{"id": "ccn_ol9", "policy": "CCN-STIC-620", "title": "Security Profile Application Guide for Oracle Linux 9", "source": "https://www.ccn-cert.cni.es/es/guias-de-acceso-publico-ccn-stic/6669-ccn-stic-620-guia-de-aplicaciones-de-perfilado-de-seguridad-para-oracle-linux/file.html", "definition_location": "/aptdata/openscap/scap-security-guide/controls/ccn_ol9.yml", "controls": [{"id": "reload_dconf_db", "levels": ["basic", "intermediate", "advanced"], "notes": "This is a helper rule to reload Dconf database correctly.", "title": "Reload Dconf Database", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_db_up_to_date"], "controls": []}, {"id": "enable_authselect", "levels": ["basic", "intermediate", "advanced"], "notes": "The policy doesn't have any section where this would fit better.", "title": "Enable Authselect", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["enable_authselect", "var_authselect_profile=sssd"], "controls": []}, {"id": "A.3.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Session Initiation is Audited", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se auditan los inicios de sesi\u00f3n.", "related_rules": [], "rules": ["audit_rules_session_events_utmp", "audit_rules_login_events_lastlog", "audit_rules_login_events_faillock", "audit_rules_session_events_btmp", "audit_rules_session_events_wtmp"], 
"controls": []}, {"id": "A.3.SEC-OL2", "levels": ["intermediate", "advanced"], "notes": "", "title": "Control Who Can Access Security and Audit Logs", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla quien puede acceder a los registros de seguridad y auditor\u00eda.", "related_rules": [], "rules": ["file_group_ownership_var_log_audit", "file_ownership_var_log_audit", "file_permissions_var_log_audit", "directory_permissions_var_log_audit"], "controls": []}, {"id": "A.3.SEC-OL3", "levels": ["intermediate", "advanced"], "notes": "", "title": "System Time Change is Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el cambio de hora del sistema.", "related_rules": [], "rules": ["chronyd_run_as_chrony_user", "package_chrony_installed", "chronyd_specify_remote_server", "var_multiple_time_servers=ol"], "controls": []}, {"id": "A.3.SEC-OL4", "levels": ["intermediate", "advanced"], "notes": "", "title": "Control Who Can Generate or Modify Audit Rules", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla qui\u00e9n puede generar o modificar reglas de audit.", "related_rules": [], "rules": ["file_ownership_audit_configuration", "file_groupownership_audit_configuration", "file_permissions_audit_configuration"], "controls": []}, {"id": "A.3.SEC-OL5", "levels": ["intermediate", "advanced"], "notes": "It is not clear the intention of this requirement since there is no definition of 
these\nsubcategories. The project has many audit related rules. Clarifying these subcategories\nwe can select the proper rules.", "title": "A Detailed Audit Has Been Implemented Based on Subcategories", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se ha implementado la auditor\u00eda detallada basada en subcategor\u00edas.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.3.SEC-OL6", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "At Least 90 Days of Activity Logs Are Guaranteed", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se garantiza al menos 90 d\u00edas de registros de actividad.", "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "A.3.SEC-OL7", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups, and Passwords", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se auditan las modificaciones del fichero sudoers, as\u00ed como los cambios en permisos, usuarios, grupos y contrase\u00f1as.", "related_rules": [], "rules": ["audit_rules_usergroup_modification_group", "audit_rules_dac_modification_lchown", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_lsetxattr", "audit_rules_usergroup_modification_opasswd", 
"audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_fchown", "audit_sudo_log_events", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_lremovexattr", "audit_rules_usergroup_modification_shadow", "audit_rules_sysadmin_actions", "audit_rules_usergroup_modification_gshadow", "audit_rules_dac_modification_fchmodat"], "controls": []}, {"id": "A.3.SEC-OL8", "levels": ["advanced"], "notes": "Some possible rules were included here but it is not clear if the requirement intends to\ncheck more than these rules. We can see if more related rules are available in the project\nand include everything that makes sense in the context of cron and chrony.", "title": "Changes to Cron Settings and Scheduled Tasks Including Startup Scripts Are Audited", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se auditan los cambios en la configuraci\u00f3n de Cron y en tareas programadas incluyendo los de scripts de inicio.", "related_rules": ["audit_rules_time_adjtimex", "audit_rules_time_settimeofday", "audit_rules_time_clock_settime", "audit_rules_time_stime", "audit_rules_time_watch_localtime"], "rules": [], "controls": []}, {"id": "A.3.SEC-OL9", "levels": ["advanced"], "notes": "", "title": "Attempts to Access Critical Items Are Audited", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se auditan los intentos de acceso a elementos cr\u00edticos.", "related_rules": [], "rules": 
["audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_ftruncate"], "controls": []}, {"id": "A.3.SEC-OL10", "levels": ["intermediate", "advanced"], "notes": "We probably have audit related rule to monitor mount related syscalls, but it is not clear\nabout the swap. Is the intention to monitor when swap is changed?", "title": "All Mount Operations on the System and Changes to the Swap Are Audited", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se audita toda operaci\u00f3n de montaje en el sistema y modificaciones en la memoria de intercambio.", "related_rules": [], "rules": ["audit_rules_media_export"], "controls": []}, {"id": "A.3.SEC-OL11", "levels": ["advanced"], "notes": "The intention here is probably to audit changes in /etc/pam.d files, but we need to confirm\nthis assumption and get more context.", "title": "Modifications in PAM Files Are Audited", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se auditan modificaciones en ficheros PAM.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.4.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "It is a little tricky to interpret this requirement. Assuming the \"Common users\" are actually\ninteractive users, this requirement would automatically enforce all admin actions to be\nperformed only by the root user. 
