Android OVAL schema development

14 messages

Android OVAL schema development

Chandrashekhar B

Hello All,

We are working on creating the OVAL schema for Android devices in the Sandbox. Apart from devising the schema, we intend to produce POC code, along with some test content. If anyone is interested in this exercise, willing to participate, or has already done some work in this area, please express your willingness; we will be happy to collaborate.

Thanks,

Chandra.

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].
Re: Android OVAL schema development

joval
Do you have any ideas on how to collect meaningful information without rooting the device?

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download

Re: Android OVAL schema development

Chandrashekhar B

David,

We have identified some new probes, and all of those can be collected without rooting. We have looked at the SDK and they are all available. And there are some probes that look to be usable from the Unix and Linux schemas, which may need deep system-level access. We are analyzing that part.

Chandra.

Re: Android OVAL schema development

Luis Nunez
In reply to this post by joval
Some thoughts on ways:
1. Onboard the device.
   Issues: feasibility of running OVAL as an app in the Android sandbox environment, or running as an Android root process?
2. Leverage a Mobile Device Management (MDM) application to collect system info. "Offline" analysis.
3. Similar to MDM, but a direct OVAL connection to the mobile OS using:
   NETCONF
   REST
   or other protocols?

Use cases to start with:
1. Configuration hygiene
2. Vulnerability check

-ln

Re: Android OVAL schema development

Nary, Timothy [USA]

My team has been working on tackling this problem from the MDM perspective. We've written a proof-of-concept middleware application to interface with the MDMs and use XCCDF/OVAL content to scan the MDM databases for device configuration (using the sql57 independent definitions). We'd be happy to share some of our lessons learned and help out with this effort.

Cheers,

Tim

Timothy J. Nary

Consultant

Booz | Allen | Hamilton

Airport Square II
900 Elkridge Landing Road
Linthicum, MD 21090

Lab: (301) 575-3252
Work: (410) 865-3809
Mobile: (440) 667-4250

Re: Android OVAL schema development

joval
That sounds like a very interesting approach. I imagine that these MDM tools must already have their own version of compliance or security reporting. So, I'd love to understand what value is added by implementing these checks in OVAL. Also, are there not any concerns about the portability (or lack thereof) of these checks across different MDM vendors? One of the big advantages of having a standards-based compliance language is portability, but that is lost in the specificity that must be required of the SQL objects.

I think it would be great for users if MDM vendors had tools that could consume OVAL definitions directly, but naturally to do so we'd need to be able to point them to which schemas to implement.  The rapidly-evolving landscape will make this a real challenge.

Regards,
--David Solin

Re: Android OVAL schema development

Harrison, Timothy [USA]

For the short term, leveraging databases of current MDM products gets you relatively good coverage. You are correct that the database structure will vary from one MDM tool to another, so you either lock yourself into a single vendor or create vendor-specific content. I believe some MDM tool databases are also encrypted, for good reason, which presents another challenge for the MDM tool approach.

Another challenge is changing the configuration. One example would be attempting to remove or disable any vendor-bundled applications (bloatware); though the Ice Cream Sandwich (ICS) version of Android provides some level of control without root access, most mobile Android devices lag behind.

Timothy Harrison

Booz | Allen | Hamilton


Mobile: 717-372-5768

harrison_timothy@...


Re: Android OVAL schema development

Peltzman, Alan N CIV DISA FSO
Even in a weakened, hobbled state, you are still putting out SCAP information.

You are dedicated.

- Alan

Alan Peltzman, CISSP, IT Specialist(INFOSEC)
Lean Six σ Green Belt
DISA/FSO/FS51
717-267-9953, DSN: 570-9953
[hidden email]



Re: Android OVAL schema development

Nary, Timothy [USA]
In reply to this post by joval

Portability is lost with this solution, but we initially chose to go for the lowest-hanging fruit. We created vendor-specific content for MDMs which utilized SQL databases. As Tim H. alluded, there are MDM vendors which have implemented their own NoSQL solutions, many of which are encrypted. Without the vendor providing APIs, there really was no way for us to leverage the information they collected.

One of our goals is to influence MDM vendors to embrace SCAP standards. We're hoping that in demonstrating our proof-of-concept application and showing them some of the benefits, future versions of their products will ingest XCCDF/OVAL and will be able to assess mobile devices managed within the MDM.

--Tim Nary

 

Re: Android OVAL schema development

Chandrashekhar B
In reply to this post by Nary, Timothy [USA]

Thanks, Tim! Lots of progress already. I'll initiate a discussion.

Chandra.

 

Re: Android OVAL schema development

Chandrashekhar B
In reply to this post by Nary, Timothy [USA]

Thanks for sharing the info. It certainly is a good idea to have MDM vendors support OVAL. I thought for a moment that the existing sql57 probe meets the need, but it looks like we need to continue the exercise of standardization for Android.

 

Chandra.

 

From: Nary, Timothy [USA] [mailto:[hidden email]]
Sent: Monday, May 14, 2012 10:09 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development

 

Portability is lost with this solution, but we initially chose to go for the lowest hanging fruit.  We created vendor-specific content for MDMs which utilized SQL databases.  As Tim H. alluded, there are MDM vendors which have implemented their own NoSQL solutions, many of which are encrypted.  Without the vendor providing APIs, there really was no way for us to leverage the information they collected.

 

One of our goals is to influence MDM vendors to embrace SCAP standards.  We’re hoping that in demonstrating our proof-of-concept application and showing them some of the benefits, future versions of their products will ingest XCCDF/OVAL and will be able to assess mobile devices managed within the MDM.

 

--Tim Nary

 

From: David Solin [hidden email] On Behalf Of David Solin
Sent: Monday, May 14, 2012 10:07 AM
To: OVAL Developer List (Closed Public Discussion)
Cc: Nary, Timothy [USA]
Subject: Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development

 

That sounds like a very interesting approach.  I imagine that these MDM tools must already have their own version of compliance or security reporting already.  So, I'd love to understand what value is added by implementing these checks in OVAL.  Also, are there not any concerns about the portability (or lack thereof) of these checks across different MDM vendors?  One of the big advantages of having a standards-based compliance language is portability, but that is lost in the specificity that must be required of the SQL objects.

I think it would be great for users if MDM vendors had tools that could consume OVAL definitions directly, but naturally to do so we'd need to be able to point them to which schemas to implement.  The rapidly-evolving landscape will make this a real challenge.

Regards,
--David Solin

On 5/14/2012 8:38 AM, Nary, Timothy [USA] wrote:

My team has been working on tackling this problem from the MDM perspective.  We’ve written a proof-of-concept middleware application to interface with the MDMs and use XCCDF/OVAL content to scan the MDM databases for device configuration (using the sql57 independent definitions).  We’d be to share some of our lessons learned and help out with this effort.

 

Cheers,

Tim

 

Timothy J. Nary

Consultant

Booz | Allen | Hamilton

Airport Square II
900 Elkridge Landing Road
Linthicum, MD 21090

Lab: (301) 575-3252
Work: (410) 865-3809
Mobile: (440) 667-4250

 

From: Luis Nunez [[hidden email]]
Sent: Friday, May 11, 2012 9:25 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development

 


Re: Android OVAL schema development

Jeffrey Blank
Related: for Apple iOS devices, the situation is simplified since most
of the relevant MDM-provided settings are quite literally put into an
XML file and sent to the devices. Here are some plist tests which
leverage this, and could be run against an exemplar configuration
profile.  It's in "Associated SCAP Content" along with prose guidance
(also in XCCDF) at:

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

This is meant to be an MDM vendor-neutral tech demonstration, in keeping
with the purpose of SCAP.  There are of course several issues with this
OVAL content (and why the OVAL is only a demo, and not yet truly usable
for scalable compliance checking):

1) iOS Configuration Profiles can also be encrypted for transmission; in
fact, being able to check that the MDM server is configured to do so is
highly desirable as noted in section 2.3.1.
2) Some iOS settings (such as whether devices "check out" from the MDM
server when a config profile is removed) are not part of the
configuration profile.  But the MDM itself should have insight into
which settings it has sent to the device.  Additional definitions for
these items, if created, could result in tests to be executed on the
MDM server.
3) Multiple configuration profiles (from different sources) can be
deployed to an iOS device.  Strictest setting wins.
4) The example OVAL plist tests here could only be run on a Mac OS X
system, since that is the only place where the plist test can be used.

The iOS platform is clearly designed in a way that leads implementors
to carry out any "scanning" as execution on the MDM server, and not the
endpoint devices (and this also conserves battery life).  This is
somewhat analogous to the situation with network devices such as
routers, in which the configuration is not scanned on the device itself.

Lest this post be entirely OT, here are some
suggestions/observations/questions for Android schema:
1) Limit the creation of definitions to those which are covered in the
Device Admin API, or which are truly common.  Determining "common" MDM
features across Android devices is very challenging (especially in a
harshly competitive market).  That said, targeting only ICS makes sense
given the rate at which the market advances.

2) Consider OVAL definitions that may not actually care about whether
they are executed on the MDM server or the client (unless truly
necessary).  This could be left entirely as an implementation decision
for the MDM vendor.  Or a preference could be expressed, and the locale
of the actual scan could be noted in results.  Are there situations in
which we care one way or the other?  Do we believe there is an
integrity/freshness argument for on-device scanning?

3) MDM server products are available for a variety of OSes.  I would
assume that any Android OVAL schema should not levy any requirements
about the MDM server platform.  Also, how much information about the MDM
server should be included in the results?

4) How to identify/name devices for reporting (or to specify scans for
only certain groups)?  Each MDM has some kind of identifier for the
endpoint device it is managing.  At least in the user interface, this is
often PII.


Thanks,
Jeff
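As an added example (mine, not content from this thread or from the NSA guidance linked above), here is what "strictest setting wins" and a plist test against an exemplar profile look like in code: a small plist reader, a merge of several configuration profiles per payload type, and the passcode check applied to the effective settings. The profile XML is constructed; the payload type and keys (allowSimple, minLength, maxInactivity, forcePIN, requireAlphanumeric) are the standard passcode-policy keys; the class and method names are mine. It is plain Java SE and does not need Mac OS X, unlike the OVAL plist test itself.

```java
package example.ios;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public final class ProfileMerge {
    /** Minimal plist reader: dict -> Map, array -> List, integer -> Long, true/false -> Boolean. */
    static Object parsePlist(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Profiles carry Apple's DTD reference: never fetch it or resolve external entities for a profile you did not author.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        Node root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();                                // <plist>
        for (Node c = root.getFirstChild(); c != null; c = c.getNextSibling())
            if (c.getNodeType() == Node.ELEMENT_NODE) return toObject((Element) c);
        throw new IllegalArgumentException("empty plist");
    }
    static Object toObject(Element e) {
        String tag = e.getTagName();
        if (tag.equals("dict") || tag.equals("array")) {
            Map<String, Object> m = new LinkedHashMap<>();
            List<Object> l = new ArrayList<>();
            String key = null;
            for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling()) {
                if (c.getNodeType() != Node.ELEMENT_NODE) continue;
                if (c.getNodeName().equals("key")) key = c.getTextContent(); // the value follows its key
                else if (tag.equals("dict")) m.put(key, toObject((Element) c));
                else l.add(toObject((Element) c));
            }
            return tag.equals("dict") ? m : l;
        }
        if (tag.equals("true")) return Boolean.TRUE;
        if (tag.equals("false")) return Boolean.FALSE;
        if (tag.equals("integer")) return Long.valueOf(e.getTextContent().trim());
        return e.getTextContent();                                    // string, date, data: raw text
    }
    // Integer keys where the larger value is stricter (any other integer: smaller wins);
    // boolean keys where true is stricter (the "allow..." keys: false wins).
    static final Set<String> LARGER_IS_STRICTER = Set.of("minLength", "minComplexChars", "pinHistory");
    static final Set<String> TRUE_IS_STRICTER = Set.of("forcePIN", "requireAlphanumeric");
    static Object stricter(String key, Object a, Object b) {
        if (a instanceof Boolean && b instanceof Boolean) {
            Boolean strict = TRUE_IS_STRICTER.contains(key);
            return (strict.equals(a) || strict.equals(b)) ? strict : !strict;
        }
        if (a instanceof Long && b instanceof Long) {
            long x = (Long) a, y = (Long) b;
            return LARGER_IS_STRICTER.contains(key) ? Math.max(x, y) : Math.min(x, y);
        }
        return a;                                                     // strings: first profile wins
    }
    /** PayloadType -> effective settings once every profile has been combined strictest-wins. */
    @SuppressWarnings("unchecked") static Map<String, Map<String, Object>> effective(List<Map<String, Object>> profiles) {
        Map<String, Map<String, Object>> out = new TreeMap<>();
        for (Map<String, Object> profile : profiles) {
            for (Object o : (List<Object>) profile.get("PayloadContent")) {
                Map<String, Object> payload = (Map<String, Object>) o;
                Map<String, Object> eff = out.computeIfAbsent((String) payload.get("PayloadType"), k -> new TreeMap<>());
                for (Map.Entry<String, Object> en : payload.entrySet()) {
                    if (en.getKey().startsWith("Payload")) continue;   // payload metadata, not a setting
                    eff.merge(en.getKey(), en.getValue(), (x, y) -> stricter(en.getKey(), x, y));
                }
            }
        }
        return out;
    }
    /** The passcode check a plist test run against an exemplar profile would express. */
    static List<String> checkPasscode(Map<String, Map<String, Object>> eff) {
        List<String> findings = new ArrayList<>();
        Map<String, Object> pw = eff.get("com.apple.mobiledevice.passwordpolicy");
        if (pw == null) return Collections.singletonList("no passcode payload");
        if (!Boolean.FALSE.equals(pw.get("allowSimple"))) findings.add("allowSimple is not false");
        if ((Long) pw.getOrDefault("minLength", 0L) < 6) findings.add("minLength below 6");
        if ((Long) pw.getOrDefault("maxInactivity", 99L) > 5) findings.add("maxInactivity above 5 minutes");
        return findings;
    }
    static String profile(String passcodeKeys) {   // constructed profile with one passcode payload
        return "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
             + "<plist version=\"1.0\"><dict><key>PayloadType</key><string>Configuration</string>"
             + "<key>PayloadContent</key><array><dict><key>PayloadType</key>"
             + "<string>com.apple.mobiledevice.passwordpolicy</string>" + passcodeKeys
             + "</dict></array></dict></plist>";
    }
    @SuppressWarnings("unchecked") public static void main(String[] args) throws Exception {
        // Constructed: a lax baseline plus a stricter profile pushed from a second source.
        Map<String, Object> lax = (Map<String, Object>) parsePlist(profile(
                "<key>allowSimple</key><true/><key>minLength</key><integer>4</integer><key>maxInactivity</key><integer>15</integer>"));
        Map<String, Object> hardened = (Map<String, Object>) parsePlist(profile(
                "<key>allowSimple</key><false/><key>minLength</key><integer>6</integer><key>maxInactivity</key><integer>5</integer>"));
        System.out.println("baseline alone: " + checkPasscode(effective(Collections.singletonList(lax))));
        System.out.println("both combined:  " + checkPasscode(effective(Arrays.asList(lax, hardened))));
    }
}
```

The baseline on its own trips the simplicity, length and inactivity checks; merged with the hardened profile it passes, because each key took its stricter value. The two direction tables (which integers grow stricter upward, which booleans are stricter when true) are the part to extend as more payload keys are covered, and they are exactly the knowledge an MDM-side check needs that a per-profile plist test cannot express on its own.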






Re: Android OVAL schema development

Luis Nunez
Related to Android: Eeye just released an app to do CVE scans
https://play.google.com/store/apps/details?id=com.eeye.mobile.android

Wondering if there are plans for OVAL/XCCDF???

-ln


Re: Android OVAL schema development

Peck, Michael A
In reply to this post by Jeffrey Blank
Jeff and everybody - a few comments:

#1) The stock Android Device Admin API is very limited in its current state.
Rather than limiting ourselves to what it provides, I would think it would be useful to consider the threats we want to address and the different options of how to address those.

A couple examples:

USB debugging, if enabled, presents certain threats, so in many cases organizations will not want their users to turn it on.

Malicious applications present threats, so organizations may want to control what applications can be installed: perhaps a whitelist of allowed apps, or only allowing apps to be installed from an enterprise app store, or at the very least stopping the user from enabling the 'allow non-Market apps' checkbox.

The stock Device Admin API provides no ability to stop the device user from changing these settings.
However, some individual Android device vendors in partnership with MDM vendors have added proprietary Device Admin add-ons that do provide control over these kinds of things.
Can we write common, standardized rules to cover these settings?  Then each device/MDM vendor can still implement each rule in their own unique way as necessary?

One thing we CAN do now on all Android devices: Android applications, without root access, can gather some security-relevant state information using Android API calls.  For example, an Android app (such as an MDM agent) can query whether or not USB debugging is turned on, whether or not 'non-Market' apps are allowed, and query the list of installed apps (which could be compared with a whitelist or blacklist), and also gather information like what OS version is running (hopefully not just the Google Android version number but the vendor-specific version number too so we can get a real picture of what vulnerabilities may apply to the device).
Even though the user can't necessarily be stopped from configuring the device insecurely, we can at least detect that it happened and enforce some sort of consequence (for instance, check posture information when accessing enterprise resources & disallow access to those resources until compliant).

#2) I would lean towards actually performing compliance checks on the back-end because it's more likely to be up to date on what checks need to be done, has more processing power, and no battery life concerns - but I'm not sure why it matters from the perspective of defining the checks that should be done?  There are problems either way if the device is lying, but solutions to that problem may emerge in the future.  (for example http://mostconf.org/2012/papers/17.pdf )

#3) I'm not entirely sure why the MDM server platform matters except that we of course want to make sure the MDM system actually supports the ability to enforce the rules we want to enforce and monitor compliance - and writing those rules down is the first step.  That may help answer David's question below of how OVAL could be useful?  Right now each MDM vendor picks and chooses their own features - what policies can be enforced, what compliance checks should be done, etc.  Some MDM vendors also advertise the ability to detect if a device has been compromised but won't share what and how they check so there's no easy way to know how robust the checks are.  So it's hard right now to pick and choose between the huge growing market of MDMs and know whether each product has the desired capabilities.

Mike
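The unprivileged collection Mike describes, as an added example that is not code from this thread or from any MDM, jOVAL or OVAL project it mentions: an Android agent class that reads the USB-debugging state, the non-Market-apps setting, the installed user packages and the AOSP and vendor build identifiers with ordinary app permissions, then evaluates them against a policy so that access to enterprise resources can be gated on the result. It assumes it runs inside an app (such as an MDM agent) that has a Context and that the device runs Ice Cream Sandwich (API 14/15); the class, method and rule names and the Policy defaults are mine, and any package names fed to it are constructed.

```java
package example.posture;

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public final class PostureCollector {
    /** Device state an unprivileged app can read; no root required. Holds no device identifier. */
    public static final class Posture {
        public boolean adbEnabled;                       // USB debugging switched on
        public boolean nonMarketAppsAllowed;             // "Unknown sources" checkbox
        public String androidRelease;                    // Build.VERSION.RELEASE, e.g. "4.0.4"
        public int sdkInt;                               // Build.VERSION.SDK_INT
        public String vendorBuild;                       // Build.DISPLAY: the vendor's own build id
        public String fingerprint;                       // Build.FINGERPRINT: brand/device/release/build
        public final Set<String> userPackages = new TreeSet<>();
    }

    /** Policy the back end pushes to the agent; every value here is constructed. */
    public static final class Policy {
        public boolean allowUsbDebugging = false;
        public boolean allowNonMarketApps = false;
        public int minimumSdk = 14;                      // Ice Cream Sandwich or newer
        public Set<String> allowedPackages = null;       // null = no whitelist enforced
        public Set<String> forbiddenPackages = new TreeSet<>();
    }

    public static Posture collect(Context ctx) {
        Posture p = new Posture();
        // On ICS both keys live in Settings.Secure. ADB_ENABLED moved to Settings.Global
        // in API 17 and INSTALL_NON_MARKET_APPS later moved between Secure and Global,
        // so the constant must follow the API level you build for. Default 0 = off.
        p.adbEnabled = Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.ADB_ENABLED, 0) == 1;
        p.nonMarketAppsAllowed = Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1;
        p.androidRelease = Build.VERSION.RELEASE;
        p.sdkInt = Build.VERSION.SDK_INT;
        p.vendorBuild = Build.DISPLAY;                   // vendor/carrier build, not just the AOSP release
        p.fingerprint = Build.FINGERPRINT;
        // User-installed applications only; packages in the system image are part of the
        // build, which the fingerprint already identifies.
        PackageManager pm = ctx.getPackageManager();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            if ((ai.flags & ApplicationInfo.FLAG_SYSTEM) == 0) {
                p.userPackages.add(ai.packageName);
            }
        }
        return p;
    }

    /** Returns the ids of the rules that fail; an empty list means compliant. */
    public static List<String> evaluate(Posture p, Policy policy) {
        List<String> findings = new ArrayList<>();
        if (p.adbEnabled && !policy.allowUsbDebugging) {
            findings.add("usb_debugging_enabled");
        }
        if (p.nonMarketAppsAllowed && !policy.allowNonMarketApps) {
            findings.add("non_market_apps_allowed");
        }
        if (p.sdkInt < policy.minimumSdk) {
            findings.add("os_below_minimum:" + p.androidRelease + "/" + p.vendorBuild);
        }
        for (String pkg : p.userPackages) {
            if (policy.forbiddenPackages.contains(pkg)) {
                findings.add("blacklisted_app:" + pkg);
            } else if (policy.allowedPackages != null && !policy.allowedPackages.contains(pkg)) {
                findings.add("app_not_whitelisted:" + pkg);
            }
        }
        return findings;
    }

    /** Agent entry point: collect, evaluate, and let the caller deny resource access on false. */
    public static boolean compliant(Context ctx, Policy policy) {
        return evaluate(collect(ctx), policy).isEmpty();
    }
}
```

Nothing here stops the user from flipping either setting, which is Mike's point: the agent can only observe and report, and the consequence (refusing enterprise resources until compliant) belongs to the back end that receives the findings. The Posture deliberately carries no device identifier; how results are keyed without shipping PII, Jeff's fourth question, is a separate decision from what is collected.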


>-----Original Message-----
>From: Jeffrey Blank [mailto:[hidden email]]
>Sent: Wednesday, May 16, 2012 11:37 AM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development
>
>Lest this post be entirely OT, here are some
>suggestions/observations/questions for Android schema:
>1) Limit the creation of definitions to those which are covered in the
>Device Admin API, or which are truly common.  Determining "common" MDM
>features across Android devices is very challenging (especially in a
>harshly competitive market).  That said, targeting only ICS makes sense
>given the rate at which the market advances.
>
>2) Consider OVAL definitions that may not actually care about whether
>they are executed on the MDM server or the client (unless truly
>necessary).  This could be left entirely as an implementation decision
>for the MDM vendor.  Or a preference could be expressed, and the locale
>of the actual scan could be noted in results.  Are there situations in
>which we care one way or the other?  Do we believe there is an
>integrity/freshness argument for on-device scanning?
>
>3) MDM server products are available for a variety of OSes.  I would
>assume that any Android OVAL schema should not levy any requirements
>about the MDM server platform.  Also, how much information about the
>MDM
>server should be included in the results?
>
>4) How to identify/name devices for reporting (or to specify scans for
>only certain groups)?  Each MDM has some kind of identifier for the
>endpoint device it is managing.  At least in the user interface, this is
>often PII.
>
>
>Thanks,
>Jeff
>
>
>
>
>
>On 05/15/2012 12:04 PM, Chandrashekhar B wrote:
>> Thanks for sharing the info. It certainly is a good idea to have MDM
>> vendors support OVAL. I thought for a moment that the existing sql57
>> probe meets the need but, looks like we need to continue the exercise of
>> standardization for Android.
>>
>>
>>
>> Chandra.
>>
>>
>>
>> *From:*Nary, Timothy [USA] [mailto:[hidden email]]
>> *Sent:* Monday, May 14, 2012 10:09 PM
>> *To:* [hidden email]
>> *Subject:* Re: [OVAL-DEVELOPER-LIST] Android OVAL schema
>development
>>
>>
>>
>> Portability is lost with this solution, but we initially chose to go for
>> the lowest hanging fruit.  We created vendor specific content for MDMs
>> which utilized SQL databases.  As Tim H. alluded, there are MDM vendors
>> which have implemented their own NoSQL solutions, many of which are
>> encrypted.  Without the vendor providing APIs, there really was no way
>> for us to leverage the information they collected.
>>
>>
>>
>> One of our goals is to influence MDM vendors to embrace SCAP standards.
>> We're hoping that in demonstrating our proof-of-concept application and
>> showing them some of the benefits, future versions of their products
>> will ingest XCCDF/OVAL and will be able to assess mobile devices managed
>> within the MDM.
>>
>>
>>
>> --Tim Nary
>>
>>
>>
>> *From:*David Solin [mailto:[hidden email]]
>> <mailto:[mailto:[hidden email]]> *On Behalf Of *David Solin
>> *Sent:* Monday, May 14, 2012 10:07 AM
>> *To:* OVAL Developer List (Closed Public Discussion)
>> *Cc:* Nary, Timothy [USA]
>> *Subject:* Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development
>>
>>
>>
>> That sounds like a very interesting approach.  I imagine that these MDM
>> tools must already have their own version of compliance or security
>> reporting already.  So, I'd love to understand what value is added by
>> implementing these checks in OVAL.  Also, are there not any concerns
>> about the portability (or lack thereof) of these checks across different
>> MDM vendors?  One of the big advantages of having a standards-based
>> compliance language is portability, but that is lost in the specificity
>> that must be required of the SQL objects.
>>
>> I think it would be great for users if MDM vendors had tools that could
>> consume OVAL definitions directly, but naturally to do so we'd need to
>> be able to point them to which schemas to implement.  The
>> rapidly-evolving landscape will make this a real challenge.
>>
>> Regards,
>> --David Solin
>>
>> On 5/14/2012 8:38 AM, Nary, Timothy [USA] wrote:
>>
>> My team has been working on tackling this problem from the MDM
>> perspective.  We've written a proof-of-concept middleware application to
>> interface with the MDMs and use XCCDF/OVAL content to scan the MDM
>> databases for device configuration (using the sql57 independent
>> definitions).  We'd be to share some of our lessons learned and help out
>> with this effort.
>>
>>
>>
>> Cheers,
>>
>> Tim
>>
>>
>>
>> *Timothy J. Nary*
>>
>> Consultant
>>
>> Booz | Allen | Hamilton
>>
>> *Airport Square II
>> 900 Elkridge Landing Road
>> Linthicum, MD 21090*
>>
>> *Lab: (301) 575-3252
>> Work: (410) 865-3809
>> Mobile: (440) 667-4250*
>>
>>
>>
>> *From:*Luis Nunez [mailto:[hidden email]]
>> *Sent:* Friday, May 11, 2012 9:25 AM
>> *To:* [hidden email]
>> <mailto:[hidden email]>
>> *Subject:* Re: [OVAL-DEVELOPER-LIST] Android OVAL schema development
>>
>>
>>
>> some thoughts on ways.
>>
>> 1. Onboard the device.
>>
>>                 Issues - Feasibility of running OVAL as an app in the
>> Android sandbox environment or running as an Android root process???
>>
>> 2. Leverage a Mobile Device Management (MDM) application to collect
>> system info. "Offline" analysis.
>>
>> 3. Similar to MDM but direct OVAL connection to Mobile OS using:
>>
>>                 NETCONF
>>
>>                 REST
>>
>>                 or other protocols?
>>
>>
>>
>> Use cases to start with:
>>
>> 1. Configuration Hygiene
>>
>> 2. Vulnerability check
>>
>>
>>
>> -ln
>>
>>
>>
>> On May 11, 2012, at 8:46 AM, David Solin wrote:
>>
>>
>>
>> Do you have any ideas on how to collect meaningful information without
>> rooting the device?
>>
>> On 5/11/2012 7:12 AM, Chandrashekhar B wrote:
>>
>> Hello All,
>>
>>
>>
>> We are working on creating the OVAL schema for Android devices in the
>> Sandbox. Apart from devising the schema, we intend to produce a POC
>> code, along with some test content. If anyone is interested in this
>> exercise, willing to participate or if you have already done some work
>> in this area, please express your willingness, will be happy to
>> collaborate.
>>
>>
>>
>> Thanks,
>>
>> Chandra.
>>
>>
>>
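To make concrete the sql57 approach Tim describes and the portability cost David raises, here is an OVAL definition fragment written for this thread; it is an added example, not content from the proof-of-concept or from any MDM product. The connection string, the `managed_devices` table and its `device_id` and `passcode_required` columns are assumed placeholders for a hypothetical MDM database schema; `mysql` is a standard OVAL engine value and the `ind:` elements are the OVAL 5.10 independent sql57 test, object and state.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a sql57 check run against a hypothetical MDM database.
     Everything vendor-specific is confined to the object below; that is
     exactly the part that would have to be rewritten for another MDM. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2012-05-15T12:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:example.mdm:def:1" version="1" class="compliance">
      <metadata>
        <title>Every device recorded in the MDM requires a passcode</title>
        <description>Passes only if each managed device row has
          passcode_required set to 1 (placeholder column name).</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.mdm:tst:1"
            comment="all managed device rows report passcode_required = 1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- check="all": every collected row (one item per row) must match the state -->
    <ind:sql57_test id="oval:example.mdm:tst:1" version="1" check="all"
        comment="passcode_required is 1 for every managed device">
      <ind:object object_ref="oval:example.mdm:obj:1"/>
      <ind:state state_ref="oval:example.mdm:ste:1"/>
    </ind:sql57_test>
  </tests>
  <objects>
    <!-- Vendor-specific part: engine, DSN and table layout are assumptions -->
    <ind:sql57_object id="oval:example.mdm:obj:1" version="1">
      <ind:engine>mysql</ind:engine>
      <ind:version>5.5</ind:version>
      <ind:connection_string>Server=MDM_DB_HOST_PLACEHOLDER;Database=mdm;Uid=oval_ro;Pwd=PLACEHOLDER</ind:connection_string>
      <ind:sql>SELECT device_id, passcode_required FROM managed_devices</ind:sql>
    </ind:sql57_object>
  </objects>
  <states>
    <!-- Field names in a record state are matched case-insensitively to columns -->
    <ind:sql57_state id="oval:example.mdm:ste:1" version="1">
      <ind:result datatype="record">
        <ind:field name="passcode_required" datatype="int" operation="equals">1</ind:field>
      </ind:result>
    </ind:sql57_state>
  </states>
</oval_definitions>
```

Note that the read-only `Uid=oval_ro` account and the host are placeholders; in a real deployment the scanner's database credentials, not the content, should carry the least privilege needed to read the device table.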