{"id": "ism_o", "policy": "Australian Signals Directorate Information Security Manual", "title": "Australian Signals Directorate Information Security Manual", "source": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism", "definition_location": "/aptdata/openscap/scap-security-guide/controls/ism_o.yml", "controls": [{"id": "0418", "levels": ["base"], "notes": "", "title": "Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["network_nmcli_permissions", "enable_ldap_client", "set_password_hashing_algorithm_libuserconf", "configure_kerberos_crypto_policy", "sebool_kerberos_enabled", "accounts_maximum_age_login_defs", "accounts_minimum_age_login_defs", "accounts_password_warn_age_login_defs", "configure_ssh_crypto_policy", "set_password_hashing_algorithm_logindefs", "kerberos_disable_no_keytab", "set_password_hashing_algorithm_systemauth", "sshd_disable_gssapi_auth", "set_password_hashing_algorithm_passwordauth", "var_password_hashing_algorithm_pam=yescrypt"], "controls": []}, {"id": "0421", "levels": ["base"], "notes": "", "title": "Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", 
"sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit", "sshd_max_auth_tries_value=5", "var_password_pam_minlen=14", "var_accounts_password_minlen_login_defs=14", "var_accounts_password_warn_age_login_defs=7", "var_accounts_minimum_age_login_defs=1", "var_accounts_maximum_age_login_defs=60", "var_authselect_profile=sssd"], "controls": []}, {"id": "0422", "levels": ["top_secret"], "notes": "", "title": "Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", 
"accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit", "var_password_pam_minlen=20", "var_accounts_password_minlen_login_defs=20"], "controls": []}, {"id": "0484", "levels": ["base"], "notes": "", "title": "SSH daemon configuration", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_x11_forwarding", "disable_host_auth", "sshd_enable_warning_banner"], "controls": []}, {"id": "0487", "levels": ["base"], "notes": "", "title": "Passwordless SSH Connections Configuration", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "0582", "levels": ["base"], "notes": "", "title": "Central Logging for OS Events", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_restorecon", "audit_rules_session_events_btmp", "audit_rules_time_stime", "audit_rules_login_events_lastlog", "audit_access_failed_ppc64le", "audit_access_success_ppc64le", "auditd_log_format", "audit_rules_dac_modification_chmod", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_sysadmin_actions", "audit_rules_usergroup_modification_group", "audit_access_failed_aarch64", "audit_rules_time_adjtimex", "audit_rules_session_events_utmp", "audit_rules_execution_semanage", "auditd_data_retention_flush", "sshd_print_last_log", "auditd_freq", 
"audit_rules_execution_seunshare", "audit_rules_time_settimeofday", "audit_access_success_aarch64", "audit_rules_time_clock_settime", "audit_rules_session_events_wtmp", "audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_dac_modification_chown", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_execution_setsebool", "audit_rules_time_watch_localtime", "audit_rules_usergroup_modification_gshadow", "audit_rules_unsuccessful_file_modification_open", "auditd_name_format", "audit_rules_login_events_faillock", "auditd_local_events", "audit_rules_execution_chcon", "audit_rules_execution_setfiles", "audit_access_failed", "audit_rules_networkconfig_modification", "audit_rules_usergroup_modification_shadow", "audit_rules_kernel_module_loading", "audit_rules_privileged_commands", "audit_rules_usergroup_modification_opasswd", "audit_access_success", "auditd_write_logs", "package_audit_installed", "audit_rules_usergroup_modification_passwd", "sebool_auditadm_exec_content", "audit_rules_unsuccessful_file_modification_openat", "audit_rules_login_events_tallylog"], "controls": []}, {"id": "0846", "levels": ["base"], "notes": "", "title": "All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events_btmp", "audit_access_failed_ppc64le", "audit_access_success_ppc64le", "audit_rules_unsuccessful_file_modification_truncate", "audit_access_failed_aarch64", "audit_rules_session_events_utmp", "sshd_print_last_log", "audit_access_success_aarch64", "audit_rules_session_events_wtmp", 