I am not sure if this is the intention here.", "title": "Common Users Do Not Have Local Administrator Permissions and Are Not Included in a Sudo Group", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Los usuarios est\u00e1ndar no disponen de permisos de administrador local ni se encuentran incluidos en un grupo sudoer.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.4.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "New templated rule is necessary to install the package. But to ensure the chosen antivirus\nis actually updated would demand a more complex rule. Maybe this requirement can have at\nleast the partial status after the templated rule.", "title": "The System Has an Updated Antivirus", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "El sistema tiene un antivirus y este est\u00e1 actualizado.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.4.SEC-OL3", "levels": ["basic", "intermediate", "advanced"], "notes": "Related to nosuid, noexec and nodev options but in /boot. 
More context is needed.", "title": "Permissions by Partitions Are Modified", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se modifican los permisos por particiones.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.5.SEC-OL1", "levels": ["intermediate", "advanced"], "notes": "", "title": "Login and Impersonation Permissions Are Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controlan los permisos de inicio de sesi\u00f3n y suplantaci\u00f3n de identidad.", "related_rules": [], "rules": ["sudo_add_use_pty", "use_pam_wheel_for_su"], "controls": []}, {"id": "A.5.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Elevation Attempts Are Controlled by Defining Users and Sudoer Groups", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controlan los intentos de elevaci\u00f3n mediante definici\u00f3n de usuarios y grupos sudoers.", "related_rules": [], "rules": ["sudo_require_reauthentication", "sudo_require_authentication"], "controls": []}, {"id": "A.5.SEC-OL3", "levels": ["basic", "intermediate", "advanced"], "notes": "There are rules for ssh_keys, for example. 
We need to confirm the scope of this requirement", "title": "Access to Encryption Keys is Controlled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el acceso a las claves de cifrado.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.5.SEC-OL4", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Disable Insecure Encryption Algorithms", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se han deshabilitado los algoritmos de cifrado inseguros.", "related_rules": [], "rules": ["configure_crypto_policy", "var_system_crypto_policy=default_policy"], "controls": []}, {"id": "A.5.SEC-OL5", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Recurring Password Change is Required", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se exige el cambio de contrase\u00f1a de forma recurrente.", "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_min_life_existing", "accounts_password_warn_age_login_defs", "accounts_minimum_age_login_defs", "accounts_password_set_warn_age_existing", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=45", "var_accounts_minimum_age_login_defs=2", "var_accounts_password_warn_age_login_defs=10"], "controls": []}, {"id": "A.5.SEC-OL6", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Secure Protocols Are Used For the Network Authentication Processes", "description": 
null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se hace uso de protocolos seguros para los procesos de autenticaci\u00f3n de red.", "related_rules": [], "rules": ["configure_ssh_crypto_policy"], "controls": []}, {"id": "A.5.SEC-OL7", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Network Session Inactivity is Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla la inactividad de la sesi\u00f3n de red.", "related_rules": [], "rules": ["sshd_set_keepalive", "sshd_set_idle_timeout", "sshd_idle_timeout_value=15_minutes", "var_sshd_set_keepalive=1"], "controls": []}, {"id": "A.5.SEC-OL8", "levels": ["advanced"], "notes": "", "title": "Local and Remote Console Inactivity is Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla la inactividad de consola local y remota.", "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=5_min"], "controls": []}, {"id": "A.6.SEC-OL1", "levels": ["intermediate", "advanced"], "notes": "", "title": "The Security of Sensitive System Objects is Reinforced", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se refuerza la seguridad de los objetos sensibles del sistema.", "related_rules": [], "rules": ["grub2_enable_selinux", "package_libselinux_installed", 
"selinux_policytype", "selinux_state", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []}, {"id": "A.6.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Access in Recovery Mode Including Grub Boot Modification Mode is Restricted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se restringen accesos en modo recuperaci\u00f3n incluido el modo modificaci\u00f3n de inicio de grub.", "related_rules": [], "rules": ["file_groupowner_grub2_cfg", "file_permissions_user_cfg", "file_owner_grub2_cfg", "file_groupowner_user_cfg", "file_owner_user_cfg", "file_permissions_grub2_cfg"], "controls": []}, {"id": "A.6.SEC-OL3", "levels": ["intermediate", "advanced"], "notes": "\"/sbin/nologin\" might be a better option", "title": "Service Users Shell is Limited to \"/bin/false\"", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se limita la shell de usuarios de servicio a \"/bin/false\".", "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts", "no_password_auth_for_systemaccounts"], "controls": []}, {"id": "A.6.SEC-OL4", "levels": ["intermediate", "advanced"], "notes": "", "title": "The Use of Sessions With the \"root\" User is Restricted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se restringe el uso de sesiones con usuario \"root\".", "related_rules": [], "rules": ["no_empty_passwords_etc_shadow", "ensure_root_password_configured"], "controls": []}, {"id": 
"A.6.SEC-OL5", "levels": ["advanced"], "notes": "", "title": "The Global System Mask is Modified To Be More Restrictive", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se modifica la m\u00e1scara global del sistema para ser m\u00e1s restrictiva.", "related_rules": [], "rules": ["accounts_umask_etc_bashrc", "accounts_umask_etc_login_defs", "accounts_umask_etc_profile", "var_accounts_user_umask=027"], "controls": []}, {"id": "A.6.SEC-OL6", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Unnecessary Groups and Users are Removed From the System", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se eliminan los grupos y usuarios innecesarios del sistema.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.8.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Control Who Can Install Software on the System", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla qui\u00e9n puede instalar software en el sistema.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.8.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "The Operating System is Updated", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "El sistema operativo est\u00e1 actualizado.", 
"related_rules": ["security_patches_up_to_date"], "rules": [], "controls": []}, {"id": "A.8.SEC-OL3", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "The System Has an Activated Local Firewall", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "El sistema tiene un firewall local activado.", "related_rules": [], "rules": ["set_firewalld_default_zone", "firewalld_loopback_traffic_trusted", "service_nftables_disabled", "package_firewalld_installed", "service_firewalld_enabled", "firewalld_loopback_traffic_restricted"], "controls": []}, {"id": "A.8.SEC-OL4", "levels": ["intermediate", "advanced"], "notes": "", "title": "Unnecessary Services are Disabled, Reducing the Attack Surface", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se deshabilitan servicios innecesarios, reduciendo la superficie de exposici\u00f3n.", "related_rules": [], "rules": ["kernel_module_udf_disabled", "package_bind_removed", "package_cyrus-imapd_removed", "package_net-snmp_removed", "package_squid_removed", "package_tftp-server_removed", "package_dovecot_removed", "package_vsftpd_removed", "kernel_module_squashfs_disabled", "package_telnet-server_removed"], "controls": []}, {"id": "A.8.SEC-OL5", "levels": ["advanced"], "notes": "This might be related to SELinux or fapolicyd.\nWe need more context to confirm the intention of this requirement", "title": "Application Execution is Controlled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
"Se controla la ejecuci\u00f3n de aplicaciones.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.8.SEC-OL6", "levels": ["basic", "intermediate", "advanced"], "notes": "These are mentioned to be reviewed but not enforced:\n# net.ipv4.icmp_echo_ignore_all = 1\n# net.ipv4.tcp_timestamps = 0\n# net.ipv4.tcp_max_syn_backlog = 1280\n# sysctl_net_ipv6_conf_all_disable_ipv6\n# sysctl_net_ipv6_conf_default_disable_ipv6", "title": "Anti-Ransomware Measures are Enabled", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se dispone de medidas anti ransomware habilitadas.", "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_fs_suid_dumpable", "sysctl_net_ipv4_conf_all_log_martians", "sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_ip_forward", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv6_conf_all_accept_ra", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv4_conf_default_send_redirects", "sysctl_net_ipv4_conf_all_accept_redirects"], "controls": []}, {"id": "A.8.SEC-OL7", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Password Encrypted Boot That Prevents Modification is Enabled (Protected GRUB)", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Est\u00e1 habilitado el arranque cifrado con contrase\u00f1a que evite modificaciones (GRUB protegido).", "related_rules": [], "rules": ["grub2_password"], "controls": []}, {"id": "A.8.SEC-OL8", "levels": ["basic", "intermediate", "advanced"], "notes": "Is it related to downloads from the Internet to the system or from the system to an external\nstorage, for example?", "title": "File Download is Audited", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se audita la descarga de archivos.", "related_rules": ["audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_unlinkat"], "rules": [], "controls": []}, {"id": "A.8.SEC-OL9", "levels": ["basic", "intermediate", "advanced"], "notes": "Maybe simply removing the packages is enough.", "title": "System Compilers are Disabled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Est\u00e1n deshabilitados los compiladores del sistema.