Expand SI (System and Information Integrity) family coverage

Add 22 unmapped rules to SI family controls across rhel8, rhel9, and rhel10.
Focused on malware protection, flaw remediation, system monitoring, and
input validation. These rules were identified through semantic analysis
of rule descriptions.

Changes:

SI-2 (Flaw Remediation):
- Added GPG key verification rules: ensure_gpgcheck_globally_activated,
  ensure_gpgcheck_never_disabled, ensure_gpgcheck_local_packages,
  ensure_redhat_gpgkey_installed
- Added ABRT package removal rule
Total: 5 rules (2-3 new per product)

SI-3 (Malicious Code Protection):
- Added SELinux antivirus booleans: sebool_antivirus_can_scan_system,
  sebool_antivirus_use_jit
- Added GNOME automount/autorun prevention: dconf_gnome_disable_automount,
  dconf_gnome_disable_automount_open, dconf_gnome_disable_autorun
- Added secure_boot_enabled
Total: 8 rules (6 new per product)

SI-4 (System Monitoring):
- Added rsyslog rules: rsyslog_cron_logging, rsyslog_logging_configured
- Added journald rules: journald_compress, journald_forward_to_syslog,
  journald_storage, package_systemd-journal-remote_installed
Total: 11 rules (6 new per product)

SI-10 (Information Input Validation):
- Added kernel hardening: kernel_config_fortify_source,
  kernel_config_randomize_base, kernel_config_stackprotector
- Added SELinux memory protection: sebool_selinuxuser_execheap,
  sebool_selinuxuser_execstack
Total: 5 rules (all new)

Total new mappings: 62 (across 3 products)

Author: ggbecker

products/rhel10/controls/nist_800_53/si.yml

@@ -1,3 +1,4 @@
+# NIST 800-53 SI Family: System and Information Integrity
 controls:
   - id: si-1
     title: Policy and Procedures
@@ -15,7 +16,10 @@ controls:
       - high
     rules:
       - ensure_gpgcheck_globally_activated
+      - ensure_gpgcheck_local_packages
+      - ensure_gpgcheck_never_disabled
       - ensure_redhat_gpgkey_installed
+      - package_abrt_removed
     status: automated
   - id: si-2.1
     title: Central Management
@@ -62,7 +66,13 @@ controls:
       - moderate
       - high
     rules:
+      - dconf_gnome_disable_automount
+      - dconf_gnome_disable_automount_open
+      - dconf_gnome_disable_autorun
       - install_mcafee_antivirus
+      - sebool_antivirus_can_scan_system
+      - sebool_antivirus_use_jit
+      - secure_boot_enabled
       - service_nails_enabled
     status: automated
   - id: si-3.1
@@ -113,10 +123,16 @@ controls:
       - moderate
       - high
     rules:
+      - journald_compress
+      - journald_forward_to_syslog
+      - journald_storage
       - kernel_module_dccp_disabled
       - kernel_module_rds_disabled
       - kernel_module_sctp_disabled
       - kernel_module_tipc_disabled
+      - package_systemd-journal-remote_installed
+      - rsyslog_cron_logging
+      - rsyslog_logging_configured
       - service_avahi-daemon_disabled
     status: automated
   - id: si-4.1
@@ -411,8 +427,13 @@ controls:
     levels:
       - moderate
       - high
-    rules: []
-    status: pending
+    rules:
+      - kernel_config_fortify_source
+      - kernel_config_randomize_base
+      - kernel_config_stackprotector
+      - sebool_selinuxuser_execheap
+      - sebool_selinuxuser_execstack
+    status: automated
   - id: si-10.1
     title: Manual Override Capability
     rules: []

products/rhel8/controls/nist_800_53/si.yml

@@ -1,3 +1,4 @@
+# NIST 800-53 SI Family: System and Information Integrity
 controls:
   - id: si-1
     title: Policy and Procedures
@@ -15,8 +16,10 @@ controls:
       - high
     rules:
       - ensure_gpgcheck_globally_activated
+      - ensure_gpgcheck_local_packages
       - ensure_gpgcheck_never_disabled
       - ensure_redhat_gpgkey_installed
+      - package_abrt_removed
     status: automated
   - id: si-2.1
     title: Central Management
@@ -63,7 +66,13 @@ controls:
       - moderate
       - high
     rules:
+      - dconf_gnome_disable_automount
+      - dconf_gnome_disable_automount_open
+      - dconf_gnome_disable_autorun
       - install_mcafee_antivirus
+      - sebool_antivirus_can_scan_system
+      - sebool_antivirus_use_jit
+      - secure_boot_enabled
       - service_nails_enabled
     status: automated
   - id: si-3.1
@@ -114,10 +123,16 @@ controls:
       - moderate
       - high
     rules:
+      - journald_compress
+      - journald_forward_to_syslog
+      - journald_storage
       - kernel_module_dccp_disabled
       - kernel_module_rds_disabled
       - kernel_module_sctp_disabled
       - kernel_module_tipc_disabled
+      - package_systemd-journal-remote_installed
+      - rsyslog_cron_logging
+      - rsyslog_logging_configured
       - service_avahi-daemon_disabled
     status: automated
   - id: si-4.1
@@ -412,8 +427,13 @@ controls:
     levels:
       - moderate
       - high
-    rules: []
-    status: pending
+    rules:
+      - kernel_config_fortify_source
+      - kernel_config_randomize_base
+      - kernel_config_stackprotector
+      - sebool_selinuxuser_execheap
+      - sebool_selinuxuser_execstack
+    status: automated
   - id: si-10.1
     title: Manual Override Capability
     rules: []

products/rhel9/controls/nist_800_53/si.yml

@@ -1,3 +1,4 @@
+# NIST 800-53 SI Family: System and Information Integrity
 controls:
   - id: si-1
     title: Policy and Procedures
@@ -15,8 +16,10 @@ controls:
       - high
     rules:
       - ensure_gpgcheck_globally_activated
+      - ensure_gpgcheck_local_packages
       - ensure_gpgcheck_never_disabled
       - ensure_redhat_gpgkey_installed
+      - package_abrt_removed
     status: automated
   - id: si-2.1
     title: Central Management
@@ -63,7 +66,13 @@ controls:
       - moderate
       - high
     rules:
+      - dconf_gnome_disable_automount
+      - dconf_gnome_disable_automount_open
+      - dconf_gnome_disable_autorun
       - install_mcafee_antivirus
+      - sebool_antivirus_can_scan_system
+      - sebool_antivirus_use_jit
+      - secure_boot_enabled
       - service_nails_enabled
     status: automated
   - id: si-3.1
@@ -114,10 +123,16 @@ controls:
       - moderate
       - high
     rules:
+      - journald_compress
+      - journald_forward_to_syslog
+      - journald_storage
       - kernel_module_dccp_disabled
       - kernel_module_rds_disabled
       - kernel_module_sctp_disabled
       - kernel_module_tipc_disabled
+      - package_systemd-journal-remote_installed
+      - rsyslog_cron_logging
+      - rsyslog_logging_configured
       - service_avahi-daemon_disabled
     status: automated
   - id: si-4.1
@@ -412,8 +427,13 @@ controls:
     levels:
       - moderate
       - high
-    rules: []
-    status: pending
+    rules:
+      - kernel_config_fortify_source
+      - kernel_config_randomize_base
+      - kernel_config_stackprotector
+      - sebool_selinuxuser_execheap
+      - sebool_selinuxuser_execstack
+    status: automated
   - id: si-10.1
     title: Manual Override Capability
     rules: []