
Commit e027e67

committed
Map rules to NIST 800-53 Identification and Authentication (IA) family
Update IA family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 22 IA controls covering password policies, authentication mechanisms, and cryptographic requirements.

Changes:
- Updated 22 controls from 'pending' to 'automated' status
- Added rule mappings for controls ia-2 through ia-12
- Includes mappings for enhancements (e.g., ia-2.1, ia-2.8, ia-5.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ia-5: Authenticator management (51 password/key rules)
- ia-5.1: Password-based authentication (30 rules)
- ia-2: Identification and authentication (8 rules)
- ia-11: Re-authentication (5 rules)
1 parent ea33a9e commit e027e67

3 files changed

Lines changed: 513 additions & 160 deletions

File tree

  • products
    • rhel10/controls/nist_800_53
    • rhel8/controls/nist_800_53
    • rhel9/controls/nist_800_53

products/rhel10/controls/nist_800_53/ia.yml

Lines changed: 171 additions & 55 deletions
Original file line number | Diff line number | Diff line change
@@ -1,4 +1,3 @@
1-
# NIST 800-53 IA Family: Identification and Authentication
21
controls:
32
- id: ia-1
43
title: Policy and Procedures
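Review bot: the deleted first line removes the file's only header comment (`# NIST 800-53 IA Family: Identification and Authentication`), which the commit message does not mention and which is the one thing telling a reader what family this file covers when it is opened outside the product tree; keep the comment unless the rhel8 and rhel9 files drop it for the same reason.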
@@ -11,60 +10,113 @@ controls:
1110
levels:
1211
- low
1312
rules:
14-
- account_unique_id
13+
- accounts_no_uid_except_zero
14+
- gid_passwd_group_same
15+
- gnome_gdm_disable_guest_login
16+
- no_direct_root_logins
17+
- require_emergency_target_auth
18+
- require_singleuser_auth
1519
status: automated
1620
- id: ia-2.1
1721
title: Multi-factor Authentication to Privileged Accounts
1822
levels:
1923
- low
20-
rules: []
21-
status: pending
24+
rules:
25+
- configure_opensc_card_drivers
26+
- configure_opensc_nss_db
27+
- force_opensc_card_drivers
28+
- service_pcscd_enabled
29+
- smartcard_auth
30+
- sssd_enable_pam_services
31+
status: automated
2232
- id: ia-2.2
2333
title: Multi-factor Authentication to Non-privileged Accounts
2434
levels:
2535
- low
26-
rules: []
27-
status: pending
36+
rules:
37+
- configure_opensc_card_drivers
38+
- configure_opensc_nss_db
39+
- force_opensc_card_drivers
40+
- service_pcscd_enabled
41+
- smartcard_auth
42+
status: automated
2843
- id: ia-2.3
2944
title: Local Access to Privileged Accounts
30-
rules: []
31-
status: pending
45+
rules:
46+
- configure_opensc_card_drivers
47+
- configure_opensc_nss_db
48+
- dconf_gnome_enable_smartcard_auth
49+
- force_opensc_card_drivers
50+
- service_pcscd_enabled
51+
- smartcard_auth
52+
status: automated
3253
- id: ia-2.4
3354
title: Local Access to Non-privileged Accounts
34-
rules: []
35-
status: pending
55+
rules:
56+
- configure_opensc_card_drivers
57+
- configure_opensc_nss_db
58+
- dconf_gnome_enable_smartcard_auth
59+
- force_opensc_card_drivers
60+
- service_pcscd_enabled
61+
- service_sshd_disabled
62+
- smartcard_auth
63+
status: automated
3664
- id: ia-2.5
3765
title: Individual Authentication with Group Authentication
3866
levels:
3967
- high
40-
rules: []
41-
status: pending
68+
rules:
69+
- sshd_disable_root_login
70+
status: automated
4271
- id: ia-2.6
4372
title: Access to Accounts —separate Device
44-
rules: []
45-
status: pending
73+
rules:
74+
- configure_opensc_card_drivers
75+
- configure_opensc_nss_db
76+
- force_opensc_card_drivers
77+
- service_pcscd_enabled
78+
- smartcard_auth
79+
status: automated
4680
- id: ia-2.7
4781
title: Network Access to Non-privileged Accounts — Separate Device
48-
rules: []
49-
status: pending
82+
rules:
83+
- configure_opensc_card_drivers
84+
- configure_opensc_nss_db
85+
- force_opensc_card_drivers
86+
- service_pcscd_enabled
87+
- smartcard_auth
88+
status: automated
5089
- id: ia-2.8
5190
title: Access to Accounts — Replay Resistant
5291
levels:
5392
- low
54-
rules: []
55-
status: pending
93+
rules:
94+
- dconf_gnome_enable_smartcard_auth
95+
- mount_option_krb_sec_remote_filesystems
96+
- use_kerberos_security_all_exports
97+
status: automated
5698
- id: ia-2.9
5799
title: Network Access to Non-privileged Accounts — Replay Resistant
58-
rules: []
59-
status: pending
100+
rules:
101+
- dconf_gnome_enable_smartcard_auth
102+
- mount_option_krb_sec_remote_filesystems
103+
- use_kerberos_security_all_exports
104+
status: automated
60105
- id: ia-2.10
61106
title: Single Sign-on
62107
rules: []
63108
status: pending
64109
- id: ia-2.11
65110
title: Remote Access — Separate Device
66-
rules: []
67-
status: pending
111+
rules:
112+
- configure_opensc_card_drivers
113+
- configure_opensc_nss_db
114+
- dconf_gnome_enable_smartcard_auth
115+
- force_opensc_card_drivers
116+
- service_pcscd_enabled
117+
- smartcard_auth
118+
- sssd_certificate_verification
119+
status: automated
68120
- id: ia-2.12
69121
title: Acceptance of PIV Credentials
70122
levels:
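Review bot: `service_sshd_disabled` under ia-2.4 (Local Access to Non-privileged Accounts) does not implement local multi-factor authentication and contradicts the ia-2.11 remote-access mapping a few lines below, which assumes sshd is running and checked by `sssd_certificate_verification`; drop it from ia-2.4. Separately, ia-2.5 moves to `status: automated` on a single rule (`sshd_disable_root_login`) that only covers the SSH path, and the other ia-2.x enhancements are marked automated with the same smart-card set (`configure_opensc_*`, `force_opensc_card_drivers`, `service_pcscd_enabled`, `smartcard_auth`), so a host that does not use smart cards gets no MFA check at all; consider whether `automated` overstates the coverage for those controls.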
@@ -80,9 +132,11 @@ controls:
80132
levels:
81133
- moderate
82134
rules:
83-
- dconf_gnome_disable_automount
84-
- dconf_gnome_disable_automount_open
85-
- kernel_module_usb-storage_disabled
135+
- configure_usbguard_auditbackend
136+
- package_usbguard_installed
137+
- service_usbguard_enabled
138+
- usbguard_allow_hid_and_hub
139+
- usbguard_generate_policy
86140
status: automated
87141
- id: ia-3.1
88142
title: Cryptographic Bidirectional Authentication
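Review bot: this hunk drops three existing mappings (`dconf_gnome_disable_automount`, `dconf_gnome_disable_automount_open`, `kernel_module_usb-storage_disabled`) and replaces them with the usbguard set, but the commit message only describes added mappings. Either keep the removed rules alongside the usbguard rules (they still restrict unauthenticated devices on hosts where usbguard is not installed) or state the removal and its reason in the commit message.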
@@ -104,8 +158,13 @@ controls:
104158
title: Identifier Management
105159
levels:
106160
- low
107-
rules: []
108-
status: pending
161+
rules:
162+
- account_disable_inactivity_password_auth
163+
- account_disable_inactivity_system_auth
164+
- account_disable_post_pw_expiration
165+
- accounts_no_uid_except_zero
166+
- accounts_set_post_pw_existing
167+
status: automated
109168
- id: ia-4.1
110169
title: Prohibit Account Identifiers as Public Identifiers
111170
rules: []
@@ -149,47 +208,86 @@ controls:
149208
levels:
150209
- low
151210
rules:
152-
- accounts_minimum_age_login_defs
153211
- accounts_password_all_shadowed
212+
- accounts_passwords_pam_faillock_deny_root
213+
- accounts_passwords_pam_tally2_deny_root
214+
- accounts_passwords_pam_tally2_unlock_time
215+
- cracklib_accounts_password_pam_ocredit
216+
- snmpd_not_default_password
217+
status: automated
218+
- id: ia-5.1
219+
title: Password-based Authentication
220+
levels:
221+
- low
222+
rules:
223+
- accounts_maximum_age_login_defs
224+
- accounts_minimum_age_login_defs
225+
- accounts_password_all_shadowed_sha512
226+
- accounts_password_minlen_login_defs
227+
- accounts_password_pam_dcredit
154228
- accounts_password_pam_dictcheck
155229
- accounts_password_pam_difok
156230
- accounts_password_pam_enforce_root
157-
- accounts_password_pam_maxrepeat
158-
- accounts_password_pam_maxsequence
231+
- accounts_password_pam_lcredit
232+
- accounts_password_pam_maxclassrepeat
159233
- accounts_password_pam_minclass
160234
- accounts_password_pam_minlen
161-
- accounts_password_pam_pwhistory_enforce_for_root
162-
- accounts_password_pam_pwhistory_use_authtok
163-
- accounts_password_pam_unix_authtok
235+
- accounts_password_pam_ocredit
236+
- accounts_password_pam_pwhistory_remember_password_auth
237+
- accounts_password_pam_pwhistory_remember_system_auth
238+
- accounts_password_pam_ucredit
239+
- accounts_password_pam_unix_remember
240+
- accounts_password_set_max_life_existing
164241
- accounts_password_set_min_life_existing
165-
- no_empty_passwords_etc_shadow
242+
- accounts_password_set_warn_age_existing
243+
- accounts_password_warn_age_login_defs
244+
- auditd_data_retention_action_mail_acct
245+
- no_empty_passwords
246+
- no_netrc_files
247+
- package_rsh-server_removed
248+
- package_vsftpd_removed
249+
- package_ypserv_removed
250+
- passwd_system-auth_substack
251+
- service_rexec_disabled
252+
- service_rlogin_disabled
253+
- service_rsh_disabled
254+
- service_telnet_disabled
255+
- service_ypbind_disabled
256+
- set_password_hashing_algorithm_libuserconf
166257
- set_password_hashing_algorithm_logindefs
167258
- set_password_hashing_algorithm_passwordauth
168259
- set_password_hashing_algorithm_systemauth
169-
status: automated
170-
- id: ia-5.1
171-
title: Password-based Authentication
172-
levels:
173-
- low
174-
rules:
175-
- accounts_password_pam_pwhistory_remember_password_auth
176-
- accounts_password_pam_pwhistory_remember_system_auth
177-
- accounts_password_pam_unix_enabled
260+
- set_password_hashing_yescrypt_cost_factor_logindefs
261+
- sshd_allow_only_protocol2
262+
- sshd_use_approved_ciphers
178263
status: automated
179264
- id: ia-5.2
180265
title: Public Key-based Authentication
181266
levels:
182267
- moderate
183-
rules: []
184-
status: pending
268+
rules:
269+
- ssh_private_keys_have_passcode
270+
status: automated
185271
- id: ia-5.3
186272
title: In-person or Trusted External Party Registration
187273
rules: []
188274
status: pending
189275
- id: ia-5.4
190276
title: Automated Support for Password Strength Determination
191-
rules: []
192-
status: pending
277+
rules:
278+
- accounts_password_pam_dcredit
279+
- accounts_password_pam_dictcheck
280+
- accounts_password_pam_difok
281+
- accounts_password_pam_enforce_root
282+
- accounts_password_pam_lcredit
283+
- accounts_password_pam_maxclassrepeat
284+
- accounts_password_pam_maxrepeat
285+
- accounts_password_pam_minclass
286+
- accounts_password_pam_minlen
287+
- accounts_password_pam_ocredit
288+
- accounts_password_pam_retry
289+
- accounts_password_pam_ucredit
290+
status: automated
193291
- id: ia-5.5
194292
title: Change Authenticators Prior to Delivery
195293
rules: []
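Review bot: `auditd_data_retention_action_mail_acct` under ia-5.1 is an audit-storage notification setting, not a password-based authentication requirement, and should be removed from this control. Several previously mapped rules also disappear from ia-5/ia-5.1 without mention in the commit message (`accounts_password_pam_maxsequence`, `accounts_password_pam_pwhistory_enforce_for_root`, `accounts_password_pam_pwhistory_use_authtok`, `accounts_password_pam_unix_authtok`, `accounts_password_pam_unix_enabled`; `no_empty_passwords_etc_shadow` is replaced by `no_empty_passwords`). Finally, ia-5 now lists `accounts_passwords_pam_faillock_deny_root` next to the `pam_tally2` equivalents and a `cracklib_` rule, and ia-5.1 adds `sshd_allow_only_protocol2`; confirm each of those rules is actually shipped in the rhel10 product before listing it, since the faillock, pwquality and approved-ciphers rules already cover the intent.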
@@ -202,8 +300,9 @@ controls:
202300
status: pending
203301
- id: ia-5.7
204302
title: No Embedded Unencrypted Static Authenticators
205-
rules: []
206-
status: pending
303+
rules:
304+
- no_netrc_files
305+
status: automated
207306
- id: ia-5.8
208307
title: Multiple System Accounts
209308
rules: []
@@ -214,8 +313,9 @@ controls:
214313
status: pending
215314
- id: ia-5.10
216315
title: Dynamic Credential Binding
217-
rules: []
218-
status: pending
316+
rules:
317+
- service_sssd_enabled
318+
status: automated
219319
- id: ia-5.11
220320
title: Hardware Token-based Authentication
221321
rules: []
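Review bot: mapping ia-5.10 (Dynamic Credential Binding) to `service_sssd_enabled` alone is a stretch; an enabled sssd service does not by itself bind identities to authenticators dynamically, so either leave the control at `pending` or add a note in the control explaining what the rule is taken to cover.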
@@ -226,8 +326,11 @@ controls:
226326
status: pending
227327
- id: ia-5.13
228328
title: Expiration of Cached Authenticators
229-
rules: []
230-
status: pending
329+
rules:
330+
- sssd_memcache_timeout
331+
- sssd_offline_cred_expiration
332+
- sssd_ssh_known_hosts_timeout
333+
status: automated
231334
- id: ia-5.14
232335
title: Managing Content of PKI Trust Stores
233336
rules: []
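Review bot: `sssd_ssh_known_hosts_timeout` governs how long sssd caches SSH host keys, which are not user authenticators; only `sssd_memcache_timeout` and `sssd_offline_cred_expiration` bear on ia-5.13 (Expiration of Cached Authenticators), so drop the known-hosts rule or explain the mapping.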
@@ -258,8 +361,17 @@ controls:
258361
title: Cryptographic Module Authentication
259362
levels:
260363
- low
261-
rules: []
262-
status: pending
364+
rules:
365+
- enable_dracut_fips_module
366+
- enable_fips_mode
367+
- etc_system_fips_exists
368+
- grub2_enable_fips_mode
369+
- installed_OS_is_FIPS_certified
370+
- package_dracut-fips-aesni_installed
371+
- package_dracut-fips_installed
372+
- sebool_fips_mode
373+
- sysctl_crypto_fips_enabled
374+
status: automated
263375
- id: ia-8
264376
title: Identification and Authentication (Non-organizational Users)
265377
levels:
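Review bot: the ia-7 list mixes the current FIPS rules (`enable_fips_mode`, `sysctl_crypto_fips_enabled`, `etc_system_fips_exists`, `sebool_fips_mode`) with `package_dracut-fips_installed`, `package_dracut-fips-aesni_installed`, `enable_dracut_fips_module` and `grub2_enable_fips_mode`, which target the older dracut-fips mechanism; confirm each of those is present in the rhel10 product, since the commit message says the three products are mapped identically.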
@@ -317,6 +429,10 @@ controls:
317429
levels:
318430
- low
319431
rules:
432+
- disallow_bypass_password_sudo
433+
- sudo_remove_no_authenticate
434+
- sudo_remove_nopasswd
435+
- sudo_require_authentication
320436
- sudo_require_reauthentication
321437
status: automated
322438
- id: ia-12
