[SCAP-On-Apple] Where/When do we start?

Link, Peter R. link1 at llnl.gov
Thu Nov 1 07:08:27 PDT 2012

In light of recent postings asking about iOS6, bluetooth, and SCAP content I am reposting my email from early October (below). It was my understanding this project would replace or be in addition to efforts managed by NIST as the main project site for the creation of all aspects of SCAP content for Apple products. I am hoping it won't simply turn into another fed-talk email list.

When are we going to start working on OVAL and XCCDF content? Will we simply take what DISA and CIS have done, fixing/enhancing their code and adding the additional parts necessary for full SCAP compliance? How will this be done? The SCAP-on-Apple website has a ticketing system but who is going to start? What are the ground rules?

CIS has an OSX 10.8 project started and DISA has draft iOS6 content. I now CIS is more or less a private company while DISA is a federal organization. Both of these entities can complicate matters so I'd like to get the direction of SCAP-on-Apple out in the open. I also know there is work being done by OVAL but how will we make use of their contributions? Or do we contribute to them?

As for device configuration, LLNL is really pressing for expanded use of the new Profiles capability so we'd like to see configuration settings pushed in that direction instead of creating a lot of scripts. Profiles will be a whole lot easier to manage and test than scripts.

(repost from October 9)

Now that the SCAP on Apple working group has been created, I would like to know if any initial guidelines were discussed at the BoF meeting.

Who's going to start? With what configuration information?

Will this site be the primary working area for SCAP content for Apple (OSX and iOS)? Will people still use OVAL's repository for Apple products as the primary source or duplicate content between the two?

I know some work has been done by various people. Will any of that be submitted to this site or is everything starting from the ground up?

Not that anyone has asked but my ultimate goal for this project is to provide complete SCAP content for tools (including OCIL) necessary to create, validate, and remediate a USGCB baseline configuration for OSX and secondarily, for iOS. This is a multistep process but having a USGCB configuration has been on my list for many years.

Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
link1 at llnl.gov<mailto:link1 at llnl.gov>

The contents of this message are mine personally and do not reflect the views or position of the U.S. Department of Energy, Federal Government, National Nuclear Security Administration, Lawrence Livermore National Security, or Lawrence Livermore National Laboratory.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/scap-on-apple/attachments/20121101/86362fae/attachment.html>

More information about the SCAP-On-Apple mailing list