{"id": "bsi_sys_1_1_rhcos4", "policy": "BSI-SYS-1-1-RHCOS4", "title": "SYS.1.1 General Server (RHCOS)", "source": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/bsi_sys_1_1_rhcos4.yml", "controls": [
{"id": "SYS.1.1.A1", "levels": ["basic"], "notes": "This requirement must be implemented organizationally and cannot be checked technically.", "title": "Appropriate Installation", "description": "(1) Servers MUST be operated in locations that may only be accessed by authorised persons. (2) Servers MUST therefore be set up and installed in data centres, computer rooms, or lockable server rooms (see the corresponding modules in the INF Infrastructure layer). (3) Servers MUST NOT be used as personal computers. (4) IT systems used as workstations MUST NOT be used as servers.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A2", "levels": ["basic"], "notes": "In the RHCOS context there are no users or services logging into the server from outside; logins happen through OpenShift. The exception is an sshd login in case of emergency, which by default is only possible with a public/private key pair.", "title": "User Authentication on Servers", "description": "(1) Authentication methods adequate for the protection needs at hand MUST be used when users and services log into servers. (2) This SHOULD be taken into account for administrative access in particular. (3) Central, network-based authentication services SHOULD be used whenever possible.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A3", "levels": ["basic"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A4", "levels": ["basic"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A5", "levels": ["basic"], "notes": "Section 1: If no specific software is used to control which devices are allowed on USB ports, compliance can be ensured by disabling the USB ports completely. The term interfaces is ambiguous here; it refers to USB and similar device interfaces, not to network interfaces.", "title": "Protection of Interfaces", "description": "(1) It MUST be ensured that only specified removable storage media and other devices can be connected to servers. (2) All interfaces that are no longer needed must be disabled.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_firewire-core_disabled", "kernel_module_usb-storage_disabled", "coreos_nousb_kernel_argument"], "controls": []},
{"id": "SYS.1.1.A6", "levels": ["basic"], "notes": "Section 1: For servers we can conclude that wireless protocols are unnecessary. Section 3: There are no individual users on an RHCOS system. Furthermore, the regular system directories are read-only, which reduces the risk of filling up a partition and endangering the system. /var, /usr and /etc are on separate partitions by default, /opt is symlinked to /var/opt by default, and /tmp is a tmpfs by default. Section 4: Documentation and organizational tasks.", "title": "Disabling Unnecessary Services", "description": "(1) All unnecessary services and applications \u2014 particularly network services \u2014 MUST be disabled or uninstalled. (2) All unused functions in firmware MUST also be disabled. (3) On servers, the disk space allotted to both individual users and applications SHOULD be restricted appropriately. (4) The decisions taken in this regard SHOULD be documented in a way that makes it clear which configuration and software equipment was chosen for servers.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp", "kernel_module_iwlmvm_disabled", "partition_for_var", "service_bluetooth_disabled", "kernel_module_cfg80211_disabled", "kernel_module_iwlwifi_disabled", "kernel_module_mac80211_disabled", "wireless_disable_in_bios", "wireless_disable_interfaces", "kernel_module_bluetooth_disabled", "partition_for_var_tmp", "partition_for_usr", "partition_for_var_log"], "controls": []},
{"id": "SYS.1.1.A7", "levels": ["basic"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A8", "levels": ["basic"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A9", "levels": ["basic"], "notes": "Sections 1 and 2: Antivirus software on Linux systems is mainly useful if the server provides file or mail services to endpoints. Since RHCOS4 is not a standard Linux system, any virus protection measures should be implemented at the container orchestrator level.", "title": "Using Anti-Virus Programs on Servers", "description": "(1) Whether virus protection programs can and should be used MUST be checked depending on the operating system installed, the services provided, and other existing protection mechanisms of the server in question. (2) Where available, concrete statements from the relevant operating system modules of the IT-Grundschutz Compendium on whether virus protection is necessary MUST be considered.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A10", "levels": ["basic"], "notes": "This whole requirement is implemented more specifically in the CIS hardening guide, which also defines permissions to protect against manipulation. # OPS.1.1.5: review the Logging requirement # AIDE. Section 2: Only in system logs, not in specialized audit logs. Section 5: Identify how firewalld logs and whether that could be used. Sections 7 and 8 are not addressed explicitly with rules, as 8 is specific to the AV software and 7 is quite broad.", "title": "Logging", "description": "(1) In general, all security-relevant system events MUST be logged, including the following at minimum: \u2022 (2) System starts and reboots \u2022 (3) Successful and failed login attempts (operating system and application software) \u2022 (4) Failed authorisation checks \u2022 (5) Blocked data flows (violations of ACLs or firewall rules) \u2022 (6) Creation of or changes to users, groups, and authorisations \u2022 (7) Security-relevant error messages (e.g. hardware defects, exceeded capacity limits) \u2022 (8) Warnings from security systems (e.g. virus