{"id": "ospp", "policy": "Common Criteria", "title": "Protection Profile for General Purpose Operating Systems", "source": "https://www.niap-ccevs.org/Profile/Info.cfm?PPID=469&id=469", "definition_location": "/aptdata/openscap/scap-security-guide/controls/ospp.yml", "controls": [{"id": "AGD_OPE.1", "levels": ["base"], "notes": "", "title": "Operational User Guidance", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openscap-scanner_installed", "package_scap-security-guide_installed"], "controls": []}, {"id": "AGD_PRE.1", "levels": ["base"], "notes": "", "title": "Preparative Procedures", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openscap-scanner_installed", "package_scap-security-guide_installed"], "controls": []}, {"id": "FAU_GEN.1", "levels": ["base"], "notes": "", "title": "Audit Data Generation (Refined)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_basic_configuration", "auditd_freq", "service_auditd_enabled", "grub2_audit_argument", "package_audit_installed", "auditd_data_retention_flush", "zipl_audit_argument", "sshd_disable_root_login", "var_auditd_flush=incremental_async"], "controls": []}, {"id": "FAU_GEN.1.1", "levels": ["base"], "notes": "", "title": "Audit Data Generation - Event Types to be Audited", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_owner_change_success", "audit_modify_success", "audit_ospp_general_ppc64le", "audit_module_load_ppc64le", "audit_perm_change_failed_aarch64", "audit_create_failed_ppc64le", "audit_owner_change_failed_aarch64", "audit_delete_success", "audit_modify_failed_aarch64", "audit_access_failed_ppc64le", "audit_owner_change_failed", "audit_create_success_ppc64le", "audit_perm_change_failed_ppc64le", "audit_ospp_general_aarch64", "audit_delete_failed_ppc64le", "audit_perm_change_success", "audit_modify_success_ppc64le", "audit_create_failed", "audit_access_failed", "audit_modify_failed_ppc64le", "audit_access_success_ppc64le", "audit_owner_change_success_aarch64", "audit_delete_failed_aarch64", "audit_perm_change_success_ppc64le", "audit_delete_success_aarch64", "audit_create_success_aarch64", "audit_module_load", "audit_create_success", "audit_access_success", "audit_perm_change_success_aarch64", "audit_modify_failed", "audit_ospp_general", "audit_owner_change_success_ppc64le", "audit_delete_success_ppc64le", "audit_perm_change_failed", "audit_access_failed_aarch64", "audit_access_success_aarch64", "audit_owner_change_failed_ppc64le", "audit_modify_success_aarch64", "audit_create_failed_aarch64", "audit_delete_failed", "audit_access_success.role=unscored", "audit_access_success.severity=info", "audit_access_success_aarch64.role=unscored", "audit_access_success_aarch64.severity=info", "audit_access_success_ppc64le.role=unscored", "audit_access_success_ppc64le.severity=info"], "controls": []}, {"id": "FAU_GEN.1.2", "levels": ["base"], "notes": "", "title": "Audit Data Generation - Audit Event Format", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_log_format", "auditd_name_format", "disable_ctrlaltdel_burstaction", "disable_ctrlaltdel_reboot", "audit_immutable_login_uids"], "controls": []}, {"id": "FAU_STG.1", "levels": ["base"], "notes": "", "title": "Protected audit trail storage", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "zipl_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "FCS_CKM.1", "levels": ["base"], "notes": "", "title": "Cryptographic Key Generation", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_CKM.1.1", "levels": ["base"], "notes": "", "title": "Cryptographic Key Generation - asymmetric cryptographic", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_CKM.2", "levels": ["base"], "notes": "", "title": "Cryptographic Key Establishment", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_COP.1/ENCRYPT", "levels": ["base"], "notes": "", "title": "Cryptographic Operation - Encryption/Decryption", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_COP.1/HASH", "levels": ["base"], "notes": "", "title": "Cryptographic Operation - Hashing", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_COP.1/SIGN", "levels": ["base"], "notes": "", "title": "Cryptographic Operation - Signing", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_COP.1/KEYHMAC", "levels": ["base"], "notes": "", "title": "Keyed-Hash Message Authentication", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_RBG_EXT.1", "levels": ["base"], "notes": "", "title": "Random Bit Generation", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_dracut_fips_module", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_RBG_EXT.1.1", "levels": ["base"], "notes": "", "title": "Random Bit Generation - deterministic random bit generation", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_dracut_fips_module", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_RBG_EXT.1.2", "levels": ["base"], "notes": "", "title": "Random Bit Generation - entropy source", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_dracut_fips_module", "enable_fips_mode", "var_system_crypto_policy=fips_ospp"], "controls": []}, {"id": "FCS_SSHC_EXT.1", "levels": ["base"], "notes": "", "title": "SSH Client Protocol", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_ssh_crypto_policy", "package_openssh-clients_installed"], "controls": []}, {"id": "FCS_SSHS_EXT.1", "levels": ["base"], "notes": "", "title": "SSH Server Protocol", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed", "configure_ssh_crypto_policy"], "controls": []}, {"id": "FCS_SSH_EXT.1", "levels": ["base"], "notes": "", "title": "SSH Protocol", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed", "configure_ssh_crypto_policy", "package_openssh-clients_installed", "sshd_use_directory_configuration"], "controls": []}, {"id": "FCS_SSH_EXT.1.2", "levels": ["base"], "notes": "", "title": "SSH Protocol - Authentication Methods", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_gssapi_auth", "sshd_disable_kerb_auth"], "controls": []}, {"id": "FCS_SSH_EXT.1.8", "levels": ["base"], "notes": "", "title": "SSH Protocol - Session", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_rekey_limit", "ssh_client_rekey_limit", "var_ssh_client_rekey_limit_size=1G", "var_ssh_client_rekey_limit_time=1hour", "var_rekey_limit_size=1G", "var_rekey_limit_time=1hour"], "controls": []}, {"id": "FCS_TLSC_EXT.1", "levels": ["base"], "notes": "", "title": "TLS Client Protocol", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode"], "controls": []}, {"id": "FCS_TLSC_EXT.1.1", "levels": ["base"], "notes": "", "title": "Allowed Cipher Suites", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy", "package_crypto-policies_installed", "configure_openssl_crypto_policy", "enable_fips_mode"], "controls": []}, {"id": "FIA_AFL.1", "levels": ["base"], "notes": "", "title": "Authentication failure handling", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_interval", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_deny=3", "var_accounts_passwords_pam_faillock_fail_interval=900", "var_accounts_passwords_pam_faillock_unlock_time=never"], "controls": []}, {"id": "FIA_UAU.1", "levels": ["base"], "notes": "", "title": "Timing of authentication", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords", "require_singleuser_auth", "grub2_disable_recovery", "disable_host_auth", "service_debug-shell_disabled", "grub2_password", "sshd_disable_empty_passwords", "zipl_systemd_debug-shell_argument_absent", "grub2_systemd_debug-shell_argument_absent"], "controls": []}, {"id": "FIA_UAU.5", "levels": ["base"], "notes": "", "title": "Multiple Authentication Mechanisms", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed", "package_openssh-clients_installed"], "controls": []}, {"id": "FIA_X509_EXT.1", "levels": ["base"], "notes": "", "title": "X.509 Certificate Validation", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gnutls-utils_installed"], "controls": []}, {"id": "FIA_X509_EXT.1.1", "levels": ["base"], "notes": "", "title": "X.509 Certificate Validation - Valid Certificates", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gnutls-utils_installed"], "controls": []}, {"id": "FIA_X509_EXT.2", "levels": ["base"], "notes": "", "title": "X.509 Certificate Validation - basicConstraints", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gnutls-utils_installed"], "controls": []}, {"id": "FMT_MOF_EXT.1", "levels": ["base"], "notes": "", "title": "Management of security functions behavior", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "package_sudo_installed", "selinux_state", "logind_session_timeout", "var_logind_session_timeout=30_minutes", "var_selinux_state=enforcing", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "FMT_SMF_EXT.1", "levels": ["base"], "notes": "", "title": "Specification of Management Functions", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_usbguard_auditbackend", "accounts_password_pam_ucredit", "accounts_password_pam_dcredit", "usbguard_allow_hid_and_hub", "kernel_module_sctp_disabled", "sysctl_kernel_perf_event_paranoid", "partition_for_var_log_audit", "accounts_password_pam_lcredit", "sysctl_kernel_kptr_restrict", "sysctl_kernel_unprivileged_bpf_disabled_accept_default", "mount_option_var_log_audit_nodev", "sysctl_kernel_yama_ptrace_scope", "sysctl_kernel_core_pattern_empty_string", "chronyd_client_only", "package_fapolicyd_installed", "sysctl_user_max_user_namespaces", "accounts_password_pam_minlen", "sysctl_kernel_kexec_load_disabled", "accounts_password_pam_ocredit", "timer_dnf-automatic_enabled", "service_systemd-coredump_disabled", "kernel_module_tipc_disabled", "kernel_module_bluetooth_disabled", "service_fapolicyd_enabled", "package_firewalld_installed", "package_chrony_installed", "service_firewalld_enabled", "logind_session_timeout", "service_usbguard_enabled", "sysctl_kernel_core_uses_pid", "package_usbguard_installed", "kernel_module_can_disabled", "mount_option_var_log_audit_nosuid", "mount_option_var_log_audit_noexec", "sysctl_kernel_dmesg_restrict", "dnf-automatic_apply_updates", "var_password_pam_minlen=12", "var_password_pam_ocredit=1", "var_password_pam_dcredit=1", "var_password_pam_ucredit=1", "var_password_pam_lcredit=1", "sysctl_kernel_unprivileged_bpf_disabled_value=2", "var_logind_session_timeout=30_minutes"], "controls": []}, {"id": "FMT_SMF_EXT.1.1", "levels": ["base"], "notes": "", "title": "Management of security functions behavior - Restrict Administrator Functions", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_kdump_disabled", "logind_session_timeout", "use_pam_wheel_for_su"], "controls": []}, {"id": "FPT_ASLR_EXT.1", "levels": ["base"], "notes": "", "title": "Address Space Layout Randomization", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_vsyscall_argument"], "controls": []}, {"id": "FPT_TUD_EXT.1", "levels": ["base"], "notes": "", "title": "Trusted Update", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_globally_activated", "ensure_gpgcheck_local_packages", "package_dnf-automatic_installed", "ensure_gpgcheck_never_disabled", "package_dnf-plugin-subscription-manager_installed", "package_subscription-manager_installed", "ensure_redhat_gpgkey_installed"], "controls": []}, {"id": "FPT_TUD_EXT.2", "levels": ["base"], "notes": "", "title": "Trusted Update for Application Software", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_globally_activated", "ensure_gpgcheck_local_packages", "package_dnf-automatic_installed", "ensure_gpgcheck_never_disabled", "package_dnf-plugin-subscription-manager_installed", "package_subscription-manager_installed", "ensure_redhat_gpgkey_installed"], "controls": []}, {"id": "FPT_TST_EXT.1", "levels": ["base"], "notes": "", "title": "Boot Integrity", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["zipl_bls_entries_only", "zipl_bootmap_is_up_to_date"], "controls": []}, {"id": "FTA_SSL.1", "levels": ["base"], "notes": "", "title": "TSF-initiated session locking", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["logind_session_timeout", "var_logind_session_timeout=30_minutes"], "controls": []}, {"id": "FTA_TAB.1", "levels": ["base"], "notes": "", "title": "Default TOE access banners", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_warning_banner"], "controls": []}, {"id": "FTP_ITC_EXT.1", "levels": ["base"], "notes": "", "title": "Trusted channel communication", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed", "sshd_disable_gssapi_auth", "package_openssh-clients_installed", "sshd_disable_kerb_auth"], "controls": []}, {"id": "FTP_ITC_EXT.1.1", "levels": ["base"], "notes": "", "title": "Trusted channel communication - TLS", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed", "sshd_disable_gssapi_auth", "package_openssh-clients_installed", "sshd_disable_kerb_auth"], "controls": []}, {"id": "AVA_VAN.1", "levels": ["base"], "notes": "", "title": "Vulnerability Assessment", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["zipl_page_alloc_shuffle_argument", "grub2_init_on_alloc_argument", "grub2_page_alloc_shuffle_argument", "zipl_init_on_alloc_argument"], "controls": []}], "levels": [{"id": "base", "inherits_from": null}]}