[Clip] [ANN] CLIP for RHEL 6.2 Alpha Release

Spencer R. Shimko sshimko at tresys.com
Thu Jul 19 16:12:13 CDT 2012


All,

Tresys is pleased to announced the alpha release of the Certifiable Linux
Integration Platform (CLIP) for RHEL 6.2. This release includes the
following features:

- Remediation content (generated by Tresys and others in the remediation
content community and contributed to the Aqueduct project [1])
- SCAP audit content (generated by a group of folks from NSA, Red Hat, and
a bit from Tresys and contributed to the SCAP Security Guide project [2])
- SecState (for managing and interpreting SCAP audit content and
remediation content as well as generating reports - a Tresys project over
at Fedora hosted)
- A customized RHEL 6 kickstart with a trimmed package list and a %post
that runs audit content and applies remediation content using SecState
- A new build system for rolling RPMs in mock and generating ISOs with
Pungi and LiveCD creator

The CLIP release and git repo contain numerous Help-*.txt files providing
guidance on generating packages and ISOs. Good places to start are
Help-Getting-Started.txt and Help-Use-Cases.txt.

As an alpha release not everything is complete. These issues are
documenting in Help-Known-Issues but as a quick summary here are the known
issues:
- SELinux policy needs more work to boot in enforcing mode. This is a
blocker for our beta release thus the beta will include a policy that
supports a default CLIP configuration in enforcing mode.
- We have the ability to roll LiveCDs which are great for stateless
solutions. While the system works for RHEL 5, we are having issues with
dracut in RHEL 6. I hope to have these addressed by the beta release but
this is not a blocker.
- We have not updated the oss.tresys.com/projects/clip website (aside
adding links to the new releases). This will be done for beta and final
releases.
- There is a bug in openscap, a library leveraged by SecState, that causes
segfaults when interpreting a subset of the total audit content from
scap-security-guide.  As a result you must select a subset of the total
audit content using secstate.  You can find the commands used to select
the appropriate content in kickstarts/clip-rhel6/clip-rhel6.ks and in
Help-Known-Issues.txt

I encourage those interested to clone the git repo and roll an ISO [4] or
snag the release ISO [5] and start kicking the tires a bit. Please use
this mailing list to report any issues, contribute patches, or provide
general suggestions and feedback.

Thanks,
--Spencer

Spencer Shimko
Lead Engineer, Linux Solutions Practice
Tresys Technology
8840 Stanford Boulevard, Suite 2100
Columbia, MD 21045
Phone: +1 410-290-1411 x125
FAX: +1 410 953-0494

[1] https://fedorahosted.org/aqueduct/
[2] https://fedorahosted.org/scap-security-guide/
[3] https://fedorahosted.org/secstate/
[4] '$ git clone http://oss.tresys.com/git/clip.git'
[5] http://oss.tresys.com/files/clip/clip-rhel6-2-x86_64-alpha.iso (careful - this installation image asks no questions and will destroy existing data)






More information about the Clip mailing list