protection)", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_newgidmap", "audit_rules_privileged_commands_pt_chown", "audit_rules_login_events_lastlog", "audit_rules_privileged_commands_usernetctl", "audit_rules_privileged_commands_usermod", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_privileged_commands_sudoedit", "audit_rules_privileged_commands_newgrp", "audit_rules_privileged_commands_sudo", "audit_rules_privileged_commands_passwd", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchownat", "audit_rules_sysadmin_actions", "coreos_audit_option", "audit_rules_usergroup_modification_group", "audit_rules_privileged_commands_umount", "audit_rules_execution_setfacl", "audit_rules_session_events", "audit_rules_dac_modification_lremovexattr", "audit_rules_privileged_commands_chsh", "audit_rules_privileged_commands_postdrop", "audit_rules_privileged_commands_unix_chkpwd", "audit_rules_privileged_commands_at", "audit_rules_privileged_commands_postqueue", "audit_rules_privileged_commands_newuidmap", "audit_rules_privileged_commands_userhelper", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr", "audit_rules_privileged_commands_crontab", "service_auditd_enabled", "audit_rules_privileged_commands_gpasswd", "audit_rules_dac_modification_chown", "audit_rules_usergroup_modification_gshadow", "audit_rules_privileged_commands_pam_timestamp_check", "audit_rules_suid_auid_privilege_function", "coreos_audit_backlog_limit_kernel_argument", "audit_rules_privileged_commands_chage", "audit_rules_login_events_faillock", "audit_rules_dac_modification_lsetxattr", "package_audit-libs_installed", "audit_rules_privileged_commands_mount", "audit_sudo_log_events", "audit_rules_execution_chcon", "audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchown", "audit_rules_privileged_commands_su", "audit_rules_usergroup_modification_shadow", "audit_rules_dac_modification_fsetxattr", "audit_rules_usergroup_modification_opasswd", "audit_rules_privileged_commands_ssh_keysign", "package_audit_installed", "audit_rules_usergroup_modification_passwd", "audit_rules_dac_modification_lchown", "var_accounts_passwords_pam_faillock_dir=run"], "controls": []},
{"id": "SYS.1.1.A11", "levels": ["standard"], "notes": "This requirement must be implemented organizationally. If this is interpreted as a hardening requirement, the CIS profile could be used.", "title": "Defining a Security Policy for Servers", "description": "(1) Based on the general security policy of the organisation in question, the requirements for servers SHOULD be specified in a separate security policy. (2) This policy SHOULD be known to all administrators and other persons involved in the procurement and operation of servers and be integral to their work. (3) The implementation of the policy's requirements SHOULD be checked at regular intervals. (4) The results SHOULD be appropriately documented.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A12", "levels": ["standard"], "notes": "This requirement must be implemented organizationally. Some parts could be checked technically, e.g. whether repositories are configured, whether AV is installed, and the like.", "title": "Planning the Use of Servers", "description": "Each server system SHOULD be suitably planned. In this process, the following points SHOULD be taken into account at minimum: \u2022 Selection of the hardware platform, operating system, and application software \u2022 Hardware capacity (performance, memory, bandwidth, etc) \u2022 Type and number of communication interfaces \u2022 Power consumption, thermal load, space requirements, and structural shape \u2022 Administrative access points (see SYS.1.1.A5 Protection of Administration Interfaces) \u2022 User access \u2022 Logging (see SYS.1.1.A10 Logging). \u2022 Updates for operating systems and applications \u2022 Integration into system and network management, backups, and protection systems (virus protection, IDS, etc) All decisions taken in the planning phase SHOULD be documented in such a way that they can be understood at any future point in time.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A13", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Procurement of Servers", "description": "Prior to procuring one or more servers, a requirements list SHOULD be drawn up that can be used to evaluate the products available on the market.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A14", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A15", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Stable and Uninterruptible Power Supply [Building Services]", "description": "(1) Every server SHOULD be connected to an uninterruptible power supply (UPS).", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A16", "levels": ["standard"], "notes": "One could argue that this is done with this profile, or the CIS Benchmark could be used again if CIS is the security policy. Furthermore, OCP4/RHCOS4 implement a secure-by-default approach.", "title": "Secure Basic Configuration of Servers", "description": "(1) The basic settings of servers SHOULD be checked and, where necessary, adapted to the specifications of the security policy at hand. (2) Clients SHOULD only be connected to the Internet after the installation and configuration have been completed.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A17", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A18", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A19", "levels": ["standard"], "notes": "Red Hat CoreOS is a container-specific OS. It is used in combination with software-defined networking solutions, which may implement the necessary packet filters. Additional filtering on the host must be done in a way that is native to, and understood from, an OpenShift/Kubernetes perspective. This is covered in the APP.4.4 / SYS.1.6 rule sets.", "title": "Configuring Local Packet Filters", "description": "(1) Based on a set of rules, existing local packet filters SHOULD be designed to limit incoming and outgoing communications to the necessary communication partners, communication protocols, ports, and interfaces. (2) The identity of remote systems and the integrity of corresponding connections SHOULD be protected cryptographically.