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.11.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "Is it related to TTY access, physical access, local users authentication, etc?\nThe scope is not clear.", "title": "Local Log On To the System is Controlled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el inicio de sesi\u00f3n local en el sistema.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.11.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "The Security of the SSH Protocol is Strengthened", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se ha reforzado la seguridad del protocolo SSH.", "related_rules": [], "rules": ["sshd_limit_user_access"], "controls": []}, {"id": "A.11.SEC-OL3", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "A Robust Credential Policy is In Place", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se dispone de una pol\u00edtica de credenciales robusta.", "related_rules": [], "rules": ["accounts_password_pam_minlen", "accounts_password_pam_minclass", "accounts_password_pam_retry", "var_password_pam_minclass=4", "var_password_pam_minlen=14"], "controls": []}, {"id": "A.11.SEC-OL4", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "During Login, the System Displays a Text in Compliance With the Organization's Standards or Directives", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Durante el inicio de sesi\u00f3n, el sistema muestra un texto en cumplimiento con las normas o directivas de la organizaci\u00f3n.", "related_rules": [], "rules": ["dconf_gnome_banner_enabled", 
"banner_etc_issue_net", "banner_etc_motd", "sshd_enable_warning_banner_net", "dconf_gnome_login_banner_text", "banner_etc_issue", "login_banner_text=default", "motd_banner_text=default", "remote_login_banner_text=default"], "controls": []}, {"id": "A.11.SEC-OL5", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "Network Access to the System is Controlled", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el acceso al sistema a trav\u00e9s de la red.", "related_rules": ["configure_firewalld_ports"], "rules": [], "controls": []}, {"id": "A.11.SEC-OL6", "levels": ["basic", "intermediate", "advanced"], "notes": "It overlaps the rule in A.5.SEC-OL6 requirement", "title": "Only Strong Encryption Algorithms are Allowed in Accesses to the System", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "S\u00f3lo se permiten algoritmos de cifrado robustos en accesos al sistema.", "related_rules": ["configure_ssh_crypto_policy"], "rules": [], "controls": []}, {"id": "A.11.SEC-OL7", "levels": ["intermediate", "advanced"], "notes": "", "title": "GUI Idle Time is Limited", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se limita el tiempo de inactividad del GUI.", "related_rules": [], "rules": ["dconf_gnome_screensaver_lock_delay", "dconf_gnome_screensaver_idle_delay", "inactivity_timeout_value=5_minutes", "var_screensaver_lock_delay=immediate"], "controls": []}, {"id": "A.11.SEC-OL8", "levels": ["intermediate", 
"advanced"], "notes": "It seems to duplicate the A.11.SEC-OL4 requirement", "title": "A Dissuasive Banner is Displayed", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se muestra un banner disuasorio.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.11.SEC-OL9", "levels": ["intermediate", "advanced"], "notes": "", "title": "The User List is Disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se deshabilita la lista de usuarios.", "related_rules": [], "rules": ["dconf_gnome_disable_user_list"], "controls": []}, {"id": "A.11.SEC-OL10", "levels": ["intermediate", "advanced"], "notes": "New rules might be necessary.", "title": "File History is Disabled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se deshabilita recordar el historial de ficheros.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.11.SEC-OL11", "levels": ["intermediate", "advanced"], "notes": "New rules might be necessary.", "title": "Key Combination to Launch GTK Inspector is Disabled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se deshabilita combinaci\u00f3n de teclas para iniciar el inspector GTK", "related_rules": [], "rules": [], "controls": []}, {"id": "A.11.SEC-OL12", "levels": ["intermediate", "advanced"], "notes": "", "title": "Auto-Mounting 
of Removable Devices on the System is Disabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se deshabilita el auto montaje de dispositivos extra\u00edbles en el sistema.", "related_rules": [], "rules": ["dconf_gnome_disable_automount_open", "dconf_gnome_disable_autorun", "dconf_gnome_disable_automount"], "controls": []}, {"id": "A.15.SEC-OL1", "levels": ["intermediate", "advanced"], "notes": "", "title": "The Use of Removable Storage Media is Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el uso de medios de almacenamiento extra\u00edbles.", "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "A.19.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "More context should be provided to clarify this requirement", "title": "Access to the Folder and File Tree is Controlled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla el acceso al \u00e1rbol de carpetas y ficheros.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.19.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "This is already covered by other requirements. 
