This will require a quick change of the existing and significant CCIs as idents, which I will coordinate with Willy and Shawn. Again, my goof on originally keeping them as idents...
Jeffrey Blank (1): changed major transforms to handle CCIs as references instead of idents
rhel6/src/transforms/constants.xslt | 4 +- rhel6/src/transforms/shorthand2xccdf.xslt | 75 +++++++++++++++++++---------- rhel6/src/transforms/table-srgmap.xslt | 22 +++++++-- 3 files changed, 68 insertions(+), 33 deletions(-)
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/transforms/constants.xslt | 4 +- rhel6/src/transforms/shorthand2xccdf.xslt | 75 +++++++++++++++++++---------- rhel6/src/transforms/table-srgmap.xslt | 22 +++++++-- 3 files changed, 68 insertions(+), 33 deletions(-)
diff --git a/rhel6/src/transforms/constants.xslt b/rhel6/src/transforms/constants.xslt index 6c0fe4a..a3b26b7 100644 --- a/rhel6/src/transforms/constants.xslt +++ b/rhel6/src/transforms/constants.xslt @@ -5,14 +5,12 @@
<!-- abbreviated as idents in the XCCDF--> <xsl:variable name="cceuri">http://cce.mitre.org</xsl:variable> -<xsl:variable name="cciuri">http://iase.disa.mil/cci/index.html</xsl:variable>
<!-- abbreviated as references in the XCCDF--> <xsl:variable name="nist800-53uri">http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.p...</xsl:variable> <xsl:variable name="cnss1253uri">http://www.cnss.gov/Assets/pdf/CNSSI-1253.pdf</xsl:variable> <xsl:variable name="dcid63uri">not_officially_available</xsl:variable> - - +<xsl:variable name="disa-cciuri">http://iase.disa.mil/cci/index.html</xsl:variable>
<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> </xsl:stylesheet> diff --git a/rhel6/src/transforms/shorthand2xccdf.xslt b/rhel6/src/transforms/shorthand2xccdf.xslt index 9127dd8..8cc2b96 100644 --- a/rhel6/src/transforms/shorthand2xccdf.xslt +++ b/rhel6/src/transforms/shorthand2xccdf.xslt @@ -2,7 +2,7 @@ <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" -exclude-result-prefixes="xccdf"> +exclude-result-prefixes="xccdf xhtml">
<xsl:include href="constants.xslt"/>
@@ -39,7 +39,7 @@ exclude-result-prefixes="xccdf"> </xsl:copy> </xsl:template>
- <!-- expand reference to CCE ID --> + <!-- expand reference to ident types --> <xsl:template match="Rule/ident"> <xsl:for-each select="@*"> <ident> @@ -57,22 +57,6 @@ exclude-result-prefixes="xccdf"> </xsl:otherwise> </xsl:choose> </xsl:when> - - <!-- NOTE: use DISA's OS SRG to see these tied to more-concrete OS settings --> - <xsl:when test="name() = 'cci'"> - <xsl:attribute name="system"> - <xsl:value-of select="$cciuri" /> - <!-- <xsl:text>http://iase.disa.mil/cci/index.html</xsl:text> --> - </xsl:attribute> - xsl:choose - <xsl:when test="starts-with(translate(., 'ci', 'CI'), 'CCI')"> - <xsl:value-of select="." /> - </xsl:when> - xsl:otherwise - <xsl:value-of select="concat('CCI-', .)" /> - </xsl:otherwise> - </xsl:choose> - </xsl:when> xsl:otherwise <xsl:value-of select="." /> </xsl:otherwise> @@ -81,29 +65,68 @@ exclude-result-prefixes="xccdf"> </xsl:for-each> </xsl:template>
- <!-- expand ref attributes to appropriate XCCDF reference bodies --> + <!-- expand ref attributes to reference tags, one item per reference --> <xsl:template match="Rule/ref"> <xsl:for-each select="@*"> + <xsl:call-template name="ref-info" > + <xsl:with-param name="refsource" select="name()" /> + <xsl:with-param name="refitems" select="." /> + </xsl:call-template> + </xsl:for-each> + </xsl:template> + + <!-- expands individual reference source --> + <xsl:template name="ref-info"> + <xsl:param name="refsource"/> + <xsl:param name="refitems"/> + <xsl:variable name="delim" select="','" /> + xsl:choose + <xsl:when test="$delim and contains($refitems, $delim)"> + <!-- output the reference --> + <xsl:call-template name="ref-output" > + <xsl:with-param name="refsource" select="$refsource" /> + <xsl:with-param name="refitem" select="substring-before($refitems, $delim)" /> + </xsl:call-template> + <!-- recurse for additional refs --> + <xsl:call-template name="ref-info"> + <xsl:with-param name="refsource" select="$refsource" /> + <xsl:with-param name="refitems" select="substring-after($refitems, $delim)" /> + </xsl:call-template> + </xsl:when> + + xsl:otherwise + <xsl:call-template name="ref-output" > + <xsl:with-param name="refsource" select="$refsource" /> + <xsl:with-param name="refitem" select="$refitems" /> + </xsl:call-template> + </xsl:otherwise> + </xsl:choose> + </xsl:template> + + <!-- output individual reference --> + <xsl:template name="ref-output"> + <xsl:param name="refsource"/> + <xsl:param name="refitem"/> <reference> <xsl:attribute name="href"> <!-- populate the href attribute with a global reference--> - <xsl:if test="name() = 'nist'"> + <xsl:if test="$refsource = 'nist'"> <xsl:value-of select="$nist800-53uri" /> </xsl:if> - <xsl:if test="name() = 'cnss'"> + <xsl:if test="$refsource = 'cnss'"> <xsl:value-of select="$cnss1253uri" /> </xsl:if> - <xsl:if test="name() = 'dcid'"> + <xsl:if test="$refsource = 'dcid'"> <xsl:value-of select="$dcid63uri" /> 
</xsl:if> + <xsl:if test="$refsource = 'disa'"> + <xsl:value-of select="$disa-cciuri" /> + </xsl:if> </xsl:attribute> - <!-- the actual string specified --> - <xsl:value-of select="." /> + <xsl:value-of select="$refitem" /> </reference> - </xsl:for-each> </xsl:template>
- <!-- expand reference to OVAL ID --> <xsl:template match="Rule/oval"> <check> diff --git a/rhel6/src/transforms/table-srgmap.xslt b/rhel6/src/transforms/table-srgmap.xslt index a502d24..b7f68a7 100644 --- a/rhel6/src/transforms/table-srgmap.xslt +++ b/rhel6/src/transforms/table-srgmap.xslt @@ -2,7 +2,7 @@ <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml%22%3E
<!-- this style sheet is designed to take as input the OS SRG and a body of XCCDF content (e.g. draft STIG), - and to map the requirements from the SRG to Rules in the XCCDF (which include CCIs as idents). + and to map the requirements from the SRG to Rules in the XCCDF (which include CCIs as references). The output shows how a body of XCCDF meets SRG requirements. -->
<xsl:include href="constants.xslt"/> @@ -77,14 +77,17 @@ <td> <xsl:value-of select="$srg_id"/> </td> <td> <xsl:value-of select="$srg_cci"/> </td> <td> <xsl:value-of select="$srg_title"/> </td> - <td> <xsl:value-of select="$srg_desc"/> </td> + <td> <xsl:call-template name="extract-vulndiscussion"><xsl:with-param name="desc" select="$srg_desc"/></xsl:call-template> </td> <td> <!-- iterate over the Rules in the (externally-provided) XCCDF document --> <xsl:for-each select="$rules"> <xsl:variable name="rule" select="."/> + <xsl:if test="cdf:reference[@href=$disa-cciuri]" > <table> - <xsl:for-each select="cdf:ident[@system='http://iase.disa.mil/cci/index.html%27%5D%22%3E - <xsl:if test="self::node()[text()=$srg_cci]" > + <xsl:for-each select="cdf:reference[@href=$disa-cciuri]"> + <xsl:variable name="cci_formatted" select='format-number(self::node()[text()], "000000")' /> + <xsl:variable name="cci_expanded" select="concat('CCI-', $cci_formatted)" /> + <xsl:if test="$cci_expanded=$srg_cci" > <tr> <td> <xsl:value-of select="$rule/cdf:title"/> </td> <td> <xsl:apply-templates select="$rule/cdf:description"/> </td> @@ -92,11 +95,22 @@ </xsl:if> </xsl:for-each> </table> + </xsl:if> </xsl:for-each> </td> </tr> </xsl:template>
+ + <!-- return only the text between the "VulnDiscussion" (non-XCCDF) tags --> + <!-- this should be removed as soon as SRGs include only a description instead of odd tags --> + <xsl:template name="extract-vulndiscussion"> + <xsl:param name="desc"/> + <xsl:variable name="desc_info" select="substring-before($desc, '</VulnDiscussion>')"/> + <xsl:value-of select="substring-after($desc_info, '<VulnDiscussion>')"/> + </xsl:template> + + <!-- get rid of XHTML namespace since we're outputting to HTML --> <xsl:template match="xhtml:*"> <xsl:element name="{local-name()}">
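Review bot: dropping the `cci` branch of `Rule/ident` also drops the only normalization of CCI strings (the `translate(., 'ci', 'CI')` case fold and the `concat('CCI-', .)` prefix), and the new `ref-output` emits `$refitem` verbatim, so a `<reference>` now carries whatever the shorthand author typed and table-srgmap.xslt has to rebuild the canonical `CCI-NNNNNN` form itself; normalizing once at generation time, in `ref-output` when `$refsource = 'disa'`, would keep both transforms in agreement.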
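Review bot: the comma split in `ref-info` does not strip whitespace, so a value written as `nist="CM-6 (1).1, CM-6"` produces a second `<reference>` whose text starts with a space, which breaks equality matches downstream; emit `normalize-space($refitem)` in `ref-output` (or trim before recursing). The `$delim and` part of the `xsl:when` test is always true for the literal `','` and can be dropped.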
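Review bot: `format-number(self::node()[text()], "000000")` yields `NaN` for any reference text that is not purely numeric (for example a value written with the `CCI-` prefix, which the removed ident branch used to accept), so `$cci_expanded` becomes `CCI-NaN` and the Rule silently vanishes from the SRG map; test `number(.) = number(.)` (false only for NaN) or strip a leading `CCI-` before formatting, and `self::node()[text()]` can simply be `.`.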
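Review bot: `extract-vulndiscussion` returns an empty string whenever `$desc` lacks a closing `</VulnDiscussion>` tag, because `substring-before` returns '' when the needle is absent, so any SRG description without those pseudo-tags loses its whole column; wrap the two string calls in an `<xsl:choose>` keyed on `contains($desc, '</VulnDiscussion>')` and fall back to `<xsl:value-of select="$desc"/>` otherwise.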
ACK
Willy Santos, RHCE Consultant Red Hat Consulting Cell: +1 (301) 254-7077 Email: wsantos@redhat.com
On 04/27/2012 11:57 AM, Jeffrey Blank wrote:
On 4/27/12 11:57 AM, Jeffrey Blank wrote:
+<xsl:if test="$refsource = 'disa'"> +<xsl:value-of select="$disa-cciuri" /> +</xsl:if>
I'm not a fan of using the string "disa" to reference the CCI controls. From my understanding CCIs are unique identifiers which can map back to several different policies. For example CCI-000370 maps to:
- DISA SRG-OS-00022
- DISA Group V-30388
- DISA OS SRG Rule SV-40055r1
- NIST 800-53 CM-6 (1)
- NIST 800-53 CM-6 (1).1
If we start tagging the CCIs as <ref disa..> I think it will get very confusing. Objections to a patch naming them CCI instead of DISA? This would allow a tag such as below which I think is cleaner.
<ref nist="CM-6 (1).1, CM-6" cci="000370" ossrg="00022">
I'm not a fan of using the string "disa" to reference the CCI controls. From my understanding CCIs are unique identifiers which can map back to several different policies. For example CCI-000370 maps to:
- DISA SRG-OS-00022
- DISA Group V-30388
- DISA OS SRG Rule SV-40055r1
- NIST 800-53 CM-6 (1)
- NIST 800-53 CM-6 (1).1
Not exactly. The actual CCI only maps back to the NIST 800-53 rules.
The other thing(s) (which are all redundant labels for the OS SRG item) are in fact derived from the CCI. The OS SRG is a selection of CCIs relevant to operating systems, with their language adjusted to make their applicability to operating systems more apparent. (Note that the CCI list and the OS SRG are separate documents.)
(The redundant labels for an SRG item are a result of the implementation of DISA's VMS, which seems peculiar in many ways.) I chose to use only the CCI number (notated as "disa=") as I believe it to be a longer-term identifier, and DISA's primary identifier.
You can think of the relationship between the different documents like this, with each one becoming more class/product specific:
800-53 => CCI List => SRG => STIG
If we start tagging the CCIs as <ref disa..> I think it will get very confusing. Objections to a patch naming them CCI instead of DISA? This would allow a tag such as below which I think is cleaner.
<ref nist="CM-6 (1).1, CM-6" cci="000370" ossrg="00022">
I don't object to renaming "disa=" as "cci=". Such a renaming would largely be for aesthetic purposes (though this conversation reveals that there may be some value in comprehensibility/disambiguation). That said, I do object to this particular tag since the "ossrg=" attribute is redundant to what you are calling "cci". It provides no value so long as there is a one-to-one function from OS SRG identifiers to CCIs.
On 5/1/12 10:16 AM, Jeffrey Blank wrote:
I'm not a fan of using the string "disa" to reference the CCI controls. From my understanding CCIs are unique identifiers which can map back to several different policies. For example CCI-000370 maps to:
- DISA SRG-OS-00022
- DISA Group V-30388
- DISA OS SRG Rule SV-40055r1
- NIST 800-53 CM-6 (1)
- NIST 800-53 CM-6 (1).1
Not exactly. The actual CCI only maps back to the NIST 800-53 rules.
"Not exactly"..... aka engineering speak for "you're completely effing wrong" ;)
The other thing(s) (which are all redundant labels for the OS SRG item) are in fact derived from the CCI. The OS SRG is a selection of CCIs relevant to operating systems, with their language adjusted to make their applicability to operating systems more apparent. (Note that the CCI list and the OS SRG are separate documents.)
(The redundant labels for an SRG item are a result of the implementation of DISA's VMS, which seems peculiar in many ways.) I chose to use only the CCI number (notated as "disa=") as I believe it to be a longer-term identifier, and DISA's primary identifier.
You can think of the relationship between the different documents like this, with each one becoming more class/product specific:
800-53 => CCI List => SRG => STIG
This breakdown helps me a lot.
If we start tagging the CCIs as <ref disa..> I think it will get very confusing. Objections to a patch naming them CCI instead of DISA? This would allow a tag such as below which I think is cleaner.
<ref nist="CM-6 (1).1, CM-6" cci="000370" ossrg="00022">
I don't object to renaming "disa=" as "cci=". Such a renaming would largely be for aesthetic purposes (though this conversation reveals that there may be some value in comprehensibility/disambiguation). That said, I do object to this particular tag since the "ossrg=" attribute is redundant to what you are calling "cci". It provides no value so long as there is a one-to-one function from OS SRG identifiers to CCIs.
This begs another question that Mike McConachie and I were discussing some yesterday.
Ultimately we want to authoritatively claim that we've addressed 800-53. It seems that by addressing all the CCIs we have a perfect mechanism to assert such a claim. We can quickly check this by reviewing the policytables/rhel6-table-srgmap.html [1] and verifying we have content in the last column.
(1) Who is the "authoritative source" on mapping CCIs back to 800-53?
For right or wrong it's been my experience that C&A teams care about 800-53 mappings and really haven't heard of CCIs. Because of this I believe it'd be incredibly beneficial for us to provide some mapping back to NIST 800-53. I know DISA did a CCI to OS SRG mapping, and kindly put some NIST 800-53 refs in there, but I have the understanding that is not "authoritative." I'd be more than happy to be wrong though!
Is there an authoritative source of CCI to NIST mappings, and if so, perhaps we could create some transformational pixie dust that takes our CCI mapping and correlates it back to 800-53? This would also free us from having to manually perform a <ref nist=*> for the rules.
[1] http://people.redhat.com/swells/scap-security-guide-0.1/policytables/rhel6-t...
(1) Who is the "authoritative source" on mapping CCIs back to 800-53?
The CCI list defines all the CCIs, and maps them back to 800-53. The CCI is an invention of DISA FSO, and maintained by them. More explanation here: http://iase.disa.mil/cci/index.html
I also put the list in scap-security-guide in the references folder.
For right or wrong it's been my experience that C&A teams care about 800-53 mappings and really haven't heard of CCIs. Because of this I believe it'd be incredibly beneficial for us to provide some mapping back to NIST 800-53. I know DISA did a CCI to OS SRG mapping, and kindly put some NIST 800-53 refs in there, but I have the understanding that is not "authoritative." I'd be more than happy to be wrong though!
It all depends on what the C&A person wants to see (which likely depends on where they are in USG). A DoD C&A person probably wants to see guidance from a STIG applied. A STIG-compliant system (because the STIG satisfies the requirements listed in the SRG, which is really a selection of CCIs) can be mapped back to 800-53 controls.
Of course, we have some items that we've individually mapped back to 800-53 controls (which may be very platform specific or which may simply indicate a best practice which happens to comport with an 800-53 control). Not all of these may fit into a CCI, which is why "nist=" also exists as a direct reference.
Is there an authoritative source of CCI to NIST mappings,
That's what the CCI list is.
and if so, perhaps we could create some transformational pixie dust that takes our CCI mapping and correlates it back to 800-53? This would also free us from having to manually perform a <ref nist=*> for the rules.
Yes -- that's exactly why I have the CCI list in references. It's so that we can write a transform to do exactly this.
If you want to write a ticket and assign it to me...
[1] http://people.redhat.com/swells/scap-security-guide-0.1/policytables/rhel6-t...
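The CCI-to-800-53 derivation the two of them are describing, as an added example that is not scap-security-guide code: it takes `<reference href="http://iase.disa.mil/cci/index.html">` entries as the patch now emits them, normalizes the text to `CCI-NNNNNN` the way table-srgmap.xslt does (while also accepting an already-prefixed id and rejecting non-numeric text instead of producing `CCI-NaN`), and looks each one up in a CCI list. The CCI list and XCCDF fragment are constructed stand-ins in a simplified layout; only the CCI-000370 to CM-6 (1) pairing is taken from the thread, the rule id and the CCI-000366 entry are made up.

```python
"""Derive NIST SP 800-53 references for XCCDF Rules from their CCI references.

Constructed example, not scap-security-guide code. It assumes a simplified
CCI list layout (cci_item id -> NIST reference index) and the
<reference href="http://iase.disa.mil/cci/index.html"> convention from the patch.
"""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
DISA_CCI_URI = "http://iase.disa.mil/cci/index.html"  # $disa-cciuri in constants.xslt

# Constructed, abbreviated stand-in for DISA's CCI list; real layout differs.
CCI_LIST_XML = """<cci_list>
  <cci_item id="CCI-000370">
    <references>
      <reference creator="NIST" title="NIST SP 800-53" version="3" index="CM-6 (1)"/>
    </references>
  </cci_item>
  <cci_item id="CCI-000366">
    <references>
      <reference creator="NIST" title="NIST SP 800-53" version="3" index="CM-6 b"/>
    </references>
  </cci_item>
</cci_list>"""

# Constructed XCCDF fragment; rule id is hypothetical. The three reference
# bodies cover a bare number, a prefixed id, and junk.
XCCDF_XML = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Rule id="rule_example">
    <reference href="{DISA_CCI_URI}">370</reference>
    <reference href="{DISA_CCI_URI}">CCI-000366</reference>
    <reference href="{DISA_CCI_URI}">not-a-cci</reference>
  </Rule>
</Benchmark>"""


def normalize_cci(text):
    """Return 'CCI-NNNNNN' for a bare number or a prefixed id, else None.

    Same intent as format-number(., '000000') + concat('CCI-', ...) in
    table-srgmap.xslt, but tolerant of an existing prefix and explicit
    about unparseable input rather than yielding 'CCI-NaN'.
    """
    m = re.fullmatch(r"(?i)(?:cci-)?0*(\d{1,6})", text.strip())
    return f"CCI-{int(m.group(1)):06d}" if m else None


def load_cci_map(cci_xml):
    """Map each CCI id to the 800-53 control indices the CCI list cites."""
    cci_map = {}
    for item in ET.fromstring(cci_xml).iter("cci_item"):
        cci_map[item.get("id")] = [
            ref.get("index") for ref in item.iter("reference") if ref.get("creator") == "NIST"
        ]
    return cci_map


def derive_nist_refs(xccdf_xml, cci_map):
    """For each Rule, collect the 800-53 controls reachable via its CCI references.

    Returns {rule_id: {"nist": [...], "unmapped": [...]}}. 'unmapped' keeps raw
    strings that failed to normalize or are absent from the CCI list, so a
    build can fail loudly instead of silently dropping a control mapping.
    """
    ns = {"x": XCCDF_NS}
    out = {}
    for rule in ET.fromstring(xccdf_xml).findall("x:Rule", ns):
        nist, unmapped = [], []
        for ref in rule.findall("x:reference", ns):
            if ref.get("href") != DISA_CCI_URI:
                continue  # nist=, cnss=, dcid= references are not CCIs
            cci = normalize_cci(ref.text or "")
            if cci in cci_map:
                nist.extend(c for c in cci_map[cci] if c not in nist)
            else:
                unmapped.append(ref.text)
        out[rule.get("id")] = {"nist": nist, "unmapped": unmapped}
    return out
```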
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide