Also, I need to add Rules for automatic account expiration to handle some of the OS SRG reqs. Oddly, we seem to have OVAL for this and it's in the USGCB but not in our XCCDF. (This means adding a Rule (plus Value) to discuss EXPIRE= in /etc/default/useradd.)
Jeffrey Blank (1): added CCIs to move OS SRG mapping forward
rhel6/src/input/auxiliary/srg_support.xml | 19 +++++++++++++------ rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/auditing.xml | 7 ++++--- rhel6/src/input/system/software/updating.xml | 4 ++-- 4 files changed, 20 insertions(+), 12 deletions(-)
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/input/auxiliary/srg_support.xml | 19 +++++++++++++------ rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/auditing.xml | 7 ++++--- rhel6/src/input/system/software/updating.xml | 4 ++-- 4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index ac50bbd..c1bdf83 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="131,130,132,133,134,159,1694,162,163,164,345,346,872" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance"> @@ -21,14 +21,21 @@ Red Hat Enterprise Linux meets this requirement by design. The guidance does not meet this requirement. The requirement is impractical or out of scope. </description> -<ref disa="354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221" /> +<ref disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221" /> </Group> <!-- end unmet_impractical_guidance -->
-<Group id="unmet_impractical_product"> -<title>Product Does Not Meet this Requirement Due to Impracticality or Scope</title> +<Group id="requirement_unclear"> +<title>Implementation of the Requirement is Unclear</title> <description> -The product does not meet this requirement. -The requirement is impractical or out of scope. +It is unclear how to satisfy this requirement. +</description> +<ref disa="20,31,218,219,224" /> +</Group> <!-- end unmet_impractical_product --> + +<Group id="new_rule_needed"> +<title>A New Policy/Manual Rule is Needed</title> +<description> +A new Rule needs to be created in the scap-security-guide content. </description> </Group> <!-- end unmet_impractical_product -->
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index ad21cee..c673e76 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -8,7 +8,7 @@ implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called <tt>sshd</tt> and provided by the RPM package <tt>openssh-server</tt>.</description> -<ref disa="1453" /> +<ref disa="1453,877" />
<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0"> diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index 676b333..927cb60 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -55,7 +55,7 @@ and impacting other services. This also minimizes the risk of the audit daemon temporarily disabling the system if it cannot write audit log (which it can be configured to do). </description> -<ref disa="120,166,1338,1339,157" /> +<ref disa="120,135,136,166,1338,1339,157" />
<Rule id="enable_auditd_service"> <title>Enable auditd Service</title> @@ -272,6 +272,7 @@ Setting this to <tt>email</tt> is recommended over the default <rationale>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</rationale> <oval id="auditd_data_retention_space_left_action" value="var_auditd_space_left_action"/> +<ref disa="140,144" /> </Rule>
@@ -295,7 +296,7 @@ audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. </rationale> <oval id="auditd_data_retention_admin_space_left_action" value="var_auditd_admin_space_left_action" /> -<ref disa="140" /> +<ref disa="140,144" /> </Rule>
@@ -626,7 +627,7 @@ unusual activity. </rationale> <ident cce="14296-8" /> <oval id="audit_rules_privileged_commands" /> -<ref nist="AU-2" /> +<ref nist="AU-2" disa="40" /> </Rule>
<Rule id="audit_media_exports"> diff --git a/rhel6/src/input/system/software/updating.xml b/rhel6/src/input/system/software/updating.xml index efc7834..a759d62 100644 --- a/rhel6/src/input/system/software/updating.xml +++ b/rhel6/src/input/system/software/updating.xml @@ -93,7 +93,7 @@ protects against malicious tampering. </rationale> <ident cce="14914-6" /> <oval id="yum_gpgcheck_global_activation" /> -<ref nist="SI-2" disa="352" /> +<ref nist="SI-2" disa="352,663" /> </Rule>
<Rule id="ensure_gpgcheck_never_disabled"> @@ -110,6 +110,6 @@ protects against malicious tampering. </rationale> <ident cce="14813-0" /> <oval id="yum_gpgcheck_never_disabled" /> -<ref nist="SI-2" disa="352"/> +<ref nist="SI-2" disa="352,663"/> </Rule> </Group>
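Review bot: in the first srg_support.xml hunk (`@@ -12,7`) CCI 223 is prepended in front of `131,130,132,...`, and the second hunk does the same with `165,21` ahead of `354`; the lists were already unordered, but since every hunk in this series appends CCIs, keeping each `disa=` list sorted numerically would make later additions diff cleanly and make accidental duplicates (e.g. a CCI landing both on `met_inherently` and on a Rule) visible at a glance.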
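Review bot: both Groups introduced in the second srg_support.xml hunk (`@@ -21,14 +21,21`) close with the stale comment `+</Group> <!-- end unmet_impractical_product -->`; the close after `requirement_unclear` should read `<!-- end requirement_unclear -->` and the one after `new_rule_needed` should read `<!-- end new_rule_needed -->`, otherwise the next editor will hunt for a group that no longer exists. `new_rule_needed` also carries no `<ref disa="..."/>`, so nothing records which CCIs are parked there (the cover letter names the `EXPIRE=` account-expiration Rule as one); either add the pending CCI list or say in the description where it is tracked. Last, dropping `unmet_impractical_product` removes the only category for "the product cannot meet this", and its replacement `requirement_unclear` says something different, so it is worth confirming no CCI was intended for the old group.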
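Review bot: in ssh.xml CCI 877 is attached to the SSH Group's description-level `<ref>` (now `disa="1453,877"`) rather than to a Rule, so no individual sshd check is identified as the one satisfying it; if a specific Rule in this file covers it, move the ref onto that Rule, and if the group-level placement is deliberate, a one-line comment saying which sshd behaviour meets it would keep the mapping auditable.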
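Review bot: in the first auditing.xml hunk (`@@ -55,7`) CCIs 135 and 136 land on the auditing Group's `<ref>` while the later hunks in the same file put 140, 144 and 40 on specific Rules; if 135/136 are met by the audit subsystem as a whole rather than by one setting, say so in the description or a comment next to the ref, so the placement reads as intentional rather than as a mapping still looking for a Rule.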
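Review bot: the `+<ref disa="140,144" />` added to `auditd_data_retention_space_left_action` (`@@ -272,6`) is that Rule's first `<ref>` and carries no `nist=` attribute, whereas sibling Rules such as `audit_rules_privileged_commands` carry `nist="AU-2"`; if an 800-53 mapping exists for the space_left_action setting (the `admin_space_left_action` Rule below has the same gap), put it in the same element now rather than leaving the Rule with a CCI but no control reference.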
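Review bot: the two updating.xml hunks end up with differently spaced ref elements, `<ref nist="SI-2" disa="352,663" />` on `yum_gpgcheck_global_activation` and `<ref nist="SI-2" disa="352,663"/>` on `ensure_gpgcheck_never_disabled`; since both lines are being rewritten anyway, normalize them to the `" />` form used elsewhere in the patch.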
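As an added illustration of the Rule-plus-Value addition Jeffrey describes in the cover letter (this is not code from the posted patch or from the scap-security-guide repository): a candidate XCCDF input fragment for the `EXPIRE=` default in `/etc/default/useradd`, laid out with the `Rule`, `title`, `description`, `rationale`, `oval` and `Value` elements the patch itself shows. The `ocil` element and the `<value selector="...">` children are the project's manual-check and selector conventions as I understand them and are not shown on this page; the ids `var_useradd_expire_date` and `useradd_default_expire_date`, the OVAL definition the Rule points at, and the dates are placeholders, and no CCE or CCI is assigned because those are allocated by the project.

```xml
<!-- Added example, not part of the posted patch. Ids, OVAL definition name and
     dates are placeholders; CCE/CCI to be assigned by the project. -->
<Value id="var_useradd_expire_date" type="string" operator="equals" interactive="0">
<title>default account expiration date</title>
<description>Expiration date (YYYY-MM-DD) that <tt>useradd</tt> assigns to
newly created accounts when <tt>-e</tt> is not given on the command line.</description>
<value selector="">2013-12-31</value>
<value selector="2013-06-30">2013-06-30</value>
<value selector="2013-12-31">2013-12-31</value>
</Value>

<Rule id="useradd_default_expire_date">
<title>Set Default Expiration Date for New Accounts</title>
<description>The <tt>EXPIRE</tt> setting in <tt>/etc/default/useradd</tt> gives
every account created by <tt>useradd</tt> an expiration date unless one is
supplied explicitly with <tt>-e</tt>. Set it with:
<pre># useradd -D -e 2013-12-31</pre>
which writes a line of the form <tt>EXPIRE=2013-12-31</tt> to
<tt>/etc/default/useradd</tt>. An empty value (<tt>EXPIRE=</tt>) disables
default expiration. Existing accounts are not affected; use
<tt>chage -E</tt> to set an expiration date on them.</description>
<ocil clause="EXPIRE is unset or empty in /etc/default/useradd">
To check the default expiration date, run:
<pre>$ useradd -D | grep EXPIRE</pre>
The output should show a date rather than an empty value.
</ocil>
<rationale>Accounts that never expire can be forgotten and remain usable after
their owner no longer needs them. A default expiration date ensures that an
account created without an explicit <tt>-e</tt> is disabled automatically
unless an administrator deliberately extends it.</rationale>
<oval id="useradd_default_expire_date" value="var_useradd_expire_date" />
</Rule>
```

Two caveats a practitioner would want before shipping something like this: `EXPIRE` is an absolute date, not a lifetime in days, so the chosen Value goes stale and must be advanced periodically or every newly created account starts out already expired; and it only applies at creation time, so a requirement about temporary or emergency accounts still needs the per-account `useradd -e` / `chage -E` step, which is better expressed as a separate manual Rule than folded into this one.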
Ack. I really like the new_rule_needed.
-- Shawn Wells Technical Director, U.S. Intelligence Programs (e) shawn@redhat.com (c) 443-534-0130
On Jun 26, 2012, at 5:06 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide