{"id": "e8", "policy": "e8", "title": "Australian Cyber Security Centre (ACSC)", "source": "https://www.cyber.gov.au/sites/default/files/2023-11/PROTECT%20-%20Hardening%20Linux%20Workstations%20and%20Servers%20%28November%202023%29.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/e8.yml", "controls": [{"id": "patching", "levels": ["base"], "notes": "", "title": "Application and operating system patching", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["security_patches_up_to_date", "package_ypbind_removed", "service_telnet_disabled", "ensure_gpgcheck_never_disabled", "package_talk_removed", "package_rsh_removed", "package_telnet_removed", "package_telnet-server_removed", "package_rsh-server_removed", "service_squid_disabled", "ensure_redhat_gpgkey_installed", "ensure_gpgcheck_globally_activated", "package_talk-server_removed", "service_avahi-daemon_disabled", "dnf-automatic_security_updates_only", "package_squid_removed", "ensure_gpgcheck_local_packages"], "controls": []}, {"id": "mfa", "levels": ["base"], "notes": "", "title": "Multi-factor authentication", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "restrict_admin", "levels": ["base"], "notes": "", "title": "Restricting administrative privileges", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero", "sudo_remove_nopasswd", "sudo_remove_no_authenticate", "sudo_require_authentication"], "controls": []}, {"id": "app_control", "levels": ["base"], "notes": "", "title": "Application control", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_fapolicyd_enabled", "package_fapolicyd_installed"], "controls": []}, {"id": "restrict_macros", "levels": ["base"], "notes": "", "title": "Restrict Microsoft Office macros", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "app_hardening", "levels": ["base"], "notes": "", "title": "User application hardening", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "backups", "levels": ["base"], "notes": "", "title": "Regular backups", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_rear_installed"], "rules": [], "controls": []}, {"id": "hardening", "levels": ["base"], "notes": "", "title": "General hardening", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev", "sysctl_net_core_bpf_jit_harden", "enable_authselect", "sshd_disable_empty_passwords", "sysctl_kernel_kptr_restrict", "audit_rules_time_watch_localtime", "file_ownership_binary_dirs", "auditd_freq", "sshd_disable_user_known_hosts", "audit_rules_usergroup_modification_opasswd", "auditd_log_format", "service_auditd_enabled", "sshd_set_loglevel_info", "service_rsyslog_enabled", "file_permissions_unauthorized_sgid", "selinux_state", "audit_rules_login_events_lastlog", "audit_rules_usergroup_modification_passwd", "auditd_name_format", "sysctl_kernel_exec_shield", "sshd_disable_root_login", "audit_rules_time_stime", "sshd_disable_gssapi_auth", "sshd_do_not_permit_user_env", "auditd_data_retention_flush", "auditd_write_logs", "file_permissions_unauthorized_world_writable", "audit_rules_usergroup_modification_group", "dir_perms_world_writable_sticky_bits", "sshd_use_directory_configuration", "file_permissions_library_dirs", "sysctl_kernel_unprivileged_bpf_disabled", "mount_option_dev_shm_nosuid", "file_permissions_unauthorized_suid", "selinux_policytype", "rpm_verify_ownership", "package_rsyslog_installed", "audit_rules_execution_chcon", "file_ownership_library_dirs", "audit_rules_time_adjtimex", "package_firewalld_installed", "audit_rules_execution_restorecon", "audit_rules_execution_setsebool", "file_permissions_binary_dirs", "sysctl_kernel_yama_ptrace_scope", "audit_rules_networkconfig_modification", "sshd_enable_strictmodes", "configure_crypto_policy", "audit_rules_login_events_faillock", "network_sniffer_disabled", "audit_rules_usergroup_modification_shadow", "audit_rules_time_clock_settime", "sysctl_kernel_randomize_va_space", "rpm_verify_hashes", "sshd_disable_rhosts", "audit_rules_execution_semanage", "audit_rules_dac_modification_chmod", "audit_rules_execution_seunshare", "auditd_local_events", "sysctl_kernel_kexec_load_disabled", "audit_rules_login_events_tallylog", "audit_rules_usergroup_modification_gshadow", "rpm_verify_permissions", "mount_option_dev_shm_noexec", "audit_rules_kernel_module_loading", "audit_rules_time_settimeofday", "configure_ssh_crypto_policy", "audit_rules_dac_modification_chown", "service_firewalld_enabled", "sshd_print_last_log", "sysctl_kernel_dmesg_restrict", "audit_rules_sysadmin_actions", "audit_rules_execution_setfiles", "no_empty_passwords", "var_system_crypto_policy=default_nosha1", "var_auditd_flush=incremental_async", "var_selinux_state=enforcing", "var_selinux_policy_name=targeted", "var_authselect_profile=sssd"], "controls": []}], "levels": [{"id": "base", "inherits_from": null}]}