scap-security-guide/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch

From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 5 Feb 2020 10:23:44 +0100
Subject: [PATCH 1/4] Add and fix few entries of SRG mapping.
---
.../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 +
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 +
.../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +-
.../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +-
4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
index 1b42b7233b..4dcbc458d1 100644
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
@@ -37,6 +37,7 @@ references:
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
cis-csc: 11,14,3,9
+ srg: SRG-OS-000096-GPOS-00050
{{{ complete_ocil_entry_module_disable(module="dccp") }}}
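Review bot: the two mappings added by this commit (SRG-OS-000096-GPOS-00050 here and SRG-OS-000368-GPOS-00154 for mount_option_var_log_nodev) come with no justification in the commit body, whereas patches 2/4 through 4/4 each state why the chosen SRG fits the rule; suggest adding one line per mapping so whoever audits the SRG table later can see the reasoning without looking the SRG up. Also note that this view has stripped leading whitespace: in the file the `srg:` line must carry the same indentation as `cis-csc:` so it stays inside the `references:` mapping rather than becoming a top-level key ahead of the `{{{ complete_ocil_entry_module_disable(module="dccp") }}}` macro.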
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 298f17d2d8..d1ec9f644e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -28,6 +28,7 @@ identifiers:
references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+ srg: SRG-OS-000368-GPOS-00154
platform: machine
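Review bot: `srg:` is appended as the last entry of `references:` directly before the top-level `platform: machine` key, and the hunk header promises three trailing context lines while only one is shown; confirm the blank line between the references block and `platform:` survived in the committed file and that the new line is indented under `references:` like `nist-csf:` above it, since a mis-indented key here would attach the SRG at the wrong level without any visible error in the YAML.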
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
index b20323c1af..39aa044941 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
@@ -34,7 +34,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: OS-SRG-000029-GPOS-00010
+ srg: SRG-OS-000029-GPOS-00010
stigid@rhel7: "010110"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
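Review bot: the fix on the `srg:` line is right (the prefix had been transposed to `OS-SRG-`), and the identical transposition appears again in the next file of this commit, so it is probably not isolated; suggest grepping the tree for `OS-SRG-` before merging and, longer term, having the content build reject any `srg:` value that does not match the `SRG-OS-<6 digits>-GPOS-<5 digits>` form, so a typo like this fails the build instead of silently producing an id that nothing in the SRG catalogue resolves.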
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
index 0380f0149f..7742b8d862 100644
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml
@@ -35,7 +35,7 @@ references:
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011
+ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
stigid@rhel7: "010060"
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
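Review bot: only the second element of the comma-separated `srg:` value changes here (`OS-SRG-000030-GPOS-00011` becomes `SRG-OS-000030-GPOS-00011`); the first, `SRG-OS-000028-GPOS-00009`, was already well-formed, which is the case any format check on this field needs to handle by splitting the value on commas and validating each id, not just the string as a whole. The corrected ids now read consistently with the `SRG-OS-000029-GPOS-00010` fixed in the lock-delay rule above.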
From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 10:33:54 +0100
Subject: [PATCH 2/4] Map strong entropy rules to SRG-OS-000480-GPOS-00227
The SRG is about configuring the system in accordance with security
baselines defined by DoD, including STIG, NSA guides, CTOs and DTMs.
---
.../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 +
.../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
index 4bfb72702b..62b2d01924 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether the SSH service is configured to use strong entropy seed,
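Review bot: the new mapping matches the commit body (SRG-OS-000480-GPOS-00227 as the generic "configure per DoD baselines" requirement) and the same line is added to openssl_use_strong_entropy below, so the two entropy rules stay in step. One thing the context exposes that is outside this patch: both rules carry `ospp: FIA_AFL.1`, the Common Criteria authentication-failure-handling requirement, which does not obviously relate to RNG seeding; that existing mapping deserves a follow-up check.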
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 8a958e93b0..47dc8953e4 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -25,6 +25,7 @@ identifiers:
references:
ospp: FIA_AFL.1
+ srg: SRG-OS-000480-GPOS-00227
ocil: |-
To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:12:02 +0100
Subject: [PATCH 3/4] Same SRG mapping as package_subscription-manager_installed
The package provides an interface for automation of package updates
---
.../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
index 6b0144fd54..8f081d9a3c 100644
--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
references:
ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
+ srg: SRG-OS-000366-GPOS-00153
ocil_clause: 'the package is not installed'
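Review bot: the commit message for this hunk is thin: the subject only says "Same SRG mapping as package_subscription-manager_installed" and the body is a single fragment, while the diff itself shows nothing beyond the id next to `ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2`. Suggest a subject that names the rule and the SRG (e.g. "Map package_dnf-plugin-subscription-manager_installed to SRG-OS-000366-GPOS-00153") and a body that states why the update-automation interface satisfies that SRG, as was done for the entropy rules in 2/4.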
From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 5 Feb 2020 11:14:35 +0100
Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item
From rule's rationale:
Binaries in pigz package are compiled without sufficient stack
protection and its ADSLR is weak.
---
.../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
index 595b78e768..bb724d916d 100644
--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml
@@ -18,6 +18,9 @@ severity: low
identifiers:
cce@rhel8: 82397-1
+references:
+ srg: SRG-OS-000433-GPOS-00192
+
{{{ complete_ocil_entry_package(package="pigz") }}}
template:
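Review bot: this file had no `references:` block, so the hunk introduces one between `identifiers:` and the `{{{ complete_ocil_entry_package(package="pigz") }}}` macro; in this whitespace-stripped view make sure `references:` sits at the same level as `identifiers:` (not indented under it, which would nest `srg` inside the identifiers mapping) and that the added `+` blank line keeps the macro separated from the block. Separately, the commit subject and the quoted rationale both spell the mitigation `ADSLR`; if address-space layout randomization is meant, it should read `ASLR` in the commit message and, if the rule text carries the same spelling, in the rule's rationale as well.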