added and/or modified several NIST security control references
David Smith (1): added/changed NIST 800-53 references
RHEL6/input/system/accounts/banners.xml | 2 +- RHEL6/input/system/auditing.xml | 33 +++++++++++--------- RHEL6/input/system/selinux.xml | 8 ++-- RHEL6/input/system/software/disk_partitioning.xml | 2 +- RHEL6/input/system/software/integrity.xml | 10 +++--- RHEL6/input/system/software/updating.xml | 6 ++-- 6 files changed, 32 insertions(+), 29 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/accounts/banners.xml | 2 +- RHEL6/input/system/auditing.xml | 33 +++++++++++--------- RHEL6/input/system/selinux.xml | 8 ++-- RHEL6/input/system/software/disk_partitioning.xml | 2 +- RHEL6/input/system/software/integrity.xml | 10 +++--- RHEL6/input/system/software/updating.xml | 6 ++-- 6 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml index 157edc8..39b0b82 100644 --- a/RHEL6/input/system/accounts/banners.xml +++ b/RHEL6/input/system/accounts/banners.xml @@ -66,7 +66,7 @@ product are private and confidential. See User Agreement for details.</tt> <br /><br /> OR: <br /><br /> -<tt>I've read & consent to terms in IS user agreem't.</tt> +<tt>I've read & consent to terms in IS user agreement.</tt> </description> <ocil clause="it does not display the required banner"> To check if the system login banner is compliant, diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index f5e617a..1decfed 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -93,7 +93,7 @@ actions will be taken if other obstacles exist. </rationale> <ident cce="27058-7" /> <oval id="service_auditd_enabled" /> -<ref nist="CM-6, CM-7" disa="347,169,157,172,880,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120,1589" /> +<ref nist="AU-1, CM-6" disa="347,169,157,172,880,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120,1589" /> <tested by="DS" on="20121024"/> </Rule>
@@ -246,6 +246,7 @@ determine how many logs the system is configured to retain after rotation: log information over the period required. This is a function of the maximum log file size and the number of logs retained.</rationale> <oval id="auditd_data_retention_num_logs" value="var_auditd_num_logs" /> +<ref nist="AU-11, CM-6" /> <tested by="DS" on="20121024"/> </Rule>
@@ -270,6 +271,7 @@ determine how much data the system will retain in each audit log file: log information over the period required. This is a function of the maximum log file size and the number of logs retained.</rationale> <oval id="auditd_data_retention_max_log_file" value="var_auditd_max_log_file" /> +<ref nist="AU-11, CM-6" /> <tested by="DS" on="20121024"/> </Rule>
@@ -305,6 +307,7 @@ being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, <tt>keep_logs</tt> can be employed.</rationale> <oval id="auditd_data_retention_max_log_file_action" value="var_auditd_max_log_file_action" /> +<ref nist="AU-4, AU-11, CM-6" /> <tested by="DS" on="20121024"/> </Rule>
@@ -354,7 +357,7 @@ disk space is starting to run low: <rationale>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</rationale> <oval id="auditd_data_retention_space_left_action" value="var_auditd_space_left_action"/> -<ref disa="140,143,1339" /> +<ref nist="AU-4, CM-6" disa="140,143,1339" /> <tested by="DS" on="20121024"/> </Rule>
@@ -394,7 +397,7 @@ audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. </rationale> <oval id="auditd_data_retention_admin_space_left_action" value="var_auditd_admin_space_left_action" /> -<ref disa="140,143,1343" /> +<ref nist="AU-4, CM-6" disa="140,143,1343" /> <tested by="DS" on="20121024"/> </Rule>
@@ -416,7 +419,7 @@ account when it needs to notify an administrator: <rationale>Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.</rationale> <oval id="auditd_data_retention_action_mail_acct" value="var_auditd_action_mail_acct" /> -<ref disa="139,144" /> +<ref nist="AU-4, CM-6" disa="139,144" /> </Rule>
</Group> @@ -491,7 +494,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> <ident cce="26242-8" /> <oval id="audit_rules_time_adjtimex" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> <ref disa="1487,169" /> </Rule>
@@ -519,7 +522,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> <ident cce="27203-9" /> <oval id="audit_rules_time_settimeofday" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> <ref disa="1487,169" /> </Rule>
@@ -545,7 +548,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> <ident cce="27169-2" /> <oval id="audit_rules_time_stime" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> <ref disa="1487,169" /> </Rule>
@@ -573,7 +576,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> <ident cce="27170-0" /> <oval id="audit_rules_time_clock_settime" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> <ref disa="1487,169" /> </Rule>
@@ -598,7 +601,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> <ident cce="27172-6" /> <oval id="audit_rules_time_watch_localtime" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> <ref disa="1487,169" /> </Rule> </Group><!--End <Group id="audit_time_rules"> --> @@ -627,7 +630,7 @@ unexpected users, groups, or modifications should be investigated for legitimacy.</rationale> <ident cce="26664-3" /> <oval id="audit_rules_usergroup_modification" /> -<ref nist="AU-2(a)" disa="18,1403,1404,1405,1684,1683,1685,1686"/> +<ref nist="AU-2" disa="18,1403,1404,1405,1684,1683,1685,1686"/> </Rule>
<Rule id="audit_network_modifications"> @@ -653,7 +656,7 @@ than administrator action. Any change to network parameters should be audited.</rationale> <ident cce="26648-6" /> <oval id="audit_rules_networkconfig_modification" /> -<ref nist="AU-2(a)" /> +<ref nist="AU-2" /> </Rule>
<Rule id="audit_logs_permissions"> @@ -671,7 +674,7 @@ Audit logs must be mode 0640 or less permissive. If users can write to audit logs, audit trails can be modified or destroyed. </rationale> <oval id="file_permissions_var_log_audit" /> -<ref disa="166" /> +<ref nist="AC-6, AU-9" disa="166" /> <tested by="DS" on="20121024"/> </Rule>
@@ -686,7 +689,7 @@ If users can write to audit logs, audit trails can be modified or destroyed. <rationale>Failure to give ownership of the audit log file(s) to root allows the designated owner, and unauthorized users, potential access to sensitive information.</rationale> <oval id="file_ownership_var_log_audit" /> -<ref nist="AU-2" disa="166" /> +<ref nist="AC-6, AU-9" disa="166" /> <tested by="DS" on="20121024"/> </Rule>
@@ -1138,7 +1141,7 @@ storing such process information, add the following to as an attacker attempting to remove evidence of an intrusion.</rationale> <ident cce="26610-6" /> <oval id="audit_rules_session_events" /> -<!--<ref nist="TODO" />--> +<ref nist="AU-2" /> </Rule>
<Rule id="audit_file_access"> @@ -1161,7 +1164,7 @@ To verify that the audit system collects unauthorized file accesses, run the fol these events could serve as evidence of potential system compromise.</rationale> <ident cce="26712-0" /> <oval id="audit_rules_unsuccessful_file_modification" /> -<ref nist="AU-2.1 (v),AU-2 d" disa="126" /> +<ref nist="AU-2" disa="126" /> </Rule>
<Rule id="audit_privileged_commands"> diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index c1f85a8..2eafd60 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -123,7 +123,7 @@ privileges. </rationale> <ident cce="26969-6" /> <oval id="selinux_mode" value="var_selinux_state_name"/> -<ref nist="CM-6, CM-7" disa="22,32,26"/> +<ref nist="AC-3, AC-6, CM-6" disa="22,32,26"/> <tested by="DS" on="20121024"/> </Rule>
@@ -149,7 +149,7 @@ targeted for exploitation, such as network or system services. </rationale> <ident cce="26875-5" /> <oval id="selinux_policytype" value="var_selinux_policy_name"/> -<ref nist="CM-6, CM-7" disa="22,32"/> +<ref nist="CM-6" disa="22,32"/> <tested by="DS" on="20121024"/> </Rule> </Group> @@ -168,7 +168,7 @@ file context is applied to files. This allows automatic correction of file contexts created by some programs.</rationale> <ident cce="26991-0" /> <oval id="service_restorecond_enabled" /> -<ref nist="AC-3, CM-6" /> +<ref nist="AC-3, AC-6, CM-6" /> </Rule>
@@ -244,7 +244,7 @@ cannot properly restrict access to the device file. </rationale> <ident cce="26774-0" /> <oval id="selinux_all_devicefiles_labeled" /> -<ref nist="CM-6, CM-7" disa="22,32"/> +<ref nist="AC-6, CM-6, CM-7" disa="22,32"/> <tested by="DS" on="20121024"/> </Rule> </Group> diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index 6af7172..c2d211a 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml @@ -158,7 +158,7 @@ The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. </rationale> -<ref disa="1019,1199,1200" /> +<ref nist="SC-13, SC-28" disa="1019,1199,1200" /> </Rule>
</Group> diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index 6104100..184efdb 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -39,7 +39,7 @@ The AIDE package must be installed if it is to be available for integrity checki </rationale> <ident cce="27024-9" /> <oval id="package_aide_installed" /> -<ref nist="CM-6, CM-7, SC-28, SI-7" disa="1069"/> +<ref nist="CM-6, SC-28, SI-7" disa="1069"/> <tested by="DS" on="20121024"/> </Rule>
@@ -161,14 +161,14 @@ The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.</rationale> <ident cce="26731-0" /> <oval id="rpm_verify_permissions" /> -<ref nist="SI-7" disa="1493,1494,1495" /> +<ref nist="AC-3" disa="1493,1494,1495" /> </Rule>
<Rule id="rpm_verify_hashes"> <title>Verify File Hashes with RPM</title> <description>The RPM package management system can check the hashes of installed software packages, including many that are important to system -security. Run the following command to list which files on the system +security. Run thie following command to list which files on the system have hashes that differ from what is expected by the RPM database: <pre># rpm -Va | grep '^..5'</pre> A "c" in the second column indicates that a file is a configuration file, @@ -229,7 +229,7 @@ additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime. </rationale> -<ref disa="1263"/> +<ref nist="SC-7" disa="1263"/> </Rule>
<Rule id="install_antivirus"> @@ -268,7 +268,7 @@ To check on the age of uvscan virus definition files, run the following command: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. </rationale> -<ref disa="1239,1668"/> +<ref nist="SC-28, SI-3" disa="1239,1668"/> </Rule>
</Group> diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index 1c26f58..09513c5 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml @@ -38,7 +38,7 @@ are from Red Hat. </rationale> <ident cce="26506-6"/> <oval id="package_red_hat_gpgkeys_installed" /> -<ref nist="SI-2, SI-7, SC-13" disa="351"/> +<ref nist="SI-7" disa="351"/> <tested by="MM" on="20120928"/> </Rule>
@@ -70,7 +70,7 @@ protects against malicious tampering. </rationale> <ident cce="26709-6" /> <oval id="yum_gpgcheck_global_activation" /> -<ref nist="SI-2" disa="352,663" /> +<ref nist="SI-7" disa="352,663" /> <tested by="MM" on="20120928"/> </Rule>
@@ -95,7 +95,7 @@ protects against malicious tampering. </rationale> <ident cce="26647-8" /> <oval id="yum_gpgcheck_never_disabled" /> -<ref nist="SI-2" disa="352,663"/> +<ref nist="SI-7" disa="352,663"/> <tested by="MM" on="20120928"/> </Rule>
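Review bot: the banners.xml hunk (@@ -66,7 +66,7 @@) leaves a bare `&` inside `<tt>I've read & consent to terms in IS user agreement.</tt>`; in XML that must be written `&amp;` or the file will not parse, so the build breaks regardless of the reference changes elsewhere in the patch. The same line also expands the contraction "agreem't" to "agreement", which alters the quoted banner text the rule tells administrators to display; keep the original wording and escape the ampersand only.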
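Review bot: the auditing.xml hunk at @@ -93,7 +93,7 @@ adds `AU-1` to `service_auditd_enabled` while dropping `CM-7`; `AU-1` is the audit policy and procedures control, an organizational control, whereas this rule is a technical check that the auditd service is enabled, and every other reference in this patch maps technical checks to technical controls. Please state the rationale in the commit message or pick the technical AU control the check actually supports.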
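Review bot: the integrity.xml hunk at @@ -161,14 +161,14 @@ introduces a typo, `+security. Run thie following command`, into the `rpm_verify_hashes` description; that line should stay as "Run the following command" and is unrelated to the reference update this patch describes. In the same hunk, `rpm_verify_permissions` goes from `nist="SI-7"` to `nist="AC-3"`, removing the integrity mapping entirely; since the rule compares installed permissions against the vendor baseline via RPM, keeping `SI-7` alongside `AC-3` seems closer to the rationale text.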
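Review bot: the updating.xml hunk at @@ -38,7 +38,7 @@ reduces `package_red_hat_gpgkeys_installed` from `SI-2, SI-7, SC-13` to `SI-7` only; dropping `SC-13` (cryptographic protection) for a rule whose purpose is installing the GPG keys used to verify package signatures looks unintended, and the two `yum_gpgcheck_*` hunks that follow likewise replace `SI-2` with `SI-7` without mentioning flaw remediation anywhere. If the narrowing is deliberate, a sentence in the commit message explaining the mapping convention would make the references easier to audit later.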
Cool, please push! This puts us closer to being able to claim soundness for the references.
(Ah, I see an ampersand needs an escape, and we need to revert to some "official" banner text with an odd contraction of agreement ... but I've FTFY.)
On 12/28/2012 01:56 PM, David Smith wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide