Announcing the RHEL7 FBI CJIS Profile!

Over the past 1-2 years we’ve been working across Public cjis_logoSector to open source security┬ábaselines used within our defense, intelligence, and civilian communities. These baselines ultimately end up shipping natively in RHEL (and it’s derivatives, such as CentOS), which greatly reduces the time it takes to get Red Hat-based systems accredited on government networks.

Today (Fri 24-JUNE-2016) we publicly released the RHEL7 baseline for the FBI Criminal Justice Information Systems, or FBI CJIS, in SCAP Security Guide v0.1.30. The FBI CJIS policy applies to all systems which access criminal justice data — including contractor, private entity, court system, law enforcement, and federal justice agencies.

Not familiar with FBI CJIS? Think of it this way: The U.S. Military follows the DoD STIG. The justice community follows the FBI CJIS baseline. You can read more at┬áthe FBI’s CJIS Security Policy Resource center.

As a community, OpenSCAP/SCAP Security Guide has developed baselines for DoD STIG, CIA’s C2S, FISMA Moderate, Certified Cloud Providers, and now FBI CJIS. Credit for this baseline goes to Robin Price, who spent over a month developing this. There are some 50 government agencies that fall under CJIS guidance, making Robin’s contribution incredibly impactful!

    • How do I test the draft RHEL7 CJIS baseline?
      $ wget https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.30/scap-security-guide-0.1.30.zip
      
      $ unzip scap-security-guide-0.1.30.zip 
      $ sudo oscap xccdf eval 
      --profile xccdf_org.ssgproject.content_profile_cjis-rhel7-server 
      --report /root/cjis-report.html 
      scap-security-guide-0.1.30/ssg-rhel7-ds.xml

      Once the scan completes, view /root/cjis-report.html in your favorite web browser.

    • When will this ship natively in RHEL?
      It is hard to publicly guarantee a shipping date/version for RHEL. Generally speaking, this profile should ship in the next RHEL 7 service pack (e.g. RHEL 7.3).