Another batch of CCI-Mappings.
Willy Santos (8):
  Mapped CCI-001130 to install_openswan
  Mapped CCI-001130 to network_ssl
  Mapped CCI-001131 to install_openswan
  Mapped CCI-001131 to network_ssl
  Mapped CCI-001133 to sshd_idle_timeout
  Mapped CCI-001144 to sshd_use_approved_ciphers
  Mapped CCI-001145 to sshd_use_approved_ciphers
  Mapped CCI-001146 to sshd_use_approved_ciphers

 rhel6/src/input/services/ssh.xml         | 4 ++--
 rhel6/src/input/system/network/ipsec.xml | 2 +-
 rhel6/src/input/system/network/ssl.xml   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
CCI-001130 requires protecting the confidentiality of transmitted information. IPSec is one of the mechanisms that can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ipsec.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ipsec.xml b/rhel6/src/input/system/network/ipsec.xml index 32266a1..60ec23d 100644 --- a/rhel6/src/input/system/network/ipsec.xml +++ b/rhel6/src/input/system/network/ipsec.xml @@ -18,7 +18,7 @@ transmitted over a wide area network. </rationale> <!--<ident cce="TODO" />--> <oval id="package_openswan_installed" /> -<ref nist="AC-17, MA-4, SC-9" /> +<ref nist="AC-17, MA-4, SC-9" disa="1130" /> </Rule> </Group>
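Review bot: the only check on the rule that receives disa="1130" is <oval id="package_openswan_installed" />, so the mapping claims confidentiality of transmitted information on the strength of a package being installed. An installed openswan with no configured tunnel protects nothing in transit. Suggest stating in the rationale that this rule is a prerequisite for CCI-001130 rather than evidence of it, or attaching the CCI to a rule that checks an active IPsec configuration.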
CCI-001130 requires protecting the confidentiality of transmitted information. SSL/TLS is one of the mechanisms that can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index eb68e11..34477a1 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -34,7 +34,7 @@ can be appropriate. The major steps in this process are: <li>Enable client support by distributing the CA’s certificate</li> </ol> </description> -<ref disa="1141,1148" /> +<ref disa="1141,1148,1130" />
<Rule id="network_ssl_create_ca"> <title>Create a CA to Sign Certificates</title>
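Review bot: the new number in <ref disa="1141,1148,1130" /> is appended rather than kept in numeric order, which makes duplicate or missing CCI numbers harder to spot as the list grows. Suggest disa="1130,1141,1148".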
CCI-001131 requires employing cryptographic mechanisms to protect information during transmission. IPSec is one of the mechanisms that can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ipsec.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ipsec.xml b/rhel6/src/input/system/network/ipsec.xml index 60ec23d..2b145a5 100644 --- a/rhel6/src/input/system/network/ipsec.xml +++ b/rhel6/src/input/system/network/ipsec.xml @@ -18,7 +18,7 @@ transmitted over a wide area network. </rationale> <!--<ident cce="TODO" />--> <oval id="package_openswan_installed" /> -<ref nist="AC-17, MA-4, SC-9" disa="1130" /> +<ref nist="AC-17, MA-4, SC-9" disa="1130,1131" /> </Rule> </Group>
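Review bot: this rewrites the same <ref> line that the CCI-001130 patch just changed (index 60ec23d..2b145a5 starts from that patch's result), so the two cannot be applied or reverted independently. A single commit adding disa="1130,1131" would carry the same information with less churn. Minor: within this one element nist separates values with ", " and disa with "," and no space; pick one form.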
CCI-001131 requires employing cryptographic mechanisms to protect information during transmission. SSL/TLS is one of the mechanisms that can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index 34477a1..1f1b554 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -34,7 +34,7 @@ can be appropriate. The major steps in this process are: <li>Enable client support by distributing the CA’s certificate</li> </ol> </description> -<ref disa="1141,1148,1130" /> +<ref disa="1141,1148,1130,1131" />
<Rule id="network_ssl_create_ca"> <title>Create a CA to Sign Certificates</title>
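Review bot: the <ref> changed here sits between </description> and <Rule id="network_ssl_create_ca">, outside any <Rule>, and the hunk shows no <oval> check next to it, so CCI-001130 and CCI-001131 end up attached to descriptive guidance rather than to something a scan can evaluate. If that is intended, say so in the commit message; otherwise the CCIs belong on the individual rules that can be checked. This ref also carries no nist attribute, unlike the one in ipsec.xml.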
CCI-001133 requires the termination of a network connection at the end of a communication session or after a defined period of inactivity. In the case of inactivity of an SSH session, sshd_idle_timeout addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 5b07857..94e9b31 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -121,7 +121,7 @@ to compromises on another. </rationale> <ident cce="3845-5" /> <oval id="sshd_idle_timeout" value="sshd_idle_timeout_value"/> -<ref disa="879"/> +<ref disa="879,1133"/> </Rule>
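Review bot: CCI-001133, as quoted in the commit message, covers termination both at the end of a session and after a period of inactivity, while the only check on this rule is <oval id="sshd_idle_timeout" value="sshd_idle_timeout_value"/>. The mapping is therefore partial. Suggest noting that in the rule text, or recording which rule covers the end-of-session half, so that a passing idle-timeout check is not read as full coverage of the CCI.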
CCI-001144 requires the use of cryptographic modules that comply with applicable laws, policies, standards, etc. For SSH communications, sshd_use_approved_ciphers addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 94e9b31..4748b66 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -270,7 +270,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> -<ref disa="803" /> +<ref disa="803,1144" /> </Rule>
</Group>
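Review bot: CCI-001144 is a requirement on the cryptographic module, but <oval id="sshd_use_approved_ciphers" /> is, by its name, a check on which ciphers sshd is configured to use. A conforming cipher list does not establish that the module implementing those ciphers meets the cited standards. The rationale should state that limit, or the CCI should also be mapped to whatever rule verifies the module itself.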
CCI-001145 requires the use of FIPS-validated cryptography to protect unclassified information. For SSH communications, sshd_use_approved_ciphers addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 4748b66..9f5d531 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -270,7 +270,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> -<ref disa="803,1144" /> +<ref disa="803,1144,1145" /> </Rule>
</Group>
CCI-001146 requires the use of NSA-approved cryptography to protect classified information. For SSH communications, sshd_use_approved_ciphers addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 9f5d531..ad21cee 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -270,7 +270,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> -<ref disa="803,1144,1145" /> +<ref disa="803,1144,1145,1146" /> </Rule>
</Group>
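Review bot: with this change <ref disa="803,1144,1145,1146" /> maps one rule and one check to both CCI-001145 (FIPS-validated cryptography for unclassified information) and CCI-001146 (NSA-approved cryptography for classified information). A single approved-cipher list cannot distinguish the two cases, and passing a FIPS-oriented cipher check is not by itself evidence of NSA approval for classified use. Suggest documenting which cipher set the check enforces and whether 1146 is meant to apply only on systems handling classified data.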
On 6/22/12 5:00 PM, Willy Santos wrote:
Another batch of CCI-Mappings.
Willy Santos (8):
  Mapped CCI-001130 to install_openswan
  Mapped CCI-001130 to network_ssl
  Mapped CCI-001131 to install_openswan
  Mapped CCI-001131 to network_ssl
  Mapped CCI-001133 to sshd_idle_timeout
  Mapped CCI-001144 to sshd_use_approved_ciphers
  Mapped CCI-001145 to sshd_use_approved_ciphers
  Mapped CCI-001146 to sshd_use_approved_ciphers

 rhel6/src/input/services/ssh.xml         | 4 ++--
 rhel6/src/input/system/network/ipsec.xml | 2 +-
 rhel6/src/input/system/network/ssl.xml   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
Ack to the set
scap-security-guide@lists.fedorahosted.org