|
 |
54c0d5 |
From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
|
|
|
54c0d5 |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
54c0d5 |
Date: Wed, 5 Feb 2020 10:23:44 +0100
|
|
|
54c0d5 |
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
---
|
|
|
54c0d5 |
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
|
|
|
54c0d5 |
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
|
|
|
54c0d5 |
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
|
|
|
54c0d5 |
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
|
|
|
54c0d5 |
4 files changed, 4 insertions(+), 2 deletions(-)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
54c0d5 |
index 1b42b7233b..4dcbc458d1 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
54c0d5 |
@@ -37,6 +37,7 @@ references:
|
|
|
54c0d5 |
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
|
|
|
54c0d5 |
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
|
|
|
54c0d5 |
cis-csc: 11,14,3,9
|
|
|
54c0d5 |
+ srg: SRG-OS-000096-GPOS-00050
|
|
|
54c0d5 |
|
|
|
54c0d5 |
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
|
|
54c0d5 |
index 298f17d2d8..d1ec9f644e 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
|
|
|
54c0d5 |
@@ -28,6 +28,7 @@ identifiers:
|
|
|
54c0d5 |
references:
|
|
|
54c0d5 |
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
|
|
54c0d5 |
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
|
|
|
54c0d5 |
+ srg: SRG-OS-000368-GPOS-00154
|
|
|
54c0d5 |
|
|
|
54c0d5 |
platform: machine
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
|
|
54c0d5 |
index b20323c1af..39aa044941 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
|
|
|
54c0d5 |
@@ -34,7 +34,7 @@ references:
|
|
|
54c0d5 |
nist-csf: PR.AC-7
|
|
|
54c0d5 |
ospp: FMT_MOF_EXT.1
|
|
|
54c0d5 |
pcidss: Req-8.1.8
|
|
|
54c0d5 |
- srg: OS-SRG-000029-GPOS-00010
|
|
|
54c0d5 |
+ srg: SRG-OS-000029-GPOS-00010
|
|
|
54c0d5 |
stigid@rhel7: "010110"
|
|
|
54c0d5 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
|
|
54c0d5 |
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
|
|
54c0d5 |
index 0380f0149f..7742b8d862 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
|
|
|
54c0d5 |
@@ -35,7 +35,7 @@ references:
|
|
|
54c0d5 |
nist-csf: PR.AC-7
|
|
|
54c0d5 |
ospp: FMT_MOF_EXT.1
|
|
|
54c0d5 |
pcidss: Req-8.1.8
|
|
|
54c0d5 |
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
|
|
|
54c0d5 |
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
|
|
|
54c0d5 |
stigid@rhel7: "010060"
|
|
|
54c0d5 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
|
|
54c0d5 |
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
|
|
54c0d5 |
|
|
|
54c0d5 |
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
|
|
|
54c0d5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
54c0d5 |
Date: Wed, 5 Feb 2020 10:33:54 +0100
|
|
|
54c0d5 |
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
|
|
|
54c0d5 |
|
|
|
54c0d5 |
The SRG is about configuring the system in accordance with security
|
|
|
54c0d5 |
baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
|
|
|
54c0d5 |
---
|
|
|
54c0d5 |
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
|
|
|
54c0d5 |
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
|
|
|
54c0d5 |
2 files changed, 2 insertions(+)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
|
|
54c0d5 |
index 4bfb72702b..62b2d01924 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
|
|
|
54c0d5 |
@@ -25,6 +25,7 @@ identifiers:
|
|
|
54c0d5 |
|
|
|
54c0d5 |
references:
|
|
|
54c0d5 |
ospp: FIA_AFL.1
|
|
|
54c0d5 |
+ srg: SRG-OS-000480-GPOS-00227
|
|
|
54c0d5 |
|
|
|
54c0d5 |
ocil: |-
|
|
|
54c0d5 |
To determine whether the SSH service is configured to use strong entropy seed,
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
|
|
54c0d5 |
index 8a958e93b0..47dc8953e4 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
|
|
|
54c0d5 |
@@ -25,6 +25,7 @@ identifiers:
|
|
|
54c0d5 |
|
|
|
54c0d5 |
references:
|
|
|
54c0d5 |
ospp: FIA_AFL.1
|
|
|
54c0d5 |
+ srg: SRG-OS-000480-GPOS-00227
|
|
|
54c0d5 |
|
|
|
54c0d5 |
ocil: |-
|
|
|
54c0d5 |
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
|
|
|
54c0d5 |
|
|
|
54c0d5 |
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
|
|
|
54c0d5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
54c0d5 |
Date: Wed, 5 Feb 2020 11:12:02 +0100
|
|
|
54c0d5 |
Subject: [PATCH 3/4] Same SRG mapping as
|
|
|
54c0d5 |
package_subscription-manager_installed
|
|
|
54c0d5 |
|
|
|
54c0d5 |
The package provides an interface for automation of package updates
|
|
|
54c0d5 |
---
|
|
|
54c0d5 |
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
|
|
|
54c0d5 |
1 file changed, 1 insertion(+)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
54c0d5 |
index 6b0144fd54..8f081d9a3c 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
|
|
|
54c0d5 |
@@ -20,6 +20,7 @@ identifiers:
|
|
|
54c0d5 |
|
|
|
54c0d5 |
references:
|
|
|
54c0d5 |
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
|
|
|
54c0d5 |
+ srg: SRG-OS-000366-GPOS-00153
|
|
|
54c0d5 |
|
|
|
54c0d5 |
ocil_clause: 'the package is not installed'
|
|
|
54c0d5 |
|
|
|
54c0d5 |
|
|
|
54c0d5 |
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
|
|
|
54c0d5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
54c0d5 |
Date: Wed, 5 Feb 2020 11:14:35 +0100
|
|
|
54c0d5 |
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
|
|
|
54c0d5 |
|
|
|
54c0d5 |
From rule's rationale:
|
|
|
54c0d5 |
Binaries in pigz package are compiled without sufficient stack
|
|
|
54c0d5 |
protection and its ADSLR is weak.
|
|
|
54c0d5 |
---
|
|
|
54c0d5 |
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
|
|
|
54c0d5 |
1 file changed, 3 insertions(+)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
|
|
54c0d5 |
index 595b78e768..bb724d916d 100644
|
|
|
54c0d5 |
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
|
|
54c0d5 |
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
|
|
|
54c0d5 |
@@ -18,6 +18,9 @@ severity: low
|
|
|
54c0d5 |
identifiers:
|
|
|
54c0d5 |
cce@rhel8: 82397-1
|
|
|
54c0d5 |
|
|
|
54c0d5 |
+references:
|
|
|
54c0d5 |
+ srg: SRG-OS-000433-GPOS-00192
|
|
|
54c0d5 |
+
|
|
|
54c0d5 |
{{{ complete_ocil_entry_package(package="pigz") }}}
|
|
|
54c0d5 |
|
|
|
54c0d5 |
template:
|