rev5 additions

This commit is contained in:
Bob Gendler
2021-06-02 10:29:31 -04:00
parent b5eae8e760
commit ebde472bf0
4 changed files with 128 additions and 0 deletions

View File

@@ -0,0 +1,33 @@
id: audit_record_reduction_report_generation
title: "Audit Record Reduction and Report Generation"
discussion: |
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
Audit record reduction and report generation can be done with tools built into macOS such as auditreduce and praudit. These tools are protected by System Integrity Protection (SIP).
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AU-7
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r4_high
- inherent
mobileconfig: false
mobileconfig_info:
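Review bot: the tags list carries `800-53r4_high` while the `800-53r4:` reference is `- N/A`, so a baseline built from the r4 tag would include a rule with no r4 control mapping. Either list the corresponding control under `800-53r4:` or drop the `800-53r4_high` tag. The same mismatch appears in the next file (`audit_records_processing`), so fix both together.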

View File

@@ -0,0 +1,31 @@
id: audit_records_processing
title: "Audit Record Reduction and Report Generation"
discussion: |
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AU-7(1)
800-53r4:
- N/A
srg:
- N/A
disa_stig:
- N/A
800-171r2:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_moderate
- 800-53r4_high
- permanent
mobileconfig: false
mobileconfig_info:
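Review bot: the `title` is identical to the previous rule's ("Audit Record Reduction and Report Generation") even though the `id` is `audit_records_processing` and the control is the enhancement AU-7(1), not the base AU-7; give this rule a title that distinguishes it from the base rule so generated guides and reports do not show two rules with the same name. As in the previous file, the tags carry `800-53r4_high` while `800-53r4:` is `- N/A`; add the r4 reference or remove the tag.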

View File

@@ -0,0 +1,34 @@
id: os_access_control_mobile_devices
title: "Access Control for Mobile Devices"
discussion: |
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.
Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system.
check: |
The technology does not support this requirement. This is an applicable-does not meet finding.
fix: |
This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- AC-19
800-53r4:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- "11.0"
tags:
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
- n_a
mobileconfig: false
mobileconfig_info:
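Review bot: the `check` and `fix` blocks use the "permanent finding" wording, but the tags list `n_a` instead of `permanent` (the tag the `audit_records_processing` rule uses for the same check/fix text), and `n_a` sits alongside `800-53r5_low`, `800-53r5_moderate` and `800-53r5_high`, which contradicts it. Pick one: if the rule is a permanent finding, tag it `permanent`; if it is not applicable, drop the baseline tags. Minor: the `disa_stig:` / `srg:` key order here is the reverse of the first two files; keep one order across rules.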

View File

@@ -0,0 +1,30 @@
id: os_verify_remote_disconnection
title: "Verify remote disconnection of sessions"
discussion: |
XProtect and MRT
check: |
The technology supports this requirement and cannot be configured to be out of compliance. The technology inherently meets this requirement.
fix: |
The technology inherently meets this requirement. No fix is required.
references:
cce:
- N/A
cci:
- N/A
800-53r5:
- SI-3
800-53r4:
- N/A
disa_stig:
- N/A
srg:
- N/A
macOS:
- "11.0"
tags:
- inherent
- 800-53r5_low
- 800-53r5_moderate
- 800-53r5_high
mobileconfig: false
mobileconfig_info:
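Review bot: the `discussion` is a placeholder ("XProtect and MRT") and does not match the `title` ("Verify remote disconnection of sessions"), while the only reference is SI-3; either the title or the body is wrong, and an `inherent` rule with no discussion gives an assessor nothing to justify the "inherently meets" claim. Replace the discussion with an explanation of what XProtect and MRT do and why that satisfies the referenced control, and make the `id`/`title` consistent with that control. Minor: the title is not in Title Case like the other three rules in this commit.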