Applied Cross Domain: Red Hat Foundations
Shawn Wells
Office of the Chief Technologist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130

100,000+ PROJECTS
PARTICIPATE: CSCF participates in community-powered upstream projects, such as SELinux, OpenSCAP and the SCAP Security Guide.
INTEGRATE: CSCF collaborates with Red Hat to integrate upstream projects into Enterprise Linux, fostering open community platforms.
STABILIZE: We commercialize these platforms together with a rich ecosystem of services and certifications, such as ICD 503 and CNSSI 12-53 accreditations.

SELinux Refresher
● Type Separation: How users, processes, and data are isolated
● Role Based Access Control (RBAC)
● MLS Policy

Security Automation
● Configuration Monitoring
● Compliance Reports
● Secure Provisioning
● Remediation

Certifications & Standards
● Common Criteria & NIAP
● Intelligence Community Directive 503 (ICD 503)
● US Government Configuration Baseline (USGCB)

SELinux Refresher

Multi-Level Security (MLS) Policy
• Focuses on confidentiality (i.e. separation of multiple classifications of data)
• Ability to manage {processes, users} with varying levels of access (i.e. “the need to know”)
• Uses category & sensitivity levels

Sensitivity Labels

Category Labels

Polyinstantiation

# id -Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s0:c0
# ls -l /data
secret-file-1
secret-file 2

# id -Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s1:c0
# ls -l /data
secret-file-1
secret-file 2
top-secret-file-1
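
The sensitivity and category comparison behind the two listings above can be modelled as an MLS dominance check. This is an added example, not code from the original slides or from SELinux itself; the file levels in FILES and the extra file in category c1 are assumptions, since the slide shows only file names.

```python
import re

# One MLS level: "s0", "s1:c0", "s2:c0.c3,c7". Ranges ("s0-s15") are out of scope.
LEVEL_RE = re.compile(r"s(\d+)(?::(.+))?")
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")   # "c5" or the span "c0.c3"

def parse_level(level):
    """Return (sensitivity, frozenset of category numbers) for one MLS level."""
    m = LEVEL_RE.fullmatch(level)
    if not m:
        raise ValueError(f"not an MLS level: {level!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        c = CAT_RE.fullmatch(part)
        if not c:
            raise ValueError(f"bad category set in {level!r}")
        lo = int(c.group(1))
        hi = int(c.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)

def dominates(subject_level, object_level):
    """True when the subject may read the object (no read up)."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    # Both conditions must hold: enough sensitivity AND every category.
    return s_sens >= o_sens and s_cats >= o_cats

def readable(context, labelled_files):
    """Names of files whose level is dominated by the context's level."""
    level = context.split(":", 3)[3]          # user:role:type:level
    return [name for name, label in labelled_files if dominates(level, label)]

# Constructed labels (assumptions): the slide shows file names, not their levels.
FILES = [
    ("secret-file-1", "s0:c0"),
    ("secret-file 2", "s0:c0"),
    ("top-secret-file-1", "s1:c0"),
    ("other-compartment-file", "s0:c1"),      # constructed, not on the slide
]

if __name__ == "__main__":
    for lvl in ("s0:c0", "s1:c0"):
        ctx = f"staff_u:WebServer_Admin_r:WebServer_Admin_t:{lvl}"
        print(lvl, readable(ctx, FILES))
```

The file in category c1 stays hidden even at s1, because a higher sensitivity level does not grant categories the subject lacks.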

Certifications & Standards

NSA C63 (aka NIAP) & Red Hat: Where we’ve been… and next stop
RHEL 3: CAPP / EAL3+
RHEL 4: CAPP / EAL3+
RHEL 5: LSPP / EAL4+
RHEL 6: OSPP / EAL4+
RHEL 7: OSPP v3.9 / EAL4+

FIPS 140-2 Certs

docs.redhat.com
- Security Guide
- Admin. Guide
- Priv User Guide

Red Hat corporate development & responsibilities

We use Atsec http://red.ht/1kWN8ZZ

Common Criteria != Compliance Policy

ICD 503, STIG, FISMA

Compliance Policy

SCAP Security Guide http://open-scap.org, http://github.com/OpenSCAP

Shawn Wells
Director, Innovation Programs
Office of the Chief Technologist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130