{"id": "std_tencentos4", "policy": "Standard Benchmark for TencentOS 4", "title": "Standard Benchmark for TencentOS 4", "source": "", "definition_location": "/aptdata/openscap/scap-security-guide/controls/std_tencentos4.yml", "controls": [{"id": "1.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure mounting of cramfs filesystems is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_cramfs_disabled"], "controls": []}, {"id": "1.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure mounting of squashfs filesystems is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_squashfs_disabled"], "controls": []}, {"id": "1.1.3", "levels": ["l2_server"], "notes": "", "title": "Ensure USB Disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "1.1.4", "levels": ["l2_server"], "notes": "", "title": "Ensure a separate partition exists for /tmp", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp"], "controls": []}, {"id": "1.1.5", "levels": ["l2_server"], "notes": "", "title": "Ensure correct mounting options set on /tmp partition", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev", "mount_option_tmp_nosuid"], "controls": []}, {"id": "1.1.6", "levels": ["l2_server"], "notes": "", "title": "Ensure a separate partition exists for /dev/shm", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_dev_shm"], "controls": []}, {"id": "1.1.7", "levels": ["l2_server"], "notes": "", "title": "Ensure correct mounting options set on /dev/shm partition", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nosuid", "mount_option_dev_shm_noexec", "mount_option_dev_shm_nodev"], "controls": []}, {"id": "1.2.1", "levels": ["l2_server"], "notes": "", "title": "Ensure AIDE is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "1.2.2", "levels": ["l2_server"], "notes": "", "title": "Ensure filesystem integrity is regularly checked", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking"], "controls": []}, {"id": "1.2.3", "levels": ["l2_server"], "notes": "", "title": "Ensure IMA is enabled", "description": null, "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.1", "levels": ["l1_server"], "notes": "", "title": "Ensure gpgcheck is globally activated", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_never_disabled", "ensure_gpgcheck_globally_activated"], "controls": []}, {"id": "1.4.1", "levels": ["l1_server"], "notes": "", "title": "Ensure message of the day is configured properly", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_motd", "motd_banner_text=cis_banners"], "controls": []}, {"id": "1.4.2", "levels": ["l1_server"], "notes": "", "title": "Ensure local login warning banner is configured properly", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue", "login_banner_text=cis_banners"], "controls": []}, {"id": "1.4.3", "levels": ["l1_server"], "notes": "", "title": "Ensure remote login warning banner is configured properly", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_net", "remote_login_banner_text=cis_banners"], "controls": []}, {"id": "1.4.4", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/motd are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_motd", "file_owner_etc_motd", "file_permissions_etc_motd"], "controls": []}, {"id": "1.4.5", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/issue are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_issue", "file_permissions_etc_issue", "file_groupowner_etc_issue"], "controls": []}, {"id": "1.4.6", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/issue.net are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_issue_net", "file_owner_etc_issue_net", "file_groupowner_etc_issue_net"], "controls": []}, {"id": "1.5.1", "levels": ["l2_server"], "notes": "", "title": "Ensure Secure Boot is enabled", "description": null, "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.5.2", "levels": ["l2_server"], "notes": "", "title": "Ensure bootloader password is set", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password", "grub2_uefi_password"], "controls": []}, {"id": "1.5.3", "levels": ["l2_server"], "notes": "", "title": "Ensure permissions on bootloader config are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_grub2_cfg", "file_groupowner_grub2_cfg", "file_owner_grub2_cfg"], "controls": []}, {"id": "1.6.1", "levels": ["l2_server"], "notes": "", "title": "Ensure SELinux is enabled by grub2", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_selinux"], "controls": []}, {"id": "1.6.2", "levels": ["l2_server"], "notes": "", "title": "Ensure SELinux is set to enforcing mode", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_state", "selinux_not_disabled", "var_selinux_state=enforcing"], "controls": []}, {"id": "1.6.3", "levels": ["l2_server"], "notes": "", "title": "Ensure SELinux policy is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "1.6.4", "levels": ["l2_server"], "notes": "", "title": "Ensure no unconfined services exist", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_confinement_of_daemons"], "controls": []}, {"id": "2.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure time synchronization is in use", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_chrony_installed"], "controls": []}, {"id": "2.1.3", "levels": ["l1_server"], "notes": "", "title": "Ensure chrony is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_chronyd_enabled", "chronyd_run_as_chrony_user", "chronyd_configure_pool_and_server"], "controls": []}, {"id": "2.2.1", "levels": ["l1_server"], "notes": "", "title": "Ensure firewalld is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed"], "controls": []}, {"id": "2.2.2", "levels": ["l2_server"], "notes": "", "title": "Ensure firewalld is enabled and configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_firewalld_default_zone", "service_firewalld_enabled"], "controls": []}, {"id": "2.2.3", "levels": ["l2_server"], "notes": "", "title": "Ensure nftables is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nftables_installed"], "controls": []}, {"id": "2.2.4", "levels": ["l2_server"], "notes": "", "title": "Ensure nftables is enabled and configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_nftables_loopback_traffic", "nftables_ensure_default_deny_policy", "service_nftables_enabled"], "controls": []}, {"id": "2.3.1", "levels": ["l1_server"], "notes": "", "title": "Ensure Avahi Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_avahi_removed"], "controls": []}, {"id": "2.3.2", "levels": ["l1_server"], "notes": "", "title": "Ensure CUPS is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_cups_disabled", "package_cups_removed"], "controls": []}, {"id": "2.3.3", "levels": ["l1_server"], "notes": "", "title": "Ensure Rsync Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyncd_disabled", "package_rsync_removed"], "controls": []}, {"id": "2.3.4", "levels": ["l1_server"], "notes": "", "title": "Ensure LDAP Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-servers_removed"], "controls": []}, {"id": "2.3.5", "levels": ["l1_server"], "notes": "", "title": "Ensure xinetd is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_xinetd_disabled", "package_xinetd_removed"], "controls": []}, {"id": "2.3.6", "levels": ["l1_server"], "notes": "", "title": "Ensure NIS Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_ypserv_disabled", "package_ypserv_removed"], "controls": []}, {"id": "2.3.7", "levels": ["l1_server"], "notes": "", "title": "Ensure telnet Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet_removed", "package_telnet-server_removed"], "controls": []}, {"id": "2.3.8", "levels": ["l1_server"], "notes": "", "title": "Ensure DNS Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_named_disabled", "package_bind_removed"], "controls": []}, {"id": "2.3.9", "levels": ["l1_server"], "notes": "", "title": "Ensure FTP Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_vsftpd_disabled", "package_vsftpd_removed"], "controls": []}, {"id": "2.3.10", "levels": ["l1_server"], "notes": "", "title": "Ensure TFTP Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_tftp_disabled", "package_tftp_removed", "package_tftp-server_removed"], "controls": []}, {"id": "2.3.11", "levels": ["l1_server"], "notes": "", "title": "Ensure HTTP Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_httpd_disabled", "package_httpd_removed"], "controls": []}, {"id": "2.3.12", "levels": ["l2_server"], "notes": "", "title": "Ensure Samba is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_samba_removed", "service_smb_disabled"], "controls": []}, {"id": "2.3.13", "levels": ["l2_server"], "notes": "", "title": "Ensure HTTP Proxy Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_squid_removed"], "controls": []}, {"id": "2.3.14", "levels": ["l2_server"], "notes": "", "title": "Ensure SNMP Server is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_net-snmp_removed"], "controls": []}, {"id": "2.3.15", "levels": ["l2_server"], "notes": "", "title": "Ensure rsh is not installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsh_removed", "service_rsh_disabled"], "controls": []}, {"id": "2.3.16", "levels": ["l2_server"], "notes": "", "title": "Ensure IMAP and POP3 Server is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dovecot_removed", "service_dovecot_disabled"], "controls": []}, {"id": "2.3.17", "levels": ["l2_server"], "notes": "", "title": "Ensure RPC Service is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rpcbind_disabled"], "controls": []}, {"id": "2.3.18", "levels": ["l2_server"], "notes": "", "title": "Ensure DHCP Service is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dhcp_removed", "service_dhcpd_disabled"], "controls": []}, {"id": "2.3.19", "levels": ["l2_server"], "notes": "", "title": "Ensure NFS Service is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_nfs_disabled"], "controls": []}, {"id": "3.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure IP forwarding is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_forwarding", "sysctl_net_ipv4_ip_forward", "sysctl_net_ipv6_conf_all_forwarding_value=disabled"], "controls": []}, {"id": "3.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure packet redirect sending is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "3.1.3", "levels": ["l1_server"], "notes": "", "title": "Ensure source routed packets are not accepted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv4_conf_default_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_default_accept_source_route_value=disabled"], "controls": []}, {"id": "3.1.4", "levels": ["l1_server"], "notes": "", "title": "Ensure ICMP redirects are not accepted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_default_accept_redirects_value=disabled"], "controls": []}, {"id": "3.1.5", "levels": ["l1_server"], "notes": "", "title": "Ensure secure ICMP redirects are not accepted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_all_secure_redirects_value=disabled", "sysctl_net_ipv4_conf_default_secure_redirects_value=disabled"], "controls": []}, {"id": "3.1.6", "levels": ["l1_server"], "notes": "", "title": "Ensure suspicious packets are logged", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_log_martians", "sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_all_log_martians_value=enabled", "sysctl_net_ipv4_conf_default_log_martians_value=enabled"], "controls": []}, {"id": "3.1.7", "levels": ["l1_server"], "notes": "", "title": "Ensure broadcast ICMP requests are ignored", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled"], "controls": []}, {"id": "3.1.8", "levels": ["l1_server"], "notes": "", "title": "Ensure bogus ICMP responses are ignored", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled"], "controls": []}, {"id": "3.1.9", "levels": ["l1_server"], "notes": "", "title": "Ensure Reverse Path Filtering is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_all_rp_filter_value=enabled", "sysctl_net_ipv4_conf_default_rp_filter_value=enabled"], "controls": []}, {"id": "3.1.10", "levels": ["l1_server"], "notes": "", "title": "Ensure TCP SYN Cookies is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_tcp_syncookies_value=enabled"], "controls": []}, {"id": "3.1.11", "levels": ["l1_server"], "notes": "", "title": "Ensure IPv6 router advertisements are not accepted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_ra", "sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv6_conf_all_accept_ra_value=disabled", "sysctl_net_ipv6_conf_default_accept_ra_value=disabled"], "controls": []}, {"id": "3.2.1", "levels": ["l2_server"], "notes": "", "title": "Ensure DCCP is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_dccp_disabled"], "controls": []}, {"id": "3.2.2", "levels": ["l2_server"], "notes": "", "title": "Ensure SCTP is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "3.2.3", "levels": ["l2_server"], "notes": "", "title": "Ensure wireless interfaces are disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "4.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure auditd is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit-libs_installed", "package_audit_installed"], "controls": []}, {"id": "4.1.2", "levels": ["l2_server"], "notes": "", "title": "Ensure auditd service is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "4.1.3", "levels": ["l2_server"], "notes": "", "title": "Ensure auditing for processes that start prior to auditd is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument"], "controls": []}, {"id": "4.1.4", "levels": ["l2_server"], "notes": "", "title": "Ensure audit_backlog_limit is sufficient", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "4.1.5", "levels": ["l2_server"], "notes": "", "title": "Ensure audit rules are immutable", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "4.1.6", "levels": ["l2_server"], "notes": "", "title": "Ensure audit log size is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file"], "controls": []}, {"id": "4.1.7", "levels": ["l2_server"], "notes": "", "title": "Ensure audit logs are not automatically deleted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "4.1.8", "levels": ["l2_server"], "notes": "", "title": "Ensure system is disabled when audit logs are full", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left", "auditd_data_disk_error_action", "auditd_data_retention_space_left_action", "auditd_data_retention_admin_space_left_percentage", "auditd_audispd_disk_full_action", "auditd_data_disk_full_action", "var_auditd_space_left_action=syslog", "var_auditd_admin_space_left_percentage=50pc", "var_auditd_admin_space_left_action=suspend", "var_auditd_disk_full_action=suspend", "var_auditd_disk_error_action=suspend"], "controls": []}, {"id": "4.1.9", "levels": ["l2_server"], "notes": "", "title": "Ensure auditd log rotation is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "auditd_data_retention_num_logs", "var_auditd_max_log_file_action=rotate", "var_auditd_num_logs=5"], "controls": []}, {"id": "4.1.10", "levels": ["l2_server"], "notes": "", "title": "Ensure login and logout events are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_tallylog", "audit_rules_login_events_lastlog", "audit_rules_login_events_faillog"], "controls": []}, {"id": "4.1.11", "levels": ["l2_server"], "notes": "", "title": "Ensure session events are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events"], "controls": []}, {"id": "4.1.12", "levels": ["l2_server"], "notes": "", "title": "Ensure events that modify user/group information are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "4.1.13", "levels": ["l2_server"], "notes": "", "title": "Ensure kernel module loading and unloading is collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_privileged_commands_modprobe", "audit_rules_privileged_commands_insmod", "audit_rules_privileged_commands_rmmod", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading"], "controls": []}, {"id": "4.1.14", "levels": ["l2_server"], "notes": "", "title": "Ensure sudo commands are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_sudo"], "controls": []}, {"id": "4.1.15", "levels": ["l2_server"], "notes": "", "title": "Ensure the events that modify the sudoers file are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions", "audit_rules_sudoers"], "controls": []}, {"id": "4.1.16", "levels": ["l2_server"], "notes": "", "title": "Ensure events that modify date and time information are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_time_settimeofday", "audit_rules_time_adjtimex", "audit_rules_time_clock_settime", "audit_rules_time_stime"], "controls": []}, {"id": "4.1.17", "levels": ["l2_server"], "notes": "", "title": "Ensure events that modify the system's network configuration are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification"], "controls": []}, {"id": "4.1.18", "levels": ["l2_server"], "notes": "", "title": "Ensure events that modify the systems Mandatory Access Control (MAC) settings are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_mac_modification_usr_share", "audit_rules_mac_modification"], "controls": []}, {"id": "4.1.19", "levels": ["l2_server"], "notes": "", "title": "Ensure discretionary access control permission modification events are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_chmod"], "controls": []}, {"id": "4.1.20", "levels": ["l2_server"], "notes": "", "title": "Ensure successful file access is audited", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_successful_file_modification_fchmodat", "audit_rules_successful_file_modification_chown", "audit_rules_successful_file_modification_fchownat", "audit_rules_successful_file_modification_fsetxattr", "audit_rules_successful_file_modification_fchmod", "audit_rules_successful_file_modification_lsetxattr", "audit_rules_successful_file_modification_lremovexattr", "audit_rules_successful_file_modification_fchown", "audit_rules_successful_file_modification_removexattr", "audit_rules_successful_file_modification_fremovexattr", "audit_rules_successful_file_modification_setxattr", "audit_rules_successful_file_modification_chmod"], "controls": []}, {"id": "4.1.21", "levels": ["l2_server"], "notes": "", "title": "Ensure unsuccessful file access attempts are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification"], "controls": []}, {"id": "4.1.22", "levels": ["l2_server"], "notes": "", "title": "Ensure file deletion events by users are collected", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_successful_file_modification_unlink", "audit_rules_successful_file_modification_rename", "audit_rules_successful_file_modification_unlinkat", "audit_rules_successful_file_modification_renameat"], "controls": []}, {"id": "4.2.1", "levels": ["l1_server"], "notes": "", "title": "Ensure rsyslog is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed"], "controls": []}, {"id": "4.2.2", "levels": ["l2_server"], "notes": "", "title": "Ensure rsyslog is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyslog_enabled"], "controls": []}, {"id": "4.2.3", "levels": ["l2_server"], "notes": "", "title": "Ensure rsyslog default file permissions are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_files_groupownership", "rsyslog_files_ownership", "rsyslog_files_permissions"], "controls": []}, {"id": "4.3.1", "levels": ["l2_server"], "notes": "", "title": "Ensure journald is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "4.3.2", "levels": ["l2_server"], "notes": "", "title": "Ensure journald is configured to send logs to rsyslog", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_forward_to_syslog"], "controls": []}, {"id": "4.3.3", "levels": ["l2_server"], "notes": "", "title": "Ensure journald is configured to compress large log files", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_compress"], "controls": []}, {"id": "4.3.4", "levels": ["l2_server"], "notes": "", "title": "Ensure journald is configured to write logfiles to persistent disk", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_storage"], "controls": []}, {"id": "4.3.5", "levels": ["l2_server"], "notes": "", "title": "Ensure journald is disabled from receiving logs from a remote client", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["socket_systemd-journal-remote_disabled"], "controls": []}, {"id": "5.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure cron daemon is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_crond_enabled"], "controls": []}, {"id": "5.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/crontab are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_crontab", "file_permissions_crontab", "file_owner_crontab"], "controls": []}, {"id": "5.1.3", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/cron.hourly are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_hourly", "file_permissions_cron_hourly", "file_groupowner_cron_hourly"], "controls": []}, {"id": "5.1.4", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/cron.daily are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_daily", "file_permissions_cron_daily", "file_owner_cron_daily"], "controls": []}, {"id": "5.1.5", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/cron.weekly are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_weekly", "file_owner_cron_weekly", "file_groupowner_cron_weekly"], "controls": []}, {"id": "5.1.6", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/cron.monthly are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_monthly", "file_groupowner_cron_monthly", "file_owner_cron_monthly"], "controls": []}, {"id": "5.1.7", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/cron.d are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_d", "file_permissions_cron_d", "file_groupowner_cron_d"], "controls": []}, {"id": "5.1.8", "levels": ["l1_server"], "notes": "", "title": "Ensure cron is restricted to authorized users", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_allow", "file_groupowner_cron_allow", "file_owner_cron_allow", "file_cron_deny_not_exist"], "controls": []}, {"id": "5.1.9", "levels": ["l1_server"], "notes": "", "title": "Ensure at is restricted to authorized users", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_at_deny_not_exist", "file_owner_at_allow", "file_groupowner_at_allow", "file_permissions_at_allow"], "controls": []}, {"id": "5.2.1", "levels": ["l1_server"], "notes": "", "title": "Ensure permissions on /etc/ssh/sshd_config are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_sshd_config", "file_owner_sshd_config", "file_permissions_sshd_config"], "controls": []}, {"id": "5.2.2", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH PermitEmptyPasswords is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "5.2.3", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH root login from remote is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "5.2.4", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH PermitUserEnvironment is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "5.2.5", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH Protocol is set to 2", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_allow_only_protocol2"], "controls": []}, {"id": "5.2.6", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH X11 forwarding is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_x11_forwarding"], "controls": []}, {"id": "5.2.7", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH disallows TCP forwarding", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_tcp_forwarding"], "controls": []}, {"id": "5.2.8", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH IgnoreRhosts is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": "5.2.9", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH HostbasedAuthentication is disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": []}, {"id": "5.2.10", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH PAM is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "5.2.11", "levels": ["l1_server"], "notes": "", "title": "Ensure SSH warning banner is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_warning_banner_net"], "controls": []}, {"id": "5.2.12", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH access is limited to authorized users", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_limit_user_access"], "controls": []}, {"id": "5.2.13", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH LogLevel is appropriate", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_loglevel_verbose"], "controls": []}, {"id": "5.2.14", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH MaxAuthTries is set to 4 or less", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_auth_tries", "sshd_max_auth_tries_value=4"], "controls": []}, {"id": "5.2.15", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH MaxSessions is set to 10 or less", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_sessions", "var_sshd_max_sessions=10"], "controls": []}, {"id": "5.2.16", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH MaxStartups is set properly", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_maxstartups", "var_sshd_set_maxstartups=10:30:60"], "controls": []}, {"id": "5.2.17", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH LoginGraceTime is set to 1 minute or less", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_login_grace_time", "var_sshd_set_login_grace_time=60"], "controls": []}, {"id": "5.2.18", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH Idle Timeout Interval is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_idle_timeout", "sshd_idle_timeout_value=15_minutes"], "controls": []}, {"id": "5.2.19", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH MACs are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_macs", "sshd_strong_macs=cis_tencentos4"], "controls": []}, {"id": "5.2.20", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH Ciphers are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_ciphers"], "controls": []}, {"id": "5.2.21", "levels": ["l2_server"], "notes": "", "title": "Ensure SSH Key Exchange Algorithms are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_kex"], "controls": []}, {"id": "5.3.1", "levels": ["l1_server"], "notes": "", "title": "Ensure password creation requirements are configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_lcredit", "accounts_password_pam_minclass", "accounts_password_pam_ucredit", "accounts_password_pam_enforce_root", "accounts_password_pam_minlen", "accounts_password_pam_dcredit", "accounts_password_pam_retry", "accounts_password_pam_ocredit", "var_password_pam_minclass=3", "var_password_pam_minlen=8", "var_password_pam_dcredit=0", "var_password_pam_ucredit=0", "var_password_pam_lcredit=0", "var_password_pam_ocredit=0", "var_password_pam_retry=3"], "controls": []}, {"id": "5.3.2", "levels": ["l1_server"], "notes": "", "title": "Ensure password hashing algorithm is SHA-512", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_systemauth", "set_password_hashing_algorithm_passwordauth", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "5.3.3", "levels": ["l1_server"], "notes": "", "title": "Ensure password expiration is 180 days or less", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=180"], "controls": []}, {"id": "5.3.4", "levels": ["l1_server"], "notes": "", "title": "Ensure minimum days between password changes is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_minimum_age_login_defs", "accounts_password_set_min_life_existing", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "5.3.5", "levels": ["l1_server"], "notes": "", "title": "Ensure password expiration warning days is 7 or more", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_set_warn_age_existing", "accounts_password_warn_age_login_defs", "var_accounts_password_warn_age_login_defs=7"], "controls": []}, {"id": "5.3.6", "levels": ["l1_server"], "notes": "", "title": "Ensure inactive password lock is 30 days or less", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_set_post_pw_existing", "account_disable_post_pw_expiration", "var_account_disable_post_pw_expiration=30"], "controls": []}, {"id": "5.3.7", "levels": ["l1_server"], "notes": "", "title": "Ensure all users last password change date is in the past", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_last_change_is_in_past"], "controls": []}, {"id": "5.3.8", "levels": ["l1_server"], "notes": "", "title": "Ensure accounts locked after 5 failed logins is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_deny=5", "var_accounts_passwords_pam_faillock_unlock_time=300"], "controls": []}, {"id": "5.4.1", "levels": ["l1_server"], "notes": "", "title": "Ensure system accounts are secured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "5.4.2", "levels": ["l1_server"], "notes": "", "title": "Ensure default group for the root account is GID 0", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_gid_zero"], "controls": []}, {"id": "5.4.3", "levels": ["l1_server"], "notes": "", "title": "Ensure default user shell timeout is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "5.4.4", "levels": ["l1_server"], "notes": "", "title": "Ensure default user umask is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_bashrc", "var_accounts_user_umask=027"], "controls": []}, {"id": "5.4.5", "levels": ["l1_server"], "notes": "", "title": "Ensure passwords are set in single user mode", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_emergency_target_auth"], "controls": []}, {"id": "5.4.6", "levels": ["l1_server"], "notes": "", "title": "Ensure display of failed login attempts is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["display_login_attempts"], "controls": []}, {"id": "5.4.7", "levels": ["l1_server"], "notes": "", "title": "Ensure every UID is unique", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "5.4.8", "levels": ["l1_server"], "notes": "", "title": "Ensure account name is unique", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_name"], "controls": []}, {"id": "5.4.9", "levels": ["l1_server"], "notes": "", "title": "Ensure every GID is unique", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "5.4.10", "levels": ["l1_server"], "notes": "", "title": "Ensure every group name is unique", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_name"], "controls": []}, {"id": "5.4.11", "levels": ["l1_server"], "notes": "", "title": "Ensure accounts related files have correct permissions", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_gshadow", "file_groupowner_etc_group", "file_owner_etc_shadow", "file_owner_etc_gshadow", "file_permissions_etc_gshadow", "file_permissions_etc_passwd", "file_permissions_backup_etc_shadow", "file_permissions_backup_etc_gshadow", "file_owner_backup_etc_passwd", "file_owner_etc_passwd", "file_groupowner_etc_passwd", "file_permissions_backup_etc_group", "file_owner_backup_etc_group", "file_groupowner_backup_etc_gshadow", "file_groupowner_etc_gshadow", "file_permissions_etc_shadow", "file_owner_etc_group", "file_groupowner_backup_etc_shadow", "file_groupowner_backup_etc_passwd", "file_permissions_etc_group", "file_groupowner_etc_shadow", "file_permissions_backup_etc_passwd", "file_owner_backup_etc_shadow", "file_groupowner_backup_etc_group"], "controls": []}, {"id": "5.4.12", "levels": ["l1_server"], "notes": "", "title": "Ensure all users' home directories exist", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_interactive_home_directory_exists"], "controls": []}, {"id": "5.4.13", "levels": ["l1_server"], "notes": "", "title": "Ensure all users' home directories permissions are 750 or more restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_home_directories", "accounts_users_home_files_permissions"], "controls": []}, {"id": "5.5.1", "levels": ["l1_server"], "notes": "", "title": "Ensure sudo is installed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "5.5.2", "levels": ["l1_server"], "notes": "", "title": "Ensure sudo commands use pty", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_use_pty"], "controls": []}, {"id": "5.5.3", "levels": ["l1_server"], "notes": "", "title": "Ensure sudo log file exists", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_custom_logfile"], "controls": []}, {"id": "5.5.4", "levels": ["l1_server"], "notes": "", "title": "Ensure sudo is limited to authorized users", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_restrict_privilege_elevation_to_authorized"], "controls": []}, {"id": "5.5.5", "levels": ["l1_server"], "notes": "", "title": "Ensure users must provide password for privilege escalation", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_authentication"], "controls": []}, {"id": "6.1.1", "levels": ["l1_server"], "notes": "", "title": "Ensure no world writable files exist", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_world_writable"], "controls": []}, {"id": "6.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure no unowned files or directories exist", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_unowned_by_user"], "controls": []}, {"id": "6.1.3", "levels": ["l1_server"], "notes": "", "title": "Ensure no ungrouped files or directories exist", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_ungroupowned"], "controls": []}, {"id": "6.1.4", "levels": ["l1_server"], "notes": "", "title": "Audit SUID executables", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_suid"], "controls": []}, {"id": "6.1.5", "levels": ["l1_server"], "notes": "", "title": "Audit SGID executables", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_sgid"], "controls": []}, {"id": "6.1.6", "levels": ["l1_server"], "notes": "", "title": "Ensure no users have .forward files", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_forward_files"], "controls": []}, {"id": "6.1.7", "levels": ["l1_server"], "notes": "", "title": "Ensure no users have .netrc files", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_netrc_files"], "controls": []}, {"id": "6.2.1", "levels": ["l1_server"], "notes": "", "title": "Ensure address space layout randomization (ASLR) is enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "6.2.2", "levels": ["l1_server"], "notes": "", "title": "Ensure core dumps are restricted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_storage", "coredump_disable_backtraces", "sysctl_fs_suid_dumpable", "disable_users_coredumps"], "controls": []}, {"id": "6.2.3", "levels": ["l1_server"], "notes": "", "title": "Ensure dmesg access permission is correct", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_dmesg_restrict"], "controls": []}, {"id": "6.2.4", "levels": ["l1_server"], "notes": "", "title": "Ensure kernel kptr_restrict is configured", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_kptr_restrict", "sysctl_kernel_kptr_restrict_value=1"], "controls": []}], "levels": [{"id": "l1_server", "inherits_from": null}, {"id": "l2_server", "inherits_from": ["l1_server"]}]}