{"id": "cis_debian12", "policy": "CIS Benchmark for Debian 12", "title": "CIS Benchmark for Debian 12", "source": "https://www.cisecurity.org/cis-benchmarks", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cis_debian12.yml", "controls": [{"id": "1.1.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cramfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_cramfs_disabled"], "controls": []}, {"id": "1.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure freevxfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_freevxfs_disabled"], "controls": []}, {"id": "1.1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure hfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_hfs_disabled"], "controls": []}, {"id": "1.1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure hfsplus kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["kernel_module_hfsplus_disabled"], "controls": []}, {"id": "1.1.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure jffs2 kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_jffs2_disabled"], "controls": []}, {"id": "1.1.1.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure overlayfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_overlayfs_disabled"], "controls": []}, {"id": "1.1.1.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure squashfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["kernel_module_squashfs_disabled"], "rules": [], "controls": []}, {"id": "1.1.1.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure udf kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_udf_disabled"], "controls": []}, {"id": "1.1.1.9", "levels": ["l1_server", 
"l2_workstation"], "notes": "", "title": "Ensure usb-storage kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "1.1.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure unused filesystems kernel modules are not available (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /tmp is a separate partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_tmp"], "controls": []}, {"id": "1.1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev"], "controls": []}, {"id": "1.1.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nosuid"], "controls": []}, {"id": "1.1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_noexec"], "controls": []}, {"id": "1.1.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /dev/shm is a separate partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_dev_shm"], "controls": []}, {"id": "1.1.2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev"], "controls": []}, {"id": "1.1.2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["mount_option_dev_shm_nosuid"], "controls": []}, {"id": "1.1.2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec"], "controls": []}, {"id": "1.1.2.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /home (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_home"], "controls": []}, {"id": "1.1.2.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nodev"], "controls": []}, {"id": "1.1.2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nosuid"], "controls": []}, {"id": "1.1.2.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition 
exists for /var (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var"], "controls": []}, {"id": "1.1.2.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nodev"], "controls": []}, {"id": "1.1.2.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nosuid"], "controls": []}, {"id": "1.1.2.5.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/tmp (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_tmp"], "controls": []}, {"id": "1.1.2.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nodev"], "controls": []}, {"id": "1.1.2.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nosuid"], "controls": []}, {"id": "1.1.2.5.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_noexec"], "controls": []}, {"id": "1.1.2.6.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log"], "controls": []}, {"id": "1.1.2.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["mount_option_var_log_nodev"], "controls": []}, {"id": "1.1.2.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nosuid"], "controls": []}, {"id": "1.1.2.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_noexec"], "controls": []}, {"id": "1.1.2.7.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log/audit (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit"], "controls": []}, {"id": "1.1.2.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nodev"], "controls": []}, {"id": "1.1.2.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", 
"title": "Ensure nosuid option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nosuid"], "controls": []}, {"id": "1.1.2.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_noexec"], "controls": []}, {"id": "1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GPG keys are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure package manager repositories are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure updates, patches, and additional security software are installed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AppArmor is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_apparmor_installed", "package_apparmor-utils_installed"], "controls": []}, {"id": "1.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AppArmor is enabled in the bootloader configuration (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_apparmor"], "controls": []}, {"id": "1.3.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "CIS recommendation does not adequately address the nuances\nof various profiles, including disabled, force-complain,\nand unconfined. Currently, the control changes the default apparmor\nmode for all profiles in /etc/apparmor.d which can\nbreak certain applications. See https://workbench.cisecurity.org/benchmarks/18959/tickets/23987\nThe remediation for this rule sets apparmor in complain mode. 
