Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product)#14648

Draft
ggbecker wants to merge 11 commits into
ComplianceAsCode:masterfrom
ggbecker:nist-800-53-control-split-per-product

Conversation

@ggbecker (Member)

Description:

Add NIST 800-53 / CIS synchronization toolkit and product-specific control files for rhel8, rhel9, and rhel10.

This PR introduces:

  • Toolkit for generating NIST 800-53 control files from CIS benchmark mappings
  • Product-specific NIST 800-53 Revision 5 control files organized into 21 family files (AC, AU, CM, IA, SC, SI, etc.)
  • Weekly GitHub Actions automation to keep control files up to date
  • Documentation explaining the architecture and workflows

Each product (rhel8, rhel9, rhel10) now has dedicated NIST 800-53 control files in products/{product}/controls/nist_800_53/ that map CIS benchmark requirements to NIST controls.

Rationale:

Enable NIST 800-53 compliance profiles based on CIS benchmark mappings. This allows users to assess and remediate systems against NIST 800-53 controls using the existing CIS benchmark rule base.

The product-specific architecture ensures:

  • Clean control files without conditional logic
  • Each product can evolve independently
  • Only rules actually available for each product are included

Review Hints:

This PR consists of two commits that should be reviewed sequentially:

  1. Infrastructure commit (aec333de6d): Toolkit scripts, documentation, and GitHub Actions workflow

    • Key files: utils/nist_sync/sync_nist_split.py, utils/nist_sync/README.md, controls/README_nist_800_53.md
    • Review the generation logic and documentation for clarity
  2. Control files commit (645e5aaaf9): Generated NIST 800-53 control files

    • 132 files total (3 products × 22 files each for product + reference files)
    • Spot-check a few family files (e.g., products/rhel9/controls/nist_800_53/au.yml) to verify format

Testing the toolkit locally:

cd utils/nist_sync
./test_workflow_local.sh
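The description and the commit messages talk about per-family control files whose controls move from 'pending' to 'automated' as rules are mapped, and about including only rules that exist for a product. The following is an added example, not the PR's utils/nist_sync toolkit, showing the two checks a reviewer would want over one such family file: coverage per family (the percentages the commits report) and a consistency lint; the 'id'/'status'/'rules' layout of a parsed control list is an assumption about the ComplianceAsCode control-file format, and the sample controls and rule set are constructed.

```python
# Added example (not the PR's utils/nist_sync toolkit): coverage and consistency
# checks over one per-family control file such as products/rhel9/controls/nist_800_53/ir.yml.
# Assumption: each control carries 'id', 'status' and an optional 'rules' list, as
# yaml.safe_load(open(path))["controls"] would give for a ComplianceAsCode control file.

# Constructed stand-in for the parsed 'controls' list of an ir.yml family file
SAMPLE_IR_CONTROLS = [
    {"id": "ir-4", "status": "automated",
     "rules": ["auditd_audispd_configure_remote_server",
               "auditd_offload_logs", "service_postfix_enabled"]},
    {"id": "ir-5", "status": "automated",
     "rules": ["audit_rules_file_deletion_events"]},
    {"id": "ir-6", "status": "pending"},
    {"id": "ir-7", "status": "automated", "rules": []},   # inconsistent on purpose
]

# Constructed stand-in for the rule ids that actually exist for one product
AVAILABLE_RULES = {
    "auditd_audispd_configure_remote_server",
    "auditd_offload_logs",
    "service_postfix_enabled",
}


def percent(automated, total):
    """Coverage as the commit messages report it, e.g. IR 2/42 controls -> 4.8."""
    return round(100.0 * automated / total, 1) if total else 0.0


def coverage(controls):
    """Return (automated, total, percent) for one family file."""
    automated = sum(1 for c in controls if c.get("status") == "automated")
    return automated, len(controls), percent(automated, len(controls))


def lint(controls, available):
    """Report automated controls that map no rules, and rules unknown to the product.

    The second check enforces the PR's 'only rules actually available for each
    product are included' property.
    """
    problems = []
    for c in controls:
        rules = c.get("rules") or []
        if c.get("status") == "automated" and not rules:
            problems.append((c["id"], "status automated but no rules mapped"))
        problems.extend((c["id"], f"rule not available for product: {r}")
                        for r in rules if r not in available)
    return problems


if __name__ == "__main__":
    print("coverage (automated, total, %):", coverage(SAMPLE_IR_CONTROLS))
    for cid, msg in lint(SAMPLE_IR_CONTROLS, AVAILABLE_RULES):
        print(f"{cid}: {msg}")
```

Run against the real files, the lint would replace the constructed list with the parsed 'controls' of each family file and the constructed rule set with the product's actual rule ids.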

@ggbecker ggbecker added this to the 0.1.81 milestone Apr 13, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 13, 2026
openshift-ci Bot commented Apr 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ggbecker ggbecker changed the title Nist 800 53 control split per product Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product) Apr 13, 2026
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product branch 2 times, most recently from 4a682d9 to e054e25 on April 14, 2026 14:53
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product branch from e054e25 to f844b66 on April 29, 2026 10:47
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product branch 7 times, most recently from a17c1cb to c9e6d6e on May 5, 2026 14:53
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product branch from c9e6d6e to d03d4cf on May 6, 2026 11:23
@openshift-ci openshift-ci Bot added the needs-rebase Used by openshift-ci bot. label May 13, 2026
ggbecker added 11 commits May 20, 2026 09:29
Update AC family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 33 AC controls including account management, access enforcement,
session controls, and boundary protection.

Changes:
- Updated 33 controls from 'pending' to 'automated' status
- Added rule mappings for controls ac-1 through ac-25
- Includes mappings for enhancements (e.g., ac-2.1, ac-2.3, ac-7.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ac-2: Account management (11 rules)
- ac-7: Unsuccessful login attempts (4 rules)
- ac-11: Session lock (5 rules)
- ac-17: Remote access (7 rules)

Update AU family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 28 AU controls covering audit generation, storage, review,
and protection.

Changes:
- Updated 28 controls from 'pending' to 'automated' status
- Added rule mappings for controls au-2 through au-14
- Includes mappings for enhancements (e.g., au-3.1, au-4.1, au-12.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- au-2: Event logging (67 audit rules)
- au-3: Content of audit records (35 rules)
- au-12: Audit record generation (67 rules)
- au-9: Protection of audit information (15 rules)

Update IA family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 22 IA controls covering password policies, authentication
mechanisms, and cryptographic requirements.

Changes:
- Updated 22 controls from 'pending' to 'automated' status
- Added rule mappings for controls ia-2 through ia-12
- Includes mappings for enhancements (e.g., ia-2.1, ia-2.8, ia-5.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ia-5: Authenticator management (51 password/key rules)
- ia-5.1: Password-based authentication (30 rules)
- ia-2: Identification and authentication (8 rules)
- ia-11: Re-authentication (5 rules)

Update CM family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 11 CM controls covering baseline configurations, security
settings, and least functionality.

Changes:
- Updated 11 controls from 'pending' to 'automated' status
- Added rule mappings for controls cm-1, cm-6, cm-7, and cm-11
- Limited cm-6 (configuration settings) to 30 most relevant rules
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- cm-6: Configuration settings (30 curated rules)
- cm-7: Least functionality (10 service/package rules)
- cm-7.1: Periodic review (4 rules)
- cm-11: User-installed software (5 package management rules)

Note: CM-6 is a catch-all control that could technically map to
hundreds of rules. Limited to high-impact configuration rules to
maintain file readability.

…mily

Update SC family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 27 SC controls covering cryptography, network protection,
and system partitioning.

Changes:
- Updated 27 controls from 'pending' to 'automated' status
- Added rule mappings for controls sc-2 through sc-46
- Includes mappings for enhancements (e.g., sc-8.1, sc-13.1, sc-28.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- sc-8: Transmission confidentiality/integrity (9 crypto rules)
- sc-13: Cryptographic protection (14 encryption rules)
- sc-28: Protection of information at rest (8 disk encryption rules)
- sc-2: Separation of system and user functionality (7 partition rules)
- sc-5: Denial-of-service protection (6 kernel parameter rules)

Update SI family control files for rhel8, rhel9, and rhel10 with
automated rule mappings. Map existing rules with NIST references
to 12 SI controls covering flaw remediation, malicious code
protection, and system monitoring.

Changes:
- Updated 12 controls from 'pending' to 'automated' status
- Added rule mappings for controls si-2 through si-16
- Includes mappings for enhancements (e.g., si-2.2, si-3.8, si-4.5)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- si-2: Flaw remediation (12 update/patch rules)
- si-3: Malicious code protection (6 antivirus/aide rules)
- si-4: System monitoring (9 logging/audit rules)
- si-6: Security and privacy function verification (8 aide/integrity rules)
- si-11: Error handling (4 core dump rules)

Map 48 previously unmapped rules (without NIST references in metadata)
to appropriate NIST 800-53 controls using semantic analysis of rule
descriptions and rationales. These rules were identified through keyword
matching and manual review.

Changes across rhel8, rhel9, and rhel10:

CP (Contingency Planning) family:
- cp-9 (System Backup): +3 backup-related rules
  - configure_user_data_backups
  - file_groupowner_backup_etc_shadow
  - httpd_remove_backups

SC (System and Communications Protection) family:
- sc-7 (Boundary Protection): +25 firewall rules
  - firewalld, iptables, nftables, ufw configuration rules
  - Firewall zone, policy, and port management rules
  - Total rules in sc-7: 36 (11 existing + 25 new)

AU (Audit and Accountability) family:
- au-3 (Audit Record Content): +1 login event audit rule
- au-3.1 (Additional Audit Information): +5 network config audit rules
- au-5 (Audit Failure Response): +2 audit system resilience rules
- au-9 (Protection of Audit Information): +3 audit protection rules
- au-12 (Audit Record Generation): +9 additional syscall audit rules

These mappings address rules that lacked explicit NIST references but
provide technical controls that satisfy the control requirements. Total
new mappings: 144 (48 unique rules × 3 products).

Add 22 unmapped rules to SI family controls across rhel8, rhel9, and rhel10.
Focused on malware protection, flaw remediation, system monitoring, and
input validation. These rules were identified through semantic analysis
of rule descriptions.

Changes:

SI-2 (Flaw Remediation):
- Added GPG key verification rules: ensure_gpgcheck_globally_activated,
  ensure_gpgcheck_never_disabled, ensure_gpgcheck_local_packages,
  ensure_redhat_gpgkey_installed
- Added ABRT package removal rule
Total: 5 rules (2-3 new per product)

SI-3 (Malicious Code Protection):
- Added SELinux antivirus booleans: sebool_antivirus_can_scan_system,
  sebool_antivirus_use_jit
- Added GNOME automount/autorun prevention: dconf_gnome_disable_automount,
  dconf_gnome_disable_automount_open, dconf_gnome_disable_autorun
- Added secure_boot_enabled
Total: 8 rules (6 new per product)

SI-4 (System Monitoring):
- Added rsyslog rules: rsyslog_cron_logging, rsyslog_logging_configured
- Added journald rules: journald_compress, journald_forward_to_syslog,
  journald_storage, package_systemd-journal-remote_installed
Total: 11 rules (6 new per product)

SI-10 (Information Input Validation):
- Added kernel hardening: kernel_config_fortify_source,
  kernel_config_randomize_base, kernel_config_stackprotector
- Added SELinux memory protection: sebool_selinuxuser_execheap,
  sebool_selinuxuser_execstack
Total: 5 rules (all new)

Total new mappings: 62 (across 3 products)

Add 14 unmapped rules to SC family controls across rhel8, rhel9, and rhel10.
Focused on denial of service protection, transmission confidentiality,
cryptographic protection, and secure name resolution.

Changes:

SC-5 (Denial of Service Protection):
- Added SSH connection limits: sshd_set_max_sessions, sshd_set_maxstartups
- Added PAM faillock for root: accounts_passwords_pam_faillock_root_unlock_time
- Added kernel hardening: kernel_config_binfmt_misc, kernel_config_modify_ldt_syscall
Total: 15 rules (5 new per product)

SC-8 (Transmission Confidentiality):
- Added HTTPD TLS configuration: httpd_configure_tls
- Added Dovecot SSL: dovecot_enable_ssl, dovecot_configure_ssl_cert,
  dovecot_configure_ssl_key
Total: 5 rules (4 new per product)

SC-13 (Cryptographic Protection):
- Added HTTPD authentication: httpd_digest_authentication,
  httpd_require_client_certs
Total: 28 rules (2 new per product)

SC-20 (Secure Name/Address Resolution):
- Added Avahi restrictions: avahi_check_ttl, avahi_ip_only,
  avahi_restrict_published_information
Total: 4 rules (3 new per product)

Total new mappings: 42 (across 3 products)

Add 13 unmapped rules to CM family controls across rhel8, rhel9, and rhel10.
Focused on bootloader security and disabling unnecessary services/packages
for least functionality.

Changes:

CM-6 (Configuration Settings):
- Added GRUB2 password protection: grub2_password, grub2_uefi_password
- Added GRUB2 file permissions: file_groupowner_boot_grub2,
  file_owner_boot_grub2, file_permissions_boot_grub2
Total: 35 rules (5 new per product)

CM-7 (Least Functionality):
- Added service disablement: service_apport_disabled, service_cockpit_disabled,
  service_oddjobd_disabled, service_quota_nld_disabled, service_dhcpd_disabled,
  service_dnsmasq_disabled
- Added package removal: package_nis_removed, package_telnetd_removed
Total: 54-61 rules (6-7 new per product)

CM-7 already had significant coverage from previous mappings. These additions
focus on services that provide unnecessary network functionality or legacy
protocols that increase attack surface.

Total new mappings: 35 (across 3 products)

First mappings for Incident Response (IR) and Risk Assessment (RA)
families across rhel8, rhel9, and rhel10. These families were previously
at 0% coverage. Focused on incident handling, monitoring, and vulnerability
scanning capabilities.

IR (Incident Response) family:

IR-4 (Incident Handling):
- Added audit log forwarding: auditd_audispd_configure_remote_server,
  auditd_offload_logs
- Added mail service for notifications: service_postfix_enabled
Total: 3 rules (all new)

IR-5 (Incident Monitoring and Reporting):
- Added file deletion monitoring audit rules: audit_rules_file_deletion_events,
  audit_rules_file_deletion_events_rename, audit_rules_file_deletion_events_renameat,
  audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink,
  audit_rules_file_deletion_events_unlinkat
Total: 6 rules (all new)

RA (Risk Assessment) family:

RA-5 (Vulnerability Monitoring and Scanning):
- Added insecure protocol kernel modules: kernel_module_dccp_disabled,
  kernel_module_rds_disabled, kernel_module_sctp_disabled,
  kernel_module_tipc_disabled
- Added insecure filesystem kernel modules: kernel_module_cramfs_disabled,
  kernel_module_freevxfs_disabled, kernel_module_hfs_disabled,
  kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled
Total: 9 rules (all new)

Coverage improvement:
- IR: 0% → 4.8% (2/42 controls)
- RA: 0% → 3.8% (1/26 controls)

Total new mappings: 54 (across 3 products × 18 unique rules)
@ggbecker ggbecker force-pushed the nist-800-53-control-split-per-product branch from d03d4cf to 308897c on May 20, 2026 07:34
@openshift-ci openshift-ci Bot removed the needs-rebase Used by openshift-ci bot. label May 20, 2026
@Arden97 Arden97 modified the milestones: 0.1.81, 0.1.82 May 20, 2026