From shawn at redhat.com Thu Aug 20 11:36:43 2015
From: Shawn Wells
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: MLS_CSCF profile
Date: Thu, 03 Apr 2014 00:48:44 -0400
Message-ID: <533CE82C.4060305@redhat.com>
In-Reply-To: EBDE6A904AEF60448F36706839FFB5250B8B15D2@HVXDSP21.us.lmco.com

On 3/28/14, 3:56 PM, Kordell, Luke T wrote:
> Here is a profile I have been developing. Some of the rules within the profile contradict each other, but the future plan is to break-up this profile into a few different releases. We will eventually have an HPC, Cluster, US and generic version of this profile each with slightly different rule selections. The selinux policy rule will always be refined to check that selinux is implementing the mls policy type. Let me know if you have any questions or suggestions!
>
> Luke K
> From ef47e8e213acb0f72830096d01d48db93d125573 Mon Sep 17 00:00:00 2001
> From: lukek1
> Date: Thu, 27 Mar 2014 13:19:21 -0400
> Subject: [PATCH] MLS_CSCF-profile
>
> --- > RHEL/6/input/profiles/MLS_CSCF.xml | 32 = > +++++++++++++++++--------------- > 1 file changed, 17 insertions(+), 15 deletions(-) > > diff --git a/RHEL/6/input/profiles/MLS_CSCF.xml = > b/RHEL/6/input/profiles/MLS_CSCF.xml > index 1a1c321..9819835 100644 > --- a/RHEL/6/input/profiles/MLS_CSCF.xml > +++ b/RHEL/6/input/profiles/MLS_CSCF.xml > @@ -1,5 +1,5 @@ > - > -CSCF baseline-launchpoint > + > +CSCF baseline general use > this is an incomplete profile > > > > + selector=3D"keep_logs" /> > selected=3D"true" /> > > > - > + > > @@ -83,11 +84,12 @@ > > selected=3D"true" /> > + > > > > > selected=3D"true" /> > + selected=3D"true" /> > - > + selector=3D"3" /> > > > > + > > > > + 
> > @@ -150,7 +151,9 @@ > > > + selector=3D"12" /> > > > > - > - > + > > > > > > > - > > > > - > > @@ -264,6 +265,7 @@ > > > >

Hey Luke!

This is a great start! A few small things:

(1) Patch Stream
Do you have the full patch stream (or, ideally, a single commit/patch) of the profile? Your attached patch reflects it is a patch to a patch, that is to say, there must be a commit that previously created the profile.

Ensure any desired changes are committed locally then issue:
    $ git format-patch origin

This should generate patches outlining all commits local to your repo that are not upstream yet.

(2) Patch title & description
What do you think of elaborating the <title> and <description>? Perhaps:

Profile ID: "MLS_CSCF" --> "CSCF-RHEL6-MLS"
Reasoning: We'll want to include RHEL6 in the profile name as other OS' ship within SSG. While we've yet to officialize style guides, underscores are frowned upon and inconsistent with other profile names.

Title: "CSCF Baseline General Use" --> "CSCF RHEL6 MLS Core Baseline"
Reasoning: Again, reinforcement of RHEL6. The term 'general use' reflects, well, general use (non-MLS). Given your reference to future deviations, e.g. HPC, what about the term "core" or even more generic "server"?

Description: A bit more elaboration would be welcome. What about something like:
"This profile reflects the Centralized Super Computing Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be considered in active development. Additional tailoring will be needed, such as the creation of RBAC roles, for production deployment."

This is a really, really great start. Looking forward to the full patch set!

Shawn
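Review bot: In the `@@ -1,5 +1,5 @@` hunk the unchanged description line still reads "this is an incomplete profile", which tells a consumer of the profile nothing about which baseline it encodes or which platform it targets. The same hunk already rewrites the title to "CSCF baseline general use", so replace the description in this change as well: name the baseline and the operating system, and state the development status there instead of leaving it as the whole description.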
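Review bot: The file header `index 1a1c321..9819835 100644` together with `--- a/RHEL/6/input/profiles/MLS_CSCF.xml` shows the diff is taken against an existing blob rather than creating the file, so it only applies on top of an earlier commit that is not included in this mail. Send the commit that creates the profile along with this one, or squash the two. The commit message also consists only of the subject `MLS_CSCF-profile`; add a body that says which selections were added or dropped and why the added selector values (`keep_logs`, `3`, `12`) were chosen, since the 17 insertions and 15 deletions cannot be reviewed against any stated intent.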