RedHatProductSecurity · trestle-bot · Feb 16, 2024 · Feb 21, 2024
diff --git a/.github/workflows/autofix-profile.yml b/.github/workflows/autofix-profile.yml
@@ -31,7 +31,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Autofix profile
         id: autofix-profile
-        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.5.0
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.7.0
         with:
           markdown_path: "markdown/profiles"
           oscal_model: "profile"

diff --git a/.github/workflows/regenerate-profile.yml b/.github/workflows/regenerate-profile.yml
@@ -27,7 +27,7 @@ jobs:
           token: ${{ steps.get_installation_token.outputs.token }}
       - name: Regenerate profiles
         id: regenerate
-        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.5.0
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.7.0
         with:
           markdown_path: "markdown/profiles"
           oscal_model: "profile"

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Check profile
         id: check-profile
-        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.5.0
+        uses: RedHatProductSecurity/trestle-bot/actions/autosync@v0.7.0
         with:
           markdown_path: "markdown/profiles"
           oscal_model: "profile"

diff --git a/markdown/profiles/test_profile/ac/ac-1.md b/markdown/profiles/test_profile/ac/ac-1.md
@@ -0,0 +1,128 @@
+---
+x-trestle-set-params:
+  # You may set values for parameters in the assembled Profile by adding
+  #
+  # profile-values:
+  #   - value 1
+  #   - value 2
+  #
+  # below a section of values:
+  # The values list refers to the values in the catalog, and the profile-values represent values
+  # in SetParameters of the Profile.
+  #
+  ac-1_prm_1:
+    aggregates:
+      - ac-01_odp.01
+      - ac-01_odp.02
+  ac-01_odp.01:
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.02:
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.03:
+    alt-identifier: ac-1_prm_2
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.04:
+    alt-identifier: ac-1_prm_3
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.05:
+    alt-identifier: ac-1_prm_4
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.06:
+    alt-identifier: ac-1_prm_5
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.07:
+    alt-identifier: ac-1_prm_6
+    profile-values:
+      - <REPLACE_ME>
+  ac-01_odp.08:
+    alt-identifier: ac-1_prm_7
+    profile-values:
+      - <REPLACE_ME>
+x-trestle-global:
+  profile:
+    title: REPLACE_ME
+  sort-id: ac-01
+---
+
+# ac-1 - \[Access Control\] Policy and Procedures
+
+## Control Statement
+
+- \[a.\] Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:
+
+  - \[1.\] {{ insert: param, ac-01_odp.03 }} access control policy that:
+
+    - \[(a)\] Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
+    - \[(b)\] Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
+
+  - \[2.\] Procedures to facilitate the implementation of the access control policy and the associated access controls;
+
+- \[b.\] Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and
+
+- \[c.\] Review and update the current access control:
+
+  - \[1.\] Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and
+  - \[2.\] Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.
+
+## Control Assessment Objective
+
+- \[AC-01a.\]
+
+  - \[AC-01a.[01]\] an access control policy is developed and documented;
+  - \[AC-01a.[02]\] the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};
+  - \[AC-01a.[03]\] access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+  - \[AC-01a.[04]\] the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};
+  - \[AC-01a.01\]
+
+    - \[AC-01a.01(a)\]
+
+      - \[AC-01a.01(a)[01]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;
+      - \[AC-01a.01(a)[02]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;
+      - \[AC-01a.01(a)[03]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;
+      - \[AC-01a.01(a)[04]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;
+      - \[AC-01a.01(a)[05]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;
+      - \[AC-01a.01(a)[06]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;
+      - \[AC-01a.01(a)[07]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;
+
+    - \[AC-01a.01(b)\] the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+
+- \[AC-01b.\] the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;
+
+- \[AC-01c.\]
+
+  - \[AC-01c.01\]
+
+    - \[AC-01c.01[01]\] the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};
+    - \[AC-01c.01[02]\] the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};
+
+  - \[AC-01c.02\]
+
+    - \[AC-01c.02[01]\] the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};
+    - \[AC-01c.02[02]\] the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.
+
+## Control guidance
+
+Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
+
+# Editable Content
+
+<!-- Make additions and edits below -->
+<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
+<!-- If the profile makes additions to the control, they will appear below. -->
+<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
+<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
+<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
+<!-- The current profile has no added parts for this control, but you may add new ones here. -->
+<!-- Each addition must have a heading either of the form ## Control my_addition_name -->
+<!-- or ## Part a. (where the a. refers to one of the control statement labels.) -->
+<!-- "## Control" parts are new parts added after the statement part. -->
+<!-- "## Part" parts are new parts added into the top-level statement part with that label. -->
+<!-- Subparts may be added with nested hash levels of the form ### My Subpart Name -->
+<!-- underneath the parent ## Control or ## Part being added -->
+<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->
diff --git a/markdown/profiles/test_profile/ac/ac-10.md b/markdown/profiles/test_profile/ac/ac-10.md
@@ -0,0 +1,56 @@
+---
+x-trestle-set-params:
+  # You may set values for parameters in the assembled Profile by adding
+  #
+  # profile-values:
+  #   - value 1
+  #   - value 2
+  #
+  # below a section of values:
+  # The values list refers to the values in the catalog, and the profile-values represent values
+  # in SetParameters of the Profile.
+  #
+  ac-10_odp.01:
+    alt-identifier: ac-10_prm_1
+    profile-values:
+      - <REPLACE_ME>
+  ac-10_odp.02:
+    alt-identifier: ac-10_prm_2
+    profile-values:
+      - <REPLACE_ME>
+x-trestle-global:
+  profile:
+    title: REPLACE_ME
+  sort-id: ac-10
+---
+
+# ac-10 - \[Access Control\] Concurrent Session Control
+
+## Control Statement
+
+Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}.
+
+## Control Assessment Objective
+
+the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.
+
+## Control guidance
+
+Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.
+
+# Editable Content
+
+<!-- Make additions and edits below -->
+<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
+<!-- If the profile makes additions to the control, they will appear below. -->
+<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
+<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
+<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
+<!-- The current profile has no added parts for this control, but you may add new ones here. -->
+<!-- Each addition must have a heading either of the form ## Control my_addition_name -->
+<!-- or ## Part a. (where the a. refers to one of the control statement labels.) -->
+<!-- "## Control" parts are new parts added after the statement part. -->
+<!-- "## Part" parts are new parts added into the top-level statement part with that label. -->
+<!-- Subparts may be added with nested hash levels of the form ### My Subpart Name -->
+<!-- underneath the parent ## Control or ## Part being added -->
+<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->
diff --git a/markdown/profiles/test_profile/ac/ac-11.1.md b/markdown/profiles/test_profile/ac/ac-11.1.md
@@ -0,0 +1,37 @@
+---
+x-trestle-global:
+  profile:
+    title: REPLACE_ME
+  sort-id: ac-11.01
+---
+
+# ac-11.1 - \[Access Control\] Pattern-hiding Displays
+
+## Control Statement
+
+Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
+
+## Control Assessment Objective
+
+information previously visible on the display is concealed, via device lock, with a publicly viewable image.
+
+## Control guidance
+
+The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed.
+
+# Editable Content
+
+<!-- Make additions and edits below -->
+<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
+<!-- If the profile makes additions to the control, they will appear below. -->
+<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
+<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
+<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
+<!-- The current profile has no added parts for this control, but you may add new ones here. -->
+<!-- Each addition must have a heading either of the form ## Control my_addition_name -->
+<!-- or ## Part a. (where the a. refers to one of the control statement labels.) -->
+<!-- "## Control" parts are new parts added after the statement part. -->
+<!-- "## Part" parts are new parts added into the top-level statement part with that label. -->
+<!-- Subparts may be added with nested hash levels of the form ### My Subpart Name -->
+<!-- underneath the parent ## Control or ## Part being added -->
+<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->
diff --git a/markdown/profiles/test_profile/ac/ac-11.md b/markdown/profiles/test_profile/ac/ac-11.md
@@ -0,0 +1,60 @@
+---
+x-trestle-set-params:
+  # You may set values for parameters in the assembled Profile by adding
+  #
+  # profile-values:
+  #   - value 1
+  #   - value 2
+  #
+  # below a section of values:
+  # The values list refers to the values in the catalog, and the profile-values represent values
+  # in SetParameters of the Profile.
+  #
+  ac-11_odp.01:
+    alt-identifier: ac-11_prm_1
+    profile-values:
+      - <REPLACE_ME>
+  ac-11_odp.02:
+    alt-identifier: ac-11_prm_2
+    profile-values:
+      - <REPLACE_ME>
+x-trestle-global:
+  profile:
+    title: REPLACE_ME
+  sort-id: ac-11
+---
+
+# ac-11 - \[Access Control\] Device Lock
+
+## Control Statement
+
+- \[a.\] Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and
+
+- \[b.\] Retain the device lock until the user reestablishes access using established identification and authentication procedures.
+
+## Control Assessment Objective
+
+- \[AC-11a.\] further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};
+
+- \[AC-11b.\] device lock is retained until the user re-establishes access using established identification and authentication procedures.
+
+## Control guidance
+
+Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays.
+
+# Editable Content
+
+<!-- Make additions and edits below -->
+<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
+<!-- If the profile makes additions to the control, they will appear below. -->
+<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
+<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
+<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
+<!-- The current profile has no added parts for this control, but you may add new ones here. -->
+<!-- Each addition must have a heading either of the form ## Control my_addition_name -->
+<!-- or ## Part a. (where the a. refers to one of the control statement labels.) -->
+<!-- "## Control" parts are new parts added after the statement part. -->
+<!-- "## Part" parts are new parts added into the top-level statement part with that label. -->
+<!-- Subparts may be added with nested hash levels of the form ### My Subpart Name -->
+<!-- underneath the parent ## Control or ## Part being added -->
+<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->
diff --git a/markdown/profiles/test_profile/ac/ac-12.md b/markdown/profiles/test_profile/ac/ac-12.md
@@ -0,0 +1,52 @@
+---
+x-trestle-set-params:
+  # You may set values for parameters in the assembled Profile by adding
+  #
+  # profile-values:
+  #   - value 1
+  #   - value 2
+  #
+  # below a section of values:
+  # The values list refers to the values in the catalog, and the profile-values represent values
+  # in SetParameters of the Profile.
+  #
+  ac-12_odp:
+    alt-identifier: ac-12_prm_1
+    profile-values:
+      - <REPLACE_ME>
+x-trestle-global:
+  profile:
+    title: REPLACE_ME
+  sort-id: ac-12
+---
+
+# ac-12 - \[Access Control\] Session Termination
+
+## Control Statement
+
+Automatically terminate a user session after {{ insert: param, ac-12_odp }}.
+
+## Control Assessment Objective
+
+a user session is automatically terminated after {{ insert: param, ac-12_odp }}.
+
+## Control guidance
+
+Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
+
+# Editable Content
+
+<!-- Make additions and edits below -->
+<!-- The above represents the contents of the control as received by the profile, prior to additions. -->
+<!-- If the profile makes additions to the control, they will appear below. -->
+<!-- The above markdown may not be edited but you may edit the content below, and/or introduce new additions to be made by the profile. -->
+<!-- If there is a yaml header at the top, parameter values may be edited. Use --set-parameters to incorporate the changes during assembly. -->
+<!-- The content here will then replace what is in the profile for this control, after running profile-assemble. -->
+<!-- The current profile has no added parts for this control, but you may add new ones here. -->
+<!-- Each addition must have a heading either of the form ## Control my_addition_name -->
+<!-- or ## Part a. (where the a. refers to one of the control statement labels.) -->
+<!-- "## Control" parts are new parts added after the statement part. -->
+<!-- "## Part" parts are new parts added into the top-level statement part with that label. -->
+<!-- Subparts may be added with nested hash levels of the form ### My Subpart Name -->
+<!-- underneath the parent ## Control or ## Part being added -->
+<!-- See https://ibm.github.io/compliance-trestle/tutorials/ssp_profile_catalog_authoring/ssp_profile_catalog_authoring for guidance. -->