Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis


Prepared By: Tresys Technology, LLC
March 17, 2009

Table of Contents

1 Introduction
    Security Requirement Set Selection
    Analysis Overview
    Document Organization
2 Requirement Set Analysis
    NSSI-1253v4 Mapping and Analysis
        NSSI-1253v4 Mapping Tables
        NSSI-1253v4 Analysis
            Access Control
            Awareness and Training
            Audit and Accountability
            Certification, Accreditation and Security
            Configuration Management
            Contingency Planning
            Identification and Authentication
            Incident Response
            Maintenance
            Media Protection
            Physical and Environmental Protection
            Planning
            Personnel Security
            Risk Assessment
            System and Services Acquisition
            System and Communications Protection
            System and Information Integrity
    Overview of the CLIP Toolkit
        Installation
        Backups
        Auditing
        Authentication
        Object Labeling
        Additional Information
Summary of Analysis
Acronyms
Bibliography

Table of Tables

Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers ... 2
Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements ... 4

Tresys Technology i


1 Introduction

Tresys Certifiable Linux Integration Platform (CLIP) is designed to provide a solid foundation for building secure solutions and to facilitate and expedite the certification and accreditation (C&A) of those solutions. This document describes the prototype CLIP toolkit v3.1.0 that targets Red Hat Enterprise Linux 5.3 (RHEL 5.3) to create a system that is compliant with the Security Control Catalog for National Security Systems Instruction 1253 (NSSI-1253v4) [1] High Impact requirement set.

For the security analysis of RHEL 5.3, Tresys has mapped each applicable requirement to operating system functionality. In areas where the operating system requires additional configuration or security policy updates to meet the requirement, the analysis provides details of these changes. The changes include modification of configuration files, tightening of the security policy implementation, turning features of the operating system on or off, installation of new packages, and use of a kickstart file to assist in secure installation. These changes are the basis for the CLIP toolkit.

The CLIP toolkit v3.1.0 for RHEL 5.3 builds on previous toolkit releases and provides an updated SELinux Reference Policy and an updated SELinux toolchain. It includes initial infrastructure for full Security Content Automation Protocol (SCAP) support. With CLIP v3.1.0 for RHEL 5.3, RHEL meets the majority of requirements, allowing developers to make only minor changes to the platform and instead focus their efforts on creating innovative and secure applications.

Security Requirement Set Selection

Tresys focused on the requirement set that represents the most comprehensive and precise requirements relevant for a wide range of cross domain and perimeter defense solutions: the Security Control Catalog for National Security Systems, NSSI-1253v4. Previous versions of the CLIP toolkit included other security requirement sets, including the Department of Defense (DoD) Instruction Number Information Assurance (IA) Implementation MAC I Classified requirements, but the NSSI-1253v4 encompasses those requirements and as such is sufficient on its own.

Analysis Overview

The analysis examined the default configuration for the CLIP toolkit v3.1.0 for RHEL 5.3 against the selected security requirements. For each requirement, the analysis describes the operating system's ability to fulfill the requirement as configured, as well as whether or not the operating system has the capability of fulfilling the requirement. To have the capability means that the system may need, for instance, configuration changes or additional security policy to fulfill a requirement, but that the operating system is capable of supporting these changes. If the CLIP toolkit for RHEL 5.3 includes the modifications to satisfy the requirement (i.e. configuration changes, security policy changes), that requirement is deemed to be satisfied for the purposes of this analysis.

[1] Security Control Catalog for National Security Systems, NSS Instruction No (ODNI/CIO) Draft Version 4, December 2007

This analysis uses the baseline requirements and controls defined in the NSSI-1253v4. It should be noted that the Designated Approval Authority (DAA) determines the requirements and controls that should be applied to a specific system and may take into account many factors, including the environment in which the system will be placed.

Document Organization

The remainder of this document is comprised of the following sections:
- REQUIREMENT SET ANALYSIS
  o NSSI-1253v4 Mapping and Analysis
- SUMMARY OF ANALYSIS
- ACRONYMS
- BIBLIOGRAPHY

2 Requirement Set Analysis

2.1. NSSI-1253v4 Mapping and Analysis

The Security Control Catalog for Committee on National Security Systems 1253 (NSSI-1253v4) contains requirements broken up into seventeen families and categorized into three classes: technical, operational and management. These families are closely related to the seventeen security areas found in the Federal Information Processing Standard 200 (FIPS 200) document, which is used to secure federal information and information systems.

NSSI-1253v4 Mapping Tables

Table 1 lists the identifier and class for each of the families used in the NSSI-1253v4 requirements. A family's class represents the dominant characteristic of that family, but may not represent its only characteristic. Therefore, for example, a family labeled as operational may also have management characteristics. The CLIP toolkit generally addresses the requirements for families in the technical class, which usually are specific to operating system security. Requirements for families in the operational or management classes frequently contain procedural requirements and therefore are outside the scope of the toolkit. However, the CLIP toolkit may also fulfill some of the requirements within families labeled as operational or management that have technical characteristics.

Table 1 NSSI-1253v4 Security Control Classes, Families, and Identifiers

Identifier  Family                                                  Class
AC          Access Control                                          Technical
AT          Awareness and Training                                  Operational
AU          Audit and Accountability                                Technical
CA          Certification, Accreditation, and Security Assessments  Management
CM          Configuration Management                                Operational
CP          Contingency Planning                                    Operational
IA          Identification and Authentication                       Technical
IR          Incident Response                                       Operational
MA          Maintenance                                             Operational
MP          Media Protection                                        Operational
PE          Physical and Environmental Protection                   Operational
PL          Planning                                                Management
PS          Personnel Security                                      Operational
RA          Risk Assessment                                         Management
SA          System and Service Acquisition                          Management
SC          System and Communications Protection                    Technical
SI          System and Information Integrity                        Operational

Table 2 summarizes the coverage of the NSSI-1253v4 requirements. Each row represents an area of responsibility for meeting a specific requirement, including a Requirement Control of the operating system and optionally a Control Enhancement, represented parenthetically. The Requirement Control is the core requirement for a particular area and may have additional associated requirements. These additional associated requirements are called Control Enhancements and enhance the security of the core control. The core control and its enhancements are associated with three impact levels: low, moderate, and high. For each impact level, a control or enhancement is selected if it is required at that impact level; not-selected controls and enhancements may be required on a per-instance basis according to the security needs of that instance. In Table 2 each row represents a unique control and enhancement pair, and the three columns display information about the impact levels for that pair. These results are discussed in detail in the sections following the table.

Table 2 uses the following conventions:
- Selected
- Not Selected
- Meets
- Partially Meets
- Does Not Meet
- Outside Scope [2]

[2] All or part of the requirement falls outside of features that can be provided by the base operating system, and therefore cannot be addressed by the CLIP toolkit.

For partially met or non-capability controls/enhancements, the following letter codes indicate the type of effort required to supplement the base system to satisfy the requirements of that control/enhancement:
- P  Procedural: Organizational procedure is needed to satisfy the requirements. This is used for requirements that deal with the network structure to which the system is attached or the system hardware configuration.
- C  Configuration: The system needs additional configuration changes to fully satisfy the requirement.
- D  Development: Additional applications must be developed and/or installed to satisfy the requirements.

Table 2 The CLIP Toolkit v3.1.0 for RHEL 5.3 Coverage of the NSSI-1253v4 Requirements

Control     Low  Moderate  High
Access Control
AC-1        P    P         P
AC-2        P    P         P
AC-2(1)     P    P         P
AC-2(2)     C    C         C
AC-2(3)     D    D         D
AC-2(4)     P    P         P
AC-2(5)     P    P         P
AC-3        D    D         D
AC-3(1)
AC-3(2)
AC-3(3)

AC-3(4)
AC-3(5)
AC-3(6)
AC-3(7)
AC-4
AC-4(1)
AC-4(2)
AC-4(3)
AC-4(4)     P    P         P
AC-4(5)     P    P         P
AC-4(6)     P    P         P
AC-4(7)     P    P         P
AC-5        P    P         P
AC-6
AC-6(1)     P    P         P
AC-7        C    C         C
AC-7(1)     C    C         C
AC-7(2)
AC-8
AC-9
AC-9(1)     D    D         D
AC-10       C    C         C
AC-11       D    D         D
AC-11(1)    D    D         D

AC-12       C    C         C
AC-12(1)
AC-12(2)
AC-13       P    P         P
AC-13(1)    P    P         P
AC-14       P    P         P
AC-14(1)    P    P         P
AC-15       C    C         C
AC-15(1)    C    C         C
AC-16       C    C         C
AC-17       P    P         P
AC-17(1)
AC-17(2)    D    D         D
AC-17(3)    P    P         P
AC-17(4)    P    P         P
AC-17(5)    C    C         C
AC-17(6)    P    P         P
AC-17(7)    C    C         C
AC-18       P    P         P
AC-18(1)    P    P         P
AC-18(2)    P    P         P
AC-18(3)    P    P         P
AC-18(4)    P    P         P
AC-18(5)    C    C         C

AC-19       P    P         P
AC-19(1)    P    P         P
AC-20       P    P         P
AC-20(1)    P    P         P
AC-21
AC-22       P    P         P
AC-23       P    P         P
AC-23(1)    P    P         P
AC-23(2)
AC-23(3)
AC-23(4)
Awareness and Training
AT-1        P    P         P
AT-2        P    P         P
AT-3        P    P         P
AT-4        P    P         P
AT-5        P    P         P
AT-6        P    P         P
Audit and Accountability
AU-1        P    P         P
AU-1(1)     C    C         C
AU-2        C    C         C
AU-2(1)     C    C         C
AU-2(2)

AU-2(3)     P    P         P
AU-2(4)     C    C         C
AU-2(5)
AU-2(6)     C    C         C
AU-2(7)     C    C         C
AU-2(8)     D    D         D
AU-2(9)     D    D         D
AU-2(10)
AU-3
AU-3(1)
AU-3(2)
AU-3(3)
AU-3(4)
AU-3(5)
AU-4        P    P         P
AU-5        C    C         C
AU-5(1)     C    C         C
AU-5(2)     D    D         D
AU-5(3)     C    C         C
AU-6        P    P         P
AU-6(1)     D    D         D
AU-6(2)     D    D         D
AU-6(3)     P    P         P
AU-6(4)     D    D         D

AU-6(5)     D    D         D
AU-7
AU-7(1)
AU-7(2)     D    D         D
AU-8
AU-8(1)     D    D         D
AU-8(2)     D    D         D
AU-9
AU-9(1)     C    C         C
AU-9(2)     C    C         C
AU-10       C    C         C
AU-10(1)    C    C         C
AU-10(2)
AU-10(3)
AU-10(4)
AU-11       P    P         P
AU-11(1)    P    P         P
AU-11(2)    P    P         P
AU-11(3)    P    P         P
AU-11(4)    P    P         P
AU-12
AU-12(1)
AU-12(2)
Certification, Accreditation, and Security Assessments

CA-1        P    P         P
CA-2        P    P         P
CA-3        P    P         P
CA-4        P    P         P
CA-4(1)     P    P         P
CA-4(2)     P    P         P
CA-4(3)     P    P         P
CA-5        P    P         P
CA-6        P    P         P
CA-7        P    P         P
CA-7(1)     P    P         P
CA-7(2)     P    P         P
Configuration Management
CM-1        P    P         P
CM-2        P    P         P
CM-2(1)     P    P         P
CM-2(2)     P    P         P
CM-2(3)     P    P         P
CM-2(4)     P    P         P
CM-3        C    C         C
CM-3(1)     P    P         P
CM-3(2)     P    P         P
CM-3(3)     P    P         P
CM-4        P    P         P

CM-5        P    P         P
CM-5(1)     P    P         P
CM-5(2)     P    P         P
CM-5(3)     P    P         P
CM-5(4)
CM-6        P    P         P
CM-6(1)     P    P         P
CM-6(2)     P    P         P
CM-7        P    P         P
CM-7(1)     P    P         P
CM-7(2)     C    C         C
CM-8        P    P         P
CM-8(1)     P    P         P
CM-8(2)     P    P         P
Contingency Planning
CP-1        P    P         P
CP-1(1)     P    P         P
CP-2        P    P         P
CP-2(1)     P    P         P
CP-2(2)     P    P         P
CP-2(3)     P    P         P
CP-2(4)     P    P         P
CP-2(5)     P    P         P
CP-2(6)     P    P         P

CP-2(7)     P    P         P
CP-3        P    P         P
CP-3(1)     P    P         P
CP-3(2)     P    P         P
CP-4        P    P         P
CP-4(1)     P    P         P
CP-4(2)     P    P         P
CP-4(3)     P    P         P
CP-4(4)     P    P         P
CP-5        P    P         P
CP-6        P    P         P
CP-6(1)     P    P         P
CP-6(2)     P    P         P
CP-6(3)     P    P         P
CP-6(4)     P    P         P
CP-6(5)     P    P         P
CP-6(6)     P    P         P
CP-7        P    P         P
CP-7(1)     P    P         P
CP-7(2)     P    P         P
CP-7(3)     P    P         P
CP-7(4)     P    P         P
CP-7(5)     P    P         P
CP-7(6)     P    P         P

CP-8        P    P         P
CP-8(1)     P    P         P
CP-8(2)     P    P         P
CP-8(3)     P    P         P
CP-8(4)     P    P         P
CP-9        P    P         P
CP-9(1)     P    P         P
CP-9(2)     P    P         P
CP-9(3)     P    P         P
CP-9(4)     P    P         P
CP-10       P    P         P
CP-10(1)    P    P         P
CP-10(2)    P    P         P
CP-10(3)    P    P         P
Identification and Authentication
IA-1        P    P         P
IA-2
IA-2(1)     C    C         C
IA-2(2)     C    C         C
IA-2(3)     C    C         C
IA-2(4)     C    C         C
IA-2(5)     D    D         D
IA-2(6)     D    D         D
IA-2(7)     C    C         C

IA-2(8)     C    C         C
IA-2(9)     P    P         P
IA-3
IA-3(1)     C    C         C
IA-3(2)     C    C         C
IA-4        P    P         P
IA-4(1)     P    P         P
IA-4(2)     P    P         P
IA-4(3)     P    P         P
IA-4(4)     P    P         P
IA-5        P    P         P
IA-5(1)
IA-5(2)     P    P         P
IA-5(3)     P    P         P
IA-5(4)     C    C         C
IA-5(5)     C    C         C
IA-6
IA-7        D    D         D
Incident Response
IR-1        P    P         P
IR-1(1)     P    P         P
IR-2        P    P         P
IR-2(1)     P    P         P
IR-2(2)     P    P         P

IR-3        P    P         P
IR-3(1)     P    P         P
IR-3(2)     P    P         P
IR-4        P    P         P
IR-4(1)     P    P         P
IR-5        P    P         P
IR-5(1)     P    P         P
IR-6        P    P         P
IR-6(1)     P    P         P
IR-7        P    P         P
IR-7(1)     P    P         P
Maintenance
MA-1        P    P         P
MA-2        P    P         P
MA-2(1)     P    P         P
MA-2(2)     P    P         P
MA-3        P    P         P
MA-3(1)     P    P         P
MA-3(2)     P    P         P
MA-3(3)     P    P         P
MA-3(4)     P    P         P
MA-4        P    P         P
MA-4(1)     P    P         P
MA-4(2)     P    P         P

MA-4(3)     P    P         P
MA-4(4)     P    P         P
MA-4(5)     P    P         P
MA-4(6)     P    P         P
MA-5        P    P         P
MA-5(1)     P    P         P
MA-5(2)     P    P         P
MA-5(3)     P    P         P
MA-5(4)     P    P         P
MA-5(5)     P    P         P
MA-6        P    P         P
MA-6(1)     P    P         P
MA-6(2)     P    P         P
Media Protection
MP-1        P    P         P
MP-2        P    P         P
MP-2(1)     P    P         P
MP-3        P    P         P
MP-3(1)     D    D         D
MP-4        P    P         P
MP-4(1)     P    P         P
MP-4(2)     P    P         P
MP-5        P    P         P
MP-5(1)     P    P         P

MP-5(2)     P    P         P
MP-5(3)     P    P         P
MP-5(4)     P    P         P
MP-6        P    P         P
MP-6(1)     P    P         P
MP-6(2)     P    P         P
MP-6(3)     P    P         P
MP-6(4)     P    P         P
Physical and Environmental Protection
PE-1        P    P         P
PE-2        P    P         P
PE-2(1)     P    P         P
PE-2(2)     P    P         P
PE-3        P    P         P
PE-3(1)     P    P         P
PE-3(2)     P    P         P
PE-3(3)     P    P         P
PE-3(4)     D    D         D
PE-4        P    P         P
PE-5        P    P         P
PE-6        P    P         P
PE-6(1)     P    P         P
PE-6(2)     P    P         P
PE-7        P    P         P

PE-7(1)     P    P         P
PE-7(2)     P    P         P
PE-8        P    P         P
PE-8(1)     P    P         P
PE-8(2)     P    P         P
PE-9        P    P         P
PE-9(1)     P    P         P
PE-9(2)     P    P         P
PE-10       P    P         P
PE-10(1)    P    P         P
PE-11       P    P         P
PE-11(1)    P    P         P
PE-11(2)    P    P         P
PE-12       P    P         P
PE-12(1)    P    P         P
PE-13       P    P         P
PE-13(1)    P    P         P
PE-13(2)    P    P         P
PE-13(3)    P    P         P
PE-13(4)    P    P         P
PE-14       P    P         P
PE-14(1)    P    P         P
PE-15       P    P         P
PE-15(1)    P    P         P

PE-16       P    P         P
PE-17       P    P         P
PE-18       P    P         P
PE-18(1)    P    P         P
PE-19       P    P         P
PE-19(1)    P    P         P
PE-20       P    P         P
PE-20(1)    P    P         P
PE-20(2)    P    P         P
PE-20(3)    P    P         P
PE-21       P    P         P
Planning
PL-1        P    P         P
PL-2        P    P         P
PL-2(1)     P    P         P
PL-2(2)     P    P         P
PL-2(3)     P    P         P
PL-3        P    P         P
PL-4        P    P         P
PL-5        P    P         P
PL-6        P    P         P
Personnel Security
PS-1        P    P         P
PS-2        P    P         P

PS-3        P    P         P
PS-3(1)     P    P         P
PS-3(2)     P    P         P
PS-4        P    P         P
PS-5        P    P         P
PS-6        P    P         P
PS-6(1)     P    P         P
PS-6(2)     P    P         P
PS-7        P    P         P
PS-7(1)     P    P         P
PS-8        P    P         P
Risk Assessment
RA-1        P    P         P
RA-2        P    P         P
RA-3        P    P         P
RA-4        P    P         P
RA-5        P    P         P
RA-5(1)     P    P         P
RA-5(2)     P    P         P
RA-5(3)     P    P         P
RA-5(4)     P    P         P
RA-5(5)     P    P         P
System and Services Acquisition
SA-1        P    P         P

SA-2        P    P         P
SA-3        P    P         P
SA-4        P    P         P
SA-4(1)     P    P         P
SA-4(2)     P    P         P
SA-4(3)     P    P         P
SA-4(4)     P    P         P
SA-4(5)     P    P         P
SA-4(6)     P    P         P
SA-4(7)     P    P         P
SA-4(8)     P    P         P
SA-5        P    P         P
SA-5(1)     P    P         P
SA-5(2)     P    P         P
SA-5(3)     P    P         P
SA-5(4)     P    P         P
SA-5(5)     P    P         P
SA-5(6)     P    P         P
SA-5(7)     P    P         P
SA-6        P    P         P
SA-6(1)     P    P         P
SA-6(2)     P    P         P
SA-7        C    C         C
SA-8        P    P         P

SA-9        P    P         P
SA-9(1)     P    P         P
SA-10       P    P         P
SA-10(1)
SA-11       P    P         P
SA-11(1)    P    P         P
SA-11(2)    P    P         P
SA-11(3)    P    P         P
SA-12       P    P         P
SA-12(1)    P    P         P
SA-12(2)    P    P         P
SA-12(3)    P    P         P
SA-12(4)    P    P         P
SA-12(5)    P    P         P
System and Communications Protection
SC-1        P    P         P
SC-1(1)     P    P         P
SC-2
SC-3
SC-3(1)
SC-3(2)
SC-3(3)
SC-3(4)
SC-3(5)

SC-4
SC-5        D    D         D
SC-5(1)     D    D         D
SC-5(2)     D    D         D
SC-5(3)     D    D         D
SC-6
SC-7        C    C         C
SC-7(1)     P    P         P
SC-7(2)     P    P         P
SC-7(3)     P    P         P
SC-7(4)     P    P         P
SC-7(5)
SC-7(6)     P    P         P
SC-7(7)     P    P         P
SC-7(8)     P    P         P
SC-7(9)     C    C         C
SC-8        C    C         C
SC-8(1)     P    P         P
SC-8(2)     C    C         C
SC-9        C    C         C
SC-9(1)     P    P         P
SC-9(2)
SC-9(3)     C    C         C
SC-9(4)

SC-9(5)     C    C         C
SC-10       D    D         D
SC-11       D    D         D
SC-12       P    P         P
SC-12(1)    P    P         P
SC-12(2)    P    P         P
SC-12(3)    P    P         P
SC-12(4)    P    P         P
SC-13
SC-14
SC-15
SC-15(1)    P    P         P
SC-15(2)    C    C         C
SC-15(3)    P    P         P
SC-16
SC-16(1)    C    C         C
SC-16(2)    D    D         D
SC-17       P    P         P
SC-18       P    P         P
SC-18(1)    P    P         P
SC-18(2)    D    D         D
SC-19       P    P         P
SC-20       D    D         D
SC-20(1)    C    C         C

SC-21       D    D         D
SC-21(1)    D    D         D
SC-22       C    C         C
SC-23
System and Information Integrity Policy and Procedures
SI-1        P    P         P
SI-2        P    P         P
SI-2(1)     P    P         P
SI-2(2)     P    P         P
SI-2(3)     P    P         P
SI-3        D    D         D
SI-3(1)     P    P         P
SI-3(2)     D    D         D
SI-3(3)     P    P         P
SI-3(4)     P    P         P
SI-3(5)     P    P         P
SI-3(6)     C    C         C
SI-3(7)     P    P         P
SI-3(8)     D    D         D
SI-4        P    P         P
SI-4(1)     P    P         P
SI-4(2)     P    P         P
SI-4(3)     P    P         P
SI-4(4)     D    D         D

SI-4(5)     D    D         D
SI-4(6)     D    D         D
SI-4(7)     C    C         C
SI-4(8)     P    P         P
SI-5        P    P         P
SI-5(1)     P    P         P
SI-6        C    C         C
SI-6(1)     P    P         P
SI-6(2)     P    P         P
SI-7        C    C         C
SI-7(1)     P    P         P
SI-7(2)     P    P         P
SI-7(3)     P    P         P
SI-8        D    D         D
SI-8(1)     P    P         P
SI-8(2)     D    D         D
SI-8(3)     P    P         P
SI-8(4)     P    P         P
SI-8(5)     P    P         P
SI-8(6)     D    D         D
SI-9
SI-10       D    D         D
SI-11       D    D         D
SI-12       P    P         P

NSSI-1253v4 Analysis

This section examines each of the NSSI-1253v4 security requirements. The analysis is divided into 17 sections, one for each family:

1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation and Security
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. System and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity

Each individual requirement is presented, followed by an analysis of the capability of RHEL 5.3 and the CLIP toolkit to meet the requirement, provided in the shaded boxed text. Each analysis explains whether the requirement is met, partially met, cannot be met, or is outside the scope of the base platform.

Access Control

AC-1 Access Control Policies and Procedures

LOW: AC-1   MODERATE: AC-1   HIGH: AC-1

Control: The organization develops, disseminates, and periodically reviews/updates:
a) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Supplemental Guidance: The access control policy and procedures are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards and guidance. The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular information system when required.

Control Enhancements: None

Control - Outside Scope (Procedural)

AC-2 Account Management

LOW: AC-2(5)   MODERATE: AC-2 (1)(2)(3)(4)(5)   HIGH: AC-2 (1)(2)(3)(4)(5)

Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization will:
a) Reviews information system accounts [Assignment: organization-defined frequency], or at least annually.
b) Identifies authorized users of the information system accounts and specifies access rights/privileges.
c) Requires proper identification for requests to establish information system accounts and approves all such requests.
d) Authorizes and monitors the use of guest/anonymous accounts and removes, disables or otherwise secures unnecessary accounts.
e) Notify account managers when information system users are terminated or transferred and associated accounts are removed, disabled or otherwise secured.
f) Notify account managers when users' information system usage or need-to-know/need-to-share changes.

Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization should consider the following aspects when granting access to the information and information systems: (i) a valid access authorization that is determined by assigned official duties and satisfying all personnel security criteria and (ii) intended system usage.

Control Enhancements:
1) The organization employs automated mechanisms to support the management of information system accounts.

2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account], not to exceed 72 hours.
3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period], not to exceed 30 days.
4) The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
5) The organization establishes and administers all privileged user accounts in accordance with a role based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web administration). The Information System Security Manager (ISSM) / Information Assurance Manager (IAM) tracks privileged role assignments.

Control - Outside Scope (Procedural)

Control Enhancement 1 - Outside Scope (Procedural)

Control Enhancement 2 - Partially Meets Requirement (Configuration)
Linux user management allows an expiration date to be set for an account. This could be used when creating temporary or emergency accounts to terminate them after some period of time.

Control Enhancement 3 - Partially Meets Requirement (Development)
Linux user management tools could be updated to monitor account inactivity (i.e., last login) and disable an account after the given period of inactivity.

Control Enhancement 4 - Outside Scope (Procedural)
These requirements are procedural in nature and are outside the scope of the base platform.

Control Enhancement 5 - Partially Meets Requirement (Procedural)
Standard Linux DAC with SELinux policy separates user roles for privileged and non-privileged accounts.

AC-3 Access Enforcement

LOW: AC-3   MODERATE: AC-3 (1) (2)   HIGH: AC-3 (1) (2)

Control: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is largely dependent upon the classification level of the information. Related security controls: AC-16, AC-21, SC-13.

Control Enhancements:
1) The information system restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel.
Enhancement Supplemental Guidance: Explicitly authorized personnel include, for example, security administrators, system and network administrators, and other privileged users. Privileged users are individuals who have access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers).
2) The Discretionary Access Control (DAC) policies of the information system are implemented and configured to ensure only authorized users are able to perform security functions. The enforcement mechanism shall allow users to specify and control sharing by named individuals or groups of individuals, or by both, and shall provide controls to limit propagation of access rights. The DAC mechanism shall, either by explicit user action or by default, provide that information is protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user.
3) The information system implements [and configures] and enforces a Role Based Access Control (RBAC) policy over all users and resources that ensures that access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role.
4) The information system implements [and configures] and enforces a MAC policy over all subjects and objects under its control to ensure that each user receives only that information to which the user is authorized access based on classification of the information, user clearance, and need-to-know. The information system assigns labels/security domains/types to subjects and objects, and uses these labels as the basis for MAC decisions.
5) The security policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification and deletion.
6) The MAC policies of the information system are implemented and configured to protect security relevant objects from unauthorized access, modification, and deletion.
7) The security policies of the information system are implemented and configured to ensure only authorized users are able to perform security functions.

34 Control Partially Meets Requirement Development Traditional Linux DAC permissions control user, group, and world access. SELinux MAC allows system administrators to create defined access for users within the system. Although CLIP meets this requirement for the base platform, enforcement at the application level is outside scope. Control Enhancement 1 Meets Requirement Traditional Linux DAC permissions combined with CLIP SELinux policy enforce a least privilege model that restricts users to only the information explicitly allowed. Control Enhancement 2 Meets Requirement The default CLIP system is designed to meet the STIGs which addresses this requirement. Control Enhancement 3- Meets Requirement SELinux implements RBAC, thereby meeting this requirement. Control Enhancement 4- Meets Requirement MAC enforcement is provided by the standard CLIP SELinux policy. Control Enhancement 5 Meets Requirement Traditional Linux DAC permissions combined with SELinux policy restricts the access to authorized users for read and/or modification of security related objects. Control Enhancement 6 Meets Requirement The SELinux labels on all objects are check for any access to the object and only the access explicitly granted in the policy is permitted. Control Enhancement 7 Meets Requirement Traditional Linux DAC permissions combined with SELinux policy restricts the execution of applications or tools performing security functions to authorized users. AC-4 Information Flow Enforcement LOW: AC- 4 MODERATE: AC- 4 (2) HIGH: AC-4 (2) Control: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. 
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and within explicit regard to subsequent access to that information. A few, of many, generalized examples of possible restrictions that are better expressed as flow control that access control are: keeping export controlled information from being transmitted in the clear to the Internet, clocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the Tresys Technology 31

35 internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destination (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/ or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability. Related security control: SC-7. 1) The information system implements information flow control enforcement using explicit labels on information, source, and destination objects as a basis for flow control decisions. Enhancement Supplemental Guidance: Information flow control enforcement using explicit labels is used, for example, to control the release of certain types of information. The controlled interface (CI) examines the label of all data (data content and data structure) traversing the CI and reacts appropriately (e.g., block, quarantine, send alert to the administrator, etc.) when it encounters data not explicitly allowed by the configured transfer policy. Examples of data content and or data structure transfers that should not be allowed include, but are not limited to: sending a high classification object to low classification domain, sending a high classification object to a user with a low classification clearance, attempting to cut and paste text from a high classification terminal window into a terminal window with a low classification, etc. 2) The information system implements information flow control enforcement using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. 
3) The information system implements information flow control enforcement using dynamic security policy mechanisms as a basis for flow control decisions. 4) The information system implements information flow control enforcement using [Assignment: organization-defined security policy mechanisms] security policy mechanisms as a basis for flow control decisions. Enhancement Supplemental Guidance: Examples of organization-defined security policy mechanisms (i.e., filters) include dirty word filter, file type checking filter, structured data filter, unstructured data filter, metadata content filter, and hidden content filter. Structured data permits the interpretation of its content by virtue of atomic elements that are understandable by an application and indivisible. Unstructured data refers to masses of (usually) computerized information that either (1) do not have a data structure or (2) have a data structure that is not easily readable by a machine. Unstructured data consists of two basic categories: (1) bitmap objects: inherently non-language based, such as image, video, or audio files; (2) textual objects: based on a written or printed language, such as Microsoft Word documents, Microsoft Excel documents, or s. 5) The information system enforces the use of human review for [Assignment: organization-defined security policy mechanisms] security policy mechanisms when it is not capable of making a policy flow control decision. Tresys Technology 32

6) The information system provides the capability for an appropriately privileged administrator to enable/disable [Assignment: organization-defined security policy mechanisms] security policy mechanisms.

7) The information system provides the capability for an appropriately privileged administrator to configure the [Assignment: organization-defined security policy mechanisms] security policy mechanisms to support different security policies.

Enhancement Supplemental Guidance: For example, to reflect changes in security policy, the administrator will have the capability to change the list of dirty words that the organization-defined dirty word policy mechanism checks against.

Control: Meets Requirement
SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions that enforce information flow. Labels are assigned to IP addresses to control information flow between interconnected systems.

Control Enhancement 1: Meets Requirement
SELinux MAC assigns labels to all subjects and objects on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems. Additionally, SELinux supports labeled IPsec, which controls communications between systems. Only systems that have equivalent security labels assigned to security associations can communicate with each other. Another benefit of labeled IPsec is that all communications are encrypted; this ensures confidentiality and integrity during data transit.

Control Enhancement 2: Meets Requirement
SELinux MAC assigns labels to all domains on a system and uses those labels to make access decisions. Labels are assigned to network interfaces, IP addresses, and port numbers to control information flow between interconnected systems.

Control Enhancement 3: Meets Requirement
SELinux features Booleans that are used to dynamically enable or disable parts of the policy.

Control Enhancement 4: Partially Meets Requirement (Procedural)
SELinux assigns labels to all subjects and objects on a system and uses those labels to make access decisions, including flow control decisions. The SELinux policy may need to be configured to meet organizational policy decisions.

Control Enhancement 5: Outside Scope (Procedural)
This requirement is procedural in nature and is outside the scope of the base system.

Control Enhancement 6: Partially Meets Requirement (Procedural)
SELinux policy and user controls can limit the enabling/disabling of security mechanisms to sufficiently privileged users.

Control Enhancement 7: Partially Meets Requirement (Procedural)
SELinux policy and user controls can limit the ability to change security policies to sufficiently privileged users.

AC-5 Separation of Duties
LOW: AC-5  MODERATE: AC-5  HIGH: AC-5

Control: The information system enforces separation of duties through assigned access authorizations. The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. Access control software resides on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion.

Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network

Control Enhancements: None.

Control: Partially Meets Requirement (Configuration)
SELinux policy can enforce divisions of responsibility based on roles and type enforcement. The organization can take the various divisions or roles within the organization and create an SELinux policy that grants the appropriate privileges to those divisions through the policy.

AC-6 Least Privilege
LOW: AC-6 (1)  MODERATE: AC-6 (1)  HIGH: AC-6 (1)

Control: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Supplemental Guidance: The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.
Control Enhancement:

1) The organization ensures that privileged accounts are created for users to perform privileged functions only; that is, privileged users use non-privileged accounts for all non-privileged functions.

Control: Meets Requirement
Security Enhanced Linux (SELinux) denies all interactions between subjects and objects except for those that are permitted by the security policy. The CLIP SELinux policy fulfills this requirement by allowing only the least amount of privilege needed for a user to perform their tasks. Users are also placed into roles such as the system, staff, and basic user roles. SELinux enforces access through these roles and the associated types. Because SELinux implements Mandatory Access Control (MAC), all access is denied unless explicitly allowed; in addition, these denials are logged to the audit subsystem.

Control Enhancement 1: Partially Meets Requirement (Procedural)
Administrators in SELinux can use the newrole command to switch into a more privileged role (sysadm_r and secadm_r) to perform privileged functions.

AC-7 Unsuccessful Logon Attempts
LOW: AC-7  MODERATE: AC-7 (2)  HIGH: AC-7 (1)

Control: The information system enforces a limit of consecutive invalid access attempts [Assignment: organization-defined number, or a maximum of 3] by a user during a [Assignment: organization-defined time period, or at least 15 minutes]. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period, at least 10 minutes]; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. This control also applies to remote access logon attempts.

Supplemental Guidance: Due to the potential for denial of service, automatic lockouts initiated by the information system are usually temporary and automatically release after a predetermined time period established by the organization. The delay algorithm discussed in the control is dependent upon the operating system or remote access solution in place at that organization.

Control Enhancements:

1) The information system enforces a limit of 3 consecutive invalid access attempts by a user. The account remains locked until released by an authorized administrator.

2) The information system enforces a limit of 3 consecutive invalid access attempts by a user.
The account remains locked for a period of 15 minutes or more.

Control: Partially Meets Requirement (Configuration)
The PAM library and associated modules offer fine-grained control over such parameters as the timeout value, the number of retries, and the action to perform on unsuccessful login attempts. The /var/log/messages file contains information about logins to the system as well as information about users who have already logged in and changed to different users (e.g., using the su command to become root).

Control Enhancement 1: Partially Meets Requirement (Configuration)
The pam_tally module, part of the PAM library included in CLIP, allows a user to be denied access after three failed login attempts; the account then remains locked for 15 minutes. If 15 minutes have not elapsed, an administrator must reset the account. The configuration can be changed to remove the 15-minute lock so that only an administrator can unlock the account.

Control Enhancement 2: Meets Requirement
The pam_tally module, part of the PAM library included in CLIP, allows a user to be denied access after three failed login attempts; the account then remains locked for 15 minutes. If 15 minutes have not elapsed, an administrator must reset the account. The PAM library and associated modules offer fine-grained control over such parameters as the timeout value, the number of retries, and the action to perform on unsuccessful login attempts.

AC-8 System Use Notification
LOW: AC-8  MODERATE: AC-8  HIGH: AC-8

Control: The information system displays an approved system use notification message before granting system access, informing potential users that:
a. The user is accessing a U.S. Government information system;
b. System usage may be monitored, recorded, and subject to audit;
c. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
d. Use of the system indicates consent to monitoring and recording.
The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.

Supplemental Guidance: Privacy and security policies are consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notification messages can be implemented in the form of warning banners displayed when individuals log in to the information system. For publicly accessible systems: (i) the system use information is available and, when appropriate, is displayed before granting access; (ii) any references to monitoring, recording, or auditing are in keeping with privacy accommodations for such systems that generally prohibit those activities; and (iii) the notice given to public users of the information system includes a description of the authorized uses of the system.

Control Enhancements: None.

Control: Meets Requirement
The /etc/issue file can be used to give an unauthenticated user a message before logging into the system. The Message of the Day (MOTD) can be used to give messages to authenticated users. The May 2008 DoD Consent to Monitor banner is provided by the CLIP KickStart file.
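The AC-7 analysis above relies on pam_tally's deny and unlock_time settings. The following shell script is an added example, not part of the CLIP toolkit or of this analysis; it audits a PAM stack for those two settings and classifies the result against AC-7 enhancements 1 and 2. The system-auth stack embedded in it is constructed for the example (a real check would read /etc/pam.d/system-auth); only options documented in pam_tally(8) are used, and the thresholds (3 attempts, 900 seconds) are taken from the control text.

```shell
#!/bin/sh
# Added example (not from the Tresys CLIP toolkit): audit a PAM configuration
# for the AC-7 lockout settings. The sample stack below is constructed for
# this example; on a RHEL 5 system the lines live in /etc/pam.d/system-auth.

# Constructed sample: a stack that locks after three failures and releases
# the lock after 900 seconds (15 minutes).
SAMPLE_SYSTEM_AUTH='auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=900 no_magic_root even_deny_root_account
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally.so
account     required      pam_unix.so'

# pam_tally_option CONFIG_TEXT OPTION
# Prints the value of OPTION (e.g. deny) from the first "auth ... pam_tally.so"
# line in CONFIG_TEXT, or nothing if the option is absent.
pam_tally_option() {
    printf '%s\n' "$1" |
        awk -v opt="$2" '
            $1 == "auth" && $3 == "pam_tally.so" {
                for (i = 4; i <= NF; i++) {
                    split($i, kv, "=")
                    if (kv[1] == opt) { print kv[2]; exit }
                }
            }'
}

# assess_lockout CONFIG_TEXT
# Prints one of:
#   admin-unlock   locks after <=3 failures, no automatic release (AC-7 enh. 1)
#   timed-unlock   locks after <=3 failures, releases after >=15 min (AC-7 enh. 2)
#   weak           a tally line is present but its limits do not meet AC-7
#   missing        no pam_tally auth line at all
assess_lockout() {
    deny=$(pam_tally_option "$1" deny)
    unlock=$(pam_tally_option "$1" unlock_time)
    has_tally=$(printf '%s\n' "$1" |
        awk '$1 == "auth" && $3 == "pam_tally.so" { print "yes"; exit }')

    if [ -z "$has_tally" ]; then
        echo missing
        return 0
    fi
    # deny= absent means the module only counts; a limit above 3 exceeds AC-7.
    if [ -z "$deny" ] || [ "$deny" -gt 3 ]; then
        echo weak
        return 0
    fi
    # Without unlock_time the lock persists until an administrator resets the
    # tally; with it, the lock must last at least 900 seconds.
    if [ -z "$unlock" ]; then
        echo admin-unlock
    elif [ "$unlock" -ge 900 ]; then
        echo timed-unlock
    else
        echo weak
    fi
}

# Usage: assess the constructed sample; for a live system use
#   assess_lockout "$(cat /etc/pam.d/system-auth)"
assess_lockout "$SAMPLE_SYSTEM_AUTH"
```

The script reports the lockout mode rather than a bare pass/fail because AC-7 enhancements 1 and 2 differ only in whether the lock releases on its own; dropping unlock_time is exactly the change the analysis describes for administrator-only unlock.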

AC-9 Previous Logon Notification
LOW: AC-9  MODERATE: AC-9  HIGH: AC-9

Control: The information system notifies the user, upon successful logon, of the date and time of the last logon.

Supplemental Guidance: None.

Control Enhancement:

1) The information system notifies the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

Control: Meets Requirement
This requirement is met by a standard Linux system. The information system notifies the user, upon successful logon, of the date and time of the last logon.

Control Enhancement 1: Partially Meets Requirement (Development)
Adding a call to faillog in /etc/profile provides each user a display of the failed login attempts. In addition, pam_tally can be used to display user login counts.

AC-10 Concurrent Session Control
LOW: Tailoring  MODERATE: AC-10  HIGH: AC-10

Control: The information system limits the number of concurrent sessions for any user to [Assignment: organization-defined number, or a maximum of three (3), sessions].

Supplemental Guidance: For purposes of this control, concurrent sessions are defined as when a user is logged onto an information system more than once.

Control Enhancements: None.

Control: Partially Meets Requirement (Configuration)
The PAM library and associated modules, specifically the pam_limits.so module, offer fine-grained control over such parameters as the maximum number of logins.

AC-11 Session Lock
LOW: AC-11 (1)  MODERATE: AC-11 (1)  HIGH: AC-11 (1)

Control: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period, not to exceed 30 minutes] of inactivity, and the session lock remains in effect until the user reestablishes access using appropriate identification and authentication procedures.

Supplemental Guidance: Users can directly initiate session lock mechanisms. A session lock is not a substitute for logging out of the information system. Organization-defined time periods of inactivity shall comply with federal policy; for example, in accordance with OMB Memorandum 06-16, the organization-defined time period is no greater than 30 minutes for remote access and portable devices.

Control Enhancement:

1) The information system associates a workstation screen-lock functionality with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out unless a mechanism actually logs out the user when the user idle time is exceeded.

Control: Partially Meets Requirement (Development)
The vlock package can be installed to meet this requirement. vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock blanks and locks the console; the console can be unlocked by entering the appropriate password.

Control Enhancement 1: Partially Meets Requirement (Development)
The vlock package can be installed to meet this requirement. vlock can be configured to lock the user console after a specified period of inactivity. When the predefined period of inactivity has been reached, vlock blanks and locks the console; the console can be unlocked by entering the appropriate password.

AC-12 Session Termination
LOW: AC-12 (1)  MODERATE: AC-12 (1)  HIGH: AC-12 (1) (2)

Control: The information system automatically terminates a remote session after [Assignment: organization-defined time period, not to exceed 60 minutes] of inactivity.

Supplemental Guidance: A remote session is initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet or some other network that is outside the control of the organization that owns/controls the information system). An organization's on-campus inter-building sessions are not considered remote sessions unless part of the session traverses networks that are not under the control of (i.e., authorized by) the organization.

Control Enhancements:

1) Automatic session termination applies to local and remote sessions.

2) The time period will not exceed 30 minutes.

Control: Partially Meets Requirement (Configuration)
The Linux subsystem, specifically /etc/profile, sets a default timeout value of 15 minutes for a session.

Control Enhancement 1: Meets Requirement
The Linux subsystem, specifically /etc/profile, sets a default timeout value for all sessions, local and remote.

Control Enhancement 2: Meets Requirement
The CLIP KickStart file contains operating system configuration settings that enforce idle session termination after 15 minutes.

AC-13 Supervision and Review - Access Control
LOW: AC-13  MODERATE: AC-13 (1)  HIGH: AC-13 (1)

Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. The organization reviews audit records (e.g., user activity) for inappropriate activities in accordance with organizational policies. The organization investigates any unusual information system-related activities and periodically reviews changes to access authorizations. The organization reviews more frequently the activities of users with significant information system roles and responsibilities. The extent of the audit record reviews is based on the Impact Levels of the information system.

Supplemental Guidance: For example, for low-impact systems, it is not intended that security logs be reviewed frequently for every workstation, but rather at central points such as a web proxy or servers and when specific circumstances warrant review of other audit records. Related security control: AU-6.

Control Enhancement:

1) The organization employs automated mechanisms to facilitate the review of user activities.

Control Enhancement 1: Partially Meets Requirement (Procedural)
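The AC-9, AC-10 and AC-12 analyses above all come down to a few lines in /etc/profile (the faillog call and the TMOUT idle timeout) and in /etc/security/limits.conf (the pam_limits maxlogins entry). The following shell script is an added example, not part of the CLIP toolkit or of this analysis, that checks constructed samples of those two files against the thresholds the controls state: TMOUT set, read-only and no greater than 1800 seconds (30 minutes, AC-12 enhancement 2; CLIP itself uses 15 minutes), a faillog call present (AC-9 enhancement 1), and a hard maxlogins of at most 3 for all users (AC-10). The sample file contents and the choice of `faillog -u` are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Tresys CLIP toolkit): audit the session settings
# behind AC-9, AC-10 and AC-12 on constructed samples of /etc/profile and
# /etc/security/limits.conf.

# Constructed sample of the relevant lines from a CLIP-style /etc/profile.
SAMPLE_PROFILE='# idle session termination (AC-12)
TMOUT=900
readonly TMOUT
export TMOUT
# show the failed-login record at logon (AC-9 enhancement 1)
faillog -u "$USER"'

# Constructed sample of /etc/security/limits.conf as read by pam_limits.
SAMPLE_LIMITS='#<domain>   <type>  <item>      <value>
*           hard    maxlogins   3
*           hard    core        0'

# profile_tmout PROFILE_TEXT
# Prints the TMOUT value assigned in the profile (the last assignment wins,
# as it would in the shell), or nothing if TMOUT is never assigned.
profile_tmout() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*(export[ \t]+)?TMOUT=/ { gsub(/[^0-9]/, "", $2); v = $2 }
        END { print v }'
}

# profile_tmout_readonly PROFILE_TEXT
# Prints yes if TMOUT is declared read-only, so a user cannot unset it.
profile_tmout_readonly() {
    printf '%s\n' "$1" |
        awk '$1 == "readonly" && $2 ~ /^TMOUT(=|$)/ { print "yes"; exit }'
}

# profile_calls_faillog PROFILE_TEXT: prints yes if faillog is invoked.
profile_calls_faillog() {
    printf '%s\n' "$1" | awk '$1 == "faillog" { print "yes"; exit }'
}

# limits_maxlogins LIMITS_TEXT
# Prints the maxlogins value that applies to all users ("*" domain) as a hard
# limit (type "hard" or "-"), or nothing if none is set.
limits_maxlogins() {
    printf '%s\n' "$1" | awk '
        $1 == "*" && ($2 == "hard" || $2 == "-") && $3 == "maxlogins" { print $4; exit }'
}

# assess_sessions PROFILE_TEXT LIMITS_TEXT
# Prints "ok", or the space-separated names of the checks that fail:
#   tmout      TMOUT unset, zero, or above 1800 seconds
#   readonly   TMOUT not read-only, so a user could disable the timeout
#   faillog    no faillog call, so failed attempts are not shown at logon
#   maxlogins  no hard maxlogins of 3 or fewer for all users
assess_sessions() {
    failures=""
    t=$(profile_tmout "$1")
    if [ -z "$t" ] || [ "$t" -le 0 ] || [ "$t" -gt 1800 ]; then
        failures="$failures tmout"
    fi
    [ "$(profile_tmout_readonly "$1")" = yes ] || failures="$failures readonly"
    [ "$(profile_calls_faillog "$1")" = yes ] || failures="$failures faillog"
    m=$(limits_maxlogins "$2")
    if [ -z "$m" ] || [ "$m" -gt 3 ]; then
        failures="$failures maxlogins"
    fi
    if [ -z "$failures" ]; then
        echo ok
    else
        echo "${failures# }"
    fi
}

# Usage: check the constructed samples; for a live system use
#   assess_sessions "$(cat /etc/profile)" "$(cat /etc/security/limits.conf)"
assess_sessions "$SAMPLE_PROFILE" "$SAMPLE_LIMITS"
```

The read-only check matters more than it looks: a TMOUT that is exported but not read-only is enforced only until the user runs `unset TMOUT`, so the KickStart setting alone would not guarantee the termination AC-12 expects.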

AC-14 Permitted Actions without Identification or Authentication
LOW: AC-14  MODERATE: AC-14 (1)  HIGH: AC-14 (1)

Control: The organization identifies and documents specific user actions that can be performed on the information system without identification or authentication.

Supplemental Guidance: The organization allows limited user activity without identification and authentication for public websites or other publicly available information systems (e.g., individuals accessing a federal information system at [address omitted in source]). Another instance where identification and authentication is not required would be individuals already authenticated to the LAN who can then do a search on the Web site without additional identification and authentication. Related security control: IA-2.

Control Enhancement:

1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission objectives (e.g., weapons system).

Control Enhancement 1: Outside Scope (Procedural)

AC-15 Automated Marking
LOW: Tailoring  MODERATE: AC-15  HIGH: AC-15 (1)

Control: The information system marks output to identify any special dissemination, handling, or distribution instructions.

Supplemental Guidance: Automated marking refers to markings employed on external media (e.g., hardcopy documents output from the information system). The markings used in external marking are distinguished from the labels used on internal data structures described in AC-16.

Control Enhancement:

1) The information system will invoke marking procedures and mechanisms to ensure that either the user or the system marks all data transmitted or stored by the system to reflect the classification and sensitivity of the data (e.g., classification level, classification category, and handling caveats). Markings shall be retained with the data.

Control: Partially Meets Requirement (Configuration)


DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.

More information

Handbook Webinar

Handbook Webinar 800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

The Notes to Reviewers in the February 2012 initial public draft of Revision 4 of SP states: Major Enhancements to NIST SP 800-53 Revision 4 BD Pro The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states: "The proposed changes included in Revision 4

More information

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C) DIACAP and the GIG IA Architecture 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) 210-9252417 (C) 210-396-0254 jwierum@cygnacom.com OMB Circular A-130 (1996) OMB A-130 required systems and applications

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

<Document Title> INFORMATION SECURITY POLICY

<Document Title> INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY 2018 DOCUMENT HISTORY DATE STATUS VERSION REASON NAME 24.03.2014 Draft 0.1 First draft Pedro Evaristo 25.03.2014 Draft 0.2 Refinement Pedro Evaristo 26.03.2014

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

Catalog of Control Systems Security: Recommendations for Standards Developers. September 2009

Catalog of Control Systems Security: Recommendations for Standards Developers. September 2009 Catalog of Control Systems Security: Recommendations for Standards Developers September 2009 2.7.11.2 Supplemental Guidance Electronic signatures are acceptable for use in acknowledging rules of behavior

More information

FISMA Compliance. with O365 Manager Plus.

FISMA Compliance. with O365 Manager Plus. FISMA Compliance with O365 Manager Plus www.o365managerplus.com About FISMA The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) Page 1 of 7 Section O Attach 2: SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013) 252.204-7012 Safeguarding of Unclassified Controlled Technical Information. As prescribed in 204.7303,

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

CSAM Support for C&A Transformation

CSAM Support for C&A Transformation CSAM Support for C&A Transformation Cyber Security Assessment and Management (CSAM) 1 2 3 4 5 Five Services, One Complete C&A Solution Mission/Risk-Based Policy & Implementation/Test Guidance Program Management

More information

Executive Order 13556

Executive Order 13556 Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program

More information

NIST SP Controls

NIST SP Controls NIST SP 800-53 Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About FISMA / NIST The Federal Information Security Management Act of 2002 (commonly abbreviated to FISMA) is

More information

W H IT E P A P E R. Salesforce Security for the IT Executive

W H IT E P A P E R. Salesforce Security for the IT Executive W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login

More information

Meeting RMF Requirements around Compliance Monitoring

Meeting RMF Requirements around Compliance Monitoring Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on

More information

CYBER SECURITY POLICY REVISION: 12

CYBER SECURITY POLICY REVISION: 12 1. General 1.1. Purpose 1.1.1. To manage and control the risk to the reliable operation of the Bulk Electric System (BES) located within the service territory footprint of Emera Maine (hereafter referred

More information

Information Security for Mail Processing/Mail Handling Equipment

Information Security for Mail Processing/Mail Handling Equipment Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director

More information

READ ME for the Agency ATO Review Template

READ ME for the Agency ATO Review Template READ ME for the Agency ATO Review Template Below is the template that the FedRAMP Program Management Office (PMO) uses when reviewing an Agency ATO package. Agencies and CSPs should be cautious to not

More information

Sparta Systems TrackWise Digital Solution

Sparta Systems TrackWise Digital Solution Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

Sparta Systems TrackWise Solution

Sparta Systems TrackWise Solution Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA

More information

Network Security Policy

Network Security Policy Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

Part 11 Compliance SOP

Part 11 Compliance SOP 1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document

More information

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

EXABEAM HELPS PROTECT INFORMATION SYSTEMS WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,

More information

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s) A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Access Management Access management enforces the policies that define the actions that an entity may or may not perform

More information

Evolving Cybersecurity Strategies

Evolving Cybersecurity Strategies Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Message Networking 5.2 Administration print guide

Message Networking 5.2 Administration print guide Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do

More information

CIP Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security System Security Management 2. Number: CIP-007-5 3. Purpose: To manage system security by specifying select technical, operational, and procedural requirements in

More information

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook NIST MEP CYBERSECURITY Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in response to DFARS Cybersecurity Requirements Table of Contents Disclaimer...8 Acknowledgements...8

More information

NIST Security Certification and Accreditation Project

NIST Security Certification and Accreditation Project NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive

More information

ENTS 650 Network Security. Dr. Edward Schneider

ENTS 650 Network Security. Dr. Edward Schneider ENTS 650 Network Security Dr. Edward Schneider http://www.ece.umd.edu/class/ents650/ Schneide@umd.edu Stallings. Cryptography and Network Security, 4e. Prentice-Hall. 2006. NIST Special Pubs: csrc.nist.gov/publications/pubssps.html

More information

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security

More information

Client Computing Security Standard (CCSS)

Client Computing Security Standard (CCSS) Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix VMware vcloud Air SOC 1 Control Objectives/Activities Matrix VMware vcloud Air goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a

More information

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite

PA-DSS Implementation Guide for Sage MAS 90 and 200 ERP. and Sage MAS 90 and 200 Extended Enterprise Suite for Sage MAS 90 and 200 ERP Versions 4.30.0.18 and 4.40.0.1 and Sage MAS 90 and 200 Extended Enterprise Suite Versions 1.3 with Sage MAS 90 and 200 ERP 4.30.0.18 and 1.4 with Sage MAS 90 and 200 ERP 4.40.0.1

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP FISMA-NIST SP 800-53 Rev.4 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence

More information

POLICY 8200 NETWORK SECURITY

POLICY 8200 NETWORK SECURITY POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:

More information

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com : HIPPA Compliance GoToMyPC Corporate HIPAA Compliance Privacy, productivity and remote access 2 The healthcare industry has benefited greatly from the ability to use remote access to view patient data

More information

Cybersecurity Risk Management

Cybersecurity Risk Management Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW Version 2, Release 5 28 October 2016 Developed by for the DoD 28 October 2016 Developed by for the DoD Trademark Information Names, products,

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information