More CCI Mappings.
Willy Santos (5):
  Mapped CCI-000381 to principle-minimize-software
  Mapped CCI-000382 to principle-minimize-software
  Mapped CCI-000776 to sshd_allow_only_protocol2
  Mapped CCI-000774 to sshd_allow_only_protocol2
  Mapped CCI-000872 to met_inherently

 rhel6/src/input/auxiliary/srg_support.xml | 2 +-
 rhel6/src/input/intro/intro.xml | 1 +
 rhel6/src/input/services/ssh.xml | 1 +
 3 files changed, 3 insertions(+), 1 deletions(-)
CCI-000381 requires configuring the OS to only provide essential capabilities. This is discussed in principle-minimize-software.
Signed-off-by: Willy Santos wsantos@redhat.com
---
 rhel6/src/input/intro/intro.xml | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/intro/intro.xml b/rhel6/src/input/intro/intro.xml index 494eeec..09537c2 100644 --- a/rhel6/src/input/intro/intro.xml +++ b/rhel6/src/input/intro/intro.xml @@ -57,6 +57,7 @@ attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need. </description> +<ref disa="381" /> </Group>
<Group id="principle-separate-servers">
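Review bot: the new `<ref disa="381" />` sits on the principle-minimize-software Group in intro.xml, which is explanatory prose with no OVAL check behind it, so an assessor following the mapping lands on text rather than on something that can be evaluated. Reference CCI-000381 from the concrete Rules that remove or disable unneeded packages and services instead, and leave the principle Group unreferenced.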
CCI-000382 requires configuring the OS to restrict the use of organization-defined functions, services, ports, and/or protocols. This is discussed in principle-minimize-software.
Signed-off-by: Willy Santos wsantos@redhat.com
---
 rhel6/src/input/intro/intro.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/intro/intro.xml b/rhel6/src/input/intro/intro.xml index 09537c2..1b67717 100644 --- a/rhel6/src/input/intro/intro.xml +++ b/rhel6/src/input/intro/intro.xml @@ -57,7 +57,7 @@ attack code to be run undetected. The number of software packages installed on a system can almost always be significantly pruned to include only the software for which there is an environmental or operational need. </description> -<ref disa="381" /> +<ref disa="381,382" /> </Group>
<Group id="principle-separate-servers">
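Review bot: squash this into the previous patch, which introduced the very `<ref disa="381" />` line that this one rewrites to `381,382`; as a series it adds a line only to replace it one commit later. The target is again a principle Group rather than a Rule, and CCI-000382 (restricting functions, ports and protocols) is better referenced from the Rules that disable services and restrict listening ports, where the restriction is actually checked.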
CCI-000776 requires the use of replay-resistant authentication mechanisms for network access to non-privileged accounts. Using SSH protocol version 2 satisfies this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
 rhel6/src/input/services/ssh.xml | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 3f447f2..fb4d5f5 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -56,6 +56,7 @@ should not be used. </rationale> <ident cce="4325-7" /> <oval id="sshd_protocol_2" /> +<ref disa="776" /> </Rule>
<!-- FIXME: figure out whether/how to say something discrete here -->
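Review bot: the commit summary names the target Rule as sshd_allow_only_protocol2, but the only identifier visible in this hunk is `<oval id="sshd_protocol_2" />`; confirm that the enclosing `<Rule id>` really is sshd_allow_only_protocol2 so that the generated "Rules Mapped" column points at an existing Rule rather than at the OVAL definition name.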
CCI-000774 requires the use of replay-resistant authentication mechanisms for network access to privileged accounts. Using SSH protocol version 2 satisfies this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
 rhel6/src/input/services/ssh.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index fb4d5f5..5b07857 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -56,7 +56,7 @@ should not be used. </rationale> <ident cce="4325-7" /> <oval id="sshd_protocol_2" /> -<ref disa="776" /> +<ref disa="776,774" /> </Rule>
<!-- FIXME: figure out whether/how to say something discrete here -->
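Review bot: squash into the previous patch; this hunk only rewrites the `<ref disa="776" />` line that patch just added to `776,774`, and both CCIs are justified by the same fact (protocol 2 only), so one commit mapping both is the cleaner record.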
CCI-000872 requires the use of automated mechanisms to restrict the use of maintenance tools to authorized personnel only. By default, RHEL6 restricts the use of maintenance tools to the root user.
Signed-off-by: Willy Santos wsantos@redhat.com
---
 rhel6/src/input/auxiliary/srg_support.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 3649120..ac50bbd 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="131,130,132,133,134,159,1694,162,163,164,345,346" /> +<ref disa="131,130,132,133,134,159,1694,162,163,164,345,346,872" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
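Review bot: appending `872` to the met_inherently ref list asserts that CCI-000872 is satisfied by design, but the basis given for that (maintenance tools restricted to the root user by default) appears only in the commit message, while the Group `<description>` an assessor reads is unchanged. Add a sentence to the description stating that basis, since "restricted to root by default" is a default-configuration property a reviewer will want to see justified, not a property of the product that needs no explanation.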
This is okay for an ACK, but some of it will get changed in a future revision. Please avoid mapping to anything in the "general principles" section.
This is simply text describing the general principles which drove the creation of much of the guidance, and is abstract in nature. The point of this mapping is to show something concrete in the "Rules Mapped" column.
When we had mapped to a Group for some of the OS SRG items (such as for CCI-001589), this was because the prose there was providing a factual description of the (audit) system's capabilities; the actual point is that the product met the requirements; we were just providing the Group description as evidence of this.
On 06/21/2012 05:18 PM, Willy Santos wrote:
scap-security-guide@lists.fedorahosted.org