{"id": "cis_sle12", "policy": "CIS benchmark for SUSE Linux Enterprise 12", "title": "CIS benchmark for SUSE Linux Enterprise 12", "source": "https://www.cisecurity.org/cis-benchmarks/#suse_linux", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cis_sle12.yml", "controls": [{"id": "reload_dconf_db", "levels": ["l1_server", "l1_workstation", "l2_server", "l2_workstation"], "notes": "This is a helper rule to reload Dconf database correctly.", "title": "Reload Dconf database", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_db_up_to_date"], "controls": []}, {"id": "1.1.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure mounting of squashfs filesystems is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_squashfs_disabled", "kernel_module_cramfs_disabled"], "controls": []}, {"id": "1.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure mounting of udf filesystems is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_udf_disabled"], "controls": []}, {"id": "1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /tmp is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp"], "controls": []}, {"id": "1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_noexec"], "controls": []}, {"id": "1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev"], "controls": []}, {"id": "1.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nosuid"], "controls": []}, {"id": "1.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /dev/shm is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_dev_shm"], "controls": []}, {"id": "1.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec"], "controls": []}, {"id": "1.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev"], "controls": []}, {"id": "1.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nosuid"], "controls": []}, {"id": "1.1.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var"], "controls": []}, {"id": "1.1.11", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/tmp (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_tmp"], "controls": []}, {"id": "1.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /var/tmp partition includes the noexec option (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_noexec"], "controls": []}, {"id": "1.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /var/tmp partition includes the nodev option (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nodev"], "controls": []}, {"id": "1.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /var/tmp partition includes the nosuid option (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nosuid"], "controls": []}, {"id": "1.1.15", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log"], "controls": []}, {"id": "1.1.16", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log/audit (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit"], "controls": []}, {"id": "1.1.17", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /home (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_home"], "controls": []}, {"id": "1.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /home partition includes the nodev option (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nodev"], "controls": []}, {"id": "1.1.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on removable media partitions (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_noexec_removable_partitions"], "controls": []}, {"id": "1.1.20", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on removable media partitions (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nodev_removable_partitions"], "controls": []}, {"id": "1.1.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on removable media partitions (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nosuid_removable_partitions"], "controls": []}, {"id": "1.1.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sticky bit is set on all world-writable directories (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_perms_world_writable_sticky_bits"], "controls": []}, {"id": "1.1.23", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Disable Automounting (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_autofs_disabled", "kernel_module_usb-storage_disabled"], "controls": []}, {"id": "1.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "The control cannot be automated, and should be addressed manually.", "title": "Ensure GPG keys are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_GPG_keys_are_configured"], "controls": []}, {"id": "1.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "The control cannot be automated, and should be addressed manually.", "title": "Ensure package manager repositories are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_package_repositories_are_configured"], "controls": []}, {"id": "1.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure gpgcheck is globally activated (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_never_disabled", "ensure_gpgcheck_globally_activated"], "controls": []}, {"id": "1.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "1.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo commands use pty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_use_pty"], "controls": []}, {"id": "1.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo log file exists (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_custom_logfile", "var_sudo_logfile=var_log_sudo_log"], "controls": []}, {"id": "1.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AIDE is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed", "aide_build_database"], "controls": []}, {"id": "1.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure filesystem integrity is regularly checked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking"], "controls": []}, {"id": "1.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure authentication required for single user mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "require_emergency_target_auth"], "controls": []}, {"id": "1.5.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bootloader password is set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password", "grub2_uefi_password"], "controls": []}, {"id": "1.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on bootloader config are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_grub2_cfg", "file_groupowner_grub2_cfg", "file_owner_grub2_cfg"], "controls": []}, {"id": "1.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure authentication required for single user mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "require_emergency_target_auth"], "controls": []}, {"id": "1.6.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure core dumps are restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_storage", "coredump_disable_backtraces", "sysctl_fs_suid_dumpable", "disable_users_coredumps"], "controls": []}, {"id": "1.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "Automatic remediation of these rules is not available.", "title": "Ensure XD/NX support is enabled (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["install_PAE_kernel_on_x86-32", "bios_enable_execution_restrictions"], "controls": []}, {"id": "1.