The remediation can be\ndeactivated by setting var_apparmor_mode to keep_existing_mode\n", "title": "Ensure all AppArmor Profiles are in enforce or complain mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["all_apparmor_profiles_in_enforce_complain_mode", "var_apparmor_mode=complain"], "controls": []}, {"id": "1.3.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "CIS recommendation does not adequately address the nuances\nof various profiles, including disabled, force-complain,\nand unconfined. Currently, the control changes the default apparmor\nmode for all profiles in /etc/apparmor.d which can\nbreak certain applications. See https://workbench.cisecurity.org/benchmarks/18959/tickets/23987\n", "title": "Ensure all AppArmor Profiles are enforcing (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["all_apparmor_profiles_enforced"], "controls": []}, {"id": "1.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bootloader password is set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password", "grub2_uefi_password"], "controls": []}, {"id": "1.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to bootloader config is configured (Automated)", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_grub2_cfg", "file_permissions_grub2_cfg"], "controls": []}, {"id": "1.5.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure address space layout randomization is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "1.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ptrace_scope is restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_yama_ptrace_scope", "sysctl_kernel_yama_ptrace_scope_value=1"], "controls": []}, {"id": "1.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure core dumps are restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_suid_dumpable", "disable_users_coredumps"], "controls": []}, {"id": "1.6.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message of the day is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_motd_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure remote login warning banner is configured properly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_net_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/motd is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_motd", "file_permissions_etc_motd", "file_owner_etc_motd"], "controls": []}, {"id": "1.6.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, 
"check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_issue", "file_permissions_etc_issue", "file_groupowner_etc_issue"], "controls": []}, {"id": "1.6.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue.net is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_issue_net", "file_permissions_etc_issue_net", "file_groupowner_etc_issue_net"], "controls": []}, {"id": "1.7.1", "levels": ["l2_server"], "notes": "", "title": "Ensure GDM is removed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gdm_removed"], "controls": []}, {"id": "1.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM login banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_login_banner_text", "dconf_gnome_banner_enabled", "login_banner_text=cis_default"], "controls": []}, {"id": "1.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM disable-user-list option is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_user_list"], "controls": []}, {"id": "1.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "The rules satisfy both controls 1.7.4 and 1.7.5.\nRule lock_enabled is not part of the CIS recommendation but is\nrequired to ensure the lock is enabled and cannot be manually disabled.\nSee https://workbench.cisecurity.org/benchmarks/18959/tickets/23123\n", "title": "Ensure GDM screen locks when the user is idle (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_idle_delay", "dconf_gnome_screensaver_lock_enabled", "dconf_gnome_screensaver_lock_delay", "inactivity_timeout_value=15_minutes", "var_screensaver_lock_delay=5_seconds"], "controls": []}, {"id": "1.7.5", "levels": ["l1_server", "l1_workstation"], "notes": "The rules satisfy both controls 1.7.4 and 1.7.5.\nRule lock_enabled is not part of the CIS recommendation but is\nrequired to ensure the lock is enabled and cannot be manually disabled.\nSee https://workbench.cisecurity.org/benchmarks/18959/tickets/23123\n", "title": "Ensure GDM screen locks cannot be overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_idle_delay", "dconf_gnome_screensaver_lock_enabled", "dconf_gnome_screensaver_lock_delay"], "controls": []}, {"id": "1.7.6", "levels": ["l1_server", "l2_workstation"], "notes": "The rules satisfy both controls 1.7.6 and 1.7.7\n", "title": "Ensure GDM automatic mounting of removable media is disabled (Automated)", "description": 
null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount", "dconf_gnome_disable_automount_open"], "controls": []}, {"id": "1.7.7", "levels": ["l1_server", "l2_workstation"], "notes": "The rules satisfy both controls 1.7.6 and 1.7.7\n", "title": "Ensure GDM disabling automatic mounting of removable media is not overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount", "dconf_gnome_disable_automount_open"], "controls": []}, {"id": "1.7.8", "levels": ["l1_server", "l1_workstation"], "notes": "The rule satisfies both controls 1.7.8 and 1.7.9\n", "title": "Ensure GDM autorun-never is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "1.7.9", "levels": ["l1_server", "l1_workstation"], "notes": "The rule satisfies both controls 1.7.8 and 1.7.9\n", "title": "Ensure GDM autorun-never is not overridden (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "1.7.10", "levels": ["l1_server", "l1_workstation"], "notes": "", 
"title": "Ensure XDMCP is not enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gnome_gdm_disable_xdmcp"], "controls": []}, {"id": "2.1.1", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure autofs services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_autofs_removed", "service_autofs_disabled"], "controls": []}, {"id": "2.1.2", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure avahi daemon services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_avahi_removed", "service_avahi-daemon_disabled"], "controls": []}, {"id": "2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dhcp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_dhcpd_disabled", "service_dhcpd6_disabled", "package_dhcp_removed"], "controls": []}, {"id": "2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dns server services are not in use (Automated)", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_named_disabled", "package_bind_removed"], "controls": []}, {"id": "2.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dnsmasq services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_dnsmasq_disabled", "package_dnsmasq_removed"], "controls": []}, {"id": "2.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_vsftpd_removed", "service_vsftpd_disabled"], "controls": []}, {"id": "2.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ldap server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-servers_removed", "service_slapd_disabled"], "controls": []}, {"id": "2.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message access server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_dovecot_disabled", "package_dovecot_removed"], "controls": []}, {"id": "2.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure network file system services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nfs-kernel-server_removed", "service_nfs_disabled"], "controls": []}, {"id": "2.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nis server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ypserv_removed", "service_ypserv_disabled"], "controls": []}, {"id": "2.1.11", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure print server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_cups_removed", "service_cups_disabled"], "controls": []}, {"id": "2.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rpcbind services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, 
