User:Taakebre/sandbox

Security Readiness Reviews (SRR)

SRR BIOGRAPHICAL INFORMATION

Security Readiness Reviews (SRRs) are supplemental Security Content Automation Protocol (SCAP) test products used to ensure Security Technical Implementation Guide (STIG) compliance. All information technology systems that operate on the Department of Defense Global Information Grid must always remain in compliance with the requirements of the STIG. The DISA Field Security Office (FSO), located in Chambersburg, Pennsylvania, is responsible for creating and maintaining SRR scripts. SRR scripts are created from the requirements of the corresponding STIG and its associated checklist. These scripts are available for all operating systems and databases that have STIGs, and for web servers using Internet Information Services (IIS).

Purpose

The purpose of the DISA SRR is to provide administrators and security personnel with an automated tool for validating STIG compliance. The Department of Defense uses STIGs to strengthen and assess the security posture of a system or component. Findings that result from running the Gold Disks and SRR scripts are indications of weaknesses in the security posture of the system or component. Findings from the STIG are grouped into three Categories (CAT) based on the severity of the weakness. CAT I findings are those that allow an attacker to gain immediate access to a component, allow the elevation of a user's rights to administrator (or super user) level, or allow a firewall to be bypassed. These are the most severe findings. Systems or components with multiple CAT I findings may not be accepted for additional testing or for placement on the Unified Capability (UC) Approved Products List (APL). CAT II findings are those that provide identifiable information about the system or component and therefore have a high potential of allowing unauthorized access to an external user. CAT III findings are those that give away enough information for an intruder to compromise the system or component. High numbers of CAT II and CAT III findings may indicate an overall weakness in the security posture of the system or component and may preclude placement on the UCAPL.

Potential Issues

All SRR/Gold Disk scripts require root or administrative-level access to the target system. Once the scripts have been executed, any weakness in them that could adversely affect the system is therefore exercised with root-level access to the device. "In 2009 DISA discovered that a release of the UNIX SRR provided untrusted applications root level access. Currently, Unix SRRs run the following applications: Java, OpenSSL, PHP, Snort, Tshark, VNCserver, and Wireshark. If an attacker were able to install a malicious file labeled as one of the above-mentioned programs, the SRR would launch the file with root level access. DISA was able to quickly remediate this vulnerability by releasing an update to the script."
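The weakness described above is a privileged script launching helper programs by name. As an added example that is not DISA's SRR code (which this page does not reproduce), the POSIX shell pre-flight check below resolves each helper tool only from a fixed list of trusted directories, ignoring PATH, and refuses to run it unless it is a regular file owned by the expected account and not writable by group or others; the directory list, the owner variable and the srr_* function names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical, not DISA's SRR script): vet a helper tool
# before a root-level audit script runs it.

# Assumed configuration; real SRR scripts may use different locations.
SRR_TRUSTED_DIRS="${SRR_TRUSTED_DIRS:-/usr/bin:/bin:/usr/sbin:/sbin}"
SRR_TRUSTED_OWNER="${SRR_TRUSTED_OWNER:-root}"

# Print the vetted path of tool $1 and return 0, or return 1 with a reason.
# PATH is deliberately ignored so a planted file elsewhere cannot be chosen.
srr_trusted_tool() {
    tool=$1
    oldifs=$IFS
    IFS=:
    set -- $SRR_TRUSTED_DIRS      # split the colon-separated list
    IFS=$oldifs
    for dir in "$@"; do
        candidate="$dir/$tool"
        [ -f "$candidate" ] || continue
        # Regular file after symlink resolution, owned by the trusted
        # account, and neither group- nor world-writable.
        if [ -n "$(find -L "$candidate" -prune -type f \
                     -user "$SRR_TRUSTED_OWNER" \
                     ! -perm -g+w ! -perm -o+w -print 2>/dev/null)" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        # A file with the right name that fails the checks is a finding in
        # itself: stop here instead of falling through to a later directory.
        printf 'refusing %s: fails ownership/permission checks\n' \
            "$candidate" >&2
        return 1
    done
    printf 'refusing %s: not present in trusted directories\n' "$tool" >&2
    return 1
}

# Run tool $1 with the remaining arguments, but only through the vetted path.
srr_run() {
    tool=$1
    shift
    path=$(srr_trusted_tool "$tool") || return 1
    "$path" "$@"
}
```

Under `set -e`, a failed check aborts the audit run rather than continuing with an unvetted binary.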

References

Jackson, W. (2009, December 8). Vulnerability in DISA security scripts could leave systems at risk. Retrieved July 16, 2012, from Government Computer News: http://gcn.com/articles/2009/12/08/disa-rss-vulnerability-120809.aspx