{"id": "stig_ol9", "policy": "Oracle Linux 9 Security Technical Implementation Guide", "title": "Oracle Linux 9 Security Technical Implementation Guide", "source": "https://www.cyber.mil/stigs/downloads/", "definition_location": "/aptdata/openscap/scap-security-guide/controls/stig_ol9.yml", "controls": [{"id": "needed_rules", "levels": ["medium"], "notes": "", "title": null, "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_authselect", "var_authselect_profile=sssd"], "controls": []}, {"id": "OL09-00-000001", "levels": ["medium"], "notes": "", "title": "The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "OL09-00-000010", "levels": ["high"], "notes": "", "title": "OL 9 must be a vendor-supported release.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["installed_OS_is_vendor_supported"], "controls": []}, {"id": "OL09-00-000015", "levels": ["medium"], "notes": "", "title": "OL 9 vendor packaged system security patches and updates must be installed and up to date.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, 
"check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["security_patches_up_to_date"], "controls": []}, {"id": "OL09-00-000090", "levels": ["medium"], "notes": "", "title": "OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue", "login_banner_text=dod_default"], "controls": []}, {"id": "OL09-00-000020", "levels": ["medium"], "notes": "", "title": "The graphical display manager must not be the default target on OL 9 unless approved.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["xwindows_runlevel_target"], "controls": []}, {"id": "OL09-00-000360", "levels": ["low"], "notes": "", "title": "OL 9 must enable the hardware random number generator entropy gatherer service.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_rngd_enabled"], "rules": [], "controls": []}, {"id": "OL09-00-002400", "levels": ["medium"], "notes": "", "title": "OL 9 systemd-journald service must be enabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": 
[], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "OL09-00-002412", "levels": ["high"], "notes": "", "title": "The systemd Ctrl-Alt-Delete burst key sequence in OL 9 must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_ctrlaltdel_burstaction"], "controls": []}, {"id": "OL09-00-002413", "levels": ["high"], "notes": "", "title": "The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 9.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_ctrlaltdel_reboot"], "controls": []}, {"id": "OL09-00-002403", "levels": ["medium"], "notes": "", "title": "OL 9 debug-shell systemd service must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_debug-shell_disabled"], "controls": []}, {"id": "OL09-00-001115", "levels": ["medium"], "notes": "", "title": "OL 9 must require a boot loader superuser password.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password"], "controls": []}, {"id": "OL09-00-002392", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the ability of systemd to spawn an interactive boot process.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_disable_interactive_boot"], "controls": []}, {"id": "OL09-00-000050", "levels": ["high"], "notes": "", "title": "OL 9 must require a unique superusers name upon booting into single-user and maintenance modes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_admin_username"], "controls": []}, {"id": "OL09-00-002530", "levels": ["medium"], "notes": "", "title": "OL 9 /boot/grub2/grub.cfg file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_grub2_cfg"], "controls": []}, {"id": "OL09-00-002531", "levels": ["medium"], "notes": "", "title": "OL 9 /boot/grub2/grub.cfg file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_grub2_cfg"], "controls": []}, {"id": "OL09-00-002393", "levels": ["medium"], "notes": "", "title": "OL 9 must disable virtual system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["grub2_vsyscall_argument"], "controls": []}, {"id": "OL09-00-002394", "levels": ["medium"], "notes": "", "title": "OL 9 must clear the page allocator to prevent use-after-free attacks.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_page_poison_argument"], "controls": []}, {"id": "OL09-00-002390", "levels": ["medium"], "notes": "", "title": "OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_slub_debug_argument"], "controls": []}, {"id": "OL09-00-002391", "levels": ["low"], "notes": "", "title": "OL 9 must enable mitigations against processor-based vulnerabilities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_pti_argument"], "controls": []}, {"id": "OL09-00-000750", "levels": ["low"], "notes": "", "title": "OL 9 must enable auditing of processes that start prior to the audit daemon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument"], "controls": []}, {"id": "OL09-00-002406", "levels": ["medium"], "notes": "", "title": "OL 9 must 
restrict access to the kernel message buffer.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_dmesg_restrict"], "controls": []}, {"id": "OL09-00-002407", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent kernel profiling by nonprivileged users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_perf_event_paranoid"], "controls": []}, {"id": "OL09-00-002428", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent the loading of a new kernel for later execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_kexec_load_disabled"], "controls": []}, {"id": "OL09-00-002408", "levels": ["medium"], "notes": "", "title": "OL 9 must restrict exposed kernel pointer addresses access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_kptr_restrict"], "controls": []}, {"id": "OL09-00-002401", "levels": ["medium"], "notes": "", "title": "OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_protected_hardlinks"], "controls": []}, {"id": "OL09-00-002402", "levels": ["medium"], "notes": "", "title": "OL 9 must enable kernel parameters to enforce discretionary access control on symlinks.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_protected_symlinks"], "controls": []}, {"id": "OL09-00-002380", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the kernel.core_pattern.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_core_pattern"], "controls": []}, {"id": "OL09-00-000040", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_atm_disabled"], "controls": []}, {"id": "OL09-00-000041", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to disable the Controller Area Network kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["kernel_module_can_disabled"], "controls": []}, {"id": "OL09-00-000042", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to disable the FireWire kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_firewire-core_disabled"], "controls": []}, {"id": "OL09-00-000043", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "OL09-00-000044", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_tipc_disabled"], "controls": []}, {"id": "OL09-00-002423", "levels": ["medium"], "notes": "", "title": "OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "OL09-00-002409", 
"levels": ["medium"], "notes": "", "title": "OL 9 must disable access to network bpf system call from nonprivileged processes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_unprivileged_bpf_disabled"], "controls": []}, {"id": "OL09-00-002410", "levels": ["medium"], "notes": "", "title": "OL 9 must restrict usage of ptrace to descendant processes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_yama_ptrace_scope"], "controls": []}, {"id": "OL09-00-002381", "levels": ["medium"], "notes": "", "title": "OL 9 must disable core dump backtraces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_backtraces"], "controls": []}, {"id": "OL09-00-002382", "levels": ["medium"], "notes": "", "title": "OL 9 must disable storing core dumps.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_storage"], "controls": []}, {"id": "OL09-00-002383", "levels": ["medium"], "notes": "", "title": "OL 9 must disable core dumps for all users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_users_coredumps"], "controls": []}, {"id": "OL09-00-002384", "levels": ["medium"], "notes": "", "title": "OL 9 must disable acquiring, saving, and processing core dumps.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-coredump_disabled"], "controls": []}, {"id": "OL09-00-002370", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the use of user namespaces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_user_max_user_namespaces"], "controls": []}, {"id": "OL09-00-002385", "levels": ["medium"], "notes": "", "title": "The kdump service on OL 9 must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_kdump_disabled"], "controls": []}, {"id": "OL09-00-000499", "levels": ["medium"], "notes": "", "title": "OL 9 must ensure cryptographic verification of vendor software packages.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_oracle_gpgkey_installed"], "controls": []}, 
{"id": "OL09-00-000497", "levels": ["high"], "notes": "", "title": "OL 9 must check the GPG signature of software packages originating from external software repositories before installation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_globally_activated"], "controls": []}, {"id": "OL09-00-000496", "levels": ["high"], "notes": "", "title": "OL 9 must check the GPG signature of locally installed software packages before installation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_local_packages"], "controls": []}, {"id": "OL09-00-000498", "levels": ["high"], "notes": "", "title": "OL 9 must have GPG signature verification enabled for all software repositories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_never_disabled"], "controls": []}, {"id": "OL09-00-000495", "levels": ["low"], "notes": "", "title": "OL 9 must remove all software components after updated versions have been installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["clean_components_post_updating"], "controls": []}, {"id": "OL09-00-000130", "levels": ["high"], "notes": 
"", "title": "OL 9 must not have a File Transfer Protocol (FTP) server package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_vsftpd_removed"], "controls": []}, {"id": "OL09-00-000150", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the sendmail package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sendmail_removed"], "controls": []}, {"id": "OL09-00-000100", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the nfs-utils package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nfs-utils_removed"], "controls": []}, {"id": "OL09-00-000105", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the rsh-server package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsh-server_removed"], "controls": []}, {"id": "OL09-00-000110", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the telnet-server package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet-server_removed"], "controls": []}, {"id": "OL09-00-000115", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the gssproxy package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gssproxy_removed"], "controls": []}, {"id": "OL09-00-000120", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the iprutils package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_iprutils_removed"], "controls": []}, {"id": "OL09-00-000125", "levels": ["medium"], "notes": "", "title": "OL 9 must not have the tuned package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tuned_removed"], "controls": []}, {"id": "OL09-00-000135", "levels": ["high"], "notes": "", "title": "OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tftp-server_removed"], "controls": []}, {"id": "OL09-00-000140", "levels": 
["medium"], "notes": "", "title": "OL 9 must not have the quagga package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_quagga_removed"], "controls": []}, {"id": "OL09-00-000145", "levels": ["medium"], "notes": "", "title": "A graphical display manager must not be installed on OL 9 unless approved.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["xwindows_remove_packages"], "controls": []}, {"id": "OL09-00-000270", "levels": ["medium"], "notes": "", "title": "OL 9 must have the openssl-pkcs11 package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["install_smartcard_packages"], "controls": []}, {"id": "OL09-00-000285", "levels": ["medium"], "notes": "", "title": "OL 9 must have the SSSD package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sssd_installed"], "controls": []}, {"id": "OL09-00-000286", "levels": ["medium"], "notes": "", "title": "OL 9 must use the SSSD package for multifactor authentication services.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_sssd_enabled"], "controls": []}, {"id": "OL09-00-000430", "levels": ["medium"], "notes": "", "title": "OL 9 must have the gnutls-utils package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gnutls-utils_installed"], "controls": []}, {"id": "OL09-00-000380", "levels": ["medium"], "notes": "", "title": "OL 9 must have the nss-tools package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nss-tools_installed"], "controls": []}, {"id": "OL09-00-000370", "levels": ["medium"], "notes": "", "title": "OL 9 must have the rng-tools package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rng-tools_installed"], "controls": []}, {"id": "OL09-00-000290", "levels": ["medium"], "notes": "", "title": "OL 9 must have the s-nail package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_s-nail_installed"], "controls": []}, {"id": "OL09-00-000003", "levels": ["medium"], "notes": "", "title": "A 
separate OL 9 file system must be used for user home directories (such as /home or an equivalent).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_home"], "controls": []}, {"id": "OL09-00-000004", "levels": ["medium"], "notes": "", "title": "OL 9 must use a separate file system for /tmp.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp"], "controls": []}, {"id": "OL09-00-000005", "levels": ["low"], "notes": "", "title": "OL 9 must use a separate file system for /var.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var"], "controls": []}, {"id": "OL09-00-000006", "levels": ["low"], "notes": "", "title": "OL 9 must use a separate file system for /var/log.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log"], "controls": []}, {"id": "OL09-00-000002", "levels": ["low"], "notes": "", "title": "OL 9 must use a separate file system for the system audit data path.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit"], "controls": []}, {"id": "OL09-00-000007", "levels": ["medium"], "notes": "", "title": "OL 9 must use a separate file system for /var/tmp.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_tmp"], "controls": []}, {"id": "OL09-00-002000", "levels": ["medium"], "notes": "", "title": "OL 9 file system automount function must be disabled unless required.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_autofs_disabled"], "controls": []}, {"id": "OL09-00-002070", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent device files from being interpreted on file systems that contain user home directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nodev"], "controls": []}, {"id": "OL09-00-002071", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["mount_option_home_nosuid"], "controls": []}, {"id": "OL09-00-002072", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent code from being executed on file systems that contain user home directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_noexec"], "controls": []}, {"id": "OL09-00-002010", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_krb_sec_remote_filesystems"], "controls": []}, {"id": "OL09-00-002011", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nodev_remote_filesystems"], "controls": []}, {"id": "OL09-00-002012", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["mount_option_noexec_remote_filesystems"], "controls": []}, {"id": "OL09-00-002013", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nosuid_remote_filesystems"], "controls": []}, {"id": "OL09-00-002020", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent code from being executed on file systems that are used with removable media.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_noexec_removable_partitions"], "controls": []}, {"id": "OL09-00-002021", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent special devices on file systems that are used with removable media.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nodev_removable_partitions"], "controls": []}, {"id": "OL09-00-002022", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["mount_option_nosuid_removable_partitions"], "controls": []}, {"id": "OL09-00-002030", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /boot with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_boot_nodev"], "controls": []}, {"id": "OL09-00-002031", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_boot_nosuid"], "controls": []}, {"id": "OL09-00-002032", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_boot_efi_nosuid"], "controls": []}, {"id": "OL09-00-002040", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /dev/shm with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev"], "controls": []}, {"id": "OL09-00-002041", 
"levels": ["medium"], "notes": "", "title": "OL 9 must mount /dev/shm with the noexec option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec"], "controls": []}, {"id": "OL09-00-002042", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /dev/shm with the nosuid option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nosuid"], "controls": []}, {"id": "OL09-00-002050", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /tmp with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev"], "controls": []}, {"id": "OL09-00-002051", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /tmp with the noexec option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_noexec"], "controls": []}, {"id": "OL09-00-002052", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /tmp with the nosuid option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nosuid"], "controls": []}, {"id": "OL09-00-002060", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nodev"], "controls": []}, {"id": "OL09-00-002061", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nodev"], "controls": []}, {"id": "OL09-00-002062", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log with the noexec option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_noexec"], "controls": []}, {"id": "OL09-00-002063", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log with the nosuid option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nosuid"], "controls": []}, {"id": "OL09-00-002064", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log/audit with the nodev option.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nodev"], "controls": []}, {"id": "OL09-00-002065", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log/audit with the noexec option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_noexec"], "controls": []}, {"id": "OL09-00-002066", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/log/audit with the nosuid option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nosuid"], "controls": []}, {"id": "OL09-00-002067", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/tmp with the nodev option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nodev"], "controls": []}, {"id": "OL09-00-002068", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/tmp with the noexec option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_noexec"], "controls": []}, {"id": "OL09-00-002069", "levels": ["medium"], "notes": "", "title": "OL 9 must mount /var/tmp with the nosuid option.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nosuid"], "controls": []}, {"id": "OL09-00-002418", "levels": ["high"], "notes": "", "title": "OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["encrypt_partitions"], "controls": []}, {"id": "OL09-00-000045", "levels": ["low"], "notes": "", "title": "OL 9 must disable mounting of cramfs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_cramfs_disabled"], "controls": []}, {"id": "OL09-00-002080", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent special devices on non-root local partitions.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_nodev_nonroot_local_partitions"], "controls": []}, {"id": 
"OL09-00-002506", "levels": ["medium"], "notes": "", "title": "OL 9 system commands must have mode 755 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_binary_dirs"], "controls": []}, {"id": "OL09-00-002522", "levels": ["medium"], "notes": "", "title": "OL 9 library directories must have mode 755 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_permissions_library_dirs"], "controls": []}, {"id": "OL09-00-002525", "levels": ["medium"], "notes": "", "title": "OL 9 library files must have mode 755 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_library_dirs"], "controls": []}, {"id": "OL09-00-002562", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log directory must have mode 0755 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log"], "controls": []}, {"id": "OL09-00-002565", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log/messages file must have mode 0640 or less permissive.", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_messages"], "controls": []}, {"id": "OL09-00-002572", "levels": ["medium"], "notes": "", "title": "OL 9 audit tools must have a mode of 0755 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_audit_tools_permissions"], "controls": []}, {"id": "OL09-00-002580", "levels": ["medium"], "notes": "", "title": "OL 9 cron configuration directories must have a mode of 0700 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_d", "file_permissions_cron_hourly", "file_permissions_cron_monthly", "file_permissions_cron_daily", "file_permissions_cron_weekly"], "controls": []}, {"id": "OL09-00-002513", "levels": ["medium"], "notes": "", "title": "OL 9 local initialization files must have mode 0740 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permission_user_init_files"], "controls": []}, {"id": "OL09-00-002515", "levels": ["medium"], "notes": "", "title": "OL 9 local interactive user home directories must have mode 0750 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_home_directories"], "controls": []}, {"id": "OL09-00-002536", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_group"], "controls": []}, {"id": "OL09-00-002537", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_group"], "controls": []}, {"id": "OL09-00-002542", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_gshadow"], "controls": []}, {"id": "OL09-00-002543", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_gshadow"], "controls": []}, {"id": "OL09-00-002548", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_passwd"], "controls": []}, {"id": "OL09-00-002549", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_passwd"], "controls": []}, {"id": "OL09-00-002554", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_shadow"], "controls": []}, {"id": "OL09-00-002534", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["file_owner_etc_group"], "controls": []}, {"id": "OL09-00-002532", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_group"], "controls": []}, {"id": "OL09-00-002535", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group- file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_group"], "controls": []}, {"id": "OL09-00-002533", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/group- file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_group"], "controls": []}, {"id": "OL09-00-002540", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_gshadow"], "controls": []}, {"id": "OL09-00-002538", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow file must be group-owned by root.", "description": null, "rationale": 
null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_gshadow"], "controls": []}, {"id": "OL09-00-002541", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow- file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_gshadow"], "controls": []}, {"id": "OL09-00-002539", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/gshadow- file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_gshadow"], "controls": []}, {"id": "OL09-00-002546", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_passwd"], "controls": []}, {"id": "OL09-00-002544", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["file_groupowner_etc_passwd"], "controls": []}, {"id": "OL09-00-002547", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd- file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_passwd"], "controls": []}, {"id": "OL09-00-002545", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/passwd- file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_passwd"], "controls": []}, {"id": "OL09-00-002552", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_shadow"], "controls": []}, {"id": "OL09-00-002550", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_shadow"], "controls": []}, {"id": "OL09-00-002553", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow- file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_shadow"], "controls": []}, {"id": "OL09-00-002551", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow- file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_shadow"], "controls": []}, {"id": "OL09-00-002561", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log directory must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_var_log"], "controls": []}, {"id": "OL09-00-002560", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log directory must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_var_log"], "controls": []}, {"id": "OL09-00-002564", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log/messages file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_var_log_messages"], "controls": []}, {"id": 
"OL09-00-002563", "levels": ["medium"], "notes": "", "title": "OL 9 /var/log/messages file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_var_log_messages"], "controls": []}, {"id": "OL09-00-002505", "levels": ["medium"], "notes": "", "title": "OL 9 system commands must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_binary_dirs"], "controls": []}, {"id": "OL09-00-002504", "levels": ["medium"], "notes": "", "title": "OL 9 system commands must be group-owned by root or a system account.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_system_commands_dirs"], "controls": []}, {"id": "OL09-00-002524", "levels": ["medium"], "notes": "", "title": "OL 9 library files must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_library_dirs"], "controls": []}, {"id": "OL09-00-002523", "levels": ["medium"], "notes": "", "title": "OL 9 library files must be group-owned by root or a system account.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["root_permissions_syslibrary_files"], "controls": []}, {"id": "OL09-00-002521", "levels": ["medium"], "notes": "", "title": "OL 9 library directories must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_ownership_library_dirs"], "controls": []}, {"id": "OL09-00-002520", "levels": ["medium"], "notes": "", "title": "OL 9 library directories must be group-owned by root or a system account.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_group_ownership_library_dirs"], "controls": []}, {"id": "OL09-00-002571", "levels": ["medium"], "notes": "", "title": "OL 9 audit tools must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_audit_tools_ownership"], "controls": []}, {"id": "OL09-00-002570", "levels": ["medium"], "notes": "", "title": "OL 9 audit tools must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_audit_tools_group_ownership"], 
"controls": []}, {"id": "OL09-00-002582", "levels": ["medium"], "notes": "", "title": "OL 9 cron configuration files directory must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_crontab", "file_owner_cron_weekly", "file_owner_cron_d", "file_owner_cron_monthly", "file_owner_cron_deny", "file_owner_cron_hourly", "file_owner_cron_daily"], "controls": []}, {"id": "OL09-00-002581", "levels": ["medium"], "notes": "", "title": "OL 9 cron configuration files directory must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_crontab", "file_groupowner_cron_daily", "file_groupowner_cron_d", "file_groupowner_cron_weekly", "file_groupowner_cron_hourly", "file_groupowner_cron_monthly", "file_groupowner_cron_deny"], "controls": []}, {"id": "OL09-00-002516", "levels": ["medium"], "notes": "", "title": "OL 9 world-writable directories must be owned by root, sys, bin, or an application user.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_perms_world_writable_root_owned"], "controls": []}, {"id": "OL09-00-002510", "levels": ["medium"], "notes": "", "title": "A sticky bit must be set on all OL 9 public directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dir_perms_world_writable_sticky_bits"], "controls": []}, {"id": "OL09-00-002511", "levels": ["medium"], "notes": "", "title": "OL 9 local files and directories must have a valid group owner.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_ungroupowned"], "controls": []}, {"id": "OL09-00-002512", "levels": ["medium"], "notes": "", "title": "OL 9 local files and directories must have a valid owner.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_unowned_by_user"], "controls": []}, {"id": "OL09-00-002500", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_all_devicefiles_labeled"], "controls": []}, {"id": "OL09-00-002583", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/crontab file must have mode 0600.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["file_permissions_crontab"], "controls": []}, {"id": "OL09-00-002555", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_shadow"], "controls": []}, {"id": "OL09-00-000220", "levels": ["medium"], "notes": "", "title": "OL 9 must have the firewalld package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed"], "controls": []}, {"id": "OL09-00-000221", "levels": ["medium"], "notes": "", "title": "The firewalld service on OL 9 must be active.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_firewalld_enabled"], "controls": []}, {"id": "OL09-00-000224", "levels": ["medium"], "notes": "", "title": "An OL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configured_firewalld_default_deny"], "controls": []}, {"id": "OL09-00-000223", "levels": ["medium"], "notes": "", "title": "OL 9 must control remote access methods.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_firewalld_ports"], "controls": []}, {"id": "OL09-00-006000", "levels": ["medium"], "notes": "", "title": "OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["firewalld-backend"], "controls": []}, {"id": "OL09-00-000222", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_firewalld_ports"], "controls": []}, {"id": "OL09-00-006004", "levels": ["medium"], "notes": "", "title": "OL 9 network interfaces must not be in promiscuous mode.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["network_sniffer_disabled"], "controls": []}, {"id": "OL09-00-002430", "levels": ["medium"], "notes": "", "title": "OL 9 must 
enable hardening for the Berkeley Packet Filter just-in-time compiler.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_core_bpf_jit_harden"], "controls": []}, {"id": "OL09-00-000310", "levels": ["medium"], "notes": "", "title": "OL 9 must have the chrony package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_chrony_installed"], "controls": []}, {"id": "OL09-00-000311", "levels": ["medium"], "notes": "", "title": "OL 9 chronyd service must be enabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_chronyd_enabled"], "controls": []}, {"id": "OL09-00-002323", "levels": ["medium"], "notes": "", "title": "OL 9 must securely compare internal information system clocks at least every 24 hours.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_or_ntpd_set_maxpoll", "chronyd_server_directive", "var_multiple_time_servers=stig", "var_time_service_set_maxpoll=18_hours"], "controls": []}, {"id": "OL09-00-002320", "levels": ["low"], "notes": "", "title": "OL 9 must disable the chrony daemon from acting as a server.", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_client_only"], "controls": []}, {"id": "OL09-00-002321", "levels": ["low"], "notes": "", "title": "OL 9 must disable network management of the chrony daemon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_no_chronyc_network"], "controls": []}, {"id": "OL09-00-006003", "levels": ["medium"], "notes": "", "title": "OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["network_configure_name_resolution"], "controls": []}, {"id": "OL09-00-006002", "levels": ["medium"], "notes": "", "title": "OL 9 must configure a DNS processing mode set by Network Manager.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["networkmanager_dns_mode", "var_networkmanager_dns_mode=none"], "controls": []}, {"id": "OL09-00-006010", "levels": ["medium"], "notes": "", "title": "OL 9 must not have unauthorized IP tunnels configured.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["libreswan_approved_tunnels"], "controls": []}, {"id": "OL09-00-002425", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to prevent unrestricted mail relaying.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_prevent_unrestricted_relay"], "controls": []}, {"id": "OL09-00-002426", "levels": ["medium"], "notes": "", "title": "If the Trivial File Transfer Protocol (TFTP) server is required, OL 9 TFTP daemon must be configured to operate in secure mode.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["tftp_uses_secure_mode_systemd"], "controls": []}, {"id": "OL09-00-000815", "levels": ["medium"], "notes": "", "title": "OL 9 must forward mail from postmaster to the root account using a postfix alias.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_client_configure_mail_alias_postmaster"], "controls": []}, {"id": "OL09-00-000410", "levels": ["medium"], "notes": "", "title": "OL 9 libreswan package must be installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["package_libreswan_installed"], "controls": []}, {"id": "OL09-00-002419", "levels": ["high"], "notes": "", "title": "There must be no shosts.equiv files on OL 9.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_host_based_files"], "controls": []}, {"id": "OL09-00-002420", "levels": ["high"], "notes": "", "title": "There must be no .shosts files on OL 9.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_user_host_based_files"], "controls": []}, {"id": "OL09-00-006050", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to use TCP syncookies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies"], "controls": []}, {"id": "OL09-00-006020", "levels": ["medium"], "notes": "", "title": "OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_accept_redirects"], "controls": []}, {"id": "OL09-00-006021", "levels": ["medium"], "notes": "", "title": "OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_accept_source_route"], "controls": []}, {"id": "OL09-00-006022", "levels": ["medium"], "notes": "", "title": "OL 9 must log IPv4 packets with impossible addresses.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_log_martians"], "controls": []}, {"id": "OL09-00-006023", "levels": ["medium"], "notes": "", "title": "OL 9 must log IPv4 packets with impossible addresses by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_log_martians"], "controls": []}, {"id": "OL09-00-006024", "levels": ["medium"], "notes": "", "title": "OL 9 must use reverse path filtering on all IPv4 interfaces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_rp_filter"], "controls": []}, {"id": "OL09-00-006025", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_redirects"], "controls": []}, {"id": "OL09-00-006026", "levels": ["medium"], "notes": "", "title": "OL 9 must not forward IPv4 source-routed packets by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_source_route"], "controls": []}, {"id": "OL09-00-006027", "levels": ["medium"], "notes": "", "title": "OL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_rp_filter"], "controls": []}, {"id": "OL09-00-006030", "levels": ["medium"], "notes": "", "title": "OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts"], "controls": []}, {"id": "OL09-00-006031", "levels": ["medium"], "notes": "", "title": "OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses"], "controls": []}, {"id": "OL09-00-006032", "levels": ["medium"], "notes": "", "title": "OL 9 must not send Internet Control Message Protocol (ICMP) redirects.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects"], "controls": []}, {"id": "OL09-00-006033", "levels": ["medium"], "notes": "", "title": "OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "OL09-00-006028", "levels": ["medium"], "notes": "", "title": "OL 9 must not enable IPv4 packet forwarding unless the system is a router.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_forwarding"], "controls": []}, {"id": "OL09-00-006040", "levels": ["medium"], "notes": "", "title": "OL 9 must not accept router advertisements on all IPv6 interfaces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_ra"], "controls": []}, {"id": "OL09-00-006041", "levels": ["medium"], "notes": "", "title": "OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_redirects"], "controls": []}, {"id": "OL09-00-006042", "levels": ["medium"], "notes": "", "title": "OL 9 must not forward IPv6 source-routed packets.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_source_route"], "controls": []}, {"id": "OL09-00-006043", "levels": ["medium"], "notes": "", "title": "OL 9 must not enable IPv6 packet forwarding unless the system is a router.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_forwarding"], "controls": []}, {"id": "OL09-00-006044", "levels": ["medium"], "notes": "", "title": "OL 9 must not accept router advertisements on all IPv6 interfaces by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_ra"], 
"controls": []}, {"id": "OL09-00-006045", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_redirects"], "controls": []}, {"id": "OL09-00-006046", "levels": ["medium"], "notes": "", "title": "OL 9 must not forward IPv6 source-routed packets by default.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_source_route"], "controls": []}, {"id": "OL09-00-000250", "levels": ["medium"], "notes": "", "title": "OL 9 networked systems must have SSH installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-server_installed"], "controls": []}, {"id": "OL09-00-000251", "levels": ["medium"], "notes": "", "title": "OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_sshd_enabled"], 
"controls": []}, {"id": "OL09-00-000260", "levels": ["medium"], "notes": "", "title": "OL 9 must have the openssh-clients package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openssh-clients_installed"], "controls": []}, {"id": "OL09-00-000256", "levels": ["medium"], "notes": "", "title": "OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_warning_banner"], "controls": []}, {"id": "OL09-00-002340", "levels": ["medium"], "notes": "", "title": "OL 9 must log SSH connection attempts and failures to the server.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_loglevel_verbose"], "controls": []}, {"id": "OL09-00-002355", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_compression", "var_sshd_disable_compression=no"], "controls": []}, {"id": "OL09-00-002359", 
"levels": ["medium"], "notes": "", "title": "OL 9 SSHD must accept public key authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pubkey_auth"], "controls": []}, {"id": "OL09-00-002343", "levels": ["high"], "notes": "", "title": "OL 9 SSHD must not allow blank passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "OL09-00-002345", "levels": ["medium"], "notes": "", "title": "OL 9 must not permit direct logons to the root account using remote access via SSH.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "OL09-00-002344", "levels": ["high"], "notes": "", "title": "OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "OL09-00-000261", "levels": ["medium"], "notes": "", "title": "OL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["harden_sshd_ciphers_openssh_conf_crypto_policy", "sshd_approved_ciphers=stig_ol9"], "controls": []}, {"id": "OL09-00-000252", "levels": ["medium"], "notes": "", "title": "The OL 9 SSH daemon must be configured to use systemwide cryptographic policies.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_sshd_50_redhat_exists", "sshd_include_crypto_policy"], "controls": []}, {"id": "OL09-00-000254", "levels": ["medium"], "notes": "", "title": "OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["harden_sshd_ciphers_opensshserver_conf_crypto_policy", "sshd_approved_ciphers=stig_ol9"], "controls": []}, {"id": "OL09-00-000262", "levels": ["medium"], "notes": "", "title": "OL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["harden_sshd_macs_openssh_conf_crypto_policy", "sshd_strong_macs=stig_ol9"], 
"controls": []}, {"id": "OL09-00-000255", "levels": ["medium"], "notes": "", "title": "OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["harden_sshd_macs_opensshserver_conf_crypto_policy", "sshd_approved_macs=stig_ol9"], "controls": []}, {"id": "OL09-00-002357", "levels": ["medium"], "notes": "", "title": "OL 9 must not allow a noncertificate trusted host SSH logon to the system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": []}, {"id": "OL09-00-002358", "levels": ["medium"], "notes": "", "title": "OL 9 must not allow users to override SSH environment variables.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "OL09-00-002342", "levels": ["medium"], "notes": "", "title": "OL 9 must force a frequent session key renegotiation for SSH connections to the server.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_rekey_limit", "var_rekey_limit_size=1G", 
"var_rekey_limit_time=1hour"], "controls": []}, {"id": "OL09-00-002346", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_keepalive", "var_sshd_set_keepalive=1"], "controls": []}, {"id": "OL09-00-002347", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_idle_timeout", "sshd_idle_timeout_value=10_minutes"], "controls": []}, {"id": "OL09-00-002507", "levels": ["medium"], "notes": "", "title": "OL 9 SSH server configuration file must be group-owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_sshd_config"], "controls": []}, {"id": "OL09-00-002508", "levels": ["medium"], "notes": "", "title": "OL 9 SSH server configuration file must be owned by root.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["file_owner_sshd_config"], "controls": []}, {"id": "OL09-00-002509", "levels": ["medium"], "notes": "", "title": "OL 9 SSH server configuration file must have mode 0600 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_config"], "controls": []}, {"id": "OL09-00-002502", "levels": ["medium"], "notes": "", "title": "OL 9 SSH private host key files must have mode 0640 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_private_key"], "controls": []}, {"id": "OL09-00-002503", "levels": ["medium"], "notes": "", "title": "OL 9 SSH public host key files must have mode 0644 or less permissive.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_pub_key"], "controls": []}, {"id": "OL09-00-002341", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must not allow GSSAPI authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_gssapi_auth"], "controls": []}, {"id": "OL09-00-002356", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must not allow Kerberos 
authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_kerb_auth"], "controls": []}, {"id": "OL09-00-002348", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must not allow rhosts authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": "OL09-00-002349", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must not allow known hosts authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_user_known_hosts"], "controls": []}, {"id": "OL09-00-002350", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must disable remote X connections for interactive users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_x11_forwarding"], "controls": []}, {"id": "OL09-00-002351", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must perform strict mode checking of home directory configuration files.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_strictmodes"], "controls": []}, {"id": "OL09-00-002352", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_print_last_log"], "controls": []}, {"id": "OL09-00-002354", "levels": ["medium"], "notes": "", "title": "OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_x11_use_localhost"], "controls": []}, {"id": "OL09-00-002150", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_banner_enabled"], "controls": []}, {"id": "OL09-00-002151", "levels": ["medium"], "notes": "", "title": "OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_login_banner_text", "login_banner_text=dod_default"], "controls": []}, {"id": "OL09-00-002122", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_banner_enabled"], "controls": []}, {"id": "OL09-00-002100", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the graphical user interface automount function unless required.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount_open"], "controls": []}, {"id": "OL09-00-002120", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount_open"], "controls": []}, {"id": "OL09-00-002101", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the graphical user interface autorun function unless required.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "OL09-00-002121", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "OL09-00-002161", "levels": ["high"], "notes": "", "title": "OL 9 must not allow unattended or automatic logon via the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gnome_gdm_disable_automatic_login"], "controls": []}, {"id": "OL09-00-002160", "levels": ["medium"], "notes": "", "title": "OL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_lock_screen_on_smartcard_removal"], "controls": []}, {"id": "OL09-00-002126", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_lock_screen_on_smartcard_removal"], "controls": []}, {"id": "OL09-00-002123", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_enabled"], "controls": []}, {"id": "OL09-00-002104", "levels": ["medium"], "notes": "", "title": "OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_idle_delay"], "controls": []}, {"id": "OL09-00-002124", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_session_idle_user_locks"], "controls": []}, {"id": "OL09-00-002103", "levels": ["medium"], "notes": "", "title": "OL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_delay", "var_screensaver_lock_delay=5_seconds"], "controls": []}, {"id": "OL09-00-002125", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_user_locks"], "controls": []}, {"id": "OL09-00-002106", "levels": ["medium"], "notes": "", "title": "OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_mode_blank"], "controls": []}, {"id": "OL09-00-002162", "levels": ["medium"], "notes": "", "title": "OL 9 effective dconf policy must match the policy keyfiles.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_db_up_to_date"], "controls": []}, {"id": "OL09-00-002127", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the ability of a user to restart the system from the login screen.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_restart_shutdown"], "controls": []}, {"id": "OL09-00-002128", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_restart_shutdown"], "controls": []}, {"id": "OL09-00-002107", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_ctrlaltdel_reboot"], "controls": []}, {"id": "OL09-00-002129", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_ctrlaltdel_reboot"], "controls": []}, {"id": "OL09-00-002102", "levels": ["medium"], "notes": "", "title": "OL 9 must disable the user list at logon for graphical user interfaces.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_user_list"], "controls": []}, {"id": "OL09-00-000047", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to disable USB mass storage.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "OL09-00-000320", "levels": ["medium"], "notes": "", "title": "OL 9 must have the USBGuard package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_usbguard_installed"], "controls": []}, {"id": "OL09-00-000321", "levels": ["medium"], "notes": "", "title": "OL 9 must have the USBGuard package enabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_usbguard_enabled"], "controls": []}, {"id": "OL09-00-002330", "levels": ["low"], "notes": "", "title": "OL 9 must enable Linux audit logging for the USBGuard daemon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_usbguard_auditbackend"], "controls": []}, {"id": 
"OL09-00-002331", "levels": ["medium"], "notes": "", "title": "OL 9 must block unauthorized peripherals before establishing a connection.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["usbguard_generate_policy"], "controls": []}, {"id": "OL09-00-002332", "levels": ["medium"], "notes": "", "title": "OL 9 must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "OL09-00-000046", "levels": ["medium"], "notes": "", "title": "OL 9 Bluetooth must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_bluetooth_disabled"], "controls": []}, {"id": "OL09-00-006001", "levels": ["medium"], "notes": "", "title": "OL 9 wireless network adapters must be disabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "OL09-00-001090", "levels": ["medium"], "notes": "", "title": "OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow.", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_set_min_life_existing", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "OL09-00-001095", "levels": ["medium"], "notes": "", "title": "OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs"], "controls": []}, {"id": "OL09-00-001100", "levels": ["medium"], "notes": "", "title": "OL 9 user account passwords must have a 60-day maximum password lifetime restriction.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=60"], "controls": []}, {"id": "OL09-00-003052", "levels": ["medium"], "notes": "", "title": "OL 9 local interactive user accounts must be assigned a home directory upon creation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_have_homedir_login_defs"], "controls": []}, {"id": "OL09-00-003060", "levels": ["medium"], "notes": "", "title": "OL 9 must set the umask value to 077 for all local interactive 
user accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_interactive_users", "var_accounts_user_umask=077"], "controls": []}, {"id": "OL09-00-003001", "levels": ["medium"], "notes": "", "title": "OL 9 duplicate User IDs (UIDs) must not exist for interactive users.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "OL09-00-003051", "levels": ["medium"], "notes": "", "title": "OL 9 system accounts must not have an interactive login shell.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "OL09-00-003030", "levels": ["medium"], "notes": "", "title": "OL 9 must automatically expire temporary accounts within 72 hours.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_temp_expire_date"], "controls": []}, {"id": "OL09-00-003005", "levels": ["medium"], "notes": "", "title": "OL 9 interactive users must have a primary group that exists.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gid_passwd_group_same"], "controls": []}, {"id": "OL09-00-003065", "levels": ["medium"], "notes": "", "title": "OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_disable_post_pw_expiration", "var_account_disable_post_pw_expiration=35"], "controls": []}, {"id": "OL09-00-003053", "levels": ["medium"], "notes": "", "title": "Executable search paths within the initialization files of all local interactive OL 9 users must only contain paths that resolve to the system default or the users home directory.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_home_paths_only"], "controls": []}, {"id": "OL09-00-003002", "levels": ["medium"], "notes": "", "title": "OL 9 local interactive users must have a home directory assigned in the /etc/passwd file.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_interactive_home_directory_defined"], "controls": []}, {"id": "OL09-00-003050", "levels": ["medium"], "notes": "", "title": "OL 9 local interactive user home directories defined in the /etc/passwd file must exist.", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_interactive_home_directory_exists"], "controls": []}, {"id": "OL09-00-002514", "levels": ["medium"], "notes": "", "title": "OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_home_directories"], "controls": []}, {"id": "OL09-00-003020", "levels": ["medium"], "notes": "", "title": "OL 9 must automatically lock an account when three unsuccessful logon attempts occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "var_accounts_passwords_pam_faillock_deny=3"], "controls": []}, {"id": "OL09-00-003021", "levels": ["medium"], "notes": "", "title": "OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny_root"], "controls": []}, {"id": "OL09-00-002416", "levels": ["medium"], "notes": "", "title": "OL 9 must 
automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_interval", "var_accounts_passwords_pam_faillock_fail_interval=900"], "controls": []}, {"id": "OL09-00-002417", "levels": ["medium"], "notes": "", "title": "OL 9 must maintain an account lock until the locked account is released by an administrator.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_unlock_time=never"], "controls": []}, {"id": "OL09-00-002501", "levels": ["medium"], "notes": "", "title": "OL 9 must not have unauthorized accounts.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_authorized_local_users", "var_accounts_authorized_local_users_regex=ol9"], "controls": []}, {"id": "OL09-00-003000", "levels": ["high"], "notes": "", "title": "The root account must be the only account having unrestricted access to OL 9 system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero"], "controls": 
[]}, {"id": "OL09-00-003023", "levels": ["medium"], "notes": "", "title": "OL 9 must ensure account lockouts persist.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_dir"], "controls": []}, {"id": "OL09-00-003006", "levels": ["medium"], "notes": "", "title": "OL 9 groups must have unique Group ID (GID).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "OL09-00-002422", "levels": ["medium"], "notes": "", "title": "OL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_exec_shield"], "controls": []}, {"id": "OL09-00-002427", "levels": ["medium"], "notes": "", "title": "Local OL 9 initialization files must not execute world-writable programs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_user_dot_no_world_writable_programs"], "controls": []}, {"id": "OL09-00-002411", "levels": ["medium"], "notes": "", "title": "OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "OL09-00-002415", "levels": ["low"], "notes": "", "title": "OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_max_concurrent_login_sessions", "var_accounts_max_concurrent_login_sessions=10"], "controls": []}, {"id": "OL09-00-003022", "levels": ["medium"], "notes": "", "title": "OL 9 must log username information when unsuccessful logon attempts occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_audit"], "controls": []}, {"id": "OL09-00-003070", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_logon_fail_delay", "var_accounts_fail_delay=4"], "controls": []}, {"id": "OL09-00-002301", "levels": ["medium"], "notes": "", "title": "OL 9 must define default permissions for the bash shell.", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_bashrc"], "controls": []}, {"id": "OL09-00-002302", "levels": ["medium"], "notes": "", "title": "OL 9 must define default permissions for the c shell.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_csh_cshrc"], "controls": []}, {"id": "OL09-00-002304", "levels": ["medium"], "notes": "", "title": "OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_login_defs"], "controls": []}, {"id": "OL09-00-002303", "levels": ["medium"], "notes": "", "title": "OL 9 must define default permissions for the system default profile.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_profile"], "controls": []}, {"id": "OL09-00-000060", "levels": ["high"], "notes": "", "title": "OL 9 must use a Linux Security Module configured to enforce limits on system services.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_state", "var_selinux_state=enforcing"], "controls": []}, {"id": "OL09-00-000065", "levels": ["medium"], "notes": "", "title": "OL 9 must enable the SELinux targeted policy.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "OL09-00-003010", "levels": ["medium"], "notes": "", "title": "OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_password_selinux_faillock_dir"], "controls": []}, {"id": "OL09-00-000200", "levels": ["medium"], "notes": "", "title": "OL 9 must have policycoreutils package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_policycoreutils_installed"], "controls": []}, {"id": "OL09-00-000210", "levels": ["medium"], "notes": "", "title": "OL 9 policycoreutils-python-utils package must be installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["package_policycoreutils-python-utils_installed"], "controls": []}, {"id": "OL09-00-000230", "levels": ["medium"], "notes": "", "title": "OL 9 must have the sudo package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "OL09-00-002360", "levels": ["medium"], "notes": "", "title": "OL 9 must require reauthentication when using the \"sudo\" command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_reauthentication", "var_sudo_timestamp_timeout=always_prompt"], "controls": []}, {"id": "OL09-00-000231", "levels": ["medium"], "notes": "", "title": "OL 9 must use the invoking user's password for privilege escalation when using \"sudo\".", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudoers_validate_passwd"], "controls": []}, {"id": "OL09-00-002362", "levels": ["medium"], "notes": "", "title": "OL 9 must require users to reauthenticate for privilege escalation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_no_authenticate"], "controls": []}, {"id": "OL09-00-000232", "levels": 
["medium"], "notes": "", "title": "OL 9 must restrict privilege elevation to authorized personnel.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_restrict_privilege_elevation_to_authorized"], "controls": []}, {"id": "OL09-00-002361", "levels": ["medium"], "notes": "", "title": "OL 9 must restrict the use of the \"su\" command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["use_pam_wheel_for_su"], "controls": []}, {"id": "OL09-00-000340", "levels": ["medium"], "notes": "", "title": "OL 9 fapolicy module must be installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_fapolicyd_installed"], "controls": []}, {"id": "OL09-00-000341", "levels": ["medium"], "notes": "", "title": "OL 9 fapolicy module must be enabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_fapolicyd_enabled"], "controls": []}, {"id": "OL09-00-001001", "levels": ["medium"], "notes": "", "title": "OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwquality_retry", "var_password_pam_retry=3"], "controls": []}, {"id": "OL09-00-001110", "levels": ["high"], "notes": "", "title": "OL 9 must not allow blank or null passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords"], "controls": []}, {"id": "OL09-00-003011", "levels": ["medium"], "notes": "", "title": "OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_password_pam_faillock_system_auth"], "controls": []}, {"id": "OL09-00-003012", "levels": ["medium"], "notes": "", "title": "OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_password_pam_faillock_password_auth"], "controls": []}, {"id": "OL09-00-001010", "levels": ["medium"], "notes": "", "title": "OL 9 must ensure the password complexity module is enabled in the password-auth file.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwquality_password_auth"], "controls": []}, {"id": "OL09-00-001000", "levels": ["medium"], "notes": "", "title": "OL 9 must ensure the password complexity module is enabled in the system-auth file.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwquality_system_auth"], "controls": []}, {"id": "OL09-00-001065", "levels": ["medium"], "notes": "", "title": "OL 9 password-auth must be configured to use a sufficient number of hashing rounds.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_rounds_password_auth", "var_password_pam_unix_rounds=100000"], "controls": []}, {"id": "OL09-00-001070", "levels": ["medium"], "notes": "", "title": "OL 9 system-auth must be configured to use a sufficient number of hashing rounds.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_rounds_system_auth"], "controls": []}, {"id": "OL09-00-001045", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce password complexity rules for the root account.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_enforce_root"], "controls": []}, {"id": "OL09-00-001015", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce password complexity by requiring that at least one lowercase character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_lcredit", "var_password_pam_lcredit=1"], "controls": []}, {"id": "OL09-00-001020", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce password complexity by requiring that at least one numeric character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dcredit", "var_password_pam_dcredit=1"], "controls": []}, {"id": "OL09-00-001085", "levels": ["medium"], "notes": "", "title": "OL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_minimum_age_login_defs", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "OL09-00-002363", "levels": ["medium"], "notes": "", "title": "OL 9 must require users to provide a password for privilege escalation.", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_nopasswd"], "controls": []}, {"id": "OL09-00-001105", "levels": ["medium"], "notes": "", "title": "OL 9 passwords must be created with a minimum of 15 characters.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minlen", "var_password_pam_minlen=15"], "controls": []}, {"id": "OL09-00-001120", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce password complexity by requiring that at least one special character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_ocredit", "var_password_pam_ocredit=1"], "controls": []}, {"id": "OL09-00-001125", "levels": ["medium"], "notes": "", "title": "OL 9 must prevent the use of dictionary words for passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "var_password_pam_dictcheck=1"], "controls": []}, {"id": "OL09-00-001005", "levels": ["medium"], "notes": "", "title": "OL 9 must enforce password complexity by requiring that at least one uppercase character be used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_ucredit", "var_password_pam_ucredit=1"], "controls": []}, {"id": "OL09-00-001025", "levels": ["medium"], "notes": "", "title": "OL 9 must require the change of at least eight characters when passwords are changed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_difok", "var_password_pam_difok=8"], "controls": []}, {"id": "OL09-00-001030", "levels": ["medium"], "notes": "", "title": "OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxclassrepeat", "var_password_pam_maxclassrepeat=4"], "controls": []}, {"id": "OL09-00-001035", "levels": ["medium"], "notes": "", "title": "OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxrepeat", "var_password_pam_maxrepeat=3"], "controls": []}, {"id": "OL09-00-001040", "levels": ["medium"], "notes": "", "title": "OL 9 must require the change of at least four character classes when passwords 
are changed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minclass", "var_password_pam_minclass=4"], "controls": []}, {"id": "OL09-00-001050", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_libuserconf", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "OL09-00-001055", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to use the shadow file to store only encrypted representations of passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_logindefs", "var_password_hashing_algorithm=SHA512"], "controls": []}, {"id": "OL09-00-002364", "levels": ["medium"], "notes": "", "title": "OL 9 must not be configured to bypass password requirements for privilege escalation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disallow_bypass_password_sudo"], "controls": []}, {"id": 
"OL09-00-001075", "levels": ["medium"], "notes": "", "title": "OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_min_rounds_logindefs", "var_password_hashing_min_rounds_login_defs=100000"], "controls": []}, {"id": "OL09-00-001130", "levels": ["medium"], "notes": "", "title": "OL 9 must not have accounts configured with blank or null passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords_etc_shadow"], "controls": []}, {"id": "OL09-00-000940", "levels": ["medium"], "notes": "", "title": "OL 9 must use the CAC smart card driver.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_opensc_card_drivers", "var_smartcard_drivers=cac"], "controls": []}, {"id": "OL09-00-000925", "levels": ["medium"], "notes": "", "title": "OL 9 must enable certificate based smart card authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_enable_smartcards"], "controls": []}, {"id": "OL09-00-000930", "levels": ["medium"], "notes": "", "title": "OL 9 must implement 
certificate status checking for multifactor authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_certificate_verification", "var_sssd_certificate_verification_digest_function=sha512"], "controls": []}, {"id": "OL09-00-000390", "levels": ["medium"], "notes": "", "title": "OL 9 must have the pcsc-lite package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pcsc-lite_installed"], "controls": []}, {"id": "OL09-00-000401", "levels": ["medium"], "notes": "", "title": "The pcscd service on OL 9 must be active.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_pcscd_enabled"], "controls": []}, {"id": "OL09-00-000400", "levels": ["medium"], "notes": "", "title": "OL 9 must have the opensc package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_opensc_installed"], "controls": []}, {"id": "OL09-00-000905", "levels": ["medium"], "notes": "", "title": "OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ssh_keys_passphrase_protected"], "controls": []}, {"id": "OL09-00-000025", "levels": ["medium"], "notes": "", "title": "OL 9 must require authentication to access emergency mode.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_emergency_target_auth"], "controls": []}, {"id": "OL09-00-000030", "levels": ["medium"], "notes": "", "title": "OL 9 must require authentication to access single-user mode.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth"], "controls": []}, {"id": "OL09-00-000900", "levels": ["medium"], "notes": "", "title": "OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_has_trust_anchor"], "controls": []}, {"id": "OL09-00-000910", "levels": ["medium"], "notes": "", "title": "OL 9 must map the authenticated identity to the user or group account for PKI-based authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_enable_certmap"], "controls": []}, {"id": "OL09-00-000935", "levels": ["medium"], "notes": "", "title": "OL 9 must prohibit the use of cached authenticators after one day.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sssd_offline_cred_expiration"], "controls": []}, {"id": "OL09-00-000300", "levels": ["medium"], "notes": "", "title": "OL 9 must have the AIDE package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "OL09-00-000301", "levels": ["medium"], "notes": "", "title": "OL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_scan_notification", "aide_periodic_cron_checking"], "controls": []}, {"id": "OL09-00-000302", "levels": ["medium"], "notes": "", "title": "OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_use_fips_hashes"], "controls": []}, {"id": "OL09-00-000710", "levels": ["medium"], "notes": "", "title": "OL 9 must use cryptographic mechanisms to protect the integrity of audit tools.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_check_audit_tools"], "controls": []}, {"id": "OL09-00-000303", "levels": ["low"], "notes": "", "title": "OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_verify_acls"], "controls": []}, {"id": "OL09-00-000304", "levels": ["low"], "notes": "", "title": "OL 9 must be configured so that the file integrity tool verifies extended attributes.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_verify_ext_attributes"], "controls": []}, {"id": "OL09-00-000350", "levels": ["medium"], "notes": "", "title": "OL 9 must have the rsyslog package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed"], 
"controls": []}, {"id": "OL09-00-000355", "levels": ["medium"], "notes": "", "title": "OL 9 must have the packages required for encrypting offloaded audit logs installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog-gnutls_installed"], "controls": []}, {"id": "OL09-00-000351", "levels": ["medium"], "notes": "", "title": "The rsyslog service on OL 9 must be active.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyslog_enabled"], "controls": []}, {"id": "OL09-00-005030", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_nolisten"], "controls": []}, {"id": "OL09-00-005000", "levels": ["medium"], "notes": "", "title": "OL 9 remote access methods must be monitored.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_remote_access_monitoring"], "controls": []}, {"id": "OL09-00-000855", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to offload 
audit records onto a different system from the system being audited via syslog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_audispd_syslog_plugin_activated"], "controls": []}, {"id": "OL09-00-005015", "levels": ["medium"], "notes": "", "title": "OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_encrypt_offload_actionsendstreamdriverauthmode"], "controls": []}, {"id": "OL09-00-005020", "levels": ["medium"], "notes": "", "title": "OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_encrypt_offload_actionsendstreamdrivermode"], "controls": []}, {"id": "OL09-00-005025", "levels": ["medium"], "notes": "", "title": "OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["rsyslog_encrypt_offload_defaultnetstreamdriver"], "controls": []}, {"id": "OL09-00-005005", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_remote_loghost"], "controls": []}, {"id": "OL09-00-005010", "levels": ["medium"], "notes": "", "title": "OL 9 must use cron logging.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_cron_logging"], "controls": []}, {"id": "OL09-00-000440", "levels": ["medium"], "notes": "", "title": "OL 9 audit package must be installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit_installed"], "controls": []}, {"id": "OL09-00-000441", "levels": ["medium"], "notes": "", "title": "OL 9 audit service must be enabled.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "OL09-00-000760", "levels": ["medium"], "notes": "", "title": "OL 9 audit system must take appropriate action when an error writing to the audit storage volume 
occurs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_error_action_stig", "var_auditd_disk_error_action=halt"], "controls": []}, {"id": "OL09-00-000765", "levels": ["medium"], "notes": "", "title": "OL 9 audit system must take appropriate action when the audit storage volume is full.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_full_action_stig", "var_auditd_disk_full_action=halt"], "controls": []}, {"id": "OL09-00-000850", "levels": ["medium"], "notes": "", "title": "OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_audispd_configure_sufficiently_large_partition"], "controls": []}, {"id": "OL09-00-000865", "levels": ["medium"], "notes": "", "title": "OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left_percentage", "var_auditd_space_left_percentage=25pc"], "controls": []}, {"id": 
"OL09-00-000870", "levels": ["medium"], "notes": "", "title": "OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left_action", "var_auditd_space_left_action=email"], "controls": []}, {"id": "OL09-00-000875", "levels": ["medium"], "notes": "", "title": "OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_admin_space_left_percentage", "var_auditd_admin_space_left_percentage=5pc"], "controls": []}, {"id": "OL09-00-000770", "levels": ["medium"], "notes": "", "title": "OL 9 audit system must take appropriate action when the audit files have reached maximum size.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action_stig", "var_auditd_max_log_file_action=rotate"], "controls": []}, {"id": "OL09-00-000755", "levels": ["medium"], "notes": "", "title": "OL 9 must label all offloaded audit logs before sending them to the central log server.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_name_format", "var_auditd_name_format=stig"], "controls": []}, {"id": "OL09-00-000860", "levels": ["medium"], "notes": "", "title": "OL 9 must take appropriate action when the internal event queue is full.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_overflow_action"], "controls": []}, {"id": "OL09-00-000825", "levels": ["medium"], "notes": "", "title": "OL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_action_mail_acct", "var_auditd_action_mail_acct=root"], "controls": []}, {"id": "OL09-00-000800", "levels": ["medium"], "notes": "", "title": "OL 9 audit system must audit local events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_local_events"], "controls": []}, {"id": "OL09-00-000785", "levels": ["medium"], "notes": "", "title": "OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["directory_group_ownership_var_log_audit"], "controls": []}, {"id": "OL09-00-000790", "levels": ["medium"], "notes": "", "title": "OL 9 audit log directory must be owned by root to prevent unauthorized read access.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["directory_ownership_var_log_audit"], "controls": []}, {"id": "OL09-00-000795", "levels": ["medium"], "notes": "", "title": "OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit"], "controls": []}, {"id": "OL09-00-000775", "levels": ["medium"], "notes": "", "title": "OL 9 must periodically flush audit records to disk to prevent the loss of audit records.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_freq", "var_auditd_freq=100"], "controls": []}, {"id": "OL09-00-000835", "levels": ["medium"], "notes": "", "title": "OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_log_format"], "controls": []}, {"id": "OL09-00-000880", "levels": ["medium"], "notes": "", "title": "OL 9 must write audit records to disk.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_write_logs"], "controls": []}, {"id": "OL09-00-000885", "levels": ["medium"], "notes": "", "title": "OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_admin_space_left_action", "var_auditd_admin_space_left_action=single"], "controls": []}, {"id": "OL09-00-000805", "levels": ["medium"], "notes": "", "title": "OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_audit_rulesd"], "controls": []}, {"id": "OL09-00-000810", "levels": ["medium"], "notes": "", "title": "OL 9 /etc/audit/auditd.conf file must have mode 0640 or less permissive to prevent unauthorized access.", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_audit_auditd"], "controls": []}, {"id": "OL09-00-000830", "levels": ["low"], "notes": "", "title": "OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "OL09-00-002405", "levels": ["medium"], "notes": "", "title": "OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_client_configure_mail_alias"], "controls": []}, {"id": "OL09-00-000450", "levels": ["medium"], "notes": "", "title": "OL 9 audispd-plugins package must be installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audispd-plugins_installed"], "controls": []}, {"id": "OL09-00-000715", "levels": ["medium"], "notes": "", "title": "OL 9 must audit uses of the \"execve\" system call.", "description": null, "rationale": null, "automated": 
"yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_privilege_function"], "controls": []}, {"id": "OL09-00-000640", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fchmod"], "controls": []}, {"id": "OL09-00-000645", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchown", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_lchown"], "controls": []}, {"id": "OL09-00-000545", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_lremovexattr", 
"audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_fsetxattr"], "controls": []}, {"id": "OL09-00-000705", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of umount system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_umount"], "controls": []}, {"id": "OL09-00-000665", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chacl command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chacl"], "controls": []}, {"id": "OL09-00-000560", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the setfacl command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setfacl"], "controls": []}, {"id": "OL09-00-000555", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chcon command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chcon"], "controls": []}, {"id": "OL09-00-000650", "levels": ["medium"], 
"notes": "", "title": "OL 9 must audit all uses of the semanage command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_semanage"], "controls": []}, {"id": "OL09-00-000655", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the setfiles command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setfiles"], "controls": []}, {"id": "OL09-00-000660", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the setsebool command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setsebool"], "controls": []}, {"id": "OL09-00-000680", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_unlinkat", "audit_rules_file_deletion_events_rmdir", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_renameat"], "controls": []}, {"id": "OL09-00-000635", "levels": ["medium"], 
"notes": "", "title": "OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_truncate"], "controls": []}, {"id": "OL09-00-000685", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the delete_module system call.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_delete"], "controls": []}, {"id": "OL09-00-000690", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the init_module and finit_module system calls.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_kernel_module_loading_finit"], "controls": []}, {"id": "OL09-00-000550", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chage command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_chage"], "controls": []}, {"id": "OL09-00-000565", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the chsh command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_chsh"], "controls": []}, {"id": "OL09-00-000570", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the crontab command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_crontab"], "controls": []}, {"id": "OL09-00-000575", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the gpasswd command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_gpasswd"], "controls": []}, {"id": "OL09-00-000695", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the kmod command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_kmod"], "controls": []}, {"id": 
"OL09-00-000580", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the newgrp command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_newgrp"], "controls": []}, {"id": "OL09-00-000585", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the pam_timestamp_check command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_pam_timestamp_check"], "controls": []}, {"id": "OL09-00-000590", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the passwd command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_passwd"], "controls": []}, {"id": "OL09-00-000595", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the postdrop command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_postdrop"], "controls": []}, {"id": "OL09-00-000600", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the postqueue command.", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_postqueue"], "controls": []}, {"id": "OL09-00-000605", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the ssh-agent command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_ssh_agent"], "controls": []}, {"id": "OL09-00-000610", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the ssh-keysign command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_ssh_keysign"], "controls": []}, {"id": "OL09-00-000540", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the su command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_su"], "controls": []}, {"id": "OL09-00-000670", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the sudo command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["audit_rules_privileged_commands_sudo"], "controls": []}, {"id": "OL09-00-000615", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the sudoedit command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_sudoedit"], "controls": []}, {"id": "OL09-00-000620", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the unix_chkpwd command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_unix_chkpwd"], "controls": []}, {"id": "OL09-00-000535", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the unix_update command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_unix_update"], "controls": []}, {"id": "OL09-00-000625", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the userhelper command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_userhelper"], "controls": []}, {"id": "OL09-00-000675", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the usermod 
command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_usermod"], "controls": []}, {"id": "OL09-00-000630", "levels": ["medium"], "notes": "", "title": "OL 9 must audit all uses of the mount command.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_mount"], "controls": []}, {"id": "OL09-00-000730", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the init command in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_privileged_commands_init"], "controls": []}, {"id": "OL09-00-000735", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the poweroff command in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_privileged_commands_poweroff"], "controls": []}, {"id": "OL09-00-000740", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the reboot command in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_privileged_commands_reboot"], "controls": []}, {"id": "OL09-00-000745", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the shutdown command in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_privileged_commands_shutdown"], "controls": []}, {"id": "OL09-00-000840", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the umount system call in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_umount"], "controls": []}, {"id": "OL09-00-000845", "levels": ["medium"], "notes": "", "title": "Successful/unsuccessful uses of the umount2 system call in OL 9 must generate an audit record.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_umount2"], "controls": []}, {"id": "OL09-00-000500", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers"], "controls": []}, {"id": "OL09-00-000505", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sudoers_d"], "controls": []}, {"id": "OL09-00-000510", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_group"], "controls": []}, {"id": "OL09-00-000515", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_gshadow"], "controls": []}, {"id": "OL09-00-000520", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination 
events that affect /etc/opasswd.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_opasswd"], "controls": []}, {"id": "OL09-00-000525", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "OL09-00-000530", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_shadow"], "controls": []}, {"id": "OL09-00-000720", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock"], "controls": []}, {"id": "OL09-00-000700", 
"levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_lastlog"], "controls": []}, {"id": "OL09-00-000725", "levels": ["medium"], "notes": "", "title": "OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_tallylog"], "controls": []}, {"id": "OL09-00-000820", "levels": ["medium"], "notes": "", "title": "OL 9 must take appropriate action when a critical audit processing failure occurs.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_system_shutdown"], "controls": []}, {"id": "OL09-00-008000", "levels": ["medium"], "notes": "", "title": "OL 9 audit system must protect logon UIDs from unauthorized change.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable_login_uids"], "controls": []}, {"id": "OL09-00-008005", 
"levels": ["medium"], "notes": "", "title": "OL 9 audit system must protect auditing rules from unauthorized change.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "OL09-00-000070", "levels": ["high"], "notes": "", "title": "OL 9 must enable FIPS mode.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_crypto_fips_enabled", "configure_crypto_policy", "enable_dracut_fips_module", "enable_fips_mode", "var_system_crypto_policy=fips"], "controls": []}, {"id": "OL09-00-001080", "levels": ["medium"], "notes": "", "title": "OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed_sha512"], "controls": []}, {"id": "OL09-00-002404", "levels": ["medium"], "notes": "", "title": "OL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_libreswan_crypto_policy"], "controls": []}, {"id": "OL09-00-001060", "levels": ["medium"], "notes": "", "title": "OL 9 
pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_passwordauth", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "OL09-00-000240", "levels": ["medium"], "notes": "", "title": "OL 9 must have the crypto-policies package installed.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_crypto-policies_installed"], "controls": []}, {"id": "OL09-00-000243", "levels": ["medium"], "notes": "", "title": "OL 9 must be configured so that the cryptographic hashes of system files match vendor values.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rpm_verify_hashes"], "controls": []}, {"id": "OL09-00-000244", "levels": ["high"], "notes": "", "title": "OL 9 crypto policy files must match files shipped with the operating system.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rpm_verify_crypto_policies"], "controls": []}, {"id": "OL09-00-000242", "levels": ["medium"], "notes": "", "title": "OL 9 crypto 
policy must not be overridden.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["fips_crypto_policy_symlinks"], "controls": []}, {"id": "OL09-00-002424", "levels": ["medium"], "notes": "", "title": "OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_kerberos_crypto_policy"], "controls": []}, {"id": "OL09-00-000241", "levels": ["medium"], "notes": "", "title": "OL 9 must implement a system-wide encryption policy.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_crypto_policy"], "controls": []}, {"id": "OL09-00-002421", "levels": ["medium"], "notes": "", "title": "OL 9 must implement DOD-approved encryption in the bind package.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_bind_crypto_policy"], "controls": []}, {"id": "OL09-00-900140", "levels": ["medium"], "notes": "", "title": "OL 9 must only allow the use of DOD PKI-established certificate authorities for authentication 
in the establishment of protected sessions to OL 9.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["only_allow_dod_certs"], "controls": []}], "levels": [{"id": "high", "inherits_from": null}, {"id": "medium", "inherits_from": null}, {"id": "low", "inherits_from": null}]}