CoreOS 4.x - Access Control

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

Control Name | Status
AC-1 Access Control Policy And Procedures | not applicable
AC-2 Account Management | not applicable
AC-2 (1) Automated System Account Management | not applicable
AC-2 (2) Removal Of Temporary / Emergency Accounts | not applicable
AC-2 (3) Disable Inactive Accounts | not applicable
AC-2 (4) Automated Audit Actions | not applicable
AC-2 (5) Inactivity Logout | planned
AC-2 (6) Dynamic Privilege Management | planned
AC-2 (7) Role-Based Schemes | planned
AC-2 (8) Dynamic Account Creation | planned
AC-2 (9) Restrictions On Use Of Shared / Group Accounts | not applicable
AC-2 (10) Shared / Group Account Credential Termination | not applicable
AC-2 (11) Usage Conditions | not applicable
AC-2 (12) Account Monitoring / Atypical Usage | not applicable
AC-2 (13) Disable Accounts For High-Risk Individuals | not applicable
AC-3 Access Enforcement | planned
AC-3 (1) Restricted Access To Privileged Functions | not applicable
AC-3 (2) Dual Authorization | 
AC-3 (3) Mandatory Access Control | planned
AC-3 (4) Discretionary Access Control | planned
AC-3 (5) Security-Relevant Information | planned
AC-3 (6) Protection Of User And System Information | not applicable
AC-3 (7) Role-Based Access Control | planned
AC-3 (8) Revocation Of Access Authorizations | planned
AC-3 (9) Controlled Release | planned
AC-3 (10) Audited Override Of Access Control Mechanisms | complete
AC-4 Information Flow Enforcement | planned
AC-4 (1) Object Security Attributes | planned
AC-4 (2) Processing Domains | planned
AC-4 (3) Dynamic Information Flow Control | planned
AC-4 (4) Content Check Encrypted Information | not applicable
AC-4 (5) Embedded Data Types | not applicable
AC-4 (6) Metadata | planned
AC-4 (7) One-Way Flow Mechanisms | not applicable
AC-4 (8) Security Policy Filters | planned
AC-4 (9) Human Reviews | 
AC-4 (10) Enable / Disable Security Policy Filters | complete
AC-4 (11) Configuration Of Security Policy Filters | complete
AC-4 (12) Data Type Identifiers | planned
AC-4 (13) Decomposition Into Policy-Relevant Subcomponents | planned
AC-4 (14) Security Policy Filter Constraints | planned
AC-4 (15) Detection Of Unsanctioned Information | planned
AC-4 (16) Information Transfers On Interconnected Systems | not applicable
AC-4 (17) Domain Authentication | planned
AC-4 (18) Security Attribute Binding | planned
AC-4 (19) Validation Of Metadata | planned
AC-4 (20) Approved Solutions | planned
AC-4 (21) Physical / Logical Separation Of Information Flows | planned
AC-4 (22) Access Only | planned
AC-5 Separation Of Duties | not applicable
AC-6 Least Privilege | planned
AC-6 (1) Authorize Access To Security Functions | not applicable
AC-6 (2) Non-Privileged Access For Nonsecurity Functions | not applicable
AC-6 (3) Network Access To Privileged Commands | planned
AC-6 (4) Separate Processing Domains | planned
AC-6 (5) Privileged Accounts | planned
AC-6 (6) Privileged Access By Non-Organizational Users | planned
AC-6 (7) Review Of User Privileges | planned
AC-6 (8) Privilege Levels For Code Execution | planned
AC-6 (9) Auditing Use Of Privileged Functions | planned
AC-6 (10) Prohibit Non-Privileged Users From Executing Privileged Functions | planned
AC-7 Unsuccessful Logon Attempts | planned
AC-7 (1) Automatic Account Lock | not applicable
AC-7 (2) Purge / Wipe Mobile Device | not applicable
AC-8 System Use Notification | planned
AC-9 Previous Logon (Access) Notification | planned
AC-9 (1) Unsuccessful Logons | planned
AC-9 (2) Successful / Unsuccessful Logons | planned
AC-9 (3) Notification Of Account Changes | planned
AC-9 (4) Additional Logon Information | planned
AC-10 Concurrent Session Control | planned
AC-11 Session Lock | complete
AC-11 (1) Pattern-Hiding Displays | complete
AC-12 Session Termination | planned
AC-12 (1) User-Initiated Logouts / Message Displays | complete
AC-13 Supervision And Review - Access Control | not applicable
AC-14 Permitted Actions Without Identification Or Authentication | complete
AC-14 (1) Necessary Uses | not applicable
AC-15 Automated Marking | not applicable
AC-16 Security Attributes | not applicable
AC-16 (1) Dynamic Attribute Association | planned
AC-16 (2) Attribute Value Changes By Authorized Individuals | planned
AC-16 (3) Maintenance Of Attribute Associations By Information System | planned
AC-16 (4) Association Of Attributes By Authorized Individuals | planned
AC-16 (5) Attribute Displays For Output Devices | planned
AC-16 (6) Maintenance Of Attribute Association By Organization | planned
AC-16 (7) Consistent Attribute Interpretation | planned
AC-16 (8) Association Techniques / Technologies | planned
AC-16 (9) Attribute Reassignment | planned
AC-16 (10) Attribute Configuration By Authorized Individuals | planned
AC-17 Remote Access | planned
AC-17 (1) Automated Monitoring / Control | complete
AC-17 (2) Protection Of Confidentiality / Integrity Using Encryption | planned
AC-17 (3) Managed Access Control Points | planned
AC-17 (4) Privileged Commands / Access | planned
AC-17 (5) Monitoring For Unauthorized Connections | not applicable
AC-17 (6) Protection Of Information | planned
AC-17 (7) Additional Protection For Security Function Access | not applicable
AC-17 (8) Disable Nonsecure Network Protocols | not applicable
AC-17 (9) Disconnect / Disable Access | complete
AC-18 Wireless Access | not applicable
AC-18 (1) Authentication And Encryption | not applicable
AC-18 (2) Monitoring Unauthorized Connections | not applicable
AC-18 (3) Disable Wireless Networking | planned
AC-18 (4) Restrict Configurations By Users | planned
AC-18 (5) Antennas / Transmission Power Levels | planned
AC-19 Access Control For Mobile Devices | not applicable
AC-19 (1) Use Of Writable / Portable Storage Devices | not applicable
AC-19 (2) Use Of Personally Owned Portable Storage Devices | not applicable
AC-19 (3) Use Of Portable Storage Devices With No Identifiable Owner | not applicable
AC-19 (4) Restrictions For Classified Information | not applicable
AC-19 (5) Full Device / Container-Based Encryption | not applicable
AC-20 Use Of External Information Systems | not applicable
AC-20 (1) Limits On Authorized Use | not applicable
AC-20 (2) Portable Storage Devices | not applicable
AC-20 (3) Non-Organizationally Owned Systems / Components / Devices | not applicable
AC-20 (4) Network Accessible Storage Devices | not applicable
AC-21 Information Sharing | not applicable
AC-21 (1) Automated Decision Support | not applicable
AC-21 (2) Information Search And Retrieval | not applicable
AC-22 Publicly Accessible Content | not applicable
AC-23 Data Mining Protection | not applicable
AC-24 Access Control Decisions | planned
AC-24 (1) Transmit Access Authorization Information | planned
AC-24 (2) No User Or Process Identity | planned
AC-25 Reference Monitor | planned




AC-1: Access Control Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
   1. Access control policy [Assignment: organization-defined frequency]; and
   2. Access control procedures [Assignment: organization-defined frequency].

AC-1 Control Response Information
Implementation Status:

not applicable

AC-1: What is the solution and how is it implemented?

AC-1 is an organizational control outside the scope of configuring CoreOS. The technical enforcement of the policy it requires falls under other controls, such as AC-2 (3), which disables inactive accounts.




AC-2: Account Management

The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
   1. When accounts are no longer required;
   2. When users are terminated or transferred; and
   3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
   1. A valid access authorization;
   2. Intended system usage; and
   3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-2 Control Response Information
Implementation Status:

not applicable

AC-2: What is the solution and how is it implemented?

AC-2 is an organizational control outside the scope of configuring CoreOS.




AC-2 (1): Automated System Account Management

“The organization employs automated mechanisms to support the management of information system accounts.”

AC-2 (1) Control Response Information
Implementation Status:

not applicable

AC-2 (1): What is the solution and how is it implemented?

CoreOS supports automated account management by logging account and system activity so that it can be monitored. While CoreOS can generate audit data and securely transport it to a SIEM, it does not provide automated notification mechanisms (e.g. email, text messages) in response to system events. That functionality would fall to third-party software.




AC-2 (2): Removal Of Temporary / Emergency Accounts

“The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].”

AC-2 (2) Control Response Information
Implementation Status:

not applicable

AC-2 (2): What is the solution and how is it implemented?

CoreOS does not have the capability to create guest/anonymous accounts or temporary accounts. Any external emergency or temporary accounts will be inherited from, and managed by, an external identity service (e.g. LDAP).




AC-2 (3): Disable Inactive Accounts

“The information system automatically disables inactive accounts after [Assignment: organization-defined time period].”

AC-2 (3) Control Response Information
Implementation Status:

not applicable

AC-2 (3): What is the solution and how is it implemented?

CoreOS end-user account management is inherited from the hosting environment. Automatic disabling of these accounts must happen at the centralized account management level; for example, within LDAP, Red Hat IdM, or Active Directory.




AC-2 (4): Automated Audit Actions

“The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].”

AC-2 (4) Control Response Information
Implementation Status:

not applicable

AC-2 (4): What is the solution and how is it implemented?

To meet FISMA requirements, CoreOS must be configured to use centralized authentication (e.g. LDAP, Red Hat IdM, Active Directory). Auditing account creation, modification, enabling, disabling, and removal actions is the responsibility of the centralized service, as is notifying organization-defined personnel or roles.




AC-2 (5): Inactivity Logout

“The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].”

AC-2 (5) Control Response Information
Implementation Status:

planned

AC-2 (5): What is the solution and how is it implemented?

A control response for AC-2 (5) is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/739




AC-2 (6): Dynamic Privilege Management

“The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].”

AC-2 (6) Control Response Information
Implementation Status:

planned

AC-2 (6): What is the solution and how is it implemented?

A control response for AC-2 (6) is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/740




AC-2 (7): Role-Based Schemes

The organization:
(7)(a). Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(7)(b). Monitors privileged role assignments; and
(7)(c). Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

AC-2 (7) Control Response Information
Implementation Status:

planned

AC-2 (7): What is the solution and how is it implemented?
AC-2 (7)(a):

A control response to AC-2(7)(a) is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/741

AC-2 (7)(b):

This is an organizational control and not applicable to the configuration of CoreOS.

AC-2 (7)(c):

This is an organizational control and not applicable to the configuration of CoreOS.




AC-2 (8): Dynamic Account Creation

“The information system creates [Assignment: organization-defined information system accounts] dynamically.”

AC-2 (8) Control Response Information
Implementation Status:

planned

AC-2 (8): What is the solution and how is it implemented?

A control response for AC-2 (8) is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/742




AC-2 (9): Restrictions On Use Of Shared / Group Accounts

“The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].”

AC-2 (9) Control Response Information
Implementation Status:

not applicable

AC-2 (9): What is the solution and how is it implemented?

This control is applicable to the identity service provider and outside the scope of CoreOS configuration.




AC-2 (10): Shared / Group Account Credential Termination

“The information system terminates shared/group account credentials when members leave the group.”

AC-2 (10) Control Response Information
Implementation Status:

not applicable

AC-2 (10): What is the solution and how is it implemented?

CoreOS does not have the concept of group accounts.

Should the organization allow shared credentials, the creation and management of such accounts would be the responsibility of the shared identity service and not CoreOS.




AC-2 (11): Usage Conditions

“The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].”

AC-2 (11) Control Response Information
Implementation Status:

not applicable

AC-2 (11): What is the solution and how is it implemented?

This control is applicable to the identity service provider and outside the scope of CoreOS configuration.




AC-2 (12): Account Monitoring / Atypical Usage

The organization:
(12)(a). Monitors information system accounts for [Assignment: organization-defined atypical usage]; and
(12)(b). Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].

AC-2 (12) Control Response Information
Implementation Status:

not applicable

AC-2 (12): What is the solution and how is it implemented?
AC-2 (12)(a):

This control is applicable to the identity service provider and outside the scope of CoreOS configuration.

AC-2 (12)(b):

This control is applicable to the identity service provider and outside the scope of CoreOS configuration.




AC-2 (13): Disable Accounts For High-Risk Individuals

“The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.”

AC-2 (13) Control Response Information
Implementation Status:

not applicable

AC-2 (13): What is the solution and how is it implemented?

This control is applicable to the identity service provider, and outside the scope of CoreOS configuration.




AC-3: Access Enforcement

“The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.”

AC-3 Control Response Information
Implementation Status:

planned

AC-3: What is the solution and how is it implemented?

A response to AC-3 is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/743




AC-3 (1): Restricted Access To Privileged Functions

“[Withdrawn: Incorporated into AC-6].”

AC-3 (1) Control Response Information
Implementation Status:

not applicable

AC-3 (1): What is the solution and how is it implemented?

This control was withdrawn by NIST, and incorporated into AC-6:

http://atopathways.redhatgov.io/product-documents/coreos4/nist-800-53/ac/#AC-6




AC-3 (2): Dual Authorization

“The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].”

AC-3 (2) Control Response Information
Implementation Status:
AC-3 (2): What is the solution and how is it implemented?

CoreOS does not support dual authorization of commands. Authenticated users are able to issue any command(s) they are authorized for.

It is recommended that only organizationally trusted individuals receive authentication and authorization privileges to CoreOS systems.




AC-3 (3): Mandatory Access Control

The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
(3)(a). Is uniformly enforced across all subjects and objects within the boundary of the information system;
(3)(b). Specifies that a subject that has been granted access to information is constrained from doing any of the following:
   (3)(b)(1). Passing the information to unauthorized subjects or objects;
   (3)(b)(2). Granting its privileges to other subjects;
   (3)(b)(3). Changing one or more security attributes on subjects, objects, the information system, or information system components;
   (3)(b)(4). Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
   (3)(b)(5). Changing the rules governing access control; and
(3)(c). Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.

AC-3 (3) Control Response Information
Implementation Status:

planned

AC-3 (3): What is the solution and how is it implemented?

A response to AC-3 (3) is planned. Progress can be tracked via:

https://github.com/ComplianceAsCode/redhat/issues/744