From 7ce17f8fcbb0369935d462753043c13e7a505a58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 Jan 2025 14:58:09 +0100 Subject: [PATCH 1/2] Enable OSPP profile in RHEL 10 Currently, the data stream in RHEL 10 daily productization contains OSPP profile and therefore differs from upstream defaults. We still want to run tests with OSPP profile in daily productization. At the same time, we don't want to test different data stream in daily productization than in upstream tests and CI. This will be solved by enabling the OSPP profile by default. --- .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 1 + .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 1 + .../bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 1 + .../bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 1 + .../zipl_page_alloc_shuffle_argument/rule.yml | 1 + products/rhel10/profiles/ospp.profile | 2 +- shared/references/cce-redhat-avail.txt | 5 ----- 7 files changed, 6 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 2e721d99c54..bc3f5508cf8 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel9: CCE-85867-0 + cce@rhel10: CCE-86953-7 ocil_clause: 'the kernel is not configured to zero out memory before allocation' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml index c115ba0ecd5..e2ec1168f44 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml 
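Review bot: The `cce@rhel10` identifier added under `identifiers:` here is one of only five assigned in this patch, and grub2_page_alloc_shuffle_argument — which the second patch tags with the same `ospp: AVA_VAN.1` reference as this rule — receives no `cce@rhel10` anywhere in the series (its only change is the +2 references block). If that rule already carries a RHEL 10 CCE this is fine; if not, it will be the one AVA_VAN.1 rule without a product identifier once the profile is marked complete, so it is worth confirming with the project's identifier check rather than by eye. The five identifiers assigned here do match the five entries removed from cce-redhat-avail.txt, so the pool bookkeeping is consistent.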
@@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel8: CCE-83485-3 cce@rhel9: CCE-84092-6 + cce@rhel10: CCE-87335-6 ocil_clause: 'a non BLS boot entry is configured' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml index 6f4626639b6..82a0242e256 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel8: CCE-83486-1 cce@rhel9: CCE-84098-3 + cce@rhel10: CCE-87515-3 ocil_clause: 'the bootmap is outdated' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml index e679e43b431..d0f21b0957e 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel9: CCE-85868-8 + cce@rhel10: CCE-88443-7 ocil_clause: 'the kernel is not configured to zero out memory before allocation' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml index b82d08e0614..8abdaaf0822 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml @@ -27,6 +27,7 @@ severity: medium identifiers: cce@rhel9: CCE-85880-3 + cce@rhel10: CCE-89057-4 ocil_clause: 'randomization of the page allocator is not enabled in the kernel' diff --git a/products/rhel10/profiles/ospp.profile b/products/rhel10/profiles/ospp.profile index 9abfd024e29..0642cbab2ec 100644 --- a/products/rhel10/profiles/ospp.profile 
+++ b/products/rhel10/profiles/ospp.profile @@ -1,4 +1,4 @@ -documentation_complete: false +documentation_complete: true metadata: version: 4.3 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index c4686286517..71dddd11669 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -224,7 +224,6 @@ CCE-86935-4 CCE-86936-2 CCE-86937-0 CCE-86952-9 -CCE-86953-7 CCE-86955-2 CCE-86956-0 CCE-86958-6 @@ -446,7 +445,6 @@ CCE-87325-7 CCE-87326-5 CCE-87327-3 CCE-87334-9 -CCE-87335-6 CCE-87342-2 CCE-87343-0 CCE-87346-3 @@ -553,7 +551,6 @@ CCE-87510-4 CCE-87511-2 CCE-87512-0 CCE-87513-8 -CCE-87515-3 CCE-87516-1 CCE-87517-9 CCE-87519-5 @@ -1129,7 +1126,6 @@ CCE-88431-2 CCE-88432-0 CCE-88434-6 CCE-88442-9 -CCE-88443-7 CCE-88445-2 CCE-88446-0 CCE-88447-8 @@ -1503,7 +1499,6 @@ CCE-89050-9 CCE-89052-5 CCE-89053-3 CCE-89054-1 -CCE-89057-4 CCE-89065-7 CCE-89066-5 CCE-89067-3 From 4847da106b84536b0d1b6be0e2342a319eef45a9 Mon Sep 17 00:00:00 2001 
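Review bot: Flipping `documentation_complete` to `true` is what makes this profile part of the built RHEL 10 data stream, yet the only identifier work in the patch is the five `cce@rhel10` entries above; nothing in the diff shows that the remaining rules the profile selects already carry a RHEL 10 CCE, so that coverage should be checked against the profile's full selection before it is treated as a consumable baseline. The rationale for enabling it lives only in the commit message; a one-line comment above the flag would keep it with the file, e.g. `# Enabled so daily productization and upstream CI test the same data stream`.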
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 Jan 2025 16:23:32 +0100 Subject: [PATCH 2/2] Add missing OSPP references Based on contest test `/static-checks/rule-identifiers/ospp/` --- controls/ospp.yml | 1 - .../auditd_data_retention_flush/rule.yml | 1 + .../services/fapolicyd/package_fapolicyd_installed/rule.yml | 1 + .../ssh/ssh_server/sshd_use_directory_configuration/rule.yml | 1 + .../services/usbguard/package_usbguard_installed/rule.yml | 1 + .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 2 ++ .../grub2_page_alloc_shuffle_argument/rule.yml | 2 ++ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++ .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++ .../bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 3 +++ .../bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml | 3 +++ .../network-uncommon/kernel_module_sctp_disabled/rule.yml | 1 + .../kernel_module_bluetooth_disabled/rule.yml | 1 + .../partitions/mount_option_var_log_audit_nodev/rule.yml | 1 + .../partitions/mount_option_var_log_audit_noexec/rule.yml | 1 + .../partitions/mount_option_var_log_audit_nosuid/rule.yml | 1 + .../sysctl_kernel_kptr_restrict/rule.yml | 1 + .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 1 + .../restrictions/sysctl_kernel_kexec_load_disabled/rule.yml | 1 + .../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + linux_os/guide/system/selinux/selinux_policytype/rule.yml | 1 + linux_os/guide/system/selinux/selinux_state/rule.yml | 1 + .../integrity/crypto/configure_openssl_crypto_policy/rule.yml | 1 + .../software/updating/package_dnf-automatic_installed/rule.yml | 1 + 24 files changed, 33 insertions(+), 1 deletion(-) diff --git a/controls/ospp.yml b/controls/ospp.yml index 8e3f400ed27..20ae9fa45e5 100644 --- a/controls/ospp.yml +++ b/controls/ospp.yml 
@@ -378,7 +378,6 @@ controls: - chronyd_client_only - package_chrony_installed - configure_usbguard_auditbackend - - package_fapolicyd_installed - package_usbguard_installed - service_usbguard_enabled - usbguard_allow_hid_and_hub diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml index 87e1b08b5b4..6964921722d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml @@ -36,6 +36,7 @@ references: nerc-cip: CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AU-11,CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + ospp: FAU_GEN.1 srg: SRG-OS-000480-GPOS-00227 ocil_clause: 'auditd is not configured to synchronously write audit event data to disk' diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml index 5b602d1963d..5149ccb54bc 100644 --- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml @@ -21,6 +21,7 @@ identifiers: references: disa: CCI-001774,CCI-001764 nist: CM-6(a),SI-4(22) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230 stigid@ol8: OL08-00-040135 stigid@rhel8: RHEL-08-040135 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml index 45d7813fcba..9f10f37ec75 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml 
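Review bot: Removing `- package_fapolicyd_installed` from this control's rule list changes the RHEL 10 OSPP selection unless the rule is still listed under another control, and the same patch adds `ospp: FMT_SMF_EXT.1` to that rule, which implies it is meant to stay in the profile. If this line was a duplicate of an entry elsewhere in controls/ospp.yml the commit message should say so; if it was the only selection, application allowlisting silently leaves the profile. The enclosing control block starts before this hunk, so its id is not visible here — confirm it is the same FMT_SMF_EXT.1 control that the neighbouring usbguard rules (also tagged FMT_SMF_EXT.1 in this patch) belong to.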
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml @@ -20,6 +20,7 @@ identifiers: references: hipaa: 164.312(a) + ospp: FCS_SSH_EXT.1 ocil_clause: "you don't include other configuration files from the main configuration file" diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index 2e8ab4691bb..0ee95605233 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml @@ -47,6 +47,7 @@ references: disa: CCI-001958,CCI-003959 ism: "1418" nist: CM-8(3),IA-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315 stigid@ol8: OL08-00-040139 stigid@rhel8: RHEL-08-040139 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index bc3f5508cf8..3f61c7dec7d 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -25,6 +25,8 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} +references: + ospp: AVA_VAN.1 template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index f94c8556847..49212c0bc28 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml 
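Review bot: In grub2_init_on_alloc_argument the new `references:` block is placed between `ocil:` and `template:`, whereas the zipl counterparts in this same patch put it directly after `identifiers:` and before `ocil_clause:`, which is also where every other rule.yml touched here keeps it; move it up so the two bootloader variants read alike. Since lines 1-17 of that file are outside both hunks, also confirm there is no earlier top-level `references:` mapping — PyYAML accepts a duplicate key with last-one-wins, so a second block would silently discard the first rather than error out.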
@@ -31,6 +31,8 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} +references: + ospp: AVA_VAN.1 template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml index e2ec1168f44..52506c41173 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml @@ -18,6 +18,9 @@ identifiers: cce@rhel9: CCE-84092-6 cce@rhel10: CCE-87335-6 +references: + ospp: FPT_TST_EXT.1 + ocil_clause: 'a non BLS boot entry is configured' ocil: |- diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml index 82a0242e256..dfebe5b96c0 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel9: CCE-84098-3 cce@rhel10: CCE-87515-3 +references: + ospp: FPT_TST_EXT.1 + ocil_clause: 'the bootmap is outdated' ocil: |- diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml index d0f21b0957e..ce431bdcea8 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel9: CCE-85868-8 cce@rhel10: CCE-88443-7 +references: + ospp: AVA_VAN.1 + ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml index 8abdaaf0822..6cbbc0b821b 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml @@ -29,6 +29,9 @@ identifiers: cce@rhel9: CCE-85880-3 cce@rhel10: CCE-89057-4 +references: + ospp: AVA_VAN.1 + ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml index c594719aab0..5894d44b876 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -41,6 +41,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 + ospp: FMT_SMF_EXT.1 pcidss: Req-1.4.2 srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040023 diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml index e14d31803f3..69f5aac256d 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml 
@@ -34,6 +34,7 @@ references: iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7 nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118 stigid@ol8: OL08-00-040111 stigid@rhel8: RHEL-08-040111 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml index 1a14ae6615e..a0afbcf7298 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml @@ -30,6 +30,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040129 stigid@rhel8: RHEL-08-040129 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml index 12fd9b470b6..eeb5906df3f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml @@ -28,6 +28,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040131 stigid@rhel8: RHEL-08-040131 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml index 06d864887ed..bd5ed3cea05 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml @@ -29,6 +29,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040130 stigid@rhel8: RHEL-08-040130 diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 772868e5300..95f13e13b18 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -26,6 +26,7 @@ references: disa: CCI-000366,CCI-002824,CCI-001082 nerc-cip: CIP-002-5 R1.1,CIP-002-5 R1.2,CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R2.2.3,CIP-004-6 R2.2.4,CIP-004-6 R2.3,CIP-004-6 R4,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R8.4,CIP-009-6 R.1.1,CIP-009-6 R4 nist: SC-30,SC-30(2),SC-30(5),CM-6(a) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040283 stigid@rhel8: RHEL-08-040283 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index 7ad7a4b5fd0..651e3bc35c7 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -25,6 +25,7 @@ references: disa: CCI-001082,CCI-001090 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) nist: SI-11(a),SI-11(b) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600 stigid@ol7: OL07-00-010375 stigid@ol8: OL08-00-010375 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml index ae651f6dfeb..c763c7d057c 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml @@ -20,6 +20,7 @@ identifiers: references: disa: CCI-003992,CCI-000366 nist: CM-6 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000366-GPOS-00153 stigid@ol8: OL08-00-010372 stigid@rhel8: RHEL-08-010372 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index fd00ea142d3..498e93e15fd 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml 
@@ -24,6 +24,7 @@ identifiers: references: disa: CCI-000366,CCI-001082 nist: SC-7(10) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040282 stigid@rhel8: RHEL-08-040282 diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index 3369554bc90..0ce6648a9ec 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -47,6 +47,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AC-3,AC-3(3)(a),AU-9,SC-7(21) nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4 + ospp: FMT_MOF_EXT.1 srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585 stigid@ol7: OL07-00-020220 stigid@ol8: OL08-00-010450 diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index 237064080e1..ba0a43a4a0a 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -40,6 +40,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AC-3,AC-3(3)(a),AU-9,SC-7(21) nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4 + ospp: FMT_MOF_EXT.1 srg: SRG-OS-000445-GPOS-00199,SRG-OS-000134-GPOS-00068 stigid@ol7: OL07-00-020210 stigid@ol8: OL08-00-010170 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml index de245380fea..20101a46a84 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml @@ -42,6 +42,7 @@ references: disa: CCI-001453 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) + ospp: FCS_CKM.1,FCS_CKM.1.1,FCS_CKM.2,FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_TLSC_EXT.1,FCS_TLSC_EXT.1.1 pcidss: Req-2.2 srg: SRG-OS-000250-GPOS-00093 stigid@ol8: OL08-00-010293 diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml index 05d7f63da06..aab38c322a0 100644 --- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml +++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@sle15: CCE-91163-6 references: + ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000191-GPOS-00080 ocil_clause: 'the package is not installed'
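Review bot: The `ospp:` list on configure_openssl_crypto_policy mixes component ids (`FCS_CKM.1`, `FCS_TLSC_EXT.1`) with element ids (`FCS_CKM.1.1`, `FCS_TLSC_EXT.1.1`), while every other rule in this patch — including package_dnf-automatic_installed on the same line — references components only. If the static check matches on component ids the element entries are redundant, and if it matches on exact strings they are a second spelling to keep in sync; unless the control file itself keys on elements, a single granularity is cleaner: `ospp: FCS_CKM.1,FCS_CKM.2,FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_TLSC_EXT.1`.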