Page 21

Qualified OSes

OSX or OSXS 10.3.6 only, is certified

all other OSX, OSXS >10.3.6, 10.4.x are compliant but not certified

startup Cmd-v to verify

This is a “marker” for a system that is ready to have CCT installed. Only 10.3.6 or later will display the “auditing” lines. Note how early in the boot sequence this shows up.

Page 22

other

Peripherals

see list in CC Admin Guide, pg.10

Environment and physical security

Controlled access

Network and connected systems also secured

Personnel

limited authorized admins; all others ‘user’

Other factors mentioned in the Guide.

Note: limit the number of admins for a system.

Page 23

Verify the CC .dmg

SHA-1 digest = 8717a9c935ba0920cb182cffe3a516b4eb5cf7b9

Doing a SHA-1 digest check

Required? Recommended?

Be safe and do it.

Terminal: /usr/bin/openssl sha1 [path]

Compare your digest to Apple’s (above).

info.apple.com/kbnum/n75510

Document your work. (All of it.)

Document your work: 1) memory aid 2) legal proof 3) for your own protection

Most of us don’t do digest checks. This is an occasion when you should.
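The digest check from this slide as a script that also keeps the written record the slide asks for. This is an added example, not part of the talk or of Apple's guide; the log file name is hypothetical, and the reference digest is the one printed on the slide.

```shell
#!/bin/sh
# Added example, not from the talk. The log file name is hypothetical.

# Digest published on the slide above.
APPLE_SHA1="8717a9c935ba0920cb182cffe3a516b4eb5cf7b9"

# sha1_of FILE: print the lowercase hex SHA-1 of FILE.
# openssl prints "SHA1(stdin)= <hex>" (old builds print only the hex), so
# take the last field. Falls back to sha1sum/shasum if openssl is absent.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl sha1 < "$1" | awk '{print $NF}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{print $1}'
    else
        shasum -a 1 < "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# verify_image FILE EXPECTED [LOGFILE]
# Returns 0 on match, 1 on mismatch, 2 on unusable input. Every comparison
# is appended to LOGFILE with a UTC timestamp as a record of the check.
verify_image() {
    v_file=$1
    v_want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    v_log=${3:-/dev/null}
    # Reject a truncated or empty reference digest: comparing two empty
    # strings would otherwise "pass" if hashing silently failed.
    case $v_want in
        ''|*[!0-9a-f]*) echo "bad reference digest" >&2; return 2 ;;
    esac
    [ "${#v_want}" -eq 40 ] || { echo "bad reference digest" >&2; return 2; }
    [ -r "$v_file" ] || { echo "cannot read $v_file" >&2; return 2; }
    v_got=$(sha1_of "$v_file")
    if [ "$v_got" = "$v_want" ]; then
        v_res=MATCH; v_rc=0
    else
        v_res=MISMATCH; v_rc=1
    fi
    printf '%s %s file=%s expected=%s actual=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$v_res" "$v_file" \
        "$v_want" "$v_got" >> "$v_log"
    return $v_rc
}

# Usage: sh verify.sh /path/to/image.dmg
if [ $# -ge 1 ]; then
    verify_image "$1" "$APPLE_SHA1" ./cc-tools-verify.log
fi
```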

Page 24

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Installation and setup

GUI config

Audit config

Defaults and customizing the setup

Things you DO, and things you INSTALL.

Some are easy, some are complex.

Page 25

Host Installation

Prep the host machine

format and fresh install of 10.3.6 or later

install all relevant updates

Install the OS

OS X and Server slightly different

Install Common Criteria Tools from dmg

Page 26

Common Criteria

Panther vs. Tiger

Panther and Tiger are nearly identical (a few files are slightly different).

Operations are identical. Talk will treat them as the same animal.

Page 27

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Installation and setup

GUI config - use the checklist, pp. 29, 73

Audit config

Defaults and customizing the setup

Page 28

Securing the system

System Preferences - straightforward, easy

System Setup - mostly familiar, some GUI, CLI, OF

Remove Classic

Screenshot of the Guide TOC.

Page 29

System Prefs

Security - password to wake from sleep, no auto-login

Screen Saver - less than :15 min. (we use :10)

Optical Disks, CD DVD - no auto-open

Sharing - rlogin, firewall ON, all else OFF

Accounts - no auto-login; no FUS; hide buttons to Sleep, Restart, Shut Down

Date & Time - use a NTP server

Energy Saver - no auto-restart

Easy GUI steps for better general security.

Page 30

System Setup (1)

Directory Access - all off

YMMV - we authenticate to Active Directory

Set firmware password (PPC and FPU)

problematic if you switch boot disks

PPC: OFPW on installer DVD, or from www.apple.com/support/downloads/openfirmwarepassword.html

Apple “how to” at docs.info.apple.com/article.html?artnum=106482

Intel: Firmware Password Utility on installer DVD

Disable password hints (plist file)

Page 31

System Setup (2)

Removing Classic is a MUST

Classic does not recognize UNIX permissions.

It’s CLI and it’s fun!

Tiger has less to remove

for removal from Panther, see pp. 35-36

This may mean updating files or apps.

Check the user’s workflow. They may use some old Classic app. Also important: 1990s-era PPT files cannot be updated with v.X or 2004; they must be updated in two steps with older Classic MS Office.

Page 32

On passwords

Password policy can be managed from pwpolicy, see man pwpolicy

based in netinfo

Works better from AD or LDAP

YMMV

Apple’s guide is okay, but check with mgmt policy for your reqs. - aging, min. characters, complexity, etc.

pwpolicy does not enforce upper and lower case letters, even though it says it does. That is, you can configure pwpolicy to require upper and lower, but it doesn’t do the enforcement itself. It will do so when driven by a directory server however.

Page 33

sshd_config

/etc/sshd_config is a unix text file

default all are commented out

uncomment all with BBEdit or vi

Page 34

Global umask

Global umask sets file permissions for all new files created by all users.

“Global” because it is in /Library. It’s a hidden “dot file”.

/Library/Preferences/.GlobalPreferences.plist

Setting umask is like chown, but before the file is created.

umask is subtracted from the chown mask. e.g. (chown) 777 - (umask) 077 = 700, so that owner can rwx, group and other have no rights

set in numerical, displayed in octal

Check with mgmt policy (and SysAdmin)

explain what umask and Global umask are. Explain how to get to it (dot file). Explain how to assign values and how it’s complementary with chown.
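The 777/077 case from this slide, generalized as an added example (not part of the talk): the system clears each umask bit from the requested permission bits rather than subtracting, and the two only differ once the request is not 777, as with the 666 that plain files typically ask for. It also prints the decimal form of each octal umask for the "set in numerical" step; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk.

# is_octal STRING: true for 1 to 4 octal digits.
is_octal() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    [ "${#1}" -le 4 ]
}

# effective_mode REQUESTED UMASK
# What a new file gets: every bit set in UMASK is cleared from REQUESTED.
effective_mode() {
    is_octal "$1" && is_octal "$2" || return 2
    printf '%03o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# naive_subtract REQUESTED UMASK: plain octal subtraction, for comparison.
naive_subtract() {
    is_octal "$1" && is_octal "$2" || return 2
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# umask_to_decimal UMASK: the decimal integer for an octal umask
# (the form a plist integer value is written in).
umask_to_decimal() {
    is_octal "$1" || return 2
    printf '%d\n' $(( 0$1 ))
}

# mode_to_rwx MODE: render three octal digits as rwxrwxrwx.
mode_to_rwx() {
    is_octal "$1" || return 2
    m_out=
    for m_bit in 0400 0200 0100 040 020 010 04 02 01; do
        case $m_bit in *4*) m_c=r ;; *2*) m_c=w ;; *) m_c=x ;; esac
        if [ $(( 0$1 & $m_bit )) -ne 0 ]; then
            m_out=$m_out$m_c
        else
            m_out=$m_out-
        fi
    done
    printf '%s\n' "$m_out"
}

# Table: directories are typically requested as 777, plain files as 666.
for u in 077 027 022; do
    d=$(effective_mode 777 "$u")
    f=$(effective_mode 666 "$u")
    printf 'umask %s (decimal %s): dir %s %s  file %s %s  (666-%s = %s)\n' \
        "$u" "$(umask_to_decimal "$u")" "$d" "$(mode_to_rwx "$d")" \
        "$f" "$(mode_to_rwx "$f")" "$u" "$(naive_subtract 666 "$u")"
done
```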

Page 35

audit & hostconfig

Auditing is off by default.

/etc/hostconfig

Edit file to add...

AUDIT=-YES-

other options see your sysadmin

NO, FAILHALT, FAILSTOP

Auditing is turned on by a line in /etc/hostconfig. This is read by startup rc.audit and handed off to auditd.

Page 36

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Installation and setup

GUI config - use the checklist

Auditing & audit config

Defaults and customizing the setup

Page 37

Review of Audit Tools

Viewer (GUI)

audit log directory: /var/audit/

binary utilities: /usr/sbin/

configuration files: /etc/security/

We won’t discuss the man pages, you all know what they are.

Page 38

rc.audit & auditd

rc.audit - script that interprets /etc/hostconfig

auditd - daemon that audits, according to rc.audit

man auditd

options - start, debug, stop, halt

The rc.audit script is not very interesting, but you should see it to confirm it is what they tell us it is.

Page 39

Audit log file (1)

Location /var/audit/

All info goes into this file.

qualities

binary

naming convention

sizes and growth

Naming convention is YYYYMMDDhhmmss.YYYYMMDDhhmmss

Audit log can grow very large, very fast.

Plan ahead (strategize) for rotating and moving the log files.

Page 40

Audit log file (2)

What to do with the audit log files?

(root access only)

Script to...

rotate (roll) the file

compress it

move it to a server

For security - the point of auditing - only root should have access.

Cron script to rotate the file.

Rotation schedule determined by policy.

Compress the file and move it to another machine...?
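One way to write the rotate, compress and move script outlined on this slide, using the file naming convention from the previous one to pick out finished logs. This is an added example, not the speaker's script: the archive directory is a hypothetical staging location, and the off-host copy is left to the site's own transfer tool.

```shell
#!/bin/sh
# Added example, not from the talk. ARCHIVE_DIR is a hypothetical staging
# directory; /var/audit is the log directory named on the slides.
AUDIT_DIR=${AUDIT_DIR:-/var/audit}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/audit-archive}

# is_closed_trail PATH: true when the file name is START.END with two
# 14-digit YYYYMMDDhhmmss stamps. A trail that is still being written has
# no end stamp yet, so it never matches and is left for auditd.
is_closed_trail() {
    printf '%s\n' "${1##*/}" | grep -Eq '^[0-9]{14}\.[0-9]{14}$'
}

# archive_trails SRC DEST: compress each closed trail in SRC and move it to
# DEST, readable by the owner only. Prints the number of files archived.
archive_trails() {
    a_src=$1; a_dest=$2; a_count=0
    mkdir -p "$a_dest" || return 1
    chmod 700 "$a_dest" || return 1
    for a_file in "$a_src"/*; do
        [ -f "$a_file" ] || continue
        is_closed_trail "$a_file" || continue
        gzip -9 "$a_file" || return 1
        chmod 600 "$a_file.gz" || return 1
        mv "$a_file.gz" "$a_dest/" || return 1
        a_count=$((a_count + 1))
    done
    echo "$a_count"
}

# rotate_and_archive: the cron entry point. "audit -n" asks auditd to close
# the current trail and open a new one; the short sleep lets it finish.
rotate_and_archive() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    audit -n || return 1
    sleep 2
    archive_trails "$AUDIT_DIR" "$ARCHIVE_DIR"
    # Copy ARCHIVE_DIR off the host with your site's approved transfer
    # tool here, then prune it according to the retention policy.
}

# Run only when asked, e.g. from root's crontab: sh rotate-audit.sh run
if [ "${1:-}" = run ]; then
    rotate_and_archive
fi
```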

Page 41

Audit log file (3)

Input to the audit log can (should) be masked

use audit to set the config files

Auditing is control (masking) of a specified collection of events, users and classes. Masking is done by the config files which are modified by audit. These are not XML config files, they are standard text. Modify them with vi or BBEdit.

Page 42

CC Tools talk is...

Common Criteria - what is it?

NISPOM - .gov, .mil, FFRDC, other

Prior to setup

Installation and setup

GUI config - use the checklist

Auditing, audit config, presentation

Defaults and customizing the setup

Page 43

Audit process utils

rc.audit - initialization and startup

auditd - the auditing process

audit - masks (tunes) what is audited and written to the audit log file

auditreduce - filters a subset out of the audit log file for output, presentation

praudit - presentation to stdout, Audit Log Viewer, txt, lp

Page 44

audit flow

Page 45

BSM Audit Tuning

audit_control - manages audit system parameters

“...The real difficulty with BSM is tuning the level of auditing on the system.” - Hal Pomeranz

Page 46

OS X Audit Tuning

“The actual events being captured are only those required for certification.” - Shawn Geddis, Security Consulting Engineer, Apple

default is displayed

YMMV

Note different flags being captured by Apple’s default versus Sun default in previous slide.

Page 47

OS X Audit Tuning

flags:

lo = log in/out

ad = all admin events

-all, ^-fc, ^-cl = all failures except creating or closing files

naflags: log in/out

Interpretation of Apple’s default flags.

You will probably want to set your own flags according to policy defined by management.

Page 48

Audit Event Classes

Classes used in:

audit_control: flags, naflags

audit_user: alwaysaudit, neveraudit

Roll your own too, with custom audit classes!

Standard set of flags. All can be modified with [+ - ^].
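To check a flags line before it goes into audit_control, the added example below (not part of the talk and not Apple's code) evaluates a flags list left to right the way the [+ - ^] prefixes are documented for BSM, and answers whether a given class is recorded on success or on failure. The default list is the one read off the OS X Audit Tuning slide; `fd` (file delete) is a standard BSM class used here to show what `-all` alone selects, and the model works per class, ignoring that one event can belong to several classes.

```shell
#!/bin/sh
# Added example, not from the talk: evaluate a BSM flags list left to right.
# Prefixes: none = success and failure, + = success only, - = failure only;
# a leading ^ turns that selection back off.

DEFAULT_FLAGS='lo,ad,-all,^-fc,^-cl'   # Apple default as read on the slide

# selects FLAGS CLASS OUTCOME
#   OUTCOME is "success" or "failure". Returns 0 if events of CLASS with
#   that outcome are written to the audit log, 1 if not, 2 on bad input.
selects() {
    s_flags=$1; s_class=$2; s_outcome=$3
    case $s_outcome in success|failure) ;; *) return 2 ;; esac
    s_ok=0; s_fail=0                    # running state for this class
    s_ifs=$IFS; IFS=,
    for s_tok in $s_flags; do
        IFS=$s_ifs
        s_tok=$(printf '%s' "$s_tok" | tr -d ' \t')
        s_on=1
        case $s_tok in '^'*) s_on=0; s_tok=${s_tok#?} ;; esac
        case $s_tok in
            +*) s_sets=success; s_tok=${s_tok#?} ;;
            -*) s_sets=failure; s_tok=${s_tok#?} ;;
            *)  s_sets=both ;;
        esac
        # A token applies to the class it names; "all" applies to every class.
        [ "$s_tok" = "$s_class" ] || [ "$s_tok" = all ] || continue
        case $s_sets in success|both) s_ok=$s_on ;; esac
        case $s_sets in failure|both) s_fail=$s_on ;; esac
    done
    IFS=$s_ifs
    if [ "$s_outcome" = success ]; then
        [ "$s_ok" -eq 1 ]
    else
        [ "$s_fail" -eq 1 ]
    fi
}

# report FLAGS CLASS...: one line per class showing what gets recorded.
report() {
    r_flags=$1; shift
    for r_class in "$@"; do
        r_s=no; r_f=no
        if selects "$r_flags" "$r_class" success; then r_s=yes; fi
        if selects "$r_flags" "$r_class" failure; then r_f=yes; fi
        printf '%-4s success=%-3s failure=%s\n' "$r_class" "$r_s" "$r_f"
    done
}

report "$DEFAULT_FLAGS" lo ad fc cl fd
```

Because evaluation is ordered, `^-fc` only has an effect when it comes after the `-all` it is carving an exception out of.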

Page 49

More on tuning

See the OS X man pages

man audit_control

man audit_event

man audit_class

man audit_user

See Pomeranz, “Solaris BSM Auditing”

See Sun docs - Administering Auditing

See Pomeranz first, then Sun.

Page 50

Audit presentation

Converts audit log file from binary to human-readable

GUI - /Apps/Utils/Audit Log Viewer

display only (currently), no manipulation

CLI - auditreduce | praudit

output to .txt or lp

manipulable - sed, awk, perl...

The log file is binary and not human-readable. Filtering of output from the log file is done by auditreduce, which pipes to praudit. Conversion to human-readable form is done by praudit, which writes to stdout.

Page 51

Audit Log Viewer

For interpreting the entries see Apple’s Guide, Appendix C.

Page 52

Log file management

Last word: Don’t forget that these files can get big fast.

Zip them, or move them, roll them or delete them, or else...

UNIX sysadmin...

Page 53

Understanding CC

Config & Admin

“In reality we are not super-uber-geeks by some natural ability. No, we are just the ones who took the time to understand the tools and technologies we use. Sometimes we are the only ones who actually read the manual. N + 1 = Expert”

- chuck goolsbee, Mac Mgrs’ listmom

We all build on those who came before us.

You here today will take something and build on it.

I am barely one half-step ahead of you.

Page 54

Common Criteria Tools

Go > iDisk > Other User’s Public Folder > odonnells