Compliance Overview

 Monday, August 29, 2011
Special Publication 800-53
In accordance with the provisions of FISMA, the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems.
CM-6 CONFIGURATION SETTINGS
• Establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;
• Implements the configuration settings;
• Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
• Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
FISMA Compliance
Organization-defined security configuration checklists

Microsoft check came from Microsoft Compliance Manager
Target of link is installation instructions
Assigning server to a SCAP file

The compliance process will check every CPE setting and look for a match.
The CPE picks the SCAP file, not the user setting it up.
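The selection step described above, as an added Python example that is not code from the presentation or from Secutor Magnus: the target's CPE name, not the operator, decides which SCAP content applies. It uses CPE 2.2 URI names of the form cpe:/part:vendor:product:version:update:edition:language and the CPE 2.2 matching rule (unspecified components match anything). The benchmark table, its file names and all function names are constructed for this example; the presentation itself names only dcb-rhel5_oval.xml.

```python
"""Let the target's CPE name choose the SCAP benchmark (added example)."""

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(name: str) -> dict:
    """Split a CPE 2.2 URI into its seven components; trailing components
    that are not given are recorded as '' (unspecified)."""
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len(prefix):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError(f"too many components: {name!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def cpe_matches(benchmark_cpe: str, target_cpe: str) -> bool:
    """CPE 2.2 matching: the benchmark's platform name matches the target when
    every component the benchmark specifies equals the target's component;
    components the benchmark leaves unspecified act as wildcards."""
    b, t = parse_cpe22(benchmark_cpe), parse_cpe22(target_cpe)
    return all(b[f] == "" or b[f] == t[f] for f in CPE_FIELDS)


# Constructed table: platform CPE -> SCAP content to run against it.
# The file names are hypothetical.
BENCHMARKS = {
    "cpe:/o:redhat:enterprise_linux:5": "dcb-rhel5_xccdf.xml",
    "cpe:/o:microsoft:windows_server_2008": "scm-win2008_xccdf.xml",
}


def select_scap_file(target_cpe: str) -> str:
    """Return the one benchmark whose platform matches the target. The most
    specific match wins; with no match or a tie, refuse rather than guess."""
    hits = []
    for cpe, path in BENCHMARKS.items():
        if cpe_matches(cpe, target_cpe):
            specificity = sum(1 for f in CPE_FIELDS if parse_cpe22(cpe)[f])
            hits.append((specificity, cpe, path))
    if not hits:
        raise LookupError(f"no SCAP content for {target_cpe}")
    hits.sort(reverse=True)
    if len(hits) > 1 and hits[0][0] == hits[1][0]:
        raise LookupError(f"ambiguous SCAP content for {target_cpe}: {hits}")
    return hits[0][2]


if __name__ == "__main__":
    # A RHEL 5 host, identified by its CPE, is routed to the RHEL 5 content.
    print(select_scap_file("cpe:/o:redhat:enterprise_linux:5"))
```

The ambiguity check is the part worth keeping in a real scanner: two benchmarks that both claim a target is exactly the situation in which an operator would otherwise "pick one", which is what the slide says should not happen.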
XCCDF (benchmark: description, profile, group and rule):

<description xml:lang="en-US">
  The purpose of this guide is to provide security configuration recommendations for the Red Hat Enterprise Linux (RHEL) 5 operating system. The guidance provided here should be applicable to desktop systems. Recommended settings for the basic operating system are provided, as well as for many commonly-used services that the system can host in a network environment.<xhtml:br /><xhtml:br />
  The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.
</description>
<Profile id="DOD_baseline_1.0.0.1" abstract="false">
  <title xml:lang="en-US">Department of Defense Baseline 1.0.0.1</title>
  <description xml:lang="en-US">TODO::INSERT</description>
  <select idref="dcb-rhel5-2.1.1.1.1.a" selected="true" />
  <select idref="dcb-rhel5-2.1.1.1.2.a" selected="true" />
  .
  .
  .
</Profile>

<Group id="dcb-rhel5-group-2.1.1.1.1" hidden="false">
  <title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title>
  <description xml:lang="en-US">
    The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.<xhtml:br /><xhtml:br />
    Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on the availability of space on the drive and the system's operating requirements.
  </description>
  <Rule id="dcb-rhel5-2.1.1.1.1.a" selected="false" weight="10.0">
    <status date="2010-07-01">draft</status>
    <version update="1" />
    <title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title>
    <description xml:lang="en-US">The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.</description>
    <ident system="http://cce.mitre.org">CCE-14161-4</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="dcb-rhel5_oval.xml" name="oval:mil.army.us.rhel5:def:20000" />
    </check>
  </Rule>
</Group>

OVAL (dcb-rhel5_oval.xml: definition, test, state and object):

<definition class="compliance" id="oval:mil.army.us.rhel5:def:20000" version="1">
  <metadata>
    <title>Ensure that /tmp has its own partition or logical volume</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 5</platform>
    </affected>
    <reference ref_id="CCE-14161-4" source="CCE" />
    <description>The /tmp directory is a world-writable directory used for temporary file storage. Verify that it has its own partition or logical volume.</description>
  </metadata>
  <criteria>
    <criterion test_ref="oval:mil.army.us.rhel5:tst:20000" comment="Check in /etc/fstab for a /tmp mount point" />
  </criteria>
</definition>

<tests>
  <ind-def:textfilecontent54_test id="oval:mil.army.us.rhel5:tst:20000" version="1" check="all"
      comment="look for /tmp partition or logical volume in /etc/fstab" check_existence="at_least_one_exists">
    <ind-def:object object_ref="oval:mil.army.us.rhel5:obj:20000" />
    <ind-def:state state_ref="oval:mil.army.us.rhel5:ste:20000" />
  </ind-def:textfilecontent54_test>
</tests>

<states>
  <ind-def:textfilecontent54_state id="oval:mil.army.us.rhel5:ste:20000" version="1" comment="/tmp mount point is defined">
    <ind-def:subexpression datatype="string" operation="equals" entity_check="all">/tmp</ind-def:subexpression>
  </ind-def:textfilecontent54_state>
</states>

<objects>
  <ind-def:textfilecontent54_object id="oval:mil.army.us.rhel5:obj:20000" version="1" comment="look for the partition mount point in /etc/fstab">
    <ind-def:path>/etc</ind-def:path>
    <ind-def:filename>fstab</ind-def:filename>
    <ind-def:pattern operation="pattern match">^[\s]*[\S]+[\s]+([\S]+)[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+</ind-def:pattern>
    <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
  </ind-def:textfilecontent54_object>
</objects>

Regular expression:
  ^       = start of line
  [\s]*   = 0 to many whitespace
  [\S]+   = 1 to many NOT whitespace
  ([\S]+) = save this value
Testing if 6 strings (separated by tabs or spaces) exist in the file, and saving the second string.
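What an OVAL interpreter does with the object, state and test above, as an added Python example that is not code from the presentation or from the DoD baseline content. The pattern and the "/tmp" state value are taken from the OVAL fragment; the function names, the "check" parameter and the sample fstab contents are constructed for this example. Running it shows two things the XML alone does not: the pattern only collects fstab lines that carry all six fields (dump and pass are optional in fstab, so a four-field /tmp entry is never seen), and, with check="all" as on the slide, every collected line's mount point must equal /tmp, so a normal multi-entry fstab evaluates to false; check="at least one" is evaluated beside it for comparison.

```python
"""Evaluate the OVAL textfilecontent54 check behind rule dcb-rhel5-2.1.1.1.1.a
(added example; the interpreter semantics are reproduced in plain Python)."""
import re

# <ind-def:pattern>: six whitespace-separated fields, capturing the second one
# (the mount point). \s and \S are what the slide's regex explanation describes.
FSTAB_PATTERN = re.compile(
    r"^[\s]*[\S]+[\s]+([\S]+)[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+")

# <ind-def:subexpression operation="equals"> in the state.
STATE_MOUNT_POINT = "/tmp"


def collect_object_items(fstab_text: str) -> list:
    """textfilecontent54_object: with instance >= 1, every line matching the
    pattern becomes one collected item whose subexpression is capture group 1."""
    items = []
    for line in fstab_text.splitlines():
        m = FSTAB_PATTERN.match(line)
        if m:
            items.append(m.group(1))
    return items


def evaluate_test(fstab_text: str, check: str = "all") -> str:
    """textfilecontent54_test with check_existence="at_least_one_exists".
    check is the OVAL test attribute: "all" (as on the slide) requires every
    collected item to satisfy the state, "at least one" requires just one.
    Returns the OVAL result as the string "true" or "false"."""
    items = collect_object_items(fstab_text)
    if not items:                      # existence check fails: no six-field line at all
        return "false"
    satisfied = [item == STATE_MOUNT_POINT for item in items]
    if check == "all":
        return "true" if all(satisfied) else "false"
    if check == "at least one":
        return "true" if any(satisfied) else "false"
    raise ValueError(f"unsupported check value: {check!r}")


# Constructed sample fstab contents (not taken from any real host).
BASE_LINES = [
    "# constructed sample",
    "LABEL=/         /      ext3  defaults        1 1",
    "LABEL=/boot     /boot  ext3  defaults        1 2",
    "LABEL=SWAP-sda3 swap   swap  defaults        0 0",
]
TMP_LINE = "LABEL=/tmp      /tmp   ext3  defaults,nodev  1 2"
SHORT_TMP_LINE = "tmpfs /tmp tmpfs defaults,nodev"   # legal fstab: dump/pass omitted

FSTAB_WITH_TMP = "\n".join(BASE_LINES + [TMP_LINE]) + "\n"
FSTAB_WITHOUT_TMP = "\n".join(BASE_LINES) + "\n"
FSTAB_SHORT_TMP = "\n".join(BASE_LINES + [SHORT_TMP_LINE]) + "\n"

if __name__ == "__main__":
    for name, text in (("with /tmp", FSTAB_WITH_TMP),
                       ("without /tmp", FSTAB_WITHOUT_TMP),
                       ("four-field /tmp", FSTAB_SHORT_TMP)):
        print(f"{name:16} items={collect_object_items(text)} "
              f"all={evaluate_test(text, 'all')} "
              f"at_least_one={evaluate_test(text, 'at least one')}")
```

The practical check before trusting a scan result from content like this is to run the object's pattern against a copy of the real fstab and look at the collected items, not just the pass/fail: the item list tells you whether the rule failed because /tmp is missing, because the entry has too few fields for the pattern, or because the check attribute demands that every line be /tmp.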
CCE: Common Configuration Enumeration
FISMA Compliance
Three Software Products
Why Custom Application?
Difficult to map the task back to the status.
One task = one job with a matching server name.
Match Task to Results
TaskServer SV-SERV1-TDP was O.K. with 100 Passed
Task versus Target
Trending: CIO Level Report
Magnus CIO-level reports missed the point; they did not easily answer the question "Are we doing better?"

We developed general trending information that showed, at the CIO level, that we were moving in the right direction.

Once the number of servers flatlines, we hope to see a general increase in percent compliance over time.
Reporting Requirements
Adding a Server
Whenever a server is commissioned for production, the NIST Security Checklist Compliance Manager or IT Services shall enter the server into Secutor Magnus and the associated scheduling and reporting tools and conduct an initial manual scan and verify the scan produced reasonable results. Once this is complete, they will inform the administrator and the DCIO that the scan results are ready to be reviewed. The DCIO and the administrator shall review[1] the results of the scan, comparing the percent compliance for any product instances on the server to the overall percent compliance for the product, taken over all current instances of the product. Commissioning a server that will reduce overall percent compliance for any product requires approval of the CIO.

[1] See Compliance Trending Application, menu Report > CIO Reports > servers compared to profile
Review of Compliance for a Server
Whenever the configuration of a server changes, the DCIO shall compare the percent compliance for all product instances measured in the scan taken after the change with the latest previous measure of percent compliance for each instance.[1] Should percent compliance be reduced, the DCIO shall report this to the ISSO as a compliance incident.

[1] See Compliance Trending Application, menu Report > CIO Reports > Compare to last snapshot
Monthly Review of Overall Percent Compliance
Each month, the DCIO shall review the history of overall percent compliance for all products included in the NIST Security Checklist Scanning process.[1] Should there be a reduction in overall percent compliance for any product, the DCIO shall notify the ISSO and CIO that a compliance incident exists.

[1] See Compliance Trending Application, menu Report > CIO Reports > Profile Summary
Scheduling
Magnus could only schedule on:
Day:
Week:
Month Day:

We wanted to schedule based on tier, so we inactivated all Magnus runs, set them to run every day, then made them active based on the tier.
Reviewing the Results
Who has what problem


Editor's Notes

#9:
An XCCDF file contains the baseline. This baseline includes a list of rules (Rule dcb-rhel5-2.1.1.1.1.a). This rule is "separate partition for /tmp". The description of the rule is included in the rule. The id is listed in the rule as the Rule id. The CCE number is assigned and listed in the rule.
The rule points to the OVAL file that contains the test (dcb-rhel5_oval.xml). The rule points to the compliance description id (oval:mil.army.us.rhel5:def:20000).
The OVAL file contains the compliance description (oval:mil.army.us.rhel5:def:20000). The compliance description also contains a pointer to the CCE number. The compliance description also contains a description of the test. The compliance description contains a pointer to the test reference, test_ref="oval:mil.army.us.rhel5:tst:20000".
A separate section of the XML document contains the test. The test defines the test variable [State], in this case called /tmp. The test also defines the place it will look for the variable [Object]. The Object id is referenced to find the location of the object. The State id is referenced to find the definition of the state; the State id is textfilecontent54_state id="oval:mil.army.us.rhel5:ste:20000". The Object id is textfilecontent54_object id="oval:mil.army.us.rhel5:obj:20000". The location is defined in the XML (/etc/fstab). The test condition is tested using a regular expression, and the result is saved.