[PATCH 00/21] More CCI Mappings
by Willy Santos
More CCI mapping in support of the OS SRG compliance. This batch of CCI mappings was done with the help of Cliff Trueman. As usual, these are open for discussion and change as necessary.
Willy Santos (21):
Remapped CCIs 764 and 804 from unmet_impractical_guidance to
met_inherently. Based on input from Shawn Wells and input from
Jeff Blank it was concluded that the use of unique identifiers
(UIDs) for all users (org or non-org) meets this requirement.
Mapped CCI-001159 to requirement unclear.
Mapped CCI-001125 to requirement_unclear.
Mapped CCI-001126 to requirement_unclear.
Mapped CCI-001140 to requirement_unclear.
Mapped CCI-001143 to requirement_unclear.
Mapped CCI-001149 to requirement_unclear.
Mapped CCI-001157 to requirement_unclear.
Mapped CCI-001158 to requirement_unclear.
Mapped CCI-001166 to requirement_unclear.
Mapped CCI-001695 to requirement_unclear.
Mapped CCI-001169 to requirement_unclear.
Mapped CCI-001170 to requirement_unclear.
Mapped CCI-001199 to new_rule_needed.
Mapped CCI-001123 to enable_ip6tables, enable_iptables, and
service_auditd_enabled.
Mapped CCI-001190 to enable_auditd_service.
Mapped CCI-001124 to enable_ip6tables, enable_iptables,
httpd_servertokens_prod, and httpd_serversignature_off.
Mapped CCI-001129 to network_ssl.
Mapped CCI-001132 to network_ssl.
Mapped CCI-001142 to network_ssl.
Mapped CCI-001147 to network_ssl.
rhel6/src/input/auxiliary/srg_support.xml | 8 ++++----
rhel6/src/input/services/http.xml | 4 ++--
rhel6/src/input/system/auditing.xml | 2 +-
rhel6/src/input/system/network/iptables.xml | 4 ++--
rhel6/src/input/system/network/ssl.xml | 2 +-
5 files changed, 10 insertions(+), 10 deletions(-)
--
1.7.7.6
11 years, 9 months
[PATCH 00/11] CCI Mapping changes based on list input
by Willy Santos
This batch of mappings is mostly "remaps" from requirement_unclear, based on input received from the list (mostly Shawn, thanks!).
Willy Santos (11):
Changed mapping of CCI-000099 from requirement_unclear to
met_inherently based on recommendation from Shawn Wells.
Added mapping of CCI-000085 to auditd_configure_rules based on
guidance from Shawn Wells.
Remapped CCI-000025 from requirement_unclear to
unmet_impractical_guidance, based on input from Shawn Wells.
Remapped CCI-000026 from requirement_unclear to enabling_selinux,
based on input from Shawn Wells.
Remapped CCI-000027 from requirement_unclear to enable_iptables,
based on input from Shawn Wells.
Added Group unmet_impractical_product, as discussed with Jeff Blank,
it was accidentally removed on an earlier commit.
Remapped CCI-000028 from requirement_unclear to
unmet_impractical_guidance and unmet_impractical_product, based on
input from Shawn Wells.
Remapped CCI-000029 from requirement_unclear to
unmet_impractical_guidance and unmet_impractical_product, based on
input from Shawn Wells.
Remapped CCI-000030 from requirement_unclear to
unmet_impractical_guidance and unmet_impractical_product, based on
input from Shawn Wells.
Remapped CCI-000032 from requirement_unclear to
unmet_impractical_product, based on input from Shawn Wells.
Remapped CCI-000024 from requirement_unclear to
unmet_impractical_guidance and unmet_impractical_product, based on
input from Shawn Wells.
rhel6/src/input/auxiliary/srg_support.xml | 15 ++++++++++++---
rhel6/src/input/system/auditing.xml | 2 +-
rhel6/src/input/system/network/iptables.xml | 2 +-
rhel6/src/input/system/selinux.xml | 1 +
4 files changed, 15 insertions(+), 5 deletions(-)
--
1.7.7.6
11 years, 9 months
[PATCH 00/25] More CCI Mappings
by Willy Santos
More CCI mapping in support of the OS SRG compliance. This batch of CCI mappings was done with the help of Cliff Trueman. As usual, these are open for discussion and change as necessary.
Willy Santos (25):
Mapped CCI-000770 to new_rule_needed.
Mapped CCI-001083 to met_inherently.
Mapped CCI-001089 to met_inherently.
Mapped CCI-000804 to unmet_impractical_guidance.
Mapped CCI-001082 to met_inherently.
Mapped CCI-001112 to unmet_impractical_guidance.
Mapped CCI-001117 to enable_ip6tables and enable_iptables.
Mapped CCI-000764 to unmet_impractical_guidance.
Mapped CCIs 765, 766, 767 and 768 to new_rule_needed.
Mapped CCIs 771 and 772 to new_rule_needed.
Mapped CCIs 1009 and 1019 to new_rule_needed.
Mapped CCI-000779 to ssh_server.
Mapped CCI-000781 to ssh_server.
Mapped CCI-000884 to new_rule_needed.
Mapped CCI-000795 to account_disable_post_pw_expiration.
Mapped CCI-000831 to enable_auditd_service.
Mapped CCIs 1084, 1086 and 1087.
Mapped CCI-001090 to enabling_selinux.
Mapped CCI-001091 to enabling_selinux.
Mapped CCI-001098 to enable_ip6tables and enable_iptables.
Mapped CCI-001100 to enable_ip6tables and enable_iptables.
Mapped CCI-001097 to enable_ip6tables and enable_iptables.
Removed mapping of CCI-001092 from iptables_icmp_disabled, after some
discussion with Jeff Blank and Cliff Trueman.
Mapped CCIs 1092 and 1095 to set_sysctl_net_ipv4_tcp_syncookies.
Mapped CCI-001111 to unmet_impractical_guidance.
rhel6/src/input/auxiliary/srg_support.xml | 6 +++---
rhel6/src/input/services/ssh.xml | 2 +-
.../accounts/restrictions/account_expiration.xml | 2 +-
rhel6/src/input/system/auditing.xml | 2 +-
rhel6/src/input/system/network/iptables.xml | 6 +++---
rhel6/src/input/system/network/kernel.xml | 2 +-
rhel6/src/input/system/selinux.xml | 2 +-
7 files changed, 11 insertions(+), 11 deletions(-)
--
1.7.7.6
11 years, 9 months