
FISMA Compliance


The following PowerPoint provides an overview of how automated FISMA compliance was enforced at a federal agency. For details see WWW.DATA4USA.COM

Published in: Technology

  1. Compliance Overview (Monday, August 29, 2011)
  2. Special Publication 800-53: In accordance with the provisions of FISMA, the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems.
  3. CM-6 CONFIGURATION SETTINGS. The organization:
     • Establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;
     • Implements the configuration settings;
     • Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
     • Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
  4. Organization-defined security configuration checklists
  5. The Microsoft checks came from Microsoft Compliance Manager (callout 1); the target of the link is the installation instructions (callout 2).
  6. Assigning a server to a SCAP file: the compliance process checks every CPE setting and looks for a match. The CPE picks the SCAP file, "not the user setting up" the server.
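The selection rule the slide describes, as an added example (not the agency's tooling or Secutor Magnus): a host's CPE inventory is matched against the `<platform>` names that SCAP benchmarks declare, using CPE 2.2 component matching (a component the platform leaves unspecified matches anything), and the one benchmark that applies is chosen. The benchmark-to-file table and the file names are hypothetical; a host that matches no benchmark, or more than one, is rejected rather than scanned against a guessed checklist.

```python
"""Pick the SCAP benchmark for a host from its CPE inventory: the CPE picks
the file, not the person setting the server up. Added example; file names
and the benchmark table below are made up."""

# CPE 2.2 URI components, in order, after the "cpe:/" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> dict:
    """Split a CPE 2.2 URI such as cpe:/o:redhat:enterprise_linux:5 into its
    components. Trailing components that are absent are unspecified ("")."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError(f"too many components: {uri!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, (p.lower() for p in parts)))


def cpe_matches(platform: str, host_cpe: str) -> bool:
    """CPE 2.2 name matching: a benchmark <platform> matches a host name when
    every component the platform specifies equals the host's component; an
    unspecified (empty) platform component matches any value."""
    want, have = parse_cpe(platform), parse_cpe(host_cpe)
    return all(want[f] == "" or want[f] == have[f] for f in CPE_FIELDS)


def select_scap_file(host_cpes, benchmarks) -> str:
    """Return the single benchmark file whose platform matches one of the
    host's CPEs. Fail loudly when none or several apply, so a mis-tagged host
    is not silently scanned against the wrong checklist."""
    hits = sorted({path for platform, path in benchmarks.items()
                   if any(cpe_matches(platform, c) for c in host_cpes)})
    if not hits:
        raise LookupError(f"no benchmark covers {host_cpes}")
    if len(hits) > 1:
        raise LookupError(f"ambiguous benchmark choice for {host_cpes}: {hits}")
    return hits[0]


# Constructed platform-to-benchmark table; the file names are hypothetical.
BENCHMARKS = {
    "cpe:/o:redhat:enterprise_linux:5": "dcb-rhel5-xccdf.xml",
    "cpe:/o:microsoft:windows_server_2008": "win2008-xccdf.xml",
}

if __name__ == "__main__":
    # Constructed host inventory: an OS CPE plus an application CPE.
    host = ["cpe:/o:redhat:enterprise_linux:5:ga", "cpe:/a:apache:httpd:2.2"]
    print(select_scap_file(host, BENCHMARKS))
```

The `ga` update component on the host is ignored because the benchmark's platform leaves the update unspecified; a RHEL 6 host would not match the RHEL 5 benchmark, and an Ubuntu host would raise rather than fall through to a default file.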
  7. XCCDF benchmark excerpt (dcb-rhel5) and the OVAL definition it references (dcb-rhel5_oval.xml):

     XCCDF:
     <description xml:lang="en-US">
       The purpose of this guide is to provide security configuration recommendations for the Red Hat Enterprise Linux (RHEL) 5 operating system. The guidance provided here is applicable to desktop systems. Recommended settings for the basic operating system are provided, as well as for many commonly-used services that the system can host in a network environment.<xhtml:br /><xhtml:br />
       The guide is intended for system administrators. Readers are assumed to possess basic system administration skills for Unix-like systems, as well as some familiarity with Red Hat's documentation and administration conventions. Some instructions within this guide are complex. All directions should be followed completely and with understanding of their effects in order to avoid serious adverse effects on the system and its security.
     </description>
     <Profile id="DOD_baseline_1.0.0.1" abstract="false">
       <title xml:lang="en-US">Department of Defense Baseline 1.0.0.1</title>
       <description xml:lang="en-US">TODO::INSERT</description>
       <select idref="dcb-rhel5-2.1.1.1.1.a" selected="true" />
       <select idref="dcb-rhel5-2.1.1.1.2.a" selected="true" />
       . . .
     </Profile>
     <Group id="dcb-rhel5-group-2.1.1.1.1" hidden="false">
       <title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title>
       <description xml:lang="en-US">
         The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.<xhtml:br /><xhtml:br />
         Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. Smaller or larger sizes could be used, depending on the availability of space on the drive and the system's operating requirements.
       </description>
       <Rule id="dcb-rhel5-2.1.1.1.1.a" selected="false" weight="10.0">
         <status date="2010-07-01">draft</status>
         <version update="1" />
         <title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title>
         <description xml:lang="en-US">The /tmp directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume.</description>
         <ident system="http://cce.mitre.org">CCE-14161-4</ident>
         <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
           <check-content-ref href="dcb-rhel5_oval.xml" name="oval:mil.army.us.rhel5:def:20000" />
         </check>
       </Rule>
     </Group>

     OVAL:
     <definition class="compliance" id="oval:mil.army.us.rhel5:def:20000" version="1">
       <metadata>
         <title>Ensure that /tmp has its own partition or logical volume</title>
         <affected family="unix">
           <platform>Red Hat Enterprise Linux 5</platform>
         </affected>
         <reference ref_id="CCE-14161-4" source="CCE" />
         <description>The /tmp directory is a world-writable directory used for temporary file storage. Verify that it has its own partition or logical volume.</description>
       </metadata>
       <criteria>
         <criterion test_ref="oval:mil.army.us.rhel5:tst:20000" comment="Check in /etc/fstab for a /tmp mount point" />
       </criteria>
     </definition>
     <tests>
       <ind-def:textfilecontent54_test id="oval:mil.army.us.rhel5:tst:20000" version="1" check="all" comment="look for /tmp partition or logical volume in /etc/fstab" check_existence="at_least_one_exists">
         <ind-def:object object_ref="oval:mil.army.us.rhel5:obj:20000" />
         <ind-def:state state_ref="oval:mil.army.us.rhel5:ste:20000" />
       </ind-def:textfilecontent54_test>
     </tests>
     <objects>
       <ind-def:textfilecontent54_object id="oval:mil.army.us.rhel5:obj:20000" version="1" comment="look for the partition mount point in /etc/fstab">
         <ind-def:path>/etc</ind-def:path>
         <ind-def:filename>fstab</ind-def:filename>
         <ind-def:pattern operation="pattern match">^\s*\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+</ind-def:pattern>
         <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
       </ind-def:textfilecontent54_object>
     </objects>
     <states>
       <ind-def:textfilecontent54_state id="oval:mil.army.us.rhel5:ste:20000" version="1" comment="/tmp mount point is defined">
         <ind-def:subexpression datatype="string" operation="equals" entity_check="all">/tmp</ind-def:subexpression>
       </ind-def:textfilecontent54_state>
     </states>

     Regular expression: tests whether six strings (separated by tabs or spaces) exist on a line of the file and saves the second string, which in /etc/fstab is the mount point. ^ = start of line; \s* = zero or more whitespace characters; \S+ = one or more non-whitespace characters; (\S+) = save this value.
     Two caveats for anyone reusing this check. The pattern accepts any line with six or more fields, comment lines included, so a commented-out /tmp entry still yields a "/tmp" item, and the test reads /etc/fstab only: it shows that a separate /tmp is configured, not that /tmp is currently mounted that way. Also, the test-level check attribute says how many collected items must satisfy the state; with several six-field entries in fstab, check="all" would require every mount point to be /tmp, so "at least one" is the value this check needs.
  8. CCE: Common Configuration Enumeration
  9. Three Software Products
  10. Why a custom application? It was difficult to map a task back to its status.
  11. One task = one job with a matching server name
  12. Match task to results: task/server ‘SV-SERV1-TDP’ was O.K. with 100 passed
  13. Task versus Target
  14. Trending: CIO-Level Report. Magnus CIO-level reports missed the point; they did not easily answer the question “Are we doing better?” We developed general trending info that showed at the CIO level we were moving in the right direction. Once the “number of servers” flatlines, we hope to see a general increase in percent compliance over time.
  15. Reporting Requirements: Adding a Server
      Whenever a server is commissioned for production, the NIST Security Checklist Compliance Manager or IT Services shall enter the server into Secutor Magnus and the associated scheduling and reporting tools and conduct an initial manual scan and verify that the scan produced reasonable results. Once this is complete, they will inform the administrator and the DCIO that the scan results are ready to be reviewed. The DCIO and the administrator shall review [1] the results of the scan, comparing the percent compliance for any product instances on the server to the overall percent compliance for the product, taken over all current instances of the product. Commissioning a server that will reduce overall percent compliance for any product requires approval of the CIO.
      [1] See Compliance Trending Application, menu “Report” > “CIO Reports” > “servers compared to profile”
  16. Review of Compliance for a Server
      Whenever the configuration of a server changes, the DCIO shall review the percent compliance for all product instances measured in the scan taken after the change against the latest previous measure of percent compliance for each instance. [1] Should percent compliance be reduced, the DCIO shall report this to the ISSO as a compliance incident.
      [1] See Compliance Trending Application, menu “Report” > “CIO Reports” > “Compare to last snapshot”
  17. Monthly Review of Overall Percent Compliance
      Each month, the DCIO shall review the history of overall percent compliance for all products included in the NIST Security Checklist Scanning process. [1] Should there be a reduction in overall percent compliance for any product, the DCIO shall notify the ISSO and CIO that a compliance incident exists.
      [1] See Compliance Trending Application, menu “Report” > “CIO Reports” > “Profile Summary”
  18. Scheduling. Magnus could only schedule on Day:Week:Month. We wanted to schedule based on “Tier”, so we inactivated all Magnus runs and set them to run every day, then made them “Active” based on the tier.
  19. Reviewing the Results
  20. Who has what problem
