Clone this wiki locally
The Certifiable Linux Integration Platform (CLIP) project provides a security hardened operating system platform to host secure applications. CLIP defines a specific configuration of Security Enhanced Linux (SELinux) designed to provide the foundation for hosting secure applications. This configuration consist of a separation of roles, mandatory access control (MAC), discretionary access control (DAC), and data separation. With this foundation in place, the hosted application need only concern itself with the specific security details of its task and not necessarily those associated with these overhead functions. By using CLIP, implementers can provide evidence of compliance with established operating system security requirements. These established operating system security requirements are:
- Director of Central Intelligence Directive 6/3 “Protecting Sensitive Compartmented Information within Information Systems” (DCID 6/3) Protection Level 4 (PL4)
- National Security Systems (NSS) Instruction 1253 “Security Controls Catalog for National Security Systems” High Impact requirements
- Department of Defense (DoD) Instruction Number 8500.2 “Information Assurance (IA) Implementation” MAC I Classified requirements
- Defense Information System Agency (DISA) Information Assurance Support Environment (IASE) Security Technical Implementation Guides (STIG) Unix V5R1
The requirements identify the following four areas: Confidentiality, Integrity, Availability and Accountability. CLIP is designed to support these areas in the following manner.
- Confidentiality: SELinux policy is used in CLIP to guarantee that only those entities with sufficient access approval may process sensitive data. The extensible nature of SELinux policy enables a developer to manage sensitive data, and create a security policy that exposes this data on a need-to-know basis. An example of a secure application which would benefit using CLIP is a Cross Domain Solutions, which needs to have fine-grained control over the disclosure of information, most of which could be managed by proper configuration of SELinux policy.
- Integrity: A secure system must protect against unauthorized modification of data. Data integrity need not be limited to system security relevant information, but all information contained on the system. The mandatory access controls provided by SELinux ensures the integrity of the data. CLIP also uses AIDE to create an initial database of files on the system after installation. A configurable cron job runs every 24 hours and reports file changes to /var/log/aide.log. Configurations to /etc/aide.conf may be made in the kickstart script to meet your requirements.
- Availability: SELinux policy isolates data into separate security domains. CLIP provides a utility to backup file security labels, allowing overall filesystem backup to occur without affecting the security relevant state of the filesystem.
- Accountability: In any type of secure system, it is essential to maintain accountability for security relevant events. CLIP uses system call auditing, combined with the auditing and user authentication capabilities of SELinux, to provide administrators with detailed information about all security relevant changes to a system's state.
CLIP currently consists of the following two instances:
- The initial release configured a SELinux installation on a RHEL 4 system to support developers in meeting the Director of Central Intelligence Directive 6/3 “Protecting Sensitive Compartmented Information within Information Systems” (DCID 6/3) Protection Level 4 (PL4) requirements.
- The second release targeted RHEL 5 and supports developers in meeting both the DCID 6/3 PL4 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 “Recommended Security Controls for Federal Information Systems” High Impact requirements.
The goals for the the CLIP Project are to provide the following items:
- A mapping between security requirements and operating system functions.
- A configuration of an operating system which satisfies the security target as defined by the security requirements.
- An enumeration of the evidence to support the claims that the configuration meets the security requirements.