Red Hat Virtualization Host - Access Control

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control Name Status
AC-1 Access Control Policy And Procedures: not applicable
AC-2 Account Management: complete
AC-2 (1) Automated System Account Management
AC-2 (2) Removal Of Temporary / Emergency Accounts
AC-2 (3) Disable Inactive Accounts
AC-2 (4) Automated Audit Actions
AC-2 (5) Inactivity Logout
AC-2 (6) Dynamic Privilege Management
AC-2 (7) Role-Based Schemes
AC-2 (8) Dynamic Account Creation
AC-2 (9) Restrictions On Use Of Shared / Group Accounts
AC-2 (10) Shared / Group Account Credential Termination
AC-2 (11) Usage Conditions
AC-2 (12) Account Monitoring / Atypical Usage
AC-2 (13) Disable Accounts For High-Risk Individuals
AC-3 Access Enforcement: complete
AC-3 (1) Restricted Access To Privileged Functions
AC-3 (2) Dual Authorization
AC-3 (3) Mandatory Access Control
AC-3 (4) Discretionary Access Control
AC-3 (5) Security-Relevant Information
AC-3 (6) Protection Of User And System Information
AC-3 (7) Role-Based Access Control
AC-3 (8) Revocation Of Access Authorizations
AC-3 (9) Controlled Release
AC-3 (10) Audited Override Of Access Control Mechanisms
AC-4 Information Flow Enforcement
AC-4 (1) Object Security Attributes
AC-4 (2) Processing Domains
AC-4 (3) Dynamic Information Flow Control
AC-4 (4) Content Check Encrypted Information
AC-4 (5) Embedded Data Types
AC-4 (6) Metadata
AC-4 (7) One-Way Flow Mechanisms
AC-4 (8) Security Policy Filters
AC-4 (9) Human Reviews
AC-4 (10) Enable / Disable Security Policy Filters
AC-4 (11) Configuration Of Security Policy Filters
AC-4 (12) Data Type Identifiers
AC-4 (13) Decomposition Into Policy-Relevant Subcomponents
AC-4 (14) Security Policy Filter Constraints
AC-4 (15) Detection Of Unsanctioned Information
AC-4 (16) Information Transfers On Interconnected Systems
AC-4 (17) Domain Authentication
AC-4 (18) Security Attribute Binding
AC-4 (19) Validation Of Metadata
AC-4 (20) Approved Solutions
AC-4 (21) Physical / Logical Separation Of Information Flows
AC-4 (22) Access Only
AC-5 Separation Of Duties
AC-6 Least Privilege
AC-6 (1) Authorize Access To Security Functions
AC-6 (2) Non-Privileged Access For Nonsecurity Functions
AC-6 (3) Network Access To Privileged Commands
AC-6 (4) Separate Processing Domains
AC-6 (5) Privileged Accounts
AC-6 (6) Privileged Access By Non-Organizational Users
AC-6 (7) Review Of User Privileges
AC-6 (8) Privilege Levels For Code Execution
AC-6 (9) Auditing Use Of Privileged Functions
AC-6 (10) Prohibit Non-Privileged Users From Executing Privileged Functions
AC-7 Unsuccessful Logon Attempts: partial
AC-7 (1) Automatic Account Lock
AC-7 (2) Purge / Wipe Mobile Device
AC-8 System Use Notification: complete
AC-9 Previous Logon (Access) Notification
AC-9 (1) Unsuccessful Logons
AC-9 (2) Successful / Unsuccessful Logons
AC-9 (3) Notification Of Account Changes
AC-9 (4) Additional Logon Information
AC-10 Concurrent Session Control
AC-11 Session Lock
AC-11 (1) Pattern-Hiding Displays
AC-12 Session Termination
AC-12 (1) User-Initiated Logouts / Message Displays
AC-13 Supervision And Review - Access Control
AC-14 Permitted Actions Without Identification Or Authentication: complete
AC-14 (1) Necessary Uses
AC-15 Automated Marking
AC-16 Security Attributes
AC-16 (1) Dynamic Attribute Association
AC-16 (2) Attribute Value Changes By Authorized Individuals
AC-16 (3) Maintenance Of Attribute Associations By Information System
AC-16 (4) Association Of Attributes By Authorized Individuals
AC-16 (5) Attribute Displays For Output Devices
AC-16 (6) Maintenance Of Attribute Association By Organization
AC-16 (7) Consistent Attribute Interpretation
AC-16 (8) Association Techniques / Technologies
AC-16 (9) Attribute Reassignment
AC-16 (10) Attribute Configuration By Authorized Individuals
AC-17 Remote Access: complete
AC-17 (1) Automated Monitoring / Control
AC-17 (2) Protection Of Confidentiality / Integrity Using Encryption
AC-17 (3) Managed Access Control Points
AC-17 (4) Privileged Commands / Access
AC-17 (5) Monitoring For Unauthorized Connections
AC-17 (6) Protection Of Information
AC-17 (7) Additional Protection For Security Function Access
AC-17 (8) Disable Nonsecure Network Protocols
AC-17 (9) Disconnect / Disable Access
AC-18 Wireless Access: not applicable
AC-18 (1) Authentication And Encryption
AC-18 (2) Monitoring Unauthorized Connections
AC-18 (3) Disable Wireless Networking
AC-18 (4) Restrict Configurations By Users
AC-18 (5) Antennas / Transmission Power Levels
AC-19 Access Control For Mobile Devices: not applicable
AC-19 (1) Use Of Writable / Portable Storage Devices
AC-19 (2) Use Of Personally Owned Portable Storage Devices
AC-19 (3) Use Of Portable Storage Devices With No Identifiable Owner
AC-19 (4) Restrictions For Classified Information
AC-19 (5) Full Device / Container-Based Encryption
AC-20 Use Of External Information Systems: not applicable
AC-20 (1) Limits On Authorized Use
AC-20 (2) Portable Storage Devices
AC-20 (3) Non-Organizationally Owned Systems / Components / Devices
AC-20 (4) Network Accessible Storage Devices
AC-21 Information Sharing
AC-21 (1) Automated Decision Support
AC-21 (2) Information Search And Retrieval
AC-22 Publicly Accessible Content: not applicable
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-24 (1) Transmit Access Authorization Information
AC-24 (2) No User Or Process Identity
AC-25 Reference Monitor



AC-1: Access Control Policy And Procedures

The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
   1. Access control policy [Assignment: organization-defined frequency]; and
   2. Access control procedures [Assignment: organization-defined frequency].

AC-1 Control Response Information
Implementation Status: not applicable

AC-1: What is the solution and how is it implemented?
AC-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




AC-2: Account Management

The organization:

a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
   1. When accounts are no longer required;
   2. When users are terminated or transferred; and
   3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
   1. A valid access authorization;
   2. Intended system usage; and
   3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-2 Control Response Information
Implementation Status: complete

AC-2: What is the solution and how is it implemented?
AC-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(g):

‘The audit subsystem must be enabled to ensure audit and monitoring of Red Hat Virtualization Host (RHVH) information system accounts.

The following configuration checks must be satisfied to meet AC-2(g):

  • CCE-27407-6: Enable auditd Service

Additional controls, such as AU-2, provide the organization-defined events that the audit subsystem is responsible for capturing.’

AC-2(h):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(i):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(j):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

AC-2(k):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




AC-2 (1): Automated System Account Management

“The organization employs automated mechanisms to support the management of information system accounts.”

AC-2 (1) Control Response Information
Implementation Status:
AC-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AC-2 (2): Removal Of Temporary / Emergency Accounts

“The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].”

AC-2 (2) Control Response Information
Implementation Status:
AC-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AC-2 (3): Disable Inactive Accounts

“The information system automatically disables inactive accounts after [Assignment: organization-defined time period].”

AC-2 (3) Control Response Information
Implementation Status:
AC-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AC-2 (4): Automated Audit Actions

“The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].”

AC-2 (4) Control Response Information
Implementation Status:
AC-2 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AC-2 (5): Inactivity Logout

“The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].”

AC-2 (5) Control Response Information
Implementation Status:
AC-2 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



AC-2 (6): Dynamic Privilege Management

“The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].”

AC-2 (6) Control Response Information
Implementation Status: