nist_800_53: fix sync script variable lookup and complete CIS→NIST mappings

shared/references/controls/nist_800_53_cis_reference_rhel10/ac.yml

@@ -41,12 +41,11 @@ controls:
       levels:
           - moderate
       rules:
+          - var_accounts_tmout=15_min
           - accounts_tmout
           - no_invalid_shell_accounts_unlocked
           - no_password_auth_for_systemaccounts
           - no_shelllogin_for_systemaccounts
-          - inactivity_timeout_value=15_minutes
-          - var_accounts_tmout=15_min
       status: automated
     - id: ac-2.6
       title: Dynamic Privilege Management
@@ -91,6 +90,9 @@ controls:
       levels:
           - low
       rules:
+          - var_selinux_policy_name=targeted
+          - var_pam_wheel_group_for_su=cis
+          - var_accounts_user_umask=027
           - accounts_umask_etc_bashrc
           - accounts_umask_etc_login_defs
           - accounts_umask_etc_profile
@@ -210,6 +212,7 @@ controls:
           - package_libselinux_installed
           - package_mcstrans_removed
           - package_setroubleshoot_removed
+          - rsyslog_filecreatemode
           - rsyslog_files_groupownership
           - rsyslog_files_ownership
           - rsyslog_files_permissions
@@ -219,9 +222,6 @@ controls:
           - sysctl_fs_protected_hardlinks
           - sysctl_fs_protected_symlinks
           - use_pam_wheel_group_for_su
-          - var_accounts_user_umask=027
-          - var_pam_wheel_group_for_su=cis
-          - var_selinux_policy_name=targeted
       status: automated
     - id: ac-3.1
       title: Restricted Access to Privileged Functions
@@ -495,15 +495,14 @@ controls:
       levels:
           - low
       rules:
+          - var_accounts_passwords_pam_faillock_root_unlock_time=60
+          - var_accounts_passwords_pam_faillock_deny=5
+          - var_accounts_passwords_pam_faillock_unlock_time=900
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
           - accounts_passwords_pam_faillock_deny
           - accounts_passwords_pam_faillock_even_deny_root_or_root_unlock_time
           - accounts_passwords_pam_faillock_unlock_time_with_zero
-          - var_accounts_passwords_pam_faillock_deny=5
-          - var_accounts_passwords_pam_faillock_dir=run
-          - var_accounts_passwords_pam_faillock_root_unlock_time=60
-          - var_accounts_passwords_pam_faillock_unlock_time=900
       status: automated
     - id: ac-7.1
       title: Automatic Account Lock
@@ -526,6 +525,8 @@ controls:
       levels:
           - low
       rules:
+          - dconf_login_banner_text=cis_banners
+          - dconf_login_banner_contents=cis_default
           - dconf_gnome_banner_enabled
           - dconf_gnome_login_banner_text
       status: automated
@@ -560,11 +561,12 @@ controls:
       levels:
           - moderate
       rules:
+          - inactivity_timeout_value=15_minutes
+          - var_screensaver_lock_delay=5_seconds
           - dconf_gnome_screensaver_idle_delay
           - dconf_gnome_screensaver_lock_delay
           - dconf_gnome_screensaver_user_locks
           - dconf_gnome_session_idle_user_locks
-          - var_screensaver_lock_delay=5_seconds
       status: automated
     - id: ac-11.1
       title: Pattern-hiding Displays

shared/references/controls/nist_800_53_cis_reference_rhel10/au.yml

@@ -11,6 +11,10 @@ controls:
       levels:
           - low
       rules:
+          - var_auditd_admin_space_left_action=cis_rhel10
+          - var_audit_backlog_limit=8192
+          - var_auditd_space_left_action=cis_rhel10
+          - var_auditd_action_mail_acct=root
           - aide_build_database
           - aide_periodic_cron_checking
           - audit_rules_execution_chacl
@@ -33,10 +37,6 @@ controls:
           - service_systemd-journal-upload_enabled
           - service_systemd-journald_enabled
           - socket_systemd-journal-remote_disabled
-          - var_audit_backlog_limit=8192
-          - var_auditd_action_mail_acct=root
-          - var_auditd_admin_space_left_action=cis_rhel10
-          - var_auditd_space_left_action=cis_rhel10
       status: automated
     - id: au-2.1
       title: Compilation of Audit Records from Multiple Sources
@@ -59,6 +59,10 @@ controls:
       levels:
           - low
       rules:
+          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+          - var_multiple_time_servers=rhel
+          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - sshd_max_auth_tries_value=4
           - audit_rules_dac_modification_chmod
           - audit_rules_dac_modification_chown
           - audit_rules_dac_modification_fchmod
@@ -125,8 +129,6 @@ controls:
           - sudo_custom_logfile
           - sysctl_net_ipv4_conf_all_log_martians
           - sysctl_net_ipv4_conf_default_log_martians
-          - sshd_max_auth_tries_value=4
-          - var_multiple_time_servers=rhel
       status: automated
     - id: au-3.1
       title: Additional Audit Information
@@ -158,10 +160,10 @@ controls:
       levels:
           - low
       rules:
+          - var_auditd_disk_full_action=cis_rhel10
+          - var_auditd_disk_error_action=cis_rhel10
           - auditd_data_disk_error_action
           - auditd_data_disk_full_action
-          - var_auditd_disk_error_action=cis_rhel10
-          - var_auditd_disk_full_action=cis_rhel10
       status: automated
     - id: au-5.1
       title: Storage Capacity Warning
@@ -262,10 +264,10 @@ controls:
       levels:
           - low
       rules:
-          - auditd_data_retention_max_log_file
-          - auditd_data_retention_max_log_file_action
           - var_auditd_max_log_file=8
           - var_auditd_max_log_file_action=keep_logs
+          - auditd_data_retention_max_log_file
+          - auditd_data_retention_max_log_file_action
       status: automated
     - id: au-8.1
       title: Synchronization with Authoritative Time Source
@@ -363,6 +365,8 @@ controls:
       levels:
           - low
       rules:
+          - var_accounts_passwords_pam_faillock_dir=run
+          - audit_rules_continue_loading
           - audit_rules_dac_modification_chmod
           - audit_rules_dac_modification_chown
           - audit_rules_dac_modification_fchmod
@@ -377,7 +381,6 @@ controls:
           - audit_rules_dac_modification_lsetxattr
           - audit_rules_dac_modification_removexattr
           - audit_rules_dac_modification_setxattr
-          - audit_rules_continue_loading
           - audit_rules_execution_chcon
           - audit_rules_file_deletion_events_rename
           - audit_rules_file_deletion_events_renameat

shared/references/controls/nist_800_53_cis_reference_rhel10/cm.yml

@@ -5,6 +5,12 @@ controls:
       levels:
           - low
       rules:
+          - var_user_initialization_files_regex=all_dotfiles
+          - var_sshd_set_maxstartups=10:30:60
+          - sshd_idle_timeout_value=5_minutes
+          - var_sshd_set_keepalive=1
+          - var_accounts_maximum_age_login_defs=365
+          - var_sshd_max_sessions=10
           - account_password_pam_faillock_password_auth
           - account_password_pam_faillock_system_auth
           - account_unique_id
@@ -55,20 +61,14 @@ controls:
           - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
           - sysctl_net_ipv4_ip_forward
           - sysctl_net_ipv4_tcp_syncookies
+          - sysctl_net_ipv4_tcp_syncookies_value=enabled
           - sysctl_net_ipv6_conf_all_accept_ra
           - sysctl_net_ipv6_conf_all_accept_redirects
           - sysctl_net_ipv6_conf_all_accept_source_route
           - sysctl_net_ipv6_conf_all_forwarding
           - sysctl_net_ipv6_conf_default_accept_ra
           - sysctl_net_ipv6_conf_default_accept_redirects
           - sysctl_net_ipv6_conf_default_accept_source_route
-          - sshd_idle_timeout_value=5_minutes
-          - sysctl_net_ipv4_tcp_syncookies_value=enabled
-          - var_accounts_maximum_age_login_defs=365
-          - var_sshd_max_sessions=10
-          - var_sshd_set_keepalive=1
-          - var_sshd_set_maxstartups=10:30:60
-          - var_user_initialization_files_regex=all_dotfiles
       status: automated
     - id: cm-2
       title: Baseline Configuration
@@ -215,6 +215,31 @@ controls:
       levels:
           - low
       rules:
+          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+          - cis_banner_text=cis
+          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+          - var_accounts_user_umask=027
+          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+          - var_sshd_set_login_grace_time=60
+          - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
+          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+          - accounts_password_pam_modules_in_authselect_profile
           - accounts_password_pam_pwquality_password_auth
           - accounts_password_pam_pwquality_system_auth
           - accounts_umask_etc_bashrc
@@ -225,6 +250,7 @@ controls:
           - banner_etc_issue_cis
           - banner_etc_issue_net_cis
           - banner_etc_motd_cis
+          - chronyd_run_as_chrony_user
           - coredump_disable_backtraces
           - coredump_disable_storage
           - dconf_db_up_to_date
@@ -285,32 +311,6 @@ controls:
           - sysctl_net_ipv6_conf_default_accept_redirects
           - sysctl_net_ipv6_conf_default_accept_source_route
           - sysctl_net_ipv6_conf_default_forwarding
-          - cis_banner_text=cis
-          - dconf_login_banner_contents=cis_default
-          - dconf_login_banner_text=cis_banners
-          - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-          - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-          - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-          - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-          - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-          - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-          - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-          - sysctl_net_ipv4_conf_default_forwarding_value=disabled
-          - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-          - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-          - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-          - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-          - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-          - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-          - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-          - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-          - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-          - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-          - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-          - sysctl_net_ipv6_conf_default_forwarding_value=disabled
-          - var_accounts_user_umask=027
-          - var_sshd_set_login_grace_time=60
       status: automated
     - id: cm-6.1
       title: Automated Management, Application, and Verification
@@ -337,6 +337,7 @@ controls:
       levels:
           - low
       rules:
+          - var_postfix_inet_interfaces=loopback-only
           - dconf_gnome_disable_autorun
           - disable_weak_deps
           - file_ownership_var_log_audit_stig
@@ -394,7 +395,6 @@ controls:
           - sshd_disable_forwarding
           - wireless_disable_interfaces
           - xwayland_disabled
-          - var_postfix_inet_interfaces=loopback-only
       status: automated
     - id: cm-7.1
       title: Periodic Review

