The following Powerpoint provides an overview of how automated FISMA compliance was enforced at a federal agency. For details see WWW.DATA4USA.COM

1. Compliance Overview
Monday, August 29, 2011

2. Special Publication 800-53
• In accordance with the provisions of FISMA, the
Secretary of Commerce shall, on the basis of standards
and guidelines developed by NIST, prescribe standards
and guidelines pertaining to federal information
systems. The Secretary shall make standards
compulsory and binding to the extent determined
necessary by the Secretary to improve the efficiency of
operation or security of federal information systems.
Standards prescribed shall include information security
standards that provide minimum information security
requirements and are otherwise necessary to improve
the security of federal information and information
systems

3. CM-6 CONFIGURATION SETTINGS
• Establishes and documents mandatory configuration settings for
information technology products employed within the
information system using Organization-defined security
configuration checklists that reflect the most restrictive mode
consistent with operational requirements;
• Implements the configuration settings;
• Identifies, documents, and approves exceptions from the
mandatory configuration settings for individual components
within the information system based on explicit operational
requirements;
• and Monitors and controls changes to the configuration settings
in accordance with organizational policies and procedures.

5. Organization-
defined security
configuration
checklists

6. Microsoft
check came
Target of Link is
installation instructions
1
from
Microsoft
Compliance
2
Manager

7. Assigning server
to a SCAP File
The compliance process will
Check every CPE setting and look
For match.
The CPE picks the SCAP file
“Not the user setting up”

8. <description xml:lang="en-US"> <definition class="compliance" id="oval:mil.army.us.rhel5:def:20000" version="1">
OVAL
The purpose of this guide is to provide security 1 <metadata> 9
configuration recommendations for the Red Hat Enterprise Linux (RHEL) 5 operating <title>Ensure that /tmp has its own partition or logical volume</title>
system. The guidance provided here should is applicable to desktop systems. Recommended <affected family ="unix">
settings for the basic operating system are provided , as well as for many commonly-used <platform>Red Hat Enterprise Linux 5</platform>
services that the system can host in a network environment .<xhtml:br /><xhtml:br /> </affected> 10
The guide is intended for system administrators . Readers are assumed to <reference ref _id="CCE-14161-4" source="CCE" />
possess basic system administration skills for Unix-like systems, as well as some <description>The /tmp directory is a world-writable directory used for temporary file storage .
familiarity with Red Hat's documentation and administration conventions. Some Verify that it has its own partition or logical volume .
instructions within this guide are complex. All directions should be followed completely </description> 11
and with understanding of their effects in order to avoid serious adverse effects on the </metadata>
system and its security . <criteria>
</description> <criterion test_ref="oval:mil.army.us.rhel5:tst:20000"
<Profile id="DOD_baseline_1.0.0.1" abstract="false"> comment="Check in /etc/fstab for a /tmp mount point" />
<title xml:lang="en-US">Department of Defense Baseline 1.0.0.1</title> </criteria> 12
<description xml:lang="en-US">TODO::INSERT</description> </definition>
2
<select idref="dcb-rhel5-2.1.1.1.1.a" selected="true" />
<tests>
<select idref="dcb-rhel5-2.1.1.1.2.a" selected="true" />
XCCDF
<ind-def:textfilecontent54_test id="oval:mil.army.us.rhel5:tst:20000" version="1" check="all"
.
.
comment="look for /tmp partition or logical volume in /etc/fstab" check_existence="at_least_one_exists">
.
</Profile> 13
<ind-def:object object_ref="oval:mil.army.us.rhel5:obj:20000" /> 15 14
<ind-def:state state _ref="oval:mil.army.us.rhel5:ste:20000" />
<Group id="dcb-rhel5-group-2.1.1.1.1" hidden="false">
3 </ind-def:textfilecontent54_test> 16
<title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title> </tests>
<description xml:lang="en-US"> 4
The /tmp directory is a world -writable
directory used for temporary file storage . Ensure that it has its own <states>
partition or logical volume.<xhtml:br /><xhtml:br /> <ind-def:textfilecontent54_state id="oval:mil.army.us.rhel5:ste:20000"
Because software may need to use /tmp to temporarily store version="1"
Large files, ensure that it is of adequate size . For a modern, comment="/tmp mount point is defined ">
general-purpose system, 10GB should be adequate. Smaller or larger sizes <ind-def:subexpression datatype="string" operation="equals" entity_check="all">
could be used, depending on the availability of space on the drive and /tmp
the system’s operating requirements </ind-def:subexpression>
</description> </ind-def:textfilecontent54_state>
5 </states>
<Rule id="dcb-rhel5-2.1.1.1.1.a" selected="false" weight="10.0">
<status date ="2010-07-01">draft</status>
<version update="1" />
<title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title> <objects> 17
<description xml:lang="en-US">The /tmp directory is a world-writable <ind-def:textfilecontent54_object id="oval:mil.army.us.rhel5:obj:20000"
directory used for temporary file storage . Ensure that it has its own version="1" comment="look for the partition mount point in /etc/fstab"> 18
partition or logical volume.</description> <ind-def:path> /etc </ind-def:path>
6 <ind-def:filename> fstab </ind-def:filename>
<ident system="http://cce.mitre.org">CCE-14161-4</ident> 8
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <ind-def:pattern operation="pattern match ">^[s]*[S]+[s]+([S]+)[s]+[S]+[s]+[S]+[s]+[S]+[s]+[S]+</ind-
<check-content-ref href="dcb-rhel5_oval.xml" name="oval:mil.army.us.rhel5:def:20000" /> def:pattern>
</check> <ind-def:instance datatype="int" operation="greater than or equal ">1</ind-def:instance>
7 </ind-def:textfilecontent54_object>
</Rule>
</objects> 19
</Group>
Regular Expression : Testing if 6 strings (separated by tabs
^ = start of line or spaces ) exist in file and save the
[s]* = 0 to whitespace second string
[S]+ = 1 to many NOT whitespace
([S]) = Save this value

