From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 5 Feb 2020 10:23:44 +0100
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
---
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 1b42b7233b..4dcbc458d1 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
+ srg: SRG-OS-000096-GPOS-00050
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 298f17d2d8..d1ec9f644e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ identifiers:
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+ srg: SRG-OS-000368-GPOS-00154
platform: machine
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index b20323c1af..39aa044941 100644
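Review bot: The added `srg: SRG-OS-000368-GPOS-00154` on the /var/log nodev rule looks like a mis-mapping: as far as I recall that SRG is the CM-7(2) requirement to prevent program execution according to local policy, which is what a `noexec` mount option satisfies, whereas `nodev` only blocks device special files on the partition and does nothing about execution. The existing `nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7` line already carries the controls nodev actually supports, so either this SRG line should move to the corresponding noexec rule or be replaced with an SRG whose text matches device-file restriction. Worth checking the GPOS SRG text before this lands in the generated STIG mapping table.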
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -34,7 +34,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: OS-SRG-000029-GPOS-00010
+ srg: SRG-OS-000029-GPOS-00010
stigid@rhel7: "010110"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 0380f0149f..7742b8d862 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -35,7 +35,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@rhel7: "010060"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 5 Feb 2020 10:33:54 +0100
Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227
The SRG is about configuring the system in accordance with security baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs.
---
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
2 files changed, 2 insertions(+)
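Review bot: The `OS-SRG-` to `SRG-OS-` correction on the `srg:` line of dconf_gnome_screensaver_lock_enabled is the second such transposition fixed in this patch, which suggests nothing in the build validates reference identifiers and a malformed ID simply drops the rule from the generated SRG/STIG mapping. A small test that every comma-separated `srg:` value matches `^SRG-OS-\d{6}-GPOS-\d{5}$` would have caught both and prevents a recurrence. Until such a check exists, a `grep -rn 'OS-SRG-' linux_os/` run before merging would confirm no other rule files carry the same typo.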
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 4bfb72702b..62b2d01924 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether the SSH service is configured to use strong entropy seed,
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 8a958e93b0..47dc8953e4 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 5 Feb 2020 11:12:02 +0100
Subject: [PATCH 3/4] Same SRG mapping as package_subscription-manager_installed
The package provides an interface for automation of package updates
---
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 6b0144fd54..8f081d9a3c 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
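Review bot: Mapping openssl_use_strong_entropy to the catch-all SRG-OS-000480-GPOS-00227 is defensible, but the `ospp: FIA_AFL.1` line immediately above the new `srg:` entry looks wrong and is worth fixing while this references block is being touched: if I read the OSPP right, FIA_AFL.1 is authentication failure handling, and the component that covers random bit generation is FCS_RBG_EXT.1, so the line should presumably read `ospp: FCS_RBG_EXT.1`. The sshd_use_strong_rng hunk above carries the identical `ospp: FIA_AFL.1` / `srg:` pair, so the same correction applies there. Please confirm against the OSPP mapping used by the project's ospp profile before changing it.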
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ srg: SRG-OS-000366-GPOS-00153
ocil_clause: 'the package is not installed'
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 5 Feb 2020 11:14:35 +0100
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
From rule's rationale: Binaries in pigz package are compiled without sufficient stack protection and its ADSLR is weak.
---
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
index 595b78e768..bb724d916d 100644
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
@@ -18,6 +18,9 @@ severity: low
identifiers:
cce@rhel8: 82397-1
+references:
+ srg: SRG-OS-000433-GPOS-00192
+
{{{ complete_ocil_entry_package(package="pigz") }}}
template:
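Review bot: SRG-OS-000366-GPOS-00153 is, as far as I recall, the requirement that patches and OS components be verified as digitally signed with an organisation-approved certificate before installation; installing the dnf subscription-manager plugin does not enforce that by itself, since signature verification in dnf comes from `gpgcheck`/`repo_gpgcheck`, which presumably have their own rules. The commit message justifies the `srg:` line by parity with package_subscription-manager_installed and by "automation of package updates", which would align better with a software-update SRG than with the signature-verification one. Worth confirming the intended SRG text before this mapping is copied to a second rule.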
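Review bot: The commit message calls SRG-OS-000433-GPOS-00192 the ASLR item ("ADSLR" is presumably a typo for ASLR), but as far as I recall 00192 is the SI-16 requirement to implement non-executable data (NX/DEP) while address space layout randomization is SRG-OS-000433-GPOS-00193; the rationale quoted in the message (insufficient stack protection and weak ASLR) therefore points at 00193, or at both. Suggest `srg: SRG-OS-000433-GPOS-00192,SRG-OS-000433-GPOS-00193` after checking the SRG text, or 00193 alone if the NX claim cannot be supported for pigz. The added `references:` block sits between `identifiers:` and the OCIL macro, which matches the key order of the other rule files in this series, so no structural change is needed.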