Maybe more rules could be included here.", "title": "Measures Are Applied to Protect Accounts", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se aplican medidas para la protecci\u00f3n de las cuentas.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.19.SEC-OL3", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "A Robust Algorithm and Password Complexity Are Enabled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Est\u00e1 habilitado un algoritmo robusto y la complejidad de contrase\u00f1as.", "related_rules": [], "rules": ["set_password_hashing_algorithm_passwordauth", "set_password_hashing_algorithm_systemauth", "set_password_hashing_algorithm_logindefs", "var_password_hashing_algorithm=SHA512", "var_password_hashing_algorithm_pam=sha512"], "controls": []}, {"id": "A.23.SEC-OL1", "levels": ["basic", "intermediate", "advanced"], "notes": "", "title": "The Installation And Use of Any Device Connected to the Equipment is Controlled", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla la instalaci\u00f3n y uso de cualquier dispositivo conectado al equipo.", "related_rules": [], "rules": ["package_usbguard_installed", "service_usbguard_enabled", "usbguard_generate_policy"], "controls": []}, {"id": "A.23.SEC-OL2", "levels": ["basic", "intermediate", "advanced"], "notes": "It seems to duplicate the A.11.SEC-OL12 requirement.", "title": "The Dynamic Mounting and Unmounting of File Systems 
is Restricted", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se restringe el montaje y desmontaje din\u00e1mico de sistemas de archivos.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.24.SEC-OL1", "levels": ["intermediate", "advanced"], "notes": "Is it about system limits?", "title": "Privileges That Affect System Performance Are Controlled", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controlan los privilegios que afectan al rendimiento del sistema.", "related_rules": [], "rules": [], "controls": []}, {"id": "A.24.SEC-OL2", "levels": ["intermediate", "advanced"], "notes": "", "title": "Control Who Can Turn Off the System", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Se controla quien puede apagar el sistema.", "related_rules": ["disable_ctrlaltdel_burstaction", "disable_ctrlaltdel_reboot"], "rules": [], "controls": []}, {"id": "A.25.SEC-OL1", "levels": ["advanced"], "notes": "", "title": "System Disk is Encrypted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "El disco del sistema est\u00e1 cifrado.", "related_rules": [], "rules": ["package_cryptsetup-luks_installed", "encrypt_partitions"], "controls": []}, {"id": "A.25.SEC-OL2", "levels": ["advanced"], "notes": "The rules in this requirement overlap the A.25.SEC-OL1 
requirement", "title": "The Data Disk is Encrypted", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "El disco de datos est\u00e1 cifrado.", "related_rules": ["package_cryptsetup-luks_installed", "encrypt_partitions"], "rules": [], "controls": []}, {"id": "A.30.SEC-OL1", "levels": ["advanced"], "notes": "", "title": "There Is an Account Lockout Policy for Incorrect Logins", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": "Existe una pol\u00edtica de bloqueo de cuentas ante inicios de sesi\u00f3n incorrectos.", "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_deny=8", "var_accounts_passwords_pam_faillock_unlock_time=never"], "controls": []}], "levels": [{"id": "basic", "inherits_from": null}, {"id": "intermediate", "inherits_from": ["basic"]}, {"id": "advanced", "inherits_from": ["intermediate"]}]}