
Commit 5698c4a

Expand SC (System and Communications Protection) family coverage
Add 14 unmapped rules to SC family controls across rhel8, rhel9, and rhel10. Focused on denial of service protection, transmission confidentiality, cryptographic protection, and secure name resolution.

Changes:

SC-5 (Denial of Service Protection):
- Added SSH connection limits: sshd_set_max_sessions, sshd_set_maxstartups
- Added PAM faillock for root: accounts_passwords_pam_faillock_root_unlock_time
- Added kernel hardening: kernel_config_binfmt_misc, kernel_config_modify_ldt_syscall
Total: 15 rules (5 new per product)

SC-8 (Transmission Confidentiality):
- Added HTTPD TLS configuration: httpd_configure_tls
- Added Dovecot SSL: dovecot_enable_ssl, dovecot_configure_ssl_cert, dovecot_configure_ssl_key
Total: 5 rules (4 new per product)

SC-13 (Cryptographic Protection):
- Added HTTPD authentication: httpd_digest_authentication, httpd_require_client_certs
Total: 28 rules (2 new per product)

SC-20 (Secure Name/Address Resolution):
- Added Avahi restrictions: avahi_check_ttl, avahi_ip_only, avahi_restrict_published_information
Total: 4 rules (3 new per product)

Total new mappings: 42 (across 3 products)
1 parent e3acbec commit 5698c4a

3 files changed

Lines changed: 42 additions & 0 deletions


products/rhel10/controls/nist_800_53/sc.yml

Lines changed: 14 additions & 0 deletions
@@ -77,7 +77,12 @@ controls:
7777
- moderate
7878
- high
7979
rules:
80+
- accounts_passwords_pam_faillock_root_unlock_time
8081
- firewalld-backend
82+
- kernel_config_binfmt_misc
83+
- kernel_config_modify_ldt_syscall
84+
- sshd_set_max_sessions
85+
- sshd_set_maxstartups
8186
- sysctl_net_ipv4_conf_all_accept_source_route
8287
- sysctl_net_ipv4_conf_all_send_redirects
8388
- sysctl_net_ipv4_conf_default_accept_source_route
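Review bot: the rationale for placing `kernel_config_binfmt_misc` and `kernel_config_modify_ldt_syscall` under SC-5 (Denial of Service Protection) is not recorded in the control entry, and the commit message only calls them "kernel hardening". Disabling binfmt_misc and the modify_ldt syscall reduces kernel attack surface rather than limiting resource exhaustion, so either document the DoS link in the control's notes or map these two rules to a least-functionality control instead. `sshd_set_max_sessions`, `sshd_set_maxstartups` and `accounts_passwords_pam_faillock_root_unlock_time` fit SC-5 as stated. The same applies to the identical rhel8 and rhel9 hunks.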
@@ -321,6 +326,10 @@ controls:
321326
- moderate
322327
- high
323328
rules:
329+
- dovecot_configure_ssl_cert
330+
- dovecot_configure_ssl_key
331+
- dovecot_enable_ssl
332+
- httpd_configure_tls
324333
- libreswan_approved_tunnels
325334
status: automated
326335
- id: sc-8.1
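Review bot: `httpd_configure_tls` and the three `dovecot_*` rules only take effect on hosts where httpd or Dovecot is actually installed, but nothing in the SC-8 entry says these mappings are conditional on those services being present; a reader of the control could conclude that transmission confidentiality is enforced on every host. Suggest a note in the control entry stating that the service-specific rules apply only when the corresponding service is deployed, and leaving `libreswan_approved_tunnels` as the host-wide rule. Same remark for the rhel8 and rhel9 copies of this hunk.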
@@ -483,6 +492,8 @@ controls:
483492
- harden_openssl_crypto_policy
484493
- harden_ssh_client_crypto_policy
485494
- harden_sshd_crypto_policy
495+
- httpd_digest_authentication
496+
- httpd_require_client_certs
486497
- installed_OS_is_FIPS_certified
487498
- is_fips_mode_enabled
488499
- package_dracut-fips-aesni_installed
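Review bot: `httpd_digest_authentication` now sits in the same SC-13 list as `is_fips_mode_enabled` and `installed_OS_is_FIPS_certified`, yet HTTP Digest authentication as implemented by Apache's mod_auth_digest is built on MD5, which is not an approved algorithm under FIPS mode; a rule that mandates it is inconsistent with the rest of this Cryptographic Protection mapping. Suggest removing it from SC-13 (it is an authentication mechanism and, if mapped at all, belongs with the IA family) or recording in the control's notes why it is considered acceptable here. `httpd_require_client_certs` is reasonable in this list since it depends on TLS. Applies equally to the rhel8 and rhel9 hunks.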
@@ -599,6 +610,9 @@ controls:
599610
- moderate
600611
- high
601612
rules:
613+
- avahi_check_ttl
614+
- avahi_ip_only
615+
- avahi_restrict_published_information
602616
- network_configure_name_resolution
603617
status: automated
604618
- id: sc-20.1
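Review bot: the three `avahi_*` rules (TTL checking, IP-only, restricting published information) harden the mDNS responder, which is a different concern from SC-20's requirement that name resolution data carry origin authentication and integrity artifacts; nothing in the entry explains why Avahi configuration counts toward secure name/address resolution alongside `network_configure_name_resolution`. Add the rationale to the control's notes or consider mapping these rules to a least-functionality (CM) control. The rhel8 and rhel9 hunks carry the same change and the same question.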

products/rhel8/controls/nist_800_53/sc.yml

Lines changed: 14 additions & 0 deletions
@@ -77,7 +77,12 @@ controls:
7777
- moderate
7878
- high
7979
rules:
80+
- accounts_passwords_pam_faillock_root_unlock_time
8081
- firewalld-backend
82+
- kernel_config_binfmt_misc
83+
- kernel_config_modify_ldt_syscall
84+
- sshd_set_max_sessions
85+
- sshd_set_maxstartups
8186
- sysctl_net_ipv4_conf_all_accept_source_route
8287
- sysctl_net_ipv4_conf_all_send_redirects
8388
- sysctl_net_ipv4_conf_default_accept_source_route
@@ -321,6 +326,10 @@ controls:
321326
- moderate
322327
- high
323328
rules:
329+
- dovecot_configure_ssl_cert
330+
- dovecot_configure_ssl_key
331+
- dovecot_enable_ssl
332+
- httpd_configure_tls
324333
- libreswan_approved_tunnels
325334
status: automated
326335
- id: sc-8.1
@@ -483,6 +492,8 @@ controls:
483492
- harden_openssl_crypto_policy
484493
- harden_ssh_client_crypto_policy
485494
- harden_sshd_crypto_policy
495+
- httpd_digest_authentication
496+
- httpd_require_client_certs
486497
- installed_OS_is_FIPS_certified
487498
- is_fips_mode_enabled
488499
- package_dracut-fips-aesni_installed
@@ -599,6 +610,9 @@ controls:
599610
- moderate
600611
- high
601612
rules:
613+
- avahi_check_ttl
614+
- avahi_ip_only
615+
- avahi_restrict_published_information
602616
- network_configure_name_resolution
603617
status: automated
604618
- id: sc-20.1

products/rhel9/controls/nist_800_53/sc.yml

Lines changed: 14 additions & 0 deletions
@@ -76,7 +76,12 @@ controls:
7676
- moderate
7777
- high
7878
rules:
79+
- accounts_passwords_pam_faillock_root_unlock_time
7980
- firewalld-backend
81+
- kernel_config_binfmt_misc
82+
- kernel_config_modify_ldt_syscall
83+
- sshd_set_max_sessions
84+
- sshd_set_maxstartups
8085
- sysctl_net_ipv4_conf_all_accept_source_route
8186
- sysctl_net_ipv4_conf_all_send_redirects
8287
- sysctl_net_ipv4_conf_default_accept_source_route
@@ -320,6 +325,10 @@ controls:
320325
- moderate
321326
- high
322327
rules:
328+
- dovecot_configure_ssl_cert
329+
- dovecot_configure_ssl_key
330+
- dovecot_enable_ssl
331+
- httpd_configure_tls
323332
- libreswan_approved_tunnels
324333
status: automated
325334
- id: sc-8.1
@@ -482,6 +491,8 @@ controls:
482491
- harden_openssl_crypto_policy
483492
- harden_ssh_client_crypto_policy
484493
- harden_sshd_crypto_policy
494+
- httpd_digest_authentication
495+
- httpd_require_client_certs
485496
- installed_OS_is_FIPS_certified
486497
- is_fips_mode_enabled
487498
- package_dracut-fips-aesni_installed
@@ -598,6 +609,9 @@ controls:
598609
- moderate
599610
- high
600611
rules:
612+
- avahi_check_ttl
613+
- avahi_ip_only
614+
- avahi_restrict_published_information
601615
- network_configure_name_resolution
602616
status: automated
603617
- id: sc-20.1