"check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rpcbind_disabled", "package_rpcbind_removed"], "controls": []}, {"id": "2.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsync services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsync_removed", "service_rsyncd_disabled"], "controls": []}, {"id": "2.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure samba file server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_smb_disabled", "package_samba_removed"], "controls": []}, {"id": "2.1.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure snmp services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_snmpd_disabled", "package_net-snmp_removed"], "controls": []}, {"id": "2.1.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["service_tftp_disabled", "package_tftp-server_removed"], "controls": []}, {"id": "2.1.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web proxy server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_squid_disabled", "package_squid_removed"], "controls": []}, {"id": "2.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_httpd_disabled", "package_httpd_removed", "package_nginx_removed", "service_nginx_disabled"], "controls": []}, {"id": "2.1.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure xinetd services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_xinetd_disabled", "package_xinetd_removed"], "controls": []}, {"id": "2.1.20", "levels": ["l2_server"], "notes": "", "title": "Ensure X window server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_xorg-x11-server-common_removed"], 
"controls": []}, {"id": "2.1.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure mail transfer agent is configured for local-only mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["postfix_network_listening_disabled", "has_nonlocal_mta", "var_postfix_inet_interfaces=loopback-only"], "controls": []}, {"id": "2.1.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure only approved services are listening on a network interface (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure NIS Client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nis_removed"], "controls": []}, {"id": "2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsh client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsh_removed"], "controls": []}, {"id": "2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure talk client is not 
installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_talk_removed"], "controls": []}, {"id": "2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet_removed", "package_inetutils-telnet_removed"], "controls": []}, {"id": "2.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ldap client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-clients_removed"], "controls": []}, {"id": "2.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ftp client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ftp_removed", "package_tnftp_removed"], "controls": []}, {"id": "2.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "To select which timesync daemon to install and configure, use the\nprofile variable var_timesync_service.\n", "title": "Ensure a single time synchronization daemon is in use (Automated)", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_timesyncd_disabled", "service_chronyd_disabled", "package_chrony_installed", "service_timesyncd_enabled", "ntp_single_service_active", "service_chronyd_enabled", "package_timesyncd_installed", "var_timesync_service=systemd-timesyncd"], "controls": []}, {"id": "2.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-timesyncd configured with authorized timeserver (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_timesyncd_configured", "var_multiple_time_servers=debian"], "controls": []}, {"id": "2.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "Implemented in 2.3.1.1", "title": "Ensure systemd-timesyncd is enabled and running (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_timesyncd_enabled", "service_timesyncd_disabled"], "rules": [], "controls": []}, {"id": "2.3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "Rule does not check or remediate config files included via\nconfdir and sourcedir directives.\n", "title": "Ensure chrony is configured with authorized timeserver (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_configure_pool_and_server", "var_multiple_time_servers=debian", "var_multiple_time_pools=debian"], "controls": []}, {"id": "2.3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is running as user _chrony (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_run_as_chrony_user"], "controls": []}, {"id": "2.3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "Implemented in 2.3.1.1", "title": "Ensure chrony is enabled and running (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_chronyd_enabled", "service_chronyd_disabled"], "rules": [], "controls": []}, {"id": "2.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron daemon is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_cron_enabled", "package_cron_installed"], "controls": []}, {"id": "2.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/crontab are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["file_cron_allow_exists", "file_owner_crontab", "file_permissions_crontab", "file_groupowner_crontab"], "controls": []}, {"id": "2.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.hourly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_hourly", "file_owner_cron_hourly", "file_groupowner_cron_hourly"], "controls": []}, {"id": "2.4.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.daily are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_daily", "file_permissions_cron_daily", "file_groupowner_cron_daily"], "controls": []}, {"id": "2.4.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.weekly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_weekly", "file_groupowner_cron_weekly", "file_owner_cron_weekly"], "controls": []}, {"id": "2.4.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.monthly are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_monthly", "file_permissions_cron_monthly", "file_owner_cron_monthly"], "controls": []}, {"id": "2.4.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/cron.d are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_d", "file_groupowner_cron_d", "file_permissions_cron_d"], "controls": []}, {"id": "2.4.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure crontab is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_cron_allow", "file_groupowner_cron_allow", "file_cron_deny_not_exist", "file_owner_cron_allow"], "controls": []}, {"id": "2.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept daemon", "title": "Ensure at is restricted to authorized users (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_at_deny", "file_groupowner_at_allow", "file_owner_at_allow", "file_groupowner_at_deny", "file_owner_at_deny", "file_at_allow_exists", 
"file_permissions_at_allow"], "controls": []}, {"id": "3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 status is identified (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure wireless interfaces are disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "3.1.3", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure bluetooth services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_bluetooth_disabled"], "controls": []}, {"id": "3.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure dccp kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_dccp_disabled"], "controls": []}, {"id": "3.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure tipc kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_tipc_disabled"], "controls": []}, {"id": "3.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure rds kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_rds_disabled"], "controls": []}, {"id": "3.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure sctp kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ip forwarding is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_ip_forward", "sysctl_net_ipv6_conf_all_forwarding"], "controls": []}, {"id": "3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure packet redirect sending is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects", "sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure bogus icmp responses are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses"], "controls": []}, {"id": "3.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure broadcast icmp requests are ignored (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts"], "controls": []}, {"id": "3.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure icmp redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_default_accept_redirects"], "controls": []}, {"id": "3.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure secure icmp redirects are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_default_secure_redirects"], "controls": []}, {"id": "3.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure reverse path filtering is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_default_rp_filter"], "controls": []}, {"id": "3.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure source routed packets are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route"], "controls": []}, {"id": "3.3.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure suspicious packets are logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_all_log_martians"], "controls": []}, {"id": "3.3.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tcp syn cookies is enabled 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies"], "controls": []}, {"id": "3.3.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ipv6 router advertisements are not accepted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv6_conf_all_accept_ra"], "controls": []}, {"id": "4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "Remediation is not automated. To select which firewall to\ninstall and configure, use the profile variable var_network_filtering_service.\n", "title": "Ensure a single firewall configuration utility is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["firewall_single_service_active", "var_network_filtering_service=nftables"], "controls": []}, {"id": "4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ufw_installed"], "controls": []}, {"id": "4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": 
"", "title": "Ensure iptables-persistent is not installed with ufw (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_iptables-persistent_removed"], "controls": []}, {"id": "4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw service is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["check_ufw_active", "service_ufw_enabled"], "controls": []}, {"id": "4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_ufw_loopback_traffic"], "controls": []}, {"id": "4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw outbound connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw firewall rules exist for all open ports (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ufw_rules_for_open_ports"], "controls": []}, {"id": "4.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_ufw_default_rule"], "controls": []}, {"id": "4.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nftables_installed"], "controls": []}, {"id": "4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw is uninstalled or disabled with nftables (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ufw_removed"], "controls": []}, {"id": "4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables are flushed with nftables (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.3.4", "levels": 
["l1_server", "l1_workstation"], "notes": "", "title": "Ensure a nftables table exists (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_nftables_table", "var_nftables_family=inet", "var_nftables_table=filter"], "controls": []}, {"id": "4.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables base chains exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_nftables_base_chain", "var_nftables_base_chain_names=chain_names", "var_nftables_base_chain_types=chain_types", "var_nftables_base_chain_hooks=chain_hooks", "var_nftables_base_chain_priorities=chain_priorities", "var_nftables_base_chain_policies=chain_policies"], "controls": []}, {"id": "4.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_nftables_loopback_traffic"], "controls": []}, {"id": "4.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables outbound and established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["nftables_ensure_default_deny_policy"], "controls": []}, {"id": "4.3.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables service is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_nftables_enabled"], "controls": []}, {"id": "4.3.10", "levels": ["l1_server", "l1_workstation"], "notes": "Audit procedure for 4.3.10 depends on local site policy thus\nit cannot be fully automated. 
Upstream ticket:\nhttps://workbench.cisecurity.org/benchmarks/18959/tickets/23190\n", "title": "Ensure nftables rules are permanent (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["nftables_rules_permanent", "var_nftables_master_config_file=etc"], "controls": []}, {"id": "4.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables packages are installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_iptables-persistent_installed", "package_iptables_installed"], "controls": []}, {"id": "4.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables is not in use with iptables (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_nftables_disabled"], "controls": []}, {"id": "4.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ufw is not in use with iptables (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ufw_removed"], "controls": []}, {"id": "4.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables default 
deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_iptables_default_rule"], "controls": []}, {"id": "4.4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_loopback_traffic"], "controls": []}, {"id": "4.4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables outbound and established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure iptables firewall rules exist for all open ports (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["iptables_rules_for_open_ports"], "controls": []}, {"id": "4.4.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ip6tables default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_ip6tables_default_rule"], "controls": []}, {"id": "4.4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ip6tables loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_ipv6_loopback_traffic"], "controls": []}, {"id": "4.4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ip6tables outbound and established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.4.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "Remediation is not automated to avoid lockout.\n", "title": "Ensure ip6tables firewall rules exist for all open ports (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ip6tables_rules_for_open_ports"], "controls": []}, {"id": "5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/ssh/sshd_config are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["file_permissions_sshd_config", "file_groupowner_sshd_config", "file_owner_sshd_config"], "controls": []}, {"id": "5.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on SSH private host key files are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_private_key"], "controls": []}, {"id": "5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on SSH public host key files are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_pub_key"], "controls": []}, {"id": "5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd access is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_limit_user_access"], "controls": []}, {"id": "5.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd Banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_warning_banner_net"], "controls": []}, {"id": 
"5.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd Ciphers are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_ciphers"], "controls": []}, {"id": "5.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "The current implementation imposes an upper boundary on the\nvalues. The CIS benchmark requires only that the values\nare greater than 0.\n", "title": "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_keepalive", "sshd_set_idle_timeout", "sshd_idle_timeout_value=5_minutes", "var_sshd_set_keepalive=3"], "controls": []}, {"id": "5.1.8", "levels": ["l1_workstation", "l2_server"], "notes": "", "title": "Ensure sshd DisableForwarding is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_forwarding"], "controls": []}, {"id": "5.1.9", "levels": ["l1_workstation", "l2_server"], "notes": "", "title": "Ensure sshd GSSAPIAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["sshd_disable_gssapi_auth"], "controls": []}, {"id": "5.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd HostbasedAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": []}, {"id": "5.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd IgnoreRhosts is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": "5.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd KexAlgorithms is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_kex", "sshd_strong_kex=cis_debian12"], "controls": []}, {"id": "5.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd LoginGraceTime is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_login_grace_time", "var_sshd_set_login_grace_time=60"], "controls": []}, {"id": "5.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd 
LogLevel is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_loglevel_info"], "controls": []}, {"id": "5.1.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MACs are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_use_strong_macs", "sshd_strong_macs=cis_debian12"], "controls": []}, {"id": "5.1.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxAuthTries is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_auth_tries", "sshd_max_auth_tries_value=4"], "controls": []}, {"id": "5.1.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxSessions is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_sessions", "var_sshd_max_sessions=10"], "controls": []}, {"id": "5.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxStartups is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_maxstartups", "var_sshd_set_maxstartups=10:30:60"], "controls": []}, {"id": "5.1.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitEmptyPasswords is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "5.1.20", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitRootLogin is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "5.1.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitUserEnvironment is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "5.1.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd UsePAM is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "5.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "5.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo commands use pty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_use_pty"], "controls": []}, {"id": "5.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo log file exists (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_custom_logfile"], "controls": []}, {"id": "5.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure users must provide password for privilege escalation (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_authentication"], "controls": []}, {"id": "5.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure re-authentication for privilege escalation is not disabled globally 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_no_authenticate"], "controls": []}, {"id": "5.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo authentication timeout is configured correctly (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_reauthentication", "var_sudo_timestamp_timeout=15_minutes"], "controls": []}, {"id": "5.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to the su command is restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["use_pam_wheel_group_for_su", "ensure_pam_wheel_group_empty", "var_pam_wheel_group_for_su=cis"], "controls": []}, {"id": "5.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "The CIS control checks that the installed version is >= 1.5.2-6, not that\nit is the latest version as the title suggests.\n", "title": "Ensure latest version of pam is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_runtime_installed"], "controls": []}, {"id": "5.3.1.2", "levels": ["l1_server", "l1_workstation"], 
"notes": "", "title": "Ensure libpam-modules is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_modules_installed"], "controls": []}, {"id": "5.3.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure libpam-pwquality is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_pwquality_installed"], "controls": []}, {"id": "5.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_enabled"], "controls": []}, {"id": "5.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_faillock module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_enabled"], "controls": []}, {"id": "5.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_pwquality module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": 
null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwquality_enabled"], "controls": []}, {"id": "5.3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_pwhistory module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwhistory_enabled"], "controls": []}, {"id": "5.3.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password failed attempts lockout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "var_accounts_passwords_pam_faillock_deny=4"], "controls": []}, {"id": "5.3.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password unlock time is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_unlock_time=900"], "controls": []}, {"id": "5.3.3.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure password failed attempts lockout includes root account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_root_unlock_time", "var_accounts_passwords_pam_faillock_root_unlock_time=900"], "controls": []}, {"id": "5.3.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password number of changed characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_difok", "var_password_pam_difok=2"], "controls": []}, {"id": "5.3.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure minimum password length is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minlen", "var_password_pam_minlen=14"], "controls": []}, {"id": "5.3.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password complexity is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_ocredit", "accounts_password_pam_minclass", "accounts_password_pam_ucredit", "accounts_password_pam_dcredit", "accounts_password_pam_lcredit", "var_password_pam_minclass=4", "var_password_pam_dcredit=1", "var_password_pam_lcredit=1", 
"var_password_pam_ocredit=1", "var_password_pam_ucredit=1"], "controls": []}, {"id": "5.3.3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password same consecutive characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxrepeat", "var_password_pam_maxrepeat=3"], "controls": []}, {"id": "5.3.3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password maximum sequential characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxsequence"], "controls": []}, {"id": "5.3.3.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password dictionary check is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "var_password_pam_dictcheck=1"], "controls": []}, {"id": "5.3.3.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password quality checking is enforced (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["accounts_password_pam_enforcing", "var_password_pam_enforcing=1"], "controls": []}, {"id": "5.3.3.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password quality is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_enforce_root"], "controls": []}, {"id": "5.3.3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password history remember is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwhistory_remember", "var_password_pam_remember=24"], "controls": []}, {"id": "5.3.3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password history is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_pwhistory_enforce_root"], "controls": []}, {"id": "5.3.3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_pwhistory includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["accounts_password_pam_pwhistory_use_authtok"], "controls": []}, {"id": "5.3.3.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix does not include nullok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords_unix"], "controls": []}, {"id": "5.3.3.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix does not include remember (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_no_remember"], "controls": []}, {"id": "5.3.3.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix includes a strong password hashing algorithm (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_systemauth", "var_password_hashing_algorithm_pam=yescrypt"], "controls": []}, {"id": "5.3.3.4.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_authtok"], "controls": []}, {"id": 
"5.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=365"], "controls": []}, {"id": "5.4.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "The CIS benchmark labels this control Manual, but this profile automates it through the listed minimum-age rules (login.defs setting plus existing accounts), with the minimum set to 1 day.\n", "title": "Ensure minimum password days is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_set_min_life_existing", "accounts_minimum_age_login_defs", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "5.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration warning days is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_warn_age_login_defs", "var_accounts_password_warn_age_login_defs=7"], "controls": []}, {"id": "5.4.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "The rule accepts either SHA512 or YESCRYPT as a compliant hashing algorithm in login.defs; the variable default selected by this profile is yescrypt.", "title": "Ensure strong password hashing algorithm is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_logindefs", "var_password_hashing_algorithm=yescrypt"], "controls": []}, {"id": "5.4.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "The CIS benchmark value for the inactive password lock is now 45 days; var_account_disable_post_pw_expiration is set to 45 accordingly, and the existing-accounts rule applies it to users already present.", "title": "Ensure inactive password lock is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_disable_post_pw_expiration", "accounts_set_post_pw_existing", "var_account_disable_post_pw_expiration=45"], "controls": []}, {"id": "5.4.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all users last password change date is in the past (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_last_change_is_in_past"], "controls": []}, {"id": "5.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root is the only UID 0 account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero"], "controls": []}, {"id": "5.4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "The remediation is not automated because removing or modifying\nGID 0 membership on a live system is too disruptive; the audit still reports offending accounts.\n", "title": "Ensure root is the only GID 0 account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_gid_zero"], "controls": []}, {"id": "5.4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "The remediation is not automated as the removal or modification\nof group IDs from a system is too disruptive.\n", "title": "Ensure group root is the only GID 0 group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["groups_no_zero_gid_except_root"], "controls": []}, {"id": "5.4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked.", "title": "Ensure root account access is controlled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_root_access_controlled"], "controls": []}, {"id": "5.4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root path integrity (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["root_path_all_dirs", "root_path_no_dot", "no_dirs_unowned_by_root", "accounts_root_path_dirs_no_write"], "controls": []}, {"id": "5.4.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root 
user umask is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_root"], "controls": []}, {"id": "5.4.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system accounts do not have a valid login shell (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "5.4.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "Remediation is not automated.\n", "title": "Ensure accounts without a valid login shell are locked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_invalid_shell_accounts_unlocked"], "controls": []}, {"id": "5.4.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure nologin is not listed in /etc/shells (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_nologin_in_shells"], "controls": []}, {"id": "5.4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user shell timeout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "5.4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user umask is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_profile", "accounts_umask_etc_login_defs", "accounts_umask_etc_bashrc", "var_accounts_user_umask=027"], "controls": []}, {"id": "6.1.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald service is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "6.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald log file access is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald log file rotation is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "The title of this rule is misleading. The actual audit checks that at least\none of \"rsyslogd\" and \"systemd-journald\" is active.\nSee https://workbench.cisecurity.org/benchmarks/18959/tickets/23601\n\nRemediation is not automated as the choice of correct logging service\nis dependent on site policy.\n", "title": "Ensure only one logging system is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["logging_services_active"], "controls": []}, {"id": "6.1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_systemd-journal-remote_installed"], "controls": []}, {"id": "6.1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-upload authentication is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["systemd_journal_upload_url", "systemd_journal_upload_server_tls"], "controls": []}, {"id": "6.1.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-upload is enabled and active 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journal-upload_enabled"], "controls": []}, {"id": "6.1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote service is not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["socket_systemd-journal-remote_disabled"], "controls": []}, {"id": "6.1.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald ForwardToSyslog is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_disable_forward_to_syslog"], "controls": []}, {"id": "6.1.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald Compress is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_compress"], "controls": []}, {"id": "6.1.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald Storage is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_storage"], "controls": []}, {"id": "6.1.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_rsyslog_installed"], "controls": []}, {"id": "6.1.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog service is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_rsyslog_enabled"], "controls": []}, {"id": "6.1.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to send logs to rsyslog (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_forward_to_syslog"], "controls": []}, {"id": "6.1.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog log file creation mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_filecreatemode"], "controls": []}, 
{"id": "6.1.3.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog logging is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.1.3.6", "levels": ["l1_server", "l1_workstation"], "notes": "Existing rule (rsyslog_remote_loghost) is not used because rsyslog configuration\nis site-specific and can be too complex to reliably audit and remediate.\nSee also https://github.com/ComplianceAsCode/content/issues/11812\n", "title": "Ensure rsyslog is configured to send logs to a remote log host (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_remote_loghost"], "rules": [], "controls": []}, {"id": "6.1.3.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is not configured to receive logs from a remote client (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_nolisten"], "controls": []}, {"id": "6.1.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure logrotate is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": 
"6.1.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to all logfiles has been configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_syslog", "file_groupowner_var_log_cloud_init", "file_groupowner_var_log_waagent", "file_permissions_var_log_lastlog", "file_owner_var_log_wbtmp", "file_owner_var_log_messages", "file_groupownerships_var_log_apt", "file_ownerships_var_log_gdm3", "file_permissions_var_log_messages", "file_groupowner_var_log_secure", "file_groupowner_var_log_wbtmp", "file_groupownerships_var_log_sssd", "file_permissions_var_log_localmessages", "file_permissions_var_log_sssd", "file_groupowner_var_log_localmessages", "file_groupowner_var_log_journal", "file_ownerships_var_log_sssd", "file_permissions_var_log_gdm3", "permissions_local_var_log", "file_owner_var_log_syslog", "file_owner_var_log_lastlog", "file_groupownerships_var_log", "file_groupownerships_var_log_gdm3", "file_ownerships_var_log", "file_owner_var_log_cloud_init", "file_permissions_var_log_secure", "file_groupowner_var_log_syslog", "file_groupowner_var_log_messages", "file_permissions_var_log_gdm", "file_permissions_var_log_wbtmp", "file_ownerships_var_log_apt", "file_ownerships_var_log_gdm", "file_ownerships_var_log_landscape", "file_groupownerships_var_log_gdm", "file_owner_var_log_localmessages", "file_owner_var_log_waagent", "file_permissions_var_log_cloud-init", "file_groupowner_var_log_auth", "file_owner_var_log_auth", "file_permissions_var_log_apt", "file_permissions_var_log_waagent", "file_groupowner_var_log_lastlog", "file_groupownerships_var_log_landscape", "file_owner_var_log_journal", "file_permissions_var_log_auth", "file_owner_var_log_secure"], "controls": []}, {"id": "6.2.1.1", 
"levels": ["l2_server", "l2_workstation"], "notes": "Implementation analogous to ubuntu2204/4.1.1.1.\nAlso adds the otherwise missing rule for the audispd plugins package\n(package_audit-audispd-plugins_installed) alongside the audit package itself.\n", "title": "Ensure auditd packages are installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit-audispd-plugins_installed", "package_audit_installed"], "controls": []}, {"id": "6.2.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd service is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "6.2.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditing for processes that start prior to auditd is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument", "zipl_audit_argument"], "controls": []}, {"id": "6.2.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit_backlog_limit is sufficient (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["zipl_audit_backlog_limit_argument", "grub2_audit_backlog_limit_argument", 
"var_audit_backlog_limit=8192"], "controls": []}, {"id": "6.2.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log storage size is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file", "var_auditd_max_log_file=6"], "controls": []}, {"id": "6.2.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit logs are not automatically deleted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "6.2.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system is disabled when audit logs are full (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_error_action", "auditd_data_disk_full_action", "var_auditd_disk_error_action=cis_debian12", "var_auditd_disk_full_action=cis_debian12"], "controls": []}, {"id": "6.2.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "Marked partial because the variables pin a single value each (space_left_action=email, admin_space_left_action=halt) while the benchmark allows more than one acceptable value; the variables should be extended to accept multiple options so compliant alternatives are not reported as failures.\n", "title": "Ensure system warns when audit logs are low on space (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left_action", "auditd_data_retention_admin_space_left_action", "auditd_data_retention_action_mail_acct", "var_auditd_action_mail_acct=root", "var_auditd_space_left_action=email", "var_auditd_admin_space_left_action=halt"], "controls": []}, {"id": "6.2.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure changes to system administration scope (sudoers) is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "6.2.3.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure actions as another user are always logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_auid_privilege_function"], "controls": []}, {"id": "6.2.3.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the sudo log file are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_sudo_log_events"], "controls": []}, {"id": "6.2.3.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify date and time information are collected (Automated)", 
"description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_time_adjtimex", "audit_rules_time_settimeofday", "audit_rules_time_watch_localtime", "audit_rules_time_clock_settime"], "controls": []}, {"id": "6.2.3.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's network environment are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification"], "controls": []}, {"id": "6.2.3.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure use of privileged commands are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands"], "controls": []}, {"id": "6.2.3.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure unsuccessful file access attempts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_ftruncate", 
"audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_openat"], "controls": []}, {"id": "6.2.3.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify user/group information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_pamd", "audit_rules_usergroup_modification_group", "audit_rules_usergroup_modification_pam_conf", "audit_rules_usergroup_modification_shadow", "audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_opasswd", "audit_rules_usergroup_modification_nsswitch_conf", "audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "6.2.3.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure discretionary access control permission modification events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchmod", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_fremovexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_lchown"], "controls": []}, {"id": "6.2.3.10", "levels": ["l2_server", "l2_workstation"], 
"notes": "", "title": "Ensure successful file system mounts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_media_export"], "controls": []}, {"id": "6.2.3.11", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure session initiation information is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events"], "controls": []}, {"id": "6.2.3.12", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure login and logout events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "audit_rules_login_events_lastlog", "var_accounts_passwords_pam_faillock_dir=run"], "controls": []}, {"id": "6.2.3.13", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure file deletion events by users are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlinkat", 
