Changeset 140

Timestamp:

12/13/07 16:38:24 (1 year ago)

Author:

slawrence

Message:

Added stigs to kickstart

Files:

• trunk/RHEL5.1/kickstart/clip.ks (modified) (51 diffs)

trunk/RHEL5.1/kickstart/clip.ks

@@ -27 +27 @@
-## Version .02  Feburary 2007 ##
-## Version .03  December 2007 ##
+
+
-
-#The "install" command tells the system to install a fresh system
@@ -304 +306 @@
-#                    the mounting of each file system (/etc/fstab).
-
-        
-        ## (GEN002420: CAT II) (Previously – G086) The SA will ensure user filesystems,
-        ## removable media, and remote filesystems will be mounted with the nosuid
@@ -406 +407 @@
-                chown root /etc/syslog.conf
-                chmod 640 /etc/syslog.conf
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-                ## (GEN001260: CAT II) (Previously – G037) The SA will ensure all system log
-                ## files have permissions of 640, or more restrictive.
-                ## TODO: Is this correct?
-                perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
-
+
-        # 4.B.4.a(6)(c)
-        # KickStart Actions: Log rotation to 90 days (12 weeks) and turn compression on.
@@ -487 +500 @@
-                                -a exit,possible -S ftruncate -F success=0
-                                -a exit,possible -S ftruncate64 -F success=0
-
+
-                                # GEN002740
-                                ## Audit for files and programs deleted by user
@@ -494 +507 @@
-                                -a exit,possible -w /bin/rm -F success=0 -F success!=0
-                                -a exit,possible -S rename -F success!=0
-
+
-                                # GEN002760
-                                ## Audit all administrative actions
@@ -516 +529 @@
-                                -a exit,always -S settimeofday -F success!=0
-                                -a exit,always -S kill -F success=0 -F success!=0
-
+
-                                #Proc_privilege
-                                -a exit,always -w /bin/chgrp -F success=0 -F success!=0
@@ -524 +537 @@
-                                -a exit,always -w /usr/sbin/groupdel -F success=0 -F success!=0
-                                # Restore imports
-
+
-                                # TCBCK_delete
-                                -a exit,possible -w /usr/sbin/useradd -F success=0 -F success!=0
@@ -532 +545 @@
-                                -a exit,possible -S reboot -F success!=0
-                                # User_setenv
-
+
-                                ## 
-                                ## 4.B.4.a(6)(d)(1) 
@@ -543 +556 @@
-                                -a exit,possible -S delete_module -F success!=0
-                                -a exit,possible -w /bin/su -F success!=0
-
+
-                                # GEN002800
-                                ## Audit use of privileged commands
@@ -554 +567 @@
-                                #  Proc_realgid
-                                #  Proc_setuserids
-
+
-                                ## ???????????
-                                ## Audit application and session initiation
@@ -560 +573 @@
-                                #       
-                                # ????????????
-
+       
-
-                # 4.B.4.a(6)(d)(3)
@@ -569 +582 @@
-                        ## informational data is logged.
-                        echo "auth.notice           /var/log/messages" >> /etc/syslog.conf
+
+                        ## (GEN000440: CAT II) (Previously – G012) The SA will ensure all logon attempts (both
+                        ## successful and unsuccessful) are logged to a system log file.
+                        echo "
+                        # Log all authentication information
+                        auth.*                                  /var/log/authlog" >> /etc/syslog.conf
+
-
-# 4.B.4.a(7) 
@@ -622 +642 @@
-
-                # Passwd strength
+                ## FIXME: ask_oldauthok=update causes problems on RHEL5.1 (commented out for now)
+                ## FIXME: it is likely this could be split up into stigs or is already covered by stigs
-                cat <<-EOF > /etc/pam.d/system-auth
-                        # %PAM-1.0
@@ -646 +668 @@
-                sed -i "s/PASS_MIN_LEN[ \t]*[0-9]*/PASS_MIN_LEN\t8/" /etc/login.defs
-
+                ## (GEN000600: CAT II) (Previously – G019) The IAO will ensure passwords include at
+                ## least two alphabetic characters, one of which must be capitalized.
+                sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth
+                sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth
+
+
+                # Running the authconfig tool WILL clobber these changes!
+                # Taking the executable permissions off of /usr/sbin/authconfig
+                chmod ugo-x /usr/sbin/authconfig
+
-        # 4.B.4.a(11)(d)
-        # KickStart Actions:  None - PROCEDURAL REQUIREMENT
@@ -665 +697 @@
-        #                    for non-replication. 
-
-
-
+
+
+
-
-        # 4.B.4.a(11)(g)
@@ -673 +706 @@
-        #                    integrity.  Red Hat encrypts authenticators using the MD5
-        #                    Message Digest.
+
+                # FIXME: Find a stig for this, maybe GEN000800
+                # Make sure rememberd password are safe
+                touch /etc/security/opasswd
+                chmod 600 /etc/security/opasswd
+
+                ## (GEN001380: CAT II) (Previously – G048) The SA will ensure the /etc/passwd 
+                ## file has permissions of 644, or more restrictive.
+                chmod 644 /etc/passwd
+
+                ## (GEN001400: CAT I) (Previously – G047) The SA will ensure the owner of the 
+                ## /etc/passwd and /etc/shadow files (or equivalent) is root.
+                chown root /etc/passwd
+                chown root /etc/shadow
+
+                ## (GEN001420: CAT II) (Previously – G050) The SA will ensure the /etc/shadow 
+                ## file (or equivalent) has permissions of 400.
+                chmod 400 /etc/shadow
+
-
-# 4.B.4.a(12) 
@@ -684 +736 @@
-                
-        perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config 
+
+        ## (GEN005500: CAT I) (Previously – G701) The IAO and SA will ensure SSH 
+        ## Protocol version 1 is not used, nor will Protocol version 1 compatibility 
+        ## mode be used.
+        if [ `grep -c "^Protocol" /etc/ssh/sshd_config` -gt 0 ]
+        then
+                sed -i "/^Protocol/ c\Protocol 2" /etc/ssh/sshd_config
+        else
+                echo "Protocol 2" >> /etc/ssh/sshd_config
+fi
-
-
@@ -828 +890 @@
-                EOF
-                sed -i "/^#Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config
-
-
-                # GEN000420: CAT II) (Previously – G011) The IAO will ensure the Legal Notice Logon
-                # Warning Banner includes the five points outlined in the CJCSM 6510.01. 
-                sed -i  "s/^\(PATH=.*\)/\/usr\/bin\/gdialog --yesno \"\`cat \/etc\/issue\`\"\nif( test 1 -eq \$\? ); then\n  \/usr\/bin\/gdialog --infobox \"Logging out in 10 Seconds\" 1 20 \&\n  sleep 10\n  exit 1\nfi\n\n\1/" /etc/gdm/PreSession/Default
-
@@ -852 +910 @@
-        # 4.B.4.a(24)(c)
-        # KickStart Actions: None
-
+
-                ## (GEN000460: CAT II) (Previously – G013) The SA will ensure, after three consecutive
-                ## failed logon attempts for an account, the account is locked for 15 minutes or until
@@ -898 +956 @@
-                # 4.B.4.a(26)(a)(3)
-                # KickStart Actions:
-
+
+
-                        echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config
-
@@ -957 +1016 @@
-
-                ## (GEN003600: CAT II) The SA will ensure network parameters are securely set.
+                ## FIXME: This should be a sed replace/append
-                cat <<-EOF > /etc/sysctl.conf
-                        net.ipv4.ip_forward = 0
@@ -965 +1025 @@
-                EOF
-
+                ## (GEN005600: CAT II) The SA will ensure IP forwarding is disabled if the
+                ## system is not dedicated as a router.
+                sed -i "/net\.ipv4\.ip_forward/ c\net.ipv4.ip_forward = 0" /etc/sysctl.conf
+
-                ## (GEN003960: CAT II) (Previously – G631) The SA will ensure the owner of 
-                ## the traceroute command is root.
-                chown root /bin/traceroute
-
+
-                ## (GEN003980: CAT II) (Previously – G632) The SA will ensure the group 
-                ## owner of the traceroute command is root, sys, or bin.
-                chgrp root /bin/traceroute
-
+
-                ## (GEN004000: CAT II) (Previously – G633) The SA will ensure the traceroute
-                ## command has permissions of 700, or more restrictive.
@@ -990 +1054 @@
-                /sbin/chkconfig xinetd off
-
+                ## (GEN003860: CAT III) (Previously – V046) The SA will ensure finger is not
+                ## enabled.
+                /sbin/chkconfig finger off
+
-                ## (GEN003740: CAT II) (Previously – G108) The SA will ensure the inetd.conf
-                ## (xinetd.conf for Linux) file has permissions of 440, or more restrictive.
@@ -998 +1066 @@
-                chmod 440 /etc/xinetd.conf
-
-
+
-        # 4.B.4.b(5)(b)
-        # KickStart Actions: Actions Listed Below
@@ -1010 +1078 @@
-                ## log on to their personal account and invoke the /bin/su - command to switch
-                ## user to root.
-
+
-                # Configure sshd and login to consult pam_access.so
-                sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
@@ -1097 +1165 @@
-                chown root:root /etc/cron.deny
-
+                ## (GEN003300: CAT II) (Previously – G212) The SA will ensure the at.deny file
+                ## is not empty.
+                awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
+
+                ## (GEN003320: CAT II) (Previously – G213) The SA will ensure default system  
+                ## accounts (with the possible exception of root) are not listed in the       
+                ## at.allow file. If there is only an at.deny file, the default accounts      
+                ## (with the possible exception of root) will be listed there.
+                echo "root" > /etc/at.allow
+
+                ## (GEN003340: CAT II) (Previously – G214) The SA will ensure the at.allow and 
+                ## at.deny files have permissions of 600, or more restrictive.
+                chmod 600 /etc/at.allow
+                chmod 600 /etc/at.deny
+
+                ## (GEN003400: CAT II) (Previously – G625) The SA will ensure the at (or 
+                ## equivalent) directory has permissions of 755, or more restrictive.
+                chmod 755 /var/spool/at/spool
+
+                ## (GEN003420: CAT II) (Previously – G626) The SA will ensure the owner and 
+                ## group owner of the at (or equivalent) directory is root, sys, bin, or daemon.
+                chown root:root /var/spool/at/spool
+
+                ## (GEN003460: CAT II) (Previously – G629) The SA will ensure the owner and 
+                ## group owner of the at.allow file is root.
+                chown root:root /etc/at.allow
+
+                ## (GEN003480: CAT II) (Previously – G630) The SA will ensure the owner and 
+                ## group owner of the at.deny file is root.
+                chown root:root /etc/at.deny
+
-                ## (GEN001120: CAT II) (Previously – G500) The SA will configure the 
-                ## encryption program for direct root access only from the system console.
-                sed -i "/^#PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config
-
-                ## GEN002260: CAT III) (Previously – G076) The SA will ensure all local filesystems are
-                ## checked at least weekly against the system baseline to detect any extraneous device files.
-                ## FIXME: This doesn't satisfy the STIG 
-                find /dev -type b -or -type c -or -type s >> /root/blockdevices.`date +%Y:%m:%d644`.txt
-
-                ## (GEN002560: CAT II) (Previously – G089) The SA will ensure the system and
@@ -1133 +1227 @@
-                ## or more restrictive.
-                find /usr/share/man -type f -not -perm 644 -exec chmod 644 {} \;
+
+                ## (GEN003040: CAT II) The SA will ensure the owner of crontabs is root or the 
+                ## crontab creator.
+                chown root /etc/cron.hourly/*
+                chown root /etc/cron.daily/*
+                chown root /etc/cron.weekly/*
+                chown root /etc/cron.monthly/*
+                chown root /etc/cron.d/*
+                chown root /var/spool/cron/*
-
-                ## (GEN003080: CAT II) (Previously – G205) The SA will ensure crontabs have
@@ -1143 +1246 @@
-                chmod 600 /etc/crontab
-                chmod -R 600 /etc/cron.d
-
+
-                ## (GEN003100: CAT II) (Previously – G206) The SA will ensure cron and crontab 
-                ## directories have permissions of 755, or more restrictive.
@@ -1176 +1279 @@
-                chown root:root /var/crash
-                chmod -R 700 /var/crash
-
+
-                ## (GEN04540: CAT II) The SA will ensure the help sendmail command is
-                ## disabled.
@@ -1187 +1290 @@
-                ##   O SmtpGreetingMessage= Mail Server Ready ; $b
-                sed -i '/SmtpGreetingMessage/ c\O SmtpGreetingMessage= Mail Server Ready ; $b' /etc/mail/sendmail.cf
+
+                ## (GEN004360: CAT II) (Previously – G127) The SA will ensure the aliases file 
+                ## is owned by root.
+                chown root /etc/aliases
+
+                ## (GEN004380: CAT II) (Previously – G128) The SA will ensure the aliases file 
+                ## has permissions of 644, or more restrictive.
+                chmod 644 /etc/aliases
-
-                # GEN005360: CAT II - The SA will ensure the owner of the snmpd.conf file is root with a group 
@@ -1217 +1328 @@
-                find /dev -name "*ty*" -exec chmod 700 {} \;
-
+                ## (LNX00320: CAT I) (Previously – L140) The SA will delete accounts that
+                ## provide a special privilege such as shutdown and halt.
+                /usr/sbin/userdel shutdown
+                /usr/sbin/userdel halt
+                /usr/sbin/userdel sync
+
-                ## (LNX00340: CAT II) (Previously – L142) The SA will delete accounts that
-                ## provide no operational purpose, such as games or operator, and will delete
@@ -1225 +1342 @@
-                /usr/sbin/userdel gopher
-                /usr/sbin/userdel nfsnobody
-
+
-                ## (GEN004640: CAT I) (Previously – V126) The SA will ensure the decode entry
-                ## is disabled (deleted or commented out) from the alias file.
@@ -1231 +1348 @@
-                /usr/bin/newaliases
-
-                ## (GEN004500: CAT II) (Previously – G136) The SA will ensure the critical
-                ## sendmail log file has permissions of 644, or more restrictive.
-                chmod 644 /var/log/maillog
-
-                ## (LNX00440: CAT II) (Previously – L046) The SA will ensure /etc/login.access
-                ## or /etc/security/access.conf file will be 640, or more restrictive.
-                chmod 640 /etc/security/access.conf
-
+                ## (GEN006100: CAT II) (Previously – L050) The SA will ensure the owner of 
+                ## the/etc/samba/smb.conf file is root.
+                chown root /etc/samba/smb.conf
+
+                ## (GEN006120: CAT II) (Previously – L051) The SA will ensure the group owner 
+                ## of the /etc/samba/smb.conf file is root.
+                chgrp root /etc/samba/smb.conf
+
+                ## (GEN006140: CAT II) (Previously – L052) The SA will ensure the
+                ## /etc/samba/smb.conf file has permissions of 644, or more restrictive.
+                chmod 644 /etc/samba/smb.conf
+
-                ## (GEN006160: CAT II) (Previously – L054) The SA will ensure the owner of 
-                ## smbpasswd is root.
-                chown root /usr/bin/smbpasswd
-
+                ## (GEN006180: CAT II) (Previously – L055) The SA will ensure group owner of 
+                ## smbpasswd is root.
+                chgrp root /usr/bin/smbpasswd
+
+                ## (GEN006200: CAT II) (Previously – L057) The SA will configure permissions 
+                ## for smbpasswd to 600, or more restrictive.
+                chmod 600 /usr/bin/smbpasswd
+
+                ## (GEN003760: CAT II) (Previously – G109) The SA will ensure the owner of the 
+                ## services file is root or bin.
+                chown root /etc/services
+
+                ## (GEN003780: CAT II) (Previously – G110) The SA will ensure the services 
+                ## file has permissions of 644, or more restrictive.
+                chmod 644 /etc/services
+
+                ## (GEN005740: CAT II) (Previously – G178) The SA will ensure the owner of the 
+                ## export configuration file is root.
+                chown root /etc/exports
+
+                ## (GEN005760: CAT III) (Previously – G179) The SA will ensure the export 
+                ## configuration file has permissions of 644, or more restrictive.
+                chmod 644 /etc/exports
+
+                ## (GEN006260: CAT II) (Previously – L154) The SA will ensure the 
+                ## /etc/news/hosts.nntp file has permissions of 600, or more restrictive.
+                chmod 600 /etc/news/hosts.nntp
+
+                ## (GEN006280: CAT II) (Previously – L156) The SA will ensure the 
+                ## /etc/news/hosts.nntp.nolimit file has permissions of 600, or more 
+                ## restrictive.
+                chmod 600 /etc/news/hosts.nntp.nolimit
+
+                ## (GEN006300: CAT II) (Previously – L158) The SA will ensure the 
+                ## /etc/news/nnrp.access file has permissions of 600, or more restrictive.
+                chmod 600 /etc/news/nnrp.access
+        
+                ## (GEN006320: CAT II) (Previously – L160) The SA will ensure the 
+                # /etc/news/passwd.nntp file has permissions of 600, or more restrictive.
+                chmod 600 /etc/news/passwd.nntp
+
+                ## (GEN006340: CAT II) (Previously – L162) The SA will ensure the owner of all 
+                ## files under the /etc/news subdirectory is root or news.
+                chown -R root /etc/news/*
+
+                ## (GEN006360: CAT II) (Previously – L164) The SA will ensure the group owner 
+                ## of all files in /etc/news is root or news.
+                chgrp -R root /etc/news/*
+        
-                # GEN000960
-
+
+
-                # If we're not running an POP/IMAP server, remove the user dovecot
-                rpm -q dovecot 2>&1 > /dev/null
@@ -1263 +1438 @@
-                fi
-
-
-# 4.B.4.b(6)
-# KickStart Actions: None
@@ -1751 +1925 @@
-
-# AC-1: Access Control Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AC-2: Account Management
+# Kickstart Actions:
+
+        # AC-2(1)
+        # Kickstart Actions:
+
+        # AC-2(2)
+        # Kickstart Actions:
+
+        # AC-2(3)
+        # Kickstart Actions:
+
+        # AC-2(4)
+        # Kickstart Actions:
-
-# AC-3: Access Enforcement
+# Kickstart Actions:
+
+        # AC-3(1)
+        # Kickstart Actions:
-
-# AC-4: Information Flow Enforcement
+# Kickstart Actions:
+
+        # AC-4(1)
+        # Kickstart Actions:
+
+        # AC-4(2)
+        # Kickstart Actions:
+
+        # AC-4(3)
+        # Kickstart Actions:
-
-# AC-5: Separation of Duties
+# Kickstart Actions:
-
-# AC-6: Least Privilege
+# Kickstart Actions:
-
-# AC-7: Unsuccessful Login Attempts
+# Kickstart Actions:
+
+        # AC-7(1)
+        # Kickstart Actions:
-
-# AC-8: System Use Notification
+# Kickstart Actions:
-
-# AC-9: Previous Logon Notification
+# Kickstart Actions:
-
-# AC-10: Concurrent Session Control
+# Kickstart Actions:
-
-# AC-11: Session Lock
+# Kickstart Actions:
-
-# AC-12: Session Termination
+# Kickstart Actions:
+
+        # AC-12(1)
+        # Kickstart Actions:
-
-# AC-13: Supervision and Review—Access Control
+# Kickstart Actions:
+
+        # AC-13(1)
+        # Kickstart Actions:
-
-# AC-14: Permitted Actions without Identification or Authentication
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # AC-14(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AC-15: Automated Marking
+# Kickstart Actions:
-
-# AC-16: Automated Labeling
+# Kickstart Actions: None
-
-# AC-17: Remote Access
+# Kickstart Actions:
+
+        # AC-17(1)
+        # Kickstart Actions:
+
+        # AC-17(2)
+        # Kickstart Actions:
+
+        # AC-17(3)
+        # Kickstart Actions:
+
+        # AC-17(4)
+        # Kickstart Actions:
-
-# AC-18: Wireless Access Restrictions
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # AC-18(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # AC-18(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AC-19: Access Control for Portable and Mobile Devices
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AC-20: Use of External Information Systems
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # AC-20(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1795 +2046 @@
-
-# AT-1: Security Awareness and Training Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AT-2: Security Awareness
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AT-3: Security Training
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AT-4: Security Training Records
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AT-5: Contacts with Security Groups and Associations
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1809 +2065 @@
-
-# AU-1: Audit and Accountability Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-2: Auditable Events
+# Kickstart Actions:
+
+        # AU-2(1)
+        # Kickstart Actions:
+
+        # AU-2(2)
+        # Kickstart Actions:
+
+        # AU-2(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-3: Content of Audit Records
+# Kickstart Actions:
+
+        # AU-2(1)
+        # Kickstart Actions:
+
+        # AU-2(2)
+        # Kickstart Actions:
-
-# AU-4: Audit Storage Capacity
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-5: Response to Audit Processing Failures
+# Kickstart Actions:
+
+        # AU-5(1)
+        # Kickstart Actions:
+
+        # AU-5(2)
+        # Kickstart Actions:
-
-# AU-6: Audit Monitoring, Analysis, and Reporting
+# Kickstart Actions:
+
+        # AU-6(1)
+        # Kickstart Actions:
+
+        # AU-6(2)
+        # Kickstart Actions:
-
-# AU-7: Audit Reduction and Report Generation
+# Kickstart Actions:
+
+        # AU-7(1)
+        # Kickstart Actions:
-
-# AU-8: Time Stamps
+# Kickstart Actions:
+
+        # AU-8(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-9: Protection of Audit Information
+# Kickstart Actions:
+
+        # AU-9(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-10: Non-repudiation
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# AU-11: Audit Record Retention
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1835 +2138 @@
-
-# CA-1: Certification, Accreditation, and Security Assessment Policies and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-2: Security Assessments
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-3: Information System Connections
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-4: Security Certification
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CA-4(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-5: Plan of Action and Milestones
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-6: Security Accreditation
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CA-7: Continuous Monitoring
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CA-7(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1853 +2169 @@
-
-# CM-1: Configuration Management Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-2: Baseline Configuration
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-2(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-2(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-3: Configuration Change Control
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-3(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-4: Monitoring Configuration Changes
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-5: Access Restrictions for Change
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-5(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-6: Configuration Settings
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-6(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-7: Least Functionality
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-7(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CM-8: Information System Component Inventory
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-8(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CM-8(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1873 +2221 @@
-
-# CP-1: Contingency Planning Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-2: Contingency Plan
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-2(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-2(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-3: Contingency Training
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-3(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-3(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-4: Contingency Plan Testing and Exercises
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-4(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-4(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-4(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-5: Contingency Plan Update
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-6: Alternate Storage Site
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-6(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-6(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-6(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-7: Alternate Processing Site
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-7(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-7(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-7(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-7(4)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-8: Telecommunications Services
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-8(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-8(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-8(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-8(4)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-9: Information System Backup
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-9(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-9(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-9(3)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-9(4)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# CP-10: Information System Recovery and Reconstitution Identification and Authentication
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # CP-10(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1897 +2324 @@
-
-# IA-1: Identification and Authentication Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IA-2: User Identification and Authentication
+# Kickstart Actions:
+
+        # IA-2(1)
+        # Kickstart Actions:
+
+        # IA-2(2)
+        # Kickstart Actions:
+
+        # IA-2(3)
+        # Kickstart Actions:
-
-# IA-3: Device Identification and Authentication
+# Kickstart Actions:
-
-# IA-4: Identifier Management
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IA-5: Authenticator Management
+# Kickstart Actions:
-
-# IA-6: Authenticator Feedback
+# Kickstart Actions:
-
-# IA-7: Cryptographic Module Authentication Incident Response
+# Kickstart Actions:
-
-
@@ -1915 +2358 @@
-
-# IR-1: Incident Response Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-2: Incident Response Training
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-2(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-2(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-3: Incident Response Testing and Exercises
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-3(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-4: Incident Handling
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-4(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-5: Incident Monitoring
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-5(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-6: Incident Reporting
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-6(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# IR-7: Incident Response Assistance
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # IR-7(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-
@@ -1933 +2404 @@
-
-# MA-1: System Maintenance Policy and Procedures
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# MA-2: Controlled Maintenance
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # MA-2(1)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
+
+        # MA-2(2)
+        # Kickstart Actions: None - PROCEDURAL REQUIREMENT
-
-# MA-3: Maintenance Tools
+# Kickstart Actions: None - PROCEDURAL REQUIREMENT
+