More CCI mappings in support of the OS SRG compliance efforts. Note that any mapping to requirement_unclear is meant for discussion by the group and all suggestions are welcome.
Willy Santos (26): Changed mapping of CCI-000386 from requirement_unclear to met_inherently as suggested by Shawn Wells. Removed mapping of CCI-001092 from requirement_unclear, based on discussion/input from Shawn Wells. Mapped CCI-001092 to iptables_icmp_disabled and enable_iptables enable_ip6tables. Mapped CCI-001092 to password_retry. Mapped CCI-000024 to requirement_unclear. Mapped CCI-000025 to requirement_unclear. Mapped CCI-000026 to requirement_unclear. Mapped CCI-000027 to requirement_unclear. Mapped CCI-000028 to requirement_unclear. Mapped CCI-000029 to requirement_unclear. Mapped CCI-000030 to requirement_unclear. Mapped CCI-000032 to requirement_unclear. Mapped CCI-00034 to met_inherently. Mapped CCI-00035 to met_inherently. Mapped CCI-001250 to gconf_gnome_disable_automount. Mapped CCI-000085 to gconf_gnome_disable_automount. Mapped CCI-000085 to service_autofs_disabled. Mapped CCI-000085 to bios_disable_usb_boot. Mapped CCI-000085 to bootloader_nousb_argument. Mapped CCI-000085 to kernel_module_usb-storage_removed. Mapped CCI-000085 to gconf_gnome_disable_automount. Mapped CCI-000099 to requirement_unclear. Mapped CCI-000157 to met_inherently. Mapped CCI-000185 to network_ssl_enable_client_support. Made changes requested by Jeff Blank to accommodate changes made on his commit. Mapped CCI-000186 to met_inherently.
rhel6/src/input/auxiliary/srg_support.xml | 10 +++++----- rhel6/src/input/system/accounts/pam.xml | 2 +- rhel6/src/input/system/network/iptables.xml | 6 +++--- rhel6/src/input/system/network/ssl.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 12 ++++++------ 5 files changed, 16 insertions(+), 16 deletions(-)
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 14e7931..c803ec1 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance"> @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386,1092,1097" /> +<ref disa="20,31,218,219,224,1092,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
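Review bot: the closing comment in the second hunk, `<!-- end unmet_impractical_product -->`, appears stale, since it sits under the group whose description reads "It is unclear how to satisfy this requirement." and which the cover letter calls requirement_unclear. The line is already in the diff context, so correct the comment to name the enclosing group while the list above it is being edited. The commit also has no message body, so the reason 386 counts as met by design is recorded only in the cover letter; a one-line rationale in the commit would keep it with the history.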
On 6/29/12 5:45 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 14e7931..c803ec1 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here. -->
</description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance"> @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,386,1092,1097" /> +<ref disa="20,31,218,219,224,1092,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
Ack
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c803ec1..1abc2f7 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1092,1097" /> +<ref disa="20,31,218,219,224,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c803ec1..1abc2f7 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope.
<description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1092,1097" /> +<ref disa="20,31,218,219,224,1097" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
Ack
CCI-001092 requires limiting the effects of a DoS attack. The referenced rules provide some protection against these types of attacks.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/iptables.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index d5ae221..df8f390 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -79,7 +79,7 @@ capability for IPv6 and ICMPv6. </rationale> <ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118"/> +<ref nist="CM-6, CM-7" disa="1115,1118,1092"/> </Rule>
<Rule id="enable_iptables"> @@ -95,7 +95,7 @@ capability for IPv4 and ICMP. </rationale> <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118" /> +<ref nist="CM-6, CM-7" disa="1115,1118,1092" /> </Rule> </Group><!--<Group id="iptables_activation">-->
@@ -188,7 +188,7 @@ could add another IPv6 address to the interface or alter important network setti ation of IPv6 depends heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</rationale> <!--<ident cce="14264-6" />--> <oval id="iptables_icmp_disabled" /> -<ref nist="AC-4, CM-6" /> +<ref nist="AC-4, CM-6" disa="1092" /> </Rule>
<Rule id="iptables_log_and_drop_suspicious">
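Review bot: in all three hunks only the disa attribute gains 1092, while nist stays at "CM-6, CM-7" (and "AC-4, CM-6" for iptables_icmp_disabled), none of which is a denial-of-service control. If CCI-001092 traces to a different NIST control, add it to nist in the same change so the two attributes agree. The commit message claims only "some protection", and the visible rationale for the two service rules ends at "capability for IPv6 and ICMPv6" and "capability for IPv4 and ICMP", so consider saying in the rationale which DoS effect an enabled firewall service limits.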
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-001092 requires limiting the effects of a DoS attack. The referenced rules provide some protection against these types of attacks.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/network/iptables.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index d5ae221..df8f390 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -79,7 +79,7 @@ capability for IPv6 and ICMPv6.
</rationale> <ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118"/> +<ref nist="CM-6, CM-7" disa="1115,1118,1092"/> </Rule>
<Rule id="enable_iptables"> @@ -95,7 +95,7 @@ capability for IPv4 and ICMP. </rationale> <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> -<ref nist="CM-6, CM-7" disa="1115,1118" /> +<ref nist="CM-6, CM-7" disa="1115,1118,1092" /> </Rule> </Group><!--<Group id="iptables_activation">-->
@@ -188,7 +188,7 @@ could add another IPv6 address to the interface or alter important network setti ation of IPv6 depends heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</rationale>
<!--<ident cce="14264-6" />-->
<oval id="iptables_icmp_disabled" /> -<ref nist="AC-4, CM-6" /> +<ref nist="AC-4, CM-6" disa="1092" /> </Rule>
<Rule id="iptables_log_and_drop_suspicious">
Ack
CCI-001092 requires limiting the effects of a DoS attack. The reference rule provides some protection against these types of attacks.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/accounts/pam.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index 5fa2d32..2820b56 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -163,7 +163,7 @@ is different from account lockout, which is provided by the pam_faillock module. </rationale> <ident cce="15054-0" /> <oval id="accounts_password_pam_cracklib_retry" value="var_password_pam_cracklib_retry"/> -<ref nist="IA-5" /> +<ref nist="IA-5" disa="1092" /> </Rule>
<Rule id="password_require_digits">
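Review bot: the new disa="1092" on the rule checked by accounts_password_pam_cracklib_retry needs a justification, because the hunk's own context line says this setting "is different from account lockout, which is provided by the pam_faillock module", and nist stays at IA-5. The pam_cracklib retry value bounds how many times a user is prompted for an acceptable new password, not how many authentication attempts are allowed, so either explain in the rationale how it limits the effects of a DoS attack or drop the reference from this rule.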
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-001092 requires limiting the effects of a DoS attack. The reference rule provides some protection against these types of attacks.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/accounts/pam.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index 5fa2d32..2820b56 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -163,7 +163,7 @@ is different from account lockout, which is provided by the pam_faillock module.
</rationale> <ident cce="15054-0" /> <oval id="accounts_password_pam_cracklib_retry" value="var_password_pam_cracklib_retry"/> -<ref nist="IA-5" /> +<ref nist="IA-5" disa="1092" /> </Rule>
<Rule id="password_require_digits">
Ack
CCI-000024 requires the OS to prevent access to security-relevant information except during non-operable system states (e.g. maintenance windows, etc.). This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 1abc2f7..1f89742 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097" /> +<ref disa="20,31,218,219,224,1097,24" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
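Review bot: the `+<ref disa="20,31,218,219,224,1097,24" />` line appends 24 after 1097, and the following patches in the series keep appending to the same attribute, so the list drifts further from numeric order and every patch rewrites the same line. Insert new CCIs in sorted position, which makes duplicates and later removals easier to spot, and consider folding the requirement_unclear additions into one commit, given that each is marked as open to discussion and may move to another group.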
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000024 requires the OS to prevent access to security-relevant information except during non-operable system states (e.g. maintenance windows, etc.). This mapping is open to discussion and change.
SRG-OS-000008 CCI-000024 The operating system must prevent access to organization-defined security-relevant information except during secure, non-operable system states. Security-relevant information is any information within the information system potentially impacting the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Organizations may define specific security relevant information requiring protection. Filtering rules for routers and firewalls, cryptographic key management information, key configuration parameters for security services, and access control lists are examples of security-relevant information. Secure, non-operable system states are states in which the information system is not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shutdown). Access to these types of data is to be prevented unless the system is in a maintenance mode or has otherwise been brought off-line. The goal is to minimize the potential that a security configuration or data may be dynamically and perhaps surreptitiously overwritten or changed (without going through a formal system change process documenting the changes).
IMHO, this belongs to unmet_impractical_guidance as it conflicts with other requirements stating that we have to be able to dynamically adjust the system. I'd also map this to unmet_impractical_product as it's impractical at this point of Linux's maturity to completely change the access policies to prevent system adjustments unless in runlevel 1 (which I see as the only true way to truly enforce something like this, which requires "non-operable system state").
CCI-000025 refers to enforcing information flow control based on explicit security attributes. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 1f89742..372e4f4 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24" /> +<ref disa="20,31,218,219,224,1097,24,25" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000025 refers to enforcing information flow control based on explicit security attributes. This mapping is open to discussion and change.
SRG-OS-000009 CCI-000025 The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Examples of flow control restrictions include: keeping export controlled information from being transmitted in the clear to the Internet; and blocking outside traffic claiming to be from within the organization and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Information flow enforcement mechanisms compare security attributes on all information (data content and data structure), source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. Information flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information.
Source and destination are easy -- IPTables. It's when "security attributes" come into play that I get caught up. Technically we can enforce this by mandating MCS or MLS enablement. This requirement makes sense if we were to make a CNSS 12-53 profile, but I'm not convinced this makes sense for a general purpose security guide.
unmet_impractical_guidance in my opinion
CCI-000026 refers to enforcing information flow control using protected processing domains. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 372e4f4..2da140c 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25" /> +<ref disa="20,31,218,219,224,1097,24,25,26" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000026 refers to enforcing information flow control using protected processing domains. This mapping is open to discussion and change.
SRG-OS-000010 CCI-000026 The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. Protected processing domains can be used to separate different data types. The operating system must enforce information flow control to ensure information does not pass into domains that are not authorized to process it.
We enforce information flow against processing domains via SELinux. By default we just run everything as unconfined_t. SysAdmins can change this if they want to alter the standard flow, but regardless we enforce it whenever selinux is enforced.
I'd map this to having to enable selinux.
CCI-000027 refers to enforcing dynamic information flow control based on policy upon changing conditions or operational considerations. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 2da140c..6d99a8c 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000027 refers to enforcing dynamic information flow control based on policy upon changing conditions or operational considerations. This mapping is open to discussion and change.
SRG-OS-000011 CCI-000027 The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. The operating system must enforce flow control decisions based upon changing conditions.
Our security posture allows the dynamic adjustment of information flows through the realtime configuration of IPTables as conditions and operational considerations change. I'd map back to our enable_iptables group.
CCI-000028 requires the OS to prevent encrypted data from bypassing content checking mechanisms. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6d99a8c..1d6d5d7 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26,27" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27,28" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000028 requires the OS to prevent encrypted data from bypassing content checking mechanisms. This mapping is open to discussion and change.
SRG-OS-000012 CCI-000028 The operating system must prevent encrypted data from bypassing content checking mechanisms. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. _When data is encrypted, mechanisms designed to examine data content to detect attacks or malicious code are unable to accomplish this task unless they are capable of unencrypting the data._
So... this requirement wants the OS to mysteriously decrypt the data, pass it through an inspection tool, then re-encrypt it. My vote is /both/ unmet_impractical_guidance and unmet_impractical_product on this one.
CCI-000029 requires enforcing org-defined limitations on embedding of data within other data types. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 1d6d5d7..a72eff5 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26,27,28" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000029 requires enforcing org-defined limitations on embedding of data within other data types. This mapping is open to discussion and change.
SRG-OS-000013 CCI-000029 The operating system must enforce organization-defined limitations on the embedding of data types within other data types. Embedding of data within other data is often used for the clandestine transfer of data. Embedding of data within other data can circumvent protections in place to protect information and systems.
unmet_impractical_guidance - Creating prose to do this is beyond the scope of a general security guide. And there's no requirement in NIST 800-53 that actually says to do this.
and unmet_impractical_product - I don't see this being technically feasible at an operating system level. That is what 3rd party ISVs are for.
CCI-000030 requires enforcing information flow control on metadata. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index a72eff5..c1ed9c2 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000030 requires enforcing information flow control on metadata. This mapping is open to discussion and change.
SRG-OS-000014 CCI-000030 The operating system must enforce information flow control on metadata. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Metadata is defined as data providing information about one or more other pieces of data, such as, purpose of the data, author/creator of the data, network location of where data was created, and application specific data information.
How would we create guidance against all the possible metadata types and repositories? How would we know that AuthorA can't share his information with AuthorB, even though they have the same clearance level? unmet_impractical_guidance
This isn't technically feasible at an OS level. unmet_impractical_product
CCI-000032 requires enforcing information flow control using org-defined security policy filters. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c1ed9c2..6c06926 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30,32" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000032 requires enforcing information flow control using org-defined security policy filters. This mapping is open to discussion and change.
SRG-OS-000016 CCI-000032 The operating system must enforce information flow control using organization-defined security policy filters as a basis for flow control decisions. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information. Organization-defined security policy filters may include, dirty word filters, file type checking filters, structured data filters, unstructured data filters, metadata content filters, and hidden content filters.
It's not practical for the OS to embed such filters into IPTables. Requirement may be legitimate, but not at an OS level. unmet_impractical_product.
CCI-000034 requires providing a privileged administrator the capability to enable/disable org-defined security policy filters. By default in RHEL6, the root account has privileges to manage all security functions on the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6c06926..c7df431 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
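Review bot: adding 34 to the met_inherently list is inconsistent with the earlier patch in this series that placed 32, the requirement to enforce flow control with organization-defined security policy filters, under "It is unclear how to satisfy this requirement." A capability to enable or disable those filters is hard to call met by design while the filters themselves have no mapping. Either record in the group description that this rests on root's general privileges, as the commit message argues, or hold 34 (and 35 in the next patch) until 32 is settled.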
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000034 requires providing a privileged administrator the capability to enable/disable org-defined security policy filters. By default in RHEL6, the root account has privileges to manage all security functions on the system.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 6c06926..c7df431 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here. -->
</description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
Ack
CCI-000035 requires providing a privileged administrator the capability to configure org-defined security policy filters. By default in RHEL6, the root account has privileges to manage all security functions on the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c7df431..082f736 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000035 requires providing a privileged administrator the capability to configure org-defined security policy filters. By default in RHEL6, the root account has privileges to manage all security functions on the system.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index c7df431..082f736 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here. -->
</description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
Ack
CCI-001250 requires not allowing users to introduce removable media. The referenced rule disables the automatic mounting of media in Gnome.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 5e10374..a2fec04 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -162,7 +162,7 @@ DVDs. </rationale> <ident cce="4231-7" /> <oval id="gconf_gnome_disable_automount" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="disable_module_cramfs">
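Review bot: `disa="1250"` on `gconf_gnome_disable_automount` claims more than the commit message supports. The message describes CCI-001250 as not allowing users to introduce removable media, while the rule only disables automatic mounting in Gnome, so it covers the automount path of a Gnome session and nothing else. Say in the commit message that this is a partial mapping and which other rules are expected to complete it.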
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-001250 requires not allowing users to introduce removable media. The referenced rule disables the automatic mounting of media in Gnome.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 5e10374..a2fec04 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -162,7 +162,7 @@ DVDs.
</rationale> <ident cce="4231-7" /> <oval id="gconf_gnome_disable_automount" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1250" /> </Rule>
<Rule id="disable_module_cramfs">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the automatic mounting of media in Gnome.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index a2fec04..cbf2819 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -162,7 +162,7 @@ DVDs. </rationale> <ident cce="4231-7" /> <oval id="gconf_gnome_disable_automount" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="disable_module_cramfs">
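Review bot: the commit message describes CCI-000085 as monitoring for unauthorized connections of mobile devices, but the rule tagged here with `disa="1250,85"` disables automounting and records nothing about a device being connected. If the intent is that prevention stands in for monitoring, state that interpretation in the commit message, or pair the CCI with a rule that logs device connections.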
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the automatic mounting of media in Gnome.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index a2fec04..cbf2819 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -162,7 +162,7 @@ DVDs.
</rationale> <ident cce="4231-7" /> <oval id="gconf_gnome_disable_automount" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="disable_module_cramfs">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the automatic mounting of media.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index cbf2819..8436498 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -133,7 +133,7 @@ should be explicitly listed in /etc/fstab by and administrator. New filesystems not be arbitrarily introduced via the automounter.</rationale> <ident cce="4072-5" /> <oval id="service_autofs_disabled" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="gconf_gnome_disable_automount">
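Review bot: the rationale text visible in this hunk's context reads "by and administrator", which should be "by an administrator". The patch does not introduce it, but since the rule is being touched a small follow-up fix to the rationale would be worthwhile.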
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the automatic mounting of media.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index cbf2819..8436498 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -133,7 +133,7 @@ should be explicitly listed in /etc/fstab by and administrator. New filesystems not be arbitrarily introduced via the automounter.</rationale>
<ident cce="4072-5" /> <oval id="service_autofs_disabled" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="gconf_gnome_disable_automount">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables booting from a USB device.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 8436498..7df811a 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -111,7 +111,7 @@ any security measures offered by the native OS. Attackers could mount partitions configuration of the native OS. The BIOS should be configured to disallow booting from USB media.</rationale> <ident cce="3944-6" /> <!-- <oval id="bios_disable_usb_boot" /> --> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="service_autofs_disabled">
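Review bot: `disa="1250,85"` is attached here to a rule whose check is commented out (`<!-- <oval id="bios_disable_usb_boot" /> -->`), so a scan cannot report either CCI as verified through this rule. Note in the commit message that this mapping can only be satisfied by manual inspection of the BIOS setting.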
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables booting from a USB device.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 8436498..7df811a 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -111,7 +111,7 @@ any security measures offered by the native OS. Attackers could mount partitions configuration of the native OS. The BIOS should be configured to disallow booting from USB media.</rationale>
<ident cce="3944-6" /> <!-- <oval id="bios_disable_usb_boot" /> --> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="service_autofs_disabled">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables all USB support in the kernel by the bootloader.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 7df811a..f913f4b 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -96,7 +96,7 @@ disable USB storage devices if they are plugged into the sytem. Support for thes should be disabled and the devices themselves should be tightly controlled.</rationale> <ident cce="4173-1" /> <oval id="bootloader_nousb_argument" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="bios_disable_usb_boot">
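Review bot: the rationale text shown in this hunk's context contains the misspelling "sytem" ("plugged into the sytem"). It is not part of this change, but the rule is already being edited, so a follow-up correction to "system" would be cheap.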
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables all USB support in the kernel by the bootloader.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 7df811a..f913f4b 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -96,7 +96,7 @@ disable USB storage devices if they are plugged into the sytem. Support for thes should be disabled and the devices themselves should be tightly controlled.</rationale>
<ident cce="4173-1" /> <oval id="bootloader_nousb_argument" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="bios_disable_usb_boot">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule removes the USB storage driver from the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index f913f4b..569fd7a 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -78,7 +78,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale> <ident cce="4006-3" /> <oval id="kernel_module_usb-storage_removed" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="bootloader_nousb_argument">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule removes the USB storage driver from the system.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index f913f4b..569fd7a 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -78,7 +78,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale>
<ident cce="4006-3" /> <oval id="kernel_module_usb-storage_removed" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="bootloader_nousb_argument">
Ack
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the USB storage driver on the system.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 569fd7a..ed270ed 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -57,7 +57,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale> <ident cce="4187-1" /> <oval id="kernel_module_usb-storage_disabled" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="kernel_module_usb-storage_removed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000085 requires monitoring for unauthorized connections of mobile devices. The referenced rule disables the USB storage driver on the system.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/permissions/mounting.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/permissions/mounting.xml b/rhel6/src/input/system/permissions/mounting.xml index 569fd7a..ed270ed 100644 --- a/rhel6/src/input/system/permissions/mounting.xml +++ b/rhel6/src/input/system/permissions/mounting.xml @@ -57,7 +57,7 @@ software and other vulnerabilities. Support for these devices should be disabled the devices themselves should be tightly controlled.</rationale>
<ident cce="4187-1" /> <oval id="kernel_module_usb-storage_disabled" /> -<ref nist="CM-6, CM-7" disa="1250" /> +<ref nist="CM-6, CM-7" disa="1250,85" /> </Rule>
<Rule id="kernel_module_usb-storage_removed">
Ack
CCI-000099 requires employing automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. This mapping is open to discussion and change.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 082f736..625e783 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -29,7 +29,7 @@ The requirement is impractical or out of scope. <description> It is unclear how to satisfy this requirement. </description> -<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30,32" /> +<ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30,32,99" /> </Group> <!-- end unmet_impractical_product -->
<Group id="new_rule_needed">
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000099 requires employing automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. This mapping is open to discussion and change.
SRG-OS-000036 CCI-000099 The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared. Depending on the information sharing circumstance, the sharing partner may be defined at the individual, group, or organization level and information may be defined by specific content, type, or security categorization. The operating system must restrict data in some manner (e.g., privileged medical, contract-sensitive, proprietary, personally identifiable information, special access programs/compartments) and must provide the capability to automatically enable authorized users to make information sharing decisions based upon access authorizations.
met_inherently via DAC file permissions
CCI-000157 requires support for an audit reduction capability. RHEL6's audit system includes the ausearch and aureport tools which can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 625e783..8b1b296 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
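Review bot: the number added to `met_inherently` is `156` (`...386,34,35,156`), but the commit message is about CCI-000157 and its audit reduction capability. If 157 is what was meant, the new list entry should read `157`; as written, this hunk marks CCI-156 as met and does not add CCI-157 at all.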
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000157 requires support for an audit reduction capability. RHEL6's audit system includes the ausearch and aureport tools which can be used for this purpose.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 625e783..8b1b296 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here. -->
</description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
Ack
CCI-000185 requires, for PKI-based authentication, the validation of certificates using a certification path to an accepted trust anchor. For SSL/TLS the referenced rule addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index f66914e..4a54343 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -115,7 +115,7 @@ To avoid this warning, and properly authenticate the servers, your CA certificat application on every client system that will be connecting to an SSL-enabled server.</description> <!--<ident cce="TODO" />--> <!--TODO:MANUAL<oval id="network_ssl_enable_client_support" />--> -<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" /> +<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" disa="185" /> </Rule>
<Rule id="network_ssl_add_ca_firefox">
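Review bot: `disa="185"` lands on a rule whose OVAL check is still marked `TODO:MANUAL` and whose CCE ident is still `TODO`, so the certification-path validation that CCI-000185 asks for has no automated check behind it. Either flag the mapping as manual-only in the commit message or hold it until the check exists.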
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000185 requires, for PKI-based authentication, the validation of certificates using a certification path to an accepted trust anchor. For SSL/TLS the referenced rule addresses this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/network/ssl.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/network/ssl.xml b/rhel6/src/input/system/network/ssl.xml index f66914e..4a54343 100644 --- a/rhel6/src/input/system/network/ssl.xml +++ b/rhel6/src/input/system/network/ssl.xml @@ -115,7 +115,7 @@ To avoid this warning, and properly authenticate the servers, your CA certificat application on every client system that will be connecting to an SSL-enabled server.</description>
<!--<ident cce="TODO" />-->
<!--TODO:MANUAL<oval id="network_ssl_enable_client_support" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" /> +<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" disa="185" />
</Rule>
<Rule id="network_ssl_add_ca_firefox">
Ack
Removed CCI-17 from new_rule_needed and fixed closing-tag comments in srg_support.xml.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 8b1b296..dfdfa96 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -30,14 +30,14 @@ The requirement is impractical or out of scope. It is unclear how to satisfy this requirement. </description> <ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30,32,99" /> -</Group> <!-- end unmet_impractical_product --> +</Group> <!-- end requirement_unclear -->
<Group id="new_rule_needed"> <title>A New Policy/Manual Rule is Needed</title> <description> A new Rule needs to be created in the scap-security-guide content. </description> -<ref disa="1343,17,52,53" /> -</Group> <!-- end unmet_impractical_product --> +<ref disa="1343,52,53" /> +</Group> <!-- end new_rule_needed -->
</Group>
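Review bot: `17` is dropped from `new_rule_needed` (`-<ref disa="1343,17,52,53" />`) without this patch adding it anywhere else, and the commit message does not say which rule or group now covers CCI-17. Name where it is mapped, or explain why it no longer needs a mapping. The two closing-comment corrections are unrelated to the mapping change and would be easier to review as their own commit.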
On 6/29/12 5:45 PM, Willy Santos wrote:
Removed CCI-17 from new_rule_needed and fixed closing-tag comments in srg_support.xml.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index 8b1b296..dfdfa96 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -30,14 +30,14 @@ The requirement is impractical or out of scope. It is unclear how to satisfy this requirement.
</description> <ref disa="20,31,218,219,224,1097,24,25,26,27,28,29,30,32,99" /> -</Group> <!-- end unmet_impractical_product --> +</Group> <!-- end requirement_unclear -->
<Group id="new_rule_needed"> <title>A New Policy/Manual Rule is Needed</title> <description> A new Rule needs to be created in the scap-security-guide content. </description> -<ref disa="1343,17,52,53" /> -</Group> <!-- end unmet_impractical_product --> +<ref disa="1343,52,53" /> +</Group> <!-- end new_rule_needed -->
</Group>
Ack
CCI-000186 requires enforcing authorized access to PKI-based private key.
Signed-off-by: Willy Santos wsantos@redhat.com --- rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index dfdfa96..2bc00f9 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156,186" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
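Review bot: the commit message for adding `186` to `met_inherently` restates the requirement but, unlike the other mappings in this series, gives no reason why the system meets it by design. Add one sentence naming the mechanism that enforces authorized access to the private key so the mapping can be checked.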
On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000186 requires enforcing authorized access to PKI-based private key.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/auxiliary/srg_support.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml b/rhel6/src/input/auxiliary/srg_support.xml index dfdfa96..2bc00f9 100644 --- a/rhel6/src/input/auxiliary/srg_support.xml +++ b/rhel6/src/input/auxiliary/srg_support.xml @@ -12,7 +12,7 @@ not clearly relate. Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here. -->
</description> -<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156" /> +<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872,1493,1494,1495,226,1096,386,34,35,156,186" /> </Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
Ack
On 6/29/12 5:45 PM, Willy Santos wrote:
Mapped CCI-000085 to gconf_gnome_disable_automount. Mapped CCI-000085 to service_autofs_disabled. Mapped CCI-000085 to bios_disable_usb_boot. Mapped CCI-000085 to bootloader_nousb_argument. Mapped CCI-000085 to kernel_module_usb-storage_removed. Mapped CCI-000085 to gconf_gnome_disable_automount.
SRG-OS-000034 CCI-000085 The operating system must monitor for unauthorized connections of mobile devices to organizational information systems. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements. Usage restrictions and implementation guidance related to mobile devices include, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). *In order to detect unauthorized mobile device connections, organizations must first identify and document what mobile devices are authorized.*
I ack'd those due to the line in bold -- your mappings are part of what defines what is allowed (ok, this may be a loose interpretation, but we can adjust later).
I would also map this to the audit configuration section, as these things would show up in dmesg and audit logs.
scap-security-guide@lists.fedorahosted.org