Expand SC (System and Communications Protection) family coverage

ggbecker · ggbecker · commit bc9d08277bdc · 2026-04-30T13:37:26.000+02:00
Add 14 unmapped rules to SC family controls across rhel8, rhel9, and rhel10.
Focused on denial of service protection, transmission confidentiality,
cryptographic protection, and secure name resolution.

Changes:

SC-5 (Denial of Service Protection):
- Added SSH connection limits: sshd_set_max_sessions, sshd_set_maxstartups
- Added PAM faillock for root: accounts_passwords_pam_faillock_root_unlock_time
- Added kernel hardening: kernel_config_binfmt_misc, kernel_config_modify_ldt_syscall
Total: 15 rules (5 new per product)

SC-8 (Transmission Confidentiality):
- Added HTTPD TLS configuration: httpd_configure_tls
- Added Dovecot SSL: dovecot_enable_ssl, dovecot_configure_ssl_cert,
  dovecot_configure_ssl_key
Total: 5 rules (4 new per product)

SC-13 (Cryptographic Protection):
- Added HTTPD authentication: httpd_digest_authentication,
  httpd_require_client_certs
Total: 28 rules (2 new per product)

SC-20 (Secure Name/Address Resolution):
- Added Avahi restrictions: avahi_check_ttl, avahi_ip_only,
  avahi_restrict_published_information
Total: 4 rules (3 new per product)

Total new mappings: 42 (across 3 products)
diff --git a/products/rhel10/controls/nist_800_53/sc.yml b/products/rhel10/controls/nist_800_53/sc.yml
@@ -71,7 +71,12 @@ controls:
     levels:
       - low
     rules:
+      - accounts_passwords_pam_faillock_root_unlock_time
       - firewalld-backend
+      - kernel_config_binfmt_misc
+      - kernel_config_modify_ldt_syscall
+      - sshd_set_max_sessions
+      - sshd_set_maxstartups
       - sysctl_net_ipv4_conf_all_accept_source_route
       - sysctl_net_ipv4_conf_all_send_redirects
       - sysctl_net_ipv4_conf_default_accept_source_route
@@ -307,6 +312,10 @@ controls:
     levels:
       - moderate
     rules:
+      - dovecot_configure_ssl_cert
+      - dovecot_configure_ssl_key
+      - dovecot_enable_ssl
+      - httpd_configure_tls
       - libreswan_approved_tunnels
     status: automated
   - id: sc-8.1
@@ -463,6 +472,8 @@ controls:
       - harden_openssl_crypto_policy
       - harden_ssh_client_crypto_policy
       - harden_sshd_crypto_policy
+      - httpd_digest_authentication
+      - httpd_require_client_certs
       - installed_OS_is_FIPS_certified
       - is_fips_mode_enabled
       - package_dracut-fips-aesni_installed
@@ -573,6 +584,9 @@ controls:
     levels:
       - low
     rules:
+      - avahi_check_ttl
+      - avahi_ip_only
+      - avahi_restrict_published_information
       - network_configure_name_resolution
     status: automated
   - id: sc-20.1
diff --git a/products/rhel8/controls/nist_800_53/sc.yml b/products/rhel8/controls/nist_800_53/sc.yml
@@ -71,7 +71,12 @@ controls:
     levels:
       - low
     rules:
+      - accounts_passwords_pam_faillock_root_unlock_time
       - firewalld-backend
+      - kernel_config_binfmt_misc
+      - kernel_config_modify_ldt_syscall
+      - sshd_set_max_sessions
+      - sshd_set_maxstartups
       - sysctl_net_ipv4_conf_all_accept_source_route
       - sysctl_net_ipv4_conf_all_send_redirects
       - sysctl_net_ipv4_conf_default_accept_source_route
@@ -307,6 +312,10 @@ controls:
     levels:
       - moderate
     rules:
+      - dovecot_configure_ssl_cert
+      - dovecot_configure_ssl_key
+      - dovecot_enable_ssl
+      - httpd_configure_tls
       - libreswan_approved_tunnels
     status: automated
   - id: sc-8.1
@@ -463,6 +472,8 @@ controls:
       - harden_openssl_crypto_policy
       - harden_ssh_client_crypto_policy
       - harden_sshd_crypto_policy
+      - httpd_digest_authentication
+      - httpd_require_client_certs
       - installed_OS_is_FIPS_certified
       - is_fips_mode_enabled
       - package_dracut-fips-aesni_installed
@@ -573,6 +584,9 @@ controls:
     levels:
       - low
     rules:
+      - avahi_check_ttl
+      - avahi_ip_only
+      - avahi_restrict_published_information
       - network_configure_name_resolution
     status: automated
   - id: sc-20.1
diff --git a/products/rhel9/controls/nist_800_53/sc.yml b/products/rhel9/controls/nist_800_53/sc.yml
@@ -70,7 +70,12 @@ controls:
     levels:
       - low
     rules:
+      - accounts_passwords_pam_faillock_root_unlock_time
       - firewalld-backend
+      - kernel_config_binfmt_misc
+      - kernel_config_modify_ldt_syscall
+      - sshd_set_max_sessions
+      - sshd_set_maxstartups
       - sysctl_net_ipv4_conf_all_accept_source_route
       - sysctl_net_ipv4_conf_all_send_redirects
       - sysctl_net_ipv4_conf_default_accept_source_route
@@ -306,6 +311,10 @@ controls:
     levels:
       - moderate
     rules:
+      - dovecot_configure_ssl_cert
+      - dovecot_configure_ssl_key
+      - dovecot_enable_ssl
+      - httpd_configure_tls
       - libreswan_approved_tunnels
     status: automated
   - id: sc-8.1
@@ -462,6 +471,8 @@ controls:
       - harden_openssl_crypto_policy
       - harden_ssh_client_crypto_policy
       - harden_sshd_crypto_policy
+      - httpd_digest_authentication
+      - httpd_require_client_certs
       - installed_OS_is_FIPS_certified
       - is_fips_mode_enabled
       - package_dracut-fips-aesni_installed
@@ -572,6 +583,9 @@ controls:
     levels:
       - low
     rules:
+      - avahi_check_ttl
+      - avahi_ip_only
+      - avahi_restrict_published_information
       - network_configure_name_resolution
     status: automated
   - id: sc-20.1
