From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 5 Feb 2020 10:23:44 +0100

Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.

---

 .../network-uncommon/kernel_module_dccp_disabled/rule.yml       | 1 +

 .../permissions/partitions/mount_option_var_log_nodev/rule.yml  | 1 +

 .../dconf_gnome_screensaver_lock_delay/rule.yml                 | 2 +-

 .../dconf_gnome_screensaver_lock_enabled/rule.yml               | 2 +-

 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml

index 1b42b7233b..4dcbc458d1 100644

--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml

+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml

@@ -37,6 +37,7 @@ references:

     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06

     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2

     cis-csc: 11,14,3,9

+    srg: SRG-OS-000096-GPOS-00050

 {{{ complete_ocil_entry_module_disable(module="dccp") }}}

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml

index 298f17d2d8..d1ec9f644e 100644

--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml

+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml

@@ -28,6 +28,7 @@ identifiers:

 references:

     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7

     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3

+    srg: SRG-OS-000368-GPOS-00154

 platform: machine

diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml

index b20323c1af..39aa044941 100644

--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml

+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml

@@ -34,7 +34,7 @@ references:

     nist-csf: PR.AC-7

     ospp: FMT_MOF_EXT.1

     pcidss: Req-8.1.8

-    srg: OS-SRG-000029-GPOS-00010

+    srg: SRG-OS-000029-GPOS-00010

     stigid@rhel7: "010110"

     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'

     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9

diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml

index 0380f0149f..7742b8d862 100644

--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml

+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml

@@ -35,7 +35,7 @@ references:

     nist-csf: PR.AC-7

     ospp: FMT_MOF_EXT.1

     pcidss: Req-8.1.8

-    srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011

+    srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011

     stigid@rhel7: "010060"

     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'

     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9

From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 5 Feb 2020 10:33:54 +0100

Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227

The SRG is about configuring the system in accordance with security

baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.

---

 .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml   | 1 +

 .../integrity/crypto/openssl_use_strong_entropy/rule.yml         | 1 +

 2 files changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml

index 4bfb72702b..62b2d01924 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml

@@ -25,6 +25,7 @@ identifiers:

 references:

     ospp: FIA_AFL.1

+    srg: SRG-OS-000480-GPOS-00227

 ocil: |-

     To determine whether the SSH service is configured to use strong entropy seed,

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

index 8a958e93b0..47dc8953e4 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

@@ -25,6 +25,7 @@ identifiers:

 references:

     ospp: FIA_AFL.1

+    srg: SRG-OS-000480-GPOS-00227

 ocil: |-

     To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation

From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 5 Feb 2020 11:12:02 +0100

Subject: [PATCH 3/4] Same SRG mapping as

 package_subscription-manager_installed

The package provides an interface for automation of package updates

---

 .../package_dnf-plugin-subscription-manager_installed/rule.yml   | 1 +

 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml

index 6b0144fd54..8f081d9a3c 100644

--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml

+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml

@@ -20,6 +20,7 @@ identifiers:

 references:

     ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2

+    srg: SRG-OS-000366-GPOS-00153

 ocil_clause: 'the package is not installed'

From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 5 Feb 2020 11:14:35 +0100

Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item

From rule's rationale:

Binaries in pigz package are compiled without sufficient stack

protection and its ADSLR is weak.

---

 .../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml

index 595b78e768..bb724d916d 100644

--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml

+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml

@@ -18,6 +18,9 @@ severity: low

 identifiers:

     cce@rhel8: 82397-1

+references:

+    srg: SRG-OS-000433-GPOS-00192

+

 {{{ complete_ocil_entry_package(package="pigz") }}}

 template: