skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Files

  1.   54c0d5dc78b388a1495f9a584882fbb0ebba34bc
  2.   SOURCES
  3.   scap-security-guide-0.1.49-add-few-srg-mappings.patch
Blob Blame History Raw 
From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 5 Feb 2020 10:23:44 +0100
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.

---
 .../network-uncommon/kernel_module_dccp_disabled/rule.yml       | 1 +
 .../permissions/partitions/mount_option_var_log_nodev/rule.yml  | 1 +
 .../dconf_gnome_screensaver_lock_delay/rule.yml                 | 2 +-
 .../dconf_gnome_screensaver_lock_enabled/rule.yml               | 2 +-
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 1b42b7233b..4dcbc458d1 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
     cis-csc: 11,14,3,9
+    srg: SRG-OS-000096-GPOS-00050
 
 {{{ complete_ocil_entry_module_disable(module="dccp") }}}
 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 298f17d2d8..d1ec9f644e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ identifiers:
 references:
     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+    srg: SRG-OS-000368-GPOS-00154
 
 platform: machine
 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index b20323c1af..39aa044941 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -34,7 +34,7 @@ references:
     nist-csf: PR.AC-7
     ospp: FMT_MOF_EXT.1
     pcidss: Req-8.1.8
-    srg: OS-SRG-000029-GPOS-00010
+    srg: SRG-OS-000029-GPOS-00010
     stigid@rhel7: "010110"
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 0380f0149f..7742b8d862 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -35,7 +35,7 @@ references:
     nist-csf: PR.AC-7
     ospp: FMT_MOF_EXT.1
     pcidss: Req-8.1.8
-    srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+    srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
     stigid@rhel7: "010060"
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9

From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 10:33:54 +0100
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227

The SRG is about configuring the system in accordance with security
baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
---
 .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml   | 1 +
 .../integrity/crypto/openssl_use_strong_entropy/rule.yml         | 1 +
 2 files changed, 2 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 4bfb72702b..62b2d01924 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 
 references:
     ospp: FIA_AFL.1
+    srg: SRG-OS-000480-GPOS-00227
 
 ocil: |-
     To determine whether the SSH service is configured to use strong entropy seed,
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 8a958e93b0..47dc8953e4 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 
 references:
     ospp: FIA_AFL.1
+    srg: SRG-OS-000480-GPOS-00227
 
 ocil: |-
     To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation

From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:12:02 +0100
Subject: [PATCH 3/4] Same SRG mapping as
 package_subscription-manager_installed

The package provides an interface for automation of package updates
---
 .../package_dnf-plugin-subscription-manager_installed/rule.yml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 6b0144fd54..8f081d9a3c 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 
 references:
     ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+    srg: SRG-OS-000366-GPOS-00153
 
 ocil_clause: 'the package is not installed'
 

From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:14:35 +0100
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item

From rule's rationale:
Binaries in pigz package are compiled without sufficient stack
protection and its ADSLR is weak.
---
 .../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
index 595b78e768..bb724d916d 100644
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
@@ -18,6 +18,9 @@ severity: low
 identifiers:
     cce@rhel8: 82397-1
 
+references:
+    srg: SRG-OS-000433-GPOS-00192
+
 {{{ complete_ocil_entry_package(package="pigz") }}}
 
 template:

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation