% \iffalse meta-comment
% Copyright (c) 2015 Jared Jennings <jjennings@fastmail.fm>
%
% Permission is hereby granted, free of charge, to any person
% obtaining a copy of this software and associated documentation
% files (the "Software"), to deal in the Software without
% restriction, including without limitation the rights to use, copy,
% modify, merge, publish, distribute, sublicense, and/or sell copies
% of the Software, and to permit persons to whom the Software is
% furnished to do so, subject to the following conditions:
%
% The above copyright notice and this permission notice shall be
% included in all copies or substantial portions of the Software.
%
% THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
% EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
% MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
% NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
% BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
% ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
% CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
% SOFTWARE.
% \fi
%
% ^^A We cannot \usepackage{cyber}, because it pulls in index,
% ^^A which screws up Doc's attempts to index all the macros we use.
% ^^A Therefore we do not get \filedate and \fileversion for free.
% \def\filedate{2018/01/24}
% \def\fileversion{v2.2}
% \iffalse
%<package>\NeedsTeXFormat{LaTeX2e}
%<package>\ProvidesPackage{cyber}
%<package> [2018/01/24 v2.2 Add some semicolons in accordance with DTIC guidance]
%
%<*driver>
\documentclass{ltxdoc}
\usepackage{fancyvrb}
\DefineShortVerb{\|}
% Make PDF magic happen.
% Thanks, Patrick Joeckel:
% http://www.mpch-mainz.mpg.de/~joeckel/pdflatex/
% Note that I expect always to use pdflatex, not latex+dvipdf
\usepackage[bookmarks=true,bookmarksnumbered=true,breaklinks=true,pdftex]{hyperref}
\hypersetup{
colorlinks=false,
linkbordercolor={0.7 0.7 1.0}
}
\EnableCrossrefs
\RecordChanges
\CodelineIndex
\begin{document}
\DocInput{cyber.dtx}
\end{document}
%</driver>
% \fi
%
% \CheckSum{0}
%
% \CharacterTable
% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
% Digits \0\1\2\3\4\5\6\7\8\9
% Exclamation \! Double quote \" Hash (number) \#
% Dollar \$ Percent \% Ampersand \&
% Acute accent \' Left paren \( Right paren \)
% Asterisk \* Plus \+ Comma \,
% Minus \- Point \. Solidus \/
% Colon \: Semicolon \; Less than \<
% Equals \= Greater than \> Question mark \?
% Commercial at \@ Left bracket \[ Backslash \\
% Right bracket \] Circumflex \^ Underscore \_
% Grave accent \` Left brace \{ Vertical bar \|
% Right brace \} Tilde \~}
%
% \changes{v1.0}{2011/07/18}{Renamed afseocmp to skiadoc}
% \changes{v1.1}{2012/06/06}{Made skiadoc into a \LaTeX\ package}
% \changes{v1.2}{2012/12/14}{Added support for other distribution statements
% besides D; organization logo must now be provided by the document being
% typeset}
% \changes{v1.3}{2012/12/17}{Renamed skiadoc to iadoc}
% \changes{v1.4}{2012/12/31}{Added indexing suppression macros}
% \changes{v1.5}{2013/02/01}{Flattened all compliance indices into one}
% \changes{v1.6}{2015/03/07}{Renamed iadoc to cyber: `IA' does not immediately mean anything outside the DoD, and the DoD has stopped using the term in preference to `cyber' anyway}
% \changes{v2.0}{2015/03/21}{Use index package instead of multind}
% \changes{v2.1}{2015/06/24}{Fix packaging issues}
% \changes{v2.2}{2018/01/24}{Add some semicolons in accordance with DTIC guidance}
%
% \title{The \textsf{cyber} package\thanks{This document corresponds to
% \textsf{cyber}~\fileversion, dated~\filedate.}}
% \author{Jared Jennings \\ \texttt{jjennings@fastmail.fm}}
%
% \maketitle
% \tableofcontents
% \clearpage
%
%
% \section{What \textsf{cyber} is for}
%
% This package helps you construct documents that talk about compliance with
% named requirements.
%
% For example, U.S. National Institute of Standards and Technology
% (NIST) Special Publication (SP) 800-53 sets out \emph{security
% controls} for U.S. Federal agency information systems, one of which
% is AC-2c, ``[The organization] establishes conditions for group and
% role membership.'' You may wish to write a document that says, ``We
% comply with AC-2c, and here's how.'' This package is for you.
%
%
% \section{Document identifiers}
%
% Your document may talk about compliance with named requirements from multiple
% sources. For example, besides compliance with NIST SP 800-53 you might want to
% also talk about compliance with the U.S. Defense Information Systems Agency
% (DISA) UNIX Operating System (OS) Security Requirements Guide (SRG). Now to
% fully identify a requirement, you need to identify both the requirement and
% the document it comes from, for example ``IA control IAAC-1,'' or ``UNIX SRG
% Potential Discrepancy Item (PDI) GEN006480.''
%
% At the beginning of your document, you must identify all sources of named
% requirements; then you can talk about those sources when you are identifying
% the requirements. As examples here we use NIST SP 800-53, and assign it the
% document identifier |secctrl|; and we use the UNIX SRG, identifying it by
% |unixsrg|. See~\S\ref{document_identifiers} for more.
%
%
% \section{Macros used in the body of your document}
%
% When you use the macros below to indicate requirements levied by policies
% handed down from above, or parts of code or documentation that relate to
% those requirements, you get some style for free, and an entry in an index.
% Also, other automated document features are made possible which are not
% strictly based on \LaTeX ; for example, a Puppet manifest annotated using
% \textsf{cyber} may have a table of compliance which a script constructs
% automatically by searching the manifest for uses of these macros.
%
% \subsection{Mentioning named requirements}
%
% Here are macros to use to indicate when you are talking about a specific
% requirement. These tags do not indicate any compliance posture, just that
% we're mentioning the requirement. So use these to refer to requirements in
% passing. Just like the names of celebrities are sometimes set in bold type in
% magazines, so that you can skip around and look for your favorite famous
% person, we want to make it easy to find all mentions of a given named
% requirement.
%
% \begin{itemize}
% \item
% \DescribeMacro{\secctrl}
% |\secctrl| \marg{control identifier}
% \item
% \DescribeMacro{\unixsrg}
% |\unixsrg| \marg{PDI}
% \end{itemize}
%
% The exact set of these macros depends on the set of requirements documents
% named at the beginning of your document; see~\S\ref{document_identifiers}.
%
% Example:
% \begin{Verbatim}[gobble=2]
% Compliance with such and such requirement is similar to compliance with
% \unixsrg{GEN002600}, \emph{q.v.}.
% \end{Verbatim}
%
%
% \subsection{Making assertions about compliance posture}
%
% Most mentions of named requirements are going to be something like, ``We
% comply with bla requirement,'' or ``We don't comply with this one, and here's
% why.'' The following tags make it quick and simple for you to write such
% assertions.
%
%
% \DescribeMacro{\documents}
% Use |\documents| for notating some text in your document that says a fact
% about a system which supports a requirement. It takes two parameters: the
% type of requirement, and the name of the requirement. Example:
%
% \begin{Verbatim}[gobble=2]
% \documents{secctrl}{SC-18} We use only JavaScript, which is Category I
% mobile code according to DoD guidelines.
% \end{Verbatim}
%
% Some requirements say something like, ``All \emph{mumble}s must be justified
% and documented with the Information Assurance Officer (IAO).'' Use
% |\documents| to assert either that those things are documented, right here,
% or that you should look in \emph{bla} document to find that documentation.
%
% For example, the UNIX SRG requires that UNIX systems unable to require a
% password to enter single-user mode must be documented with the IAO.
%
% \begin{Verbatim}[gobble=2]
% \documents{unixsrg}{GEN000040} UNIX hosts unable to require a password
% to enter single-user mode must be documented with the IAO. We administer
% no such UNIX hosts.
% \end{Verbatim}
% (This is written in a document which is produced under the IAO's purview
% and approval; otherwise it would have to point to another document which is
% ``with the IAO.'')
%
%
% \DescribeMacro{\notapplicable}
% Just before some discussion about why a requirement is not applicable in a
% certain situation, put the |\notapplicable| tag. For example:
%
% \begin{Verbatim}[gobble=2]
% \notapplicable{secctrl}{SC-18(5)} We do not use mobile code at all.
% \end{Verbatim}
%
% \DescribeMacro{\implements}
% The |\implements| tag notates a section of code or documentation which
% directly implements a requirement. It's usually used in automated policy. For
% example, the UNIX SRG says under GEN001362, ``The \Verb!/etc/resolv.conf!
% file must be owned by root.'' A piece of Puppet policy that implements this
% requirement may go like:
%
% \begin{Verbatim}[gobble=2]
% # \implements{unixsrg}{GEN001362} Make sure resolv.conf
% # is owned by root.
% file { '/etc/resolv.conf':
% owner => root,
% }
% \end{Verbatim}
%
%
% \DescribeMacro{\doneby}
% The |\doneby| tag is for requirements that are not fulfilled in an automated
% fashion: people are responsible for carrying them out on a day-by-day basis.
% It takes three parameters: who exactly does this thing, the kind of
% requirement, and the requirement's name. For example, the RHEL5 STIG requires
% that SELinux be turned on when installing RHEL5. Administrators have to make
% sure it's enabled during the install process.
%
% \begin{Verbatim}[gobble=2]
% \doneby{admins}{rhel5stig}{GEN000000-LNX00800} Make sure SELinux is
% enabled when installing RHEL5.
% \end{Verbatim}
%
% \DescribeMacro{\bydefault}
% Use the |\bydefault| tag to talk about how a product we use implements a
% given requirement in its default configuration. It takes three parameters:
% the product we're talking about, the kind of requirement, and the
% requirement's name.---For example, the UNIX SRG says under GEN001300 that all
% library files must have mode \Verb!0755! or less permissive. Both RHEL 5 and
% RHEL 6 systems have this property by default.
%
% \begin{Verbatim}[gobble=2]
% \bydefault{RHEL5, RHEL6}{unixsrg}{GEN001300} All library files under
% RHEL are mode \Verb!0755! or less permissive by default.
% \end{Verbatim}
%
%
% \DescribeMacro{\unimplemented}
% Use the |\unimplemented| tag to talk about a requirement we need to fulfill
% but haven't yet. (Don't use |\unimplemented| to talk about a requirement
% we don't intend ever to fulfill: it turns some things red to bring our
% attention to them; we don't want false alarms.)
%
% Note carefully that this tag has three parameters: the kind of
% requirement, the exact requirement, and \emph{the reason} the requirement
% is unimplemented. You can't use \Verb!\Verb! in the reason. Stick with plain
% text.
%
% \begin{Verbatim}[gobble=2]
% \unimplemented{unixsrg}{GEN008380}{Unless root kit checking
% functionality is provided by the virus scanner, we would likely
% want to deploy {\tt chkrootkit}. But this software is not yet
% approved...}
% \end{Verbatim}
%
%
%
%
% \section{Security labels}
%
% Some regulations require that documents be marked and labelled. These
% tags help you do that.
%
% \DescribeMacro{\articlesecuritylabel}
% When you are writing an article (|\documentclass{article}|), this tag helps
% you label it. It will put the text you give at the top of every page. Put
% the tag right after |\usepackage{cyber}|, as close to the top of the
% document source as possible. That way it will be visible to viewers of the
% document source as well.
%
% Most reStructuredText documents use the article class.
%
% Example, in \LaTeX :
% \begin{Verbatim}[gobble=2]
% \articlesecuritylabel{UNCLASSIFIED//FOUO}
% \end{Verbatim}
%
% \DescribeMacro{\booksecuritylabel}
% |\booksecuritylabel| acts the same as |\articlesecuritylabel|, but this is
% the one you should use if you are using the \textsf{book} document class.
%
% Part of marking a document properly is writing the distribution statement and
% statement of disposition on the title page.
%
% See \url{http://www.dtic.mil/dtic/submit/guidance/distribstatement.html} on
% distribution statements and on destruction of limited-distribution
% unclassified documents.
%
% \section{Distribution statements}
%
% Write the distribution statement right after the security label. Statements
% allowed by DoDI 5320.24 as of 23 August 2012 are A through F. Macros for
% these are provided. Dates are set to |\today|. For guidance on the reasons,
% see the DoD instruction.
%
% Just like you need |\maketitle| to make your |\title| show up, you need to
% (instead) use |\makedodtitle| to make your distribution statement show up.
%
% \DescribeMacro{\distributionA}
% To mark your document with Distro A (public release), write |\distributionA|
% \marg{other information}. Local policies may require that you include a
% reference number, or the name of the organization which cleared the document,
% or some such. That's ``other information.''
%
% \DescribeMacro{\distributionB}
% To U.S. Government agencies only: |\distributionB| \marg{reason why}
% \marg{controlling office}.
%
% \DescribeMacro{\distributionC}
% To U.S. Government agencies and their contractors: |\distributionC| \marg{reason
% why} \marg{controlling office}.
%
% \DescribeMacro{\distributionD}
% To DoD and DoD contractors only: |\distributionD| \marg{reason why}
% \marg{controlling office}.
%
% \DescribeMacro{\distributionE}
% To DoD Components only: |\distributionE| \marg{reason why} \marg{controlling
% office}.
%
% \DescribeMacro{\distributionF}
% Only as directed by the controlling office or higher DoD authority:
% |\distributionF| \marg{controlling office}.
%
% You are responsible for understanding what these statements mean and whether
% you're allowed to use them.
%
%
% \section{Document formatting aids}
%
% \subsection{DoD title page}
% \DescribeMacro{\makedodtitle} In a book-class document, use
% |\makedodtitle| instead of \Verb!\maketitle! and you will get an
% organization logo on your title page. You'll also get the distribution
% statement. You must provide the organization logo, as a graphics file of a
% suitable format (\emph{e.g.}, PNG or PDF if you're using \Verb!pdflatex!, EPS
% if you're using \Verb!latex!, that sort of thing), entitled \Verb!org_logo!,
% \emph{e.g.} \Verb!org_logo.png!.
%
% \subsection{Narrower margins}
% \DescribeMacro{\narrowermargins}
% Nobody appreciates the rules of typography these days. And making a bad
% impression on auditors by submitting a document that doesn't look how they
% expect is a needless risk.
%
% This macro narrows the margins, while leaving a sizable margin in which to
% write text. It probably only works on books (not articles). It takes the
% security label into account.
%
% In the top of your document, put |\narrowermargins| to make all of the
% margins narrower by a half inch, increasing the text area by one inch
% horizontally and one inch vertically. You have to put it above the security
% label.
%
% This has not been tested much, and only on a book-class document.
%
% \subsection{Change log}
%
% Most documents submitted in support of cybersecurity goals must
% indicate what version they are, and what changes have happened between
% versions. In software development terminology, these correspond to
% \emph{releases}, not \emph{revisions} or \emph{changesets}; that is to say,
% these versions are likely not to change more than once a month, and changes
% are likely to be, ``Added a new chapter about foo,'' rather than ``Corrected
% spelling on page 358.''
%
% Write a changelog and call it \Verb!changelog.tex!. Include it in your
% front matter just after the table of contents. Its format is like so:
%
% \begin{Verbatim}[gobble=2]
% \begin{changelog}
%
% \change{3 Aug 2011}{Jared Jennings}{Added Backup Plan}
%
% \change{2 Aug 2011}{Jared Jennings}{New server purchased; changed Hardware
% Baseline to match}
%
% \end{changelog}
% \end{Verbatim}
%
% Add new entries to the top of the changelog, not the bottom.
%
% \subsection{Executive summary}
% An ``executive summary'' is supported. This is just a section containing a
% table which lists the larger security controls this document is about.
% Its format is like so:
%
% \begin{Verbatim}[gobble=2]
% \begin{executivesummary}
% \executivesummaryiacontrol{IAIA-1}{Individual Authentication}
% \end{executivesummary}
% \end{Verbatim}
%
% Put it after the changelog, after the ToC.
%
%
% \section{Document identifiers}
% \label{document_identifiers}
%
% To identify a requirement you want to talk about without ambiguity,
% you need to give a name for both the requirement and the document it
% came from. Since document identifiers are written in potentially
% hundreds of compliance tags across a document, they need to be
% short, but unique. Here are some example document identifiers:
%
% \begin{description}
% \item[iacontrol] Information Assurance Controls, laid out in DoDI
% 8500.2, e.g. DCMC-1.
% \item[secctrl] Security Controls, laid out in NIST SP 800-53, e.g. SC-18c.
% \item[unixsrg] UNIX Security Requirements Guide (SRG) Potential
% Discrepancy Identifiers (PDIs), e.g. GEN008520.
% \item[rhel5stig] Red Hat Enterprise Linux (RHEL) 5 STIG PDIs.
% \end{description}
%
% \subsection{Defining requirements documents}
%
% In the preamble of your document, you must tell \textsf{cyber} from which
% documents your requirements will come. \DescribeMacro{\requirementsdocument}
% Use the |\requirementsdocument| macro to do this. For example,
%
% \begin{Verbatim}[gobble=2]
% \requirementsdocument{joesaidso}{Joe's Demands}{Demand }
% \end{Verbatim}
%
% The first parameter is the document identifier, which is used in the
% compliance tags. For example, after this |\requirementsdocument|, in the body
% of our document we could write
%
% \begin{Verbatim}[gobble=2]
% \documents{joesaidso}{Joe34} We close the door when going outside, because
% Joe said to. Door-closing logs are kept just inside the door.
% \end{Verbatim}
%
% The second parameter is the header under which all requirements from this
% document will be placed in the Compliance index. Given the above code, the
% index might look like:
%
% \begin{Verbatim}[gobble=2]
% Compliance
%
% Joe's Demands
% Joe34
% documented, 3
% \end{Verbatim}
%
% The third parameter is the prefix with which requirements from this document
% will be named. For example, if we were to write |\joesaidso{Joe34}| in the
% body of a document, we would see ``Demand Joe34'' in the rendering of that
% document.
%
%
% \section{Adding \textsf{cyber} to a document}
%
% If you are editing or adding to an existing document which already uses
% \textsf{cyber}, you need not concern yourself with this section.
%
% To use \textsf{cyber} in a new document: you should have the \textsf{cyber} package
% installed; see
% \url{http://en.wikibooks.org/wiki/LaTeX/Packages/Installing_Extra_Packages}.
%
% At the top of your document, in its preamble, put the following lines:
%
% \begin{Verbatim}[gobble=2]
% \usepackage{cyber}
% \end{Verbatim}
%
% This makes the indices that the \textsf{cyber} tags put entries into.
%
% Somewhere in the preamble of your document, after you use the \textsf{cyber}
% package, tell \textsf{cyber} about all your |\requirementsdocument|s.
%
% Somewhere at the end of your document, put
%
% \begin{Verbatim}[gobble=2]
% \printindex{cyber_compliance}{Compliance}
% \end{Verbatim}
%
% This grabs the index made and makes it part of the final document.
%
%
% \subsection{Controls in contents}
%
% If you want the IA controls covered in a section to be summarized in the
% section's title written in the table of contents, use this additional
% package:
%
% \begin{Verbatim}[gobble=2]
% \usepackage{iacic}
% \end{Verbatim}
%
% Write this after the usepackage directive for \textsf{cyber}. If you use the
% hyperref package, write this statement after the usepackage directive for
% hyperref.
%
% If you use iacic, your section titles cannot contain any formatting, and your
% document cannot be originally written in reStructuredText. Section titles
% written in the body text will not change: only the ones in the contents.
% Section titles written in page headers will vary. In general this is a buggy,
% wonky feature. See \url{http://tex.stackexchange.com/questions/29818}. Dive
% into the wonderful world of \TeX\ and \LaTeX . Learn you a fix for great
% good!
%
%
% \subsection{Temporarily suppressing index entries}
%
% If some part of your document is an auto-summary of another part of your
% document, to index mentions of requirements in the summarized part may be
% redundant and undesirable.
%
% \DescribeMacro{\Cyberindexingenabledfalse}
%
% \DescribeMacro{\Cyberindexingenabledtrue}
%
% Use these macros to turn off and on (respectively) indexing of compliance
% assertions for part of your document. For example:
%
% \begin{Verbatim}[gobble=2]
% \Cyberindexingenabledfalse
% \include{auto_summary}
% \Cyberindexingenabledtrue
% \end{Verbatim}
%
%
% \section{Interactions with other packages}
% If you use \textsf{hyperref}, do so \emph{before} you use \textsf{cyber}.
%
% Because \textsf{cyber} requires \textsf{longtable}, you can't use two
% columns in a document that uses \textsf{cyber}. The requirement for
% longtable stems from the executive summary and changelog, which may have
% enough rows to span pages.
%
% Because \textsf{cyber} requires \textsf{index}, any other package which
% automatically indexes things may not work in conjunction with
% \textsf{cyber}.
%
% \textsf{cyber} also pulls in \textsf{color}, \textsf{fancyhdr} and
% \textsf{graphicx}.
%
%
%
%
% \section{Implementation}
%
% \StopEventually{}
% \begin{macrocode}
\makeatletter
% \end{macrocode}
% We require longtable for the changelog and executive summary, which could span pages.
% \begin{macrocode}
\RequirePackage{longtable}
% \end{macrocode}
% We require color so that we can make red some text regarding unimplemented
% requirements.
% \begin{macrocode}
\RequirePackage{color}
% \end{macrocode}
% There are potentially hundreds of requirements with which to comply. So we
% want them in their own index.
% \begin{macrocode}
\RequirePackage{index}
% \end{macrocode}
% The \textsf{fancyhdr} package is how we add security labels.
% \begin{macrocode}
\RequirePackage{fancyhdr}
% \end{macrocode}
% And the graphicx package is needed so the organization's logo can be put on
% the front page.
% \begin{macrocode}
\RequirePackage{graphicx}
% \end{macrocode}
% Index entries are written into the compliance index.
% \begin{macrocode}
\newindex{cybercompliance}{cybercompliance.idx}{cybercompliance.ind}{Compliance}
% \end{macrocode}
% Notations of compliance throughout the document are written in compliance.aux
% and explanations.aux.
% \begin{macrocode}
\AtBeginDocument{
\newwrite\complianceaux
\immediate\openout\complianceaux=cyber_compliance.aux
\newwrite\explanationsaux
\immediate\openout\explanationsaux=cyber_explanations.aux
}
\AtEndDocument{
\immediate\closeout\complianceaux
\immediate\closeout\explanationsaux
}
% \end{macrocode}
% The foreach code below is from:
% \url{http://stackoverflow.com/questions/2402354/split-comma-separated-parameters-in-latex}
% and/or \url{http://maraist.org/comma-separated-lists-in-latex_08-2009/}.
% Added two extra pass-through parameters.
%
% \begin{macro}{\foreach}
% Functional foreach construct.
% Usage: |\foreach| \marg{macro} \marg{firstarg} \marg{secondarg}
% \marg{third1,third2,third3,...}. Evaluates to
% |\macro{firstarg}{secondarg}{third1}| |\macro{firstarg}{secondarg}{third2}|
% etc.
%
% Put another way: \meta{\#1} is a function to call once for each
% comma-separated item in \meta{\#4}. \meta{\#2} and \meta{\#3} are parameters to
% pass to function in \meta{\#1} as the first parameters. \meta{\#4} is a
% comma-separated list of items, each of which to pass as the third parameter
% to an invocation of function \meta{\#1}.
% \begin{macrocode}
\def\foreach#1#2#3#4{%
\@test@foreach{#1}{#2}{#3}#4,\@end@token%
}
% \end{macrocode}
% \end{macro}
% Internal helper function - Eats one input.
% \begin{macrocode}
\def\@swallow#1{}
% \end{macrocode}
% Internal helper function - Checks the next character after \#1 and \#2 and
% continues loop iteration if |\@end@token| is not found.
% \begin{macrocode}
\def\@test@foreach#1#2#3{%
\@ifnextchar\@end@token%
{\@swallow}%
{\@foreach{#1}{#2}{#3}}%
}
% \end{macrocode}
% Internal helper function - Calls |#1{#2}{#3}{#4}| and recurses.
% The magic of splitting the third parameter occurs in the pattern matching of
% the |\def|.
% \begin{macrocode}
\def\@foreach#1#2#3#4,#5\@end@token{%
#1{#2}{#3}{#4}%
\@test@foreach{#1}{#2}{#3}#5\@end@token%
}
% \end{macrocode}
% \begin{macro}{\requirementsdocument}
% Usage: |\requirementsdocument| \marg{tag} \marg{index heading}
% \marg{requirement title}. The tag is a one-word lowercase name, like
% iacontrol or unixsrg or rhel5stig, that you'll use in |\implements|
% and other tags to say from which document comes the requirement
% you're talking about. An index of compliance will be made;
% |index heading| is the title under which all compliance with this document
% will be listed in the compliance index, for example ``NIST SP 800-53
% Security Controls.'' The |requirement title| is how to name a
% requirement from that document. For example, the DISA UNIX SRG
% contains many requirements, called Potential Discrepancy Items
% (PDI). So you may give ``UNIX SRG PDI '' (note the space at the end)
% as the requirement title, and when a requirement is named using
% |\requirement| it will be prefixed with the title, e.g. ``UNIX SRG
% PDI GEN006480.''
%
% Write all |\requirementsdocument|s in the preamble of the document.
%
% \begin{macrocode}
\newcommand{\requirementsdocument}[3]{%
% Say how to name requirements that come from this document.
\expandafter\providecommand\csname #1\endcsname[1]{%
\namedrequirement{#1}{#3}{##1}}
\expandafter\newcommand\csname indexhead#1\endcsname{#2}
}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\requirement}
% Usage: |\requirement| \marg{document tag} \marg{requirement name}. Example:
% |\requirement{unixsrg}{GEN006480}|. Use this macro to mention requirements
% that come from other documents, without implying a particular compliance
% posture. For example, ``The check content of
% |\requirement{unixsrg}{GEN006480}| suggests the following solution.''
% \begin{macrocode}
\newcommand{\requirement}[2]{%
\expandafter\csname requirement@#1\endcsname{#2}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\namedrequirement}
% Usage: |\namedrequirement| \marg{index name} \marg{official title prefix} \marg{requirement name}.
% Example: |\namedrequirement{iacontrol}{IA Control }{IAAC-1}| will say ``IA
% Control IAAC-1'' in the body of the document, and make an index entry in the
% compliance index under the ``IA Controls'' heading. (``IA Controls'' in this
% example is the value of a parameter given to |\requirementsdocument|, not to
% this macro.)
%
% This macro exists so it will be possible to redefine it to change how such a
% thing looks. When referring to a named requirement in a document that you are
% writing, use |\requirement| above, not this macro.
%
% The index macro is the same as in indexhelper below but without the last
% |!{#2}| for the subhead.
% \begin{macrocode}
\newcommand{\namedrequirement}[3]{%
\index[cybercompliance]{\csname indexhead#1\endcsname @\iaindexheadstyle{\csname indexhead#1\endcsname}!{#3}!}%
{\small #2\mbox{#3}}%
}
% \end{macrocode}
% \end{macro}
%
% This will be redefined by \textsf{iacic} if that package is included.
% \begin{macrocode}
\def\addtosectionname#1{}
% \end{macrocode}
%
% This is here so you can turn off indexing for a portion of your document.
% \begin{macrocode}
\newif\ifCyberindexingenabled
\Cyberindexingenabledtrue
% \end{macrocode}
%
% Style the text for per-document heads in the compliance index.
% \begin{macrocode}
\newcommand{\iaindexheadstyle}[1]{%
\vspace{1em}{\large \textbf{#1}}\vspace{1em}}
% \end{macrocode}
%
% parameters: index name, implementation status, requirement name
% \begin{macrocode}
\newcommand{\indexhelper}[3]{%
\ifCyberindexingenabled\index[cybercompliance]{\csname indexhead#1\endcsname @\iaindexheadstyle{\csname indexhead#1\endcsname}!{#3}!{#2}}\fi}
% \end{macrocode}
%
% parameters: index name, prefix (e.g. {RHEL5: }), requirement name
% \begin{macrocode}
\newcommand{\marginhelper}[3]{#2~\mbox{#3}\\ }
% \end{macrocode}
%
% parameters: index name, compliance status, requirement name.
% Compliance status is not necessarily the same as implementation status.
% \begin{macrocode}
\newcommand{\compliancehelper}[3]{%
\write\complianceaux{#1:#3:#2}}
% \end{macrocode}
%
% parameters: index name, explanation, requirement name
% \begin{macrocode}
\newcommand{\explanationshelper}[3]{%
\write\explanationsaux{#1:#3:}%
\write\explanationsaux{#2}%
\write\explanationsaux{:}%
}
% \end{macrocode}
% parameters: index name, nothing, requirement name
% \begin{macrocode}
\newcommand{\sectionnamehelper}[3]{%
\def\@numberone{#1}%
\def\@iacontrol{iacontrol}%
\ifx\@numberone\@iacontrol\addtosectionname{#3}\fi}
% \end{macrocode}
%
% \begin{macrocode}
\def\iamarginsize{\footnotesize}
% \end{macrocode}
%
% These all take two parameters.
% The first parameter is the identifier of the document from which the
% requirement comes (e.g. iacontrol, unixstig, spanstig, apachestig,
% etc)---same names as the indices. The second parameter is which
% requirement(s) is/are in the given status (e.g. GEN000320). You may supply
% multiple values for this one, separated by commas.
%
% Example: |\implements{unixsrg}{GEN000320,GEN000340}|
%
% \begin{macrocode}
\newcommand{\implements}[2]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#1}{implemented}{#2}%
\marginpar{\iamarginsize \raggedright%
\foreach{\marginhelper}{#1}{auto:}{#2}%
}%
\foreach{\compliancehelper}{#1}{compliant}{#2}%
\foreach{\sectionnamehelper}{#1}{}{#2}%
\@esphack}
\newcommand{\unimplemented}[3]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#1}{\textcolor{red}{unimplemented}}{#2}%
\marginpar{\iamarginsize \color{red} \raggedright%
\foreach{\marginhelper}{#1}{}{#2}%
}%
\foreach{\compliancehelper}{#1}{non-compliant}{#2}%
\foreach{\explanationshelper}{#1}{#3}{#2}%
\foreach{\sectionnamehelper}{#1}{}{#2}%
{#3}%
\@esphack}
% \end{macrocode}
%
% Except this one takes three parameters: operating system(s),
% identifier of requiring document, requirement(s).
% \begin{macrocode}
\newcommand{\bydefault}[3]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#2}{default for {#1}}{#3}%
\marginpar{\iamarginsize \raggedright%
\foreach{\marginhelper}{#2}{#1: }{#3}%
}%
\foreach{\compliancehelper}{#2}{compliant}{#3}%
\foreach{\sectionnamehelper}{#1}{}{#2}%
\@esphack}
% \end{macrocode}
%
% \begin{macrocode}
\newcommand{\notapplicable}[2]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#1}{N/A}{#2}%
\marginpar{\iamarginsize \raggedright%
\foreach{\marginhelper}{#1}{N/A: }{#2}%
}%
\foreach{\compliancehelper}{#1}{N/A}{#2}%
\@esphack}
% \end{macrocode}
% \begin{macrocode}
\newcommand{\doneby}[3]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#2}{prescribed}{#3}%
\marginpar{\iamarginsize \raggedright%
\foreach{\marginhelper}{#2}{#1 do }{#3}%
}%
\foreach{\compliancehelper}{#2}{compliant}{#3}%
\foreach{\sectionnamehelper}{#1}{}{#2}%
\@esphack}
% \end{macrocode}
% deprecated
% \begin{macrocode}
\newcommand{\prescribed}[2]{\doneby{admins}{#1}{#2}}
% \end{macrocode}
% \begin{macrocode}
\newcommand{\documented}[2]{%
\@bsphack
\hspace{0pt}% this makes sure the marginpar doesn't go with the previous
% paragraph
\foreach{\indexhelper}{#1}{documented}{#2}%
\marginpar{\iamarginsize \raggedright%
\foreach{\marginhelper}{#1}{}{#2}%
}%
\foreach{\compliancehelper}{#1}{compliant}{#2}%
\foreach{\sectionnamehelper}{#1}{}{#2}%
\@esphack}
% \end{macrocode}
% \begin{macrocode}
\newcommand{\documents}[2]{\documented{#1}{#2}}
% \end{macrocode}
% \begin{macro}{\articlesecuritylabel}
% Use this to label documents of class \textsl{article}.
% Use like |\articlesecuritylabel| \marg{thing to write on each page}.
% The thing will be written as part of the page header.
% \begin{macrocode}
\newcommand{\articlesecuritylabel}[1]{%
\pagestyle{fancy}%
\renewcommand{\headrulewidth}{0pt}%
\fancyhf{}%
\chead{#1}%
\cfoot{\thepage}%
\fancypagestyle{plain}{%
\fancyhf{}%
\fancyhead[C]{#1}%
}%
}
% \end{macrocode}
% \end{macro}
%
% \begin{macro}{\booksecuritylabel}
% Use this one to label books. Syntax is the same as above.
% \begin{macrocode}
\newcommand{\booksecuritylabel}[1]{%
\pagestyle{fancy}%
\renewcommand{\headrulewidth}{0.1pt}%
\fancyhf{}%
\fancyhead[CE,CO]{#1\vspace{2\baselineskip}}%
\fancyhead[LE,RO]{\thepage}%
\fancyhead[RE]{\nouppercase{\leftmark}}%
\fancyhead[LO]{\nouppercase{\rightmark}}%
%
\fancypagestyle{empty}{%
\renewcommand{\headrulewidth}{0pt}%
\fancyhf{}%
\fancyhead[C]{#1\vspace{2\baselineskip}}%
}%
\fancypagestyle{plain}{%
\renewcommand{\headrulewidth}{0pt}%
\fancyhf{}%
\fancyhead[C]{#1\vspace{2\baselineskip}}%
\fancyfoot[C]{\thepage}%
}%
}
% \end{macrocode}
% \end{macro}
%
% See \url{http://www.dtic.mil/dtic/submit/guidance/distribstatement.html} on
% distribution statements and on destruction of limited-distribution
% unclassified documents.
%
% \begin{macrocode}
\def\@distribution{\@latex@warning@no@line{No distribution statement given}}
% \end{macrocode}
%
% \begin{macrocode}
\def\@destruction{%
\textbf{DESTRUCTION NOTICE}: Destroy by any method that will prevent disclosure or reconstruction of the document.}
% \end{macrocode}
%
% \begin{macro}{\distributionA}
% \begin{macrocode}
\def\distributionA#1{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT A}: Approved for public release. #1}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\distributionB}
% \begin{macrocode}
\def\distributionB#1#2{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT B}: Distribution authorized to U.S. Government agencies only; #1; \@date. Other requests for this document shall be referred to #2.}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\distributionC}
% \begin{macrocode}
\def\distributionC#1#2{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT C}: Distribution authorized to U.S. Government agencies and their contractors; #1; \@date. Other requests for this document shall be referred to #2.}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\distributionD}
% Use this macro to indicate that your document uses Distribution Statement D,
% and why, like so: |\distributionD| \marg{reason why distribution is limited}.
% Write this in the top of your document, before |\begin{document}|.
% \begin{macrocode}
\def\distributionD#1#2{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT D}: Distribution authorized to the Department of Defense and U.S. DoD contractors only; #1; \@date. Other requests shall be referred to #2.}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\distributionE}
% \begin{macrocode}
\def\distributionE#1#2{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT E}: Distribution authorized to DoD Components only; #1; \@date. Other requests shall be referred to #2.}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\distributionF}
% \begin{macrocode}
\def\distributionF#1{%
\gdef\@distribution{%
\textbf{DISTRIBUTION STATEMENT F}: Further dissemination only as directed by #1 \@date\ or higher DoD authority.}}
% \end{macrocode}
% \end{macro}
%
%
% \begin{macrocode}
\def\@version{}
% \end{macrocode}
% \begin{macro}{\version}
% Use the |\version| \marg{some indication of version} to indicate the version
% of the document.
% \begin{macrocode}
\def\version#1{\gdef\@version{#1}}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\today}
% This redefinition of the |\today| macro formats the date like ``4 Oct 2011,''
% as military folks are used to. Use it in the |\date| macro.
% \begin{macrocode}
\def\today{\number\day\space\ifcase\month\or Jan\or Feb\or Mar\or Apr\or
May\or Jun\or Jul\or Aug\or Sep\or Oct\or Nov\or Dec\fi
\space\number\year}
% \end{macrocode}
% \end{macro}
% \begin{macro}{\narrowermargins}
% \begin{macrocode}
\newcommand{\narrowermargins}{%
\addtolength{\hoffset}{-0.5in}%
\addtolength{\textwidth}{1in}%
\addtolength{\marginparwidth}{-0.5in}%
\addtolength{\voffset}{-0.5in}%
\addtolength{\textheight}{1in}%
% bring up bottom of text to match whitespace at top caused by security
% label
\addtolength{\textheight}{-2\baselineskip}%
}
% \end{macrocode}
% \end{macro}
%
% \begin{macro}{\makedodtitle}
% Use this macro instead of |\maketitle|, right after |\begin{document}|.
% \begin{macrocode}
\newcommand{\makedodtitle}[0]{%
\begin{titlepage}%
\begin{center}%
~\vskip 1.5in%
{\LARGE \@title \par}%
\vskip 3em%
{\large \lineskip .75em \begin{tabular}[t]{c}%
\@author%
\end{tabular}\par}%
{\large \@date \par \large \@version}\vskip 0.5in%
\includegraphics[width=0.4\textwidth]{org_logo}
\end{center}\par%
\@thanks\vskip 0.5in\par%
\@distribution\par%
\@destruction%
\vfil\null
\end{titlepage}}
% \end{macrocode}
% \end{macro}
%
%
% \begin{environment}{changelog}
% \begin{macro}{\change}
% Usage: |\change| \marg{when} \marg{who} \marg{what}. For example,
% \begin{Verbatim}[gobble=2]
% \change{3 Aug 2011}{Jared Jennings}{Added backup plan}
% \end{Verbatim}
%
% \begin{macrocode}
\newcommand{\change}[3]{%
{#1} & {#2} & {#3}\\
}
% \end{macrocode}
% \end{macro}
%
% \begin{macrocode}
\newenvironment{changelog}{
\phantomsection
\chapter*{Changelog}
\addcontentsline{toc}{chapter}{Changelog}
\begin{longtable}{@{\extracolsep{\fill}} l l p{4in}}
\hline
{\bf Date} & {\bf Person} & {\bf Change Description}\\
\hline\hline
\endhead
}{\end{longtable}}
% \end{macrocode}
% \end{environment}
%
% \begin{environment}{executivesummary}
% An ``executive summary,'' in the context of documents submitted as
% information assurance artifacts, means specifically a table of IA controls to
% which this document applies. Executive summaries can be built automatically
% by the shaney script, but must be included in the main document by means of
% the |\include| command.
%
% \begin{macro}{\executivesummaryiacontrol}
% Usage: |\executivesummaryiacontrol| \marg{IA control ID} \marg{IA control
% name}. Use only inside the executivesummary environment.
% \begin{macrocode}
\newcommand{\executivesummaryiacontrol}[2]{%
{#1} & {#2}\\
}
% \end{macrocode}
% \end{macro}
%
% \begin{macrocode}
\newenvironment{executivesummary}{
\phantomsection
\chapter*{Executive Summary}
\addcontentsline{toc}{chapter}{Executive Summary}
The following table lists the NIST SP 800-53 Security Controls that are satisfied
through this artifact.
\begin{longtable}{@{\extracolsep{\fill}} l p{4in}}
\hline
{\bf IA Control Number} & {\bf IA Control Name}\\
\hline\hline
\endhead
}{\end{longtable}}
% \end{macrocode}
% \end{environment}
\makeatother
% \Finale