"audit_rules_file_deletion_events_unlink"], "controls": []}, {"id": "6.2.3.14", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's Mandatory Access Controls are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_mac_modification_etc_apparmor_d", "audit_rules_mac_modification_etc_apparmor"], "controls": []}, {"id": "6.2.3.15", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chcon"], "controls": []}, {"id": "6.2.3.16", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setfacl"], "controls": []}, {"id": "6.2.3.17", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chacl"], "controls": []}, {"id": "6.2.3.18", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_usermod"], "controls": []}, {"id": "6.2.3.19", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel module loading unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_create", "audit_rules_kernel_module_loading_finit", "audit_rules_kernel_module_loading_init", "audit_rules_kernel_module_loading_delete", "audit_rules_privileged_commands_kmod", "audit_rules_kernel_module_loading_query"], "controls": []}, {"id": "6.2.3.20", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit configuration is immutable (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": "6.2.3.21", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the running and on disk configuration is the same (Manual)", "description": null, "rationale": null, 
"automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit"], "controls": []}, {"id": "6.2.4.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_var_log_audit_stig"], "controls": []}, {"id": "6.2.4.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files group owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_group_ownership_var_log_audit"], "controls": []}, {"id": "6.2.4.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit log file directory mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["directory_permissions_var_log_audit"], "controls": []}, {"id": "6.2.4.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_audit_rulesd", "file_permissions_etc_audit_auditd", "file_permissions_etc_audit_rules"], "controls": []}, {"id": "6.2.4.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_configuration"], "controls": []}, {"id": "6.2.4.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files group owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_configuration"], "controls": []}, {"id": "6.2.4.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["file_permissions_audit_binaries"], "controls": []}, {"id": "6.2.4.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_binaries"], "controls": []}, {"id": "6.2.4.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools group owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_binaries"], "controls": []}, {"id": "6.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AIDE is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_build_database", "package_aide_installed"], "controls": []}, {"id": "6.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure filesystem integrity is regularly checked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_checking_systemd_timer"], "controls": []}, {"id": "6.3.3", "levels": ["l2_server", "l2_workstation"], "notes": 
"", "title": "Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_check_audit_tools"], "controls": []}, {"id": "7.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_passwd", "file_groupowner_etc_passwd", "file_permissions_etc_passwd"], "controls": []}, {"id": "7.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/passwd- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_passwd", "file_owner_backup_etc_passwd", "file_permissions_backup_etc_passwd"], "controls": []}, {"id": "7.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_group", "file_owner_etc_group", "file_groupowner_etc_group"], "controls": []}, {"id": 
"7.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/group- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_group", "file_permissions_backup_etc_group", "file_groupowner_backup_etc_group"], "controls": []}, {"id": "7.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_shadow", "file_groupowner_etc_shadow", "file_owner_etc_shadow"], "controls": []}, {"id": "7.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shadow- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_backup_etc_shadow", "file_groupowner_backup_etc_shadow", "file_permissions_backup_etc_shadow"], "controls": []}, {"id": "7.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/gshadow are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["file_groupowner_etc_gshadow", "file_permissions_etc_gshadow", "file_owner_etc_gshadow"], "controls": []}, {"id": "7.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/gshadow- are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_gshadow", "file_permissions_backup_etc_gshadow", "file_owner_backup_etc_gshadow"], "controls": []}, {"id": "7.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/shells are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_shells", "file_groupowner_etc_shells", "file_permissions_etc_shells"], "controls": []}, {"id": "7.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure permissions on /etc/security/opasswd are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_security_opasswd_old", "file_permissions_etc_security_opasswd", "file_owner_etc_security_opasswd_old", "file_permissions_etc_security_opasswd_old", "file_groupowner_etc_security_opasswd", "file_owner_etc_security_opasswd"], "controls": []}, {"id": "7.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure world writable files and directories are secured 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_world_writable"], "controls": []}, {"id": "7.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no files or directories without an owner and a group exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_unowned_by_user", "file_permissions_ungroupowned"], "controls": []}, {"id": "7.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SUID and SGID files are reviewed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure accounts in /etc/passwd use shadowed passwords (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed"], "controls": []}, {"id": "7.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/shadow password fields are not empty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords_etc_shadow"], "controls": []}, {"id": "7.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all groups in /etc/passwd exist in /etc/group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gid_passwd_group_same"], "controls": []}, {"id": "7.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure shadow group is empty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_shadow_group_empty"], "controls": []}, {"id": "7.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate UIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "7.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate GIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "7.2.7", 
"levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate user names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_name"], "controls": []}, {"id": "7.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate group names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_name"], "controls": []}, {"id": "7.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local interactive user home directories are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_home_directories", "file_groupownership_home_directories", "file_ownership_home_directories", "accounts_user_interactive_home_directory_exists"], "controls": []}, {"id": "7.2.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local interactive user dot files access is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_netrc_files", "file_permission_user_init_files", "no_forward_files", 
"accounts_user_dot_group_ownership", "accounts_user_dot_user_ownership", "no_rsh_trust_files", "file_permission_user_bash_history", "var_user_initialization_files_regex=all_dotfiles"], "controls": []}], "levels": [{"id": "l1_server", "inherits_from": null}, {"id": "l2_server", "inherits_from": ["l1_server"]}, {"id": "l1_workstation", "inherits_from": null}, {"id": "l2_workstation", "inherits_from": ["l1_workstation"]}]}