Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis

Prepared By: Tresys Technology, LLC March 17, 2009

Certifiable Linux Integration Platform (CLIP)

Table of Contents

1 Introduction ........ 1
1.1. Security Requirement Set Selection ........ 1
1.2. Analysis Overview ........ 1
1.3. Document Organization ........ 2
2 Requirement Set Analysis ........ 2
2.1. NSSI-1253v4 Mapping and Analysis ........ 2
2.1.1. NSSI-1253v4 Mapping Tables ........ 2
2.1.2. NSSI-1253v4 Analysis ........ 27
2.1.2.1. Access Control ........ 27
2.1.2.2. Awareness and Training ........ 48
2.1.2.3. Audit and Accountability ........ 51
2.1.2.4. Certification, Accreditation and Security ........ 62
2.1.2.5. Configuration Management ........ 68
2.1.2.6. Contingency Planning ........ 74
2.1.2.7. Identification and Authentication ........ 82
2.1.2.8. Incident Response ........ 89
2.1.2.9. Maintenance ........ 93
2.1.2.10. Media Protection ........ 98
2.1.2.11. Physical and Environmental Protection ........ 104
2.1.2.12. Planning ........ 115
2.1.2.13. Personnel Security ........ 118
2.1.2.14. Risk Assessment ........ 122
2.1.2.15. System and Services Acquisition ........ 126
2.1.2.16. System and Communications Protection ........ 136
2.1.2.17. System and Information Integrity ........ 153
3 Overview of the CLIP Toolkit ........ 163
3.1. Installation ........ 163
3.2. Backups ........ 163
3.3. Auditing ........ 163
3.4. Authentication ........ 164
3.5. Object Labeling ........ 165
3.6. Additional Information ........ 165
Summary of Analysis ........ 166
Acronyms ........ 167
Bibliography ........ 169

Table of Tables

Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers ........ 2
Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements ........ 4

Tresys Technology

i


1 Introduction

Tresys’ Certifiable Linux Integration Platform (CLIP) is designed to provide a solid foundation for building secure solutions and to facilitate and expedite the certification and accreditation (C&A) of those solutions. This document describes the prototype CLIP toolkit v3.1.0 that targets Red Hat Enterprise Linux 5.3 (RHEL 5.3) to create a system that is compliant with the Security Control Catalog for National Security Systems Instruction 1253 (NSSI-1253v4)1 High Impact requirement set.

For the security analysis of RHEL 5.3, Tresys has mapped each applicable requirement to operating system functionality. Where the operating system requires additional configuration or security policy updates to meet a requirement, the analysis provides details of these changes. The changes include modification of configuration files, tightening of the security policy implementation, turning operating system features on or off, installation of new packages, and use of a kickstart file to assist in secure installation. These changes are the basis for the CLIP toolkit.

The CLIP toolkit v3.1.0 for RHEL 5.3 builds on previous toolkit releases and provides an updated SELinux Reference Policy and an updated SELinux toolchain. It includes initial infrastructure for full Security Content Automation Protocol (SCAP) support. With CLIP version 3.1.0 for RHEL 5.3, RHEL meets the majority of requirements, allowing developers to make only minor changes to the platform and instead focus their efforts on creating innovative and secure applications.

1.1. Security Requirement Set Selection

Tresys focused on the requirement set that represents the most comprehensive and precise requirements relevant for a wide range of cross domain and perimeter defense solutions:
• The Security Control Catalog for National Security Systems NSSI-1253v4

Previous versions of the CLIP toolkit included other security requirement sets, including the Department of Defense (DoD) Instruction Number 8500.2 “Information Assurance (IA) Implementation” MAC I Classified requirements, but the NSSI-1253v4 encompasses those requirements and as such is sufficient on its own.

1.2. Analysis Overview

The analysis examined the default configuration for the CLIP toolkit v3.1.0 for RHEL 5.3 against the selected security requirements. For each requirement, the analysis describes the operating system's ability to fulfill the requirement as configured, as well as whether or not the operating system has the capability of fulfilling the requirement. To have the capability means that the system may need, for instance, configuration changes or additional security policy to fulfill a requirement, but that the operating system is capable of supporting these changes. If the CLIP toolkit for RHEL 5.3 includes the modifications needed to satisfy the requirement (i.e. configuration changes, security policy changes), that requirement is deemed to be satisfied for the purposes of this analysis.

1 Security Control Catalog for National Security Systems, NSS Instruction No. 1253 (ODNI/CIO) Draft Version 4, December 2007

This analysis uses the baseline requirements and controls defined in the NSSI-1253v4. It should be noted that the Designated Approval Authority (DAA) determines the requirements and controls that should be applied to a specific system and may take into account many factors, including the environment in which the system will be placed.

1.3. Document Organization

The remainder of this document is comprised of the following sections:
• REQUIREMENT SET ANALYSIS
  o NSSI-1253v4 Mapping and Analysis
• SUMMARY OF ANALYSIS
• ACRONYMS
• BIBLIOGRAPHY

2 Requirement Set Analysis

2.1. NSSI-1253v4 Mapping and Analysis

The Security Control Catalog for Committee on National Security Systems 1253 (NSSI-1253v4) contains requirements broken up into seventeen families and categorized into three classes: technical, operational and management. These families are closely related to the seventeen security areas found in the Federal Information Processing Standard 200 (FIPS 200) document, which is used to secure federal information and information systems.

2.1.1. NSSI-1253v4 Mapping Tables

Table 1 lists the identifier and class for each of the families used in the NSSI-1253v4 requirements. A family’s class represents the dominant characteristic of that family, but may not represent its only characteristic. Therefore, for example, a family labeled as operational also may have management characteristics. The CLIP toolkit generally addresses the requirements for families in the technical class, which usually are specific to operating system security. Requirements for families in the operational or management classes frequently contain procedural requirements and therefore are outside the scope of the toolkit. However, the CLIP toolkit may also fulfill some of the requirements within families labeled as operational or management that have technical characteristics.

Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers

Identifier | Family | Class
AC | Access Control | Technical
AT | Awareness and Training | Operational
AU | Audit and Accountability | Technical
CA | Certification, Accreditation, and Security Assessments | Management
CM | Configuration Management | Operational
CP | Contingency Planning | Operational
IA | Identification and Authentication | Technical
IR | Incident Response | Operational
MA | Maintenance | Operational
MP | Media Protection | Operational
PE | Physical and Environmental Protection | Operational
PL | Planning | Management
PS | Personnel Security | Operational
RA | Risk Assessment | Management
SA | System and Service Acquisition | Management
SC | System and Communications Protection | Technical
SI | System and Information Integrity | Operational

Table 2 summarizes the coverage of the NSSI-1253v4 requirements. Each row represents an area of responsibility for meeting a specific requirement, consisting of a Requirement Control of the operating system and optionally a Control Enhancement, shown parenthetically. The Requirement Control is the core requirement for a particular area and may have additional associated requirements. These additional associated requirements are called Control Enhancements and enhance the security of the core control. The core control and its enhancements are associated with three impact levels: low, moderate, and high. For each impact level, a control or enhancement is selected if it is required at that impact level; non-selected controls and enhancements may be required on a per-instance basis according to the security needs of that instance. In Table 2 each row represents a unique control and enhancement pair, and the three columns display information about the impact levels for that pair. These results are discussed in detail in the sections following the table.

Table 2 uses the following conventions:
Selected
Not Selected
Meets
Partially Meets
Does Not Meet
Outside Scope 2

For partially met or non-capability controls/enhancements, the following letter codes indicate the type of effort required to supplement the base system to satisfy the requirements of that control/enhancement:
P - Procedural - Organizational procedure is needed to satisfy the requirements. This is used for requirements that deal with the network structure to which the system is attached or the system hardware configuration.
C - Configuration - The system needs additional configuration changes to fully satisfy the requirement.
D - Development - Additional applications must be developed and/or installed to satisfy the requirements.

Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements

Note: this text rendering of the table shows only the P/C/D letter codes; a row with no code carried only the selected/meets symbols in the original table.

Control Number | Low | Moderate | High

Access Control
AC-1 | P | P | P
AC-2 | P | P | P
AC-2(1) | P | P | P
AC-2(2) | C | C | C
AC-2(3) | D | D | D
AC-2(4) | P | P | P
AC-2(5) | P | P | P
AC-3 | D | D | D
AC-3(1) | | |
AC-3(2) | | |
AC-3(3) | | |
AC-3(4) | | |
AC-3(5) | | |
AC-3(6) | | |
AC-3(7) | | |
AC-4 | | |
AC-4(1) | | |
AC-4(2) | | |
AC-4(3) | | |
AC-4(4) | P | P | P
AC-4(5) | P | P | P
AC-4(6) | P | P | P
AC-4(7) | P | P | P
AC-5 | P | P | P
AC-6 | | |
AC-6(1) | P | P | P
AC-7 | C | C | C
AC-7(1) | C | C | C
AC-7(2) | | |
AC-8 | | |
AC-9 | | |
AC-9(1) | D | D | D
AC-10 | C | C | C
AC-11 | D | D | D
AC-11(1) | D | D | D
AC-12 | C | C | C
AC-12(1) | | |
AC-12(2) | | |
AC-13 | P | P | P
AC-13(1) | P | P | P
AC-14 | P | P | P
AC-14(1) | P | P | P
AC-15 | C | C | C
AC-15(1) | C | C | C
AC-16 | C | C | C
AC-17 | P | P | P
AC-17(1) | | |
AC-17(2) | D | D | D
AC-17(3) | P | P | P
AC-17(4) | P | P | P
AC-17(5) | C | C | C
AC-17(6) | P | P | P
AC-17(7) | C | C | C
AC-18 | P | P | P
AC-18(1) | P | P | P
AC-18(2) | P | P | P
AC-18(3) | P | P | P
AC-18(4) | P | P | P
AC-18(5) | C | C | C
AC-19 | P | P | P
AC-19(1) | P | P | P
AC-20 | P | P | P
AC-20(1) | P | P | P
AC-21 | | |
AC-22 | P | P | P
AC-23 | P | P | P
AC-23(1) | P | P | P
AC-23(2) | | |
AC-23(3) | | |
AC-23(4) | | |

Awareness and Training
AT-1 | P | P | P
AT-2 | P | P | P
AT-3 | P | P | P
AT-4 | P | P | P
AT-5 | P | P | P
AT-6 | P | P | P

Audit and Accountability
AU-1 | P | P | P
AU-1(1) | C | C | C
AU-2 | C | C | C
AU-2(1) | C | C | C
AU-2(2) | | |
AU-2(3) | P | P | P
AU-2(4) | C | C | C
AU-2(5) | | |
AU-2(6) | C | C | C
AU-2(7) | C | C | C
AU-2(8) | D | D | D
AU-2(9) | D | D | D
AU-2(10) | | |
AU-3 | | |
AU-3(1) | | |
AU-3(2) | | |
AU-3(3) | | |
AU-3(4) | | |
AU-3(5) | | |
AU-4 | P | P | P
AU-5 | C | C | C
AU-5(1) | C | C | C
AU-5(2) | D | D | D
AU-5(3) | C | C | C
AU-6 | P | P | P
AU-6(1) | D | D | D
AU-6(2) | D | D | D
AU-6(3) | P | P | P
AU-6(4) | D | D | D
AU-6(5) | D | D | D
AU-7 | | |
AU-7(1) | | |
AU-7(2) | | |
AU-8 | | |
(one of AU-7, AU-7(1), AU-7(2) and AU-8 is coded D | D | D in the source; the extracted text does not show which)
AU-8(1) | D | D | D
AU-8(2) | D | D | D
AU-9 | | |
AU-9(1) | C | C | C
AU-9(2) | C | C | C
AU-10 | C | C | C
AU-10(1) | C | C | C
AU-10(2) | | |
AU-10(3) | | |
AU-10(4) | | |
AU-11 | P | P | P
AU-11(1) | P | P | P
AU-11(2) | P | P | P
AU-11(3) | P | P | P
AU-11(4) | P | P | P
AU-12 | | |
AU-12(1) | | |
AU-12(2) | | |

Certification, Accreditation, and Security Assessments
CA-1 | P | P | P
CA-2 | P | P | P
CA-3 | P | P | P
CA-4 | P | P | P
CA-4(1) | P | P | P
CA-4(2) | P | P | P
CA-4(3) | P | P | P
CA-5 | P | P | P
CA-6 | P | P | P
CA-7 | P | P | P
CA-7(1) | P | P | P
CA-7(2) | P | P | P

Configuration Management
CM-1 | P | P | P
CM-2 | P | P | P
CM-2(1) | P | P | P
CM-2(2) | P | P | P
CM-2(3) | P | P | P
CM-2(4) | P | P | P
CM-3 | C | C | C
CM-3(1) | P | P | P
CM-3(2) | P | P | P
CM-3(3) | P | P | P
CM-4 | P | P | P
CM-5 | P | P | P
CM-5(1) | P | P | P
CM-5(2) | P | P | P
CM-5(3) | P | P | P
CM-5(4) | | |
CM-6 | P | P | P
CM-6(1) | P | P | P
CM-6(2) | P | P | P
CM-7 | P | P | P
CM-7(1) | P | P | P
CM-7(2) | C | C | C
CM-8 | P | P | P
CM-8(1) | P | P | P
CM-8(2) | P | P | P

Contingency Planning
CP-1 | P | P | P
CP-1(1) | P | P | P
CP-2 | P | P | P
CP-2(1) | P | P | P
CP-2(2) | P | P | P
CP-2(3) | P | P | P
CP-2(4) | P | P | P
CP-2(5) | P | P | P
CP-2(6) | P | P | P
CP-2(7) | P | P | P
CP-3 | P | P | P
CP-3(1) | P | P | P
CP-3(2) | P | P | P
CP-4 | P | P | P
CP-4(1) | P | P | P
CP-4(2) | P | P | P
CP-4(3) | P | P | P
CP-4(4) | P | P | P
CP-5 | P | P | P
CP-6 | P | P | P
CP-6(1) | P | P | P
CP-6(2) | P | P | P
CP-6(3) | P | P | P
CP-6(4) | P | P | P
CP-6(5) | P | P | P
CP-6(6) | P | P | P
CP-7 | P | P | P
CP-7(1) | P | P | P
CP-7(2) | P | P | P
CP-7(3) | P | P | P
CP-7(4) | P | P | P
CP-7(5) | P | P | P
CP-7(6) | P | P | P
CP-8 | P | P | P
CP-8(1) | P | P | P
CP-8(2) | P | P | P
CP-8(3) | P | P | P
CP-8(4) | P | P | P
CP-9 | P | P | P
CP-9(1) | P | P | P
CP-9(2) | P | P | P
CP-9(3) | P | P | P
CP-9(4) | P | P | P
CP-10 | P | P | P
CP-10(1) | P | P | P
CP-10(2) | P | P | P
CP-10(3) | P | P | P

Identification and Authentication
IA-1 | P | P | P
IA-2 | | |
IA-2(1) | C | C | C
IA-2(2) | C | C | C
IA-2(3) | C | C | C
IA-2(4) | C | C | C
IA-2(5) | D | D | D
IA-2(6) | D | D | D
IA-2(7) | C | C | C
IA-2(8) | C | C | C
IA-2(9) | P | P | P
IA-3 | | |
IA-3(1) | C | C | C
IA-3(2) | C | C | C
IA-4 | P | P | P
IA-4(1) | P | P | P
IA-4(2) | P | P | P
IA-4(3) | P | P | P
IA-4(4) | P | P | P
IA-5 | P | P | P
IA-5(1) | | |
IA-5(2) | P | P | P
IA-5(3) | P | P | P
IA-5(4) | C | C | C
IA-5(5) | C | C | C
IA-6 | | |
IA-7 | | |
(one of IA-3, IA-5(1), IA-6 and IA-7 is coded D | D | D in the source; the extracted text does not show which)

Incident Response
IR-1 | P | P | P
IR-1(1) | P | P | P
IR-2 | P | P | P
IR-2(1) | P | P | P
IR-2(2) | P | P | P
IR-3 | P | P | P
IR-3(1) | P | P | P
IR-3(2) | P | P | P
IR-4 | P | P | P
IR-4(1) | P | P | P
IR-5 | P | P | P
IR-5(1) | P | P | P
IR-6 | P | P | P
IR-6(1) | P | P | P
IR-7 | P | P | P
IR-7(1) | P | P | P

Maintenance
MA-1 | P | P | P
MA-2 | P | P | P
MA-2(1) | P | P | P
MA-2(2) | P | P | P
MA-3 | P | P | P
MA-3(1) | P | P | P
MA-3(2) | P | P | P
MA-3(3) | P | P | P
MA-3(4) | P | P | P
MA-4 | P | P | P
MA-4(1) | P | P | P
MA-4(2) | P | P | P
MA-4(3) | P | P | P
MA-4(4) | P | P | P
MA-4(5) | P | P | P
MA-4(6) | P | P | P
MA-5 | P | P | P
MA-5(1) | P | P | P
MA-5(2) | P | P | P
MA-5(3) | P | P | P
MA-5(4) | P | P | P
MA-5(5) | P | P | P
MA-6 | P | P | P
MA-6(1) | P | P | P
MA-6(2) | P | P | P

Media Protection
MP-1 | P | P | P
MP-2 | P | P | P
MP-2(1) | P | P | P
MP-3 | P | P | P
MP-3(1) | D | D | D
MP-4 | P | P | P
MP-4(1) | P | P | P
MP-4(2) | P | P | P
MP-5 | P | P | P
MP-5(1) | P | P | P
MP-5(2) | P | P | P
MP-5(3) | P | P | P
MP-5(4) | P | P | P
MP-6 | P | P | P
MP-6(1) | P | P | P
MP-6(2) | P | P | P
MP-6(3) | P | P | P
MP-6(4) | P | P | P

Physical and Environmental Protection
PE-1 | P | P | P
PE-2 | P | P | P
PE-2(1) | P | P | P
PE-2(2) | P | P | P
PE-3 | P | P | P
PE-3(1) | P | P | P
PE-3(2) | P | P | P
PE-3(3) | P | P | P
PE-3(4) | D | D | D
PE-4 | P | P | P
PE-5 | P | P | P
PE-6 | P | P | P
PE-6(1) | P | P | P
PE-6(2) | P | P | P
PE-7 | P | P | P
PE-7(1) | P | P | P
PE-7(2) | P | P | P
PE-8 | P | P | P
PE-8(1) | P | P | P
PE-8(2) | P | P | P
PE-9 | P | P | P
PE-9(1) | P | P | P
PE-9(2) | P | P | P
PE-10 | P | P | P
PE-10(1) | P | P | P
PE-11 | P | P | P
PE-11(1) | P | P | P
PE-11(2) | P | P | P
PE-12 | P | P | P
PE-12(1) | P | P | P
PE-13 | P | P | P
PE-13(1) | P | P | P
PE-13(2) | P | P | P
PE-13(3) | P | P | P
PE-13(4) | P | P | P
PE-14 | P | P | P
PE-14(1) | P | P | P
PE-15 | P | P | P
PE-15(1) | P | P | P
PE-16 | P | P | P
PE-17 | P | P | P
PE-18 | P | P | P
PE-18(1) | P | P | P
PE-19 | P | P | P
PE-19(1) | P | P | P
PE-20 | P | P | P
PE-20(1) | P | P | P
PE-20(2) | P | P | P
PE-20(3) | P | P | P
PE-21 | P | P | P

Planning
PL-1 | P | P | P
PL-2 | P | P | P
PL-2(1) | P | P | P
PL-2(2) | P | P | P
PL-2(3) | P | P | P
PL-3 | P | P | P
PL-4 | P | P | P
PL-5 | P | P | P
PL-6 | P | P | P

Personnel Security
PS-1 | P | P | P
PS-2 | P | P | P
PS-3 | P | P | P
PS-3(1) | P | P | P
PS-3(2) | P | P | P
PS-4 | P | P | P
PS-5 | P | P | P
PS-6 | P | P | P
PS-6(1) | P | P | P
PS-6(2) | P | P | P
PS-7 | P | P | P
PS-7(1) | P | P | P
PS-8 | P | P | P

Risk Assessment
RA-1 | P | P | P
RA-2 | P | P | P
RA-3 | P | P | P
RA-4 | P | P | P
RA-5 | P | P | P
RA-5(1) | P | P | P
RA-5(2) | P | P | P
RA-5(3) | P | P | P
RA-5(4) | P | P | P
RA-5(5) | P | P | P

System and Services Acquisition
SA-1 | P | P | P
SA-2 | P | P | P
SA-3 | P | P | P
SA-4 | P | P | P
SA-4(1) | P | P | P
SA-4(2) | P | P | P
SA-4(3) | P | P | P
SA-4(4) | P | P | P
SA-4(5) | P | P | P
SA-4(6) | P | P | P
SA-4(7) | P | P | P
SA-4(8) | P | P | P
SA-5 | P | P | P
SA-5(1) | P | P | P
SA-5(2) | P | P | P
SA-5(3) | P | P | P
SA-5(4) | P | P | P
SA-5(5) | P | P | P
SA-5(6) | P | P | P
SA-5(7) | P | P | P
SA-6 | P | P | P
SA-6(1) | P | P | P
SA-6(2) | P | P | P
SA-7 | C | C | C
SA-8 | P | P | P
SA-9 | P | P | P
SA-9(1) | P | P | P
SA-10 | P | P | P
SA-10(1) | | |
SA-11 | P | P | P
SA-11(1) | P | P | P
SA-11(2) | P | P | P
SA-11(3) | P | P | P
SA-12 | P | P | P
SA-12(1) | P | P | P
SA-12(2) | P | P | P
SA-12(3) | P | P | P
SA-12(4) | P | P | P
SA-12(5) | P | P | P

System and Communications Protection
SC-1 | P | P | P
SC-1(1) | P | P | P
SC-2 | | |
SC-3 | | |
SC-3(1) | | |
SC-3(2) | | |
SC-3(3) | | |
SC-3(4) | | |
SC-3(5) | | |
SC-4 | | |
SC-5 | D | D | D
SC-5(1) | D | D | D
SC-5(2) | D | D | D
SC-5(3) | D | D | D
SC-6 | | |
SC-7 | C | C | C
SC-7(1) | P | P | P
SC-7(2) | P | P | P
SC-7(3) | P | P | P
SC-7(4) | P | P | P
SC-7(5) | | |
SC-7(6) | P | P | P
SC-7(7) | P | P | P
SC-7(8) | P | P | P
SC-7(9) | C | C | C
SC-8 | C | C | C
SC-8(1) | P | P | P
SC-8(2) | C | C | C
SC-9 | C | C | C
SC-9(1) | P | P | P
SC-9(2) | | |
SC-9(3) | | |
SC-9(4) | | |
(one of SC-6, SC-7(5), SC-9(2), SC-9(3) and SC-9(4) is coded C | C | C in the source; the extracted text does not show which)
SC-9(5) | C | C | C
SC-10 | D | D | D
SC-11 | D | D | D
SC-12 | P | P | P
SC-12(1) | P | P | P
SC-12(2) | P | P | P
SC-12(3) | P | P | P
SC-12(4) | P | P | P
SC-13 | | |
SC-14 | | |
SC-15 | | |
SC-15(1) | P | P | P
SC-15(2) | C | C | C
SC-15(3) | P | P | P
SC-16 | | |
SC-16(1) | C | C | C
SC-16(2) | D | D | D
SC-17 | P | P | P
SC-18 | P | P | P
SC-18(1) | P | P | P
SC-18(2) | D | D | D
SC-19 | P | P | P
SC-20 | D | D | D
SC-20(1) | C | C | C
SC-21 | D | D | D
SC-21(1) | D | D | D
SC-22 | C | C | C
SC-23 | | |

System and Information Integrity
SI-1 | P | P | P
SI-2 | P | P | P
SI-2(1) | P | P | P
SI-2(2) | P | P | P
SI-2(3) | P | P | P
SI-3 | D | D | D
SI-3(1) | P | P | P
SI-3(2) | D | D | D
SI-3(3) | P | P | P
SI-3(4) | P | P | P
SI-3(5) | P | P | P
SI-3(6) | C | C | C
SI-3(7) | P | P | P
SI-3(8) | D | D | D
SI-4 | P | P | P
SI-4(1) | P | P | P
SI-4(2) | P | P | P
SI-4(3) | P | P | P
SI-4(4) | D | D | D
SI-4(5) | D | D | D
SI-4(6) | D | D | D
SI-4(7) | C | C | C
SI-4(8) | P | P | P
SI-5 | P | P | P
SI-5(1) | P | P | P
SI-6 | C | C | C
SI-6(1) | P | P | P
SI-6(2) | P | P | P
SI-7 | C | C | C
SI-7(1) | P | P | P
SI-7(2) | P | P | P
SI-7(3) | P | P | P
SI-8 | D | D | D
SI-8(1) | P | P | P
SI-8(2) | D | D | D
SI-8(3) | P | P | P
SI-8(4) | P | P | P
SI-8(5) | P | P | P
SI-8(6) | D | D | D
SI-9 | | |
SI-10 | D | D | D
SI-11 | D | D | D
SI-12 | P | P | P

2 All or part of the requirement falls outside of features that can be provided by the base operating system, and therefore cannot be addressed by the CLIP toolkit.

2.1.2. NSSI-1253v4 Analysis

This section examines each of the NSSI-1253v4 security requirements. The analysis is divided into 17 sections, one for each family:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation and Security
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity

Each individual requirement is presented, followed by an analysis of the capability of RHEL 5.3 and the CLIP toolkit to meet the requirement, provided in the shaded boxed text. Each analysis explains how the requirement is met, partially met, cannot be met, or is outside the scope of the base platform.

2.1.2.1. Access Control

AC-1 Access Control Policies and Procedures

LOW: AC-1 MODERATE: AC-1 HIGH: AC-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards and guidance. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular information system when required.

Control Enhancements: None

Control - Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-2 Account Management

LOW: AC-2(5) MODERATE: AC-2 (1)(2)(3)(4)(5) HIGH: AC-2 (1)(2)(3)(4)(5)

Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization will:
a) Reviews information system accounts [Assignment: organization-defined frequency], or at least annually.
b) Identifies authorized users of the information system accounts and specifies access rights/privileges.
c) Requires proper identification for requests to establish information system accounts and approves all such requests.
d) Authorizes and monitors the use of guest/anonymous accounts and removes, disables or otherwise secures unnecessary accounts.
e) Notify account managers when information system users are terminated or transferred and associated accounts are removed, disabled or otherwise secured.
f) Notify account managers when users’ information system usage or need-to-know/need-to-share changes.

Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization should consider the following aspects when granting access to the information and information systems: (i) A valid access authorization that is determined by assigned official duties and satisfying all personnel security criteria and (ii) Intended system usage.

Control Enhancements:
1) The organization employs automated mechanisms to support the management of information system accounts.
2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account], not to exceed 72 hours.
3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period], not to exceed 30 days.
4) The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
5) The organization establishes and administers all privileged user accounts in accordance with a role based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web administration). The Information System Security Manager (ISSM)/Information Assurance Manager (IAM) tracks privileged role assignments.

Control - Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 - Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 - Partially Meets Requirement - Configuration
Linux user management allows an expiration date to be set for an account. This can be used when creating temporary or emergency accounts to terminate them after a set period of time.

Control Enhancement 3 - Partially Meets Requirement - Development
Linux user management tools could be updated to monitor account inactivity (i.e., last login) and disable an account after the given period of inactivity.

Control Enhancement 4 - Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 5 - Partially Meets Requirement - Procedural
Standard Linux DAC with SELinux policy separates user roles for privileged and non-privileged accounts.
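The AC-2(2) and AC-2(3) analysis above points at account expiration and last-login monitoring; the following added example (not part of the CLIP toolkit or this report) turns both into POSIX shell checks. It assumes a lastlog-style input reduced to "user epoch-of-last-login" lines (a constructed sample is embedded) and emits the chage/usermod commands rather than running them, so the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not part of the CLIP toolkit: the AC-2(2) and AC-2(3) checks from the
# analysis above as POSIX shell functions. Input data is constructed inline so the
# script runs offline; on a real host the last-login table would come from lastlog(8).

MAX_TEMP_HOURS=72   # AC-2(2): temporary/emergency accounts expire within 72 hours
MAX_IDLE_DAYS=30    # AC-2(3): accounts idle longer than this are disabled

# temp_expiry_day NOW_EPOCH
# Prints the expiry day as days since 1970-01-01, the numeric form `chage -E` accepts.
# Rounding down keeps the real lifetime under 72 h (and never below 48 h) because the
# expiry takes effect at the start of that day, 00:00 UTC.
temp_expiry_day() {
    now=$1
    echo $(( (now + MAX_TEMP_HOURS * 3600) / 86400 ))
}

# temp_account_cmd USER NOW_EPOCH
# Prints the chage command that enforces AC-2(2) for an existing account.
temp_account_cmd() {
    printf 'chage -E %s %s\n' "$(temp_expiry_day "$2")" "$1"
}

# idle_accounts NOW_EPOCH
# Reads "user last_login_epoch" lines on stdin (0 = never logged in) and prints the
# users that AC-2(3) requires to be disabled, one per line. Never-used accounts are
# reported too: with no login on record they cannot be shown to be active.
idle_accounts() {
    now=$1
    limit=$(( MAX_IDLE_DAYS * 86400 ))
    while read -r user last; do
        [ -z "$user" ] && continue
        if [ "$last" -eq 0 ] || [ $(( now - last )) -gt "$limit" ]; then
            echo "$user"
        fi
    done
}

# disable_cmds NOW_EPOCH   (same stdin as idle_accounts)
# Prints, for each idle user, the commands that lock the password and expire the
# account (chage -E 0 sets the expiry to 1970-01-01, so the account is already expired).
disable_cmds() {
    idle_accounts "$1" | while read -r user; do
        printf 'usermod -L %s && chage -E 0 %s\n' "$user" "$user"
    done
}

# Constructed sample: user and epoch of last login, as lastlog would report it.
SAMPLE_LASTLOG='alice 1237000000
bob 1234000000
svc_backup 0
carol 1236900000'
NOW=1237300000   # 2009-03-17 (the date of this report) as an epoch value

# Run with the argument "demo" to print the commands for the sample data.
if [ "${1:-}" = "demo" ]; then
    temp_account_cmd emerg01 "$NOW"
    printf '%s\n' "$SAMPLE_LASTLOG" | disable_cmds "$NOW"
fi
```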

AC-3 Access Enforcement

LOW: AC-3 MODERATE: AC-3 (1)(2) HIGH: AC-3 (1)(2)

Control: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Supplemental Guidance: Access Control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is largely dependent upon the classification level of the information. Related security controls: AC-16, AC-21, SC-13.

Control Enhancements:
1) The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.
Enhancement Supplemental Guidance: Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users. Privileged users are individuals who have access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers).
2) The Discretionary Access Control (DAC) policies of the information system are implemented and configured to ensure only authorized users are able to perform security functions. The enforcement mechanism shall allow users to specify and control sharing by named individuals or groups of individuals, or by both, and shall provide controls to limit propagation of access rights. The DAC mechanism shall, either by explicit user action or by default, provide that information is protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user.
3) The information system implements [and configures] and enforces a Role Based Access Control (RBAC) policy over all users and resources that ensures that access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role.
4) The information system implements [and configures] and enforces a MAC policy over all subjects and objects under its control to ensure that each user receives only that information to which the user is authorized access based on classification of the information, user clearance, and need-to-know. The information system assigns labels/security domains/types to subjects and objects, and uses these labels as the basis for MAC decisions.
5) The security policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification and deletion.
6) The MAC policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification, and deletion.
7) The security policies of the information system are implemented and configured to ensure only authorized users are able to perform security functions.
The DAC mechanism shall, either by explicit user action or by default, provide that information is protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user. 3) The information system implements [and configures] and enforces a Role Based Access Control (RBAC) policy over all users and resources that ensures that access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role. 4) The information system implements [and configures] and enforces a MAC policy over all subjects and objects under its control to ensure that each user receives only that information to which the user is authorized access based on classification of the information, and user clearance; and need-to-know. The information system assigns labels/security domains/types to subjects and objects, and uses these labels as the basis for MAC decisions. 5) The security policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification and deletion. 6) The MAC policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification, and deletion. 7) The security policies of the information system are implemented and configured to ensure only authorized user are able to perform security functions.

Control – Partially Meets Requirement – Development
Traditional Linux DAC permissions control user, group, and world access. SELinux MAC allows system administrators to create defined access for users within the system. Although CLIP meets this requirement for the base platform, enforcement at the application level is outside scope.

Control Enhancement 1 – Meets Requirement
Traditional Linux DAC permissions combined with CLIP SELinux policy enforce a least privilege model that restricts users to only the information explicitly allowed.

Control Enhancement 2 – Meets Requirement
The default CLIP system is designed to meet the STIGs, which address this requirement.

Control Enhancement 3 – Meets Requirement
SELinux implements RBAC, thereby meeting this requirement.

Control Enhancement 4 – Meets Requirement
MAC enforcement is provided by the standard CLIP SELinux policy.

Control Enhancement 5 – Meets Requirement
Traditional Linux DAC permissions combined with SELinux policy restrict read and/or modification access to security related objects to authorized users.

Control Enhancement 6 – Meets Requirement
The SELinux labels on all objects are checked for any access to the object, and only the access explicitly granted in the policy is permitted.

Control Enhancement 7 – Meets Requirement
Traditional Linux DAC permissions combined with SELinux policy restrict the execution of applications or tools performing security functions to authorized users.

AC-4 Information Flow Enforcement

LOW: AC-4 MODERATE: AC-4 (2) HIGH: AC-4 (2)

Control: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent access to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control than access control are: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-7.

Control Enhancements:
1) The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions. Enhancement Supplemental Guidance: Information flow control enforcement using explicit labels is used, for example, to control the release of certain types of information. The controlled interface (CI) examines the label of all data (data content and data structure) traversing the CI and reacts appropriately (e.g., block, quarantine, send alert to the administrator, etc.) when it encounters data not explicitly allowed by the configured transfer policy. Examples of data content and/or data structure transfers that should not be allowed include, but are not limited to: sending a “high classification” object to a “low classification” domain, sending a “high classification” object to a user with a “low classification” clearance, attempting to cut and paste text from a “high classification” terminal window into a terminal window with a “low classification”, etc.
2) The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
3) The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions.
4) The information system implements information flow control enforcement using [Assignment: organization-defined security policy mechanisms] security policy mechanisms as a basis for flow control decisions. Enhancement Supplemental Guidance: Examples of “organization-defined security policy mechanisms” (i.e., filters) include dirty word filter, file type checking filter, structured data filter, unstructured data filter, metadata content filter, and hidden content filter. Structured data permits the interpretation of its content by virtue of atomic elements that are understandable by an application and indivisible. Unstructured data refers to masses of (usually) computerized information that either (1) do not have a data structure or (2) have a data structure that is not easily readable by a machine. Unstructured data consists of two basic categories: (1) bitmap objects: inherently non-language based, such as image, video, or audio files; (2) textual objects: based on a written or printed language, such as Microsoft Word documents, Microsoft Excel documents, or e-mails.
5) The information system enforces the use of human review for [Assignment: organization-defined security policy mechanisms] security policy mechanisms when it is not capable of making a policy flow control decision.
6) The information system provides the capability for an appropriately privileged administrator to enable/disable [Assignment: organization-defined security policy mechanisms] security policy mechanisms.
7) The information system provides the capability for an appropriately privileged administrator to configure the [Assignment: organization-defined security policy mechanisms] security policy mechanisms to support different security policies. Enhancement Supplemental Guidance: For example, to reflect changes in security policy, the administrator will have the capability to change the list of “dirty words” that the organization-defined dirty word policy mechanism checks against.

Control – Meets Requirement
SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions that enforce information flow. Labels are assigned to IP addresses to control information flow between interconnected systems.

Control Enhancement 1 – Meets Requirement
SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems. Additionally, SELinux supports labeled IPSEC, which controls communications between systems. Only systems that have equivalent security labels assigned to security associations can communicate with each other. Another benefit of labeled IPSEC is that all communications are encrypted; this ensures confidentiality and integrity during data transit.

Control Enhancement 2 – Meets Requirement
SELinux MAC assigns labels to all domains on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems.

Control Enhancement 3 – Meets Requirement
SELinux features Booleans used to dynamically enable or disable parts of the policy.

Control Enhancement 4 – Partially Meets Requirement – Procedural
SELinux assigns labels to all subjects and objects on a system and uses those labels to make access decisions, including flow control decisions. The SELinux policy may need to be configured to meet organizational policy decisions.

Control Enhancement 5 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base system.

Control Enhancement 6 – Partially Meets Requirement – Procedural
SELinux policy and user controls can limit the enabling/disabling of security mechanisms to sufficiently privileged users.

Control Enhancement 7 – Partially Meets Requirement – Procedural
SELinux policy and user controls can limit the ability to change security policies to sufficiently privileged users.

AC-5 Separation of Duties

LOW: AC-5 MODERATE: AC-5 HIGH: AC-5

Control: The information system enforces separation of duties through assigned access authorizations. The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Access control software resides on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion.

Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network

Control Enhancements: None

Control – Partially Meets Requirement – Configuration
SELinux policy can enforce divisions of responsibility based on roles and type enforcement. The organization can take the various divisions or roles within the organization and create an SELinux policy that grants each division the appropriate privileges.

AC-6 Least Privilege

LOW: AC-6 (1) MODERATE: AC-6 (1) HIGH: AC-6 (1)

Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Supplemental Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Control Enhancement:
1) The organization ensures that privileged accounts are created for users to perform privileged functions only; that is, privileged users use non-privileged accounts for all non-privileged functions.

Control – Meets Requirement
Security Enhanced Linux (SELinux) denies all interactions between subjects and objects except for those that are permitted by the security policy. The CLIP SELinux policy fulfills this requirement by only allowing the least amount of privileges needed for a user to perform their tasks. The users are also placed into roles such as system, staff and basic user roles. SELinux enforces accesses through these roles and the associated types. Because SELinux implements Mandatory Access Control (MAC), all access is denied unless explicitly allowed; in addition, these denials are logged to the audit subsystem.

Control Enhancement 1 – Partially Meets Requirement – Procedural
Administrators in SELinux can use the newrole command to switch into a more privileged role (sysadm_r or secadm_r) to perform privileged functions.

AC-7 Unsuccessful Logon Attempts

LOW: AC-7 MODERATE: AC-7 (2) HIGH: AC-7 (1)

Control: The information system enforces a limit of consecutive invalid access attempts [Assignment: organization-defined number, or a maximum of 3] by a user during a [Assignment: organization-defined time period, or at least 15 minutes]. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period, at least 10 minutes], delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. This control also applies to remote access logon attempts.

Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. The “delay algorithm” discussed in the control is dependent upon the operating system or remote access solution in place at that organization.

Control Enhancements:
1) The information system enforces a limit of 3 consecutive invalid access attempts by a user. The account remains locked until released by an authorized administrator.
2) The information system enforces a limit of 3 consecutive invalid access attempts by a user. The account remains locked for a period of 15 minutes or more.

Control – Partially Meets Requirement – Configuration
The PAM library and associated modules offer fine grained control over such parameters as timeout value, number of retries, and action to perform on unsuccessful login attempts. The /var/log/messages file contains information about logins to the system as well as information about users that have already logged in and changed to different users (e.g., using the su command to become root).

Control Enhancement 1 – Partially Meets Requirement – Configuration
The pam_tally module that is part of the PAM library included in CLIP allows a user to be denied access after three failed login attempts; the account then remains locked for 15 minutes. If 15 minutes have not elapsed, an administrator must reset the account. The configuration can be changed to remove the 15 minute lock so that only an administrator can unlock the account.

Control Enhancement 2 – Meets Requirement
The pam_tally module that is part of the PAM library included in CLIP allows a user to be denied access after three failed login attempts; the account then remains locked for 15 minutes. If 15 minutes have not elapsed, an administrator must reset the account. The PAM library and associated modules offer fine grained control over such parameters as timeout value, number of retries, and action to perform on unsuccessful login attempts.

AC-8 System Use Notification

LOW: AC-8 MODERATE: AC-8 HIGH: AC-8

Control: The information system displays an approved, system use notification message before granting system access informing potential users that:
a. The user is accessing a U.S. Government information system;
b. System usage may be monitored, recorded, and subject to audit;
c. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
d. Use of the system indicates consent to monitoring and recording.
The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.

Supplemental Guidance: Privacy and security policies are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For publicly accessible systems: (i) the system use information is available and when appropriate, is displayed before granting access; (ii) any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and (iii) the notice given to public users of the information system includes a description of the authorized uses of the system.

Control Enhancements: None.

Control – Meets Requirement
The /etc/issue file can be used to give an unauthenticated user a message before logging into the system. The Message of the Day (MOTD) can be used to give messages to authenticated users. The May 2008 DoD Consent to Monitor banner is provided by the CLIP KickStart file.

AC-9 Previous Logon Notification

LOW: AC-9 MODERATE: AC-9 HIGH: AC-9

Control: The information system notifies the user, upon successful logon, of the date and time of the last logon.

Supplemental Guidance: None.

Control Enhancements:
1) The information system notifies the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

Control – Meets Requirement
This requirement is met by a standard Linux system. The information system notifies the user, upon successful logon, of the date and time of the last logon.

Control Enhancement 1 – Partially Meets Requirement – Development
Adding a call to faillog in /etc/profile provides each user a display of the failed login attempts. In addition, pam_tally can be used to display user login counts.

AC-10 Concurrent Session Control

LOW: Tailoring MODERATE: AC-10 HIGH: AC-10

Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number, or a maximum of three (3), sessions].

Supplemental Guidance: For purposes of this control, concurrent sessions are defined as when a user is logged onto an information system more than once.

Control Enhancements: None.

Control – Partially Meets Requirement – Configuration
The PAM library and associated modules offer fine grained control over such parameters as the maximum number of logins, specifically through the pam_limits.so module.

AC-11 Session Lock

LOW: AC-11 (1) MODERATE: AC-11 (1) HIGH: AC-11 (1)

Control: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period, not to exceed 30 minutes] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

Supplemental Guidance: Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity shall comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than 30 minutes for remote access and portable devices.

Control Enhancements:
1) The information system associates a workstation screen-lock functionality with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out unless a mechanism actually logs out the user when the user idle time is exceeded.

Control – Partially Meets Requirement – Development
The vlock package can be installed to meet this requirement. vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock will blank and lock the console; the console can be unlocked by entering the appropriate password.

Control Enhancement 1 – Partially Meets Requirement – Development
The vlock package can be installed to meet this requirement. vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock will blank and lock the console; the console can be unlocked by entering the appropriate password.

AC-12 Session Termination

LOW: AC-12 (1) MODERATE: AC-12 (1) HIGH: AC-12 (1) (2)

Control: The information system automatically terminates a remote session after [Assignment: organization-defined time period, not to exceed 60 minutes] of inactivity.

Supplemental Guidance: A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet or some other network that is outside the control of the organization that owns/controls the information system). An organization’s on-campus inter-building sessions are not considered remote sessions unless part of the session traverses networks that are not under the control of (i.e., authorized by) the organization.

Control Enhancements:
1) Automatic session termination applies to local and remote sessions.
2) Time period will not exceed 30 minutes.

Control – Partially Meets Requirement – Configuration
The Linux subsystem, specifically /etc/profile, sets a default timeout value of 15 minutes for a session.

Control Enhancement 1 – Meets Requirement
The Linux subsystem, specifically /etc/profile, sets a default timeout value for all sessions, local and remote.

Control Enhancement 2 – Meets Requirement
The CLIP KickStart file contains operating system configuration settings that enforce idle session termination after 15 minutes.
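The settings that the AC-7, AC-10 and AC-12 analyses above rely on, as an added configuration audit that is not part of the Tresys analysis: a POSIX shell script that reads system-auth, limits.conf and profile excerpts and reports whether pam_tally, maxlogins and TMOUT match the controls' figures (3 attempts, a 15-minute lock, 3 sessions, a 15-minute idle timeout). The sample file contents and the function names are constructed for this example; deny and unlock_time are pam_tally's own options.

```shell
#!/bin/sh
# Added example (not from the CLIP document): check the settings that the
# AC-7, AC-10 and AC-12 analyses rely on. Every file below is a constructed
# sample; on a RHEL 5 host the same functions would read
# /etc/pam.d/system-auth, /etc/security/limits.conf and /etc/profile.

sample_system_auth() {    # constructed: 3 failures, 15-minute release, counter reset on success
cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally.so
account     required      pam_unix.so
EOF
}
weak_system_auth() {      # constructed: too many attempts, lock released after one minute
cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=10 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
EOF
}
sample_limits_conf() {    # constructed excerpt of /etc/security/limits.conf
cat <<'EOF'
# limit every user to three concurrent logins
*               hard    core            0
*               hard    maxlogins       3
EOF
}
sample_profile() {        # constructed excerpt of /etc/profile
cat <<'EOF'
# idle shells exit after 15 minutes; users cannot unset the timer
export TMOUT=900
readonly TMOUT
EOF
}

# --- extractors: print the configured value, nothing when it is absent ---
# Value of option $1 (e.g. deny) on the first "auth ... pam_tally.so" line of stdin.
pam_tally_auth_option() {
    awk -v opt="$1" '$1 == "auth" && $3 ~ /pam_tally\.so$/ {
        for (i = 4; i <= NF; i++)
            if (index($i, opt "=") == 1) print substr($i, length(opt) + 2)
        exit }'
}
# 1 when pam_tally also runs in the account stack (resets the counter on success), else 0.
pam_tally_in_account_stack() {
    awk 'BEGIN { f = 0 } $1 == "account" && $3 ~ /pam_tally\.so$/ { f = 1 } END { print f }'
}
# maxlogins applied to all users ("*" domain) from limits.conf on stdin.
limits_maxlogins() {
    awk '$1 == "*" && $3 == "maxlogins" { print $4 }'
}
# TMOUT in seconds from a profile script on stdin ("export TMOUT=900" or "TMOUT=900").
profile_tmout() {
    awk -F= '/^[ \t]*(export[ \t]+)?TMOUT=/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# --- checks: return 0 when the setting satisfies the control ---
# AC-7: at most 3 consecutive failures; the lock is held for at least 900 s
# (enhancement 2) or, when unlock_time is absent, until an administrator resets
# it (enhancement 1). pam_tally must also run in the account stack, or the
# counter is never cleared by a successful login.
lockout_policy_ok() {
    conf=$(cat)
    deny=$(printf '%s\n' "$conf" | pam_tally_auth_option deny)
    unlock=$(printf '%s\n' "$conf" | pam_tally_auth_option unlock_time)
    reset=$(printf '%s\n' "$conf" | pam_tally_in_account_stack)
    [ -n "$deny" ] && [ "$deny" -le 3 ] || return 1
    [ -z "$unlock" ] || [ "$unlock" -ge 900 ] || return 1
    [ "$reset" -eq 1 ]
}
# AC-10: no more than $1 concurrent logins per user (the control's maximum is three).
concurrent_sessions_ok() {
    max=$(limits_maxlogins)
    [ -n "$max" ] && [ "$max" -le "$1" ]
}
# AC-12: idle timeout set, non-zero and no longer than $1 seconds (CLIP default: 900).
session_timeout_ok() {
    tmout=$(profile_tmout)
    [ -n "$tmout" ] && [ "$tmout" -gt 0 ] && [ "$tmout" -le "$1" ]
}

# Demonstration against the constructed samples.
sample_system_auth | lockout_policy_ok        && echo "AC-7  lockout policy (system-auth): ok"
weak_system_auth   | lockout_policy_ok        || echo "AC-7  lockout policy (weak sample):  FAIL"
sample_limits_conf | concurrent_sessions_ok 3 && echo "AC-10 maxlogins <= 3:               ok"
sample_profile     | session_timeout_ok 900   && echo "AC-12 TMOUT <= 900 s:               ok"
```

The extractors read only the simple "module-type control module options" form of a PAM line; a control field written as `[default=die ...]` contains spaces and would need a fuller parser.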

AC-13 Supervision and Review – Access Control

LOW: AC-13 MODERATE: AC-13(1) HIGH: AC-13(1)

Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. The organization reviews audit records (e.g., user activity) for inappropriate activities in accordance with organizational policies. The organization investigates any unusual information system-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of users with significant information system roles and responsibilities. The extent of the audit record reviews is based on the Impact Levels of the information system.

Supplemental Guidance: For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or email servers and when specific circumstances warrant review of other audit records. Related security control: AU-6.

Control Enhancements:
1) The organization employs automated mechanisms to facilitate the review of user activities.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Partially Meets – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-14 Permitted Actions Without Identification or Authentication

LOW: AC-14 MODERATE: AC-14(1) HIGH: AC-14(1)

Control: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.

Supplemental Guidance: The organization allows limited user activity without identification and authentication for public websites or other publicly available information systems (e.g., individuals accessing a federal information system at http://www.firstgov.gov). Another instance where identification and authentication is not required would be individuals already authenticated to the LAN who can then do a search on the Web site without additional identification and authentication. Related security control: IA-2.

Control Enhancement:
1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives (e.g., weapons system).

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-15 Automated Marking

LOW: Tailoring MODERATE: AC-15 HIGH: AC-15(1)

Control: The information system marks output to identify any special dissemination, handling, or distribution instructions.

Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the information system). The markings used in external marking are distinguished from the labels used on internal data structures described in AC-16.

Control Enhancements:
1) The information system will invoke marking procedures and mechanisms to ensure that either the user or the system marks all data transmitted or stored by the system to reflect the classification and sensitivity of the data (e.g., classification level, classification category, and handling caveats). Markings shall be retained with the data.

Control – Partially Meets Requirement – Configuration
The Linux printing system CUPS can be configured to label output, which can accomplish this requirement.

Control Enhancement 1 – Partially Meets Requirement – Configuration
The Linux printing system CUPS can be configured to label output, which can accomplish this requirement.

AC-16 Automated Labeling

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The information system appropriately labels information in storage, in process, and in transmission. Information labeling is accomplished in accordance with:
a. Access control requirements;
b. Special dissemination, handling, or distribution instructions; or
c. As otherwise required to enforce information system security policy.
d. The system shall ensure that all labels are appropriately bound to the information.

Supplemental Guidance: Automated labeling refers to labels employed on internal data structures (e.g., records, files) within the information system. Such labels are often used in support of MAC policies and some forms of flow controls. Related security controls: AC-3 and AC-4.

Control Enhancements: None.

Control – Partially Meets Requirement – Configuration
SELinux type enforcement assigns labels to all objects and subjects on the system and ensures the labels are appropriately bound to the objects. It also implicitly labels objects it receives on network interfaces. SELinux supports labeled IPSEC security associations; this provides the system with the ability to encrypt and label communications between systems. The SELinux policy must be configured according to the specific system’s access control requirements and special needs for the information.

AC-17 Remote Access

LOW: AC-17 (2) (3) (4) (5) (6) MODERATE: AC-17 (1) (2) (3) (4) (5) (6) HIGH: AC-17 (1) (2) (3) (4) (5) (6) (7)

Control: The organization authorizes, monitors, and controls all methods of remote access to the information system.

Supplemental Guidance: Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. The organization restricts access achieved through dial-up connections (e.g., limiting dial-up access based upon source of request) or protects against unauthorized connections or subversion of authorized connections (e.g., using virtual private network technology).

Control Enhancements:
1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
3) The organization controls all remote accesses through a limited number of managed access control points.
4) The organization permits remote access for privileged functions only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
5) The information system restricts all remote access sessions by privileged users to those with strong authentication. Related to IA-2. Enhancement Supplemental Guidance: Strong authentication is defined as the information system employing a multifactor authentication process and/or device to generate a one-time password that is highly resistant to replay attacks. Related security control: IA-2.
6) The organization ensures that users protect information about the remote access mechanisms from unauthorized use and disclosure.
7) The organization ensures that remote sessions for privileged user functions employ additional security measures and that each remote session is comprehensively audited. Enhancement Supplemental Guidance: Additional security measures are typically above and beyond standard bulk or session layer encryption (e.g., Secure Shell (SSH), or Virtual Private Networking with blocking mode enabled). See also SC-8 and SC-9.
Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 –Meets Requirement CLIP by default only provides remote access via ssh. Ssh uses PAM, which meets this requirement. Control Enhancement 2 – Partially Meets Requirement – Development CLIP permits only the ssh version 2 protocol for remote connections; any additional methods of remote access added to the system (such as a web server) would need to implement similar mechanisms. Control Enhancement 3 and 4 – Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform. Control Enhancement 5 – Partially Meets Requirement – Configuration

Tresys Technology

42

Certifiable Linux Integration Platform (CLIP) CLIP can be configured to require strong authentication when using SSH for remote administration. Control Enhancement 6– Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 7 – Partially Meets Requirement – Configuration CLIP can be configured to require strong authentication when using SSH for remote administration.
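The AC-17 findings above rest on a handful of sshd_config settings: only the SSH-2 protocol is permitted (enhancement 2), SSH authenticates through PAM (enhancement 1), and privileged remote sessions require strong, non-password authentication (enhancements 5 and 7). The shell script below is an added example and is not part of the Tresys analysis or the CLIP toolkit: it reads an sshd_config file and reports whether each of those settings is in the expected state. The keyword names are OpenSSH's; the specific values treated as "expected", the built-in defaults assumed when a keyword is absent (Protocol 2,1; UsePAM no; PasswordAuthentication yes; PubkeyAuthentication yes; PermitRootLogin yes, as in OpenSSH releases of that era), and the two sample configurations are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the CLIP analysis or toolkit): check an sshd_config
# for the AC-17 settings discussed above. Keyword names are OpenSSH's; the
# expected values and the fallback defaults below are assumptions.

# sshd_get KEYWORD FILE
# Print the first uncommented value for KEYWORD (sshd honours the first match).
sshd_get() {
    sed 's/#.*//' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# expect_kw KEYWORD WANT DEFAULT FILE
# Compare the effective value (DEFAULT when the keyword is absent) with WANT.
expect_kw() {
    v=$(sshd_get "$1" "$4")
    [ -n "$v" ] || v=$3
    if [ "$v" = "$2" ]; then
        echo "ok   $1=$v"
    else
        echo "FAIL $1=$v (want $2)"
        return 1
    fi
}

# check_sshd_config FILE
# Return 0 only when every AC-17 setting is in the expected state.
check_sshd_config() {
    f=$1
    rc=0
    expect_kw Protocol               2   2,1 "$f" || rc=1   # AC-17(2): SSH-2 only
    expect_kw UsePAM                 yes no  "$f" || rc=1   # AC-17(1): PAM monitoring and control
    expect_kw PasswordAuthentication no  yes "$f" || rc=1   # AC-17(5): no reusable passwords
    expect_kw PubkeyAuthentication   yes yes "$f" || rc=1   # AC-17(5): key-based authentication
    expect_kw PermitRootLogin        no  yes "$f" || rc=1   # AC-17(4),(7): no direct privileged login
    return $rc
}

# Constructed sample configurations (illustration only, not real host files).
HARDENED='Protocol 2
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

WEAK='# Protocol 2
PasswordAuthentication yes
PermitRootLogin yes'

# run_sample NAME CONTENT: write CONTENT to a temporary file and run the check.
run_sample() {
    t=$(mktemp) || return 2
    printf '%s\n' "$2" > "$t"
    echo "== $1 =="
    if check_sshd_config "$t"; then echo "result: compliant"; else echo "result: non-compliant"; fi
    rm -f "$t"
}

run_sample hardened "$HARDENED"
run_sample weak "$WEAK"
```

The check treats an absent keyword as the daemon's default rather than as "not configured", which is what matters on a real host: a commented-out Protocol line leaves SSH-1 negotiable on older releases, and a missing PasswordAuthentication line leaves password logins enabled.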

AC-18 Wireless Access Restrictions

LOW: AC-18 (1)(2)(3) MODERATE: AC-18 (1)(2)(3)(4)(5) HIGH: AC-18 (1)(2)(3)(4)(5)

Control: The organization:
a. Establishes usage restrictions and implementation guidance for wireless technologies; and
b. Authorizes, monitors, and controls wireless access to the information system.

Supplemental Guidance: None.

Control Enhancements:
1) The organization uses authentication and encryption to protect wireless access to the information system. Enhancement Supplemental Guidance: The appropriate level of encryption strength will be selected based on the classification and/or sensitivity of the data. Related controls: SC-8, SC-9.
2) The organization scans for unauthorized wireless access points [Assignment: organization-defined frequency, or at least every 30 days] and takes appropriate action if such access points are discovered. Enhancement Supplemental Guidance: Organizations conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact information systems. The scan is not limited to only those areas within the facility containing the high-impact information systems.
3) The organization ensures that wireless computing and networking capabilities within all IT resources are implemented in accordance with organizational wireless policies and technical guidelines.
4) Unused wireless computing and networking capabilities internally embedded in interconnected IT assets are normally disabled by changing factory defaults, settings, or configurations prior to issue to end users.
5) Wireless computing and networking capabilities are not independently configured by end users.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 through 4 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the operating system.

Control Enhancement 5 – Partially Meets Requirement – Configuration
The SELinux policy can be configured to prevent users from configuring wireless capabilities.

AC-19 Access Control For Portable and Mobile Devices

LOW: AC-19 (1) MODERATE: AC-19 (1) HIGH: AC-19 (1)

Control: The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and
b. Authorizes, monitors, and controls device access to organizational information systems.

Supplemental Guidance: Portable and mobile devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations) are only allowed access to organizational information systems in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Protecting information residing on portable and mobile devices (e.g., employing cryptographic mechanisms to provide confidentiality and integrity protections during storage and while in transit when outside of controlled areas) is covered in the media protection family. Related security controls: MP-4 and MP-5.

Control Enhancements:
1) An unclassified portable IS (including personally owned ISs) is prohibited in a SCIF unless the DAA specifically permits its use. If permitted, all personnel shall adhere to the following procedures:
(a) Connection of an unclassified portable IS to a classified IS is prohibited.
(b) Connection of an unclassified IS to another unclassified IS requires written approval from the DAA.
(c) Use of an internal or external modem with the IS device is prohibited within the SCIF without the DAA's written approval.
(d) The portable ISs and the contained data are subject to random reviews and inspections by the Information System Security Manager (ISSM), Information Assurance Manager (IAM) or Information System Security Officer (ISSO). If classified information is found on the portable IS it shall be handled in accordance with the incident handling policy.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-20 Use of External Information Systems

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The organization establishes terms and conditions for authorized individuals to:
a. Access the information system from an external information system; and
b. Process, store, and/or transmit organization-controlled information using an external information system.

Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports); information systems owned or controlled by nonfederal governmental organizations; and federal information systems that are not owned by, operated by, or under the direct control of the organization. Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system. This control does not apply to the use of external information systems to access organizational information systems and information that are intended for public access (e.g., individuals accessing federal information through public interfaces to organizational information systems). The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, as a minimum: (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum Impact Level and security impact category of information that can be processed, stored, and transmitted on the external information system.

Control Enhancements:
1) The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
(a) Can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-21 Confidentiality of Data at Rest

LOW: Tailoring MODERATE: AC-21 HIGH: AC-21

Control: The information system encrypts data at rest if required by the information owner.
a. The information system employs FIPS-validated cryptography to protect controlled unclassified data at rest.
b. The information system employs FIPS-validated cryptography to protect collateral classified data at rest within classified information systems or networks.
c. The information system employs NSA-approved cryptography to protect sensitive compartmented information (SCI) at rest within classified information systems or networks.

Supplemental Guidance: The correct level of encryption would be chosen based on the level of classification and/or sensitivity of the data requiring encryption at rest.

Control Enhancements: None.

Control – Does Not Meet Requirement
The Linux 2.6 kernel, included in RHEL 5.3, provides support for encrypting block devices using the dm-crypt library. This is not a FIPS-validated or NSA-approved encryption method but is currently under review at the time of this writing.

AC-22 Distinct Levels of Access

LOW: AC-22 MODERATE: AC-22 HIGH: AC-22

Control: The organization organizes all internal classified, sensitive, and unclassified information to provide at least three distinct levels of access, regardless of user interface.
a. Open access to general information that is accessible to all authorized users with network access. Access does not require an audit transaction.
b. Controlled access to information that is accessible to all authorized users upon the presentation of an individual authenticator. Access is recorded in an audit transaction.
c. Restricted access to need-to-know information that is accessible only to an authorized community. Authorized users must present an individual authenticator and have either a demonstrated or validated need to know. All access to need-to-know information and all failed access attempts are recorded in audit transactions.

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AC-23 User Based Collaboration and Information Sharing Control

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The organization ensures some manual process or automated mechanism(s) is in place that allows users to determine:
a. The information access authorizations or formal access approvals granted to another user for the purposes of information sharing; and
b. The classification/sensitivity level, information category, handling caveats or other formal markings, labels or restrictions associated with the information.

Supplemental Guidance: The purpose of this control is to ensure organizations have some process or mechanism (manual or automated) in place that enables a user to make the appropriate decisions (e.g., based on sharing partner clearance level and formal SCI indoctrination to compartmented information, if required) for the sharing of information among National Security Community partners, which could include representatives from industry, academia, Non-Governmental Organizations (NGO), allies, etc. The control and control enhancements apply to information that may be restricted in some manner (e.g., classification/compartmentalization, privileged medical or personally identifiable information).

Control Enhancements:
1) The organization specifies circumstances where the process or mechanism shall be employed and mandates its use.
2) The system employs an automated mechanism that allows users to determine the access authorizations (e.g., compartments into which they are briefed, communities of which they are members) granted to another user.
3) The system employs an automated mechanism that allows users to determine the classification level, classification category, handling caveats or other formal markings, labels or restrictions associated with the information.
4) The system employs an automated mechanism that ensures that only users with the appropriate authorization are granted access to information consistent with the classification level, information category, handling caveats or other formal markings, labels or restrictions associated with the information.

Control – Partially Meets Requirement – Procedural
The SELinux labeling mechanism provides sufficient information to allow a user to determine what data sharing actions are appropriate.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base system.

Control Enhancement 2 – Does Not Meet Requirement
The SELinux labeling mechanism does not permit a user to determine what authorizations are granted to another user.

Control Enhancement 3 – Meets Requirement
The SELinux labeling mechanism provides sufficient information to allow a user to determine what data sharing actions are appropriate.

Control Enhancement 4 – Meets Requirement
SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions for the defined users.

2.1.2.2. Awareness and Training

AT-1 Security Awareness and Training Policy and Procedures

LOW: AT-1 MODERATE: AT-1 HIGH: AT-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Supplemental Guidance: The security awareness and training policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security awareness and training policy can be included as part of the general information security policy for the organization. Security awareness and training procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AT-2 Security Awareness

LOW: AT-2 MODERATE: AT-2 HIGH: AT-2

Control: The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security awareness training based on the specific requirements of the organization and the information systems to which personnel have authorized access. The organization's security awareness program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R. 930.301).

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AT-3 Security Training

LOW: AT-3 MODERATE: AT-3 HIGH: AT-3

Control: The organization identifies personnel that have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training:
a. before authorizing access to the system or performing assigned duties;
b. when required by system changes; and
c. [Assignment: organization-defined frequency, or at least annually] thereafter.

Supplemental Guidance: The organization determines the appropriate content of security training based on the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides system managers, system and network administrators, and other personnel having access to system-level software, adequate technical training to perform their assigned duties. The organization's security training program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R. 930.301).

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AT-4 Security Training Records

LOW: AT-4 MODERATE: AT-4 HIGH: AT-4

Control: The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AT-5 Contacts with Security Groups and Associations

LOW: Tailoring MODERATE: AT-5 HIGH: AT-5

Control: The organization establishes and maintains contacts with special interest groups, specialized forums, professional associations, news groups, and/or peer groups of security professionals in similar organizations to stay up to date with the latest recommended security practices, techniques, and technologies and to share the latest security-related information including threats, vulnerabilities, and incidents.

Supplemental Guidance: To facilitate ongoing security education and training for organizational personnel in an environment of rapid technology changes and dynamic threats, the organization establishes and institutionalizes contacts with selected groups and associations within the security community. The groups and associations selected are in accordance with the organization's mission requirements. Information sharing activities regarding threats, vulnerabilities, and incidents related to information systems are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AT-6 Certifier Training by Developers

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The organization requires information system developers to develop and present security-related training that provides sufficient understanding of the security controls implemented within a system to permit independent analysis and testing of the controls.

Supplemental Guidance: Developer security-related training is intended for independent testers (e.g., certification team, IV&V team). Depth and breadth of training is commensurate with the complexity of the information system and the testing rigor. Related security control: SA-5.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.3. Audit and Accountability

AU-1 Audit and Accountability Policy and Procedures

LOW: AU-1 MODERATE: AU-1 (1) HIGH: AU-1 (1)

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

Supplemental Guidance: The audit and accountability policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The audit and accountability policy can be included as part of the general information security policy for the organization. Audit and accountability procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements:
1) The organization specifies the permitted actions (e.g., read, write, append, delete, etc.) for each authorized process and/or role and/or user in the audit and accountability policy.

Control – Partially Meets Requirement – Procedural
While this requirement is largely procedural, the SELinux policy provides details of the auditing policy for the system and can be used in conjunction with additional documentation to fully describe a system's auditing policy.

Control Enhancement 1 – Outside Scope – Procedural
The SELinux MAC enforcement system automatically logs all denied access attempts and can be configured to audit successful access as well; the system will deny all access not directly permitted by the policy.

AU-2 Auditable Events

LOW: AU-2 (2)(3)(4) MODERATE: AU-2 (1)(2)(3)(4) HIGH: AU-2(1)(2)(3)(4)

Control: The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
a. The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
b. The organization specifies which information system components carry out auditing activities.

Supplemental Guidance: The purpose of this control is to identify important events which need to be audited as significant and relevant to the security of the information system. Therefore, the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations. Auditing activity can affect information system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction for audit record generation is a critical aspect of an audit capability and can facilitate the identification of root causes of problems. Additionally, the security audit function is coordinated with the network health and status monitoring function to enhance the mutual support between the two functions.

Control Enhancements:
1) The information system provides the capability to compile audit records from multiple components throughout the system into a system-wide (logical or physical), time-correlated audit trail.
2) The information system provides the capability to manage the selection of events to be audited by individual components of the system.
3) The organization periodically reviews and updates the list of organization-defined auditable events.
4) The information system audits the following user/process events at a minimum:
a) Successful and unsuccessful attempts to access, modify, or delete security objects. Enhancement Supplemental Guidance: Security objects include security labels, the linkage of security labels to information or data, audit data, system configuration files and file or users' formal access permissions.
b) Successful and unsuccessful logon attempts,
c) Privileged activities or other system level access,
d) Starting and ending time for user access to the system,
e) Concurrent logons from different workstations,
f) Successful and unsuccessful accesses to objects,
g) All program initiations,
h) All direct access to the information system.
5) The information system audits user keystrokes (associated with a particular user(s)) where appropriate (i.e., "keystroke capture").
6) The information system audits information downgrades and overrides.
7) The information system audits data transfer failures.
8) The information system audits the identity of the user who reviewed and authorized transfer of data and what was reviewed and transferred.
9) The information system audits information flows from one security domain to another security domain.
10) The information system audits any changes to the list of user formal access authorizations.

Control – Partially Meets Requirement – Configuration
This requirement can be satisfied by the Linux audit subsystem. The audit subsystem provides a configurable interface for monitoring kernel and user space events. Processes attached to the audit subsystem can be audited at the system call level, which provides sufficient granularity for satisfying this requirement.

Control Enhancement 1 – Partially Meets Requirement – Configuration
The audit subsystem provides a configurable interface for monitoring kernel and user space events. Processes attached to the audit subsystem can be audited at the system call level, which provides sufficient granularity for satisfying this requirement. The audit entries also provide a timestamp for each event audited.

Control Enhancement 2 – Meets Requirement
The audit subsystem can be configured to audit specific events by modifying the /etc/audit.rules file. In this file, the system administrator adds a list of rules that determine which events are to be audited. The CLIP toolkit is pre-configured to audit security-relevant events.

Control Enhancement 3 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 4 – Partially Meets Requirement – Configuration
The CLIP toolkit is configured to audit login attempts, failures of attempts to perform privileged activities, and failed access to objects. The PAM (Pluggable Authentication Modules) library and related modules provide the audit subsystem with the necessary mechanism for recording login/logout events. Iptables supports logging of all packets sent and received by the system. The format of audit event records includes a standard message header, containing a UNIX timestamp, login ID, hostname, service name and system call name and arguments. The SELinux policy must be configured to audit successful access to desired objects based on their security labels.

Control Enhancement 5 – Does Not Meet Requirement
CLIP does not audit keystrokes as part of the audit process. A third-party application or development of a new tool could be installed to meet this requirement.

Control Enhancement 6 – Partially Meets Requirement – Configuration
SELinux policy can be configured to audit label changes to the objects of interest.

Control Enhancement 7 – Partially Meets Requirement – Development
SELinux audits attempts to access or transfer data that fail because the SELinux policy has denied access. Failed data transfers because of discretionary access control (DAC) failures or application-level failures are not logged and need to be addressed during system development.

Control Enhancement 8 – Partially Meets Requirement – Development
The RHEL 5.3 audit subsystem provides the ability for a program to send audit information when a user makes a decision about transferring data. This ability would need to be leveraged during the development of the application used for review and transfer.

Control Enhancement 9 – Partially Meets Requirement – Development
CLIP for RHEL 5.3 can be configured to audit successful access between selected security domains by adding auditallow rules to the policy. As policy changes require installing a new policy, this is considered development.

Control Enhancement 10 – Meets Requirement
CLIP for RHEL 5.3 is configured to audit changes to user access.

AU-3 Content of Audit Records

LOW: AU-3 (3) MODERATE: AU-3(1)(3) HIGH: AU-3(1)(2)(3)(4)

Control: The information system produces audit records that contain sufficient information to establish:
(a) What event(s) occurred,
(b) The source(s) of the event(s), and
(c) The outcome of the event(s).

Supplemental Guidance: Examples of audit record content include: (i) date and time of the event; (ii) the component of the information system (e.g., software component, hardware component) where the event occurred; (iii) type of event; (iv) user/subject identity; and (v) the outcome (success or failure) of the event. Auditable events are defined under AU-2.

Control Enhancements:
1) The information system provides the capability to include additional, more detailed information in the audit records for audit events identified by type, location, or subject.
2) The information system provides the capability to centrally manage the content of audit records generated by individual components throughout the system.
3) The information system audit record will contain at a minimum:
a. Date and time;
b. Source of event;
c. Type of event;
d. User/subject identity; and
e. Outcome (e.g., success or failure).
4) Audit records include data of starting and ending time for user access to the system.
5) Audit records include data required to audit the possible use of covert channel mechanisms.

Control – Meets Requirement
The format of audit event records includes a standard message header, containing a UNIX timestamp, login ID, hostname, service name, and system call name and arguments.

Control Enhancement 1 – Meets Requirement
RHEL configures the auditd daemon to include a standard message header, containing a UNIX timestamp, login ID, hostname, service name and system call name and arguments for audit records.

Control Enhancement 2 – Meets Requirement
The auditd daemon can be used to centrally control auditing on the system.

Control Enhancement 3 – Meets Requirement
The format of audit event records includes a standard message header, containing a UNIX timestamp, login ID, hostname, service name and system call name and arguments.

Control Enhancement 4 – Meets Requirement
The standard login framework using PAM audits the starting and ending time for user access.

Control Enhancement 5 – Does Not Meet Requirement
Although the audit subsystem provides a wealth of data that is collected from throughout the system, it does not address covert channels. Direct audit log analysis by a system administrator is needed to meet this requirement.
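AU-2(4) lists the event categories that must be audited, and AU-3(3) the fields each record must carry (date and time, source, type, user identity, outcome). The shell script below is an added example, not part of the Tresys analysis or the CLIP toolkit: it parses records in the layout the RHEL audit daemon writes to its log (type=..., msg=audit(EPOCH:SERIAL):, then key=value fields), reduces each record to the AU-3(3) fields, and counts records by category so that failed logons, denied object accesses and changes to security objects (identified by the rule key) can be checked against the AU-2(4) list. The five log lines are constructed samples in that format; the host address, uids, SELinux contexts and rule keys in them are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the CLIP analysis): extract the AU-3(3) fields
# (time, type, user identity, source, outcome) from RHEL-style audit records
# and count AU-2(4) event categories. The log lines below are constructed
# samples in the audit daemon's record format; hosts, uids and keys are invented.

# write_sample_log FILE: write the constructed sample records to FILE.
write_sample_log() {
    cat > "$1" <<'EOF'
type=USER_LOGIN msg=audit(1237305600.101:201): user pid=2310 uid=0 auid=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" (hostname=198.51.100.7, addr=198.51.100.7, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1237305605.220:202): user pid=2315 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" (hostname=198.51.100.7, addr=198.51.100.7, terminal=/dev/pts/0 res=success)'
type=SYSCALL msg=audit(1237305650.333:203): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2315 pid=2390 auid=500 uid=500 euid=500 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key="shadow"
type=AVC msg=audit(1237305650.333:203): avc: denied { read } for pid=2390 comm="cat" name="shadow" dev=dm-0 ino=98765 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1237305660.444:204): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2315 pid=2401 auid=500 uid=0 euid=0 comm="vi" exe="/bin/vi" subj=root:sysadm_r:sysadm_t:s0 key="selinux-policy"
EOF
}

# audit_summarize FILE
# Print one line per record: serial epoch type identity source outcome key
audit_summarize() {
    awk '
    BEGIN { q = "\047" }
    function clean(v) {        # strip quotes and the closing ) of nested msg=... fields
        gsub("^[\"" q "]|[\"" q "]$", "", v); sub(/\)$/, "", v); return v
    }
    {
        type = ts = serial = id = src = outcome = key = "-"
        if ($3 == "avc:") outcome = $4              # AVC records carry denied/granted
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = clean(substr($i, n + 1))
            if (k == "type") type = v
            else if (k == "msg" && v ~ /^audit\(/) {   # msg=audit(EPOCH:SERIAL):
                sub(/^audit\(/, "", v); sub(/\):?$/, "", v)
                split(v, p, ":"); ts = p[1]; serial = p[2]
            }
            else if (k == "auid" && v != "4294967295") id = "auid=" v   # 4294967295 = auid unset
            else if (k == "acct") id = "acct=" v         # logon attempts before a session exists
            else if (k == "scontext" && id == "-") id = v
            else if (k == "exe") src = v
            else if (k == "key") key = v
            else if (k == "success") outcome = (v == "yes") ? "success" : "failure"
            else if (k == "res") outcome = (v == "success") ? "success" : "failure"
        }
        print serial, ts, type, id, src, outcome, key
    }' "$1"
}

# audit_count FILE TYPE OUTCOME -> number of records of TYPE with OUTCOME
audit_count() {
    audit_summarize "$1" | awk -v t="$2" -v o="$3" '$3 == t && $6 == o { n++ } END { print n + 0 }'
}

# audit_count_key FILE KEY -> number of records tagged with rule key KEY
audit_count_key() {
    audit_summarize "$1" | awk -v k="$2" '$7 == k { n++ } END { print n + 0 }'
}

demo() {
    f=$(mktemp) || return 2
    write_sample_log "$f"
    echo "serial epoch type identity source outcome key"
    audit_summarize "$f"
    echo "AU-2(4)(b) failed logons:            $(audit_count "$f" USER_LOGIN failure)"
    echo "AU-2(4)(f) denied object accesses:   $(audit_count "$f" AVC denied)"
    echo "AU-2(4)(a) security-object changes:  $(audit_count_key "$f" selinux-policy)"
    rm -f "$f"
}

demo
```

The identity column prefers auid, the login uid that survives su and sudo, over the process uid; it falls back to the acct field for logon attempts that have no session yet, and to the SELinux source context for AVC records. An unset auid (4294967295, the value the kernel uses for -1) is treated as absent rather than reported as a user.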

AU-4 Audit Storage Capacity

LOW: AU-4 MODERATE: AU-4 HIGH: AU-4

Control: The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Supplemental Guidance: The organization provides sufficient audit storage capacity, taking into account the auditing to be performed and the online audit processing requirements. Related security controls: AU-2, AU-5, AU-6, AU-7, and SI-4.

Control Enhancements: None.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

AU-5 Response to Audit Processing Failures

LOW: AU-5 MODERATE: AU-5 (1)(2) HIGH: AU-5(1)(2)(3)

Control: The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Related security control: AU-4.

Control Enhancements:
1) The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage of maximum audit record storage capacity, or at 75 percent].
2) The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
3) The information system will invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.

Control – Partially Meets Requirement - Configuration
The Linux audit subsystem queues audit messages in a kernel backlog (sized with auditctl -b) for delivery to the userspace audit daemon. When the backlog is full, processes producing audit data are put to sleep until space frees, so execution is suspended rather than events being lost; if a record still cannot be delivered, the kernel failure flag (auditctl -f: 0 silent, 1 printk, 2 panic) decides whether the failure is ignored, logged or turned into a kernel panic. Once records reach auditd, the actions in /etc/audit/auditd.conf (space_left_action, admin_space_left_action, disk_full_action and disk_error_action) can send an email notice to the proper authority, suspend logging, drop to single-user mode or halt the system. SELinux booleans can additionally be used to deny access until the system recovers. The developer must determine which of these actions to enable and configure the system accordingly.

Control Enhancement 1 – Partially Meets Requirement – Configuration
auditd can be configured to send an email notice to the proper authority when free space on the audit file system falls to a set level (space_left together with space_left_action = email and action_mail_acct). space_left is expressed in megabytes, not as a percentage, so the organization-defined percentage must be converted for the size of the audit file system.

Control Enhancement 2 – Partially Meets Requirement – Development
CLIP is configured to audit a predefined set of audit events; from this list, the organization can designate a number of audit events as high-priority events for which the system will notify an administrator in real time. A tool such as Logwatch or Nagios can be used to provide this functionality.

Control Enhancement 3 – Partially Meets Requirement – Configuration
The Linux audit subsystem in CLIP is configured to cause a kernel panic in the event that it is unable to write to the audit log (the kernel failure flag -f 2 produces a panic when records cannot be delivered to auditd; disk_full_action and disk_error_action in auditd.conf cover a full or failing audit file system). Alternative audit capabilities would need to be added and configured as appropriate for the system.
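The auditd.conf and audit.rules settings named above can be checked mechanically. The following shell script is an added example written for this analysis; it is not part of the CLIP toolkit or the audit package, and the wanted values (email at the space_left threshold, halt at the admin threshold and on a full or failed disk, -f 2 in the rules) are this example's assumptions for an organization's AU-5 assignment, not values CLIP ships. The sample configuration files it writes are constructed.

```shell
#!/bin/sh
# Added example, not part of the CLIP toolkit: check that auditd.conf and
# audit.rules carry the AU-5 failure-handling settings discussed above.
# The "want" values are this example's assumption of a reasonable policy;
# the organization's AU-5 assignment decides the real ones.

# Print the last effective value of "KEY = value" in an auditd.conf,
# lower-cased (auditd treats action names case-insensitively).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Return 0 if every required key has the wanted value; print each deviation.
# Note: space_left / admin_space_left are megabytes of free space, not a
# percentage, so a "75 percent" requirement must be converted for the
# size of the audit file system before it is written into auditd.conf.
check_auditd_conf() {
    conf="$1"
    rc=0
    for pair in \
        space_left_action=email \
        action_mail_acct=root \
        admin_space_left_action=halt \
        disk_full_action=halt \
        disk_error_action=halt
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$conf: $key='${got:-<unset>}' (want '$want')"
            rc=1
        fi
    done
    return $rc
}

# The kernel-side failure flag lives in audit.rules: "-f 2" panics when the
# kernel cannot deliver a record to auditd (0 = silent, 1 = printk).
check_audit_rules() {
    if grep -Eq '^[[:space:]]*-f[[:space:]]+2([[:space:]]|$)' "$1"; then
        return 0
    fi
    echo "$1: no '-f 2' failure flag"
    return 1
}

# Constructed sample files (not copied from any real system).
write_samples() {
    dir="$1"
    cat > "$dir/auditd.weak.conf" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
    cat > "$dir/auditd.hardened.conf" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = HALT
disk_full_action = HALT
disk_error_action = HALT
EOF
    printf '%s\n' '-D' '-b 8192' '-f 2' > "$dir/audit.hardened.rules"
    printf '%s\n' '-D' '-b 320' > "$dir/audit.weak.rules"
}

# Stand-alone run: report on both sample configurations.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in weak hardened; do
    echo "== $f =="
    check_auditd_conf "$tmp/auditd.$f.conf" && echo "auditd.conf OK"
    check_audit_rules "$tmp/audit.$f.rules" && echo "audit.rules OK"
done
rm -rf "$tmp"
```

Run against a live system with check_auditd_conf /etc/audit/auditd.conf and check_audit_rules /etc/audit/audit.rules after editing the wanted values to match the organization's assignment; the halt actions should only be enabled once the email path (action_mail_acct and a working local MTA) has been verified, because the first event a broken mail setup produces is a silent halt.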

AU-6 Audit Monitoring, Analysis, and Reporting

LOW: AU-6 MODERATE: AU-6(2) HIGH: AU-6(1)(2)(3)

Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.

Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. See also AC-13.

Control Enhancements:
1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
3) The organization reviews the audit records at least on a weekly basis and reports findings to appropriate officials, and takes necessary actions.
4) The information system provides the ability for an administrator to set alert thresholds for all auditable events. Enhancement Supplemental Guidance: Alert thresholds should be measured in terms of a utilization level maintained for a defined time period. Short spikes in the system health metrics should not normally be cause for alarm; rather, abnormal levels over time should be cause for alarm.
5) The information system enforces configurable thresholds to determine whether or not all network traffic can be handled and controlled. If a threshold has been met, the system shall process existing traffic until the threshold has been reduced before accepting new traffic for processing.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Partially Meets Requirement - Development
Audit information is readily available, but tools would need to be installed and configured to process the data.

Control Enhancement 2 – Partially Meets Requirement - Development
The audit subsystem provides enough information that an audit dispatcher plugin (audispd hands each record to its configured plugins as it is written) could be added to generate appropriate alerts. A tool such as Logwatch could be installed and used to send reports of activity to administrative users on a system.

Control Enhancement 3 - Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 4 – Partially Meets Requirement - Development
Tools such as Nagios can be installed to meet this requirement. Nagios plugins can be developed to watch vital system statistics, determine system health and notify the system administrator when a threshold has been met. Implementation and configuration of these features is required during system development.

Control Enhancement 5 – Partially Meets Requirement - Development
System tools can be installed to monitor and respond to network traffic patterns.

AU-7 Audit Reduction and Report Generation

LOW: AU-7 MODERATE: AU-7(1) HIGH: AU-7(1)(2)

Control: The information system provides an audit reduction and report generation capability.

Supplemental Guidance: Audit reduction, review and reporting tools support after-the-fact investigations of security incidents without altering original audit records.

Control Enhancements:
1) The information system provides the capability to automatically process audit records for events of interest based upon selectable event criteria.
2) The information system will provide an automated audit reduction tool that includes an audit analysis and report generation capability.

Control – Meets Requirement
Logwatch, seaudit (from the SETools suite) and the audit package's ausearch and aureport provide mechanisms to view audit logs and to search, sort and filter them; they read the logs without altering the original records.

Control Enhancement 1 - Meets Requirement
ausearch selects records by event type, user or login ID, key, system call, time window or outcome, and aureport summarizes them by the same criteria, so events of interest can be processed on selectable criteria.

Control Enhancement 2 – Partially Meets Requirement - Development
The tools mentioned above can process and report on events but do not provide any automated analysis capabilities. Additional development would be needed to create tools that automate the analysis.
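As an added example for AU-3 and AU-7 (not part of the CLIP toolkit or the audit package), the shell script below parses raw audit.log records into their key=value fields and performs the two reductions the tools above provide: selecting the records that match chosen criteria, as ausearch does, and counting them per event type, outcome and login user, as aureport does. The five records it writes are constructed to look like RHEL 5 kernel and PAM records; they were not captured from a system, and the uids, hosts and keys in them are invented.

```shell
#!/bin/sh
# Added example, not from the CLIP toolkit or the audit package: an
# ausearch/aureport-style reduction over raw audit.log records, selecting on
# the AU-3 fields (type, time, subject, outcome). The log lines below are
# constructed for this example, not captured from a real system.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1237305600.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0001 a1=0 a2=0 a3=0 items=1 ppid=2010 pid=2042 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=staff_u:staff_r:staff_t:s0 key="config-read"
type=SYSCALL msg=audit(1237305601.220:202): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0002 a1=1 a2=0 a3=0 items=1 ppid=2010 pid=2043 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="vi" exe="/bin/vi" subj=staff_u:staff_r:staff_t:s0 key="shadow-write"
type=USER_AUTH msg=audit(1237305610.005:203): user pid=2050 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1237305612.000:204): user pid=2051 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1237305620.400:205): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2051 pid=2060 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="useradd" exe="/usr/sbin/useradd" subj=staff_u:sysadm_r:sysadm_t:s0 key="identity"
EOF
}

# Shared awk parser. Each record becomes f[key]=value with surrounding
# quotes removed; the msg=audit(SECONDS:SERIAL) header yields f["time"]
# and f["serial"]. The outcome is success=yes/no on SYSCALL records and
# res=success/failed on PAM (USER_*) records; both land in f["outcome"].
AUDIT_AWK='
function parse(    i, s, v) {
    split("", f)
    for (i = 1; i <= NF; i++) {
        s = index($i, "=")
        if (s == 0) continue
        v = substr($i, s + 1)
        sub(/^"/, "", v); sub(/"$/, "", v)
        sub("^" sq, "", v); sub(sq "$", "", v)
        f[substr($i, 1, s - 1)] = v
    }
    if (match($2, /audit\([0-9.]+:[0-9]+\)/)) {
        s = substr($2, RSTART + 6, RLENGTH - 7)
        split(s, tp, ":"); f["time"] = tp[1]; f["serial"] = tp[2]
    }
    f["outcome"] = (f["success"] != "") ? f["success"] : f["res"]
}
BEGIN { nw = split(want, w, " ") }
{
    parse()
    if (mode == "select") {
        ok = 1
        for (j = 1; j <= nw; j++) {
            s = index(w[j], "=")
            if (f[substr(w[j], 1, s - 1)] != substr(w[j], s + 1)) { ok = 0; break }
        }
        if (ok) print
    } else {
        n[f["type"] " outcome=" f["outcome"] " auid=" f["auid"]]++
    }
}
END { if (mode == "summary") for (k in n) print n[k], k }
'

# audit_select LOG KEY=VALUE...  prints the records matching every criterion,
# e.g. audit_select audit.log type=SYSCALL outcome=no auid=500
# (auid is the login user ID, which survives su and sudo; uid does not).
audit_select() {
    _log="$1"; shift
    awk -v mode=select -v sq="'" -v want="$*" "$AUDIT_AWK" "$_log"
}

# audit_summary LOG  counts records per (type, outcome, auid), the kind of
# reduction aureport --summary performs.
audit_summary() {
    awk -v mode=summary -v sq="'" -v want="" "$AUDIT_AWK" "$1" | sort -k2
}

# Stand-alone demonstration on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "== failed events for login user 500 =="
audit_select "$demo_log" auid=500 outcome=no
echo "== failed authentications =="
audit_select "$demo_log" type=USER_AUTH outcome=failed
echo "== summary =="
audit_summary "$demo_log"
rm -f "$demo_log"
```

The selection keys are whatever the record carries, so key=shadow-write finds the events tagged by a rule's -k argument, serial=203 pulls every record of one event (SYSCALL, CWD and PATH records of the same event share the serial), and outcome=no over a time window is the first pass of an after-the-fact investigation. Real analysis should still go through ausearch and aureport, which understand the full record grammar and interpret numeric fields.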

AU-8 Time Stamps

LOW: AU-8 MODERATE: AU-8(1) HIGH: AU-8(1)

Control: The information system provides time stamps for use in audit record generation.

Control Enhancements:
1) The organization synchronizes internal information system clocks [Assignment: organization-defined frequency or at least every 24 hours].
2) The information system uses the time source associated with the highest classification level security domain in order to maintain the audit integrity.

Control – Meets Requirement
RHEL provides timestamps on audit records; the kernel stamps each record with the UNIX time and a serial number when it is generated.

Control Enhancement 1 – Outside Scope – Development
CLIP can make use of time synchronization tools such as ntpdate (one-shot adjustment) or the ntpd daemon to keep system time synchronized with the network's time servers.

Control Enhancement 2 – Partially Meets Requirement – Development
CLIP provides a way to remotely update the time using the ntp daemon. However, the software would need to be updated to ensure that it takes its time from the highest classification level security domain.

AU-9 Protection of Audit Information

LOW: AU-9 MODERATE: AU-9 (2) HIGH: AU-9 (1) (2)

Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

Control Enhancements:
1) The information system produces audit records on hardware-enforced, write-once media.
2) The information system will back up the audit records not less than weekly onto a different system or media than the system being audited.

Control – Meets Requirement
The SELinux policy confines auditd in its own domain (auditd_t) and restricts access to the audit log files and to the kernel audit control interface, so the audit records, settings and tools are protected from improper use; the log directory and files are owned by root and are not world-readable. The audit rule set can additionally be locked against change until the next reboot with the -e 2 flag in the audit rules.

Control Enhancement 1 – Partially Meets Requirement – Configuration
CLIP does not currently log data to write-once media by default; however, the system can be configured to do so.

Control Enhancement 2 – Partially Meets Requirement – Configuration
CLIP can back up audit records to a different system or media by using the cron or at facilities; these tools can be configured to copy the audit files at preconfigured intervals. The active log should be rotated first (service auditd rotate, or automatically per max_log_file_action) so that complete, closed files are copied.
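One way to implement the AU-9(2) backup described above, as an added example that is not part of the CLIP toolkit: the script copies the audit logs to a separate location, records a SHA-256 manifest computed from the originals and verifies the copies against it, so a later check detects a backup set that has been altered or lost a file. The paths, the cron schedule and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the CLIP toolkit: copy the audit logs to a
# separate location and record SHA-256 hashes of the originals so the
# copies can be verified later. Paths and the schedule are assumptions.
# Intended to run from root's crontab, e.g. weekly:
#   0 2 * * 0  /usr/local/sbin/backup_audit_logs.sh   (hypothetical path)
# Run "service auditd rotate" first so the active log is closed and the
# files copied are complete.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_audit_logs SRC_DIR DST_DIR
# Copies every audit.log* file from SRC_DIR into a new timestamped set
# under DST_DIR (DST_DIR should be a separate file system or a mount of
# the backup host), writes MANIFEST with the hash of each ORIGINAL file,
# then verifies the copies against it. Prints the set directory on success.
backup_audit_logs() {
    src="$1"
    set_dir="$2/audit-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$set_dir" || return 1
    chmod 700 "$set_dir"
    : > "$set_dir/MANIFEST"
    for f in "$src"/audit.log*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        printf '%s  %s\n' "$(hash_file "$f")" "$name" >> "$set_dir/MANIFEST"
        cp -p "$f" "$set_dir/$name" || return 1
        chmod 400 "$set_dir/$name"
    done
    verify_backup "$set_dir" || return 1
    echo "$set_dir"
}

# verify_backup SET_DIR  re-hashes each copy against MANIFEST; any file
# that is missing or altered since the copy is reported and fails the check.
verify_backup() {
    rc=0
    while read -r want name; do
        got=$(hash_file "$1/$name" 2>/dev/null)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH or missing: $name" >&2
            rc=1
        fi
    done < "$1/MANIFEST"
    return $rc
}

# Stand-alone demonstration on constructed files (not real audit data).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src" "$demo_dir/backup"
printf 'type=SYSCALL msg=audit(1237305600.101:201): success=yes\n' > "$demo_dir/src/audit.log"
printf 'type=SYSCALL msg=audit(1237305500.000:150): success=no\n' > "$demo_dir/src/audit.log.1"
if set_dir=$(backup_audit_logs "$demo_dir/src" "$demo_dir/backup"); then
    echo "backed up to $set_dir"
    cat "$set_dir/MANIFEST"
fi
rm -rf "$demo_dir"
```

The manifest is the piece that matters for AU-9: it is computed from the originals before the copy, so a later verify_backup on the backup host answers whether the retained records are the ones the audited system produced. Keeping the manifest on a third medium, or signing it, closes the remaining gap of an attacker with write access to the backup set altering both files and manifest together.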

AU-10 NonRepudiation

LOW: AU- 10 MODERATE: AU- 10 HIGH: AU- 10

Control: The information system provides the capability to determine whether a given individual took a particular action.

Supplemental Guidance: Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later false claims by an individual of not having taken a specific action. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts, time stamps).

Control Enhancements:
1) The information system associates the identity of the data producer with the data itself and the data's label/marking. Enhancement Supplemental Guidance: Supports audit requirements that allow appropriate authorities the means to identify who produced the data, in the event of a data transfer. The nature and strength of the binding are determined and approved by the appropriate authorities based on the relevant risk factors and the assigned Impact Level.
2) The information system validates the binding of the producer's identity to the data and label/marking as part of the review process. Enhancement Supplemental Guidance: This mitigates the risk that data is modified between production and review. A typical approach is validation of a cryptographic checksum.
3) The information system will maintain reviewer/releaser identity and credentials within the chain of custody, as well as the integrity of data labels and markings for all information that is reviewed/released. Enhancement Supplemental Guidance: If the reviewer is a human or if the review function is automated but separate from the release/transfer function, then the information system associates the identity of the reviewer of the data to be released with the data itself and the data's label/marking. In the case of a human reviewer, this requirement provides appropriate authorities the means to identify who reviewed and released the data, and in the case of automated reviewers, this helps ensure that only the approved review function was employed.
4) The information system validates the binding of the reviewer's identity to the data and label/marking at the transfer/release point prior to release/transfer to another domain. Enhancement Supplemental Guidance: This mitigates the risk that data is modified between review and transfer/release.

Control – Partially Meets Requirement - Configuration
Within the boundary of the platform, non-repudiation can be accomplished via SELinux controls, ensuring that the appropriate SELinux user label is always bound to data. The audit subsystem can be configured to log actions, and because the login (audit) user ID is set at login and inherited across su and sudo, an auditor can determine the user that took an action even after a change of identity.

Control Enhancement 1 – Partially Meets Requirement - Configuration
SELinux controls ensure that the appropriate SELinux user label is always bound to data. The policy must be configured to specify the users in the system.

Control Enhancement 2 – Does Not Meet Requirement
Neither RHEL 5.3 nor the CLIP toolkit performs user validation for review.

Control Enhancement 3 – Does Not Meet Requirement
Neither RHEL nor the CLIP toolkit provides releaser support.

Control Enhancement 4 – Does Not Meet Requirement
Neither RHEL nor the CLIP toolkit binds reviewer identities to data.

AU-11 Audit Record Retention

LOW: AU-11 (1) MODERATE: AU-11 (2) HIGH: AU-11 (2)

Control: The organization retains audit records for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The audit retention time period will be in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance documents.

Control Enhancements:
1) The organization retains audit records for at least 1 year.
2) The organization retains audit records for at least 5 years.
3) The organization retains audit records for at least 10 years.
4) The organization retains audit records for at least 25 years.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 through 4 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

AU-12 Session Alert

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The information system has the ability to remotely view, listen to, log, and capture all content related to a specific user in real time.

Supplemental Guidance: There are legal issues related to this ability, and thus it should be developed, integrated, and used under the guidance of legal counsel.

Control Enhancements:
1) The information system provides the ability to capture the entire session data associated with a user in real time.
2) The information system has the ability to initiate the audit processes at system startup.

Control – Does Not Meet Requirement
CLIP does not currently support remote, real-time viewing or capture of a user's session.

Control Enhancement 1 - Does Not Meet Requirement
CLIP does not currently support real-time capture of session content.

Control Enhancement 2 - Meets Requirement
The CLIP audit subsystem is configured to start at boot time: the auditd service is enabled in the boot runlevels. Adding audit=1 to the kernel command line enables auditing before auditd starts, so that events from early boot are queued rather than lost.

2.1.2.4. Certification, Accreditation and Security

CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures

LOW: CA-1 MODERATE: CA-1 HIGH: CA-1

Control: The organization develops, disseminates, and periodically reviews/updates: a. Formal, documented, security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.

Supplemental Guidance: The security assessment and certification and accreditation policies and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security assessment and certification and accreditation policies can be included as part of the general information security policy for the organization. Security assessment and certification and accreditation procedures can be developed for the security program in general, and for a particular information system, when required. The organization defines what constitutes a significant change to the information system to achieve consistent security reaccreditations.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CA-2 Security Assessments

LOW: CA-2 MODERATE: CA-2 HIGH: CA-2

Control: The organization conducts an assessment of the security controls in the information system [Assignment: organization-defined frequency, at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Supplemental Guidance: The security assessments referred to in this control are the FISMA-mandated annual system life-cycle assessments, not the accreditation life-cycle assessments. With respect to the FISMA-mandated annual assessments, OMB does not require an annual assessment of all security controls employed in an organizational information system. In accordance with OMB policy, organizations must annually assess a subset of the security controls based on: (i) the NSS 1199 (ODNI/CIO Draft) security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or confidence) that the organization must have in determining the effectiveness of the security controls in the information system. It is expected that the organization will assess all of the security controls in the information system during the 3-year accreditation cycle. The organization can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment requirement (see CA-4). Related security controls: CA-4, CA-6, CA-7, and SA-11.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CA-3 System Connections

LOW: CA-3 MODERATE: CA-3 HIGH: CA-3

Control: The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.

Supplemental Guidance: Organizations should carefully consider the risks that may be introduced when systems are connected to other information systems with different security requirements, different security controls and governed by different security policies, both within the organization and external to the organization. Risk considerations also include information systems sharing the same networks. Related security controls: SC-7 and SA-9.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CA-4 Security Certification

LOW: CA-4(3) MODERATE: CA-4(1)(3) HIGH: CA-4(1)(3)

Control: The organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Supplemental Guidance: A security certification is conducted by the organization in support of the requirement for accrediting the information system. The security certification is a key factor in all security accreditation (i.e., authorization) decisions and is integrated into and spans the system development life cycle. The organization assesses all security controls in an information system during the initial security accreditation. Subsequent to the initial accreditation and in accordance with OMB policy, the organization assesses a subset of the controls annually during continuous monitoring (see CA-7). The organization can use the current year's assessment results obtained during security certification to meet the annual FISMA assessment.

Control Enhancements:
1) The organization employs an independent certification agent or certification team to conduct an assessment of the security controls in the information system. Enhancement Supplemental Guidance: An independent certification agent or certification team is any individual or group capable of conducting an impartial assessment of an organizational information system. Impartiality implies that the assessors are free from any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of command associated with the information system or to the determination of security control effectiveness. Independent security certification services can be obtained from other elements within the organization or can be contracted to a public or private sector entity outside of the organization. Contracted certification services are considered independent if the information system owner is not directly involved in the contracting process or cannot unduly influence the independence of the certification agent or certification team conducting the assessment of the security controls in the information system. The authorizing official decides on the required level of certifier independence based on the criticality and sensitivity of the information system and the ultimate risk to organizational operations and organizational assets, and to individuals. The authorizing official determines if the level of certifier independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision. In special situations, for example when the organization that owns the information system is small or the organizational structure requires that the assessment of the security controls be accomplished by individuals that are in the developmental, operational, and/or management chain of the system owner or authorizing official, independence in the certification process can be achieved by ensuring the assessment results are carefully reviewed and analyzed by an independent team of experts to validate the completeness, consistency, and veracity of the results. The authorizing official should consult with the Office of the Inspector General, the senior agency information security officer, and the chief information officer to fully discuss the implications of any decisions on certifier independence in the types of special circumstances described above.
2) The organization shall develop a security test plan and associated procedures that include: a. A test plan that articulates controls and enhancements for the system to be tested, the test environment, the testing boundary, the test team and roles and responsibilities. b. A test procedures document containing a detailed description of the controls and enhancements that have been implemented, and how the implementation will be verified during testing. Enhancement Supplemental Guidance: Refer to NSS Instruction 1253A (Draft), Guide for Assessing the Security Controls in National Security Systems, for further guidance.
3) The organization shall ensure that the results of the security assessment are provided, in writing, to the authorizing official or his/her agent.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.


CA-5 Plan of Action and Milestones

LOW: CA-5 MODERATE: CA-5 HIGH: CA-5

Control: The organization develops and updates [Assignment: organization-defined frequency] a plan of action and milestones (POA&M) for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.

Supplemental Guidance: The Plan of Action and Milestones (POA&M) is a key document in the security accreditation package developed for the authorizing official and is subject to federal reporting requirements established by OMB. The POA&M updates are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational POA&Ms.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CA-6 Security Accreditation

LOW: CA-6 MODERATE: CA-6 HIGH: CA-6

Control: The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization [Assignment: organization-defined frequency, at least every three years] or when there is a significant change to the system. A senior organizational official signs and approves the security accreditation. The organization assesses the security controls employed within the information system before and in support of the security accreditation, thus providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system.

Supplemental Guidance: Security assessments conducted in support of security accreditations are called security certifications. The security accreditation of an information system is not a static process. Through the employment of a comprehensive continuous monitoring process (the fourth and final phase of the certification and accreditation process), the critical information contained in the accreditation package (i.e., the system security plan, the security assessment report, and the plan of action and milestones) is updated on an ongoing basis, providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system. To reduce the administrative burden of the 3-year reaccreditation process, the authorizing official uses the results of the ongoing continuous monitoring process to the maximum extent possible as the basis for rendering a reaccreditation decision. Related security controls: CA-2, CA-4, and CA-7.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CA-7 Continuous Monitoring

LOW: CA-7 MODERATE: CA-7 (1)(2) HIGH: CA-7 (1)(2)

Control: The organization monitors the security controls in the information system on an ongoing basis. Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system's three-year authorization cycle or throughout the organization's continuous monitoring program.

Supplemental Guidance: The use of the term critical in the control refers to those components of a system (hardware, software, firmware, data, interfaces, storage media, and communications media) that are essential to the enforcement of the system's security policies. Examples might include those components responsible for enforcing I&A and auditing policies. Continuous monitoring activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting. The organization assesses all security controls in an information system during the initial security accreditation. Subsequent to the initial accreditation and in accordance with national policy, the organization assesses a subset of the controls annually during continuous monitoring. The selection of an appropriate subset of security controls is based on: (i) the security categorization of the information system and risk to the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or grounds for confidence) that the organization must have in determining the effectiveness of the security controls in the information system. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved. The organization can use the current year's assessment results obtained during continuous monitoring to meet the annual FISMA assessment requirement (see CA-2). This control is closely related to and mutually supportive of the activities required in monitoring configuration changes to the information system. An effective continuous monitoring program results in ongoing updates to the information system security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security accreditation package. A rigorous and well-executed continuous monitoring process significantly reduces the level of effort required for the reaccreditation of the information system. Related security controls: CA-2, CA-4, CA-5, CA-6, and CM-4.

Control Enhancements:
1) The organization employs an independent certification agent or certification team to monitor the security controls in the information system on an ongoing basis. Enhancement Supplemental Guidance: Independent in this context means independent of program management; other parts of the government, or even of the organization, can satisfy this role. The organization can extend and maximize the value of the ongoing assessment of security controls during the continuous monitoring process by requiring an independent certification agent or team to assess all of the security controls during the information system's 3-year accreditation cycle. Related security controls: CA-2, CA-4, CA-5, CA-6, and CM-4.
2) The organization will plan, schedule, and conduct conformance testing that includes periodic, unannounced in-depth monitoring and specific penetration testing to ensure compliance with all vulnerability mitigation procedures. Enhancement Supplemental Guidance: Examples of vulnerability mitigation procedures are contained in DoD IAVA or IA best practices. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. Conformance testing also provides independent validation.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.5. Configuration Management

CM-1 Configuration Management Policy and Procedures

LOW: CM-1 MODERATE: CM-1 HIGH: CM-1

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Supplemental Guidance: The configuration management policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general, and for a particular information system, when required.
Control Enhancements: None.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CM-2 Baseline Configuration

LOW: CM-2 MODERATE: CM-2(1) HIGH: CM-2(1)(2)

Control: The organization develops, documents, and maintains a current baseline configuration of the information system.
Supplemental Guidance: This control establishes a baseline configuration for the information system. The baseline configuration provides information about a particular component’s makeup (e.g., the standard software load for a workstation or notebook computer, including updated patch information) and the component’s logical placement within the information system architecture. The baseline configuration also provides the organization with a well-defined and documented specification to which the information system is built; deviations, if required, are documented in support of mission needs/objectives. Related security controls: CM-6, CM-8.
Control Enhancements:
1) The organization updates the baseline configuration of the information system as an integral part of information system component installations.
2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
3) The organization provides, as part of the CM plan, procedures that address system connectivity, including any software, hardware, or firmware used for communication.
4) The organization tests and verifies the CM plan at least [Assignment: organization-defined frequency, or at least annually].
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 and 2 – Outside Scope - Configuration
AIDE provides the capabilities but must be configured according to organizational policy.
Control Enhancement 3 and 4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CM-3 Configuration Change Control

LOW: CM-3 MODERATE: CM-3 (2)(3) HIGH: CM-3(1)(2)(3)

Control: The organization authorizes, documents, and controls changes to the information system. The organization manages configuration changes to the information system using an organizationally approved process (e.g., a chartered Configuration Control Board). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the information system include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the information system.
Supplemental Guidance: Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the information system, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). Related security controls: CM-4, CM-6, and SI-2.
Control Enhancements:
1) The organization employs automated mechanisms to: a) Document proposed changes to the information system; b) Notify appropriate approval authorities; c) Highlight approvals that have not been received in a timely manner; d) Inhibit change until necessary approvals are received; and e) Document completed changes to the information system.
2) The organization establishes a CM control board, which includes the Information System Security Manager (ISSM), Information Assurance Manager (IAM), or Information System Security Officer (ISSO) as a member (or members).
3) All National Security Systems (NSS) are under the control of a chartered configuration control board (CCB) that meets regularly. The CCB reviews and approves all proposed information system changes, to include interconnections to other information systems.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancements 1 through 3 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CM-4 Monitoring Configuration Changes

LOW: CM-4 MODERATE: CM-4 HIGH: CM-4

Control: The organization monitors changes to the information system, conducting security impact analyses to determine the effects of the changes. After the information system is changed (including upgrades and modifications), the organization checks the security features to verify that the features are still functioning properly. The organization audits activities associated with configuration changes to the information system.
Supplemental Guidance: Prior to change implementation, and as part of the change approval process, the Information System Security Manager (ISSM), Information Assurance Manager (IAM), or Information System Security Officer (ISSO) analyzes changes to the information system for potential security impacts. Monitoring configuration changes and conducting security impact analyses are important elements with regard to the ongoing assessment of security controls in the information system. Related security control: CA-7.
Control Enhancements: None.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CM-5 Access Restrictions for Change

LOW: Tailoring MODERATE: CM-5 (1)(2)(4) HIGH: CM-5(1)(3)(4)

Control: The organization: a. Approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and b. Generates, retains, and reviews records reflecting all such changes.
Supplemental Guidance: Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. Only qualified and authorized individuals can obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Control Enhancements:
1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
2) The organization limits and periodically reviews system developer privileges to change code and system data directly within a production environment.
3) The organization limits system developer privileges to change code and system data directly within a production environment and reevaluates them on a 90-day cycle.
4) System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 – Partially Meets Requirement – Procedural
Auditing can be configured to include changes to enforcement status, and the SELinux policy can also restrict access to the tools with the ability to make changes to enforcement state. Physical access is not addressed by CLIP.
Control Enhancement 2 and 3 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 4 – Meets Requirement
The CLIP SELinux policy labels system libraries in a way that limits the ability to modify them.
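As an added illustration of Control Enhancement 1 (this is not code from the CLIP project or from this analysis): recording changes to SELinux enforcement state on an auditd-based host means watching the SELinux configuration directory and the tools that change enforcement or load policy, and then checking that those watches are actually loaded rather than only written to a file. The rule set, the key names and the paths /etc/selinux/, /usr/sbin/setenforce and /usr/sbin/semodule are assumptions for a RHEL 5-style layout; the `auditctl -l` listing inside the script is a constructed sample, not output captured from a real system.

```shell
#!/bin/sh
# Added example: audit watches for SELinux enforcement-state changes plus a
# compliance check against what auditd reports as loaded.
# Paths and key names are assumptions for a RHEL 5-style layout, not CLIP's rules.

# The watch rules the site policy requires, in audit.rules syntax.
required_rules() {
    cat <<'EOF'
-w /etc/selinux/ -p wa -k selinux_config
-w /usr/sbin/setenforce -p x -k selinux_enforce
-w /usr/sbin/semodule -p x -k selinux_policy
EOF
}

# Constructed sample of `auditctl -l` output from a host where only the
# configuration-directory watch was installed (a partially configured system).
sample_loaded_rules() {
    cat <<'EOF'
-w /etc/selinux/ -p wa -k selinux_config
-w /etc/passwd -p wa -k identity
EOF
}

# missing_rules LOADED: print each required rule that does not appear as a
# whole line in LOADED, the text of an `auditctl -l` listing.
missing_rules() {
    loaded=$1
    required_rules | while IFS= read -r rule; do
        printf '%s\n' "$loaded" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
    done
}

# count_missing LOADED: number of required rules not loaded (0 means compliant).
count_missing() {
    missing_rules "$1" | awk 'END { print NR }'
}

# write_rules_file PATH: emit the required rules as an audit.rules fragment,
# suitable for appending to /etc/audit/audit.rules before reloading auditd.
write_rules_file() {
    {
        echo '# SELinux enforcement-state auditing (CM-5 enhancement 1)'
        required_rules
    } > "$1"
}

# Live mode: compare the running host's loaded rules instead of the sample.
# Run as root: sh audit_selinux_rules.sh --live
if [ "${1-}" = "--live" ]; then
    live=$(auditctl -l 2>/dev/null)
    n=$(count_missing "$live")
    echo "missing required audit rules: $n"
    missing_rules "$live"
    exit "$(( n > 0 ))"
fi
```

The check compares whole rule lines, so a watch on the right path with a weaker permission set (for example `-p w` instead of `-p wa`) is reported as missing, which is the conservative answer for a compliance test. Records produced by these watches carry the key names above and can be pulled out with `ausearch -k selinux_enforce` for review.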

CM-6 Configuration Settings

LOW: CM-6 MODERATE: CM-6 (2) HIGH: CM-6 (1)(2)

Control: The organization: a. Establishes mandatory configuration settings for information technology products employed within the information system; b. Configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; c. Documents the configuration settings; and d. Enforces the configuration settings in all components of the information system.
Supplemental Guidance: Configuration settings are the configurable parameters of the information technology products that compose the information system. Organizations monitor and control changes to the configuration settings in accordance with organizational policies and procedures. Configuration guides designed for the National Security Community can be found at www.nsa.gov; however, organizations have the discretion to utilize locally developed guides (e.g., DoD Security Technical Implementation Guides (STIGs)). Related security controls: CM-2, CM-3, and SI-4.
Control Enhancements:
1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
2) The information system and any modifications to the system baseline must demonstrate conformance to security configuration technical implementation guides prior to being introduced into a production environment.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 and 2 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CM-7 Least Functionality

LOW: CM-7 MODERATE: CM-7 (1)(2) HIGH: CM-7(1)(2)

Control: The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, the organization limits component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by information systems, or by individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice over Internet Protocol, Instant Messaging, File Transfer Protocol, Hypertext Transfer Protocol, file sharing systems).
Control Enhancements:
1) The organization reviews the information system [Assignment: organization-defined frequency, or at least annually] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
2) The information system complies with ports, protocols, and services guidance and organizational registration requirements.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 2 – Partially Meets Requirement – Configuration
CLIP supports the configuration of ports, and the SELinux policy can be configured to limit the services and/or protocols used to communicate over them.

CM-8 Information System Component Inventory

LOW: CM-8 MODERATE: CM-8(1) HIGH: CM-8(1)(2)

Control: The organization develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information. The organization determines the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting).
Supplemental Guidance: The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system. Related security controls: CM-2 and CM-6.
Control Enhancements:
1) The organization updates the inventory of information system components as an integral part of component installations.
2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.6. Contingency Planning

CP-1 Contingency Planning Policy and Procedures

LOW: CP-1 MODERATE: CP-1 (1) HIGH: CP-1 (1)

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
Supplemental Guidance: The contingency planning policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The contingency planning policy can be included as part of the general information security policy for the organization. Contingency planning procedures can be developed for the security program in general, and for a particular information system, when required.
Control Enhancements:
1) The organization develops and implements procedures to assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 – Partially Meets Requirement – Procedural
While the majority of this requirement is procedural in nature and outside the scope of the system, the SELinux security policy can be configured to protect any backup software that is installed.

CP-2 Contingency Plan

LOW: CP-2 (4)(7) MODERATE: CP-2(1)(2)(3)(5) HIGH: CP-2(1)(2)(3)(6)

Control: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
Supplemental Guidance: None.
Control Enhancements:
1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
3) The organization explicitly identifies mission and business essential functions and establishes associated restoration priorities and metrics.
4) The organization plans and provides sufficient capacity for the partial resumption of mission or business essential functions within 5 days of Contingency Plan activation.
5) The organization plans and provides sufficient capacity for full resumption of mission and business essential functions within 24 hours of Contingency Plan activation.
6) The organization plans and provides for the smooth transfer of all mission or business essential functions to alternate processing or facilities with little or no loss of operational continuity. Continuity is sustained through restoration to primary processing or facilities.
7) The organization plans and provides sufficient capacity to support partial restoration of mission or business essential functions.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-7 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.


CP-3 Contingency Training

LOW: Tailoring MODERATE: CP-3 HIGH: CP-3(1)(2)

Control: The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency, or at least annually].
Supplemental Guidance: None.
Control Enhancements:
1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CP-4 Contingency Plan Testing and Exercises

LOW: Tailoring MODERATE: CP-4(1) HIGH: CP-4(1)(2)(3)(4)

Control: The organization: a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and b. Reviews the contingency plan test/exercise results and initiates corrective actions.
Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth and rigor of contingency plan testing and/or exercises increases with the Impact Level of the information system. Contingency plan testing and/or exercises also include a determination of the effects on organizational operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
Control Enhancements:
1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.
3) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the information system and supported missions.
4) The organization exercises this plan on a semi-annual basis.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-4 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CP-5 Contingency Plan Update

LOW: CP-5 MODERATE: CP-5 HIGH: CP-5

Control: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing. The organization communicates changes to appropriate organizational elements responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan).
Supplemental Guidance: Organizational changes include changes in mission, functions, or business processes supported by the information system.
Control Enhancements: None.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

CP-6 Alternate Storage Site

LOW: Tailoring MODERATE: CP-6(1)(3) HIGH: CP-6(1)(2)(3)(4)(5)

Control: The organization identifies an alternate storage site and initiates necessary agreements to permit the storage of information system backup information. The organization ensures that the frequency of information system backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization’s recovery time objectives and recovery point objectives.
Supplemental Guidance: None.
Control Enhancements:
1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.
2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.
3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
4) The organization performs daily data backups and stores recovery media offsite at a location that affords protection of the data in accordance with its confidentiality, integrity, and availability levels.
5) The organization accomplishes data backup by maintaining a redundant secondary system, not collocated, that can be activated without loss of data or disruption to the operation.
6) The organization will consider alternative procedures, such as secure transmission of the data to an appropriate offsite location, if regular offsite backup is not feasible.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-6 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CP-7 Alternate Processing Site

LOW: Tailoring MODERATE: CP-7(1)(2)(3)(5) HIGH: CP-7(1)(2)(3)(4)(6)

Control: The organization identifies an alternate processing site and initiates necessary agreements to permit the resumption of information system operations for critical mission/business functions within [Assignment: organization-defined time period, not to exceed 5 days] when the primary processing capabilities are unavailable. The organization ensures that equipment and supplies required to resume operations within the organization-defined time period, not to exceed 5 days, are either available at the alternate site or contracts are in place to support delivery to the site. The organization ensures that their timeframes to resume information system operations are consistent with organization-established recovery time objectives.
Supplemental Guidance: None.
Control Enhancements:
1) The organization identifies an alternate processing site that is geographically separated from the primary processing site so as not to be susceptible to the same hazards.
2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
4) The organization fully configures the alternate processing site so that it is ready to be used as the operational site supporting a minimum required operational capability.
5) The organization ensures that the alternate site provides security measures, to include boundary defense and user connectivity and access controls, equivalent to the primary site.
6) The organization ensures that the alternate site provides security measures, to include boundary defense and user connectivity and access controls, that are configured identically to the primary site.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-6 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the platform.

CP-8 Telecommunications Service

LOW: Tailoring MODERATE: CP-8(1)(2)(3) HIGH: CP-8(1)(2)(3)(4)

Control: The organization identifies primary and alternate telecommunications services to support the information system and initiates necessary agreements to permit the resumption of system operations for critical mission/business functions within [Assignment: organization-defined time period, not to exceed 48 hours] when the primary telecommunications capabilities are unavailable.
Supplemental Guidance: In the event that the primary and/or alternate telecommunications services are provided by a common carrier, the organization requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness.
Control Enhancements:
1) The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
2) The organization obtains alternate telecommunications services that do not share a single point of failure with primary telecommunications services.
3) The organization obtains alternate telecommunications service providers that are sufficiently separated from primary service providers so as not to be susceptible to the same hazards.
4) The organization requires primary and alternate telecommunications service providers to have adequate contingency plans.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

CP-9 Information System Backup

LOW: CP-9 (1) MODERATE: CP-9(1)(4) HIGH: CP-9(1)(2)(3)(4)

Control: The organization: a. Conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency, or at least weekly]; b. Conducts backups of system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency, or at least weekly]; c. Ensures that the frequency of information system backups and the transfer rate of backup information to alternate storage sites (if so designated) are consistent with the organization’s recovery time objectives; and d. Protects backup information at the storage location.
Supplemental Guidance: While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the associated risk level. An organizational assessment of risk guides the use of encryption for backup information. The protection of system backup information while in transit is beyond the scope of this control. Related security controls: MP-4, MP-5, PE-7, and PE-17.
Control Enhancements:
1) The organization tests backup information [Assignment: organization-defined frequency, or at least weekly] to verify media reliability and information integrity.
Enhancement Supplemental Guidance: Satisfaction of this requirement dictates that the operationally restored system maintains the same security posture and data integrity as before the backup procedure(s) were implemented.
2) The organization selectively uses backup information in the restoration of information system functions as part of contingency plan testing.
3) The organization stores backup copies of the operating system and other critical information system software in a separate facility or in a fire-rated container that is not collocated with the operational software.
4) The organization protects system backup information from unauthorized modification. The organization employs appropriate mechanisms (e.g., digital signatures, cryptographic hashes) to protect the integrity of information system backups.
Enhancement Supplemental Guidance: Protecting the confidentiality of system backup information is beyond the scope of this control. However, the chain of custody from primary site to storage site and back to restoration site for the backup media must exist, and sufficient evidence must be presented to provide confidentiality protection. There must be adequate protection mechanisms in place to prevent the data used in the backup and recovery process from being modified in an unauthorized manner. Related security controls: MP-4 and MP-5.
Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.
Control Enhancement 1-4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.
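Control Enhancement 4 names cryptographic hashes and digital signatures as the integrity mechanism for backups. As an added example of the hash-based form (not CLIP tooling and not part of this analysis), the script below builds a SHA-256 manifest over a backup tree at backup time and verifies the restored tree against it, treating a missing, altered, or added file as a failure. It assumes GNU coreutils and findutils (sha256sum, sort -z, xargs -0); the backup directory and manifest path are whatever the caller passes, and the files created in the usage example are constructed.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for a backup set, one way to implement the
# integrity mechanism named in CP-9 enhancement 4. Not CLIP's own tooling;
# assumes GNU coreutils (sha256sum, sort -z, xargs -0) and findutils.

# abspath FILE: absolute path of FILE, so the manifest can be used after `cd`.
abspath() {
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd)" "$(basename "$1")" )
}

# make_manifest BACKUP_DIR MANIFEST_FILE
# Hash every regular file under BACKUP_DIR with paths relative to it, so the
# manifest still verifies after the set is restored to a different location.
# MANIFEST_FILE must live outside BACKUP_DIR and, in practice, be signed or
# stored separately: whoever can rewrite the backup must not be able to rewrite
# the hashes that vouch for it.
make_manifest() {
    dir=$1
    manifest=$(abspath "$2")
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# verify_manifest BACKUP_DIR MANIFEST_FILE
# Returns 0 only if every listed file is present and unchanged AND no file has
# been added since the manifest was made. `sha256sum -c` already fails on a
# changed or missing file; the second check catches unlisted additions, which
# it would otherwise ignore.
verify_manifest() {
    dir=$1
    manifest=$(abspath "$2")
    ( cd "$dir" && sha256sum -c "$manifest" >/dev/null 2>&1 ) || return 1
    # sha256sum lines are "<64 hex chars><two spaces><path>", so the path starts at column 67.
    listed=$(cut -c67- "$manifest" | LC_ALL=C sort)
    present=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    [ "$listed" = "$present" ]
}

# Command-line use, e.g. after a nightly backup and again before a restore:
#   sh backup_manifest.sh make   /srv/backup/2009-03-17 /srv/manifests/2009-03-17.sha256
#   sh backup_manifest.sh verify /srv/backup/2009-03-17 /srv/manifests/2009-03-17.sha256
case "${1-}" in
    make)   make_manifest "$2" "$3" && echo "manifest written: $3" ;;
    verify) if verify_manifest "$2" "$3"; then echo "backup integrity OK"; else echo "backup integrity FAILED" >&2; exit 1; fi ;;
esac
```

A plain hash manifest only detects modification if the manifest itself is trustworthy, which is why the lead-in ties it to the chain-of-custody wording in the enhancement guidance: sign the manifest (for example with a GPG detached signature) or keep it on separately controlled storage, and verify the signature before verifying the files.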

CP-10 Information System Recovery and Reconstitution

LOW: CP-10 (2) MODERATE: CP-10 (2) HIGH: CP-10(1)(2)(3)

Control: The organization employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure. Supplemental Guidance: Information system recovery and reconstitution to a known secure state means that all system parameters (either default or organization-established) are set to secure values, security-critical patches are reinstalled, security-related configuration settings are reestablished, system documentation and operating procedures are available, application and system software is reinstalled and configured with secure settings, information from the most recent, known secure backups is loaded, and the system is fully tested. Control Enhancements: 1) The organization includes a full recovery and reconstitution of the information system as part of contingency plan testing.


2) The organization documents circumstances that can inhibit a recovery to a known, secure state and implements the appropriate mitigating controls. 3) Information systems that are transaction based (e.g., database management systems, transaction processing systems) will implement transaction rollback and transaction journaling, or technical equivalents. Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancements 1 through 3 – Outside Scope – Procedural These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.7. Identification and Authentication

IA-1 Identification and Authentication Policy and Procedures

LOW: IA-1 MODERATE: IA-1 HIGH: IA-1

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. Supplemental Guidance: The identification and authentication policy and procedures are consistent with other applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The identification and authentication policy can be included as part of the general information security policy for the organization. Identification and authentication procedures can be developed for the security program in general, and for a particular information system, when required. Users take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately. Control Enhancements: None Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform.

IA-2 User Identification and Authentication

LOW: IA-2 (1)(7)(9) MODERATE: IA-2 (2)(4)(7)(8)(9) HIGH: IA-2 (3)(6)(8)(9)


Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users). Supplemental Guidance: Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordance with security control AC-14. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Local access is any access to an organizational information system by a user (or an information system) communicating through an internal organization-controlled network (e.g., local area network) or directly to a device without the use of a network. Scalability, practicality, and security issues are simultaneously considered in balancing the need to ensure ease of use for public access to such information and information systems with the need to protect organizational operations, organizational assets, and individuals. Related security controls: AC-14 and AC-17. Control Enhancements: 1) The information system employs passwords/PINs for non-privileged local and remote system access. 2) The information system employs passwords/PINs for local system access only. 3) The information system employs a multifactor authentication process or device that generates a one-time password, for local system access. Enhancement Supplemental Guidance: Multifactor authentication could include soft tokens, hard tokens, scratch cards, grid cards, Personal Digital Assistants (PDAs) or phones that generate one-time passwords. One-time passwords could include the type one gets from time-synchronous devices (e.g., SecurID), from challenge-response devices, or from the protocol handshake that underlies Public Key Infrastructure (PKI). 4) The information system employs a multifactor authentication process or device that generates a one-time password, for remote system access. Enhancement Supplemental Guidance: The additional phrase is intended to eliminate concepts such as soft tokens. This is intended to address an OMB-06-16 requirement for remotely accessing systems containing Personally Identifiable Information (PII), and there is no NSS exception. 5) The information system employs a multifactor authentication process or device that generates a one-time password, for local and remote system access, where one of the factors is separate from the system being used to gain access. 6) The information system employs a multifactor authentication device that generates a one-time password, for local and remote system access, where one of the factors is separate from the system being used to gain access. Enhancement Supplemental Guidance: This essentially requires a hard token or device such as a Common Access Card, Personal Identification Card, or a time-synchronous device (e.g., SecurID), separate from the computer, that generates a one-time password. 7) If passwords/PINs are employed they shall be compliant with the applicable control enhancements in IA-5. 8) If certificate-based authentication is employed it shall be compliant with the applicable control enhancements in IA-5. 9) Group authentication may only be used in conjunction with an individual authenticator; individuals must be authenticated with an individual authenticator prior to use of a group authenticator.

Control – Meets Requirement CLIP gives each operating system user a unique user identifier (uid). Separately, the kernel audit subsystem records a login uid (auid) when the user authenticates, and that auid is maintained for the whole session: even if the user changes identity, for example with the 'su' command to become root, all audited actions are still associated with the original login's auid rather than with the new uid. Each user is also assigned a primary group identifier (gid), which likewise remains with the user throughout the session. The PAM library used by CLIP authenticates users and can be configured to support passwords, tokens, the use of cards from NSA and biometrics if necessary. Control Enhancements 1 through 4 – Partially Meets Requirement – Configuration The PAM library used by CLIP to authenticate users can be configured to support passwords, tokens, the use of cards from NSA, and biometrics if necessary. Control Enhancements 5 and 6 – Partially Meets Requirement – Development The use of hardware tokens as part of multifactor authentication can be added but is not supported by default. Control Enhancement 7 – Partially Meets Requirement – Configuration As above, the PAM library used by CLIP can be configured to support passwords, tokens, the use of cards from NSA and biometrics if necessary. Control Enhancement 8 – Outside Scope – Configuration CLIP does not currently use certificates; the PAM library used by CLIP can be configured to support passwords, tokens, the use of cards from NSA and biometrics if necessary. Control Enhancement 9 – Partially Meets Requirement – Development By default, authentication in Linux is individual; support for group authentication exists but is off by default, and would need to be extended to require an individual authenticator before a group authenticator is used.
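The auid behaviour described in the IA-2 analysis, shown as an added example that is not part of the CLIP documentation or code: a Python script that parses constructed Linux audit records (in the key=value format auditd writes to /var/log/audit/audit.log) and groups them by login uid. The sample records, the "shadow-read" key and the auditctl rule that would produce it are all assumptions made for the example; they are not taken from a real CLIP system.

```python
"""Attributing audited actions to the login uid (auid).

Added example, not code from the CLIP project. It parses constructed audit records
and groups them by auid to show that actions taken after `su` to root (uid=0) are
still tied to the original login, while daemon actions carry the unset auid.
"""
import re
from collections import defaultdict

# Assumed auditctl rule that would generate the key="shadow-read" records below.
SHADOW_WATCH_RULE = "-w /etc/shadow -p r -k shadow-read"

# auid is (unsigned)-1 for processes that never went through a login, e.g. daemons.
UNSET_AUID = 4294967295

# Constructed sample records (not from a real system): uid 500 logs in over ssh,
# runs `su -` to root, and reads /etc/shadow; crond reads it without any login.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1237300000.123:101): user pid=2001 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1237300010.456:102): user pid=2010 uid=0 auid=500 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1237300020.789:103): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1 a1=0 a2=0 a3=0 items=1 ppid=2010 pid=2022 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="shadow-read"
type=SYSCALL msg=audit(1237300030.000:104): arch=c000003e syscall=2 success=yes exit=4 a0=7fff2 a1=0 a2=0 a3=0 items=1 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" key="shadow-read"
"""

# key=value tokens; values may be double-quoted (exe="/bin/su") or bare (uid=0).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the record's fields as a dict. The first occurrence of a key wins,
    so the outer uid/auid are not overwritten by anything nested inside msg='...'."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value.strip('"'))
    return fields


def attribute_events(log_text):
    """Group records by login uid. Returns {auid: [(uid, program), ...]} in log order."""
    by_auid = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        program = rec.get("comm") or rec.get("exe") or rec.get("type")
        by_auid[int(rec["auid"])].append((int(rec["uid"]), program))
    return dict(by_auid)


def shadow_readers(log_text):
    """(auid, uid, comm) for every record carrying the /etc/shadow watch key.
    Entries with UNSET_AUID cannot be attributed to a person by the audit trail."""
    readers = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("key") == "shadow-read":
            readers.append((int(rec["auid"]), int(rec["uid"]), rec.get("comm")))
    return readers


if __name__ == "__main__":
    for auid, events in attribute_events(SAMPLE_AUDIT_LOG).items():
        label = "no login (daemon)" if auid == UNSET_AUID else "login uid %d" % auid
        print(label, "->", ", ".join("uid=%d %s" % e for e in events))
```

Every sample record reports uid=0, so grouping by uid alone would attribute the shadow read to "root"; grouping by auid ties it to login uid 500, which is the accountability property the control asks for. The crond record is the other case a reviewer should expect: a daemon that was started at boot has no login uid, so its auid is the unset value rather than a person.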

IA-3 Device Identification and Authentication

LOW: Tailoring MODERATE: IA-3 (1) HIGH: IA-3 (2)

Control: The information system identifies and authenticates specific devices before establishing a connection.


Supplemental Guidance: The information system typically uses either shared known information (e.g., physical address or Transmission Control Protocol/Internet Protocol (TCP/IP) address) or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP), or a RADIUS server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. The required strength of the device authentication mechanism is determined by the Impact Level security categorization of the information system, with higher risk levels requiring stronger authentication. Control Enhancements: 1) The information system employs bidirectional authentication that is cryptographically based between devices before establishing remote communication connections. 2) The information system employs bidirectional authentication that is cryptographically based between devices before establishing remote or local communication connections. Control – Meets Requirement CLIP uses the TCP/IP suite and supports 802.1x authentication. Control Enhancements 1 and 2 – Partially Meets Requirement – Configuration CLIP can be configured to use X.509 certificates or shared keys to authenticate remote connections.

IA-4 Identifier Management

LOW: IA-4 MODERATE: IA-4 (1)(3)(4) HIGH: IA-4 (1)(2)(3)(4)

Control: The organization manages user identifiers by: a. Uniquely identifying each user; b. Verifying the identity of each user; c. Receiving authorization to issue a user identifier from an appropriate organization official; d. Issuing the user identifier to the intended party; e. Disabling the user identifier after [Assignment: organization-defined time period] of inactivity; and f. Archiving user identifiers. Supplemental Guidance: Identifier management is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Control Enhancements: 1) The organization requires that registration to receive a user ID and password include authorization by a supervisor, and be done in person before a designated registration authority.


2) The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority. 3) The organization manages user identifiers by uniquely identifying the user as a contractor. Enhancement Supplemental Guidance: For the purposes of information sharing, contractors must be uniquely identified to indicate contractor affiliation. 4) The organization manages user identifiers by uniquely identifying each user's nationality. Enhancement Supplemental Guidance: For the purposes of information sharing, foreign nationals must be uniquely identified to indicate nationality. Country codes and guidance regarding their use are in FIPS 10-4. Control – Outside Scope – Procedural This is an organizational requirement concerning the organization managing user identification. Control Enhancements 1 through 4 – Outside Scope – Procedural These are organizational requirements concerning the organization managing user identification.

IA-5 Authenticator Management

LOW: IA-5 (1)(2)(3)(4) MODERATE: IA-5 (1)(2)(3)(4) HIGH: IA-5 (1)(2)(3)(4)

Control: The organization manages information system authenticators by: a. Defining initial authenticator content; b. Establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; c. Changing default authenticators upon information system installation; and d. Changing/refreshing authenticators periodically. Supplemental Guidance: Information system authenticators include, for example, tokens, PKI certificates, biometrics, passwords, and key cards. In compliance with all applicable laws, statutes, national policies and related E-authentication initiatives, authentication of public users accessing federal information systems (and associated authenticator management) may also be required to protect nonpublic or privacy-related information. Control Enhancements: 1) Information systems utilizing a logon ID and password for user identification and authentication enforce the following: a. Password complexity is not less than a case-sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g. emPagd2!).


b. At least four characters must be changed when a new password is created. c. Passwords are encrypted both for storage and for transmission. d. Enforces password minimum and maximum lifetime restrictions; and e. Prohibits password reuse for a specified number [Organization Defined] of generations. Enhancement Supplemental Guidance: Deployed/tactical systems with limited data input capabilities implement the password policy to the extent possible. 2) The organization ensures that passwords are protected commensurate with the classification or sensitivity of the information accessed. 3) The organization ensures that passwords are not embedded in access scripts or stored on function keys. 4) Information systems utilizing PKI-based authentication: a. Validate certificates by constructing a certification path to a trusted certificate authority; b. Establish user control of the corresponding private key; and c. Map the authenticated identity to the user account. 5) The organization employs automated tools to validate that the passwords are sufficiently strong to resist cracking and other types of attacks intended to discover a user's password. Enhancement Supplemental Guidance: The Information System Security Manager (ISSM), Information Assurance Manager (IAM) or Information System Security Officer (ISSO) may employ these tools under the auspices of the Authorizing Official. This type of testing can be accomplished in association with RA-5.

Control – Outside Scope – Procedural A portion of this requirement is concerned with the organization managing users' authenticators. However, the supplemental guidance does describe how the information system needs to support securing authentication. CLIP protects the password files using DAC permissions and SELinux policy; with a properly configured SELinux policy, the password files are protected from viewing and modification by unauthorized users. In addition, the password database is protected by the pam_unix module, which stores password hashes rather than plaintext passwords and uses MD5-based crypt hashes by default; where the platform supports them, SHA-256 or SHA-512 password hashes can be selected instead. PAM can also be configured to strengthen user authentication, for example by enforcing a minimum password strength and rules on the password's composition; this is handled by the pam_cracklib module. The pam_unix module can also place expiration dates on passwords and prevent a user from reusing a previous password. Control Enhancement 1 – Meets Requirement CLIP meets this requirement by using the standard Linux login facility. The /etc/login.defs file is configured by the CLIP Kickstart file to require passwords that are at least eight characters long. CLIP is also configured to enforce rules on the password's composition; this is configured by the Kickstart file during installation, which modifies /etc/pam.d/system-auth to help satisfy this requirement. The pam_unix module also places expiration dates on passwords and prevents a user from reusing a previous password. Control Enhancement 2 – Outside Scope – Procedural This is an organizational requirement concerning password protection. Control Enhancement 3 – Outside Scope – Procedural This is an organizational requirement concerning password protection. Control Enhancement 4 – Partially Meets Requirement – Configuration The PAM library used by CLIP can be configured to use PKI. Control Enhancement 5 – Partially Meets Requirement – Configuration PAM can be configured to increase password strength in ways such as enforcing minimum password strength and enforcing rules on the password's composition. This is handled by the pam_cracklib module.
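The IA-5(1) rules above and the pam_cracklib/pam_unix mechanisms the analysis cites, as an added example that is not CLIP's Kickstart file or its /etc/pam.d/system-auth: a Python checker that applies rules (a), (b) and (e) to a proposed password change, alongside the pam_cracklib/pam_unix option line that is assumed to express the same rules, plus an audit of constructed /etc/shadow lines that reports which accounts still carry MD5 ($1$) hashes and whether the maximum lifetime in field 5 meets an assumed 90-day limit. The PAM option mapping, the 90-day maximum, the five-generation history and the shadow lines are all assumptions made for the example.

```python
"""IA-5(1) password-policy checks and a /etc/shadow audit.

Added example, not part of the CLIP Kickstart or PAM configuration. The pam_cracklib
and pam_unix option mapping below is an assumed translation of the IA-5(1) rules into
RHEL 5 PAM settings; the shadow lines are constructed sample data.
"""
import hashlib
import os

# Assumed mapping of IA-5(1)(a),(b),(e) onto the password stack of /etc/pam.d/system-auth:
# the -1 credits each require one character of that class and minlen=8 gives rule (a),
# difok=4 gives rule (b), and remember=5 gives rule (e) five generations.
PAM_PASSWORD_STACK = (
    "password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 "
    "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=4",
    "password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok remember=5",
    "password    required      pam_deny.so",
)

MIN_LEN = 8          # IA-5(1)(a)
MIN_CHANGED = 4      # IA-5(1)(b)
GENERATIONS = 5      # IA-5(1)(e), organization-defined; 5 assumed here


def complexity_ok(pw):
    """IA-5(1)(a): at least 8 characters with an upper, a lower, a digit and a special."""
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def chars_changed(old, new):
    """IA-5(1)(b): characters of the new password not present anywhere in the old one
    (approximates pam_cracklib's position-independent difok count)."""
    return sum(1 for c in new if c not in old)


class PasswordHistory:
    """Salted PBKDF2 digests of previous passwords, newest first; stands in for the
    /etc/security/opasswd history that pam_unix remember=N consults."""

    def __init__(self):
        self._entries = []  # (salt, digest)

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

    def add(self, pw):
        salt = os.urandom(16)
        self._entries.insert(0, (salt, self._digest(pw, salt)))

    def reused(self, pw, generations=GENERATIONS):
        """IA-5(1)(e): True if pw equals one of the last `generations` passwords."""
        return any(self._digest(pw, salt) == d for salt, d in self._entries[:generations])


def evaluate_change(old_pw, new_pw, history, generations=GENERATIONS):
    """Return the IA-5(1) rule letters a proposed change violates; [] means accepted."""
    violations = []
    if not complexity_ok(new_pw):
        violations.append("a")
    if chars_changed(old_pw, new_pw) < MIN_CHANGED:
        violations.append("b")
    if history.reused(new_pw, generations):
        violations.append("e")
    return violations


# Constructed /etc/shadow lines (not from a real system). Field 2 is the hash and its
# $id$ prefix names the algorithm; field 5 is the maximum password age in days.
SHADOW_SAMPLE = """\
root:$1$Xy12abCD$RZ3h8b6qJ0kL2mN4oP6rS1:14320:1:90:7:::
alice:$6$Q9zR2wEp$pUq8tYv1xZc3bVn5mLk7jHg9fDs2aPo4iUy6tRe8wQz1:14320:1:90:7:::
carol:$5$abcd1234$eFgH5678iJkL9012mNoP:14320:0:99999:7:::
bob:*:14320:0:99999:7:::
svc:!!:14320:0:99999:7:::
"""
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512"}


def shadow_audit(text, max_days_limit=90):
    """Per account: hash algorithm ('no-password-login' for '*' or '!!' entries) and
    whether the maximum lifetime satisfies IA-5(1)(d) under the assumed day limit."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, hashed, max_days = fields[0], fields[1], fields[4]
        if hashed.startswith("$"):
            alg = HASH_IDS.get(hashed.split("$")[1], "unknown")
        else:
            alg = "no-password-login"
        lifetime_ok = alg == "no-password-login" or int(max_days) <= max_days_limit
        report[user] = {"alg": alg, "max_days_ok": lifetime_ok}
    return report
```

The checker treats rule (b) the way pam_cracklib's difok does: it counts characters of the new password that never occur in the old one, so "Winter2009$" after "Winter2008$" changes only one character and is rejected even though it passes the complexity rule. The shadow audit is the check a practitioner runs after the Kickstart has applied the policy: an account whose hash still starts with $1$ is MD5-crypt, and a field-5 value of 99999 means no maximum lifetime is being enforced for that account.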

IA-6 Authenticator Feedback

LOW: IA-6 MODERATE: IA-6 HIGH: IA-6

Control: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. Supplemental Guidance: The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. For example, displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information. Control Enhancements: None Control – Meets Requirement CLIP obscures feedback during authentication using the PAM subsystem.

IA-7 Cryptographic Module Authentication

LOW: IA-7 MODERATE: IA-7 HIGH: IA-7

Control: The information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Supplemental Guidance: None. Control Enhancements: None


Control – Partially Meets Requirement – Development The PAM authentication system supports the addition of authentication modules sufficient to meet this requirement, once the requirements have been determined.

2.1.2.8. Incident Response

IR-1 Incident Response Policy and Procedures

LOW: IR-1 (1) MODERATE: IR-1 (1) HIGH: IR-1 (1)

Control: The organization develops, disseminates, and periodically reviews/updates: A formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls. Supplemental Guidance: The incident response policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The incident response policy can be included as part of the general information security policy for the organization. Incident response procedures can be developed for the security program in general, and for a particular information system, when required. Control Enhancements: 1) The organization establishes a relationship with its Computer Network Defense (CND) Service Provider and identifies its incident response team to them. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

IR-2 Incident Response Training

LOW: IR-2 MODERATE: IR-2 (1) HIGH: IR-2(1)(2)

Control: The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency, at least annually]. Supplemental Guidance: None.


Control Enhancements: 1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations. 2) The organization employs automated mechanisms to provide a more thorough and realistic training environment. Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancements 1 and 2 – Outside Scope – Procedural These requirements are procedural in nature and are outside the scope of the base platform.

IR-3 Incident Response Testing and Exercises

LOW: Tailoring MODERATE: IR-3 HIGH: IR-3(1)(2)

Control: The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency, at least annually] using [Assignment: organization defined tests and/or exercises] to determine the incident response effectiveness and documents the results. Supplemental Guidance: None. Control Enhancements: 1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability. Enhancement Supplemental Guidance: Automated mechanisms can provide the ability to more thoroughly and effectively test or exercise the capability by providing more complete coverage of incident response issues, selecting more realistic test/exercise scenarios and environments, and more effectively stressing the response capability. 2) The organization ensures that its incident response capabilities are exercised at least semiannually. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 and 2 – Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform.


IR-4 Incident Handling

LOW: IR-4 MODERATE: IR-4(1) HIGH: IR-4(1)

Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. The organization incorporates the lessons learned from ongoing incident handling activities into the incident response procedures and implements the procedures accordingly. Control Enhancements: 1) The organization employs automated mechanisms to support the incident handling process. Enhanced Supplemental Guidance: Monitoring of online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents is one example of an automated mechanism. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

IR-5 Incident Monitoring

LOW: IR-5 MODERATE: IR-5(1) HIGH: IR-5(1)

Control: The organization tracks and documents information system security incidents on an ongoing basis. Supplemental Guidance: None. Control Enhancements: 1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. Enhanced Supplemental Guidance: Monitoring of online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents is one example of an automated mechanism. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.


IR-6 Reporting

LOW: IR-6 MODERATE: IR-6(1) HIGH: IR-6(1)

Control: The organization promptly reports incident information to appropriate authorities. Supplemental Guidance: The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. In addition to incident information, weaknesses and vulnerabilities in the information system are reported to appropriate organizational officials in a timely manner to prevent security incidents. Control Enhancements: 1) The organization employs automated mechanisms to assist in the reporting of security incidents. Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancement 1 – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform.

IR-7 Incident Response Assistance

LOW: IR-7 MODERATE: IR-7(1) HIGH: IR-7(1)

Control: The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability. Supplemental Guidance: Possible implementations of incident response support resources in an organization include a help desk or an assistance group and access to forensics services, when required. Control Enhancements: 1) The organization employs automated mechanisms to increase the availability of incident response-related information and support. Enhanced Supplemental Guidance: Automated mechanisms provide push and/or pull capability for providing assistance. For example, individuals might have a website they can go to that enables them to query the assistance capability. For example, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing their understanding of current response capabilities and support. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.


Control Enhancement 1 – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.9. Maintenance

MA-1 System Maintenance Policy and Procedures

LOW: MA-1 MODERATE: MA-1 HIGH: MA-1

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

Supplemental Guidance: The information system maintenance policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The information system maintenance policy can be included as part of the general information security policy for the organization. System maintenance procedures can be developed for the security program in general, and for a particular information system, when required. Control Enhancements: None. Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

MA-2 Controlled Maintenance

LOW: MA-2 MODERATE: MA-2(1) HIGH: MA-2(1)(2)

Control: a. The organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements. b. All maintenance activities to include routine, scheduled maintenance and repairs are controlled; whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.


c. Organizational officials approve the removal of the information system or information system components from the facility when repairs are necessary. d. If the information system or component of the system requires offsite repair, the organization removes all information from associated media using approved procedures. e. After maintenance is performed on the information system, the organization checks all potentially impacted security controls to verify that the controls are still functioning properly. Supplemental Guidance: None. Control Enhancements: 1) The organization maintains records for the information system that include: a. The date and time of maintenance; b. Name of the individual performing the maintenance; c. Name of escort, if necessary; d. A description of the maintenance performed; and e. A list of equipment removed or replaced (including identification numbers, if applicable). 2) The organization employs automated mechanisms to schedule and conduct maintenance as required, and to create an up-to-date, accurate, and available record of all maintenance actions both needed and completed. Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancements 1 and 2 – Outside Scope – Procedural These requirements are procedural in nature and are outside the scope of the base platform.

MA-3 Maintenance Tools

LOW: MA-3(2) MODERATE: MA-3(1)(2)(3)(4) HIGH: MA-3(1)(2)(3)(4)

Control: The organization approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis. Supplemental Guidance: The intent of this control is to address hardware and software brought into the information system specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control.


Control Enhancements: 1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications. Enhancement Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system. 2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system. 3) The organization checks all maintenance equipment with the capability of retaining information so that no organizational information is written on the equipment or the equipment is appropriately sanitized before release. In the event the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless an appropriate organization official explicitly authorizes an exception. Enhancement Supplemental Guidance: The National Security Agency provides a listing of approved media sanitization products at http://www.nsa.gov/ia/government/mdg.cfm. 4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only. Control – Outside Scope – Procedural This requirement is procedural in nature and is outside the scope of the base platform. Control Enhancements 1 through 3 – Outside Scope – Procedural These requirements are procedural in nature and are outside the scope of the base platform. Control Enhancement 4 – Partially Meets Requirement – Procedural The security policy on the system can limit the use of software maintenance tools to authorized users; protection of hardware maintenance tools is outside the scope of the base system.

MA-4 Remote Maintenance

LOW: MA-4(1)(2)(4) MODERATE: MA-4(1)(2)(5) HIGH: MA-4(1)(2)(3)(5)

Control:
a. The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.
b. The organization ensures that the use of remote maintenance and diagnostic tools is consistent with organizational policy and documented in the security plan for the information system.
c. The organization maintains records for all remote maintenance and diagnostic activities.
d. When remote maintenance is completed, the organization (or information system in certain cases) terminates all sessions and remote connections invoked in the performance of that activity.

Supplemental Guidance: Remote maintenance and diagnostic activities are conducted by individuals communicating through an external, non-organization-controlled network (e.g., the Internet). Related security controls: IA-2, MP-6. Other techniques and/or controls to consider for improving the security of remote maintenance include: (i) Encryption and decryption of communications; (ii) Strong identification and authentication techniques; and (iii) Remote disconnect verification.

Control Enhancements:
1) The organization audits all remote maintenance and diagnostic sessions and appropriate organizational personnel review the maintenance records of the remote sessions.
2) The organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.
3) The organization does not allow remote maintenance or diagnostic services to be performed by a provider that does not implement for its own information system, a level of security at least as high as that implemented on the system being serviced. Enhancement Supplemental Guidance: The organization should consider the following aspects depending upon the maintenance provider: (i) Removal and sanitization of the information system component prior to service. (ii) An inspection of the information system component should be accomplished prior to reconnecting the component to the information system to address vulnerabilities (e.g., malicious software, surreptitious implants, etc.).
4) If password based authentication is used to accomplish remote maintenance, the organization changes the passwords following each remote maintenance service.
5) When remote administration and maintenance of an information system is employed, the organization requires that the session is protected through the use of a strong authenticator tightly bound to the user (e.g., PKI where certificates are stored on a token protected by a password, passphrase or biometric); AND EITHER:
   a. Physically separate communications paths, OR
   b. Logically separated communications paths based upon EITHER
      1. NSA approved cryptographic mechanisms used to protect classified information from individuals who lack the necessary clearance; OR
      2. PAA/DAA approved cryptographic mechanisms (in consultation with the data steward) to separate compartments or provide "need-to-know" protection.
6) Maintenance personnel should notify the organization each time they plan to do remote maintenance (date/time). This notification should be with the appropriate system administrator and not be approved by someone without security system knowledge and control.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the operating system.

Control Enhancements 1-6 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the operating system.

MA-5 Maintenance Personnel

LOW: MA-5(1)(2)(3)(4) MODERATE: MA-5(1)(2)(3)(4) HIGH: MA-5(1)(2)(3)(4)

Control: The organization allows only authorized personnel to perform maintenance on the information system.

Supplemental Guidance: Maintenance personnel (whether performing maintenance locally or remotely) have appropriate access authorizations to the information system when maintenance activities allow access to organizational information or could result in a future compromise of confidentiality, integrity, or availability.

Control Enhancements:
1) The organization establishes and documents the processes for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel.
2) Procedures for the use of maintenance personnel that are uncleared, lower cleared, or non-US citizens shall be outlined in the approved system security plan and shall at a minimum address the following requirements:
   a. Escort: Maintenance personnel who do not have needed access authorizations, clearances or formal access approvals shall be escorted and supervised during the performance of maintenance activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations and are technically qualified.
   b. Prior Sanitization: Prior to maintenance by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile data storage components of the information system shall be completely sanitized and all nonvolatile data storage media shall be completely removed or physically disconnected and secured. In the event a system cannot be sanitized, the procedures contained in the approved system security plan shall be enforced.
   Enhancement Supplemental Guidance: The primary intent of this enhancement is to deny the uncleared or lower-cleared individual visual and electronic access to any classified or sensitive information contained on the system.
3) Personnel who perform maintenance on classified National Security Systems must be cleared to the highest level of information on the system to avoid imposition of the escort or prior sanitization requirements.
4) Personnel who perform maintenance on National Security Systems must be US citizens to avoid imposition of the escort or prior sanitization requirements.
5) Cleared foreign nationals may be utilized as maintenance personnel for those systems jointly owned and operated by the US and foreign allied governments, or those owned and operated by foreign allied governments. Approvals, consents, and detailed operational conditions must be fully documented within a Memorandum of Agreement.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-5 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

MA-6 Timely Maintenance

LOW: Tailoring MODERATE: MA-6(1) HIGH: MA-6(2)

Control: The organization obtains maintenance support and spare parts for [Assignment: organization defined list of key information system components] within [Assignment: organization-defined time period] of failure.

Supplemental Guidance: None.

Control Enhancements:
1) The organization ensures that key IT assets are identified, and that maintenance support for them, to include maintenance spares and spare parts, is available to respond within 24 hours of failure.
2) The organization ensures that key IT assets are identified, and that maintenance support for them, to include maintenance spares and spare parts, is available to respond 24 x 7 immediately upon failure.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.10. Media Protection

MP-1 Media Protection Policy and Procedures

LOW: MP-1 MODERATE: MP-1 HIGH: MP-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

Supplemental Guidance: The media protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The media protection policy can be included as part of the general information security policy for the organization. Media protection procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

MP-2 Media Access

LOW: MP-2 MODERATE: MP-2(1) HIGH: MP-2(1)

Control: The organization restricts access to information system media to authorized individuals. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access.

Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, and digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones). An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. The rigor with which this control is applied is commensurate with the Impact Level security categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls where the media resides provide adequate protection.

Control Enhancement:
1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. Enhancement Supplemental Guidance: This control enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media is stored (e.g., in individual offices).

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

MP-3 Media Labeling

LOW: MP-3(1) MODERATE: MP-3(1) HIGH: MP-3(1)

Control: The organization:
a. Affixes external labels to removable information system media and information system output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].
c. Organizations document in policy and procedures, the media requiring labeling and the specific measures taken to afford such protection.

Supplemental Guidance: None.

Control Enhancement:
1) The information system shall mark human readable output appropriately on each human readable page, screen or equivalent.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Partially Meets Requirement - Development
The CUPS printing system included in RHEL 5.3 can be configured to mark output. Output to the screen would be handled by the application developer.

MP-4 Media Storage

LOW: MP-4(1)(2) MODERATE: MP-4(1)(2) HIGH: MP-4(1)(2)

Control:
a. The organization physically controls and securely stores information system media within controlled areas.
b. Organizations document in policy and procedures, the media requiring physical protection and the specific measures taken to afford such protection.
c. The organization protects information system media identified by the organization until the media are destroyed or sanitized using approved equipment, techniques and procedures.

Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, and digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. This control applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones). Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring physical protection. The rigor with which this control is applied is commensurate with the Impact Level security categorization of the information contained on the media. For example, fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls to the facility where the media resides provide adequate protection. As part of a defense-in-depth protection strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. Impact Level security categorization guides the selection of appropriate candidates for secondary storage encryption. Related security controls: CP-9, RA-2.

Control Enhancements:
1) At the discretion of the information owner the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical protection measures. The strength of the cryptographic mechanism is commensurate with the classification and sensitivity of the information:
   a. The information system uses FIPS certified cryptography to encrypt sensitive or controlled unclassified data at rest.
   b. The information system uses FIPS certified cryptography to encrypt collateral classified (i.e., non-SAMI) data at rest.
   c. The information system uses NSA approved cryptography to encrypt Sensitive Compartmented Information (SCI) at rest.
   Enhancement Supplemental Guidance: The selection and strength of cryptographic mechanisms is based upon maintaining the confidentiality of the information (i.e., a lack of user clearance and/or need to know). Alternative physical protection measures include, for example, a Sensitive Compartmented Information Facility (SCIF).
2) The organization implements effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the operating system.

MP-5 Media Transport

LOW: MP-5(1) MODERATE: MP-5(1)(2) HIGH: MP-5(1)(2)(3)

Control: The organization protects and controls information system media during transport outside of controlled areas and restricts the activities associated with transport of such media to authorized personnel. Organizations document in policy and procedures, the media requiring protection during transport and the specific measures taken to protect such transported media.

Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, tapes, removable hard drives, flash/thumb drives, compact disks, and digital video disks) and non-digital media (e.g., paper, microfilm). A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. This control also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel exercise extreme caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. The rigor with which this control is applied is commensurate with the Impact Level security categorization of the information contained on the media. An organizational assessment of risk also guides the selection and use of appropriate storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

Control Enhancements:
1) The organization protects digital and non-digital media during transport outside of controlled areas using organization approved physical and technical security measures commensurate with the classification and sensitivity of the information residing on the media, and consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
2) The organization documents activities associated with the transport of information system media using [Assignment: organization defined system of records] in accordance with the organizational assessment of risk.
3) The organization employs an identified custodian at all times to transport information system media.
4) At the discretion of the information owner the organization employs cryptographic mechanisms commensurate with the classification and sensitivity of the information residing on the media. Enhancement Supplemental Guidance: Cryptographic mechanisms support the confidentiality and/or integrity security objectives. Cryptographic mechanisms prevent unauthorized disclosure of information during transport. Related control MP-4 (2).

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

MP-6 Media Sanitization and Disposal

LOW: MP-6(1)(3)(4) MODERATE: MP-6(1)(2)(3)(4) HIGH: MP-6(1)(2)(3)(4)

Control: The organization sanitizes information system media, both digital and non-digital, prior to disposal or release for reuse.

Supplemental Guidance: Sanitization is the process used to remove information from information system media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed. The National Security Agency also provides media sanitization guidance and maintains a listing of approved media destruction guidance at http://www.nsa.gov/ia/government/mdg.cfm.

Control Enhancements:
1) The organization tracks, documents, and verifies media sanitization and disposal actions.
2) The organization periodically tests sanitization equipment and procedures to verify correct performance.
3) The organization ensures that all information technology equipment and machine readable media are cleared and sanitized according to applicable standards before being released outside of organizational control. The strength and integrity of the clearing/sanitization mechanism is commensurate with the classification and sensitivity of the information:
   a) Information technology equipment and media containing controlled unclassified data are cleared and sanitized according to applicable organizational or national standards.
   b) Information technology equipment and media containing classified collateral data are cleared and sanitized according to organizational or national standards.
   c) Information technology equipment and media containing SCI data are cleared and sanitized according to NSA standards.
   d) In those instances where sanitization is not possible, the media needs to be destroyed.
4) The organization ensures that the disposal of all documents, machine readable media and information technology equipment containing organization information is according to applicable NSA standards.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.11. Physical and Environmental Protection

PE-1 Physical Access Authorizations

LOW: PE-1 MODERATE: PE-1 HIGH: PE-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. Formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

Supplemental Guidance: The physical and environmental protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The physical and environmental protection policy can be included as part of the general information security policy for the organization. Physical and environmental protection procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-2 Physical Access Authorizations

LOW: PE-2(1)(2) MODERATE: PE-2(1)(2) HIGH: PE-2(1)(2)

Control:
a. The organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials.
b. Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency, at least annually].

Supplemental Guidance: Appropriate authorization credentials include, for example, badges, identification cards, and smart cards. The organization promptly removes from the access list personnel no longer requiring access to the facility where the information system resides.

Control Enhancements:
1) The organization controls physical access to computing facilities that process controlled unclassified information. Enhancement Supplemental Guidance: Organizational position or role may be sufficient to dynamically establish authorized access.
2) The organization limits physical access to computing facilities that process classified information to authorized personnel with appropriate clearance and access authorizations.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-3 Access Control for Transmission Medium

LOW: PE-3(1) MODERATE: PE-3(1)(2) HIGH: PE-3(1)(2)

Control: The organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facility. The organization controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.

Supplemental Guidance: The organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems. The organization secures keys, combinations, and other access devices and inventories those devices regularly. The organization changes combinations and keys: (i) periodically; and (ii) when keys are lost, combinations are compromised, or individuals are transferred or terminated. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being appropriately controlled.

Control Enhancements:
1) The organization controls physical access to the information system independent of the physical access controls for the facility. Enhancement Supplemental Guidance: This control enhancement, in general, applies to server rooms, communications centers, or any other areas within a facility containing large concentrations of information system components or components with a higher impact level than that of the majority of the facility. The intent is to provide an additional layer of physical security for those areas where the organization may be more vulnerable due to the concentration of information system components or the impact level of the components. The control enhancement is not intended to apply to workstations or peripheral devices that are typically dispersed throughout the facility and used routinely by organizational personnel. Requirements for securing facilities containing systems which process Sensitive Compartmented Information (SCI) are contained in DCID 6/9. This directive will remain in effect and applicable until rescinded by an appropriate IC Directive. See also PS-3, which discusses security requirements for personnel access to SCI, which are contained in DCID 6/4.
2) The organization ensures that every physical access point to facilities housing workstations that process or display classified information is guarded or alarmed and monitored 24 X 7.
3) The organization employs lockable physical casings to protect internal components of the information system from unauthorized physical access.
4) The information system implements mechanisms that (1) allow detection of or (2) prevent physical tampering or alteration of hardware components within the system.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 through 3 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 4 – Partially Meets – Development
While RHEL 5.3 does not directly contain applications to determine if hardware has been tampered with, it does contain the necessary functionality to develop an application that can.
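As an added example of the kind of tamper-detection application the verdict above refers to (this is not Tresys or RHEL code): a baseline comparison of the PCI device inventory, one of the building blocks the base platform provides. It assumes the inventory is read from `lspci -n` style output and is written for a current Python 3; the two sample inventories are constructed, and a deployment would keep the baseline in a root-only file and run the check at boot or from cron.

```python
"""Hardware inventory baseline check.

Added example, not CLIP or RHEL code. It assumes the inventory comes
from `lspci -n` style lines ("00:1f.3 0c05: 8086:27da (rev 01)") and
runs on Python 3.7 or later; the two sample inventories below are
constructed for illustration.
"""
import re
import subprocess
import syslog
from typing import Dict, List, Tuple

# slot  class: vendor:device   (the "(rev NN)" suffix is ignored on purpose)
_LSPCI_LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+"
    r"(?P<cls>[0-9a-f]{4}):\s+(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})"
)

Inventory = Dict[str, Tuple[str, str, str]]

# Constructed sample: the baseline recorded at accreditation time.
SAMPLE_BASELINE = """\
00:00.0 0600: 8086:2770 (rev 02)
00:1d.0 0c03: 8086:27c8 (rev 01)
00:1f.3 0c05: 8086:27da (rev 01)
"""

# Constructed sample: a later scan. One device is gone (00:1f.3), one slot
# now holds a different part (00:1d.0) and a new device appeared (01:00.0).
SAMPLE_CURRENT = """\
00:00.0 0600: 8086:2770 (rev 02)
00:1d.0 0c03: 8086:27c9 (rev 01)
01:00.0 0200: 10ec:8168 (rev 03)
"""


def parse_inventory(text: str) -> Inventory:
    """Map each PCI slot to its (class, vendor, device) triple; skip junk lines."""
    devices: Inventory = {}
    for line in text.splitlines():
        m = _LSPCI_LINE.match(line.strip())
        if m:
            devices[m["slot"]] = (m["cls"], m["vendor"], m["device"])
    return devices


def capture_inventory() -> Inventory:
    """Read the live inventory from lspci (needs the pciutils package)."""
    out = subprocess.run(["lspci", "-n"], check=True,
                         capture_output=True, text=True).stdout
    return parse_inventory(out)


def compare(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Report slots that appeared, disappeared, or now hold a different part."""
    base_slots, cur_slots = set(baseline), set(current)
    return {
        "added": sorted(cur_slots - base_slots),
        "removed": sorted(base_slots - cur_slots),
        "changed": sorted(s for s in base_slots & cur_slots
                          if baseline[s] != current[s]),
    }


def tampered(report: Dict[str, List[str]]) -> bool:
    """True when any difference from the baseline was found."""
    return any(report.values())


def check_sample() -> Dict[str, List[str]]:
    """Run the comparison on the constructed samples."""
    return compare(parse_inventory(SAMPLE_BASELINE),
                   parse_inventory(SAMPLE_CURRENT))


def log_report(report: Dict[str, List[str]]) -> None:
    """Record the outcome in syslog, where the audit reviewer will see it."""
    if tampered(report):
        syslog.syslog(syslog.LOG_WARNING,
                      "hardware inventory differs from baseline: %r" % report)
    else:
        syslog.syslog(syslog.LOG_INFO, "hardware inventory matches baseline")


if __name__ == "__main__":
    log_report(check_sample())
```

Matching on vendor and device identifiers rather than revision strings keeps firmware updates from raising alarms while still catching a swapped or inserted card.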

PE-4 Access Control for Transmission Medium

LOW: Tailoring MODERATE: PE-4 HIGH: PE-4

Control: The organization controls physical access to information system distribution and transmission lines within organizational facilities.

Supplemental Guidance: Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-5 Access Control for Display Medium

LOW: PE-5 MODERATE: PE-5 HIGH: PE-5

Control: The organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-6 Monitoring Physical Access

LOW: PE-6 MODERATE: PE-6(1) HIGH: PE-6(1)(2)

Control: The organization monitors physical access to the information system to detect and respond to physical security incidents.

Supplemental Guidance: The organization reviews physical access logs periodically and investigates apparent security violations or suspicious physical access activities. Response to detected physical security incidents is part of the organization’s incident response capability.

Control Enhancements:
1) The organization monitors real time physical intrusion alarms and surveillance equipment.
2) The organization employs automated mechanisms to recognize potential intrusions and initiate appropriate response actions.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-7 Visitor Control

LOW: PE-7(1) MODERATE: PE-7(1) HIGH: PE-7(1)

Control: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible.

Supplemental Guidance: Government contractors and others with permanent authorization credentials are not considered visitors. Personal Identity Verification (PIV) credentials for federal employees and contractors conform to FIPS 201, and the issuing organizations for the PIV credentials are accredited in accordance with the provisions of NIST Special Publication 800-79.

Control Enhancements:
1) The organization escorts visitors and monitors visitor activity.
2) Two (2) forms of identification are required to gain access to the facility.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-8 Access Records

LOW: PE-8 MODERATE: PE-8 HIGH: PE-8(1)

Control: The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) that include:
a. Name and organization of the person visiting;
b. Signature of the visitor;
c. Form of identification;
d. Date of access;
e. Time of entry and departure;
f. Purpose of visit; and
g. Name and organization of person visited.
h. Designated officials within the organization review the visitor access records [Assignment: organization-defined frequency].

Supplemental Guidance: None.

Control Enhancements:
1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.
2) The organization maintains a record of all physical access to the area by authorized individuals.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-9 Power Equipment and Power Cabling

LOW: Tailoring MODERATE: PE-9 HIGH: PE-9(1)(2)

Control: The organization protects power equipment and power cabling for the information system from damage and destruction.

Supplemental Guidance: None.

Control Enhancements:
1) The organization employs redundant and parallel power cabling paths.
2) The organization employs automatic voltage control for key IT assets.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-10 Emergency Shutoff

LOW: Tailoring MODERATE: PE-10(1) HIGH: PE-10(1)

Control: The organization provides, for specific locations within a facility containing concentrations of information system resources, the capability of shutting off power to any information system component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment.

Supplemental Guidance: Facilities containing concentrations of information system resources may include, for example, data centers, server rooms, and mainframe rooms.

Control Enhancement:
1) The organization protects the emergency power-off capability from accidental or unauthorized activation.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-11 Emergency Power

LOW: Tailoring MODERATE: PE-11 HIGH: PE-11(1)

Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.

Supplemental Guidance: None.

Control Enhancements:
1) The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
2) The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-12 Emergency Lighting

LOW: PE-12 MODERATE: PE-12(1) HIGH: PE-12(1)

Control: The organization employs and maintains automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes.

Supplemental Guidance: None.

Control Enhancement:
1) The organization provides emergency lighting for all areas necessary to maintain IT-enabled mission or business essential functions.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-13 Fire Protection

LOW: PE-13(4) MODERATE: PE-13(1)(4) HIGH: PE-13(1)(2)(3)(4)

Control: The organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.

Supplemental Guidance: Fire suppression and detection devices/systems include, but are not limited to, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Control Enhancements:
1) The organization employs fire detection devices/systems that activate automatically and notify the organization and emergency responders in the event of a fire.
2) The organization employs fire suppression devices/systems that provide automatic notification of any activation to the organization and emergency responders.
3) The organization employs an automatic fire suppression capability in facilities that are not staffed on a continuous basis.
4) The organization ensures that computing facilities undergo a periodic fire marshal inspection, and promptly resolves identified deficiencies.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-4 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-14 Temperature and Humidity Controls

LOW: PE-14 MODERATE: PE-14(1) HIGH: PE-14(1)

Control: The organization regularly maintains, within acceptable levels, and monitors the temperature and humidity within the facility where the information system resides.

Supplemental Guidance: None.

Control Enhancement:
1) The organization installs automatic humidity and temperature controls in computing facilities to prevent potentially harmful fluctuations.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-15 Water Damage Protection

LOW: PE-15 MODERATE: PE-15 HIGH: PE-15(1)

Control: The organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

Supplemental Guidance: The information systems referred to are servers, not individual workstations or laptops.

Control Enhancement:
1) The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a significant water leak.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-16 Delivery and Removal

LOW: PE-16 MODERATE: PE-16 HIGH: PE-16

Control: The organization authorizes and controls information system-related items entering and exiting the facility and maintains appropriate records of those items.

Supplemental Guidance: The organization controls delivery areas and, if possible, isolates the areas from the information system and media libraries to avoid unauthorized physical access. Related control: MP-6.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-17 Alternate Work Site

LOW: Tailoring MODERATE: PE-17 HIGH: PE-17

Control: The organization employs appropriate management, operational, and technical information system security controls at alternate work sites.

Supplemental Guidance: The organization provides a means for employees to communicate with information system security staff in case of security problems.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-18 Location of Information System Components

LOW: Tailoring MODERATE: PE-18 HIGH: PE-18(1)

Control: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electrical interference, and electromagnetic radiation. Whenever possible, the organization also considers the location or site of the facility with regard to physical and environmental hazards.

Control Enhancement:
1) The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-19 Information Leakage

LOW: Tailoring MODERATE: PE-19 HIGH: PE-19

Control: The organization protects the information system from information leakage due to electromagnetic signal emanations.

Supplemental Guidance: The Impact Level security categorization (for confidentiality) of the information system and organizational security policy guide the application of safeguards and countermeasures employed to protect the information system against information leakage due to electromagnetic signal emanations.

Control Enhancement:
1) The organization ensures that components of the system, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures applicable to the sensitivity level of the data being transmitted.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PE-20 Physical Security

LOW: PE-20(1)(2)(3) MODERATE: PE-20(1)(2)(3) HIGH: PE-20(1)(2)(3)

Control: The organization ensures that information and equipment are deployed or stored in approved facilities or containers with documented accountability procedures.

Supplemental Guidance: None.

Control Enhancements:
1) The organization periodically tests the physical security of key computing facilities.
2) The organization implements procedures that ensure the proper handling and storage of information. Enhancement Supplemental Guidance: Measures can include scheduled and unscheduled security checks within the workplace or the implementation of a two-person rule within the computing facility.
3) The organization provides employees with periodic training in the operation of physical security controls.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-3 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PE-21 Environmental Control Training

LOW: Tailoring MODERATE: PE-21 HIGH: PE-21

Control: The organization provides employees with initial and periodic training in the operation of environmental controls.

Supplemental Guidance: Examples of environmental controls include, but are not limited to, fire suppression and detection devices/systems (sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors) and the temperature/humidity, HVAC, and power controls within the facility.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.12.

Planning

PL-1 Security Planning Policy and Procedures

LOW: PL-1 MODERATE: PL-1 HIGH: PL-1

Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

Supplemental Guidance: The security planning policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security planning policy addresses the overall policy requirements for confidentiality, integrity, and availability and can be included as part of the general information security policy for the organization. Security planning procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PL-2 System Security Plan

LOW: PL-2 MODERATE: PL-2(1)(2) HIGH: PL-2(1)(2)

Control: The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.

Supplemental Guidance: The security plan is aligned with the organization’s information system architecture and information security architecture.

Control Enhancements:
1) The organization develops a security requirements traceability matrix (SRTM) as part of the system security plan.
2) The organization develops and periodically reviews/updates a Security Concept of Operations (CONOPS). The CONOPS shall at a minimum include:
a. A description of the purpose of the system,
b. A description of the system architecture,
c. The system’s accreditation schedule,
d. The system’s Impact Levels and Security Objectives, and
e. A description of the factors that determine the system’s Impact Levels and Security Objectives.
3) The organization develops an information sharing plan or functional architecture that identifies and maintains the following:
a. All external interfaces, the information being exchanged, and the protection mechanisms associated with each interface;
b. User roles and access privileges assigned to each role;
c. Unique security requirements (e.g., encryption of key data elements at rest);
d. Categories of sensitive information processed or stored by the AIS application, and their specific protection needs (e.g., Privacy Act, HIPAA); and
e. Restoration priority of information or services.
Enhancement Supplemental Guidance: The Security CONOPS may be included in the System Security Plan. Related Controls: see CP-2.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PL-3 System Security Plan Update

LOW: PL-3 MODERATE: PL-3 HIGH: PL-3

Control: The organization reviews the security plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.

Supplemental Guidance: Significant changes are defined in advance by the organization and identified in the configuration management process.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PL-4 Rules of Behavior

LOW: PL-4 MODERATE: PL-4 HIGH: PL-4

Control: The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.

Supplemental Guidance: Electronic signatures are acceptable for use in acknowledging rules of behavior unless specifically prohibited by organizational policy.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PL-5 Privacy Impact Assessment

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.

Supplemental Guidance: OMB Memorandum 03-22 provides guidance for implementing the privacy provisions of the E-Government Act of 2002.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PL-6 Security Related Activity Planning

LOW: Tailoring MODERATE: PL-6 HIGH: PL-6

Control: The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

Supplemental Guidance: Routine security-related activities include, but are not limited to, security assessments, audits, system hardware and software maintenance, security certifications, and testing/exercises. Organizational advance planning and coordination includes both emergency and non-emergency (i.e., routine) situations.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.13.

Personnel Security

PS-1 Personnel Security Policy and Procedures

LOW: PS-1 MODERATE: PS-1 HIGH: PS-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

Supplemental Guidance: The personnel security policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The personnel security policy can be included as part of the general information security policy for the organization. Personnel security procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PS-2 Position Categorization

LOW: PS-2 MODERATE: PS-2 HIGH: PS-2

Control: The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. The organization reviews and revises position risk designations [Assignment: organization-defined frequency, or at least annually].

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PS-3 Personnel Screening

LOW: PS-3 MODERATE: PS-3(1) HIGH: PS-3(1)(2)

Control: The organization screens individuals requiring access to organizational information and information systems before authorizing access.

Supplemental Guidance: Screening is consistent with: (i) 5 CFR 731.106; (ii) Office of Personnel Management policy, regulations, and guidance; (iii) organizational policy, regulations, and guidance; (iv) FIPS 201; and (v) the criteria established for the risk designation of the assigned position.

Control Enhancements:
1) Every user who has access to a system processing National Security Information (NSI) must be cleared and indoctrinated for NSI.
2) Every user who has access to a system processing Sensitive Compartmented Information (SCI) must be cleared to the highest level (i.e., Top Secret) and formally indoctrinated for the SCI compartments processed by the system in accordance with DCID 6/4, Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information.
Enhancement Supplemental Guidance: DCID 6/4 is the policy of record until a replacement in the DNI/CIO DRAFTI 1000 series is published.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PS-4 Personnel Termination

LOW: PS-4 MODERATE: PS-4 HIGH: PS-4

Control: The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system-related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.

Supplemental Guidance: Information system-related property includes, for example, keys, badges, identification cards, and building passes. Timely execution of this control is particularly essential for employees or contractors terminated for cause.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PS-5 Personnel Transfer

LOW: PS-5 MODERATE: PS-5 HIGH: PS-5

Control: The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.

Supplemental Guidance: Appropriate actions that may be required include: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing old accounts and establishing new accounts; (iii) changing system access authorizations; and (iv) providing for access to official records created or controlled by the employee at the old work location and in the old accounts.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PS-6 Access Agreements

LOW: PS-6 MODERATE: PS-6(1)(2) HIGH: PS-6(1)(2)

Control: The organization completes appropriate signed access agreements for individuals requiring access to organizational information and information systems before authorizing access and reviews/updates the agreements [Assignment: organization-defined frequency, or at least annually].

Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, and conflict-of-interest agreements. Electronic signatures are acceptable for use in acknowledging access agreements unless specifically prohibited by organizational policy.

Control Enhancements:
1) The organization ensures that access to information with special protection measures (e.g., privacy or proprietary information) is granted only to individuals who:
a. Have a valid need-to-know that is demonstrated by assigned official government duties, and
b. Satisfy associated personnel security criteria (e.g., position sensitivity background screening requirements).
2) The organization ensures that access to classified information with special protection measures (e.g., collateral, SAP, and SCI) is granted only to individuals who:
a. Have a valid need-to-know that is demonstrated by assigned official government duties,
b. Satisfy associated personnel security criteria relevant to applicable regulations, policies, statutes, etc., and
c. Have read, understood, and signed a nondisclosure agreement.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

PS-7 Third-Party Personnel Security

LOW: PS-7 MODERATE: PS-7(1) HIGH: PS-7(1)

Control: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers and monitors provider compliance.

Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents.

Control Enhancement:
1) The organization explicitly defines government oversight and end-user roles and responsibilities relative to third-party provided services.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

PS-8 Personnel Sanctions

LOW: PS-8 MODERATE: PS-8 HIGH: PS-8

Control: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Supplemental Guidance: The sanctions process is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The sanctions process can be included as part of the general personnel policies and procedures for the organization.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.14.

Risk Assessment

RA-1 Risk Assessment Policy and Procedures

LOW: RA-1 MODERATE: RA-1 HIGH: RA-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

Supplemental Guidance: The risk assessment policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The risk assessment policy can be included as part of the general information security policy for the organization. Risk assessment procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

RA-2 Security Categorization

LOW: RA-2 MODERATE: RA-2 HIGH: RA-2

Control: The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within the organization review and approve the security categorizations.

Supplemental Guidance: The applicable instructions for security categorization of national security information and information systems are NSS Instruction 1260 (ODNI/CIO Draft) and NSS Instruction 1199 (ODNI/CIO Draft), when published. The organization conducts risk assessments and security categorizations as an organization-wide activity. The organization also considers potential impacts to other organizations, both locally and through interconnections, and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system; it re-assesses the risks and adjusts the controls accordingly. As part of a defense-in-depth protection strategy, the organization considers partitioning higher-impact information systems into separate physical domains (or environments) and restricting or prohibiting network access in accordance with an organizational assessment of risk. Related security controls: MP-4 and SC-7.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

RA-3 Risk Assessment

LOW: RA-3 MODERATE: RA-3 HIGH: RA-3

Control: The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency (including information and information systems managed/operated by external parties in accordance with all applicable laws, statutes, and national policies, standards, and guidance).

Supplemental Guidance: Risk assessments take into account vulnerabilities, threat sources, and security controls planned or in place to determine the resulting level of residual risk posed to organizational operations, organizational assets, or individuals based on the operation of the information system. The organization also considers potential impacts to other organizations, both locally and through interconnections, and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system; it re-assesses the risks and adjusts the controls accordingly. Risk assessments also take into account risk posed to organizational operations, organizational assets, or individuals from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities).

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

RA-4 Risk Assessment Update

LOW: RA-4 MODERATE: RA-4 HIGH: RA-4

Control: The organization updates the risk assessment [Assignment: organization-defined frequency, at least every 3 years] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system. The organization develops and documents specific criteria for what is considered significant change to the information system.

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope - Procedural

This requirement is procedural in nature and is outside the scope of the base platform.

RA-5 Vulnerability Scanning

LOW: RA-5 MODERATE: RA-5(1)(2)(3) HIGH: RA-5(1)(2)(3)(4)

Control: a. The organization scans for vulnerabilities in the information system [Assignment: organization-defined frequency, or no more than 45 days] or when significant new vulnerabilities potentially affecting the system are identified and reported. b. The information obtained from the vulnerability scanning process is shared with appropriate personnel throughout the organization to help eliminate similar vulnerabilities in other information systems.

Supplemental Guidance: Vulnerability scanning is conducted using appropriate scanning tools and techniques. The organization trains selected personnel in the use and maintenance of vulnerability scanning tools and techniques. Vulnerability scans are scheduled and/or random in accordance with organizational policy and assessment of risk. Vulnerability analysis for custom software and applications may require additional, more specialized approaches (e.g., vulnerability scanning tools for applications, source code reviews, and static analysis of source code). The organization gives preference to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities. Related control: IA-5.

Control Enhancements: 1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned. 2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency or at least every 45 days] or when significant new vulnerabilities are identified and reported. 3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of scan coverage, including vulnerabilities checked and information system components scanned. 4) The organization performs security testing to determine the level of difficulty in circumventing the security controls of the system, with the concurrence of the Risk Executive. Enhancement Supplemental Guidance: Testing methods include, but are not limited to, Penetration Testing, Malicious User Testing, and Independent Verification & Validation (IV&V). Testing should be done in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards. 5) The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis and then to perform penetration testing based on the vulnerability analysis to determine the exploitability of identified vulnerabilities. Enhancement Supplemental Guidance: A standard method for Penetration Testing consists of: pre-test analysis based on full knowledge of the target system, pre-test identification of potential vulnerabilities based on pre-test analysis, and testing designed to determine exploitability of identified vulnerabilities. Detailed Rules of Engagement should be agreed to by all parties before the commencement of any Penetration Testing scenario.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-5 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

2.1.2.15. System and Services Acquisition

SA-1 System and Services Acquisition Policy and Procedures

LOW: SA-1 MODERATE: SA-1 HIGH: SA-1

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

Supplemental Guidance: The system and services acquisition policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-2 Allocation of Resources

LOW: SA-2 MODERATE: SA-2 HIGH: SA-2

Control: The organization determines, documents, and allocates as part of its capital planning and investment control process, the resources required to adequately protect the information system. The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation.

Supplemental Guidance: None.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-3 Life Cycle Support

LOW: SA-3 MODERATE: SA-3 HIGH: SA-3

Control: The organization manages the information system using a system development life cycle methodology that includes information security considerations.

Supplemental Guidance: DNI/CIO (DRAFT) 1237 will provide guidance when published.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-4 Acquisitions

LOW: SA-4 MODERATE: SA-4(1) HIGH: SA-4(1)

Control: The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental Guidance: When security requirements are articulated by reference, the reference needs to be specific regarding which control is assigned. Solicitation Documents: The solicitation documents (e.g., Requests for Proposals) for information systems and services include, either explicitly or by reference, security requirements that describe: a. Required security capabilities (security needs and, as necessary, specific security controls and other specific Federal Information Security Management Act (FISMA) requirements); b. Required design and development processes; c. Required test and evaluation procedures; and d. Required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. The solicitation documents include requirements for appropriate information system documentation. The documentation addresses user and system administrator guidance and information regarding the implementation of the security controls in the information system. The level of detail required in the documentation is based on the security categorization and Impact Level determination for the information system. The information system required documentation includes security configuration settings and security implementation guidance. FISMA reporting instructions provide guidance on configuration requirements for federal information systems. Related to SA-5 and SA-12.

Control Enhancements: 1) The organization requires in solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components). 2) The organization limits the acquisition of all IA and IA-enabled GOTS IT products to those that have been evaluated by the NSA or in accordance with NSA-approved processes. 3) The organization limits the acquisition of all IA-enabled COTS IT products to products which have been evaluated or validated through one of the following sources: a) The International Common Criteria (CC) for Information Technology Evaluation Mutual Recognition Arrangement, b) The NIAP Evaluation and Validation Program, or c) The FIPS validation program. Enhancement Supplemental Guidance: Robustness requirements, the mission, and customer needs will together enable an experienced information systems security engineer to recommend a particular evaluated product or a specific EAL for a product to be submitted for evaluation. 4) The organization ensures that, at a minimum, LOW robustness COTS IA and IA-enabled IT products are used to protect publicly released information from malicious tampering or destruction and ensure its availability. 5) The organization ensures that, at a minimum, medium robustness COTS IA-enabled IT products are used to protect sensitive information when the information transits public networks or the information is accessible by individuals who are not authorized to access the information on the system. The medium robustness requirements for products are defined in the Protection Profile Consistency Guidance for Medium Robustness published under the IATF.

Enhancement Supplemental Guidance: The LOW robustness requirements for products are defined in the Protection Profile Consistency Guidance for LOW Robustness published under the IATF. 6) The organization ensures that only high robustness GOTS or COTS IA and IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported. High robustness products have been evaluated by NSA or in accordance with NSA-approved procedures. Enhancement Supplemental Guidance: COTS IA and IA-enabled IT products used for access control, data separation or privacy on sensitive systems already protected by approved medium robustness products, at a minimum, satisfy the requirements for LOW robustness. If these COTS IA and IA-enabled products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required. 7) The organization ensures that only high robustness GOTS or COTS IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported. High robustness products have been evaluated by NSA or in accordance with NSA-approved procedures. Enhancement Supplemental Guidance: COTS IA and IA-enabled IT products used for access control, data separation or privacy on classified systems already protected by approved high robustness products, at a minimum, satisfy the requirements for LOW robustness. If COTS IA and IA-enabled products are used to protect National Security Information by cryptographic means (e.g., encrypted tunneling to safeguard highly classified data), NSA-approved key management may be required. 8) The organization requires in solicitation documents that all system components are delivered in a secure, documented configuration, and that the secure configuration is the default for any software reinstalls or upgrades.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-8 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-5 Information System Documentation

LOW: SA-5 MODERATE: SA-5(1) HIGH: SA-5(1)(2)

Control: The organization obtains, protects as required, and makes available to authorized personnel, adequate documentation for the information system. The organization documents attempts to obtain such documentation and provides compensating security controls, if needed, when adequate information system documentation is either unavailable or non-existent (e.g., due to the age of the system or lack of support from the vendor/manufacturer).

Supplemental Guidance: None.

Control Enhancements: 1) The organization obtains, protects as required and makes available to authorized personnel user guidance that describes: a) Information on effectively using the system's security features, b) Methods for user interaction with the system, which enables the users to use the information system in a secure manner, c) User accessible security functions and effective use, and d) User's role in maintaining the security of the information. 2) The organization obtains, protects as required and makes available to authorized personnel administrator guidance that describes: a) Secure configuration, installation, and operation of the information system; and b) Effective use and maintenance of the system’s security features. 3) The organization obtains, protects as required and makes available to authorized personnel user guidance that describes system/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls. 4) The organization obtains, protects as required and makes available to authorized personnel system/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing. 5) The organization obtains, protects as required and makes available to authorized personnel system/manufacturer documentation that describes the high level design of the information system in terms of subsystems and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including interfaces among the subsystems). Supplemental Guidance: An information system is comprised of one or more subsystems. 6) The organization obtains, protects as required and makes available to authorized personnel system/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including interfaces among the modules). Supplemental Guidance: Each subsystem is comprised of one or more modules.

7) The organization obtains, protects as required and makes available to authorized personnel the source code for the information system to permit analysis and testing.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-7 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-6 Software Usage Restrictions

LOW: SA-6 MODERATE: SA-6 HIGH: SA-6(1)

Control: The organization complies with software usage restrictions.

Supplemental Guidance: Software and associated documentation are used in accordance with contract agreements and copyright laws. For software and associated documentation protected by quantity licenses, the organization employs tracking systems to control copying and distribution.

Control Enhancements: 1) The organization ensures that binary or machine executable code without accompanying source code from the public domain or from sources with limited or no warranty such as those commonly known as freeware or shareware are not used in the information system unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Enhancement Supplemental Guidance: Such products are assessed for information assurance impacts, and approved for use by the Authorizing Official. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government. 2) The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1 and 2 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the operating system.

SA-7 User Installed Software

LOW: SA-7 MODERATE: SA-7 HIGH: SA-7

Control: The organization enforces explicit rules governing the installation of software by users.

Control Enhancements: None.

Control – Partially Meets Requirement – Configuration
The SELinux policy can be configured to enforce rules for user installed software. For example, it can prevent non-administrative users from installing software.
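When SELinux is the enforcement point for SA-7, the evidence that the rule is actually being enforced is the audit trail: an attempt by a non-administrative domain to execute the package manager produces an AVC denial. The following script is an added example (not part of the CLIP project or this analysis) that parses Linux audit `type=AVC` records and reports package-manager executions attempted from domains other than the administrative one. The audit records are constructed for the example; the type names `user_t`, `staff_t`, `sysadm_t` and `rpm_exec_t` are standard reference-policy types, but the PIDs, inodes and timestamps are made up, and the choice of `sysadm_t` as the only permitted installer domain is an assumption about the site policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample audit records (not captured from any real system). The
# layout follows the Linux audit "type=AVC" record format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1237300000.101:201): avc:  denied  { execute } for  pid=2311 comm="bash" name="rpm" dev=dm-0 ino=40211 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1237300012.442:202): avc:  denied  { write } for  pid=2312 comm="cp" name="lib" dev=dm-0 ino=1311 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1237300040.007:203): avc:  granted  { execute } for  pid=2401 comm="bash" name="rpm" dev=dm-0 ino=40211 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1237300040.007:203): arch=c000003e syscall=59 success=yes exit=0
type=AVC msg=audit(1237300051.390:204): avc:  denied  { execute } for  pid=2450 comm="bash" name="yum" dev=dm-0 ino=40300 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\}(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="bash") or bare (pid=2311)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    decision: str
    perms: Tuple[str, ...]
    pid: int
    comm: str
    name: str
    source_type: str  # SELinux type of the acting process (from scontext)
    target_type: str  # SELinux type of the object (from tcontext)
    tclass: str


def _selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for non-AVC or malformed records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return AvcRecord(
            serial=int(m.group("serial")),
            decision=m.group("decision"),
            perms=tuple(m.group("perms").split()),
            pid=int(fields.get("pid", -1)),
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            source_type=_selinux_type(fields["scontext"]),
            target_type=_selinux_type(fields["tcontext"]),
            tclass=fields.get("tclass", ""),
        )
    except (KeyError, ValueError):
        return None


def unauthorized_install_attempts(
    log_text: str,
    installer_types: Tuple[str, ...] = ("rpm_exec_t",),  # assumed label of rpm/yum
    admin_domains: Tuple[str, ...] = ("sysadm_t",),      # assumed: only domain allowed to install
) -> List[AvcRecord]:
    """Return AVC records where a non-admin domain tried to execute the package manager."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (
            "execute" in rec.perms
            and rec.target_type in installer_types
            and rec.source_type not in admin_domains
        ):
            hits.append(rec)
    return hits


def summarize_by_domain(records: List[AvcRecord]) -> Dict[str, int]:
    """Count flagged attempts per source domain, for reporting."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.source_type] = counts.get(rec.source_type, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = unauthorized_install_attempts(SAMPLE_AUDIT_LOG)
    for rec in flagged:
        print(f"serial={rec.serial} pid={rec.pid} domain={rec.source_type} "
              f"{rec.decision} execute of {rec.name} ({rec.target_type})")
    print(summarize_by_domain(flagged))
```

A denied record confirms the policy blocked the attempt; a granted record from a non-administrative domain would indicate the policy is more permissive than the site rule requires and should be reviewed. Only `type=AVC` lines are parsed; the accompanying `type=SYSCALL` records are ignored here.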

SA-8 Security Engineering Principles

LOW: Tailoring MODERATE: SA-8 HIGH: SA-8

Control: The organization designs and implements the information system using security engineering principles.

Supplemental Guidance: Examples of engineering principles for information systems include, but are not limited to: layered protections, establish sound security policy and controls as the foundation for design, treat security as an integral part of the system development life-cycle, delineate physical and logical security boundaries, ensure developers are trained on how to develop secure software for systems, tailor security controls to meet organizational and operational needs, reduce risk to acceptable levels, thus enabling risk executives to make informed decisions. The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system.

Control Enhancements: None.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-9 External Information System Services

LOW: SA-9 MODERATE: SA-9 HIGH: SA-9(1)

Control: The organization: a. Requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and b. Monitors security control compliance.

Supplemental Guidance: An external information system service is a service that is implemented outside of the accreditation boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. Ultimately, the responsibility for adequately mitigating risks to the organization’s operations and assets, and to individuals, arising from the use of external information system services remains with the authorizing official. Authorizing officials must require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk to its operations and assets, or to individuals. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance.

Control Enhancement: 1) The organization ensures that the acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services are supported by a formal risk analysis and approved by the Chief Information Officer.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SA-10 Developer Configuration Management

LOW: Tailoring MODERATE: SA-10 HIGH: SA-10(1)

Control: The organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks past security flaws and their resolution, maintains details on current security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.

Supplemental Guidance: None.

Control Enhancement: 1) The organization ensures that information system developers provide an integrity check of the information software that allows the organization to verify the integrity of the software after delivery.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Partially Meets Requirement - Procedural
The integrity tool AIDE that comes with RHEL 5.3 supports this requirement. Organizational policy must enforce it.
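The mechanism AIDE provides for SA-10(1) is a cryptographic baseline of the delivered files that is checked again later. The script below is an added example (not AIDE, and not code from the CLIP project) that implements the same idea at its simplest: build a SHA-256 manifest of a delivered tree, store it as text, and verify the tree against it, classifying each file as modified, missing or added. The directory contents are constructed inside a temporary directory for the example; the file names are made up.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped: hashing through them would record the target's
    content under the link's name and hide a retargeted link.
    """
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so the text form is stable
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def manifest_to_text(manifest: Dict[str, str]) -> str:
    """Serialize as 'digest  path' lines (same shape sha256sum accepts)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def manifest_from_text(text: str) -> Dict[str, str]:
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def verify_manifest(root: Path, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree at root against a previously stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed delivery, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho delivered\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=secure\n")

        baseline_text = manifest_to_text(build_manifest(root))  # ship this out-of-band

        # Simulated post-delivery changes (constructed for the example)
        (root / "etc" / "app.conf").write_text("mode=debug\n")   # altered config
        (root / "bin" / "app").unlink()                           # removed binary
        (root / "bin" / "extra").write_bytes(b"\x7fELF...")       # unexpected file

        return verify_manifest(root, manifest_from_text(baseline_text))


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its delivery channel: if it travels with the software and is not signed or obtained separately, an attacker who can alter the files can alter the manifest too. AIDE addresses the same concern by keeping its database off the checked system or on read-only media, which is the organizational-policy part of this control.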

SA-11 Developer Security Testing

LOW: Tailoring MODERATE: SA-11(1)(2) HIGH: SA-11(1)(2)

Control: The organization requires that information system developers create a security test and evaluation plan, implement the plan, and document the results.

Supplemental Guidance: Developmental security test results are used to the greatest extent feasible after verification of the results and recognizing that these results are impacted whenever there have been security relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security certification and accreditation process for the delivered information system. Related security controls: CA-2 and CA-4.

Control Enhancements: 1) The organization requires that information system developers create a security test and evaluation plan and implement the plan under the witness of an IV&V agent. 2) The organization requires that supplemental testing be performed. 3) The organization requires the information system developers to perform a vulnerability analysis, to document the identified vulnerabilities, and explain why each identified vulnerability cannot be exploited in the intended environment.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-3 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

SA-12 Special Acquisitions - Supply Chain Risk and Defense in Breadth

LOW: Tailoring MODERATE: SA-12 HIGH: SA-12

Control: The organization develops, disseminates, and periodically reviews/updates: c. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and d. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

Supplemental Guidance: The system and services acquisition policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: 1) The organization uses anonymous contract and acquisition vehicles for information system components. Enhancement Supplemental Guidance: The organization can reduce the chance of targeted supply chain attacks during design, manufacture, or delivery by protecting the true identity of the ultimate customer through the use of anonymous contracting and acquisition vehicles. 2) The organization requires the upfront purchase of all anticipated system components. Enhancement Supplemental Guidance: Stockpiling avoids the need to use less trustworthy secondary or resale markets in future years. 3) The organization utilizes trusted cutouts for purchasing contract services, acquisitions, or logistical activities during the system’s lifecycle. Enhancement Supplemental Guidance: The organization can protect against an adversary targeting the manufacture or delivery of a product by encoding customer identity until the product arrives at the final stage of transport, at which point it can be handled by a trusted cutout. A “Trusted Cutout” is an individual or organization which can securely support logistical or acquisition activities without revealing the originator as the USG. 4) The organization conducts a due diligence review prior to entering into contractual agreements with companies that anticipate providing IT hardware, software and firmware services to the USG. Enhancement Supplemental Guidance: The Federal Government has the authority to require that an offeror’s hardware and software products meet certain standards, including the use of appropriate security processes in the development and manufacture of the products, and it has the authority to reject products when companies offer nonconforming products. In acquiring information technology, agencies should identify their requirements pursuant to applicable laws, policies, regulations, statutes and guidelines.

5) The organization uses trusted shipping and warehousing for all system components and/or completed systems. Enhancement Supplemental Guidance: This CE is designed to reduce the opportunities for subversive activities or interception during transit. Organizations can consider the use of a geographically aware beacon to detect shipment diversions or delays. Related to PE-16.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-5 – Outside Scope - Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

2.1.2.16. System and Communications Protection

SC-1 System and Communications Protection Policy and Procedures

LOW: SC-1 MODERATE: SC-1(1) HIGH: SC-1(1)

Control: The organization develops, disseminates, and periodically reviews/updates: a. A formal, documented, system and communications protection policy that addresses purpose, scope, roles, compliance; and b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

Supplemental Guidance: The system and communications protection policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancement: 1) The communications links connecting the components of the systems, associated data communications, and networks shall be protected in accordance with national policies and procedures applicable to the sensitivity level of the data being transmitted.

Control – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope - Procedural
This requirement is procedural in nature and is outside the scope of the base platform.


SC-2 Application Partitioning

LOW: SC-2 MODERATE: SC-2 HIGH: SC-2

Control: The information system separates user functionality (including user interface services) from information system management functionality.

Supplemental Guidance: Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

Control Enhancements: None.

Control – Meets Requirement
User functionality and system management functionality are separated by the CLIP SELinux policy into separate domains. Users can only function within the domains based on the permissions granted by the policy.

SC-3 Security Function Isolation

LOW: SC-3 MODERATE: SC-3 HIGH: SC-3

Control: The information system isolates security functions from non-security functions.

Supplemental Guidance: The information system isolates security functions from non-security functions by means of partitions, domains, etc., including control of access to and integrity of, the hardware, software, and firmware that perform those security functions.

Control Enhancements: 1) The information system employs underlying hardware separation mechanisms to facilitate security function isolation. 2) The information system isolates critical security functions (i.e., functions enforcing access and information flow control) from both non-security functions and from other security functions. 3) The information system minimizes the number of non-security functions included within the isolation boundary containing security functions. 4) The information system security functions are implemented as largely independent modules that avoid unnecessary interactions between modules. 5) The information system security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Control – Meets Requirement

Tresys Technology

137

Certifiable Linux Integration Platform (CLIP) The SELinux policy used on RHEL 5.3 CLIP separates all critical security functions and security functions into their own domains. Control Enhancement 1 – Does Not Meet Requirement RHEL 5.3 CLIP does not employ hardware separation of security functions. Control Enhancement 2-4 – Meets Requirement The SELinux policy used on RHEL 5.3 CLIP separates all critical security functions, and security functions into their own domains. Control Enhancement 5 – Meets Requirement The Linux operating system segregates user space and kernel space applications and controls user access to kernel space through tightly controlled interfaces.

SC-4 Information Remnants

LOW: Tailoring MODERATE: SC-4 HIGH: SC-4

Control: The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental Guidance: Control of information system remanence, sometimes referred to as object reuse or data remanence, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.

Control Enhancements: None.

Control – Meets Requirement The Linux kernel clears memory when it is allocated to a new process. It also clears newly allocated storage before a file can access it (e.g., when a newly allocated file is read).

SC-5 Denial of Service Protection

LOW: SC-5 (1)(2) MODERATE: SC-5 (1)(2) HIGH: SC-5 (1)(2)(3)

Control: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Information systems that are publicly accessible can be protected by employing increased capacity and bandwidth combined with service redundancy.

Control Enhancements:
1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
3) The information system fails securely. Enhancement Supplemental Guidance: Fail secure is defined as information system mechanisms to ensure that in the event of the operational failure of a controlled interface, no information external to the interconnected information system shall enter the information system. An “operational failure” may be related to the failure of any process, service, or mechanism (hardware or software). A “failure” of any kind in a Controlled Interface cannot lead to, or cause information external to the CI to enter the CI, nor can a “failure” permit unauthorized information release.

Control – Partially Meets Requirement - Development The Linux kernel since version 2.2 has contained a traffic shaping component, tc, which can be used to control traffic into and out of the device. RHEL 5.3 CLIP also uses TCP SYN cookies, which guard against SYN flood attacks. Other TCP settings are available to assist in preventing DoS attacks, such as tcp_max_syn_backlog, tcp_synack_retries, and tcp_abort_on_overflow. Organizational policy determines how these must be applied to meet this requirement.

Control Enhancement 1 – Partially Meets Requirement - Development The Linux kernel since version 2.2 has contained a traffic shaping component, tc, which can be used to control traffic into and out of the device. Such a component could be used to control the amount of data a user is able to send to the system, reducing the effectiveness of a DoS attack. SELinux booleans can be used to disable access once such an attack is detected, to prevent further access to the network.

Control Enhancement 2 – Partially Meets Requirement - Development The Linux kernel since version 2.2 has contained a traffic shaping component, tc, which can be used to control traffic into and out of the device. RHEL 5.3 CLIP also uses TCP SYN cookies, which guard against SYN flood attacks. Other TCP settings are available to assist in preventing DoS attacks, such as tcp_max_syn_backlog, tcp_synack_retries, and tcp_abort_on_overflow.

Control Enhancement 3 – Partially Meets Requirement - Development The SELinux policy can be configured using booleans that can be toggled to prevent access if a predetermined subsystem fails. The Linux firewall can be configured to deny traffic from hosts if bursts of heavy traffic exceed thresholds. The developer could also install an IDS application to detect attacks.
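The TCP settings named above are kernel sysctl parameters under net.ipv4. The following added example, written for this discussion rather than taken from CLIP's own configuration, defines a baseline for them (the values are constructed for illustration; organizational policy decides the real numbers) and audits a saved `sysctl -a` or /etc/sysctl.conf snapshot against it, reporting drift.

```shell
#!/bin/sh
# Added example: audit the SC-5 TCP hardening sysctls against a baseline.
# Baseline values below are constructed for illustration; an organization's
# policy (not this script) decides the real numbers.

# Prints the baseline as "key value" lines. Keys are the sysctl names that
# correspond to the settings discussed in SC-5.
clip_dos_baseline() {
    cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_synack_retries 3
net.ipv4.tcp_abort_on_overflow 0
EOF
}

# Prints the baseline in /etc/sysctl.conf syntax ("key = value"), i.e. the
# lines to add to sysctl.conf and then load with `sysctl -p`.
sysctl_conf_fragment() {
    clip_dos_baseline | awk '{ print $1 " = " $2 }'
}

# audit_sysctl_snapshot FILE
# FILE holds "key = value" lines as written by `sysctl -a > FILE` or as found in
# /etc/sysctl.conf (comments and blank lines are ignored).  Prints one line per
# baseline key that is missing or has a different value, and returns the number
# of such findings, so 0 means the snapshot matches the baseline.
audit_sysctl_snapshot() {
    clip_dos_baseline | awk -v snap="$1" '
        BEGIN {
            bad = 0
            # Load the snapshot into live[key] = value, trimming whitespace.
            while ((getline line < snap) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                i = index(line, "=")
                if (i == 0) continue
                k = substr(line, 1, i - 1); v = substr(line, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                live[k] = v
            }
            close(snap)
        }
        {
            # Each input line is one baseline entry: $1 = key, $2 = expected value.
            if (!($1 in live)) {
                printf "MISSING %s (expected %s)\n", $1, $2; bad++
            } else if (live[$1] != $2) {
                printf "DEVIATION %s = %s (expected %s)\n", $1, live[$1], $2; bad++
            }
        }
        END { exit bad }
    '
}

# Demonstration on a constructed snapshot (not a real host): SYN cookies off
# and tcp_abort_on_overflow absent, so two findings are expected.
demo_snapshot=$(mktemp)
printf '# constructed sysctl snapshot\nnet.ipv4.tcp_syncookies = 0\nnet.ipv4.tcp_max_syn_backlog = 2048\nnet.ipv4.tcp_synack_retries = 3\n' > "$demo_snapshot"
audit_sysctl_snapshot "$demo_snapshot" || echo "findings: $?"
rm -f "$demo_snapshot"
```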

SC-6 Resource Priority

LOW: Tailoring MODERATE: SC-6 HIGH: SC-6

Control: The information system limits the use of resources by priority.

Supplemental Guidance: Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process.

Control Enhancements: None

Control – Meets Requirement The scheduler included in RHEL 5.3 CLIP prioritizes processes on the system, allowing higher priority processes greater access to resources than those of lesser priority.

SC-7 Boundary Protection

LOW: SC-7(1)(2)(3)(4)(5)(7) MODERATE: SC-7(1)(2)(3)(4)(5)(7)(8)(9) HIGH: SC-7(1)(2)(3)(4)(5)(6)(7)(8)(9)

Control:
a. The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
b. Connections to external networks or information systems occur through managed interfaces consisting of appropriate boundary protection devices arranged in an effective architecture.

Supplemental Guidance: Boundary protection devices can consist of proxies, gateways, routers, firewalls, guards, and encrypted tunnels. An effective approach for accomplishing this from an architectural standpoint is by using routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone (DMZ). As part of a defense-in-depth protection strategy, the organization considers partitioning higher-impact information systems into separate physical domains (or environments) and applying the concepts of managed interfaces described above to restrict or prohibit network access in accordance with an organizational assessment of risk. Risk and security categorization guides the selection of appropriate candidates for domain partitioning. The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. Related security controls: MP-4, RA-2, and CA-3.

Control Enhancements:
1) The organization physically allocates publicly accessible information system components to separate sub-networks with separate, physical network interfaces. Enhancement Supplemental Guidance: Publicly accessible information system components include, for example, public web servers.
2) The organization prevents public access into the organization’s internal networks except as appropriately mediated.
3) The organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic.
4) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
5) The information system denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
6) The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
7) The organization ensures that unclassified NSS information systems do not directly connect to the Internet. Enhancement Supplemental Guidance: The phrase “not directly connect to the Internet” means that an information system of an organization cannot connect to the Internet without the use of some boundary protection device (e.g., firewall) that mediates the communication between the information system and the Internet.
8) The organization ensures that classified NSS information systems do not directly connect to or allow any Internet access. Enhancement Supplemental Guidance: The phrase “not directly connect to or allow any Internet access” means that an information system of an organization cannot connect to the Internet without the use of some boundary protection device that mediates the communication between the information system and the Internet. In addition, that boundary device, typically a controlled interface/cross-domain system, would provide information flow enforcement from the information system to the Internet consistent with the direction of AC-4.
9) All incoming communications are checked to ensure they have an authorized user, and as applicable, authorized addresses as a destination.

Control – Partially Meets Requirement – Configuration iptables can be configured with a default setting of deny for network connections and to control access to the system. IPSec can be used to enforce that all communication outside of the system is encrypted. In addition, RHEL 5.3 CLIP supports labeled networking; this allows the system to control network access to the system by only allowing connections that have been explicitly defined in the SELinux policy. Information flowing within the system can be controlled with SELinux policy.

Control Enhancements 1-4 – Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 5 – Meets Requirement The iptables configuration, with the CLIP SELinux policy enforcing the labeling, meets this requirement.

Control Enhancements 6-8 – Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 9 – Meets Requirement The default CLIP install only includes ssh, which is configured to meet this requirement. SELinux enforces labeled network decisions. Furthermore, the default iptables rules are configured to deny connections by default except for explicitly listed addresses.
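The deny-by-default iptables posture described above (and the threshold-based dropping noted under SC-5 enhancement 3) can be expressed as an iptables-restore ruleset. The following added example, not CLIP's shipped rules, generates one from an administrator-supplied list of permitted source addresses; the addresses, the SSH-only allowlist and the rate limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate a deny-by-default iptables-restore ruleset in the
# spirit of SC-7 enhancements 5 and 9.  The admin source addresses passed in,
# and the SSH rate limit, are assumptions for this example, not CLIP's shipped
# rules.  IPv4 only.

# valid_ipv4_cidr ADDR
# Returns 0 for a.b.c.d or a.b.c.d/n (octets 0-255, prefix 0-32), else 1.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32)) exit 1
            exit 0
        }'
}

# gen_clip_input_rules SRC [SRC ...]
# Writes an iptables-restore ruleset to stdout: INPUT and FORWARD default to
# DROP, loopback and established traffic are accepted, and new SSH (tcp/22)
# connections are accepted only from the listed sources, rate-limited per rule
# so that a burst from an allowed network cannot exhaust the sshd backlog.
# Everything else is logged (rate-limited) and falls to the DROP policy.
# Emits nothing and returns 1 if no source is given or any source is malformed.
gen_clip_input_rules() {
    [ $# -gt 0 ] || { echo "gen_clip_input_rules: at least one source required" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "gen_clip_input_rules: malformed source: $src" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    for src in "$@"; do
        printf -- '-A INPUT -p tcp -s %s --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT\n' "$src"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "CLIP-INPUT-DROP: "
COMMIT
EOF
}

# Load on a host (as root) with: gen_clip_input_rules 10.0.0.0/24 | iptables-restore
# Demonstration output for two constructed admin sources:
gen_clip_input_rules 10.0.0.5 192.168.10.0/24
```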

SC-8 Transmission Integrity

LOW: SC-8 MODERATE: SC-8(2) HIGH: SC-8(1)(2)

Control: The information system protects the integrity of transmitted information.

Supplemental Guidance: If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.

Control Enhancements:
1) The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. Enhancement Supplemental Guidance: Alternative physical protection measures include, for example, protected distribution systems.
2) Information systems transmitting classified information will use NSA approved Type 1 encryption mechanisms commensurate for the classification and sensitivity of the information. Related AC-17, SC-9 and SC-13.

Control – Partially Meets Requirement – Configuration The Linux kernel supports TCP, which performs an integrity check on all packets. CLIP for RHEL 5.3 also supports integrity checking through the use of TLS via the NSS libraries. Additionally, the kernel has included support for IPSec since version 2.6.

Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 – Partially Meets Requirement – Configuration The Linux kernel supports TCP, which performs an integrity check on all packets. RHEL 5.3 CLIP also supports integrity checking through the use of TLS via the NSS libraries. Additionally, the kernel has included support for IPSec since version 2.6. These mechanisms support NSA approved Type 1 encryption mechanisms, but are not enabled by default.

SC-9 Transmission Confidentiality

LOW: SC-9(1)(2) MODERATE: SC-9(1)(2)(3)(4)(5) HIGH: SC-9(1)(2)(3)(4)(5)

Control: The information system protects the confidentiality of transmitted information.

Supplemental Guidance: If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality. When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. Related security control: AC-17.

Control Enhancements:
1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. Enhancement Supplemental Guidance: Alternative physical protection measures include, for example, protected distribution systems.
2) The information system uses FIPS-validated cryptography to encrypt controlled unclassified data to prevent unauthorized disclosure of information during transmission. Enhancement Supplemental Guidance: This control is typically applied where the communications infrastructure falls outside of organizational control.
3) The information system uses NSA approved cryptography to separately encrypt classified data transmitted through a network that is accredited to a lower level than the data being transmitted.
4) The information system uses, at a minimum, FIPS-validated cryptography to encrypt information in transit through a network at the same classification level that must be separated for need to know or formal access reasons.
5) Information systems transmitting classified information will use NSA-approved Type-1 encryption mechanisms commensurate for the classification and sensitivity of the information. Related AC-17, SC-9 and SC-13.

Control – Partially Meets Requirement - Configuration CLIP for RHEL 5.3 can be configured to use IPSec, which can be configured to encrypt all data sent between two hosts.

Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 – Meets Requirement CLIP for RHEL 5.3 includes the NSS and SSL libraries, which are FIPS 140-2 validated.

Control Enhancement 3 – Partially Meets Requirement - Configuration CLIP for RHEL 5.3 can be configured to use NSA approved cryptography.

Control Enhancement 4 - Meets Requirement CLIP for RHEL 5.3 includes the NSS library, which is FIPS 140-2 validated.

Control Enhancement 5 – Partially Meets Requirement - Configuration CLIP for RHEL 5.3 can be configured to use NSA approved cryptography.

SC-10 Network Disconnect

LOW: SC-10 MODERATE: SC-10 HIGH: SC-10

Control: The information system terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance: The organization applies this control within the context of risk management that considers specific mission or operational requirements. Sessions internal to an information system and not initiated externally (i.e., by an external user or external process) can remain active if necessary for the functional capability of the information system.

Control Enhancements: None

Control – Partially Meets Requirement - Development On Linux systems, a session timeout variable can be set as part of the shell given to the user and will time out the session after the given period of inactivity. However, the existing shell will not terminate a session if a user is “inside” a program.

SC-11 Trusted Path

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

Supplemental Guidance: A trusted path is employed for high-confidence connections between the security functions of the information system and the user (e.g., for login).

Control Enhancements: None.

Control – Partially Meets Requirement – Development The Linux kernel has rudimentary support for a Trusted Path mechanism, but kernel development is required to implement the capability to a level that would satisfy the requirement.

SC-12 Cryptographic Key Establishment and Management

LOW: Tailoring MODERATE: SC-12(1)(2)(3) HIGH: SC-12(1)(2)(3)

Control: When cryptography is required and employed within the information system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures.

Supplemental Guidance: This control only applies when cryptography is required and employed within the information system.

Control Enhancements:
1) The organization implements effective cryptographic key management in support of encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.
2) Symmetric Keys are produced, controlled and distributed using NIST-approved key management technology and processes. Enhancement Supplemental Guidance: Asymmetric Keys are produced, controlled, and distributed using approved PKI Class 3 certificates or prepositioned keying material.
3) Symmetric Keys are produced, controlled and distributed using NSA-approved key management technology and processes. Enhancement Supplemental Guidance: Asymmetric Keys are produced, controlled and distributed using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.
4) Symmetric and asymmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes.

Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform. The OS can be configured to provide support for cryptographic keys, including the use of a TPM.

Control Enhancements 1-4 – Outside Scope - Procedural These requirements are procedural in nature and are outside the scope of the base platform.

SC-13 Use of Cryptography

LOW: SC-13 MODERATE: SC-13 HIGH: SC-13

Control: For information requiring cryptographic protection, the information system implements cryptographic mechanisms that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Supplemental Guidance: This control only applies when the system is processing, storing or transmitting information requiring cryptographic protection.

Control Enhancements: None

Control – Meets Requirement CLIP for RHEL 5.3 includes FIPS 140-2 certified NSS libraries to provide cryptographic protection.

SC-14 Public Access Protections

LOW: SC-14 MODERATE: SC-14 HIGH: SC-14

Control: The information system protects the integrity and availability of publicly available information and applications.

Supplemental Guidance: None.

Control Enhancements: None

Control – Meets Requirement The CLIP SELinux policy and the aide integrity checker achieve this requirement for the applications and information present on the base platform. Note that applications written to use CLIP as a base platform, or information added in new locations that will be publicly available, will require the developer to ensure that SELinux policy and aide are configured properly to meet this requirement.

SC-15 Collaborative Computing

LOW: SC-15(1)(2)(3) MODERATE: SC-15(1)(2)(3) HIGH: SC-15(1)(2)(3)

Control: The information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.

Supplemental Guidance: Collaborative computing mechanisms include, for example, video and audio conferencing capabilities. Explicit indication of use includes, for example, signals to local users when cameras and/or microphones are activated.

Control Enhancements:
1) The information system provides physical disconnect of camera and microphone in a manner that supports ease of use.
2) The information system or supporting environment blocks both inbound and outbound traffic between instant messaging (IM) clients that are independently configured by end users and public service providers. Enhancement Supplemental Guidance: This does not include IM services that are configured by an organization IS application or enclave to perform an authorized and official function.
3) The organization ensures that information systems in secure work areas have cameras and microphone capabilities disabled or removed.

Control – Meets Requirement The CLIP SELinux policy allows the system to achieve this requirement. Note that applications written to use CLIP as a base platform need to address this requirement during development.

Control Enhancement 1 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 – Partially Meets Requirement – Configuration RHEL 5.3 CLIP can be configured to use iptables rules that prevent inbound or outbound traffic between instant messaging applications. A properly configured SELinux policy will prevent any application from running unless explicitly allowed.

Control Enhancement 3 – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

SC-16 Transmission of Security Parameters

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The information system reliably associates security parameters with information exchanged between information systems.

Supplemental Guidance: Security parameters include, for example, security labels and markings. Security parameters may be explicitly or implicitly associated with the information contained within the information system.

Control Enhancements:
1) The information system validates the integrity of all information exchanged between systems (including labels).
2) The information system data transfer integrity mechanism (i.e., digital signatures, hash) should only allow transfer once the integrity of the data has been verified and should react appropriately (i.e., block, quarantine, send alert to administrator, etc.) when it encounters data not explicitly allowed by the approved transfer policy. Enhancement Supplemental Guidance: Examples of transfers that should not be allowed include, but are not limited to: sending a valid message without a digital signature or hash when one is required, sending a message with an invalid digital signature or hash, etc.

Control - Meets Requirement SELinux assigns implicit labels to network traffic by default in RHEL 5.3.

Control Enhancement 1 – Partially Meets Requirement – Configuration Labeled networking has been developed on multiple fronts for RHEL 5.3. The first method is to label IPSec security associations. This makes it possible for multiple encrypted single level tunnels to be created on the fly. The second method is to add traditional CIPSO labels for transferring security contexts, which has the advantage of being compatible with legacy systems. Finally, a system can use implicit labels using the SELinux infrastructure built into RHEL 5.3.

Control Enhancement 2 – Partially Meets Requirement – Development The implementation of IPSec provided in RHEL 5.3 provides integrity for data in transit; a program would have to be developed to send alerts to system administrators to fulfill this requirement.

SC-17 Public Key Infrastructure Certificates

LOW: Tailoring MODERATE: SC-17 HIGH: SC-17

Control: The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.

Supplemental Guidance: For user certificates, each agency either establishes an agency certification authority cross certified with the Federal Bridge Certification Authority at medium assurance or higher or uses certificates from an approved, shared service provider, as required by OMB Memorandum 05-24.

Control Enhancements: None

Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

SC-18 Mobile Code

LOW: SC-18 MODERATE: SC-18 HIGH: SC-18

Control: The organization:
a. Establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of mobile code within the information system.

Supplemental Guidance: Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the information system.

Control Enhancements:
1) The organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets the following requirements:
a. Emerging mobile code technologies that have not undergone a risk assessment and been assigned to a Risk Category by the CIO are not used.
b. Category 1 mobile code is signed with a code signing certificate; use of unsigned Category 1 mobile code is prohibited; use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host) is prohibited.
c. Category 2 mobile code which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, network connections to other than the originating host) may be used.
d. Category 2 mobile code that does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., SIPRNet, SSL connection, S/MIME, code is signed with an approved code signing certificate).
e. Category 3 mobile code may be used.
f. All workstation and host software are configured, to the extent possible, to prevent the download and execution of mobile code that is prohibited.
g. The automatic execution of all mobile code in email is prohibited; email software is configured to prompt the user prior to executing mobile code in attachments.
2) The information system implements a mobile code detection and inspection mechanism to identify all data containing mobile code and reacts appropriately (e.g., block, quarantine, send alert to administrator, etc.) when it encounters mobile code not explicitly allowed by the policy. Enhancement Supplemental Guidance: Examples of disallowed transfers include: sending malicious code encoded in various formats (UUENCODE, Unicode, etc.), sending a compressed file containing malicious code, sending an uncompressed file containing malicious code.

Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform; however, SELinux can be used to prevent mobile code from executing unless allowed by the policy.

Control Enhancement 1 – Outside Scope – Procedural These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 2 – Partially Meets Requirement – Development A mobile code detection and inspection mechanism would need to be installed and configured.

SC-19 Voice Over Internet Protocol

LOW: SC-19 MODERATE: SC-19 HIGH: SC-19

Control: The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.

Supplemental Guidance: None.

Control Enhancements: None

Control – Outside Scope - Procedural This requirement is procedural in nature and is outside the scope of the base platform.

SC-20 Secure Name / Address Resolution Service (Authoritative Source)

LOW: Tailoring MODERATE: SC-20 HIGH: SC-20

Control: The information system that provides name/address resolution service provides additional data origin and integrity artifacts along with the authoritative data it returns in response to resolution queries.

Supplemental Guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the name/address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service; digital signatures and cryptographic keys are examples of additional artifacts; and DNS resource records are examples of authoritative data.

Control Enhancements:
1) The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. Enhancement Supplemental Guidance: An example means to indicate the security status of child subspaces is through the use of delegation signer resource records.

Control – Partially Meets Requirement - Development CLIP can install and configure the bind software package, which supports the use of DNS Security. This feature allows zones to be cryptographically signed with a zone key. It also supports SIG(0) as well as TSIG.

Control Enhancement 1 – Partially Meets Requirement - Configuration RHEL 5.3 CLIP can be configured using the bind software package, which supports the use of DNS Security. This feature allows zones to be cryptographically signed with a zone key. It also supports SIG(0) as well as TSIG.

SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver)

LOW: Tailoring MODERATE: Tailoring HIGH: SC-21(1)

Control: The information system that provides name/address resolution service for local clients performs data origin authentication and data integrity verification on the resolution responses it receives from authoritative sources when requested by client systems.

Supplemental Guidance: A resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients, and authoritative DNS servers are examples of authoritative sources.

Control Enhancements:
1) The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service. Enhancement Supplemental Guidance: Local clients include, for example, DNS stub resolvers.

Control – Partially Meets Requirement – Development
The bind package can be installed on RHEL 5.3 CLIP. DNS security extensions (DNSSEC) can be used to perform the data origin authentication and data integrity checks this control requires. In addition, the hosts file (/etc/hosts) can be used for name resolution without the need for network access.

Control Enhancement 1 – Partially Meets Requirement – Development
See Control SC-21.

SC-22 Architecture and Provisioning For Name / Address Resolution Services

LOW: Tailoring MODERATE: SC-22 HIGH: SC-22

Control: The information systems that collectively provide name/address resolution service for an organization are fault tolerant and implement role separation.

Supplemental Guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative DNS servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). If organizational information technology resources are divided into those resources belonging to internal networks and those resources belonging to external networks, authoritative DNS servers with two roles (internal and external) are established. The DNS server with the internal role provides name/address resolution information pertaining to both internal and external information technology resources, while the DNS server with the external role only provides name/address resolution information pertaining to external information technology resources. The list of clients who can access the authoritative DNS server of a particular role is also specified.

Control Enhancements: None

Control – Partially Meets Requirement – Configuration
CLIP for RHEL 5.3 includes support for configuring DNS services as described in this control. They would need to be configured according to the organizational network topology.

SC-23 Session Authenticity

LOW: Tailoring MODERATE: SC-23 HIGH: SC-23

Control: The information system provides mechanisms to protect the authenticity of communications sessions.

Supplemental Guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to implement session-level protection where needed (e.g., in service-oriented architectures providing web-based services).

Control Enhancements: None

Control – Meets Requirement
CLIP for RHEL 5.3 provides session integrity and authentication through the use of TLS via the NSS libraries. Additionally, the kernel has included support for IPSec since version 2.6.

2.1.2.17. System and Information Integrity

SI-1 System and Information Integrity Policy and Procedures

LOW: SI-1 MODERATE: SI-1 HIGH: SI-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a. A formal, documented, system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

Supplemental Guidance: The system and information integrity policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. The system and information integrity policy can be included as part of the general information security policy for the organization. System and information integrity procedures can be developed for the security program in general, and for a particular information system, when required.

Control Enhancements: None

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SI-2 Flaw Remediation

LOW: SI-2(1) MODERATE: SI-2(1)(2) HIGH: SI-2(1)(2)(3)

Control: The organization identifies, reports, and corrects information system flaws.

Supplemental Guidance: It is important for the organization to identify information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) should consider promptly installing newly released security-relevant patches, service packs, and hot fixes. It is strongly recommended that the organization test software flaw remediation fixes (e.g., patches, service packs, hot fixes, etc.) for effectiveness and potential side effects on the organization’s information systems prior to installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. Related security controls: CA-2, CA-4, CA-7, CM-3, IR-4, and SI-11.

Control Enhancements:
1) The organization centrally manages the flaw remediation process and installs updates manually or automatically. Enhancement Supplemental Guidance: Due to system integrity and availability concerns, organizations should give careful consideration to the methodology used in complying with this requirement.
2) The organization employs automated mechanisms to periodically, and upon demand, determine the state of information system components with regard to flaw remediation.
3) The organization ensures that the software developers employ software quality and validation methods to minimize flawed or malformed software (e.g., buffer overruns) that can degrade integrity or availability.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-3 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

SI-3 Malicious Code Protection

LOW: SI-3(2)(3) MODERATE: SI-3(1)(2)(3) HIGH: SI-3(1)(2)(3)

Control: The information system implements malicious code protection countermeasures within the information system at a minimum:
a. Workstations
b. Servers
c. Boundary and perimeter devices, if applicable.

Supplemental Guidance: At a minimum the organization should consider malicious code protection mechanisms at critical information system entry and exit points. Examples of entry and exit points are firewalls, mail servers, SMTP gateways, web servers, proxy servers and remote-access servers. The organization should consider using malicious code protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations). The organization should also consider the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Control Enhancements:
1) The organization centrally manages malicious code protection mechanisms.
2) The information system automatically updates malicious code protection mechanisms.
3) The organization updates malicious code protection mechanisms to include the latest virus definitions when new releases are available, in accordance with organizational configuration management policy and procedures.
4) The organization employs, implements and maintains malicious code protection countermeasures on mobile computing devices on the network.
5) The organization employs, implements and maintains malicious code protection countermeasures to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, Internet accesses and removable media.
6) The information system updates malicious code protection only when directed by an appropriately privileged administrator.
7) Users are not allowed to introduce removable media to the system.
8) The information system implements a malicious code mechanism to identify all data containing malicious code and reacts appropriately (i.e., block, quarantine, send alert to administrator, etc.) when it encounters data not explicitly allowed by the configured policy. Enhancement Supplemental Guidance: Examples of disallowed transfers include: sending malicious code encoded in various formats (UUENCODE, Unicode, etc.), sending a compressed file containing malicious code, sending an uncompressed file containing malicious code.

Control – Partially Meets Requirement – Development
Many virus protection applications for Linux, including ClamAV and McAfee LinuxShield, can be installed onto RHEL 5.3 CLIP to provide protection against malicious code.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 – Partially Meets Requirement – Development
Many virus protection applications for Linux, including ClamAV and McAfee LinuxShield, can be configured to perform automatic updates when installed onto RHEL 5.3 CLIP.

Control Enhancements 3-5 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 6 – Partially Meets Requirement – Configuration
The SELinux policy can limit which users may update malicious code detection mechanisms.

Control Enhancement 7 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 8 – Partially Meets Requirement – Development
The above-mentioned virus protection applications meet the code detection requirement if installed; the base system will deny access to malicious code by default through the SELinux policy enforcement mechanism.

SI-4 Information System Monitoring Tools and Techniques

LOW: SI-4 MODERATE: SI-4(1)(4)(7) HIGH: SI-4(1)(4)(5)(7)

Control:
a. The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
b. Organizations consult appropriate legal counsel with regard to all information system monitoring activities.
c. Organizations heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.

Supplemental Guidance: Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Monitoring devices are strategically deployed within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system. The granularity of the information collected is determined by the organization based upon its monitoring objectives and the capability of the information system to support such activities.

Control Enhancements:
1) The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
2) The organization employs automated tools to support near-real-time analysis of events.
3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions. Enhancement Supplemental Guidance: Unusual/unauthorized activities or conditions include, for example, the presence of malicious code, the unauthorized export of information, excessive exportation of information, or signaling to an external information system.
5) The information system provides a real-time alert when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
6) The information system notifies the appropriate security personnel of suspicious events and takes the least disruptive action to terminate suspicious events.
7) Information obtained from intrusion monitoring tools shall be protected against unauthorized access, modification, and deletion.
8) Intrusion monitoring tools shall be exercised at least [Assignment: organization-defined time period, at least monthly]. Enhancement Supplemental Guidance: The frequency of testing is dependent upon the type and method of deployment of the intrusion monitoring tools, e.g., enterprise or local.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancements 1-3 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 4 – Partially Meets Requirement – Development
An intrusion detection system such as Snort could be installed to allow for the detection of malicious inbound or outbound communication.

Control Enhancement 5 – Partially Meets Requirement – Development
An intrusion detection system such as Snort could be installed to allow for the detection of malicious inbound or outbound communication and to alert a system administrator.

Control Enhancement 6 – Partially Meets Requirement – Development
An intrusion detection system such as Snort could be installed to allow for the detection of malicious inbound or outbound communication and to take a predetermined action based on rules.

Control Enhancement 7 – Partially Meets Requirement – Configuration
The SELinux policy can be configured to label the information received from intrusion monitoring tools such that only users with sufficient privilege can access or modify it.

Control Enhancement 8 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SI-5 Security Alerts and Advisories

LOW: SI-5 MODERATE: SI-5 HIGH: SI-5(1)

Control: The organization receives information system security alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in response. The organization documents the types of actions to be taken in response to security alerts/advisories and validates that the action was performed correctly.

Supplemental Guidance: The organization should also maintain contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.

Control Enhancements:
1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

SI-6 Security Functionality Verification

LOW: Tailoring MODERATE: SI-6 HIGH: SI-6(1)

Control: The information system verifies the correct operation of security functions [Selection (one or more): upon system startup and restart, upon command by user with appropriate privilege, periodically every [Assignment: organization-defined time-period, at least every 90 days]] and [Selection (one or more): notifies system administrator, shuts the system down, restarts the system] when anomalies are discovered.

Supplemental Guidance: The organization should also maintain contact with special interest groups (e.g., information security forums) that: (i) facilitate sharing of security-related information (e.g., threats, vulnerabilities, and latest security technologies); (ii) provide access to advice from security professionals; and (iii) improve knowledge of security best practices.

Control Enhancements:
1) The organization employs automated mechanisms to provide notification of failed automated security tests.
2) The organization employs automated mechanisms to support management of distributed security testing.

Control – Partially Meets Requirement – Configuration
Checksums on individual files of interest can be calculated and frequently verified in order to ensure the integrity of security-relevant programs and resources. The integrity tool AIDE that comes with RHEL 5.3 could be used to check the system integrity.

Control Enhancements 1 and 2 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

SI-7 Software Information Integrity

LOW: Tailoring MODERATE: SI-7(1) HIGH: SI-7(1)(2)

Control: The information system detects and protects against unauthorized changes to software and information. The organization employs integrity verification applications on the information system to look for evidence of information tampering, errors, and omissions.

Supplemental Guidance: The organization employs good software engineering practices with regard to Commercial, off-the-Shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

Control Enhancements:
1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency, not to exceed 180 days] integrity scans of the system.
2) The organization employs automated tools that provide notification to appropriate individuals upon discovering discrepancies during integrity verification.
3) The organization employs centrally managed integrity verification tools.

Control – Partially Meets Requirement – Configuration
The integrity checking mechanism AIDE that is installed on CLIP for RHEL 5.3 can be configured to satisfy this requirement.

Control Enhancements 1-3 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.
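The baseline-and-verify approach that both SI-6 and SI-7 rely on (AIDE on CLIP), shown as an added Python example that is not AIDE's code or part of the CLIP toolkit. It records a SHA-256 digest, size and permission bits for each file of interest, then re-verifies the set and reports modified, missing and mode-changed files. The temporary directory, file names and contents used by demo() are constructed for the demonstration.

```python
"""Checksum baseline and verification for security-relevant files.

Added example; not AIDE or CLIP toolkit code. The files, paths and contents
used by demo() are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Record digest, size and permission bits for each file of interest."""
    manifest = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        st = os.stat(full)
        manifest[rel] = {
            "sha256": sha256_of(full),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return manifest


def verify_manifest(root, manifest):
    """Compare the current files against the manifest.

    Returns {'modified': [...], 'missing': [...], 'mode_changed': [...]};
    all three lists are empty when nothing of interest has changed.
    """
    result = {"modified": [], "missing": [], "mode_changed": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
            continue
        st = os.stat(full)
        if (st.st_mode & 0o7777) != expected["mode"]:
            result["mode_changed"].append(rel)
        # Size is a cheap first check; the digest catches same-size edits.
        if st.st_size != expected["size"] or sha256_of(full) != expected["sha256"]:
            result["modified"].append(rel)
    return result


def demo():
    """Constructed scenario: take a baseline, then alter one file and remove another."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.makedirs(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    shadow = os.path.join(root, "etc", "shadow")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(shadow, "w") as f:
        f.write("root:!!:14000:0:99999:7:::\n")
    os.chmod(shadow, 0o600)

    manifest = build_manifest(root, ["etc/passwd", "etc/shadow"])
    clean = verify_manifest(root, manifest)

    # Simulated unauthorized change: a line appended to passwd, shadow deleted.
    with open(passwd, "a") as f:
        f.write("newuser:x:1001:1001::/home/newuser:/bin/bash\n")
    os.remove(shadow)
    tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("baseline check:", before)
    print("after tampering:", after)
```

The manifest itself must live somewhere the checked system cannot alter (read-only media or a separate host), and the verification should run on the schedule the SI-7 enhancement 1 assignment fixes; the script only covers the detection step.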

SI-8 Spam Protection

LOW: Tailoring MODERATE: Tailoring HIGH: Tailoring

Control: The organization employs, implements and maintains spam protection mechanisms within the information system at a minimum:
a. Workstations.
b. Servers.
c. Boundary and perimeter devices, if applicable.

Supplemental Guidance: At a minimum the organization should consider spam protection mechanisms at critical information system entry and exit points. Examples of entry points are firewalls, electronic SMTP gateways, mail servers, and remote-access servers. Consideration is given to using spam protection software products from multiple vendors (e.g., using one vendor for boundary devices and servers and another vendor for workstations).

Control Enhancements:
1) The organization centrally manages spam protection mechanisms.
2) The information system automatically updates spam protection mechanisms.
3) The organization updates spam protection mechanisms when new releases and updates are available, in accordance with organizational configuration management policy and procedures.
4) The organization employs, implements and maintains spam protection mechanisms on mobile computing devices on the network.
5) The organization employs, implements and maintains spam protection mechanisms to detect and take appropriate action on unsolicited messages transported by electronic mail, electronic mail attachments, Internet accesses, or other common means.
6) The information system updates spam protection mechanisms manually.

Control – Partially Meets Requirement – Development
The SpamAssassin package is a feature-rich and robust spam protection application; it could be installed in order to meet this requirement.

Control Enhancement 1 – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

Control Enhancement 2 – Partially Meets Requirement – Development
The SpamAssassin package is a feature-rich and robust spam protection application; it could be installed in order to meet this requirement.

Control Enhancements 3-5 – Outside Scope – Procedural
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancements 5 and 6 – Partially Meets Requirement – Development
After installing SpamAssassin, the System Administrator can optionally update SpamAssassin manually to make use of the latest signatures.

SI-9 Information Input Restriction

LOW: SI-9 MODERATE: SI-9 HIGH: SI-9

Control: The organization restricts the capability to input information to the information system to authorized personnel.

Supplemental Guidance: Restrictions on personnel authorized to input information to the information system may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.

Control Enhancements: None

Control – Meets Requirement
The Linux login mechanism authenticates all users before granting access to the system.

SI-10 Information Accuracy, Completeness, Validity, and Authenticity

LOW: Tailoring MODERATE: SI-10 HIGH: SI-10

Control: The information system checks information for accuracy, completeness, validity, and authenticity.

Supplemental Guidance: Checks for accuracy, completeness, validity, and authenticity of information are accomplished as close to the point of origin as possible. Rules for checking the valid syntax of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. The extent to which the information system is able to check the accuracy, completeness, validity, and authenticity of information is guided by organizational policy and operational requirements.

Control Enhancements: None

Control – Partially Meets Requirement – Development
The operating system provides support to the applications that provide these capabilities.

SI-11 Error Handling

LOW: SI-11 MODERATE: SI-11 HIGH: SI-11

Control: The information system identifies and handles error conditions in an expeditious manner without providing information that could be exploited by adversaries. The organization will carefully consider the structure and content of error messages, including any sensitive information (e.g., account numbers, social security numbers, and credit card numbers), and ensure that they are revealed only to authorized personnel.

Supplemental Guidance: Error messages generated by the information system provide timely and useful information without revealing potentially harmful information that could be used by adversaries. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Control Enhancements: None

Control – Partially Meets Requirement – Development
There are many applications that need to be configured to properly meet this requirement, including the SELinux policy and the audit subsystem. The audit subsystem will audit major events on the system, including errors, and can be protected using a properly configured MAC system such as SELinux to allow only authorized personnel access. The developer is responsible for tailoring the SELinux policy and applications to meet solution requirements.
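SI-10's syntax rules (character set, length, numerical range, acceptable values), its prescreening of inputs bound for an interpreter, and SI-11's split between a detailed record for authorized personnel and a generic message for the caller, as one added Python example; it is not CLIP code, and the field names, rule set, helper program path and sample requests are constructed for the demonstration.

```python
"""Input validation (SI-10) and adversary-safe error handling (SI-11).

Added example, not CLIP code. RULES, the helper program path and the
requests handled by the test are constructed.
"""
import logging
import re
import uuid

log = logging.getLogger("app.validation")

# Constructed rule set: one entry per input field. Each rule is one of the
# SI-10 syntax checks: pattern (character set + length), range, allowed set.
RULES = {
    "username": {"pattern": re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")},
    "retries": {"min": 0, "max": 10},
    "role": {"allowed": {"user", "staff", "sysadm"}},
}

# Keys whose values must never reach a log line, even an internal one.
SENSITIVE = ("password", "ssn", "card")


class ValidationError(ValueError):
    pass


def validate_field(name, value):
    """Check one field against its rule; return the normalised value."""
    rule = RULES[name]
    if "pattern" in rule:
        if not isinstance(value, str) or not rule["pattern"].match(value):
            raise ValidationError(f"{name}: bad character set or length")
        return value
    if "allowed" in rule:
        if value not in rule["allowed"]:
            raise ValidationError(f"{name}: not an acceptable value")
        return value
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValidationError(f"{name}: not an integer") from None
    if not rule["min"] <= n <= rule["max"]:
        raise ValidationError(f"{name}: out of range")
    return n


def validate_request(fields):
    """Validate every field the rule set knows about; missing fields fail."""
    return {name: validate_field(name, fields.get(name)) for name in RULES}


def build_argv(validated):
    """Hand validated values to a helper program as an argv list.

    A list (no shell) means the values are never re-parsed as commands,
    which is the prescreening SI-10 asks for. The helper path is a
    constructed placeholder.
    """
    return ["/usr/local/sbin/example-helper",
            "--user", validated["username"],
            "--role", validated["role"],
            "--retries", str(validated["retries"])]


def redact(fields):
    """Copy of the request with sensitive values masked for the log."""
    return {k: ("<redacted>" if any(s in k.lower() for s in SENSITIVE) else v)
            for k, v in fields.items()}


def handle_request(fields):
    """Return ('ok', argv) or ('error', generic message).

    Detail (which rule failed, the redacted input) goes only to the log,
    which on CLIP is protected by SELinux labelling; the caller gets a
    fixed message and a reference id an authorized reviewer can look up.
    """
    try:
        validated = validate_request(fields)
        return "ok", build_argv(validated)
    except ValidationError as exc:
        ref = uuid.uuid4().hex[:12]
        log.warning("request %s rejected: %s input=%r", ref, exc, redact(fields))
        return "error", f"Request rejected (ref {ref})."
```

The reference id is what ties the caller's generic message to the detailed log entry, so the person who sees the error and the person who may read the detail can still be matched up without the message itself carrying the detail.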

SI-12 Information Output Handling and Retention

LOW: SI-12 MODERATE: SI-12 HIGH: SI-12

Control: The organization handles and retains output from the information system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Supplemental Guidance: None.

Control Enhancements: None

Control – Outside Scope – Procedural
This requirement is procedural in nature and is outside the scope of the base platform.

3 Overview of the CLIP Toolkit

In developing an NSSI-1253v4-compliant system, an unmodified installation of RHEL 5.3 does not address a number of the requirements. In many cases, updating the configuration file of a particular service (for example, to be more restrictive) is sufficient. In other cases, requirements need functionality beyond that which is provided by the RHEL 5.3 distribution. Specifically, the requirements pertaining to performing backups of the file system data and dynamic configuration of login timeouts require additional functionality. The CLIP toolkit provides or configures utilities to address these requirements. The following sections discuss these utilities and provide information about installing CLIP.

3.1. Installation

The CLIP toolkit consists of a series of RPMs and a Kickstart script. For step-by-step instructions on installing CLIP, refer to the CLIP website at http://oss.tresys.com/.

3.2. Backups

For certain requirement sets, backups must be able to separate the restoration of SELinux security labels from the restoration of file data. The xar utility addresses this requirement. This utility simply saves and restores a file’s SELinux security labels, which allows an administrator to use SELinux-unaware versions of standard utilities like cp(1) and tar(1) to back up data separately from the security labels. CLIP for RHEL 5.3 installs the ‘xar’ utility to address the backup requirements related to labels.

3.3. Auditing

Auditing in CLIP is achieved using the Linux audit subsystem. The audit subsystem consists of a kernel framework for system call auditing and a userspace audit daemon, auditd, which listens for audit event data via the kernel’s netlink interface. Upon receiving a message via this interface, the audit daemon dispatches the message to one or more system logs. By default, auditd writes audit event data to /var/log/audit/audit.log. If auditd is not running, audit event data is sent to /var/log/messages. SELinux AVC (Access Vector Cache) messages are also sent to auditd, and consequently will also appear in the system logs. The audit daemon’s behavior is controlled by the configuration file /etc/audit/auditd.conf. Refer to the auditd.conf(8) man page for more information about this file.

For the audit subsystem to satisfy the requirements within the selected requirement sets, all auditable events must be captured. In the event of a failure of the audit subsystem, the rest of the system must be halted until the audit subsystem is again able to receive events. This is accomplished in the CLIP toolkit by configuring the audit daemon to halt the system when it is unable to receive events. The relevant settings in auditd.conf are:

admin_space_left_action = HALT
disk_full_action = HALT
disk_error_action = HALT

Also, the audit daemon is configurable with respect to the frequency at which it flushes its internal buffer to disk, using the flush setting in auditd.conf. Setting flush = SYNC is the most reliable option and will force a disk write for each record. However, this setting can have significant performance consequences for applications that generate many audit events, so a less rigorous setting may be preferred. Another possibility to increase performance is to set flush = INCREMENTAL and set a numeric value for the freq parameter. This causes a disk sync to occur after writing the number of records specified in freq, and so limits the number of records that would be lost should a crash occur. Note that it is advisable to dedicate a partition exclusively to audit log storage. This ensures that auditd has exclusive control over disk usage.

The subset of events that Linux will audit is controlled by the audit subsystem’s configuration file, /etc/audit/audit.rules. The CLIP toolkit provides a modified version of this configuration file, tailored to meet the selected requirement sets. Any changes made to this file should only increase the set of events that the kernel audits.

The SELinux auditing capabilities complement the Linux audit subsystem in meeting the selected requirement sets. Using auditallow rules, a system administrator can configure which events will appear in system logs. The following example audits changes to the security labels of files of type etc_t by any domain:

auditallow domain etc_t:file { relabelto relabelfrom };

This does not give relabel permissions to any domain for files of type etc_t; however, if the allow rule for this action exists within the policy, any time the rule is exercised the action will be audited. Therefore, if both the allow rule and the auditallow rule exist, each time a relabel occurs the event is audited. In the current implementation of the CLIP toolkit, a Boolean-enabled auditallow rule has been added to the security policy to audit relabeling actions.
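The records that the relabel auditallow rule produces, and SELinux AVC records generally, can be pulled out of audit.log by grouping the records that share an event serial number (the number after the colon in msg=audit(...)). The following is an added Python example, not part of the CLIP toolkit or the audit package. The log lines it parses are constructed in audit.log format: a granted relabel performed by chcon, the SYSCALL record of the same event carrying the login uid (auid), and one unrelated denial, so the block runs offline.

```python
"""Extract SELinux relabel events from audit.log records (added example).

Not part of the CLIP toolkit or the audit package. SAMPLE_LOG is
constructed in audit.log format so the block runs without a real log.
"""
import re
from collections import defaultdict

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: event 201 is a relabel of /etc/resolv.conf by chcon
# (two AVC records plus the SYSCALL record); event 202 is an unrelated denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1237312345.101:201): avc:  granted  { relabelfrom } for  pid=2314 comm="chcon" name="resolv.conf" dev=sda2 ino=98765 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1237312345.101:201): avc:  granted  { relabelto } for  pid=2314 comm="chcon" name="resolv.conf" dev=sda2 ino=98765 scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1237312345.101:201): arch=c000003e syscall=188 success=yes exit=0 items=1 ppid=2300 pid=2314 auid=500 uid=0 gid=0 comm="chcon" exe="/usr/bin/chcon" subj=root:sysadm_r:sysadm_t:s0 key=(null)
type=AVC msg=audit(1237312360.250:202): avc:  denied  { read } for  pid=2401 comm="cupsd" name="shadow" dev=sda2 ino=12 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""


def parse_record(line):
    """Split one audit record into a dict; None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    a = AVC.match(body)
    if a:  # AVC records carry the decision and permission set before the k=v pairs
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    rec.update((k, v.strip('"')) for k, v in KV.findall(body))
    return rec


def group_events(lines):
    """Records with the same serial belong to one kernel event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def relabel_events(lines):
    """One summary per event that contains a granted relabelto/relabelfrom."""
    out = []
    for serial, recs in sorted(group_events(lines).items()):
        avcs = [r for r in recs
                if r["type"] == "AVC" and r.get("result") == "granted"
                and {"relabelto", "relabelfrom"} & set(r["perms"])]
        if not avcs:
            continue
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        out.append({
            "serial": serial,
            "perms": sorted({p for r in avcs for p in r["perms"]}),
            "comm": avcs[0].get("comm"),
            "target": avcs[0].get("name"),
            # relabelfrom reports the old label, relabelto the new one
            "contexts": sorted({r.get("tcontext") for r in avcs}),
            "auid": syscall.get("auid"),  # login uid: the accountable user
        })
    return out


def count_denials(lines):
    """Number of AVC records that were denied, for a quick health figure."""
    return sum(1 for line in lines
               if (r := parse_record(line)) and r.get("result") == "denied")
```

The auid field, not uid, is what ties a relabel back to the person who logged in, which is why the SYSCALL record of the same event is joined in rather than reading the AVC record alone.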

3.4.

Authentication The Pluggable Authentication Module (PAM) framework for Linux is a modular mechanism for authenticating users, using a collection of shared libraries to provide authentication services. When programs link against PAM, they are able to attach to a particular authentication mechanism at run-time. PAM consists of a general framework and additional authentication modules that can be found in /lib/security/. The modules themselves are implementations of the particular authentication mechanisms. Selecting an authentication mechanism for use in an application is simply a matter of specifying the name of the module in the configuration file specific to that application and applying certain arguments to the specified modules. Each application utilizing PAM has its own configuration file, typically located in /etc/pam.d. A PAM configuration file consists of records containing four fields: module-type, control-flag, module-path and arguments. Using these fields, it is possible to specify which authentication mechanism a particular application will use. For instance, a configuration file for ssh can be added to the /etc/pam.d file. The configuration file can then refer to various PAM modules to harden the security. An example would be to add a line in this file such as the one below.


auth required pam_unix.so shadow

This line specifies that authentication is required to gain entry to the operating system and that the user will be prompted for a password. pam_unix looks up the user's password hash in /etc/shadow and succeeds if the supplied password matches it. Because the control flag is required, a failure of this module causes the whole authentication stack to fail, although the remaining modules in the stack are still run. In addition to the individual configuration files, the PAM framework allows modules to be stacked upon each other, providing administrators a flexible mechanism with which to define system-wide authentication policies. So, if there is a security feature or features common to many of the programs secured by PAM, these features can be placed in one file and that file can be referred to from the configuration files of the individual programs. The system-auth file (/etc/pam.d/system-auth) is a configuration file for this purpose. It provides a common configuration that other configuration files pull in using the include directive. Refer to pam(8) for further information about the structure and format of the PAM configuration files. The CLIP toolkit provides modified PAM configuration files to enhance the security of the authentication process. Along with configuration changes in the system-auth file to further harden security, configuration changes are included to secure programs such as ssh and login. These modifications are introduced primarily to meet requirements regarding the accountability of users' actions and to utilize the capabilities provided by SELinux.
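The following is an added example, not part of the CLIP toolkit or of Linux-PAM, showing how the four-field records and the include directive described above combine into a stack, and how the control flags decide the result. PAM_D is a constructed stand-in for the /etc/pam.d directory holding two files, and the module results handed to evaluate_stack() are constructed as well. Only the simple keyword control flags (required, requisite, sufficient, optional) and include are handled; the bracketed [value=action] syntax is not.

```python
"""Parse /etc/pam.d-style files and evaluate PAM module stacking.

Added example, not part of the CLIP toolkit or of Linux-PAM. PAM_D is a
constructed stand-in for the /etc/pam.d directory holding two files, and the
module results given to evaluate_stack() are constructed too. Only the simple
keyword control flags (required, requisite, sufficient, optional) and the
include directive are handled; the bracketed [value=action] syntax is not.
"""

# Constructed stand-in for /etc/pam.d: service name -> file contents.
PAM_D = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
""",
    # Shared stack pulled in by the include lines above.
    "system-auth": """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so shadow try_first_pass
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       required     pam_deny.so
account    required     pam_unix.so
session    required     pam_unix.so
""",
}

# Same files, but with the uid check moved ahead of the sufficient module.
REORDERED = dict(PAM_D)
REORDERED["system-auth"] = """\
auth       required     pam_env.so
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       sufficient   pam_unix.so shadow try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
session    required     pam_unix.so
"""


def parse_pam_file(name, files=PAM_D, depth=0):
    """Return (module-type, control-flag, module-path, arguments) records.

    An `include` line is replaced by the included file's records of the same
    module type, which is how the stack is assembled at run time.
    """
    if depth > 8:
        raise ValueError("include nesting too deep; cycle?")
    records = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"{name}: malformed line {raw!r}")
        mtype, control, module, args = fields[0], fields[1], fields[2], fields[3:]
        if control == "include":
            records.extend(r for r in parse_pam_file(module, files, depth + 1)
                           if r[0] == mtype)
        else:
            records.append((mtype, control, module, args))
    return records


def evaluate_stack(records, mtype, results):
    """Apply the control-flag semantics to one module type's stack.

    `results` maps module path -> True (success) / False (failure); modules
    absent from it are treated as failing. Returns the stack's overall result.
    """
    stack = [r for r in records if r[0] == mtype]
    if not stack:
        raise ValueError(f"no {mtype} modules configured")
    required_failed = False
    for _, control, module, _ in stack:
        ok = results.get(module, False)
        if control == "required":
            required_failed |= not ok        # remember, but keep running
        elif control == "requisite":
            if not ok:
                return False                 # fail immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True                  # short-circuit: later modules skipped
        elif control != "optional":          # optional results are ignored here
            raise ValueError(f"unsupported control flag {control!r}")
    return not required_failed


def sshd_auth(results, files=PAM_D):
    """Result of the sshd auth stack for the given module results."""
    return evaluate_stack(parse_pam_file("sshd", files), "auth", results)


if __name__ == "__main__":
    # A uid < 500 account whose password checks out: the sufficient pam_unix
    # line ends the stack before pam_succeed_if runs.
    system_acct = {"pam_nologin.so": True, "pam_env.so": True,
                   "pam_unix.so": True, "pam_succeed_if.so": False}
    print("original order:", sshd_auth(system_acct))             # True
    print("uid check first:", sshd_auth(system_acct, REORDERED))  # False
```

The point of the two orderings is that a sufficient module ends the stack on success, so any check placed after it is skipped for users who authenticate through it; a check that must apply to every login belongs before the sufficient line, or must be a required or requisite module.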

3.5. Object Labeling

Various requirements in the NSSI-1253v4 specification require that data objects be marked with security labels. SELinux supports object labeling via file system extended attributes. The initial labeling of the file system occurs during SELinux policy installation. These labels are retained unless the file system objects are explicitly relabeled. Relabeling objects is a security-relevant operation and is controlled by the security policy; all relabeling operations can also be tracked using auditallow rules, as described in section 3.3.

By default, objects exported from the system are implicitly labeled with the label of the network interface from which they were sent. RHEL 5.3 also includes features that label objects explicitly as they cross the system's perimeter, in either direction, based upon the security attributes of the communicating processes rather than the network interface used. This explicit labeled communication can be accomplished using labeled IPsec (IP Security) or CIPSO (Commercial IP Security Option). With labeled IPsec, the security context is bound to the IPsec Security Association (SA), so every packet protected by that SA carries the label; the integrity protection of AH and ESP means that the receiving host detects any modification of the message in transit, and ESP can additionally encrypt the contents. Another possibility is to carry MLS security labels in traditional CIPSO options, which has the advantage of compatibility with legacy systems.

3.6. Additional Information

The CLIP toolkit implements additional changes to the operating system to increase security, including:

• Hardening file permissions
• Disabling unneeded services
• Elimination of root login – a user must use the ‘su’ command to become root
• Enforcing password complexity requirements on root
• Limiting root access to one user at a time
• Restrictions on how the system is shut down and restarted (e.g. disabling Ctrl-Alt-Del)
• Disabling accounts that do not require a login
• Installing a modified SELinux policy

The CLIP toolkit's Kickstart file implements many of the changes for securing the operating system. This file supplies various install-time parameters, updates system configuration, installs new packages, and limits the number of services that end up on the base operating system, preventing unnecessary services from being loaded onto the system. The CLIP toolkit also contains a number of configuration modifications to the base RHEL operating system. These configuration modifications were developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD). They address widely accepted best practices for securing UNIX-based systems and provide a more robust and secure environment by limiting known security vulnerabilities. These changes address several requirements outlined in the selected requirement sets.

4 SUMMARY OF ANALYSIS

RHEL 5.3 is designed for many different roles, from servers to desktop machines. This flexibility leads to a large number of packages being installed by default, many of which are rarely used and which reduce the security assurance of the system. The CLIP toolkit creates a minimal install of RHEL 5.3 with customizations that provide a known, secure platform upon which to build secure solutions. The CLIP toolkit for RHEL 5.3 was analyzed against selected criteria, including:

• Security Controls Catalog for National Security Systems (NSSI-1253v4)

NSSI-1253v4 is a set of requirements introduced by the Unified Cross Domain Management Office with the intent of combining and eventually replacing DCID 6/3 and DoD 8500.2. CLIP meets, or partially meets, a wide range of the NSSI-1253v4 requirements. NSSI-1253v4 has seventeen families of requirements divided among three classes. The Technical class is the most relevant, and the majority of its requirements are at least partially met for the relevant Impact Levels; generally, the Technical class requirements that CLIP does not provide are procedural. CLIP generally meets the Operational class family requirements, although in many cases some development is required for the end solution. For example, SI-3(2) requires automatic updating of malicious code protection mechanisms: CLIP partially meets it but requires some development effort to install supported packages and to configure them to update in a trusted manner. The Management class families are procedural sets of requirements and largely out of scope for CLIP.


The CLIP toolkit for RHEL 5.3 provides a substantial head start for any security solution seeking certification under the specified requirement sets. It tailors the highly configurable defaults needed to support RHEL's wide and varied customer base into a sound base platform for building certifiable systems: removing unneeded software, correctly configuring aspects of the system, and providing new applications to enhance RHEL 5.3.

5 ACRONYMS

ACL       Access Control List
AES       Advanced Encryption Standard
AIDE      Advanced Intrusion Detection Environment
AVC       Access Vector Cache
CDS       Cross Domain Solution
CI        Controlled Interface
CIPSO     Commercial Internet Protocol Security Option
CLIP      Certifiable Linux Integration Platform
CM        Configuration Management
CONOPS    Concept of Operations
COTS      Commercial Off The Shelf
CPU       Central Processing Unit
CRC       Cyclical Redundancy Check
DAA       Designated Approving Authority
DAC       Discretionary Access Control
DCID      Director of Central Intelligence Directive
DISA      Defense Information Systems Agency
DNS       Domain Name Service
DoD       Department of Defense
DoS       Denial of Service
FIPS      Federal Information Processing Standard
FTP       File Transfer Protocol
HTML      Hypertext Markup Language
HTTP      Hypertext Transfer Protocol
I&A       Identification and Authentication
IDS       Intrusion Detection System
IP        Internet Protocol
IPSec     Internet Protocol Security
IS        Information System
ISSM      Information Systems Security Manager
ISSO      Information Systems Security Officer
LAN       Local Area Network
LSM       Linux Security Modules
MAC       Mandatory Access Control
MD5       Message Digest 5
MLS       Multi-Level Security
NIC       Network Interface Card
NIST      National Institute of Standards and Technology
NSA       National Security Agency
OS        Operating System
OSPF      Open Shortest Path First
PAM       Pluggable Authentication Modules
PDS       Protected Distribution System
PKI       Public Key Infrastructure
RAID      Redundant Array of Inexpensive Disks
RHEL      Red Hat Enterprise Linux
RIP       Routing Information Protocol
RPM       RPM Package Manager
SA        Security Association
SAK       Secure Attention Key
SELinux   Security Enhanced Linux
TCP       Transmission Control Protocol
TE        Type Enforcement
TLS       Transport Layer Security
TPM       Trusted Platform Module
UPS       Uninterruptable Power Supply
VPN       Virtual Private Network
VoIP      Voice over Internet Protocol
WAN       Wide Area Network
XML       eXtensible Markup Language
