617 changes: 430 additions & 187 deletions products/rhel10/controls/nist_800_53/ac.yml


331 changes: 217 additions & 114 deletions products/rhel10/controls/nist_800_53/au.yml


185 changes: 101 additions & 84 deletions products/rhel10/controls/nist_800_53/cm.yml
Expand Up @@ -133,14 +133,19 @@ controls:
status: pending
- id: cm-3.5
title: Automated Security Response
rules: []
status: pending
rules:
- aide_scan_notification
- package_mailx_installed
- package_s-nail_installed
status: automated
- id: cm-3.6
title: Cryptography Management
levels:
- high
rules: []
status: pending
rules:
- enable_fips_mode
- service_sshd_disabled
status: automated
- id: cm-3.7
title: Review System Changes
rules: []
Expand Down Expand Up @@ -177,16 +182,27 @@ controls:
title: Automated Access Enforcement and Audit Records
levels:
- high
rules: []
status: pending
rules:
- audit_rules_suid_privilege_function
status: automated
- id: cm-5.2
title: Review System Changes
rules: []
status: pending
- id: cm-5.3
title: Signed Components
rules: []
status: pending
rules:
- ensure_almalinux_gpgkey_installed
- ensure_amazon_gpgkey_installed
- ensure_fedora_gpgkey_installed
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_repo_metadata
- ensure_oracle_gpgkey_installed
- ensure_redhat_gpgkey_installed
- ensure_suse_gpgkey_installed
status: automated
- id: cm-5.4
title: Dual Authorization
rules: []
Expand All @@ -197,8 +213,20 @@ controls:
status: pending
- id: cm-5.6
title: Limit Library Privileges
rules: []
status: pending
rules:
- dir_group_ownership_library_dirs
- dir_ownership_library_dirs
- dir_permissions_library_dirs
- dir_system_commands_group_root_owned
- dir_system_commands_root_owned
- file_groupownership_system_commands_dirs
- file_ownership_binary_dirs
- file_ownership_library_dirs
- file_permissions_binary_dirs
- file_permissions_library_dirs
- file_permissions_system_commands_dirs
- root_permissions_syslibrary_files
status: automated
- id: cm-5.7
title: Automatic Implementation of Security Safeguards
rules: []
Expand All @@ -208,74 +236,41 @@ controls:
levels:
- low
rules:
- accounts_password_pam_pwquality_password_auth
- accounts_password_pam_pwquality_system_auth
- accounts_umask_etc_bashrc
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
- accounts_user_interactive_home_directory_exists
- audit_rules_media_export
- banner_etc_issue_cis
- banner_etc_issue_net_cis
- banner_etc_motd_cis
- coredump_disable_backtraces
- coredump_disable_storage
- dconf_gnome_disable_user_list
- disable_host_auth
- disable_users_coredumps
- account_disable_post_pw_expiration
- account_emergency_expire_date
- account_temp_expire_date
- accounts_logon_fail_delay
- accounts_max_concurrent_login_sessions
- accounts_maximum_age_login_defs
- accounts_minimum_age_login_defs
- accounts_password_all_shadowed
- accounts_password_minlen_login_defs
- accounts_password_pam_dcredit
- accounts_password_pam_dictcheck
- accounts_password_pam_difok
- accounts_password_pam_enforce_root
- accounts_password_pam_lcredit
- accounts_password_pam_maxclassrepeat
- accounts_password_pam_maxrepeat
- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_ocredit
- accounts_password_pam_retry
- accounts_password_pam_ucredit
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_password_set_warn_age_existing
- accounts_password_warn_age_login_defs
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_deny_root
- accounts_passwords_pam_faillock_interval
- accounts_passwords_pam_faillock_unlock_time
- accounts_passwords_pam_tally2_deny_root
- file_groupowner_boot_grub2
- file_groupownership_sshd_private_key
- file_groupownership_sshd_pub_key
- file_owner_boot_grub2
- file_ownership_home_directories
- file_ownership_sshd_private_key
- file_ownership_sshd_pub_key
- file_permissions_boot_grub2
- file_permissions_home_directories
- file_permissions_sshd_private_key
- file_permissions_sshd_pub_key
- no_empty_passwords
- no_empty_passwords_etc_shadow
- no_files_or_dirs_ungroupowned
- no_files_or_dirs_unowned_by_user
- package_pam_pwquality_installed
- package_rsync_removed
- package_samba_removed
- package_squid_removed
- partition_for_tmp
- partition_for_var_log
- service_nfs_disabled
- service_rpcbind_disabled
- sshd_disable_gssapi_auth
- sshd_set_login_grace_time
- sysctl_kernel_kptr_restrict
- sysctl_kernel_randomize_va_space
- sysctl_kernel_yama_ptrace_scope
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_forwarding
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_conf_default_rp_filter
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
- sysctl_net_ipv6_conf_all_forwarding
- sysctl_net_ipv6_conf_default_accept_ra
- sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv6_conf_default_forwarding
- grub2_password
- grub2_uefi_password
status: automated
- id: cm-6.1
title: Automated Management, Application, and Verification
Expand Down Expand Up @@ -334,9 +329,11 @@ controls:
- package_kea_removed
- package_net-snmp_removed
- package_nginx_removed
- package_nis_removed
- package_openldap-clients_removed
- package_telnet-server_removed
- package_telnet_removed
- package_telnetd_removed
- package_tftp-server_removed
- package_tftp_removed
- package_vsftpd_removed
Expand All @@ -348,25 +345,33 @@ controls:
- partition_for_var_log_audit
- partition_for_var_tmp
- postfix_network_listening_disabled
- service_apport_disabled
- service_bluetooth_disabled
- service_cockpit_disabled
- service_cups_disabled
- service_dhcpd_disabled
- service_dnsmasq_disabled
- service_oddjobd_disabled
- service_quota_nld_disabled
- sshd_disable_forwarding
- wireless_disable_interfaces
status: automated
- id: cm-7.1
title: Periodic Review
levels:
- moderate
rules: []
status: pending
rules:
- chronyd_no_chronyc_network
status: automated
- id: cm-7.2
title: Prevent Program Execution
levels:
- moderate
rules: []
status: pending
rules:
- apparmor_configured
- network_sniffer_disabled
- package_pam_apparmor_installed
status: automated
- id: cm-7.3
title: Registration Compliance
rules: []
Expand All @@ -379,8 +384,10 @@ controls:
title: Authorized Software — Allow-by-exception
levels:
- moderate
rules: []
status: pending
rules:
- apparmor_configured
- package_pam_apparmor_installed
status: automated
- id: cm-7.6
title: Confined Environments with Limited Privileges
rules: []
Expand Down Expand Up @@ -419,8 +426,13 @@ controls:
title: Automated Unauthorized Component Detection
levels:
- moderate
rules: []
status: pending
rules:
- configure_usbguard_auditbackend
- package_usbguard_installed
- service_usbguard_enabled
- usbguard_allow_hid_and_hub
- usbguard_generate_policy
status: automated
- id: cm-8.4
title: Accountability Information
levels:
Expand Down Expand Up @@ -472,7 +484,12 @@ controls:
levels:
- low
rules:
- package_xorg-x11-server-Xwayland_removed
- clean_components_post_updating
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
- ensure_gpgcheck_never_disabled
- ensure_gpgcheck_repo_metadata
- ensure_oracle_gpgkey_installed
status: automated
- id: cm-11.1
title: Alerts for Unauthorized Installations
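Review bot: Several rules added to this rhel10 control file look, by name, like they target other distributions: cm-5.3 gains `ensure_almalinux_gpgkey_installed`, `ensure_amazon_gpgkey_installed`, `ensure_fedora_gpgkey_installed`, `ensure_oracle_gpgkey_installed` and `ensure_suse_gpgkey_installed`, cm-7.2 and cm-7.5 gain `apparmor_configured` and `package_pam_apparmor_installed`, and the cm-7 list gains `service_apport_disabled`, `package_nis_removed` and `package_telnetd_removed`. If those rules are not applicable to the rhel10 product, each affected control is flipped to `status: automated` while resolving to no effective check on the platform, and depending on how the build validates control files it may not build at all; for the AppArmor entries the RHEL counterpart would be the SELinux rules. The cm-10 hunk preceding cm-11.1 shows the same pattern, adding only `ensure_oracle_gpgkey_installed` where cm-5.3 also lists `ensure_redhat_gpgkey_installed`. Either drop the entries that do not apply to rhel10 or confirm each rule's platform applicability before marking these controls automated; the control list continues outside the rendered hunks.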
7 changes: 5 additions & 2 deletions products/rhel10/controls/nist_800_53/cp.yml
Expand Up @@ -204,8 +204,11 @@ controls:
title: System Backup
levels:
- low
rules: []
status: pending
rules:
- configure_user_data_backups
- file_groupowner_backup_etc_shadow
- httpd_remove_backups
status: automated
- id: cp-9.1
title: Testing for Reliability and Integrity
levels:
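Review bot: Two of the three rules that move cp-9 to `status: automated` do not obviously implement system backup: judging by their names, `file_groupowner_backup_etc_shadow` checks the group ownership of the shadow file's backup copy and `httpd_remove_backups` removes stray backup copies from web content, neither of which establishes that system or user data is actually backed up. Only `configure_user_data_backups` appears to address the control's intent, so the mapping should be confirmed before the control is reported as automated, or the other two entries moved to the control they actually support. cp-9.1 and the rest of the control list continue outside the hunk.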