From 1b7bd47bd8fa3f828aca0bf0add7fc188893ef11 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 21 Sep 2021 07:44:29 -0500
Subject: [PATCH 1/2] Add STIG references for FIPS
---
 .../integrity/crypto/configure_bind_crypto_policy/rule.yml | 1 +
 .../software/integrity/crypto/configure_crypto_policy/rule.yml | 1 +
 .../integrity/crypto/configure_kerberos_crypto_policy/rule.yml | 1 +
 .../integrity/crypto/configure_libreswan_crypto_policy/rule.yml | 1 +
 .../software/integrity/fips/enable_dracut_fips_module/rule.yml | 1 +
 5 files changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
index 5484e11ad9f..e58c9506083 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -29,6 +29,7 @@ identifiers:
 references:
 nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
 nist: SC-13,SC-12(2),SC-12(3)
+ stigid@rhel8: RHEL-08-010020
 srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
 ocil_clause: |-
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index d4ea4db6c14..5eea87ac006 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -65,6 +65,7 @@ references:
 nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
 ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
+ stigid@rhel8: RHEL-08-010020
 srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
 ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
index b219c9d2801..e1f5e55e8cd 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml
@@ -28,6 +28,7 @@ references:
 nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
 nist: SC-13,SC-12(2),SC-12(3)
 srg: SRG-OS-000120-GPOS-00061
+ stigid@rhel8: RHEL-08-010020
 ocil_clause: 'the symlink does not exist or points to a different target'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index cd03ecf30d1..1fffb2ad2b7 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -33,6 +33,7 @@ references:
 nist: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
 ospp: FCS_IPSEC_EXT.1.4,FCS_IPSEC_EXT.1.6
 srg: SRG-OS-000033-GPOS-00014
+ stigid@rhel8: RHEL-08-010020
 ocil_clause: |-
 Libreswan is installed and /etc/ipsec.conf does not contain include /etc/crypto-policies/back-ends/libreswan.config
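Review bot: The new `stigid@rhel8` key is placed above `srg` in the configure_crypto_policy hunk (and in the configure_bind_crypto_policy hunk before it), but below `srg` in the kerberos, libreswan and dracut hunks of the same patch. Keeping one order across all five files makes the references block easier to diff and audit; in the two outliers the line `stigid@rhel8: RHEL-08-010020` would move to directly follow the existing `srg: ...` line. In configure_crypto_policy the `references:` key itself sits above the hunk, so the rest of that mapping's ordering cannot be checked from here.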
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
index 9486031be54..fe20c1958a6 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
@@ -30,6 +30,7 @@ references:
 nerc-cip: CIP-003-3 R4.2,CIP-007-3 R5.1
 nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
 srg: SRG-OS-000478-GPOS-00223
+ stigid@rhel8: RHEL-08-010020
 vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
 ocil_clause: 'the Dracut FIPS module is not enabled'
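Review bot: `RHEL-08-010020` is now attached to five separate rules in this patch (bind, system crypto policy, Kerberos, Libreswan and this dracut rule), and nothing on the new line says which part of that STIG item each rule is meant to evidence. A scan result reported against the ID will presumably aggregate all five, and the reference is metadata only; no hunk here shows the rules being selected in a profile, so that is worth confirming in the second patch of the series. A one-line comment above the addition would record the intent, for example `# RHEL-08-010020 (FIPS) is shared with the crypto-policy rules; this rule covers only the dracut module`. The existing `srg` values differ across the five files, so it is also worth checking that each is one the STIG item is actually filed under. The `references:` mapping starts above this hunk.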