Another set of CCI mappings.
Willy Santos (25): Mapped CCI-1127 to network_ssl. Mapped CCI-001154 to set_iptables_default_rule Mapped CCI-001250 to kernel_module_usb-storage_disabled. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to bootloader_nousb_argument. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to service_autofs_disabled. Mapped CCI-001343 to new_rule_needed. Mapped CCI-001348 to rsyslog_remote_loghost. Mapped CCI-001493 to met_inherently. Mapped CCI-001494 to met_inherently. Mapped CCI-001495 to met_inherently. Mapped CCI-001557 to service_rsyslog_enabled Mapped CCI-000017 to new_rule_needed. Mapped CCI-000052 to new_rule_needed. Mapped CCI-000053 to new_rule_needed. Mapped CCI-000226 to met_inherently. Mapped CCI-000386 to requirement_unclear. Mapped CCI-001092 to requirement_unclear. Mapped CCI-00197 to requirement_unclear. Mapped CCI-001096 to met_inherently. Mapped CCI-001128 to network_ssl. Mapped CCI-001135 to network_ssl. Mapped CCI-001135 to package_openswan_installed. Mapped CCI-001135 to sshd_allow_only_protocol2.
rhel6/src/input/auxiliary/srg_support.xml | 5 +++-- rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/logging.xml | 4 ++-- rhel6/src/input/system/network/ipsec.xml | 2 +- rhel6/src/input/system/network/iptables.xml | 2 +- rhel6/src/input/system/network/ssl.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 10 +++++----- 7 files changed, 14 insertions(+), 13 deletions(-)
CCI-1127 requires integrity protection of transmitted information. Using SSL/TLS encryption for transmission meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index 1f1b554..d1d7e14 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -34,7 +34,7 @@ can be appropriate. The major steps in this process are: <li>Enable client support by distributing the CA’s certificate</li> </ol> </description> -<ref disa="1141,1148,1130,1131" /> +<ref disa="1141,1148,1130,1131,1127" />
<Rule id="network_ssl_create_ca"> <title>Create a CA to Sign Certificates</title>
CCI-001154 requires blocking inbound and outbound traffic between instant messaging clients. set_iptables_default_rule cofigures the hosts firewall to drop any incoming packet not explicitly allowed by a preceding rule.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/iptables.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index 5918507..d5ae221 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -145,7 +145,7 @@ any packets which are not explicitly permitted should not be accepted.</rationale> <ident cce="14264-6" /> <oval id="iptables_default_policy_drop" /> -<ref nist="AC-4, CM-6" disa="1109" /> +<ref nist="AC-4, CM-6" disa="1109,1154" /> </Rule>
<Rule id="set_iptables_default_rule_forward">
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling the usb-storage kernel module to be automatically loaded on-demand, preventing the use of USB storage devices by users.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index d1aafae..c9d5bf9 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -57,7 +57,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale> <ident cce="4187-1" /> <oval id="kernel_module_usb-storage_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="kernel_module_usb-storage_removed">
On 6/27/12 6:18 PM, Willy Santos wrote:
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling the usb-storage kernel module to be automatically loaded on-demand, preventing the use of USB storage devices by users.
I would also map this to the disablement of automounter.
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Removing the usb-storage kernel module prevent the use of USB storage devices on the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index c9d5bf9..4f28c76 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -78,7 +78,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale> <ident cce="4006-3" /> <oval id="kernel_module_usb-storage_removed" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="bootloader_nousb_argument">
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling USB support via the bootloader prevents the use of USB storage devices on the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 4f28c76..20d4307 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -96,7 +96,7 @@ disable USB storage devices if they are plugged into the sytem. Support for thes should be disabled and the devices themselves should be tightly controlled.</rationale> <ident cce="4173-1" /> <oval id="bootloader_nousb_argument" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="bios_disable_usb_boot">
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling USB boot in BIOS prevent the use of USB storage devices to boot the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 20d4307..e77e404 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -111,7 +111,7 @@ any security measures offered by the native OS. Attackers could mount partitions configuration of the native OS. The BIOS should be configured to disallow booting from USB media.</rationale> <ident cce="3944-6" /> <!-- <oval id="bios_disable_usb_boot" /> --> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="service_autofs_disabled">
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling the Automounter prevents users from automatically mounting filesystems in removable media such as CD-ROMs.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index e77e404..5e10374 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -133,7 +133,7 @@ should be explicitly listed in /etc/fstab by and administrator. New filesystems not be arbitrarily introduced via the automounter.</rationale> <ident cce="4072-5" /> <oval id="service_autofs_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="gconf_gnome_disable_automount">
On 6/27/12 6:18 PM, Willy Santos wrote:
CCI-001250 requires the OS to not allow users to introduce removable media into the information system. Disabling the Automounter prevents users from automatically mounting filesystems in removable media such as CD-ROMs.
Hah. Ignore my last email!
CCI-001343 requires the OS to invoke a system shutdown on audit failure. Default setting is to suspend.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c1bdf83..b8308a4 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -37,6 +37,7 @@ It is unclear how to satisfy this requirement. <description> A new Rule needs to be created in the scap-security-guide content. </description> +<ref disa="1343" /> </Group> <!-- end unmet_impractical_product -->
</Group>
CCI-001348 requires the backup of audit records to a different system or media than the system being audited. rsyslog_remote_loghost satisfies this requirement for system logs.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/logging.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/logging.xml b/rhel6/src/input/system/logging.xml index b13304f..be62cc7 100644 --- a/rhel6/src/input/system/logging.xml +++ b/rhel6/src/input/system/logging.xml @@ -233,7 +233,7 @@ place to view the status of multiple hosts within the enterprise. </rationale> <ident cce="17248-6" /> <oval id="rsyslog_remote_loghost" /> -<ref nist="AU-2, AU-9" /> +<ref nist="AU-2, AU-9" disa="1348" /> </Rule> </Group>
CCI-001493 requires the protection of audit tools from unauthorized access. RHEL6's default behavior is for only the root user to have access to audit tools.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index b8308a4..b330b2e 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
CCI-001494 requires the protection of audit tools from unauthorized modification. RHEL6's default behavior is for only the root user to have access to audit tools.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index b330b2e..b200475 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
CCI-001495 requires the protection of audit tools from unauthorized deletion. RHEL6's default behavior is for only the root user to have access to audit tools.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index b200475..f86db40 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
CCI-001557 requires tracking problems associated with information transfer. Rsyslog logs system problems which could include transfer errors depending on the application generating the error.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/logging.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/logging.xml b/rhel6/src/input/system/logging.xml index be62cc7..a8284cd 100644 --- a/rhel6/src/input/system/logging.xml +++ b/rhel6/src/input/system/logging.xml @@ -47,7 +47,7 @@ logging services, which are essential to system administration. </rationale> <ident cce="17698-2" /> <oval id="service_rsyslog_enabled" /> -<ref nist="AU-12, CM-6" /> +<ref nist="AU-12, CM-6" disa="1557" /> </Rule>
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index f86db40..a23bfaf 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -37,7 +37,7 @@ It is unclear how to satisfy this requirement. <description> A new Rule needs to be created in the scap-security-guide content. </description> -<ref disa="1343" /> +<ref disa="1343,17" /> </Group> <!-- end unmet_impractical_product -->
</Group>
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index a23bfaf..d44bafa 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -37,7 +37,7 @@ It is unclear how to satisfy this requirement. <description> A new Rule needs to be created in the scap-security-guide content. </description> -<ref disa="1343,17" /> +<ref disa="1343,17,52" /> </Group> <!-- end unmet_impractical_product -->
</Group>
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index d44bafa..c9d046e 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -37,7 +37,7 @@ It is unclear how to satisfy this requirement. <description> A new Rule needs to be created in the scap-security-guide content. </description> -<ref disa="1343,17,52" /> +<ref disa="1343,17,52,53" /> </Group> <!-- end unmet_impractical_product -->
</Group>
CCI-000226 requires prioviding access to a priviledged administrator to configure security policies. RHEL6 by default grants the root user access to manage all security mechanisms.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c9d046e..138fe05 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 138fe05..c070e02 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224" /> +<ref disa="20,31,218,219,224,386" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/27/12 6:18 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 138fe05..c070e02 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224" /> +<ref disa="20,31,218,219,224,386" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
SRG-OS-000097 CCI-000386 The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.
I wouldn't think to hard about this one. I would argue that the OS provides the mechanisms for this by default through DAC policies (DAC policies being the "organization defined" piece).
On 06/27/2012 06:25 PM, Shawn Wells wrote:
On 6/27/12 6:18 PM, Willy Santos wrote:
Signed-off-by: Willy Santoswsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 138fe05..c070e02 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224" /> +<ref disa="20,31,218,219,224,386" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
SRG-OS-000097 CCI-000386 The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.
I wouldn't think to hard about this one. I would argue that the OS provides the mechanisms for this by default through DAC policies (DAC policies being the "organization defined" piece).
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
Agreed. I'll make the change. -Willy
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c070e02..6167107 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386" /> +<ref disa="20,31,218,219,224,386,1092" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/27/12 6:18 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c070e02..6167107 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386" /> +<ref disa="20,31,218,219,224,386,1092" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
SRG-OS-000140 CCI-001092 The operating system must protect against or must limit the effects of the organization-defined or referenced types of Denial of Service attacks. A variety of technologies exist to limit, or in some cases, eliminate the effects of Denial of Service attacks. Employing increased capacity combined with service redundancy may reduce the susceptibility to some Denial of Service attacks.
Could we argue that this is met by: - Enabling IPTables - Setting account password retries in PAM - Turning off standard icmp responses
We certainly can't provide comprehensive protection against this at the OS layer, but the above "limits the effects" enough for a mapping.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6167107..5e295dc 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386,1092" /> +<ref disa="20,31,218,219,224,386,1092,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/27/12 6:18 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6167107..5e295dc 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386,1092" /> +<ref disa="20,31,218,219,224,386,1092,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
SRG-OS-000074 CCI-000197 The operating system must enforce password encryption for transmission. Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.
Configure OpenSSH Server if Necessary If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file|/etc/ssh/sshd_config|. The following recommendations can be applied to this file. See the|sshd_config(5)|man page for more detailed information.
I'm interpreting that as we must enforce password encryption for /operating system/ passwords, which the use of SSH would do for us.
On 06/27/2012 06:27 PM, Shawn Wells wrote:
On 6/27/12 6:18 PM, Willy Santos wrote:
Signed-off-by: Willy Santoswsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6167107..5e295dc 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386,1092" /> +<ref disa="20,31,218,219,224,386,1092,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
SRG-OS-000074 CCI-000197 The operating system must enforce password encryption for transmission. Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission to ensure unauthorized users/processes do not gain access to them.
Configure OpenSSH Server if Necessary If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file|/etc/ssh/sshd_config|. The following recommendations can be applied to this file. See the|sshd_config(5)|man page for more detailed information.
I'm interpreting that as we must enforce password encryption for /operating system/ passwords, which the use of SSH would do for us.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
That is the way I'm looking at it. I can always add SSL/TLS to address webapp logins.
-Willy
CCI-001096 requires the OS to limit the use of resources by priority. In RHEL6 process priority can be adjusted as necessary at any time.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 5e295dc..14e7931 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
CCI-001128 requires using cryptographic mechanisms to recognize changes to information during transmission. SSL/TLS can be used for that purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index d1d7e14..4674347 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -34,7 +34,7 @@ can be appropriate. The major steps in this process are: <li>Enable client support by distributing the CA’s certificate</li> </ol> </description> -<ref disa="1141,1148,1130,1131,1127" /> +<ref disa="1141,1148,1130,1131,1127,1128" />
<Rule id="network_ssl_create_ca"> <title>Create a CA to Sign Certificates</title>
CCI-001135 requires establishing a trusted communication path between user and security functions (e.g. login). SSL/TLS can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index 4674347..f66914e 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -34,7 +34,7 @@ can be appropriate. The major steps in this process are: <li>Enable client support by distributing the CA’s certificate</li> </ol> </description> -<ref disa="1141,1148,1130,1131,1127,1128" /> +<ref disa="1141,1148,1130,1131,1127,1128,1135" />
<Rule id="network_ssl_create_ca"> <title>Create a CA to Sign Certificates</title>
CCI-001135 requires establishing a trusted communication path between user and security functions (e.g. login). OpenSwan can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ipsec.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ipsec.xml b/rhel6/src/input/system/network/ipsec.xml index 2b145a5..a9bc1a7 100644 --- a/rhel6/src/input/system/network/ipsec.xml +++ b/rhel6/src/input/system/network/ipsec.xml @@ -18,7 +18,7 @@ transmitted over a wide area network. </rationale> <!--<ident cce="TODO" />--> <oval id="package_openswan_installed" /> -<ref nist="AC-17, MA-4, SC-9" disa="1130,1131" /> +<ref nist="AC-17, MA-4, SC-9" disa="1130,1131,1135" /> </Rule> </Group>
CCI-001135 requires establishing a trusted communication path between user and security functions (e.g. login). Using SSH in protocol version 2 for remote login satisfies this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/services/ssh.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index c673e76..c23907d 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -56,7 +56,7 @@ should not be used. </rationale> <ident cce="4325-7" /> <oval id="sshd_protocol_2" /> -<ref disa="776,774" /> +<ref disa="776,774,1135" /> </Rule>
<!-- FIXME: figure out whether/how to say something discrete here -->
On 6/27/12 6:18 PM, Willy Santos wrote:
Another set of CCI mappings.
Willy Santos (25): Mapped CCI-1127 to network_ssl. Mapped CCI-001154 to set_iptables_default_rule Mapped CCI-001250 to kernel_module_usb-storage_disabled. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to bootloader_nousb_argument. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to service_autofs_disabled. Mapped CCI-001343 to new_rule_needed. Mapped CCI-001348 to rsyslog_remote_loghost. Mapped CCI-001493 to met_inherently. Mapped CCI-001494 to met_inherently. Mapped CCI-001495 to met_inherently. Mapped CCI-001557 to service_rsyslog_enabled Mapped CCI-000017 to new_rule_needed. Mapped CCI-000052 to new_rule_needed. Mapped CCI-000053 to new_rule_needed. Mapped CCI-000226 to met_inherently. Mapped CCI-000386 to requirement_unclear. Mapped CCI-001092 to requirement_unclear. Mapped CCI-00197 to requirement_unclear. Mapped CCI-001096 to met_inherently. Mapped CCI-001128 to network_ssl. Mapped CCI-001135 to network_ssl. Mapped CCI-001135 to package_openswan_installed. Mapped CCI-001135 to sshd_allow_only_protocol2.
rhel6/src/input/auxiliary/srg_support.xml | 5 +++-- rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/logging.xml | 4 ++-- rhel6/src/input/system/network/ipsec.xml | 2 +- rhel6/src/input/system/network/iptables.xml | 2 +- rhel6/src/input/system/network/ssl.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 10 +++++----- 7 files changed, 14 insertions(+), 13 deletions(-)
nack to the following - I think we can hash them out a bit:
- [PATCH 18/25] Mapped CCI-000386 to requirement_unclear - [PATCH 19/25] Mapped CCI-001092 to requirement_unclear. - [PATCH 20/25] Mapped CCI-00197 to requirement_unclear.
I responded directly to those patches to start the conversation on them.
On 06/27/2012 06:34 PM, Shawn Wells wrote:
On 6/27/12 6:18 PM, Willy Santos wrote:
Another set of CCI mappings.