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure address space layout randomization (ASLR) is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "1.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure prelink is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_prelink"], "controls": []}, {"id": "1.7.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AppArmor is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_apparmor_installed"], "controls": []}, {"id": "1.7.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AppArmor is enabled in the bootloader configuration (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["apparmor_configured"], "controls": []}, {"id": "1.7.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all AppArmor Profiles are in enforce or complain mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["all_apparmor_profiles_in_enforce_complain_mode", "var_apparmor_mode=complain"], "controls": []}, {"id": "1.7.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure all AppArmor Profiles are enforcing (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["all_apparmor_profiles_enforced"], "controls": []}, {"id": "1.8.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message of the day is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_motd", "motd_banner_text=cis_banners"], "controls": []}, {"id": "1.8.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue", "login_banner_text=cis_banners"], "controls": []}, {"id": "1.8.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure remote login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_net", "remote_login_banner_text=cis_banners"], "controls": []}, {"id": "1.8.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/motd are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_motd", "file_owner_etc_motd", "file_permissions_etc_motd"], "controls": []}, {"id": "1.8.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/issue are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_issue", "file_permissions_etc_issue", "file_groupowner_etc_issue"], "controls": []}, {"id": "1.8.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/issue.net are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_issue_net", "file_owner_etc_issue_net", "file_permissions_etc_issue_net"], "controls": []}, {"id": "1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure updates, patches, and additional security software are installed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["security_patches_up_to_date"], "rules": [], "controls": []}, {"id": 1.1, "levels": ["l1_server", "l1_workstation"], "notes": "The idea of the requirement is to have either package_gdm_removed rule\nor the rest of the rules as they are mutually exclusive.", "title": "Ensure GDM login banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_login_banner_text", "dconf_gnome_disable_user_list", "package_gdm_removed", "enable_dconf_user_profile", "dconf_gnome_banner_enabled", "login_banner_text=cis_default"], "controls": []}, {"id": "2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure xinetd is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_xinetd_disabled", "package_xinetd_removed", "package_tcp_wrappers_removed"], "controls": []}, {"id": "2.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure time synchronization is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_chrony_installed"], "controls": []}, {"id": "2.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-timesyncd is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_timesyncd_configured", "service_timesyncd_root_distance_configured", "service_timesyncd_enabled"], "controls": []}, {"id": "2.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_run_as_chrony_user", "chronyd_configure_pool_and_server", "var_multiple_time_servers=suse", "var_multiple_time_pools=suse"], "controls": []}, {"id": "2.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ntp is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_ntpd_enabled", "ntpd_configure_restrictions", "ntpd_specify_remote_server", "ntpd_run_as_ntp_user"], "controls": []}, {"id": "2.2.2", "levels": ["l1_server"], "notes": "The rule also configures correct run level to prevent unbootable system.", "title": "Ensure X11 Server components are not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["xwindows_remove_packages", "package_xorg-x11-server-common_removed"], "controls": []}, {"id": "2.2.3", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure Avahi Server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_avahi_removed", "package_avahi-autoipd_removed", "service_avahi-daemon_disabled"], "controls": []}, {"id": "2.2.4", "levels": ["l1_server"], "notes": "", "title": "Ensure CUPS is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_cups_disabled", "package_cups_removed"], "controls": []}, {"id": "2.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure DHCP Server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dhcp_removed", "service_dhcpd_disabled", "package_dhcp_client_removed"], "controls": []}, {"id": "2.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure LDAP server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-servers_removed"], "controls": []}, {"id": "2.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nfs-utils is not installed or the nfs-server service is masked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nfs-utils_removed", "service_nfs_disabled"], "controls": []}, {"id": "2.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rpcbind is not installed or the rpcbind services are masked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rpcbind_disabled", "package_rpcbind_removed"], "controls": []}, {"id": "2.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure DNS Server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_named_disabled", "package_bind_removed"], "controls": []}, {"id": "2.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure FTP Server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_vsftpd_disabled", "package_vsftpd_removed"], "controls": []}, {"id": "2.2.11", "levels": ["l1_server", "l1_workstation"], "notes": "Only httpd/apache2 is currently covered by this rule.", "title": "Ensure HTTP server is not installed (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_httpd_disabled", "package_httpd_removed"], "controls": []}, {"id": "2.2.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IMAP and POP3 server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dovecot_removed", "service_dovecot_disabled"], "controls": []}, {"id": "2.2.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure Samba is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_samba_removed", "service_smb_disabled"], "controls": []}, {"id": "2.2.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure HTTP Proxy Server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_squid_disabled", "package_squid_removed"], "controls": []}, {"id": "2.2.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net-snmp is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_net-snmp_removed", "service_snmpd_disabled"], "controls": []}, {"id": "2.2.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure mail transfer agent is configured for local-only mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_network_listening_disabled", "var_postfix_inet_interfaces=loopback-only"], "controls": []}, {"id": "2.2.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsync is not installed or the rsyncd service is masked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyncd_disabled", "package_rsync_removed"], "controls": []}, {"id": "2.2.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure NIS server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ypserv_removed"], "controls": []}, {"id": "2.2.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet-server is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet-server_removed"], "controls": []}, {"id": "2.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure NIS Client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ypbind_removed"], "controls": []}, {"id": "2.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsh client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsh_removed"], "controls": []}, {"id": "2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure talk client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_talk_removed"], "controls": []}, {"id": "2.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet_removed"], "controls": []}, {"id": "2.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure LDAP client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-clients_removed"], "controls": []}, {"id": 2.4, "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nonessential services are removed or masked (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Disable IPv6 (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_disable_ipv6", "grub2_ipv6_disable_argument"], "controls": []}, {"id": "3.1.2", "levels": ["l1_server", "l2_workstation"], "notes": "the rule remediation is not exactly on par with the benchmark", "title": "Ensure wireless interfaces are disabled (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IP forwarding is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_forwarding", "sysctl_net_ipv4_ip_forward", "sysctl_net_ipv6_conf_all_forwarding_value=disabled"], "controls": []}, {"id": "3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure packet redirect sending is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure source routed packets are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv4_conf_default_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_default_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ICMP redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_default_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure secure ICMP redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_all_secure_redirects_value=disabled", "sysctl_net_ipv4_conf_default_secure_redirects_value=disabled"], "controls": []}, {"id": "3.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure suspicious packets are logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_log_martians", "sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_all_log_martians_value=enabled", "sysctl_net_ipv4_conf_default_log_martians_value=enabled"], "controls": []}, {"id": "3.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure broadcast ICMP requests are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled"], "controls": []}, {"id": "3.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bogus ICMP responses are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled"], "controls": []}, {"id": "3.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure Reverse Path Filtering is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_all_rp_filter_value=enabled", "sysctl_net_ipv4_conf_default_rp_filter_value=enabled"], "controls": []}, {"id": "3.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure TCP SYN Cookies is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_tcp_syncookies_value=enabled"], "controls": []}, {"id": "3.3.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 router advertisements are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_ra", "sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv6_conf_all_accept_ra_value=disabled", "sysctl_net_ipv6_conf_default_accept_ra_value=disabled"], "controls": []}, {"id": "3.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure DCCP is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_dccp_disabled"], "controls": []}, {"id": "3.4.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure SCTP is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "3.5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables package is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_iptables_enabled", "package_iptables_installed"], "controls": []}, {"id": "3.5.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_loopback_traffic"], "controls": []}, {"id": "3.5.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure outbound and established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_iptables_outbound_n_established"], "controls": []}, {"id": "3.5.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure firewall rules exist for all open ports (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.5.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_iptables_default_rule"], "controls": []}, {"id": "3.5.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_ipv6_loopback_traffic"], "controls": []}, {"id": "3.5.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 outbound and established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_iptables_outbound_n_established"], "controls": []}, {"id": "3.5.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 firewall rules exist for all open ports (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.5.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit-libs_installed", "package_audit_installed"], "controls": []}, {"id": "4.1.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd service is enabled and running (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "4.1.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditing for processes that start prior to auditd is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument"], "controls": []}, {"id": "4.1.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log storage size is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file", "var_auditd_max_log_file=6"], "controls": []}, {"id": "4.1.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit logs are not automatically deleted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "4.1.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system is disabled when audit logs are full (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_admin_space_left_action", "auditd_data_retention_space_left_action", "auditd_data_retention_action_mail_acct", "var_auditd_space_left_action=email", "var_auditd_action_mail_acct=root", "var_auditd_admin_space_left_action=halt"], "controls": []}, {"id": "4.1.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit_backlog_limit is sufficient (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "4.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify date and time information are collected (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_time_settimeofday", "audit_rules_time_watch_localtime", "audit_rules_time_adjtimex", "audit_rules_time_stime"], "controls": []}, {"id": "4.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify user/group information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "4.1.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's network environment are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification"], "controls": []}, {"id": "4.1.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's Mandatory Access Controls are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_mac_modification_usr_share", "audit_rules_mac_modification"], "controls": []}, {"id": "4.1.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure login and logout events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_tallylog", "audit_rules_login_events_lastlog", "audit_rules_login_events_faillog"], "controls": []}, {"id": "4.1.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure session initiation information is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events"], "controls": []}, {"id": "4.1.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure discretionary access control permission modification events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_chmod"], "controls": []}, {"id": "4.1.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure unsuccessful unauthorized file access attempts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_open"], "controls": []}, {"id": "4.1.11", "levels": ["l2_server", "l2_workstation"], "notes": "Additional rules for priviliged commands are available and can be enabled.", "title": "Ensure use of privileged commands is collected (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_rules_privileged_commands"], "rules": [], "controls": []}, {"id": "4.1.12", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful file system mounts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_media_export"], "controls": []}, {"id": "4.1.13", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure file deletion events by users are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_unlinkat", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_renameat"], "controls": []}, {"id": "4.1.14", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure changes to system administration scope (sudoers) is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "4.1.15", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system administrator actions (sudolog) are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_sudo_log_events"], "controls": []}, {"id": "4.1.16", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel module loading and unloading is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_privileged_commands_modprobe", "audit_rules_privileged_commands_insmod", "audit_rules_privileged_commands_rmmod", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading"], "controls": []}, {"id": "4.1.17", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit configuration is immutable (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "4.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed"], "controls": []}, {"id": "4.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog Service is enabled and running (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyslog_enabled"], "controls": []}, {"id": "4.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog default file permissions configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_files_groupownership", "rsyslog_files_ownership", "rsyslog_files_permissions"], "controls": []}, {"id": "4.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure logging is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_logging_configured"], "controls": []}, {"id": "4.2.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is configured to send logs to a remote log host (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_remote_loghost"], "controls": []}, {"id": "4.2.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_nolisten"], "rules": [], "controls": []}, {"id": "4.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to send logs to rsyslog (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_forward_to_syslog"], "controls": []}, {"id": "4.2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to compress large log files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_compress"], "controls": []}, {"id": "4.2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to write logfiles to persistent disk (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_storage"], "controls": []}, {"id": "4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on all logfiles are configured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_owner_var_log", "file_groupowner_var_log", "file_permissions_var_log", "file_owner_var_log_messages", "file_groupowner_var_log_messages", "file_permissions_var_log"], "rules": ["permissions_local_var_log"], "controls": []}, {"id": "4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "Rule configures logrotate service.", "title": "Ensure logrotate is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_logrotate_activated", "package_logrotate_installed", "timer_logrotate_enabled"], "controls": []}, {"id": "5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron daemon is enabled and running (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_cron_installed", "service_cron_enabled"], "controls": []}, {"id": "5.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/crontab are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_crontab", "file_permissions_crontab", "file_owner_crontab"], "controls": []}, {"id": "5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.hourly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_hourly", "file_permissions_cron_hourly", "file_groupowner_cron_hourly"], "controls": []}, {"id": "5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.daily are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_daily", "file_permissions_cron_daily", "file_owner_cron_daily"], "controls": []}, {"id": "5.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.weekly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_weekly", "file_owner_cron_weekly", "file_groupowner_cron_weekly"], "controls": []}, {"id": "5.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.monthly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_monthly", "file_groupowner_cron_monthly", "file_owner_cron_monthly"], "controls": []}, {"id": "5.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.d are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_d", "file_permissions_cron_d", "file_groupowner_cron_d"], "controls": []}, {"id": "5.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_allow", "file_groupowner_cron_allow", "file_owner_cron_allow", "file_cron_deny_not_exist"], "controls": []}, {"id": "5.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure at is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_at_deny_not_exist", "file_owner_at_allow", "file_groupowner_at_allow", "file_permissions_at_allow"], "controls": []}, {"id": "5.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/ssh/sshd_config are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_sshd_config", "file_owner_sshd_config", "file_permissions_sshd_config"], "controls": []}, {"id": "5.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "Rule is not covering User and group Ownership", "title": "Ensure permissions on SSH private host key files are configured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_private_key"], "controls": []}, {"id": "5.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "Rule is not covering User and group Ownership", "title": "Ensure permissions on SSH public host key files are configured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_pub_key"], "controls": []}, {"id": "5.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH access is limited (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_limit_user_access"], "controls": []}, {"id": "5.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "The default rule is configured to enforce the \"verbose\" log level. Use tailoring to change it to \"info\" level.", "title": "Ensure SSH LogLevel is appropriate (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_set_loglevel_info"], "rules": ["sshd_set_loglevel_verbose"], "controls": []}, {"id": "5.2.6", "levels": ["l2_server", "l1_workstation"], "notes": "", "title": "Ensure SSH X11 forwarding is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_x11_forwarding"], "controls": []}, {"id": "5.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH MaxAuthTries is set to 4 or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_auth_tries", "sshd_max_auth_tries_value=4"], "controls": []}, {"id": "5.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH IgnoreRhosts is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": "5.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH HostbasedAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": []}, {"id": "5.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH root login is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "5.2.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH PermitEmptyPasswords is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "5.2.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH PermitUserEnvironment is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "5.2.13", "levels": ["l1_server", "l1_workstation"], "notes": "The rule checks for default list of ciphers provided in the benchmark.", "title": "Ensure only strong Ciphers are used (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_ciphers", "sshd_use_approved_ciphers", "sshd_approved_ciphers=cis_sle12"], "controls": []}, {"id": "5.2.14", "levels": ["l1_server", "l1_workstation"], "notes": "The rule checks for default list of MACs provided in the benchmark.", "title": "Ensure only strong MAC algorithms are used (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_macs", "sshd_use_approved_macs", "sshd_approved_macs=cis_sle12", "sshd_strong_macs=cis_sle12"], "controls": []}, {"id": "5.2.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure only strong Key Exchange algorithms are used (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_kex", "sshd_strong_kex=cis_sle12"], "controls": []}, {"id": "5.2.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH Idle Timeout Interval is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_idle_timeout", "sshd_set_keepalive", "sshd_idle_timeout_value=5_minutes", "var_sshd_set_keepalive=0"], "controls": []}, {"id": "5.2.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH LoginGraceTime is set to one minute or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_login_grace_time", "var_sshd_set_login_grace_time=60"], "controls": []}, {"id": "5.2.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH warning banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_warning_banner"], "controls": []}, {"id": "5.2.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH PAM is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "5.2.20", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure SSH AllowTcpForwarding is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_tcp_forwarding"], "controls": []}, {"id": "5.2.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH MaxStartups is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_maxstartups", "var_sshd_set_maxstartups=10:30:60"], "controls": []}, {"id": "5.2.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SSH MaxSessions is limited (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_sessions", "var_sshd_max_sessions=10"], "controls": []}, {"id": "5.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password creation requirements are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["cracklib_accounts_password_pam_dcredit", "cracklib_accounts_password_pam_ucredit", "cracklib_accounts_password_pam_minlen", "cracklib_accounts_password_pam_retry", "cracklib_accounts_password_pam_lcredit", "cracklib_accounts_password_pam_ocredit", "var_password_pam_dcredit=1", "var_password_pam_ucredit=1", "var_password_pam_lcredit=1", "var_password_pam_ocredit=1", "var_password_pam_minlen=14", "var_password_pam_retry=3"], "controls": []}, {"id": "5.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure lockout for failed password attempts is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_tally2", "accounts_passwords_pam_tally2_deny_root", "accounts_passwords_pam_tally2_unlock_time", "var_password_pam_tally2=5", "var_accounts_passwords_pam_tally2_unlock_time=1800"], "controls": []}, {"id": "5.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password reuse is limited (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwhistory_remember", "var_password_pam_remember=5"], "controls": []}, {"id": "5.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password hashing algorithm is SHA-512 (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed_sha512", "set_password_hashing_algorithm_logindefs"], "controls": []}, {"id": "5.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration is 365 days or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=365"], "controls": []}, {"id": "5.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure minimum days between password changes is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_minimum_age_login_defs", "accounts_password_set_min_life_existing", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "5.4.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration warning days is 7 or more (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_set_warn_age_existing", "accounts_password_warn_age_login_defs", "var_accounts_password_warn_age_login_defs=7"], "controls": []}, {"id": "5.4.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure inactive password lock is 30 days or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_set_post_pw_existing", "account_disable_post_pw_expiration", "var_account_disable_post_pw_expiration=30"], "controls": []}, {"id": "5.4.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all users last password change date is in the past (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_last_change_is_in_past"], "controls": []}, {"id": "5.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system accounts are secured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "5.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default group for the root account is GID 0 (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_gid_zero"], "controls": []}, {"id": "5.4.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user shell timeout is configured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "5.4.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user umask is configured (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_login_defs", "accounts_umask_etc_profile", "accounts_umask_etc_bashrc", "var_accounts_user_umask=027"], "controls": []}, {"id": 5.5, "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root login is restricted to system console (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_direct_root_logins", "securetty_root_login_console_only"], "controls": []}, {"id": 5.6, "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to the su command is restricted (Automated)", "description": null, "rationale": null, "automated": "partially", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["use_pam_wheel_group_for_su", "ensure_pam_wheel_group_empty", "var_pam_wheel_group_for_su=cis"], "controls": []}, {"id": "6.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Audit system file permissions (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rpm_verify_permissions", "rpm_verify_ownership"], "rules": [], "controls": []}, {"id": "6.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_passwd", "file_groupowner_etc_gshadow", "file_owner_etc_gshadow", "file_owner_etc_passwd", "file_groupowner_etc_passwd", "file_permissions_etc_gshadow"], "controls": []}, {"id": "6.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_shadow", "file_owner_etc_shadow", "file_permissions_etc_shadow"], "controls": []}, {"id": "6.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_group", "file_owner_etc_group", "file_permissions_etc_group"], "controls": []}, {"id": "6.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_gshadow", "file_permissions_backup_etc_passwd", "file_groupowner_backup_etc_gshadow", "file_permissions_backup_etc_gshadow", "file_owner_backup_etc_passwd", "file_groupowner_backup_etc_passwd"], "controls": []}, {"id": "6.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_shadow", "file_permissions_backup_etc_shadow", "file_owner_backup_etc_shadow"], "controls": []}, {"id": "6.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_group", "file_groupowner_backup_etc_group", "file_permissions_backup_etc_group"], "controls": []}, {"id": "6.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no world writable files exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_world_writable"], "controls": []}, {"id": "6.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no unowned files or directories exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_unowned_by_user"], "controls": []}, {"id": "6.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no ungrouped files or directories exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_ungroupowned"], "controls": []}, {"id": "6.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Audit SUID executables (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_permissions_unauthorized_suid"], "rules": [], "controls": []}, {"id": "6.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Audit SGID executables (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_permissions_unauthorized_sgid"], "rules": [], "controls": []}, {"id": "6.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure accounts in /etc/passwd use shadowed passwords (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed"], "controls": []}, {"id": "6.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/shadow password fields are not empty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_legacy_plus_entries_etc_shadow", "no_legacy_plus_entries_etc_passwd"], "controls": []}, {"id": "6.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root is the only UID 0 account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero"], "controls": []}, {"id": "6.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root PATH Integrity (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_path_dirs_no_write", "root_path_no_dot"], "controls": []}, {"id": "6.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all users' home directories exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_interactive_home_directory_exists"], "controls": []}, {"id": "6.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure users' home directories permissions are 750 or more restrictive (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_home_directories", "accounts_users_home_files_permissions"], "controls": []}, {"id": "6.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure users own their home directories (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_ownership_home_directories", "file_groupownership_home_directories", "accounts_users_home_files_ownership", "accounts_users_home_files_groupownership"], "rules": [], "controls": []}, {"id": "6.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure users' dot files are not group or world writable (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_user_dot_no_world_writable_programs", "accounts_user_dot_group_ownership", "accounts_user_dot_user_ownership"], "rules": [], "controls": []}, {"id": "6.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no users have .forward files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_forward_files"], "controls": []}, {"id": "6.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no users have .netrc files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_netrc_files"], "controls": []}, {"id": "6.2.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure users' .netrc Files are not group or world accessible (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_users_netrc_file_permissions"], "controls": []}, {"id": "6.2.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no users have .rhosts files (Automated)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_rsh_trust_files"], "rules": [], "controls": []}, {"id": "6.2.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all groups in /etc/passwd exist in /etc/group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gid_passwd_group_same"], "controls": []}, {"id": "6.2.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate UIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "6.2.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate GIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "6.2.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate user names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_name"], "controls": []}, {"id": "6.2.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate group names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_name"], "controls": []}, {"id": "6.2.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure shadow group is empty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_shadow_group_empty"], "controls": []}], "levels": [{"id": "l1_server", "inherits_from": null}, {"id": "l2_server", "inherits_from": ["l1_server"]}, {"id": "l1_workstation", "inherits_from": null}, {"id": "l2_workstation", "inherits_from": ["l1_workstation"]}]}