Add initial mappings for IR and RA families

First mappings for Incident Response (IR) and Risk Assessment (RA)
families across rhel8, rhel9, and rhel10. These families were previously
at 0% coverage. Focused on incident handling, monitoring, and vulnerability
scanning capabilities.

IR (Incident Response) family:

IR-4 (Incident Handling):
- Added audit log forwarding: auditd_audispd_configure_remote_server,
  auditd_offload_logs
- Added mail service for notifications: service_postfix_enabled
Total: 3 rules (all new)

IR-5 (Incident Monitoring and Reporting):
- Added file deletion monitoring audit rules: audit_rules_file_deletion_events,
  audit_rules_file_deletion_events_rename, audit_rules_file_deletion_events_renameat,
  audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink,
  audit_rules_file_deletion_events_unlinkat
Total: 6 rules (all new)

RA (Risk Assessment) family:

RA-5 (Vulnerability Monitoring and Scanning):
- Added insecure protocol kernel modules: kernel_module_dccp_disabled,
  kernel_module_rds_disabled, kernel_module_sctp_disabled,
  kernel_module_tipc_disabled
- Added insecure filesystem kernel modules: kernel_module_cramfs_disabled,
  kernel_module_freevxfs_disabled, kernel_module_hfs_disabled,
  kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled
Total: 9 rules (all new)

Coverage improvement:
- IR: 0% → 4.8% (2/42 controls)
- RA: 0% → 3.8% (1/26 controls)

Total new mappings: 54 (across 3 products × 18 unique rules)

Author: ggbecker

products/rhel10/controls/nist_800_53/ir.yml

@@ -52,8 +52,11 @@ controls:
     title: Incident Handling
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - auditd_audispd_configure_remote_server
+      - auditd_offload_logs
+      - service_postfix_enabled
+    status: automated
   - id: ir-4.1
     title: Automated Incident Handling Processes
     levels:
@@ -124,8 +127,14 @@ controls:
     title: Incident Monitoring
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - audit_rules_file_deletion_events
+      - audit_rules_file_deletion_events_rename
+      - audit_rules_file_deletion_events_renameat
+      - audit_rules_file_deletion_events_rmdir
+      - audit_rules_file_deletion_events_unlink
+      - audit_rules_file_deletion_events_unlinkat
+    status: automated
   - id: ir-5.1
     title: Automated Tracking, Data Collection, and Analysis
     levels:

products/rhel10/controls/nist_800_53/ra.yml

@@ -48,8 +48,17 @@ controls:
     title: Vulnerability Monitoring and Scanning
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - kernel_module_cramfs_disabled
+      - kernel_module_dccp_disabled
+      - kernel_module_freevxfs_disabled
+      - kernel_module_hfs_disabled
+      - kernel_module_hfsplus_disabled
+      - kernel_module_jffs2_disabled
+      - kernel_module_rds_disabled
+      - kernel_module_sctp_disabled
+      - kernel_module_tipc_disabled
+    status: automated
   - id: ra-5.1
     title: Update Tool Capability
     rules: []

products/rhel8/controls/nist_800_53/ir.yml

@@ -52,8 +52,11 @@ controls:
     title: Incident Handling
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - auditd_audispd_configure_remote_server
+      - auditd_offload_logs
+      - service_postfix_enabled
+    status: automated
   - id: ir-4.1
     title: Automated Incident Handling Processes
     levels:
@@ -124,8 +127,14 @@ controls:
     title: Incident Monitoring
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - audit_rules_file_deletion_events
+      - audit_rules_file_deletion_events_rename
+      - audit_rules_file_deletion_events_renameat
+      - audit_rules_file_deletion_events_rmdir
+      - audit_rules_file_deletion_events_unlink
+      - audit_rules_file_deletion_events_unlinkat
+    status: automated
   - id: ir-5.1
     title: Automated Tracking, Data Collection, and Analysis
     levels:

products/rhel8/controls/nist_800_53/ra.yml

@@ -48,8 +48,17 @@ controls:
     title: Vulnerability Monitoring and Scanning
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - kernel_module_cramfs_disabled
+      - kernel_module_dccp_disabled
+      - kernel_module_freevxfs_disabled
+      - kernel_module_hfs_disabled
+      - kernel_module_hfsplus_disabled
+      - kernel_module_jffs2_disabled
+      - kernel_module_rds_disabled
+      - kernel_module_sctp_disabled
+      - kernel_module_tipc_disabled
+    status: automated
   - id: ra-5.1
     title: Update Tool Capability
     rules: []

products/rhel9/controls/nist_800_53/ir.yml

@@ -52,8 +52,11 @@ controls:
     title: Incident Handling
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - auditd_audispd_configure_remote_server
+      - auditd_offload_logs
+      - service_postfix_enabled
+    status: automated
   - id: ir-4.1
     title: Automated Incident Handling Processes
     levels:
@@ -124,8 +127,14 @@ controls:
     title: Incident Monitoring
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - audit_rules_file_deletion_events
+      - audit_rules_file_deletion_events_rename
+      - audit_rules_file_deletion_events_renameat
+      - audit_rules_file_deletion_events_rmdir
+      - audit_rules_file_deletion_events_unlink
+      - audit_rules_file_deletion_events_unlinkat
+    status: automated
   - id: ir-5.1
     title: Automated Tracking, Data Collection, and Analysis
     levels:

products/rhel9/controls/nist_800_53/ra.yml

@@ -48,8 +48,17 @@ controls:
     title: Vulnerability Monitoring and Scanning
     levels:
       - low
-    rules: []
-    status: pending
+    rules:
+      - kernel_module_cramfs_disabled
+      - kernel_module_dccp_disabled
+      - kernel_module_freevxfs_disabled
+      - kernel_module_hfs_disabled
+      - kernel_module_hfsplus_disabled
+      - kernel_module_jffs2_disabled
+      - kernel_module_rds_disabled
+      - kernel_module_sctp_disabled
+      - kernel_module_tipc_disabled
+    status: automated
   - id: ra-5.1
     title: Update Tool Capability
     rules: []