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A20", "levels": ["standard"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A21", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Operational Documentation for Servers", "description": "(1) Operational tasks that are carried out on a server SHOULD be clearly documented in terms of what has been done, when, and by whom. (2) In particular, the documentation SHOULD make configuration changes transparent. (3) Security-relevant responsibilities, such as who is authorised to install new hard disks, SHOULD be documented. (4) Everything that can be documented automatically SHOULD be documented automatically. (5) The documentation SHOULD be protected against unauthorised access and loss.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A22", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Integration into Contingency Planning", "description": "(1) Servers SHOULD be taken into account in business continuity management processes. (2) To this end, the contingency requirements for the system in question SHOULD be determined and appropriate contingency procedures implemented\u2014for example, by drawing up recovery plans or securely storing passwords and cryptographic keys.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A23", "levels": ["standard"], "notes": "This is an organizational measure. RHCOS4 is integrated into the metrics of OCP; it provides metrics for monitoring via Prometheus.", "title": "Monitoring Systems and Servers", "description": "(1) Server systems SHOULD be integrated into an appropriate system monitoring concept. (2) The status and functionality of these systems and the services operated on them SHOULD be continuously monitored. (3) Error conditions and defined thresholds that are exceeded SHOULD be reported to the operating personnel.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A24", "levels": ["standard"], "notes": "This is met due to the usage of this compliance profile.", "title": "Security Checks for Servers", "description": "(1) Servers SHOULD be subjected to regular security tests to check their compliance with the applicable security requirements and identify possible vulnerabilities. (2) In particular, these security tests SHOULD be performed on servers with external interfaces. (3) To prevent indirect attacks via infected systems in an organisation\u2019s own network, internal server systems SHOULD also be checked accordingly at defined intervals. (4) Whether the security checks can be realised automatically\u2014by means of suitable scripts, for example\u2014SHOULD be examined.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A25", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Controlled Decommissioning of a Server", "description": "(1) When decommissioning a server, it SHOULD be ensured that no important data that might still be present on the storage media is lost and no sensitive data remains. (2) There SHOULD be an overview of the data stored in each location on the server. (3) Furthermore, it SHOULD be ensured that services offered by the server will be taken over by another server when necessary. (4) A checklist SHOULD be created that is to be completed when decommissioning a server. (5) This checklist SHOULD at least include aspects related to backing up data, migrating services, and subsequently deleting all data in a secure manner.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A35", "levels": ["standard"], "notes": "This requirement must be implemented organizationally.", "title": "Drawing Up and Maintaining an Operating Manual", "description": "(1) An operating manual SHOULD be drawn up. (2) It SHOULD document all the rules, requirements, and settings that are necessary in operating servers. (3) There SHOULD be a specific operating manual for every type of server. (4) Each operating manual SHOULD be updated at regular intervals. (5) Operating manuals SHOULD be protected against unauthorised access. (6) Operating manuals SHOULD be available in emergencies.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A37", "levels": ["standard"], "notes": "Sections 1-2: This can be done by using SELinux for enhanced protection and/or container technology (microsegmentation).", "title": "Encapsulation of Security-Critical Applications and Operating System Components", "description": "(1) In order to prevent an attacker from accessing the operating system or other applications and prevent access from the operating system to files that are particularly sensitive, applications and operating system components (such as authentication or certificate verification) SHOULD be specially encapsulated according to their protection needs or isolated from other applications and operating system components. (2) Particular attention SHOULD be paid to security-critical applications that work with data from insecure sources (e.g. web browsers and office communication applications).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_confinement_of_daemons", "grub2_enable_selinux", "selinux_not_disabled", "selinux_state", "selinux_policytype", "package_libselinux_installed", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []},
{"id": "SYS.1.1.A26", "levels": ["elevated"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A27", "levels": ["elevated"], "notes": "Section 1: Can only be checked manually. Sections 2 and 3: This is an organizational requirement. Section 4: AIDE could be leveraged as a system mechanism; in the context of RHCOS4 / OpenShift this can be done with the File Integrity Operator, which operates at the OpenShift level and not at the OS level.\nChecking RPM integrity with rpm_verify_hashes, rpm_verify_ownership and rpm_verify_permissions is of no avail, since in OpenShift Container Platform the Machine Config Operator handles operating system upgrades. Instead of upgrading individual packages, as is done with yum, rpm-ostree delivers upgrades of the OS as an atomic unit. The new OS deployment is staged during upgrades and goes into effect on the next reboot. If something goes wrong with the upgrade, a single rollback and reboot returns the system to the previous state. RHCOS upgrades in OpenShift Container Platform are performed during cluster updates.", "title": "Host-Based Attack Detection", "description": "(1) Host-based attack detection systems (also referred to as host-based intrusion detection systems, IDS, or intrusion prevention systems, IPS) SHOULD be used to monitor system behaviour for abnormalities and misuse. (2) The IDS/IPS mechanisms used SHOULD be appropriately selected, configured, and thoroughly tested. (3) If an attack has been detected, the operating personnel SHOULD be alerted in an appropriate manner. (4) Using operating system mechanisms or suitable additional products, changes made to system files and configuration settings SHOULD be checked, restricted, and reported.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A28", "levels": ["elevated"], "notes": "This is an organizational requirement.", "title": "Increasing Availability Through Redundancy", "description": "(1) Server systems with high availability requirements SHOULD be protected adequately against failures. (2) At minimum, suitable redundancies SHOULD be available and maintenance contracts concluded with the respective suppliers. (3) Whether high-availability architectures with automatic failover (across various sites, if necessary) are required in the case of very high requirements SHOULD be checked.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A29", "levels": ["elevated"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A30", "levels": ["elevated"], "notes": "This requirement must be implemented organizationally.", "title": "One Service per Server", "description": "(1) Depending on the threat landscape at hand and the protection needs of services, only one service SHOULD be operated on each server.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A31", "levels": ["elevated"], "notes": "While it does not directly use an allowlist of executable programs, SELinux helps to address this issue: it denies execution or file access based on a list of allowed permissions.", "title": "Using Execution Control", "description": "(1) Execution control SHOULD be used to ensure that only explicitly authorised programs and scripts can be executed. (2) The rules SHOULD be set as restrictively as possible. (3) If explicit specification of paths and hashes is not possible, certificate-based or path rules SHOULD be used as an alternative.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_confinement_of_daemons", "grub2_enable_selinux", "selinux_not_disabled", "selinux_state", "selinux_policytype", "package_libselinux_installed", "var_selinux_policy_name=targeted", "var_selinux_state=enforcing"], "controls": []},
{"id": "SYS.1.1.A32", "levels": ["elevated"], "notes": "This requirement has been eliminated.", "title": "ELIMINATED", "description": "This requirement has been eliminated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A33", "levels": ["elevated"], "notes": "Section 1: Organizational control. Sections 2-4: Can be addressed by a manual rule in OpenSCAP. This can conflict with the rpm checks, as changing the ca-trust store triggers these checks.", "title": "Active Administration of Root Certificates", "description": "(1) As part of the procurement and installation of a server, the root certificates that are required to operate the server SHOULD be documented. (2) Only the previously documented root certificates required for operation SHOULD be present on the server. (3) Regular checks SHOULD be performed as to whether existing root certificates still comply with the respective organisation\u2019s requirements. (4) All certificate stores on the IT system at hand SHOULD be included in these checks.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["only_allow_specific_certs"], "controls": []},
{"id": "SYS.1.1.A34", "levels": ["elevated"], "notes": "Sections 1-3: Specification of what is needed. Section 4: Organizational control. Section 5: Can be addressed on a partition label with existing checks. # Keylime? # NBDE? # https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening", "title": "Hard Disk Encryption", "description": "(1) In case of increased protection needs, a server's storage media should be encrypted using a product or procedure that is considered secure. (2) This SHOULD also apply to virtual machines containing production data. (3) Trusted Platform Module (TPM) SHOULD NOT be the only form of key protection used. (4) Recovery passwords SHOULD be stored in an appropriate and secure location. (5) In case of very high requirements (e.g. regarding confidentiality), full volume or full disk encryption SHOULD be used.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_rng_core_default_quality_argument", "encrypt_partitions"], "controls": []},
{"id": "SYS.1.1.A36", "levels": ["elevated"], "notes": "At the moment there is no automated check for whether Secure Boot is active. It can be checked manually with mokutil --sb-state.", "title": "Protecting the Boot Process", "description": "(1) A server's boot loader and operating system kernel SHOULD be checked by self-controlled key material that is signed upon system start in a trusted chain (secure boot). (2) Unnecessary key material SHOULD be removed.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []},
{"id": "SYS.1.1.A38", "levels": ["elevated"], "notes": "Red Hat CoreOS 4 is an operating system which is largely read-only, since its purpose is solely to host containers. It is largely immutable (with reasonable exceptions such as /etc).", "title": "Hardening of the Host System by Means of a Read-Only File System", "description": "The integrity of the host system should be ensured by a read-only file system (an immutable OS).", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}
], "levels": [{"id": "basic", "inherits_from": null}, {"id": "standard", "inherits_from": ["basic"]}, {"id": "elevated", "inherits_from": ["standard"]}]}