Red Hat Virtualization Host - System and Information Integrity

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

| Control | Name | Status |
|---|---|---|
| SI-1 | System And Information Integrity Policy And Procedures | not applicable |
| SI-2 | Flaw Remediation | not applicable |
| SI-2 (1) | Central Management | |
| SI-2 (2) | Automated Flaw Remediation Status | |
| SI-2 (3) | Time To Remediate Flaws / Benchmarks For Corrective Actions | |
| SI-2 (4) | Automated Patch Management Tools | |
| SI-2 (5) | Automatic Software / Firmware Updates | |
| SI-2 (6) | Removal Of Previous Versions Of Software / Firmware | |
| SI-3 | Malicious Code Protection | not applicable |
| SI-3 (1) | Central Management | |
| SI-3 (2) | Automatic Updates | |
| SI-3 (3) | Non-Privileged Users | |
| SI-3 (4) | Updates Only By Privileged Users | |
| SI-3 (5) | Portable Storage Devices | |
| SI-3 (6) | Testing / Verification | |
| SI-3 (7) | Nonsignature-Based Detection | |
| SI-3 (8) | Detect Unauthorized Commands | |
| SI-3 (9) | Authenticate Remote Commands | |
| SI-3 (10) | Malicious Code Analysis | |
| SI-4 | Information System Monitoring | not applicable |
| SI-4 (1) | System-Wide Intrusion Detection System | |
| SI-4 (2) | Automated Tools For Real-Time Analysis | |
| SI-4 (3) | Automated Tool Integration | |
| SI-4 (4) | Inbound And Outbound Communications Traffic | |
| SI-4 (5) | System-Generated Alerts | |
| SI-4 (6) | Restrict Non-Privileged Users | |
| SI-4 (7) | Automated Response To Suspicious Events | |
| SI-4 (8) | Protection Of Monitoring Information | |
| SI-4 (9) | Testing Of Monitoring Tools | |
| SI-4 (10) | Visibility Of Encrypted Communications | |
| SI-4 (11) | Analyze Communications Traffic Anomalies | |
| SI-4 (12) | Automated Alerts | |
| SI-4 (13) | Analyze Traffic / Event Patterns | |
| SI-4 (14) | Wireless Intrusion Detection | |
| SI-4 (15) | Wireless To Wireline Communications | |
| SI-4 (16) | Correlate Monitoring Information | |
| SI-4 (17) | Integrated Situational Awareness | |
| SI-4 (18) | Analyze Traffic / Covert Exfiltration | |
| SI-4 (19) | Individuals Posing Greater Risk | |
| SI-4 (20) | Privileged Users | |
| SI-4 (21) | Probationary Periods | |
| SI-4 (22) | Unauthorized Network Services | |
| SI-4 (23) | Host-Based Devices | |
| SI-4 (24) | Indicators Of Compromise | |
| SI-5 | Security Alerts, Advisories, And Directives | not applicable |
| SI-5 (1) | Automated Alerts And Advisories | |
| SI-6 | Security Function Verification | |
| SI-6 (1) | Notification Of Failed Security Tests | |
| SI-6 (2) | Automation Support For Distributed Testing | |
| SI-6 (3) | Report Verification Results | |
| SI-7 | Software, Firmware, And Information Integrity | |
| SI-7 (1) | Integrity Checks | |
| SI-7 (2) | Automated Notifications Of Integrity Violations | |
| SI-7 (3) | Centrally-Managed Integrity Tools | |
| SI-7 (4) | Tamper-Evident Packaging | |
| SI-7 (5) | Automated Response To Integrity Violations | |
| SI-7 (6) | Cryptographic Protection | |
| SI-7 (7) | Integration Of Detection And Response | |
| SI-7 (8) | Auditing Capability For Significant Events | |
| SI-7 (9) | Verify Boot Process | |
| SI-7 (10) | Protection Of Boot Firmware | |
| SI-7 (11) | Confined Environments With Limited Privileges | |
| SI-7 (12) | Integrity Verification | |
| SI-7 (13) | Code Execution In Protected Environments | |
| SI-7 (14) | Binary Or Machine Executable Code | |
| SI-7 (15) | Code Authentication | |
| SI-7 (16) | Time Limit On Process Execution W/O Supervision | |
| SI-8 | Spam Protection | |
| SI-8 (1) | Central Management | |
| SI-8 (2) | Automatic Updates | |
| SI-8 (3) | Continuous Learning Capability | |
| SI-9 | Information Input Restrictions | |
| SI-10 | Information Input Validation | |
| SI-10 (1) | Manual Override Capability | |
| SI-10 (2) | Review / Resolution Of Errors | |
| SI-10 (3) | Predictable Behavior | |
| SI-10 (4) | Review / Timing Interactions | |
| SI-10 (5) | Restrict Inputs To Trusted Sources And Approved Formats | |
| SI-11 | Error Handling | |
| SI-12 | Information Handling And Retention | not applicable |
| SI-13 | Predictable Failure Prevention | |
| SI-13 (1) | Transferring Component Responsibilities | |
| SI-13 (2) | Time Limit On Process Execution Without Supervision | |
| SI-13 (3) | Manual Transfer Between Components | |
| SI-13 (4) | Standby Component Installation / Notification | |
| SI-13 (5) | Failover Capability | |
| SI-14 | Non-Persistence | |
| SI-14 (1) | Refresh From Trusted Sources | |
| SI-15 | Information Output Filtering | |
| SI-16 | Memory Protection | |
| SI-17 | Fail-Safe Procedures | |



SI-1: System And Information Integrity Policy And Procedures

The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and

b. Reviews and updates the current:
   1. System and information integrity policy [Assignment: organization-defined frequency]; and
   2. System and information integrity procedures [Assignment: organization-defined frequency].

SI-1 Control Response Information
Implementation Status:

not applicable

SI-1: What is the solution and how is it implemented?
SI-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SI-2: Flaw Remediation

The organization:

a. Identifies, reports, and corrects information system flaws;

b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and

d. Incorporates flaw remediation into the organizational configuration management process.

SI-2 Control Response Information
Implementation Status:

not applicable

SI-2: What is the solution and how is it implemented?
SI-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SI-2 (1): Central Management

“The organization centrally manages the flaw remediation process.”

SI-2 (1) Control Response Information
Implementation Status:
SI-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-2 (2): Automated Flaw Remediation Status

“The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.”

SI-2 (2) Control Response Information
Implementation Status:
SI-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-2 (3): Time To Remediate Flaws / Benchmarks For Corrective Actions

The organization:

(3)(a). Measures the time between flaw identification and flaw remediation; and

(3)(b). Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

SI-2 (3) Control Response Information
Implementation Status:
SI-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-2 (4): Automated Patch Management Tools

“[Withdrawn: Incorporated into SI-2].”

SI-2 (4) Control Response Information
Implementation Status:
SI-2 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-2 (5): Automatic Software / Firmware Updates

“The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].”

SI-2 (5) Control Response Information
Implementation Status:
SI-2 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-2 (6): Removal Of Previous Versions Of Software / Firmware

“The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.”

SI-2 (6) Control Response Information
Implementation Status:
SI-2 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SI-3: Malicious Code Protection

The organization:

a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;

b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

c. Configures malicious code protection mechanisms to:
   1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
   2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3 Control Response Information
Implementation Status:

not applicable

SI-3: What is the solution and how is it implemented?
SI-3(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-3(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-3(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SI-3(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SI-3 (1): Central Management

“The organization centrally manages malicious code protection mechanisms.”

SI-3 (1) Control Response Information
Implementation Status: