{"id": "cis_rhel8", "policy": "CIS Benchmark for Red Hat Enterprise Linux 8", "title": "CIS Benchmark for Red Hat Enterprise Linux 8", "source": "https://www.cisecurity.org/cis-benchmarks/#red_hat_linux", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cis_rhel8.yml", "controls": [{"id": "reload_dconf_db", "levels": ["l1_server", "l1_workstation"], "notes": "This is a helper rule to reload Dconf database correctly.", "title": "Reload Dconf database", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_db_up_to_date"], "controls": []}, {"id": "enable_authselect", "levels": ["l1_server", "l1_workstation"], "notes": "We need this in all CIS versions, but the policy doesn't have any section where this\nwould fit better.", "title": "Enable Authselect", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_authselect", "var_authselect_profile=sssd"], "controls": []}, {"id": "1.1.1.1", "levels": ["l1_workstation", "l1_server"], "notes": "", "title": "Ensure cramfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_cramfs_disabled"], "controls": []}, {"id": "1.1.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure freevxfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": 
"yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_freevxfs_disabled"], "controls": []}, {"id": "1.1.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure hfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_hfs_disabled"], "controls": []}, {"id": "1.1.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure hfsplus kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_hfsplus_disabled"], "controls": []}, {"id": "1.1.1.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure jffs2 kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_jffs2_disabled"], "controls": []}, {"id": "1.1.1.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure squashfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["kernel_module_squashfs_disabled"], "controls": []}, {"id": "1.1.1.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure udf kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_udf_disabled"], "controls": []}, {"id": "1.1.1.8", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure usb-storage kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "1.1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /tmp is a separate partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp"], "controls": []}, {"id": "1.1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev"], "controls": []}, {"id": "1.1.2.1.3", "levels": ["l1_server", "l1_workstation"], 
"notes": "", "title": "Ensure nosuid option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nosuid"], "controls": []}, {"id": "1.1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_noexec"], "controls": []}, {"id": "1.1.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /dev/shm is a separate partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_dev_shm"], "controls": []}, {"id": "1.1.2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev"], "controls": []}, {"id": "1.1.2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nosuid"], "controls": []}, {"id": "1.1.2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec"], "controls": []}, {"id": "1.1.2.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /home (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_home"], "controls": []}, {"id": "1.1.2.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nodev"], "controls": []}, {"id": "1.1.2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": 
[], "rules": ["mount_option_home_nosuid"], "controls": []}, {"id": "1.1.2.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var"], "controls": []}, {"id": "1.1.2.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nodev"], "controls": []}, {"id": "1.1.2.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nosuid"], "controls": []}, {"id": "1.1.2.5.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/tmp (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_tmp"], "controls": []}, {"id": "1.1.2.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/tmp 
partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nodev"], "controls": []}, {"id": "1.1.2.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nosuid"], "controls": []}, {"id": "1.1.2.5.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_noexec"], "controls": []}, {"id": "1.1.2.6.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log"], "controls": []}, {"id": "1.1.2.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nodev"], "controls": []}, {"id": "1.1.2.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nosuid"], "controls": []}, {"id": "1.1.2.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_noexec"], "controls": []}, {"id": "1.1.2.7.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log/audit (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit"], "controls": []}, {"id": "1.1.2.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["mount_option_var_log_audit_nodev"], "controls": []}, {"id": "1.1.2.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nosuid"], "controls": []}, {"id": "1.1.2.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_noexec"], "controls": []}, {"id": "1.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GPG keys are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["ensure_redhat_gpgkey_installed"], "rules": [], "controls": []}, {"id": "1.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure gpgcheck is globally activated (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_globally_activated", "ensure_gpgcheck_never_disabled"], "controls": []}, {"id": "1.2.3", "levels": ["l2_server", "l2_workstation"], 
"notes": "", "title": "Ensure repo_gpgcheck is globally activated (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure package manager repositories are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure updates, patches, and additional security software are installed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["security_patches_up_to_date"], "rules": [], "controls": []}, {"id": "1.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bootloader password is set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password", "grub2_uefi_password"], "controls": []}, {"id": "1.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on bootloader config are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_efi_grub2_cfg", "file_groupowner_efi_user_cfg", "file_groupowner_grub2_cfg", "file_groupowner_efi_grub2_cfg", "file_permissions_grub2_cfg", "file_owner_user_cfg", "file_permissions_efi_user_cfg", "file_owner_efi_grub2_cfg", "file_owner_efi_user_cfg", "file_owner_grub2_cfg", "file_permissions_user_cfg", "file_groupowner_user_cfg"], "controls": []}, {"id": "1.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure address space layout randomization (ASLR) is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "1.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ptrace_scope is restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_yama_ptrace_scope"], "controls": []}, {"id": "1.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure core dump backtraces are disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_backtraces"], "controls": []}, {"id": "1.4.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure core dump storage is 
disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_storage"], "controls": []}, {"id": "1.5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_libselinux_installed"], "controls": []}, {"id": "1.5.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux is not disabled in bootloader configuration (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_selinux"], "controls": []}, {"id": "1.5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux policy is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "1.5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure the SELinux mode is not disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_not_disabled"], "controls": []}, {"id": "1.5.1.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the SELinux mode is enforcing (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_state", "var_selinux_state=enforcing"], "controls": []}, {"id": "1.5.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no unconfined services exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_confinement_of_daemons"], "controls": []}, {"id": "1.5.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure the MCS Translation Service (mcstrans) is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_mcstrans_removed"], "controls": []}, {"id": "1.5.1.8", "levels": ["l1_server"], "notes": "", "title": "Ensure SETroubleshoot is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_setroubleshoot_removed"], 
"controls": []}, {"id": "1.6.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy is not set to legacy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is already satisfied by 1.6.1.", "title": "Ensure system wide crypto policy disables sha1 hash and signature support (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["configure_custom_crypto_policy_cis"], "rules": [], "controls": []}, {"id": "1.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy disables cbc for ssh (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy disables macs less than 128 bits (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": 
"1.7.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message of the day is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_motd_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure remote login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_net_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/motd is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_motd", "file_owner_etc_motd", "file_groupowner_etc_motd"], "controls": []}, {"id": "1.7.5", "levels": ["l1_server", 
"l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_issue", "file_groupowner_etc_issue", "file_owner_etc_issue"], "controls": []}, {"id": "1.7.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue.net is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_issue_net", "file_groupowner_etc_issue_net", "file_permissions_etc_issue_net"], "controls": []}, {"id": "1.8.1", "levels": ["l2_server"], "notes": "", "title": "Ensure GNOME Display Manager is removed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gdm_removed"], "controls": []}, {"id": "1.8.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM login banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_login_banner_text", "dconf_gnome_banner_enabled", "login_banner_text=cis_banners"], "controls": []}, {"id": "1.8.3", "levels": ["l1_server", "l1_workstation"], "notes": 
"", "title": "Ensure GDM disable-user-list option is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_user_list"], "controls": []}, {"id": "1.8.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM screen locks when the user is idle (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_delay", "dconf_gnome_screensaver_idle_delay", "inactivity_timeout_value=15_minutes", "var_screensaver_lock_delay=5_seconds"], "controls": []}, {"id": "1.8.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM screen locks cannot be overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_user_locks", "dconf_gnome_session_idle_user_locks"], "controls": []}, {"id": "1.8.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM automatic mounting of removable media is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount", "dconf_gnome_disable_automount_open"], "controls": []}, {"id": 
"1.8.7", "levels": ["l1_server", "l1_workstation"], "notes": "The same rules used in 1.8.6 are applicable here since they configure and also lock the\nsettings.", "title": "Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["dconf_gnome_disable_automount", "dconf_gnome_disable_automount_open"], "rules": [], "controls": []}, {"id": "1.8.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM autorun-never is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "1.8.9", "levels": ["l1_server", "l1_workstation"], "notes": "The same rules used in 1.8.8 are applicable here since they configure and also lock the\nsettings.", "title": "Ensure GDM autorun-never is not overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["dconf_gnome_disable_autorun"], "rules": [], "controls": []}, {"id": "1.8.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure XDMCP is not enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": 
[], "rules": ["gnome_gdm_disable_xdmcp"], "controls": []}, {"id": "2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure time synchronization is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_chrony_installed"], "controls": []}, {"id": "2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_specify_remote_server", "var_multiple_time_servers=rhel"], "controls": []}, {"id": "2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is not run as the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_run_as_chrony_user"], "controls": []}, {"id": "2.2.1", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure autofs services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_autofs_disabled"], "controls": []}, {"id": "2.2.2", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure avahi daemon services are not 
in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_avahi_removed"], "rules": ["service_avahi-daemon_disabled"], "controls": []}, {"id": "2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dhcp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_dhcpd_disabled"], "rules": ["package_dhcp_removed"], "controls": []}, {"id": "2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dns server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_named_disabled"], "rules": ["package_bind_removed"], "controls": []}, {"id": "2.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dnsmasq services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dnsmasq_removed"], "controls": []}, {"id": "2.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure samba file server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_smb_disabled"], "rules": ["package_samba_removed"], "controls": []}, {"id": "2.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_vsftpd_disabled"], "rules": ["package_vsftpd_removed"], "controls": []}, {"id": "2.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message access server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_dovecot_disabled"], "rules": ["package_dovecot_removed", "package_cyrus-imapd_removed"], "controls": []}, {"id": "2.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "Many of the libvirt packages used by Enterprise Linux virtualization are\ndependent on the nfs-utils package.", "title": "Ensure network file system services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_nfs-utils_removed"], "rules": ["service_nfs_disabled"], "controls": []}, {"id": "2.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nis server services are not in use (Automated)", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_ypserv_disabled"], "rules": ["package_ypserv_removed"], "controls": []}, {"id": "2.2.11", "levels": ["l1_server"], "notes": "", "title": "Ensure print server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_cups_removed"], "rules": ["service_cups_disabled"], "controls": []}, {"id": "2.2.12", "levels": ["l1_server", "l1_workstation"], "notes": "Many of the libvirt packages used by Enterprise Linux virtualization, and\nthe nfs-utils\npackage used for The Network File System (NFS), are dependent on the rpcbind\npackage.", "title": "Ensure rpcbind services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_rpcbind_removed"], "rules": ["service_rpcbind_disabled"], "controls": []}, {"id": "2.2.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsync services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_rsyncd_disabled"], "rules": ["package_rsync_removed"], "controls": []}, {"id": "2.2.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure snmp services are not in use 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_snmpd_disabled"], "rules": ["package_net-snmp_removed"], "controls": []}, {"id": "2.2.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_telnet_disabled"], "rules": ["package_telnet-server_removed"], "controls": []}, {"id": "2.2.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_tftp_disabled"], "rules": ["package_tftp-server_removed"], "controls": []}, {"id": "2.2.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web proxy server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_squid_disabled"], "rules": ["package_squid_removed"], "controls": []}, {"id": "2.2.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_httpd_disabled"], "rules": ["package_nginx_removed", "package_httpd_removed"], "controls": []}, {"id": "2.2.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure xinetd services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_xinetd_disabled"], "rules": ["package_xinetd_removed"], "controls": []}, {"id": "2.2.20", "levels": ["l2_server"], "notes": "The rule also configures the correct run level to prevent an unbootable system.", "title": "Ensure X window server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_xorg-x11-server-common_removed", "xwindows_runlevel_target"], "controls": []}, {"id": "2.2.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure mail transfer agents are configured for local-only mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["has_nonlocal_mta", "postfix_network_listening_disabled", "var_postfix_inet_interfaces=loopback-only"], "controls": []}, {"id": "2.2.22", "levels": ["l1_server", "l1_workstation"], "notes": "",
"title": "Ensure only approved services are listening on a network interface (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ftp client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ftp_removed"], "controls": []}, {"id": "2.3.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure LDAP client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-clients_removed"], "controls": []}, {"id": "2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure NIS Client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ypbind_removed"], "controls": []}, {"id": "2.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null,
"original_title": null, "related_rules": [], "rules": ["package_telnet_removed"], "controls": []}, {"id": "2.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tftp client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tftp_removed"], "controls": []}, {"id": "3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 status is identified (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure wireless interfaces are disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "3.1.3", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure bluetooth services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_bluetooth_disabled"], "controls": []}, {"id": "3.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure dccp kernel module is not available (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_dccp_disabled"], "controls": []}, {"id": "3.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure tipc kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_tipc_disabled"], "controls": []}, {"id": "3.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure rds kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_rds_disabled"], "controls": []}, {"id": "3.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure sctp kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ip forwarding is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_forwarding", "sysctl_net_ipv4_ip_forward", "sysctl_net_ipv6_conf_all_forwarding_value=disabled"], "controls": []}, {"id": "3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure packet redirect sending is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bogus icmp responses are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled"], "controls": []}, {"id": "3.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure broadcast icmp requests are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled"], "controls": []}, {"id": "3.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure icmp redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated",
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_all_accept_redirects_value=disabled", "sysctl_net_ipv6_conf_default_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure secure icmp redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_all_secure_redirects_value=disabled", "sysctl_net_ipv4_conf_default_secure_redirects_value=disabled"], "controls": []}, {"id": "3.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure reverse path filtering is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_all_rp_filter_value=enabled", "sysctl_net_ipv4_conf_default_rp_filter_value=enabled"], "controls": []}, {"id": "3.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure source routed 
packets are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv4_conf_default_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_all_accept_source_route_value=disabled", "sysctl_net_ipv6_conf_default_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure suspicious packets are logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_all_log_martians", "sysctl_net_ipv4_conf_all_log_martians_value=enabled", "sysctl_net_ipv4_conf_default_log_martians_value=enabled"], "controls": []}, {"id": "3.3.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tcp sync cookies is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_tcp_syncookies_value=enabled"], "controls": []}, {"id": "3.3.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 
router advertisements are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_ra", "sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv6_conf_all_accept_ra_value=disabled", "sysctl_net_ipv6_conf_default_accept_ra_value=disabled"], "controls": []}, {"id": "3.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nftables_installed"], "controls": []}, {"id": "3.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure a single firewall configuration utility is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed", "service_firewalld_enabled", "service_nftables_disabled"], "controls": []}, {"id": "3.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use. 
When using firewalld the base chains are installed by default.", "title": "Ensure nftables base chains exist (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["set_nftables_base_chain", "var_nftables_table=firewalld", "var_nftables_family=inet", "var_nftables_base_chain_names=chain_names", "var_nftables_base_chain_types=chain_types", "var_nftables_base_chain_hooks=chain_hooks", "var_nftables_base_chain_priorities=chain_priorities", "var_nftables_base_chain_policies=chain_policies"], "rules": [], "controls": []}, {"id": "3.4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure host based firewall loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["firewalld_loopback_traffic_restricted", "firewalld_loopback_traffic_trusted"], "controls": []}, {"id": "3.4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure firewalld drops unnecessary services and ports (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use. 
When using firewalld the base chains are installed by default.", "title": "Ensure nftables established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["set_nftables_new_connections"], "rules": [], "controls": []}, {"id": "3.4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use.", "title": "Ensure nftables default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["nftables_ensure_default_deny_policy"], "rules": [], "controls": []}, {"id": "4.1.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron daemon is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_crond_enabled"], "controls": []}, {"id": "4.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/crontab are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_crontab", 
"file_owner_crontab", "file_groupowner_crontab"], "controls": []}, {"id": "4.1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.hourly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_hourly", "file_permissions_cron_hourly", "file_groupowner_cron_hourly"], "controls": []}, {"id": "4.1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.daily are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_daily", "file_owner_cron_daily", "file_permissions_cron_daily"], "controls": []}, {"id": "4.1.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.weekly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_weekly", "file_groupowner_cron_weekly", "file_permissions_cron_weekly"], "controls": []}, {"id": "4.1.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.monthly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_monthly", "file_groupowner_cron_monthly", "file_permissions_cron_monthly"], "controls": []}, {"id": "4.1.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.d are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_d", "file_owner_cron_d", "file_permissions_cron_d"], "controls": []}, {"id": "4.1.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_allow", "file_permissions_cron_allow", "file_owner_cron_allow", "file_cron_allow_exists", "file_cron_deny_not_exist"], "controls": []}, {"id": "4.1.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure at is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_at_allow", "file_groupowner_at_allow", "file_at_deny_not_exist", "file_owner_at_allow", "file_at_allow_exists"], "controls": []}, {"id": "4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "These rules only check the /etc/ssh/sshd_config file but the policy also mentions files in\n/etc/ssh/sshd_config.d directory. 
New templated rules should be created for sshd_config.d.", "title": "Ensure permissions on /etc/ssh/sshd_config are configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_sshd_config", "file_permissions_sshd_config", "file_owner_sshd_config"], "controls": []}, {"id": "4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on SSH private host key files are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_sshd_private_key", "file_ownership_sshd_private_key", "file_permissions_sshd_private_key"], "controls": []}, {"id": "4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on SSH public host key files are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_sshd_pub_key", "file_ownership_sshd_pub_key", "file_permissions_sshd_pub_key"], "controls": []}, {"id": "4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd access is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["sshd_limit_user_access"], "controls": []}, {"id": "4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd Banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_enable_warning_banner"], "rules": ["sshd_enable_warning_banner_net"], "controls": []}, {"id": "4.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "Introduced in CIS RHEL8 v3.0.0", "title": "Ensure sshd Ciphers are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "4.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "The requirement gives an example of 45 seconds, but is flexible about the values. 
It is only\nnecessary to ensure a timeout is configured in alignment with the site policy. This profile\ndefaults to a 5-minute idle timeout with a keepalive count of 1; adjust the variables if the\nsite policy differs.", "title": "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_idle_timeout", "sshd_set_keepalive", "sshd_idle_timeout_value=5_minutes", "var_sshd_set_keepalive=1"], "controls": []}, {"id": "4.2.8", "levels": ["l2_server", "l1_workstation"], "notes": "", "title": "Ensure sshd DisableForwarding is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_disable_tcp_forwarding", "sshd_disable_x11_forwarding"], "rules": ["sshd_disable_forwarding"], "controls": []}, {"id": "4.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd HostbasedAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": []}, {"id": "4.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd IgnoreRhosts is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": 
"4.2.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd KexAlgorithms is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_kex", "sshd_strong_kex=cis_rhel8"], "controls": []}, {"id": "4.2.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd LoginGraceTime is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_login_grace_time", "var_sshd_set_login_grace_time=60"], "controls": []}, {"id": "4.2.13", "levels": ["l1_server", "l1_workstation"], "notes": "The CIS benchmark is not opinionated about which loglevel is selected here. 
Here, this\nprofile uses VERBOSE by default, as it allows for the capture of login and logout activity\nas well as key fingerprints.", "title": "Ensure sshd LogLevel is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_set_loglevel_info"], "rules": ["sshd_set_loglevel_verbose"], "controls": []}, {"id": "4.2.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MACs are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "4.2.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxAuthTries is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_auth_tries", "sshd_max_auth_tries_value=4"], "controls": []}, {"id": "4.2.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxSessions is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_sessions", "var_sshd_max_sessions=10"], "controls": []}, {"id": "4.2.17", "levels": ["l1_server", "l1_workstation"], 
"notes": "", "title": "Ensure sshd MaxStartups is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_maxstartups", "var_sshd_set_maxstartups=10:30:60"], "controls": []}, {"id": "4.2.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitEmptyPasswords is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "4.2.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitRootLogin is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "4.2.20", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitUserEnvironment is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "4.2.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd UsePAM is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "4.2.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd crypto_policy is not set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_ssh_crypto_policy"], "controls": []}, {"id": "4.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo commands use pty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_use_pty"], "controls": []}, {"id": "4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo log file exists (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_custom_logfile"], "controls": []}, {"id": "4.3.4", "levels": 
["l2_server", "l2_workstation"], "notes": "The rule sudo_require_authentication can probably be split to better attend requirements\n4.3.4 and 4.3.5.", "title": "Ensure users must provide password for escalation (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_authentication"], "controls": []}, {"id": "4.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "The rule sudo_require_authentication can probably be split to better attend requirements\n4.3.4 and 4.3.5.", "title": "Ensure re-authentication for privilege escalation is not disabled globally (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_authentication"], "controls": []}, {"id": "4.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo authentication timeout is configured correctly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_reauthentication"], "controls": []}, {"id": "4.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "Members of \"wheel\" or GID 0 groups are checked by default if the group option is not set for\npam_wheel.so module. The recommendation states the group should be empty to reinforce the\nuse of \"sudo\" for privileged access. 
Therefore, members of these groups should be manually\nreviewed, or a different group should be specified via var_pam_wheel_group_for_su.", "title": "Ensure access to the su command is restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["use_pam_wheel_group_for_su", "ensure_pam_wheel_group_empty", "var_pam_wheel_group_for_su=cis"], "controls": []}, {"id": "4.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "A new rule is necessary to ensure the pam package is kept up to date.", "title": "Ensure latest version of pam is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "A new rule is necessary to ensure the authselect package is kept up to date.", "title": "Ensure latest version of authselect is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is hard to automate without a more specific requirement. The policy even\nstates that the provided commands are examples; other custom settings might be in place and the\nsettings might differ depending on site policies. The other rules will already make\nsure there is a correct authselect profile regardless of the existing settings. 
This needs\nfurther discussion with the CIS community.", "title": "Ensure active authselect profile includes pam modules (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_empty_passwords"], "rules": [], "controls": []}, {"id": "4.4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is also indirectly satisfied by the requirements in section 4.4.3.1.", "title": "Ensure pam_faillock module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_password_pam_faillock_system_auth", "account_password_pam_faillock_password_auth"], "controls": []}, {"id": "4.4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "The CIS requirement asks to enable an authselect feature called \"with-pwquality\" but this\nfeature is not present in RHEL 8. This needs to be discussed with the CIS community. For now the\nrequirement is addressed by ensuring that libpwquality is installed. 
Its configuration is\ncovered by other requirements.", "title": "Ensure pam_pwquality module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_pwquality_installed"], "controls": []}, {"id": "4.4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "The module is properly enabled by the rules mentioned in related_rules.\nRequirements in 4.4.3.3 use these rules.", "title": "Ensure pam_pwhistory module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth"], "rules": [], "controls": []}, {"id": "4.4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "This module is always present by default. It is necessary to investigate if a new rule to\ncheck its existence needs to be created. 
But so far the rule no_empty_passwords, used in\n4.4.3.4.1, can ensure this requirement is addressed.", "title": "Ensure pam_unix module is enabled (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_empty_passwords"], "rules": [], "controls": []}, {"id": "4.4.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password failed attempts lockout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "var_accounts_passwords_pam_faillock_deny=5"], "controls": []}, {"id": "4.4.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "The policy also accepts value 0, which means the locked accounts should be manually unlocked\nby an administrator. 
However, it also mentions that using value 0 can facilitate a denial-of-service\nattack against legitimate users, since locked accounts then stay locked until an administrator\nintervenes.", "title": "Ensure password unlock time is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_unlock_time=900"], "controls": []}, {"id": "4.4.3.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure password failed attempts lockout includes root account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny_root"], "controls": []}, {"id": "4.4.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password number of changed characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_difok", "var_password_pam_difok=2"], "controls": []}, {"id": "4.4.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password length is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minlen", 
"var_password_pam_minlen=14"], "controls": []}, {"id": "4.4.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is expected to be manual. However, in previous versions of the policy\nit was already automated the configuration of \"minclass\" option. This posture was kept for\nRHEL 8 in this new version. Rules related to other options are informed in related_rules.\nIn short, minclass=4 alone can achieve the same result achieved by the combination of the\nother 4 options mentioned in the policy.", "title": "Ensure password complexity is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_dcredit", "accounts_password_pam_lcredit", "accounts_password_pam_ocredit", "accounts_password_pam_ucredit"], "rules": ["accounts_password_pam_minclass", "var_password_pam_minclass=4"], "controls": []}, {"id": "4.4.3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password same consecutive characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxrepeat", "var_password_pam_maxrepeat=3"], "controls": []}, {"id": "4.4.3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password maximum sequential characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["accounts_password_pam_maxsequence", "var_password_pam_maxsequence=3"], "controls": []}, {"id": "4.4.3.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password dictionary check is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "var_password_pam_dictcheck=1"], "controls": []}, {"id": "4.4.3.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password quality is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_enforce_root"], "controls": []}, {"id": "4.4.3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "Although mentioned in the section 4.4.3.3, there is no explicit requirement to configure\nretry option of pam_pwhistory. 
If such a requirement is added in the future, the rule accounts_password_pam_retry\ncan be used.", "title": "Ensure password history remember is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_retry"], "rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth", "var_password_pam_remember_control_flag=requisite_or_required", "var_password_pam_remember=24"], "controls": []}, {"id": "4.4.3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "A new rule needs to be created to check and remediate the enforce_for_root option in\n/etc/security/pwhistory.conf. accounts_password_pam_enforce_root can be used as a reference.", "title": "Ensure password history is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "In RHEL 8 pam_pwhistory is enabled via an authselect feature, as required in 4.4.3.3.1. The\nfeature automatically sets the \"use_authtok\" option. 
In any case, we don't have a rule to check\nthis option specifically.", "title": "Ensure pam_pwhistory includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth"], "rules": [], "controls": []}, {"id": "4.4.3.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "The rule used for this requirement also satisfies the requirements 4.4.2.1\nand 4.4.2.5.", "title": "Ensure pam_unix does not include nullok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords"], "controls": []}, {"id": "4.4.3.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "Usage of the pam_unix.so module together with the \"remember\" option is deprecated and is not\nrecommended by this policy. Instead, the remember option of the pam_pwhistory\nmodule should be used, as required in 4.4.3.3.1. 
See here for more details about pam_unix.so:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1778929\nA new rule needs to be created to remove the remember option from pam_unix module.", "title": "Ensure pam_unix does not include remember (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.3.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "Changes in logindefs mentioned in this requirement are more specifically covered by 4.5.1.1.", "title": "Ensure pam_unix includes a strong password hashing algorithm (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_passwordauth", "set_password_hashing_algorithm_systemauth", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "4.4.3.4.4", "levels": ["l1_server", "l1_workstation"], "notes": "In RHEL 8 pam_unix is enabled by default in all authselect profiles already with the\nuse_authtok option set. 
In any case, we don't have a rule to check this option specifically,\nlike in 4.4.3.3.3.", "title": "Ensure pam_unix includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure strong password hashing algorithm is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_libuserconf", "set_password_hashing_algorithm_logindefs", "var_password_hashing_algorithm=SHA512", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "4.5.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration is 365 days or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=365"], "controls": []}, {"id": "4.5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration warning days is 7 or more (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["accounts_password_warn_age_login_defs", "accounts_password_set_warn_age_existing", "var_accounts_password_warn_age_login_defs=7"], "controls": []}, {"id": "4.5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure inactive password lock is 30 days or less (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_set_post_pw_existing", "account_disable_post_pw_expiration", "var_account_disable_post_pw_expiration=30"], "controls": []}, {"id": "4.5.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all users last password change date is in the past (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_last_change_is_in_past"], "controls": []}, {"id": "4.5.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default group for the root account is GID 0 (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_gid_zero"], "controls": []}, {"id": "4.5.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "There is no rule to ensure umask in /root/.bash_profile and /root/.bashrc. A new rule has\nto be created. 
It can be based on accounts_umask_interactive_users.", "title": "Ensure root user umask is configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.5.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system accounts are secured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_password_auth_for_systemaccounts", "no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "4.5.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root password is set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_root_password_configured"], "controls": []}, {"id": "4.5.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "A new rule needs to be created to check for and remove nologin from /etc/shells.\nThe no_tmux_in_shells rule can be used as a reference.", "title": "Ensure nologin is not listed in /etc/shells (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.5.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default 
user shell timeout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "4.5.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "A rule to check /etc/pam.d/postlogin is missing. Files /etc/bash.bashrc and\n/etc/default/login are not used in RHEL 8, but are mentioned in the policy. This has to be\nclarified with the CIS Community. The policy allows the user to override the default system umask\nat their discretion. This is the reason the accounts_umask_interactive_users rule is in\nrelated_rules. If this changes in the future, the rule can be used to ensure that users do\nnot override the system default.", "title": "Ensure default user umask is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_umask_interactive_users"], "rules": ["accounts_umask_etc_bashrc", "accounts_umask_etc_login_defs", "accounts_umask_etc_profile", "var_accounts_user_umask=027"], "controls": []}, {"id": "5.1.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed"], "controls": []}, {"id": "5.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is expected to be manual in the policy 
because there are valid cases where\nother solutions are used for logging. rsyslog is the default in RHEL 8 and so far other\nsolutions are not expected to be incompatible with rsyslog. If they are, for those particular\ncases, this rule should be removed for those systems through a tailoring file.", "title": "Ensure rsyslog service is enabled (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyslog_enabled"], "controls": []}, {"id": "5.1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to send logs to rsyslog (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_forward_to_syslog"], "controls": []}, {"id": "5.1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog default file permissions are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_filecreatemode"], "controls": []}, {"id": "5.1.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure logging is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, 
{"id": "5.1.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is configured to send logs to a remote log host (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_remote_loghost"], "rules": [], "controls": []}, {"id": "5.1.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is not configured to recieve logs from a remote client (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_nolisten"], "controls": []}, {"id": "5.1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote is installed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_systemd-journal-remote_installed"], "rules": [], "controls": []}, {"id": "5.1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote is enabled (Manual)", "description": null, "rationale": 
null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is not configured to recieve logs from a remote client (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["socket_systemd-journal-remote_disabled"], "controls": []}, {"id": "5.1.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald service is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "5.1.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to compress large log files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_compress"], "controls": []}, {"id": "5.1.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to write logfiles to persistent disk (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_storage"], "controls": []}, {"id": "5.1.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is not configured to send logs to rsyslog (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald log rotation is configured per site policy (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure logrotate is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["ensure_logrotate_activated", "package_logrotate_installed", "timer_logrotate_enabled"], "rules": [], "controls": []}, {"id": "5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all logfiles have appropriate access configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_files_ownership", "rsyslog_files_groupownership", 
"rsyslog_files_permissions"], "controls": []}, {"id": "5.2.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit_installed"], "controls": []}, {"id": "5.2.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditing for processes that start prior to auditd is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument"], "controls": []}, {"id": "5.2.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit_backlog_limit is sufficient (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "5.2.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd service is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "5.2.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log 
storage size is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file", "var_auditd_max_log_file=6"], "controls": []}, {"id": "5.2.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit logs are not automatically deleted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "5.2.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system is disabled when audit logs are full (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_error_action", "auditd_data_disk_full_action", "var_auditd_disk_error_action=cis_rhel8", "var_auditd_disk_full_action=cis_rhel8"], "controls": []}, {"id": "5.2.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system warns when audit logs are low on space (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left_action", "auditd_data_retention_action_mail_acct", 
"auditd_data_retention_admin_space_left_action", "var_auditd_action_mail_acct=root", "var_auditd_admin_space_left_action=cis_rhel8", "var_auditd_space_left_action=cis_rhel8"], "controls": []}, {"id": "5.2.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure changes to system administration scope (sudoers) is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "5.2.3.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure actions as another user are always logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_auid_privilege_function"], "controls": []}, {"id": "5.2.3.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the sudo log file are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_sudo_log_events"], "controls": []}, {"id": "5.2.3.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify date and time information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["audit_rules_time_watch_localtime", "audit_rules_time_adjtimex", "audit_rules_time_clock_settime", "audit_rules_time_settimeofday", "audit_rules_time_stime"], "controls": []}, {"id": "5.2.3.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's network environment are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_network_scripts", "audit_rules_networkconfig_modification"], "controls": []}, {"id": "5.2.3.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure use of privileged commands are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands"], "controls": []}, {"id": "5.2.3.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure unsuccessful file access attempts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_truncate"], "controls": []}, {"id": "5.2.3.8", "levels": ["l2_server", 
"l2_workstation"], "notes": "", "title": "Ensure events that modify user/group information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_passwd", "audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "5.2.3.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure discretionary access control permission modification events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fsetxattr"], "controls": []}, {"id": "5.2.3.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful file system mounts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["audit_rules_media_export"], "controls": []}, {"id": "5.2.3.11", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure session initiation information is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events_utmp", "audit_rules_session_events_btmp", "audit_rules_session_events_wtmp"], "controls": []}, {"id": "5.2.3.12", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure login and logout events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "audit_rules_login_events_lastlog", "var_accounts_passwords_pam_faillock_dir=run"], "controls": []}, {"id": "5.2.3.13", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure file deletion events by users are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlinkat"], "controls": []}, {"id": "5.2.3.14", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's Mandatory Access Controls are collected (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_mac_modification_usr_share", "audit_rules_mac_modification"], "controls": []}, {"id": "5.2.3.15", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chcon"], "controls": []}, {"id": "5.2.3.16", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setfacl"], "controls": []}, {"id": "5.2.3.17", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chacl"], "controls": []}, {"id": "5.2.3.18", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the usermod command are 
recorded (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_usermod"], "controls": []}, {"id": "5.2.3.19", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel module loading, unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_finit", "audit_rules_kernel_module_loading_delete", "audit_rules_kernel_module_loading_query", "audit_rules_kernel_module_loading_create", "audit_rules_kernel_module_loading_init", "audit_rules_privileged_commands_kmod"], "controls": []}, {"id": "5.2.3.20", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit configuration is immutable (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "5.2.3.21", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the running and on disk configuration is the same (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.4.1", "levels": ["l2_server", 
"l2_workstation"], "notes": "", "title": "Ensure the audit log directory is 0750 or more restrictive (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["directory_permissions_var_log_audit"], "controls": []}, {"id": "5.2.4.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files are mode 0640 or less permissive (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit"], "controls": []}, {"id": "5.2.4.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure only authorized users own audit log files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_var_log_audit_stig"], "controls": []}, {"id": "5.2.4.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure only authorized groups are assigned ownership of audit log files (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_group_ownership_var_log_audit"], "controls": []}, {"id": "5.2.4.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files are 640 
or more restrictive (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_audit_configuration"], "controls": []}, {"id": "5.2.4.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files are owned by root (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_configuration"], "controls": []}, {"id": "5.2.4.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files belong to group root (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_configuration"], "controls": []}, {"id": "5.2.4.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools are 755 or more restrictive (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_audit_binaries"], "controls": []}, {"id": "5.2.4.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools are owned by root (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_binaries"], "controls": []}, {"id": "5.2.4.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools belong to group root (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_binaries"], "controls": []}, {"id": "5.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AIDE is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed", "aide_build_database"], "controls": []}, {"id": "5.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure filesystem integrity is regularly checked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["aide_periodic_checking_systemd_timer"], "rules": ["aide_periodic_cron_checking"], "controls": []}, {"id": "5.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["aide_use_fips_hashes"], "rules": ["aide_check_audit_tools"], "controls": []}, {"id": "6.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_passwd", "file_permissions_etc_passwd", "file_owner_etc_passwd"], "controls": []}, {"id": "6.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_passwd", "file_groupowner_backup_etc_passwd", "file_permissions_backup_etc_passwd"], "controls": []}, {"id": "6.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/security/opasswd are configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_etc_security_opasswd"], "controls": []}, {"id": "6.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_group", "file_owner_etc_group", "file_permissions_etc_group"], "controls": []}, {"id": "6.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_group", "file_permissions_backup_etc_group", "file_owner_backup_etc_group"], "controls": []}, {"id": "6.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_shadow", "file_permissions_etc_shadow", "file_groupowner_etc_shadow"], "controls": []}, {"id": "6.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_shadow", "file_groupowner_backup_etc_shadow", "file_owner_backup_etc_shadow"], "controls": []}, {"id": "6.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/gshadow are configured (Automated)", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_gshadow", "file_groupowner_etc_gshadow", "file_owner_etc_gshadow"], "controls": []}, {"id": "6.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/gshadow- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_gshadow", "file_permissions_backup_etc_gshadow", "file_groupowner_backup_etc_gshadow"], "controls": []}, {"id": "6.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shells are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_shells", "file_owner_etc_shells", "file_groupowner_etc_shells"], "controls": []}, {"id": "6.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure world writable files and directories are secured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_perms_world_writable_sticky_bits", "file_permissions_unauthorized_world_writable"], "controls": []}, {"id": "6.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no unowned 
or ungrouped files or directories exist (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_unowned_by_user", "file_permissions_ungroupowned"], "controls": []}, {"id": "6.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SUID and SGID files are reviewed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_permissions_unauthorized_suid", "file_permissions_unauthorized_sgid"], "rules": [], "controls": []}, {"id": "6.1.14", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Audit system file permissions (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rpm_verify_permissions", "rpm_verify_ownership"], "rules": [], "controls": []}, {"id": "6.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure accounts in /etc/passwd use shadowed passwords (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed"], "controls": []}, {"id": "6.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/shadow password fields are not empty (Automated)", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords_etc_shadow"], "controls": []}, {"id": "6.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all groups in /etc/passwd exist in /etc/group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gid_passwd_group_same"], "controls": []}, {"id": "6.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate UIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "6.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate GIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "6.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate user names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["account_unique_name"], "controls": []}, {"id": "6.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate group names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_name"], "controls": []}, {"id": "6.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root path integrity (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_path_dirs_no_write", "root_path_no_dot"], "controls": []}, {"id": "6.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root is the only UID 0 account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero"], "controls": []}, {"id": "6.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local interactive user home directories are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_interactive_home_directory_exists", "file_permissions_home_directories", "file_ownership_home_directories"], "controls": []}, {"id": "6.2.11", "levels": 
["l1_server", "l1_workstation"], "notes": "According to the RHEL 8 CIS Benchmark guidance, the non-compliant .forward\nand .rhosts files should be investigated and remediated manually.\nHowever, in other profiles we remediate the rule using the automated\nremediation.", "title": "Ensure local interactive user dot files access is configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_forward_files", "no_rsh_trust_files", "accounts_users_netrc_file_permissions", "accounts_user_dot_group_ownership", "file_permission_user_init_files", "accounts_user_dot_user_ownership", "var_user_initialization_files_regex=all_dotfiles"], "controls": []}], "levels": [{"id": "l1_server", "inherits_from": null}, {"id": "l2_server", "inherits_from": ["l1_server"]}, {"id": "l1_workstation", "inherits_from": null}, {"id": "l2_workstation", "inherits_from": ["l1_workstation"]}]}