Consider adding a mapping for Common Criteria GPOS 4.2.1 #328

Closed
opened 2026-01-19 18:30:05 +00:00 by michael · 3 comments

Originally created by @cistone on GitHub.

The Common Criteria GPOS <https://www.niap-ccevs.org/Profile/Info.cfm?PPID=442&id=442> lists configuration requirements that it maps to NIST Controls. Providing a mapping in this effort will give users who wish to deploy macOS with those settings an easy method to produce the required settings and documentation.


@macblazer commented on GitHub:

I've generated an appropriate CSV file from the data in the CC GPOS Control Mappings.pdf at the above link. Running the `scripts/generate_mapping.py` on it produces a bunch of output in the `build` folder as expected.

What should become of the .csv file? It doesn't look like there are any others in this repo currently.

Should the data from the build folder be integrated into the rules themselves, or let consumers of this repo use the .csv file themselves?


@robertgendler commented on GitHub:

Closing issue. Without an owner of the baseline, we won't be implementing this.


@macblazer commented on GitHub:

For whoever wants to pick this up, here are the contents of the mapping file. I named it `CommonCriteria_GPOS_PP_421.csv`.

```
pp_os_v4.2.1,800-53r5
FCS_CKM.1,SC-12(3)
FCS_CKM.2,SC-12(3)
FCS_CKM_EXT.4,"IA-5, SC-12"
FCS_COP.1(1),SC-13
FCS_COP.1(2),SC-13
FCS_COP.1(3),SC-13
FCS_COP.1(4),SC-13
FCS_RBG_EXT.1,SC-12
FCS_STO_EXT.1,"AC-3(11), IA-5(1), IA-5(2), SC-13, SC-28(1), SC-28(3)"
FCS_TLSC_EXT.1,"IA-5(2), SC-8(1), SC-11, SC-12(3), SC-13"
FDP_ACF_EXT.1,"AC-3(4), AC-3(7)"
FMT_MOF_EXT.1,"AC-2(5), AC-3(7), AC-14, AC-17, AY-4, AU-4(1), AU-9(4), AU-12, IA-4, IA-5(1), SC-7, SC-7(12), SC-7(14), SC-45(1), SI-2(5)"
FM_SMF_EXT.1,"AC-2(5), AC-7, AC-11, AC-12, AC-18, AU-2, IA-4, IA-5(1), SC-7(12), SI-2(5)"
FPT_ACF_EXT.1,"AC-3(4), AC-3(7), AC-6(10)"
FPT_ASLR_EXT.1,SI-16
FPT_SBOP_EXT.1,SI-16
FPT_TST_EXT.1,"SI-7(1), SI-7(6), SI-7(9)"
FPT_TUD_EXT.1,"CM-14, SI-7(1)"
FPT_TUD_EXT.2,CM-14
FAU_GEN.1,"AC-7, AU-2, AU-3, AU-12"
FIA_AFL.1,AC-7
FIA_UAU.5,"IA-2, IA-2(12), IA-5(1), IA-5(2)"
FIA_X509_EXT.1,"AI-5(2), SC-23(5)"
FIA_X509_EXT.2,"IA-2, IA-3"
FTP_ITC_EXT.1,"IA-3(1), SC-8(1)"
FTP_TRP.1,"SC-8(1), SC-11"
FCS_TLSC_EXT.4,IA-3(1)
FDP_IFC_EXT.1,"AC-4, AC-17"
FTA_TAB.1,"AC-8, AC-14, PL-4"
FCS_DTLS_EXT.1,"IA-5(2), SC-8(1), SC-11, SC-13"
FCS_TLSC_EXT.2,SC-12
FCS_TLSC_EXT.3,SC-12
FPT_SRP_EXT.1,CM-5(6)
FPT_W^X_EXT.1,SI-16
```
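A lint pass over the posted mapping, as an added example that is not part of the original thread or the project's scripts: it parses the two-column CSV and reports control IDs whose family prefix is not one of the twenty NIST SP 800-53 Rev. 5 families, or whose shape is not `XX-n` or `XX-n(m)`. The names `load_mapping`, `lint_controls` and `SAMPLE` are hypothetical, and the sample rows are copied from the comment above.

```python
import csv
import io
import re

# NIST SP 800-53 Rev. 5 control family identifiers (20 families).
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"}
# Base control "XX-n" with an optional enhancement "(m)".
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

# A few rows copied from the mapping posted above (subset, to keep the example short).
SAMPLE = '''pp_os_v4.2.1,800-53r5
FCS_CKM_EXT.4,"IA-5, SC-12"
FMT_MOF_EXT.1,"AC-2(5), AC-3(7), AC-14, AC-17, AY-4, AU-4(1), AU-9(4), AU-12, IA-4, IA-5(1), SC-7, SC-7(12), SC-7(14), SC-45(1), SI-2(5)"
FIA_X509_EXT.1,"AI-5(2), SC-23(5)"
FPT_W^X_EXT.1,SI-16
'''

def load_mapping(text):
    """Return (source_column_name, {requirement: [control, ...]}) from CSV text."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    mapping = {}
    for row in rows:
        if not row:
            continue
        req, controls = row[0].strip(), row[1]
        if req in mapping:
            raise ValueError(f"duplicate requirement row: {req}")
        mapping[req] = [c.strip() for c in controls.split(",") if c.strip()]
    return header[0], mapping

def lint_controls(mapping):
    """List (requirement, control, reason) for IDs that fail the form or family check."""
    findings = []
    for req, controls in mapping.items():
        for control in controls:
            m = CONTROL_RE.match(control)
            if m is None:
                findings.append((req, control, "malformed control ID"))
            elif m.group(1) not in FAMILIES:
                findings.append((req, control, "unknown control family"))
    return findings

if __name__ == "__main__":
    _, mapping = load_mapping(SAMPLE)
    for finding in lint_controls(mapping):
        print(finding)
```

Run against the full file, the same pass lists every row that needs a second look against the source PDF before the mapping is fed to a generator.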
Reference: usnistgov/macos_security#328