Add NIST 800-53 Rev 5 control framework with OSCAL metadata and CIS mappings (Split per product) #14648
Draft
ggbecker wants to merge 20 commits into ComplianceAsCode:master from

Skipping CI for Draft Pull Request.

Add toolkit for generating and maintaining product-specific NIST 800-53 control files with CIS benchmark mappings.

Components:
- Sync toolkit: Scripts to generate control files from CIS benchmarks and NIST OSCAL catalog
- Documentation: README files explaining architecture and workflows
- Weekly automation: GitHub Actions workflow for keeping files up to date

Control files are organized by product (rhel8, rhel9, rhel10) and split into 21 family files (AC, AU, CM, IA, SC, SI, etc.).

Add NIST 800-53 Revision 5 control files for rhel8, rhel9, and rhel10. Each product has 21 family files containing rule mappings derived from CIS benchmark to NIST 800-53 control mappings.

Product control files (used in builds):
- products/rhel8/controls/nist_800_53.yml + 21 family files
- products/rhel9/controls/nist_800_53.yml + 21 family files
- products/rhel10/controls/nist_800_53.yml + 21 family files

Reference files (auto-generated for comparison):
- shared/references/controls/nist_800_53_cis_reference_rhel8.yml + 21 family files
- shared/references/controls/nist_800_53_cis_reference_rhel9.yml + 21 family files
- shared/references/controls/nist_800_53_cis_reference_rhel10.yml + 21 family files

Add interactive web-based viewer for NIST 800-53 control files with comprehensive gap analysis, statistics dashboard, and backlog management.

Features:
- Dashboard view with coverage statistics and product comparison
- Gap analysis showing controls without rules
- Interactive filtering by family, baseline level, status, and gaps
- Select All/Deselect All checkboxes for all filter categories
- Full OSCAL metadata integration (description, guidance, parameters)
- TODO/backlog management per control with localStorage persistence
- Self-contained HTML with embedded data (works with file:// protocol)

Components:
- utils/nist_sync/generate_nist_viewer.py: Data generator script
- utils/nist_sync/nist_viewer_template.html: Interactive HTML template
- utils/nist_sync/VIEWER_README.md: Comprehensive documentation
- cmake/SSGCommon.cmake: CMake macro for building viewer
- .github/workflows/gh-pages.yaml: GitHub Pages integration

Build with: ninja nist-viewer

Published at: https://complianceascode.github.io/content-pages/nist-viewer/

Replace single-page viewer with multi-page web application for better organization and navigation.

Changes:
- Create templates/ directory with 6 HTML page templates and 2 shared components
  - index.html: Dashboard with overview stats and charts
  - controls.html: Controls browser with advanced filtering
  - control-detail.html: Individual control details with OSCAL metadata and TODO management
  - gaps.html: Gap analysis by priority and family
  - statistics.html: Detailed metrics and cross-product comparison
  - family.html: Control family breakdown and family-specific views
  - _shared_styles.html: Common CSS for all pages
  - _shared_header.html: Navigation header and product selector
- Update generate_nist_viewer.py to generate multiple HTML files instead of single file
- Embed data in all pages for offline access (no CORS issues)
- Pages communicate via URL parameters and localStorage
- Update VIEWER_README.md with multi-page architecture documentation

Benefits:
- Better separation of concerns (each page has focused functionality)
- Easier to maintain and extend (modify individual pages without affecting others)
- Clearer navigation with dedicated pages for each view
- Improved user experience with logical page organization

Update AC family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 33 AC controls including account management, access enforcement, session controls, and boundary protection.

Changes:
- Updated 33 controls from 'pending' to 'automated' status
- Added rule mappings for controls ac-1 through ac-25
- Includes mappings for enhancements (e.g., ac-2.1, ac-2.3, ac-7.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ac-2: Account management (11 rules)
- ac-7: Unsuccessful login attempts (4 rules)
- ac-11: Session lock (5 rules)
- ac-17: Remote access (7 rules)

Update AU family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 28 AU controls covering audit generation, storage, review, and protection.

Changes:
- Updated 28 controls from 'pending' to 'automated' status
- Added rule mappings for controls au-2 through au-14
- Includes mappings for enhancements (e.g., au-3.1, au-4.1, au-12.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- au-2: Event logging (67 audit rules)
- au-3: Content of audit records (35 rules)
- au-12: Audit record generation (67 rules)
- au-9: Protection of audit information (15 rules)

Update IA family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 22 IA controls covering password policies, authentication mechanisms, and cryptographic requirements.

Changes:
- Updated 22 controls from 'pending' to 'automated' status
- Added rule mappings for controls ia-2 through ia-12
- Includes mappings for enhancements (e.g., ia-2.1, ia-2.8, ia-5.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- ia-5: Authenticator management (51 password/key rules)
- ia-5.1: Password-based authentication (30 rules)
- ia-2: Identification and authentication (8 rules)
- ia-11: Re-authentication (5 rules)

Update CM family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 11 CM controls covering baseline configurations, security settings, and least functionality.

Changes:
- Updated 11 controls from 'pending' to 'automated' status
- Added rule mappings for controls cm-1, cm-6, cm-7, and cm-11
- Limited cm-6 (configuration settings) to 30 most relevant rules
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- cm-6: Configuration settings (30 curated rules)
- cm-7: Least functionality (10 service/package rules)
- cm-7.1: Periodic review (4 rules)
- cm-11: User-installed software (5 package management rules)

Note: CM-6 is a catch-all control that could technically map to hundreds of rules. Limited to high-impact configuration rules to maintain file readability.

Update SC family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 27 SC controls covering cryptography, network protection, and system partitioning.

Changes:
- Updated 27 controls from 'pending' to 'automated' status
- Added rule mappings for controls sc-2 through sc-46
- Includes mappings for enhancements (e.g., sc-8.1, sc-13.1, sc-28.1)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- sc-8: Transmission confidentiality/integrity (9 crypto rules)
- sc-13: Cryptographic protection (14 encryption rules)
- sc-28: Protection of information at rest (8 disk encryption rules)
- sc-2: Separation of system and user functionality (7 partition rules)
- sc-5: Denial-of-service protection (6 kernel parameter rules)

Update SI family control files for rhel8, rhel9, and rhel10 with automated rule mappings. Map existing rules with NIST references to 12 SI controls covering flaw remediation, malicious code protection, and system monitoring.

Changes:
- Updated 12 controls from 'pending' to 'automated' status
- Added rule mappings for controls si-2 through si-16
- Includes mappings for enhancements (e.g., si-2.2, si-3.8, si-4.5)
- Consistent mappings across rhel8, rhel9, and rhel10

Notable mappings:
- si-2: Flaw remediation (12 update/patch rules)
- si-3: Malicious code protection (6 antivirus/aide rules)
- si-4: System monitoring (9 logging/audit rules)
- si-6: Security and privacy function verification (8 aide/integrity rules)
- si-11: Error handling (4 core dump rules)

Map 48 previously unmapped rules (without NIST references in metadata) to appropriate NIST 800-53 controls using semantic analysis of rule descriptions and rationales. These rules were identified through keyword matching and manual review.

Changes across rhel8, rhel9, and rhel10:

CP (Contingency Planning) family:
- cp-9 (System Backup): +3 backup-related rules
  - configure_user_data_backups
  - file_groupowner_backup_etc_shadow
  - httpd_remove_backups

SC (System and Communications Protection) family:
- sc-7 (Boundary Protection): +25 firewall rules
  - firewalld, iptables, nftables, ufw configuration rules
  - Firewall zone, policy, and port management rules
  - Total rules in sc-7: 36 (11 existing + 25 new)

AU (Audit and Accountability) family:
- au-3 (Audit Record Content): +1 login event audit rule
- au-3.1 (Additional Audit Information): +5 network config audit rules
- au-5 (Audit Failure Response): +2 audit system resilience rules
- au-9 (Protection of Audit Information): +3 audit protection rules
- au-12 (Audit Record Generation): +9 additional syscall audit rules

These mappings address rules that lacked explicit NIST references but provide technical controls that satisfy the control requirements.

Total new mappings: 144 (48 unique rules × 3 products).

Add 22 unmapped rules to SI family controls across rhel8, rhel9, and rhel10. Focused on malware protection, flaw remediation, system monitoring, and input validation. These rules were identified through semantic analysis of rule descriptions.

Changes:

SI-2 (Flaw Remediation):
- Added GPG key verification rules: ensure_gpgcheck_globally_activated, ensure_gpgcheck_never_disabled, ensure_gpgcheck_local_packages, ensure_redhat_gpgkey_installed
- Added ABRT package removal rule
Total: 5 rules (2-3 new per product)

SI-3 (Malicious Code Protection):
- Added SELinux antivirus booleans: sebool_antivirus_can_scan_system, sebool_antivirus_use_jit
- Added GNOME automount/autorun prevention: dconf_gnome_disable_automount, dconf_gnome_disable_automount_open, dconf_gnome_disable_autorun
- Added secure_boot_enabled
Total: 8 rules (6 new per product)

SI-4 (System Monitoring):
- Added rsyslog rules: rsyslog_cron_logging, rsyslog_logging_configured
- Added journald rules: journald_compress, journald_forward_to_syslog, journald_storage, package_systemd-journal-remote_installed
Total: 11 rules (6 new per product)

SI-10 (Information Input Validation):
- Added kernel hardening: kernel_config_fortify_source, kernel_config_randomize_base, kernel_config_stackprotector
- Added SELinux memory protection: sebool_selinuxuser_execheap, sebool_selinuxuser_execstack
Total: 5 rules (all new)

Total new mappings: 62 (across 3 products)

Add 14 unmapped rules to SC family controls across rhel8, rhel9, and rhel10. Focused on denial of service protection, transmission confidentiality, cryptographic protection, and secure name resolution.

Changes:

SC-5 (Denial of Service Protection):
- Added SSH connection limits: sshd_set_max_sessions, sshd_set_maxstartups
- Added PAM faillock for root: accounts_passwords_pam_faillock_root_unlock_time
- Added kernel hardening: kernel_config_binfmt_misc, kernel_config_modify_ldt_syscall
Total: 15 rules (5 new per product)

SC-8 (Transmission Confidentiality):
- Added HTTPD TLS configuration: httpd_configure_tls
- Added Dovecot SSL: dovecot_enable_ssl, dovecot_configure_ssl_cert, dovecot_configure_ssl_key
Total: 5 rules (4 new per product)

SC-13 (Cryptographic Protection):
- Added HTTPD authentication: httpd_digest_authentication, httpd_require_client_certs
Total: 28 rules (2 new per product)

SC-20 (Secure Name/Address Resolution):
- Added Avahi restrictions: avahi_check_ttl, avahi_ip_only, avahi_restrict_published_information
Total: 4 rules (3 new per product)

Total new mappings: 42 (across 3 products)

Add 13 unmapped rules to CM family controls across rhel8, rhel9, and rhel10. Focused on bootloader security and disabling unnecessary services/packages for least functionality.

Changes:

CM-6 (Configuration Settings):
- Added GRUB2 password protection: grub2_password, grub2_uefi_password
- Added GRUB2 file permissions: file_groupowner_boot_grub2, file_owner_boot_grub2, file_permissions_boot_grub2
Total: 35 rules (5 new per product)

CM-7 (Least Functionality):
- Added service disablement: service_apport_disabled, service_cockpit_disabled, service_oddjobd_disabled, service_quota_nld_disabled, service_dhcpd_disabled, service_dnsmasq_disabled
- Added package removal: package_nis_removed, package_telnetd_removed
Total: 54-61 rules (6-7 new per product)

CM-7 already had significant coverage from previous mappings. These additions focus on services that provide unnecessary network functionality or legacy protocols that increase attack surface.

Total new mappings: 35 (across 3 products)

First mappings for Incident Response (IR) and Risk Assessment (RA) families across rhel8, rhel9, and rhel10. These families were previously at 0% coverage. Focused on incident handling, monitoring, and vulnerability scanning capabilities.

IR (Incident Response) family:

IR-4 (Incident Handling):
- Added audit log forwarding: auditd_audispd_configure_remote_server, auditd_offload_logs
- Added mail service for notifications: service_postfix_enabled
Total: 3 rules (all new)

IR-5 (Incident Monitoring and Reporting):
- Added file deletion monitoring audit rules: audit_rules_file_deletion_events, audit_rules_file_deletion_events_rename, audit_rules_file_deletion_events_renameat, audit_rules_file_deletion_events_rmdir, audit_rules_file_deletion_events_unlink, audit_rules_file_deletion_events_unlinkat
Total: 6 rules (all new)

RA (Risk Assessment) family:

RA-5 (Vulnerability Monitoring and Scanning):
- Added insecure protocol kernel modules: kernel_module_dccp_disabled, kernel_module_rds_disabled, kernel_module_sctp_disabled, kernel_module_tipc_disabled
- Added insecure filesystem kernel modules: kernel_module_cramfs_disabled, kernel_module_freevxfs_disabled, kernel_module_hfs_disabled, kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled
Total: 9 rules (all new)

Coverage improvement:
- IR: 0% → 4.8% (2/42 controls)
- RA: 0% → 3.8% (1/26 controls)

Total new mappings: 54 (across 3 products × 18 unique rules)

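The family-mapping commits above (AC through RA) take the NIST references already present in rule metadata and invert them into per-control rule lists, split by family. The following is an added illustration of that inversion, not the PR's sync_nist_split.py; it assumes rule.yml-style references (a comma-separated `nist:` string with entries such as "AC-2(1)" or "AU-2(d)") and the control-id form the control files use (`ac-2.1` for an enhancement; statement-part references like "AU-2(d)" are assumed to collapse to the base control). The rule names and references in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of rule metadata: rule name -> its parsed "references" block.
# The NIST strings are made up for the example, not copied from the real rules.
SAMPLE_RULES = {
    "accounts_max_concurrent_login_sessions": {"nist": "AC-10,CM-6(a)"},
    "auditd_data_retention_max_log_file_action": {"nist": "AU-4,AU-11,CM-6(a)"},
    "account_disable_post_pw_expiration": {"nist": "AC-2(3),AC-2(d),IA-4(e)"},
    "no_empty_passwords": {"nist": "IA-5(1)(a),CM-6(a)"},
}

# Family (two letters), control number, then any number of "(x)" suffixes.
REF_RE = re.compile(r"^([A-Za-z]{2})-(\d+)((?:\(\w+\))*)$")


def normalize_ref(ref):
    """'AC-2(3)' -> 'ac-2.3'; 'AC-2(d)' -> 'ac-2'; 'IA-5(1)(a)' -> 'ia-5.1'.
    Returns None for strings that are not NIST 800-53 control identifiers."""
    m = REF_RE.match(ref.strip())
    if not m:
        return None
    family, number, parens = m.groups()
    control_id = f"{family.lower()}-{number}"
    # A numeric parenthetical is an enhancement and gets its own control entry;
    # an alphabetic one is a statement part, tracked at the base-control level.
    enhancements = re.findall(r"\((\d+)\)", parens)
    if enhancements:
        control_id += "." + enhancements[0]
    return control_id


def build_mapping(rules):
    """Invert rule metadata into {control_id: sorted rule names}."""
    mapping = defaultdict(set)
    for rule_name, refs in rules.items():
        for ref in refs.get("nist", "").split(","):
            cid = normalize_ref(ref)
            if cid:
                mapping[cid].add(rule_name)
    return {cid: sorted(names) for cid, names in sorted(mapping.items())}


def split_by_family(mapping):
    """Group {control_id: rules} by the two-letter prefix, mirroring the PR's
    one-file-per-family layout (ac.yml, au.yml, cm.yml, ...)."""
    families = defaultdict(dict)
    for cid, names in mapping.items():
        families[cid.split("-", 1)[0]][cid] = names
    return dict(families)
```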
Update the NIST viewer dashboard to make family names in the "Coverage by Control Family" section clickable links that navigate to the family detail page. Also add the family acronym in parentheses for clarity.

Changes:
- Family names now link to family.html?family=<family_id>
- Added acronym in parentheses, e.g., "Access Control (AC)"
- Link styled in blue (#0366d6) to indicate interactivity
- Clicking a family name navigates to the family-specific view

Example: "Access Control" → "Access Control (AC)" (clickable)

This improves navigation and makes it easier to understand the relationship between full family names and their abbreviations.

Reorganize the NIST viewer to generate product-specific pages in
separate subdirectories instead of using a single set of pages with
localStorage-based product switching. This improves performance and
clarity.
Changes:
Generator (generate_nist_viewer.py):
- Generate pages in product-specific subdirectories: rhel8/, rhel9/, rhel10/
- Embed only that product's data in each page (reduces file size from 7.5MB to 2.5MB per page)
- Add CURRENT_PRODUCT constant to each page
- Create product selector with links to other product directories
- Generate redirect index.html that points to rhel9 by default
Template changes:
- _shared_header.html: Replace dropdown selector with static product links
- Remove localStorage-based product switching
- Replace getCurrentProduct() with CURRENT_PRODUCT constant
- Simplify data access since each page only has one product's data
Benefits:
- 67% smaller file sizes per page (only one product's data embedded)
- Faster page loads (less data to parse)
- Clearer separation between products
- Direct URLs to specific products (e.g., rhel9/index.html)
- No client-side state management needed
Structure:
```text
build/nist-controls-viewer/
  index.html            (redirects to rhel9/)
  rhel8/
    index.html, controls.html, gaps.html, etc.
  rhel9/
    index.html, controls.html, gaps.html, etc.
  rhel10/
    index.html, controls.html, gaps.html, etc.
```
Product selector in header shows:
"Product: RHEL8 | RHEL9 | RHEL10" with current product in bold

Update documentation to reflect the new product-specific directory structure where each product (rhel8, rhel9, rhel10) has its own subdirectory with a complete set of viewer pages.

Changes:
- Updated directory tree showing product subdirectories
- Documented file size improvement (2.5MB vs 7.5MB per page)
- Added note about product-specific data embedding
- Updated manual generation instructions
- Clarified that index.html redirects to rhel9 by default
- Removed references to localStorage-based product switching

Extend the NIST viewer to support all 6 status types defined in the control file format, not just the initial 3. This allows proper representation of controls that are inherently met, do not meet requirements, or are not applicable.

Status types and their visual representation:
1. automated - Green (#28a745) - Technical controls implemented
2. manual - Blue (#0366d6) - Manual processes required
3. inherently met - Purple (#6f42c1) - Met by system design
4. does not meet - Red (#dc3545) - Does not satisfy requirement
5. not applicable - Gray (#6c757d) - Not relevant to this product
6. pending - Yellow (#ffd33d) - Not yet evaluated

Changes:

Generator (generate_nist_viewer.py):
- Add is_inherently_met, is_does_not_meet, is_not_applicable flags
- Track counts for all 6 statuses in statistics
- Calculate percentages for progress bars

Templates:
- _shared_styles.html: Add badge styles for 3 new status types
- index.html: Add stat cards for inherently met, not applicable, does not meet
- index.html: Update family progress bars to show all 6 status types
- controls.html, family.html, gaps.html, statistics.html: Update statusClass determination to handle all 6 types

Dashboard now shows:
- 7 stat cards (Total + 6 status types)
- Multi-segment progress bars with up to 6 colors
- Proper filtering and display for all status types

Example control file usage:
```yaml
- id: pe-1
  title: Physical Protection Policy
  levels: [low, moderate, high]
  rules: []
  status: not applicable
  notes: Physical security is managed at datacenter level
```

This allows organizations to properly track controls that are:
- Satisfied through architectural choices (inherently met)
- Not relevant to their deployment model (not applicable)
- Identified as gaps that cannot be remediated (does not meet)

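The six statuses above, and the gap and coverage figures the dashboard and the family commits quote (e.g. "IR: 2/42 controls"), can be checked straight from a loaded family file. The block below is an added example, not the PR's viewer generator: it takes the controls as the dicts a YAML loader returns for entries like the pe-1 one above (PyYAML itself is not needed, so the sample is embedded already parsed), treats a control with an empty rules list as a gap, and flags status/rules combinations that look inconsistent. Which combinations to flag is this example's assumption, not a rule stated in the PR.

```python
from collections import defaultdict

# The six status values the control file format defines (viewer commit above).
VALID_STATUSES = ("automated", "manual", "inherently met",
                  "does not meet", "not applicable", "pending")

# Constructed sample of an IR family file as a YAML loader returns it; rule names
# follow the PR's IR mappings, statuses are chosen to exercise the checks below.
SAMPLE_IR_CONTROLS = [
    {"id": "ir-1", "title": "Policy and Procedures", "levels": ["low", "moderate", "high"],
     "rules": [], "status": "pending"},
    {"id": "ir-4", "title": "Incident Handling", "levels": ["low", "moderate", "high"],
     "rules": ["auditd_audispd_configure_remote_server", "auditd_offload_logs",
               "service_postfix_enabled"], "status": "automated"},
    # rules were added but the status was never promoted from 'pending'
    {"id": "ir-5", "title": "Incident Monitoring", "levels": ["low", "moderate", "high"],
     "rules": ["audit_rules_file_deletion_events"], "status": "pending"},
    {"id": "ir-6", "title": "Incident Reporting", "levels": ["low", "moderate", "high"],
     "rules": [], "status": "manual", "notes": "Reported via the ticketing process"},
    # misspelled status value, which the viewer could not classify
    {"id": "ir-7", "title": "Incident Response Assistance", "levels": ["low", "moderate", "high"],
     "rules": [], "status": "automted"},
]


def family_of(control_id):
    """'ac-2.1' -> 'AC': the family is the two-letter prefix before the dash."""
    return control_id.split("-", 1)[0].upper()


def lint_controls(controls):
    """Return human-readable problems: unknown status, 'automated' with no
    rules mapped, or rules present while the control is still 'pending'."""
    problems = []
    for c in controls:
        status, rules = c.get("status", "pending"), c.get("rules") or []
        if status not in VALID_STATUSES:
            problems.append(f"{c['id']}: unknown status {status!r}")
        elif status == "automated" and not rules:
            problems.append(f"{c['id']}: status automated but no rules mapped")
        elif status == "pending" and rules:
            problems.append(f"{c['id']}: {len(rules)} rule(s) mapped but still pending")
    return problems


def coverage(controls):
    """Per family: status counts, gap list (controls with no rules) and the
    coverage percentage the dashboard reports (controls with rules / total)."""
    by_family = defaultdict(list)
    for c in controls:
        by_family[family_of(c["id"])].append(c)
    report = {}
    for fam, items in by_family.items():
        counts = {s: 0 for s in VALID_STATUSES}
        gaps = [c["id"] for c in items if not c.get("rules")]
        for c in items:
            if c.get("status", "pending") in counts:
                counts[c.get("status", "pending")] += 1
        covered = len(items) - len(gaps)
        report[fam] = {"total": len(items), "covered": covered,
                       "coverage_pct": round(100.0 * covered / len(items), 1),
                       "gaps": gaps, "status_counts": counts}
    return report
```

Running `coverage()` over all 21 family files of a product and summing the totals reproduces the per-family progress bars; `lint_controls()` is the kind of check a weekly sync job can run before committing regenerated files.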
Update utils/nist_sync/README.md to streamline workflow documentation:
- Simplify description and remove overly detailed architecture sections
- Clarify that reference files are auto-generated
- Simplify weekly automation and manual sync workflows
- Remove references to change detection and manual additions tracking

Description:

Add NIST 800-53 / CIS synchronization toolkit and product-specific control files for rhel8, rhel9, and rhel10.

This PR introduces:

Each product (rhel8, rhel9, rhel10) now has dedicated NIST 800-53 control files in products/{product}/controls/nist_800_53/ that map CIS benchmark requirements to NIST controls.

Rationale:

Enable NIST 800-53 compliance profiles based on CIS benchmark mappings. This allows users to assess and remediate systems against NIST 800-53 controls using the existing CIS benchmark rule base.

The product-specific architecture ensures:

Review Hints:

This PR consists of two commits that should be reviewed sequentially:

1. Infrastructure commit (aec333de6d): Toolkit scripts, documentation, and GitHub Actions workflow
   - utils/nist_sync/sync_nist_split.py
   - utils/nist_sync/README.md
   - controls/README_nist_800_53.md
2. Control files commit (645e5aaaf9): Generated NIST 800-53 control files
   - products/rhel9/controls/nist_800_53/au.yml (to verify format)

Testing the toolkit locally:

```shell
cd utils/nist_sync
./test_workflow_local.sh
```