Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product)#14648
Draft
ggbecker wants to merge 11 commits into
Skipping CI for Draft Pull Request. |
Update AC family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 33 AC controls including account management, access enforcement, session controls, and boundary protection.

Changes:
- Updated 33 controls from 'pending' to 'automated' status
- Added rule mappings for controls ac-1 through ac-25
- Includes mappings for enhancements (e.g., ac-2.1, ac-2.3, ac-7.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ac-2: Account management (11 rules)
- ac-7: Unsuccessful login attempts (4 rules)
- ac-11: Session lock (5 rules)
- ac-17: Remote access (7 rules)
Update AU family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 28 AU controls covering audit generation, storage, review, and protection.

Changes:
- Updated 28 controls from 'pending' to 'automated' status
- Added rule mappings for controls au-2 through au-14
- Includes mappings for enhancements (e.g., au-3.1, au-4.1, au-12.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- au-2: Event logging (67 audit rules)
- au-3: Content of audit records (35 rules)
- au-12: Audit record generation (67 rules)
- au-9: Protection of audit information (15 rules)
Update IA family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 22 IA controls covering password policies, authentication mechanisms, and cryptographic requirements.

Changes:
- Updated 22 controls from 'pending' to 'automated' status
- Added rule mappings for controls ia-2 through ia-12
- Includes mappings for enhancements (e.g., ia-2.1, ia-2.8, ia-5.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ia-5: Authenticator management (51 password/key rules)
- ia-5.1: Password-based authentication (30 rules)
- ia-2: Identification and authentication (8 rules)
- ia-11: Re-authentication (5 rules)
Update CM family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 11 CM controls covering baseline configurations, security settings, and least functionality.

Changes:
- Updated 11 controls from 'pending' to 'automated' status
- Added rule mappings for controls cm-1, cm-6, cm-7, and cm-11
- Limited cm-6 (configuration settings) to 30 most relevant rules
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- cm-6: Configuration settings (30 curated rules)
- cm-7: Least functionality (10 service/package rules)
- cm-7.1: Periodic review (4 rules)
- cm-11: User-installed software (5 package management rules)

Note: CM-6 is a catch-all control that could technically map to hundreds of rules. Limited to high-impact configuration rules to maintain file readability.
…mily

Update SC family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 27 SC controls covering cryptography, network protection, and system partitioning.

Changes:
- Updated 27 controls from 'pending' to 'automated' status
- Added rule mappings for controls sc-2 through sc-46
- Includes mappings for enhancements (e.g., sc-8.1, sc-13.1, sc-28.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- sc-8: Transmission confidentiality/integrity (9 crypto rules)
- sc-13: Cryptographic protection (14 encryption rules)
- sc-28: Protection of information at rest (8 disk encryption rules)
- sc-2: Separation of system and user functionality (7 partition rules)
- sc-5: Denial-of-service protection (6 kernel parameter rules)
Update SI family control files for rhel8, rhel9, and rhel10 with automated rule mappings.

Map existing rules with NIST references to 12 SI controls covering flaw remediation, malicious code protection, and system monitoring.

Changes:
- Updated 12 controls from 'pending' to 'automated' status
- Added rule mappings for controls si-2 through si-16
- Includes mappings for enhancements (e.g., si-2.2, si-3.8, si-4.5)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- si-2: Flaw remediation (12 update/patch rules)
- si-3: Malicious code protection (6 antivirus/aide rules)
- si-4: System monitoring (9 logging/audit rules)
- si-6: Security and privacy function verification (8 aide/integrity rules)
- si-11: Error handling (4 core dump rules)
Map 48 previously unmapped rules (without NIST references in metadata) to appropriate NIST 800-53 controls using semantic analysis of rule descriptions and rationales. These rules were identified through keyword matching and manual review.

Changes across rhel8, rhel9, and rhel10:

CP (Contingency Planning) family:
- cp-9 (System Backup): +3 backup-related rules
  - configure_user_data_backups
  - file_groupowner_backup_etc_shadow
  - httpd_remove_backups

SC (System and Communications Protection) family:
- sc-7 (Boundary Protection): +25 firewall rules
  - firewalld, iptables, nftables, ufw configuration rules
  - Firewall zone, policy, and port management rules
  - Total rules in sc-7: 36 (11 existing + 25 new)

AU (Audit and Accountability) family:
- au-3 (Audit Record Content): +1 login event audit rule
- au-3.1 (Additional Audit Information): +5 network config audit rules
- au-5 (Audit Failure Response): +2 audit system resilience rules
- au-9 (Protection of Audit Information): +3 audit protection rules
- au-12 (Audit Record Generation): +9 additional syscall audit rules

These mappings address rules that lacked explicit NIST references but provide technical controls that satisfy the control requirements.

Total new mappings: 144 (48 unique rules × 3 products).
Add 22 unmapped rules to SI family controls across rhel8, rhel9, and rhel10. Focused on malware protection, flaw remediation, system monitoring, and input validation. These rules were identified through semantic analysis of rule descriptions.

Changes:

SI-2 (Flaw Remediation):
- Added GPG key verification rules: ensure_gpgcheck_globally_activated, ensure_gpgcheck_never_disabled, ensure_gpgcheck_local_packages, ensure_redhat_gpgkey_installed
- Added ABRT package removal rule
Total: 5 rules (2-3 new per product)

SI-3 (Malicious Code Protection):
- Added SELinux antivirus booleans: sebool_antivirus_can_scan_system, sebool_antivirus_use_jit
- Added GNOME automount/autorun prevention: dconf_gnome_disable_automount, dconf_gnome_disable_automount_open, dconf_gnome_disable_autorun
- Added secure_boot_enabled
Total: 8 rules (6 new per product)

SI-4 (System Monitoring):
- Added rsyslog rules: rsyslog_cron_logging, rsyslog_logging_configured
- Added journald rules: journald_compress, journald_forward_to_syslog, journald_storage, package_systemd-journal-remote_installed
Total: 11 rules (6 new per product)

SI-10 (Information Input Validation):
- Added kernel hardening: kernel_config_fortify_source, kernel_config_randomize_base, kernel_config_stackprotector
- Added SELinux memory protection: sebool_selinuxuser_execheap, sebool_selinuxuser_execstack
Total: 5 rules (all new)

Total new mappings: 62 (across 3 products)
Add 14 unmapped rules to SC family controls across rhel8, rhel9, and rhel10. Focused on denial of service protection, transmission confidentiality, cryptographic protection, and secure name resolution.

Changes:

SC-5 (Denial of Service Protection):
- Added SSH connection limits: sshd_set_max_sessions, sshd_set_maxstartups
- Added PAM faillock for root: accounts_passwords_pam_faillock_root_unlock_time
- Added kernel hardening: kernel_config_binfmt_misc, kernel_config_modify_ldt_syscall
Total: 15 rules (5 new per product)

SC-8 (Transmission Confidentiality):
- Added HTTPD TLS configuration: httpd_configure_tls
- Added Dovecot SSL: dovecot_enable_ssl, dovecot_configure_ssl_cert, dovecot_configure_ssl_key
Total: 5 rules (4 new per product)

SC-13 (Cryptographic Protection):
- Added HTTPD authentication: httpd_digest_authentication, httpd_require_client_certs
Total: 28 rules (2 new per product)

SC-20 (Secure Name/Address Resolution):
- Added Avahi restrictions: avahi_check_ttl, avahi_ip_only, avahi_restrict_published_information
Total: 4 rules (3 new per product)

Total new mappings: 42 (across 3 products)
Add 13 unmapped rules to CM family controls across rhel8, rhel9, and rhel10. Focused on bootloader security and disabling unnecessary services/packages for least functionality.

Changes:

CM-6 (Configuration Settings):
- Added GRUB2 password protection: grub2_password, grub2_uefi_password
- Added GRUB2 file permissions: file_groupowner_boot_grub2, file_owner_boot_grub2, file_permissions_boot_grub2
Total: 35 rules (5 new per product)

CM-7 (Least Functionality):
- Added service disablement: service_apport_disabled, service_cockpit_disabled, service_oddjobd_disabled, service_quota_nld_disabled, service_dhcpd_disabled, service_dnsmasq_disabled
- Added package removal: package_nis_removed, package_telnetd_removed
Total: 54-61 rules (6-7 new per product)

CM-7 already had significant coverage from previous mappings. These additions focus on services that provide unnecessary network functionality or legacy protocols that increase attack surface.

Total new mappings: 35 (across 3 products)
First mappings for Incident Response (IR) and Risk Assessment (RA) families across rhel8, rhel9, and rhel10. These families were previously at 0% coverage. Focused on incident handling, monitoring, and vulnerability scanning capabilities.

IR (Incident Response) family:

IR-4 (Incident Handling):
- Added audit log forwarding: auditd_audispd_configure_remote_server, auditd_offload_logs
- Added mail service for notifications: service_postfix_enabled
Total: 3 rules (all new)

IR-5 (Incident Monitoring and Reporting):
- Added file deletion monitoring audit rules: audit_rules_file_deletion_events, audit_rules_file_deletion_events_rename, audit_rules_file_deletion_events_renameat, audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink, audit_rules_file_deletion_events_unlinkat
Total: 6 rules (all new)

RA (Risk Assessment) family:

RA-5 (Vulnerability Monitoring and Scanning):
- Added insecure protocol kernel modules: kernel_module_dccp_disabled, kernel_module_rds_disabled, kernel_module_sctp_disabled, kernel_module_tipc_disabled
- Added insecure filesystem kernel modules: kernel_module_cramfs_disabled, kernel_module_freevxfs_disabled, kernel_module_hfs_disabled, kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled
Total: 9 rules (all new)

Coverage improvement:
- IR: 0% → 4.8% (2/42 controls)
- RA: 0% → 3.8% (1/26 controls)

Total new mappings: 54 (across 3 products × 18 unique rules)
Description:
Add NIST 800-53 / CIS synchronization toolkit and product-specific control files for rhel8, rhel9, and rhel10.
This PR introduces:

Each product (rhel8, rhel9, rhel10) now has dedicated NIST 800-53 control files in products/{product}/controls/nist_800_53/ that map CIS benchmark requirements to NIST controls.

Rationale:
Enable NIST 800-53 compliance profiles based on CIS benchmark mappings. This allows users to assess and remediate systems against NIST 800-53 controls using the existing CIS benchmark rule base.

The product-specific architecture ensures:

Review Hints:
This PR consists of two commits that should be reviewed sequentially:
- Infrastructure commit (aec333de6d): Toolkit scripts, documentation, and GitHub Actions workflow
  - utils/nist_sync/sync_nist_split.py
  - utils/nist_sync/README.md
  - controls/README_nist_800_53.md
- Control files commit (645e5aaaf9): Generated NIST 800-53 control files
  - products/rhel9/controls/nist_800_53/au.yml) to verify format

Testing the toolkit locally:
cd utils/nist_sync
./test_workflow_local.sh
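The commits above repeatedly promise "consistent mappings across rhel8, rhel9, and rhel10" and report per-family coverage such as "IR: 0% → 4.8% (2/42 controls)"; a reviewer can check both claims mechanically. The following is an added example written for this page, not code from the PR or from the ComplianceAsCode project; it assumes each family file parses (for instance with yaml.safe_load) into a dict holding a `controls` list whose items carry `id`, `status` and an optional `rules` list, and all sample data in it is constructed.

```python
# Added example (not from the PR or the ComplianceAsCode project): coverage and
# cross-product consistency checks over parsed NIST 800-53 family control files.
# Assumed shape of one parsed file (e.g. products/<product>/controls/nist_800_53/ir.yml):
#   {"controls": [{"id": "ir-4", "status": "automated", "rules": [...]}, ...]}
# Every rule list and product table below is constructed sample data.

def coverage(family):
    """Return (automated, total, percent) for one parsed family file."""
    controls = family["controls"]
    automated = sum(1 for c in controls if c.get("status") == "automated")
    total = len(controls)
    pct = round(100.0 * automated / total, 1) if total else 0.0
    return automated, total, pct

def inconsistent_controls(per_product):
    """Return {control id: {product: (status, rules)}} for every control whose
    status or rule set differs between products, or which is missing from a
    product. An empty dict means the mappings really are identical."""
    seen = {}
    for product, family in per_product.items():
        for c in family["controls"]:
            key = (c.get("status", "pending"), tuple(sorted(c.get("rules", []))))
            seen.setdefault(c["id"], {})[product] = key
    return {cid: by_prod for cid, by_prod in seen.items()
            if len(by_prod) != len(per_product) or len(set(by_prod.values())) > 1}

def make_ir_family(automated):
    """Constructed IR family of 42 control ids (10 base + 32 enhancement
    placeholders); each is 'pending' unless listed in `automated` ({id: rules})."""
    ids = [f"ir-{i}" for i in range(1, 11)]
    ids += [f"ir-{i}.{j}" for i in range(1, 9) for j in range(1, 5)]
    return {"controls": [
        {"id": cid, "status": "automated", "rules": automated[cid]}
        if cid in automated else {"id": cid, "status": "pending"}
        for cid in ids]}

IR4_RULES = ["auditd_audispd_configure_remote_server", "auditd_offload_logs",
             "service_postfix_enabled"]
IR5_RULES = ["audit_rules_file_deletion_events"] + [
    "audit_rules_file_deletion_events_" + s
    for s in ("rename", "renameat", "rmdir", "unlink", "unlinkat")]

# Constructed drift: rhel8 lacks one ir-4 rule that rhel9 and rhel10 carry,
# so the consistency check must flag ir-4 and nothing else.
PRODUCTS = {
    "rhel8": make_ir_family({"ir-4": IR4_RULES[:2], "ir-5": IR5_RULES}),
    "rhel9": make_ir_family({"ir-4": IR4_RULES, "ir-5": IR5_RULES}),
    "rhel10": make_ir_family({"ir-4": IR4_RULES, "ir-5": IR5_RULES}),
}
```

Running `coverage` on each product reproduces the 2/42 = 4.8% figure from the IR commit, and `inconsistent_controls(PRODUCTS)` returns only `ir-4` with the per-product rule tuples, which is the kind of drift the "consistent across products" claim rules out.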