shared/references/controls/nist_800_53_cis_reference_rhel10/ia.yml

@@ -105,9 +105,9 @@ controls:
       levels:
           - low
       rules:
+          - var_account_disable_post_pw_expiration=45
           - account_disable_post_pw_expiration
           - accounts_set_post_pw_existing
-          - var_account_disable_post_pw_expiration=45
       status: automated
     - id: ia-4.1
       title: Prohibit Account Identifiers as Public Identifiers
@@ -152,6 +152,16 @@ controls:
       levels:
           - low
       rules:
+          - var_password_hashing_algorithm_pam=cis_rhel10
+          - var_password_hashing_algorithm=cis_rhel10
+          - var_accounts_minimum_age_login_defs=1
+          - var_password_pam_maxsequence=3
+          - var_password_pam_maxrepeat=3
+          - var_accounts_password_warn_age_login_defs=7
+          - var_password_pam_dictcheck=1
+          - var_password_pam_minclass=4
+          - var_password_pam_minlen=14
+          - var_password_pam_difok=2
           - accounts_minimum_age_login_defs
           - accounts_password_all_shadowed
           - accounts_password_last_change_is_in_past
@@ -174,28 +184,18 @@ controls:
           - set_password_hashing_algorithm_logindefs
           - set_password_hashing_algorithm_passwordauth
           - set_password_hashing_algorithm_systemauth
-          - var_accounts_minimum_age_login_defs=1
-          - var_accounts_password_warn_age_login_defs=7
-          - var_password_hashing_algorithm=cis_rhel10
-          - var_password_hashing_algorithm_pam=cis_rhel10
-          - var_password_pam_dictcheck=1
-          - var_password_pam_difok=2
-          - var_password_pam_maxrepeat=3
-          - var_password_pam_maxsequence=3
-          - var_password_pam_minclass=4
-          - var_password_pam_minlen=14
       status: automated
     - id: ia-5.1
       title: Password-based Authentication
       levels:
           - low
       rules:
+          - var_password_pam_remember_control_flag=requisite_or_required
+          - var_password_pam_remember=24
           - accounts_password_pam_pwhistory_remember_password_auth
           - accounts_password_pam_pwhistory_remember_system_auth
           - accounts_password_pam_unix_enabled
           - accounts_password_pam_unix_no_remember
-          - var_password_pam_remember=24
-          - var_password_pam_remember_control_flag=requisite_or_required
       status: automated
     - id: ia-5.2
       title: Public Key-based Authentication
@@ -338,8 +338,8 @@ controls:
       levels:
           - low
       rules:
-          - sudo_require_reauthentication
           - var_sudo_timestamp_timeout=15_minutes
+          - sudo_require_reauthentication
       status: automated
     - id: ia-12
       title: Identity Proofing

shared/references/controls/nist_800_53_cis_reference_rhel10/sc.yml

@@ -26,9 +26,9 @@ controls:
       levels:
           - high
       rules:
+          - var_selinux_state=enforcing
           - selinux_not_disabled
           - selinux_state
-          - var_selinux_state=enforcing
       status: automated
     - id: sc-3.1
       title: Hardware Separation
@@ -71,6 +71,7 @@ controls:
       levels:
           - low
       rules:
+          - sysctl_net_ipv4_tcp_syncookies_value=enabled
           - sysctl_net_ipv4_tcp_syncookies
       status: automated
     - id: sc-5.1