Yep. Tresys is the current "flag bearer" for selinux as well. The clip project is heavy selinux plus a bunch of system configuration tweaks to harden the environment against sloppy users.<br><br><div class="gmail_quote">
On Thu, Feb 16, 2012 at 3:18 PM, George Allen <span dir="ltr"><<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
This was another, similar project: <a href="http://oss.tresys.com/projects/clip" target="_blank">http://oss.tresys.com/projects/clip</a><br>
Has a RHEL kickstart to apply the following:<br>
• Director of Central Intelligence Directive 6/3 “Protecting Sensitive<br>
Compartmented Information within Information Systems” (DCID 6/3)<br>
Protection Level 4 (PL4)<br>
• National Security Systems (NSS) Instruction 1253 “Security Controls<br>
Catalog for National Security Systems” High Impact requirements<br>
• Department of Defense (DoD) Instruction Number 8500.2 “Information<br>
Assurance (IA) Implementation” MAC I Classified requirements<br>
• Defense Information System Agency (DISA) Information Assurance<br>
Support Environment (IASE) Security Technical Implementation Guides<br>
(STIG) Unix V5R1<br>
<br>
Haven't tried it yet. Attempted to feed the kickstart link from here:<br>
<a href="http://oss.tresys.com/projects/clip/wiki/GettingStarted" target="_blank">http://oss.tresys.com/projects/clip/wiki/GettingStarted</a> into CentOS...<br>
but it turns out I don't know anything about RedHat/Centos or<br>
rpm/yum... it was actually easier for me to play with freebsd the<br>
other day than when I was banging my head against yum, having grown up<br>
on solaris, slackware and debian.<br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Feb 16, 2012 at 2:40 PM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
> Cool!<br>
><br>
> I used a series of postinstall kickstart scripts that accomplished the<br>
> security lockdown when I was at GTRI. I did not write them but was happy to<br>
> see the powers that be that performed security analysis were very happy with<br>
> their output. That entire process should be fairly easy to dump into puppet<br>
> for change control.<br>
><br>
> When I left, RHEL6 was under development for similar treatment.<br>
><br>
><br>
> On Thu, Feb 16, 2012 at 2:17 PM, George Allen <<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>> wrote:<br>
>><br>
>> There is a project on Forge.mil to build configs for Puppet to apply<br>
>> the DISA STIGs and NSA Guides. So far they're only setup to apply to a<br>
>> RHEL 5.x box from what I understand, and I haven't played with them<br>
>> yet... but I would definitely like to start learning puppet as soon as<br>
>> I get some time.<br>
>><br>
>> On Tue, Feb 14, 2012 at 1:38 PM, <a href="mailto:mike@trausch.us">mike@trausch.us</a> <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br>
>> > On 02/14/2012 09:56 AM, <a href="mailto:mike@trausch.us">mike@trausch.us</a> wrote:<br>
>> >> I am finding myself somewhat happy with it. I'm still allergic to<br>
>> >> things written in Ruby, of course. If there were a drop-in Puppet<br>
>> >> clone<br>
>> >> in Python, I'd be all over that like white on rice, and I may not stay<br>
>> >> with puppet forever, but for the time being, I am rather liking it. I<br>
>> >> have a master on Linode, a server here at the house, and a VM on my<br>
>> >> desktop that I am using to play with it for the time being.<br>
>> ><br>
>> > At this point, I have a working setup that manages SSH and NTP<br>
>> > configuration (yeah, I know, stupid easy for those who do Puppet in<br>
>> > their sleep) for both Gentoo and Debian systems, including handling some<br>
>> > interesting differences between the two distributions.<br>
>> ><br>
>> > One thing that I am finding that is annoying is that it seems that you<br>
>> > can say things like "debian" in selectors, but if you use a regex it<br>
>> > refuses to allow it (because it won't match "Debian"). There is a bug<br>
>> > in Puppet's Redmine instance (#3229), but it seems to have been<br>
>> > summarily closed without action.<br>
>> ><br>
>> > It seems that the "case" command matches case-insensitive whereas<br>
>> > selectors using regular expressions do not. Of course a character class<br>
>> > can be used to work around that, but I don't see a way to tell Puppet's<br>
>> > regular expression system to simply match case-insensitive.<br>
>> ><br>
>> > I think that it may be possible for me to Puppet-ize my production<br>
>> > domain within the next day or two. That in itself is fascinating to me.<br>
>> ><br>
>> > One thing I would like to do, though I haven't quite figured out how it<br>
>> > would fit into Puppet's framework, would be to enforce certain types of<br>
>> > policy, like "ensure that all systems have run their updates once per<br>
>> > week". There are other ways of doing that, of course, but I think it'd<br>
>> > be nice to have _all_ my configuration in a single system, and not just<br>
>> > most of it.<br>
>> ><br>
>> > Another thing I would like to be able to do is somehow give Puppet a<br>
>> > whitelist of packages that are allowed to be on various systems, such<br>
>> > that any package that (a) isn't in the whitelist and (b) isn't a<br>
>> > dependency of something in the whitelist will be removed by Puppet<br>
>> > automagically.<br>
>> ><br>
>> > Both of the last two things, though, seem to be outside of the scope of<br>
>> > Puppet's capabilities.<br>
>> ><br>
>> > --- Mike<br>
>> ><br>
>> > --<br>
>> > A man who reasons deliberately, manages it better after studying Logic<br>
>> > than he could before, if he is sincere about it and has common sense.<br>
>> > --- Carveth Read, “Logic”<br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > Ale mailing list<br>
>> > <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> > <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> > <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>> ><br>
>><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
><br>
><br>
><br>
> --<br>
> --<br>
> James P. Kinney III<br>
><br>
> As long as the general population is passive, apathetic, diverted to<br>
> consumerism or hatred of the vulnerable, then the powerful can do as they<br>
> please, and those who survive will be left to contemplate the outcome.<br>
> - 2011 Noam Chomsky<br>
><br>
> <a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
><br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><br>As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as
they please, and those who survive will be left to contemplate the
outcome.<br>- <i><i><i><i>2011 Noam Chomsky<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i><br>