Willy Santos (25): Mapped CCI-1127 to network_ssl. Mapped CCI-001154 to set_iptables_default_rule Mapped CCI-001250 to kernel_module_usb-storage_disabled. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to bootloader_nousb_argument. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to service_autofs_disabled. Mapped CCI-001343 to new_rule_needed. Mapped CCI-001348 to rsyslog_remote_loghost. Mapped CCI-001493 to met_inherently. Mapped CCI-001494 to met_inherently. Mapped CCI-001495 to met_inherently. Mapped CCI-001557 to service_rsyslog_enabled Mapped CCI-000017 to new_rule_needed. Mapped CCI-000052 to new_rule_needed. Mapped CCI-000053 to new_rule_needed. Mapped CCI-000226 to met_inherently. Mapped CCI-000386 to requirement_unclear. Mapped CCI-001092 to requirement_unclear. Mapped CCI-00197 to requirement_unclear. Mapped CCI-001096 to met_inherently. Mapped CCI-001128 to network_ssl. Mapped CCI-001135 to network_ssl. Mapped CCI-001135 to package_openswan_installed. Mapped CCI-001135 to sshd_allow_only_protocol2.
rhel6/src/input/auxiliary/srg_support.xml | 5 +++-- rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/logging.xml | 4 ++-- rhel6/src/input/system/network/ipsec.xml | 2 +- rhel6/src/input/system/network/iptables.xml | 2 +- rhel6/src/input/system/network/ssl.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 10 +++++----- 7 files changed, 14 insertions(+), 13 deletions(-)
nack to the following - I think we can hash them out a bit:
- [PATCH 18/25] Mapped CCI-000386 to requirement_unclear - [PATCH 19/25] Mapped CCI-001092 to requirement_unclear. - [PATCH 20/25] Mapped CCI-00197 to requirement_unclear.I responded directly to those patches to start the conversation on them. _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
Are the rest ACK'd? Just want to make sure before pushing. I'll fix the nack'd ones based on our discussion today.
-Willy
On 6/28/12 4:47 PM, Willy Santos wrote:
On 06/27/2012 06:34 PM, Shawn Wells wrote:
On 6/27/12 6:18 PM, Willy Santos wrote:
Another set of CCI mappings.
Willy Santos (25): Mapped CCI-1127 to network_ssl. Mapped CCI-001154 to set_iptables_default_rule Mapped CCI-001250 to kernel_module_usb-storage_disabled. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to bootloader_nousb_argument. Mapped CCI-001250 to kernel_module_usb-storage_removed. Mapped CCI-001250 to service_autofs_disabled. Mapped CCI-001343 to new_rule_needed. Mapped CCI-001348 to rsyslog_remote_loghost. Mapped CCI-001493 to met_inherently. Mapped CCI-001494 to met_inherently. Mapped CCI-001495 to met_inherently. Mapped CCI-001557 to service_rsyslog_enabled Mapped CCI-000017 to new_rule_needed. Mapped CCI-000052 to new_rule_needed. Mapped CCI-000053 to new_rule_needed. Mapped CCI-000226 to met_inherently. Mapped CCI-000386 to requirement_unclear. Mapped CCI-001092 to requirement_unclear. Mapped CCI-00197 to requirement_unclear. Mapped CCI-001096 to met_inherently. Mapped CCI-001128 to network_ssl. Mapped CCI-001135 to network_ssl. Mapped CCI-001135 to package_openswan_installed. Mapped CCI-001135 to sshd_allow_only_protocol2.
rhel6/src/input/auxiliary/srg_support.xml | 5 +++-- rhel6/src/input/services/ssh.xml | 2 +- rhel6/src/input/system/logging.xml | 4 ++-- rhel6/src/input/system/network/ipsec.xml | 2 +- rhel6/src/input/system/network/iptables.xml | 2 +- rhel6/src/input/system/network/ssl.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 10 +++++----- 7 files changed, 14 insertions(+), 13 deletions(-)
nack to the following - I think we can hash them out a bit:
- [PATCH 18/25] Mapped CCI-000386 to requirement_unclear - [PATCH 19/25] Mapped CCI-001092 to requirement_unclear. - [PATCH 20/25] Mapped CCI-00197 to requirement_unclear.I responded directly to those patches to start the conversation on them. _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
Are the rest ACK'd? Just want to make sure before pushing. I'll fix the nack'd ones based on our discussion today.
-Willy
Yes! Ack to the rest and awesome of you to be knocking so many of these out!
scap-security-guide@lists.fedorahosted.org
-
Shawn Wells -
Willy Santos