Thursday, January 7, 2010

DISA SRR tools need CAC in order to get them

I know that DISA periodically makes part of their site unavailable while they make changes to their regulations (checklists, STIGS, etc.) So, for the past couple of days I've been waiting for the new checklists to be posted so as to prepare for a new trip. Yesterday, a bunch of the checklists updated: MS SQL Server has been split into SQL Server 2000 and 2005. The Oracle checklists have been split up by Oracle version. I notice that three of the Windows checklists have been updated: Windows 2000, 2003, and 2008. Curiously, there is not a checklist posted for Windows XP or Vista. I supposed they are forth-coming.

However, I was highly surprised to see that the SRR scripts have been moved to a site that requires CAC authentication. And at this, I have to wonder why. In my opinion, the scripts do a great job of testing configurations against what the DoD expects items under their purview to be configured. Was that such a bad thing that everyone had access to the tools? It only makes the community safer. I'm hoping this is a temporary measure, and that all will return to normal as I would hate to see valuable tools be available only to a select few.

5 comments:

  1. I hope they didn't move them just because of this:
    http://www.kb.cert.org/vuls/id/433821

    ReplyDelete
  2. I don't know. I knew about the issues with the Unix SRRs, however I thought that was fixed. (I'm not 100% positive on that.) However, I went to the SRR tools page this morning, and saw the following sentence:

    "The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk. "

    I don't know why that's not good enough to keep them in the public domain. I will certainly add more when I find out more information.

    ReplyDelete
  3. We received an internal corporate memo that mentions the Unix SRR vulnerability as the reason all of the tools were placed on the CAC enabled site. However, there is a Unix SRR script that has been released since the date of the vulnerability; allegedly patching the issue.

    Independently, I sent a note to the FSO, and was not given a reason for the tools being moved to another site.

    ReplyDelete
  4. Uncle Sam's IT guy.January 19, 2010 at 2:57 AM

    DISA's goal in requiring us to use PKI is to limit the number of people who can see what the government is using on their systems. If a hacker knows what tools we're using to patch, they can see what we missed and find an exploit or use an exploit they have already discovered that is not included in the SRR.

    ReplyDelete
  5. The SRR Scripts were restricted due to a non-DOD contractor reporting security flaws in the UNIX SRR Scripts in a shotgun email to CERT, NIST, MITRE, JTF-GNO and NSA (ironically, DISA was not included on the initial email barrage).

    This restriction is not temporary... and Checklists marked FOUO are being restricted as well.

    ReplyDelete