From 5ac4506313378730472f9d5eb46eb3975ba2ef81 Mon Sep 17 00:00:00 2001
From: Mike Ralph
Date: Wed, 23 Oct 2019 08:13:40 -0400
Subject: [PATCH 1/2] DISA STIG SRG mappings
---
 .../permissions/files/sysctl_fs_protected_hardlinks/rule.yml | 1 +
 .../permissions/files/sysctl_fs_protected_symlinks/rule.yml | 1 +
 .../sysctl_kernel_kptr_restrict/rule.yml | 1 +
 .../restrictions/sysctl_kernel_core_pattern/rule.yml | 1 +
 .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 1 +
 .../restrictions/sysctl_kernel_kexec_load_disabled/rule.yml | 4 ++++
 .../restrictions/sysctl_kernel_perf_event_paranoid/rule.yml | 1 +
 .../sysctl_kernel_unprivileged_bpf_disabled/rule.yml | 1 +
 .../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml | 1 +
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml | 1 +
 10 files changed, 13 insertions(+)
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
index ee558a1de744..9ec84e7ac67d 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml
@@ -21,6 +21,7 @@ references:
 anssi: NT28(R23)
 cis: 1.6.1
 nist: SI-11
+ srg: SRG-OS-000324-GPOS-00125
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_hardlinks", value="1") }}}
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
index d9c03c4bf497..bf32f936fbf9 100644
--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
+++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml
@@ -23,6 +23,7 @@ references:
 anssi: NT28(R23)
 cis: 1.6.1
 nist: SI-11
+ srg: SRG-OS-000324-GPOS-00125
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_symlinks", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index d81f8e600bb6..6e722e3a1414 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 references:
 anssi: NT28(R23)
 nist: SC-39
+ srg: SRG-OS-000480-GPOS-00227
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index f671b038f264..1db983881e72 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index d01fba7a677e..8b85e06a8347 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -23,6 +23,7 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
 nist: SI-11
 anssi: NT28(R23)
+ srg: SRG-OS-000324-GPOS-00125
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}
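Review bot: The `srg:` value added to sysctl_kernel_kptr_restrict here, `SRG-OS-000480-GPOS-00227`, is replaced by `SRG-OS-000132-GPOS-00067` in patch 2/2 of this same series, and the same happens to the dmesg_restrict hunk on this line and to the perf_event_paranoid and bpf_jit_harden hunks later in patch 1/2. Merging the series as-is leaves a revision in history where four rules carry SRG mappings the author has already rejected, which misleads anyone bisecting or auditing a rule's references. Squashing the two patches into one commit, or rewriting patch 1/2 with the final values, would give each rule a single correct `srg:` entry. The core_pattern hunk on this line is not revised later.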
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
index 879d053c7c42..ba967d0c6bbf 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
@@ -17,6 +17,10 @@ identifiers:
 cce@rhel7: 81056-4
 cce@rhel8: 80952-5
+references:
+ srg: SRG-OS-000480-GPOS-00227
+
+
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
 platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index 6e7857cb5858..c94098251caf 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 references:
 anssi: NT28(R23)
 ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_paranoid", value="2") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
index 898b55349c5a..197db100b246 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000132-GPOS-00067
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
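Review bot: The kexec_load_disabled hunk leaves two consecutive added blank lines (the `+`, `+` pair) between the new `srg:` entry and the `{{{ complete_ocil_entry_sysctl_option_value(...) }}}` call, while every other rule.yml touched by this patch separates `references:` from the OCIL call with a single blank line. Dropping one of the two added blank lines keeps the newly created `references:` block consistent with its siblings; the `4 ++++` in the diffstat would become `3 +++`. The block is otherwise placed directly after `identifiers:`, matching the key order the other files use.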
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
index 3b29bf8c45dc..029636626020 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 references:
 anssi: NT28(R25)
+ srg: SRG-OS-000132-GPOS-00067
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index 39f227d93f8f..7fbc423fa182 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000433-GPOS-00193
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.core.bpf_jit_harden", value="2") }}}
From d63512fed5f29256549603e75646f674b9f5362b Mon Sep 17 00:00:00 2001
From: Mike Ralph
Date: Fri, 1 Nov 2019 19:10:39 -0400
Subject: [PATCH 2/2] DISA STIG SRG mappings - updates
---
 .../sysctl_kernel_kptr_restrict/rule.yml | 2 +-
 .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 2 +-
 .../restrictions/sysctl_kernel_perf_event_paranoid/rule.yml | 2 +-
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 6e722e3a1414..d1fd412dd45d 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -20,7 +20,7 @@ identifiers:
 references:
 anssi: NT28(R23)
 nist: SC-39
- srg: SRG-OS-000480-GPOS-00227
+ srg: SRG-OS-000132-GPOS-00067
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index 8b85e06a8347..6e7a9eb8519b 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -23,7 +23,7 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
 nist: SI-11
 anssi: NT28(R23)
- srg: SRG-OS-000324-GPOS-00125
+ srg: SRG-OS-000132-GPOS-00067
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
index c94098251caf..b7d60772f99f 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 references:
 anssi: NT28(R23)
 ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000480-GPOS-00227
+ srg: SRG-OS-000132-GPOS-00067
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_paranoid", value="2") }}}
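Review bot: The three hunks on this line converge on `SRG-OS-000132-GPOS-00067` while the files' existing `nist:` entries stay at `SC-39` (kptr_restrict) and `SI-11` (dmesg_restrict), and perf_event_paranoid lists no `nist:` at all, so the SRG and NIST references in the same block no longer point at the same control. If, as I recall from the GPOS SRG, SRG-OS-000132 is the user/management functionality separation requirement traced to SC-2, then either the matching control should be added in the project's comma-separated form already used on the `hipaa:` line (for example `nist: SC-39,SC-2` for kptr_restrict) or the SRG choice should be re-checked against the CCI it carries. A sentence in the commit message explaining why these rules moved off `SRG-OS-000480-GPOS-00227` and `SRG-OS-000324-GPOS-00125` would let later maintainers verify the reclassification without redoing it.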
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index 7fbc423fa182..ef994f298a78 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000433-GPOS-00193
+ srg: SRG-OS-000480-GPOS-00227
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.core.bpf_jit_harden", value="2") }}}
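Review bot: Replacing `SRG-OS-000433-GPOS-00193` with `SRG-OS-000480-GPOS-00227` trades a specific requirement for the generic "configured per DoD guidance" catch-all, so the link between bpf_jit_harden and a memory-protection requirement is dropped rather than corrected, and this rule has no `nist:` entry to fall back on. If 000433 was judged not to apply to JIT hardening, the commit message should say why; if it still applies and 000480 is wanted as well, both can be kept in the project's comma-separated form, `srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227`. This revises a value introduced by patch 1/2 of the same series, so squashing the two patches would avoid the intermediate mapping landing in history.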