The Big Picture - Linux is Approved!

by Zourick

Those who are in "The Community" have long known the truth that Linux of any flavor beats the pants off of costly Mickysquish products.

The one major hurdle that we have had to jump and deal with is acceptance in the common marketplace.  Well friends, I am here to tell you that the day has finally come.

There was much vital information missed in the recent 2600 article about "DISA, UNIX Security, and Reality."

Let's take a closer look at the DISA security documents and find the truth.

First and foremost, by far the most important thing to understand is that STIG is an acronym for Security Technical Implementation Guide.  Nowhere in its name does it say law or mandate.

The documents are created to help minimize the security risks associated with each computer hardware or software system that could become widely used within the federal government.  The documents are put out by DISA FSO (Field Security Operations), and NIST to help government and military system administrators close up the major holes in a wide variety of operating systems.

In no way does the STIG alone accomplish the establishment of a secure operating system.  What it does do is establish a baseline for operating guidelines.

The mere fact that Linux now has a place in the STIG means that it is now officially authorized for federal use.  Not only does the government authorize Linux as an approved operating system, it does not care what version you decide to use.

We must applaud the government for their final acceptance of our community sponsored operating system and hope that it will bring good things back to the community in the form of continued support, additional mainstream applications, and funding.

Taking a broader view of the STIG you will see that it is just one of many documents.

The outdated STIG talked about in 2600 previously (Version 4, Release 3) is a far cry from the new and improved UNIX STIG (Version 4, Release 4).

The new version released in mid February has so many updates that it is easily 300 pages larger than the previous version.  In addition it mentions Mandrake, Red Hat, SUSE, and FreeBSD as applicable distributions.

Keep in mind that the UNIX STIG is only one of many and not the only one that applies to Linux, Solaris, or AIX.  The documentation library consists of a STIG, an accompanying Security Checklist, and a Security Readiness Review as well as various applications and scripts to help a system administrator secure their systems.

All three documents and helper software must be considered by a system administrator when deploying an operating system or software application on a government network maintained and monitored by DISA.

In addition, depending on what services the system is running, or whether it is functioning as a desktop, there are additional STIGs and checklists that must be reviewed.  Being in compliance with the STIG (although not completely secure) is not a light task and can ruin any system administrator's Monday morning.

STIGs come in many forms:

Database STIGs for Oracle, SQL including MySQL
Desktop Application STIGs for IM, SQL desktop, anti-virus, email, web browsers, office suites and more
Domain Name System (DNS) STIG for Windows 2000 DNS and BIND
Juniper Router STIGs
Network Infrastructure STIG, including pen-tests and checking of remote compromises
OS/390 Logical Partition STIG
OS/390 MVS STIG V4R1
Secure Remote Computing STIG
Tandem STIG
Unisys STIG
UNIX STIG with an updated Linux section
Virtual Machine STIG
VMS VAX Checklist
Web Servers STIG including IIS, Apache, JSP, WSH, ASP, ASP.Net, ONE as well as FTP, SMTP, SOAP, LDAP and WAP
Windows NT Guide STIG
Windows XP STIG
Windows 2000 STIG
Wireless STIG

As you can see, implementing a STIG is not that easy.

You have to take multiple documents into consideration when securing your system.  Once a system administrator secures the system according to the STIGs, they have to become compliant with what is called Information Assurance Vulnerability Assessments (IAVAs).

IAVAs are issued from DISA to all system administrators in the federal government.  These IAVAs are security alerts that system administrators must comply with by performing the actions required in the IAVA within a specified amount of time.

These IAVAs can consist of operating system patches, configurations, virus definition updates, firewall rules, or almost anything.  If a system administrator wants to go above and beyond all of this they are encouraged to do so.

For example, in Mandrake Linux the included msec (Mandrake Security) program does just this.

Although there are no guidelines for msec, some parts of the program exceed security standards as outlined in the UNIX STIG.

It is up to the system administrator to decide what is right for them, their organization, and what security means to them above and beyond the STIG.

We should be grateful for the fact that the government has taken the time to attempt to write a document, continually improve that document and then publish it as unclassified to help secure a system.

Last I checked, that is how people in the Linux community worked.  You use a product, improve it, and then release it back so everyone else can benefit from your improvements.

Be happy, Linux is approved!
