[Clip] [ANN] CLIP for RHEL 6.2 Alpha Release

Spencer R. Shimko sshimko at tresys.com
Thu Jul 19 16:12:13 CDT 2012


Tresys is pleased to announced the alpha release of the Certifiable Linux
Integration Platform (CLIP) for RHEL 6.2. This release includes the
following features:

- Remediation content (generated by Tresys and others in the remediation
content community and contributed to the Aqueduct project [1])
- SCAP audit content (generated by a group of folks from NSA, Red Hat, and
a bit from Tresys and contributed to the SCAP Security Guide project [2])
- SecState (for managing and interpreting SCAP audit content and
remediation content as well as generating reports - a Tresys project over
at Fedora hosted)
- A customized RHEL 6 kickstart with a trimmed package list and a %post
that runs audit content and applies remediation content using SecState
- A new build system for rolling RPMs in mock and generating ISOs with
Pungi and LiveCD creator

The CLIP release and git repo contain numerous Help-*.txt files providing
guidance on generating packages and ISOs. Good places to start are
Help-Getting-Started.txt and Help-Use-Cases.txt.

As an alpha release not everything is complete. These issues are
documenting in Help-Known-Issues but as a quick summary here are the known
- SELinux policy needs more work to boot in enforcing mode. This is a
blocker for our beta release thus the beta will include a policy that
supports a default CLIP configuration in enforcing mode.
- We have the ability to roll LiveCDs which are great for stateless
solutions. While the system works for RHEL 5, we are having issues with
dracut in RHEL 6. I hope to have these addressed by the beta release but
this is not a blocker.
- We have not updated the oss.tresys.com/projects/clip website (aside
adding links to the new releases). This will be done for beta and final
- There is a bug in openscap, a library leveraged by SecState, that causes
segfaults when interpreting a subset of the total audit content from
scap-security-guide.  As a result you must select a subset of the total
audit content using secstate.  You can find the commands used to select
the appropriate content in kickstarts/clip-rhel6/clip-rhel6.ks and in

I encourage those interested to clone the git repo and roll an ISO [4] or
snag the release ISO [5] and start kicking the tires a bit. Please use
this mailing list to report any issues, contribute patches, or provide
general suggestions and feedback.


Spencer Shimko
Lead Engineer, Linux Solutions Practice
Tresys Technology
8840 Stanford Boulevard, Suite 2100
Columbia, MD 21045
Phone: +1 410-290-1411 x125
FAX: +1 410 953-0494

[1] https://fedorahosted.org/aqueduct/
[2] https://fedorahosted.org/scap-security-guide/
[3] https://fedorahosted.org/secstate/
[4] '$ git clone http://oss.tresys.com/git/clip.git'
[5] http://oss.tresys.com/files/clip/clip-rhel6-2-x86_64-alpha.iso (careful - this installation image asks no questions and will destroy existing data)

More information about the Clip mailing list