9. CCE – Common Configuration
Enumeration

11. Three Software Products

13. Why Custom Application?
Difficult to map the Task back to the status

14. One task = One job with Matching
Server name

15. Match Task to Results
TaskServer ‘SV-SERV1-TDP’ was O.K. with 100 Passed

16. Task verse Target

17. Trending – CIO Level Report
Magnus CIO Level reports missed the point did not easily answer the question
“Are we doing better?”
We developed general trending info that showed at the CIO level we were moving
In the right direction…
Once the “number of servers” “Flatlines”, we hope to see a general increase in percent
compliance over time.

18. Reporting Requirements
[Adding a server]
Adding a Server
Whenever a server is commissioned for production, the NIST Security Checklist Compliance Manager or
IT Services shall enter the server into Secutor Magnus and the associated scheduling and reporting tools
and conduct an initial manual scan and verify the scan produced reasonable results. Once this is complete,
they will inform the administrator and the DCIO that the scan results are ready to be reviewed. The DCIO
and the administrator shall review[1] the results of the scan, comparing the percent compliance for
any product instances on the server to the overall percent compliance for the product, taken over
all current instances of the product. Commissioning a server that will reduce overall percent compliance
for any product requires approval of the CIO.
[1]
See Compliance Trending Application, menu “Report” > “CIO Reports” > “servers compared to profile”

19. Review compliance of a server
Review of Compliance for a Server
Whenever the configuration of a server changes, the DCIO shall
review the percent compliance for all product instances measured in
the scan taken after the change to the latest previous measure of
percent compliance for each instance.[1] Should percent compliance
be reduced, the DCIO shall report this to the ISSO as a compliance
incident
[1]
See Compliance Trending Application, menu “Report” > “CIO Reports” >
“Compare to last snapshot”

20. Monthly Review of Overall Percent
Compliance
Monthly Review of Overall Percent Compliance
Each month, DCIO shall review the history of overall percent compliance for all products included
in the NIST Security Checklist Scanning process[1]. Should there be a reduction in overall percent
compliance for any product, the DCIO shall notify the ISSO and CIO that a compliance incident
exists.
[1]
See Compliance Trending Application, menu “Report” > “CIO Reports” > “Profile Summary”

21. Scheduling
Magnus could only schedule on:
Day:
Week:
Month Day:
We wanted to schedule based on “Tier” … So we “Inactivitiated” all magnus runs,
And set them to run everyday, then we made them “Active” based on the tier …

22. Reviewing the Results

23. Who has what problem