"audit_rules_unsuccessful_file_modification_open_by_handle_at", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_open", "audit_access_failed", "audit_rules_privileged_commands", "audit_access_success", "package_audit_installed", "sebool_auditadm_exec_content", "audit_rules_unsuccessful_file_modification_openat"], "controls": []}, {"id": "0974", "levels": ["base"], "notes": "This needs reevaluation.", "title": "Multi-factor authentication is used to authenticate unprivileged users of systems.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "0988", "levels": ["base"], "notes": "", "title": "An accurate time source is established and used consistently across systems to assist with identifying connections between events.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_configure_pool_and_server", "rsyslog_files_ownership", "package_chrony_installed", "rsyslog_cron_logging", "chronyd_specify_remote_server", "rsyslog_remote_tls", "rsyslog_remote_loghost", "rsyslog_files_groupownership", "rsyslog_remote_tls_cacert", "rsyslog_files_permissions", "chronyd_or_ntpd_specify_multiple_servers", "rsyslog_nolisten", "service_chronyd_enabled", "service_chronyd_or_ntpd_enabled"], "controls": []}, {"id": "1034", "levels": ["base"], "notes": "", "title": "A HIPS is implemented on critical servers and high-value servers.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "1055", "levels": ["base"], "notes": "Needs reevaluation", "title": "LAN Manager and NT LAN Manager authentication methods are disabled.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["network_nmcli_permissions", "enable_ldap_client", "set_password_hashing_algorithm_libuserconf", "configure_kerberos_crypto_policy", "sebool_kerberos_enabled", "accounts_maximum_age_login_defs", "accounts_minimum_age_login_defs", "accounts_password_warn_age_login_defs", "set_password_hashing_algorithm_logindefs", "kerberos_disable_no_keytab", "set_password_hashing_algorithm_systemauth", "sshd_disable_gssapi_auth", "set_password_hashing_algorithm_passwordauth"], "controls": []}, {"id": "1173", "levels": ["base"], "notes": "", "title": "Multi-factor authentication is used to authenticate privileged users of systems.", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1277", "levels": ["base"], "notes": "", "title": "Data communicated between database servers and web servers is encrypted.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["openssl_use_strong_entropy"], "controls": []}, {"id": "1288", "levels": ["base"], "notes": "", "title": "Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "1311", "levels": ["base"], "notes": "", "title": "SNMP version 1 and 
SNMP version 2 are not used on networks.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_snmpd_disabled", "snmpd_use_newer_protocol"], "controls": []}, {"id": "1315", "levels": ["base"], "notes": "", "title": "The administrative interface on wireless access points is disabled for wireless network connections.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces", "network_ipv6_static_address"], "controls": []}, {"id": "1319", "levels": ["base"], "notes": "", "title": "Static addressing is not used for assigning IP addresses on wireless networks.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces", "network_ipv6_static_address"], "controls": []}, {"id": "1341", "levels": ["base"], "notes": "", "title": "A HIPS is implemented on workstations.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "1386", "levels": ["base"], "notes": "This needs reevaluation.", "title": "Network management traffic can only originate from administrative infrastructure.", "description": null, "rationale": null, "automated": 
"no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed", "configure_opensc_card_drivers", "force_opensc_card_drivers", "package_opensc_installed", "package_pcsc-lite-ccid_installed", "package_pcsc-lite_installed", "service_pcscd_enabled"], "controls": []}, {"id": "1401", "levels": ["base"], "notes": "", "title": "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1402", "levels": ["base"], "notes": "", "title": "Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["network_nmcli_permissions", "enable_ldap_client", "set_password_hashing_algorithm_libuserconf", "configure_kerberos_crypto_policy", "sebool_kerberos_enabled", "accounts_maximum_age_login_defs", "accounts_minimum_age_login_defs", "accounts_password_warn_age_login_defs", "set_password_hashing_algorithm_logindefs", "kerberos_disable_no_keytab", "accounts_password_all_shadowed", "set_password_hashing_algorithm_systemauth", "sshd_disable_gssapi_auth", "set_password_hashing_algorithm_passwordauth"], "controls": []}, {"id": "1405", "levels": ["base"], "notes": "", "title": "A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_configure_pool_and_server", "rsyslog_files_ownership", "package_chrony_installed", "rsyslog_cron_logging", "chronyd_specify_remote_server", "rsyslog_remote_tls", "rsyslog_remote_loghost", "rsyslog_files_groupownership", "rsyslog_remote_tls_cacert", "rsyslog_files_permissions", "chronyd_or_ntpd_specify_multiple_servers", "rsyslog_nolisten", "service_chronyd_enabled", "service_chronyd_or_ntpd_enabled"], "controls": []}, {"id": "1409", "levels": ["base"], "notes": "", "title": "Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec", "rpm_verify_permissions", "package_telnet_removed", "service_squid_disabled", "service_telnet_disabled", "file_ownership_binary_dirs", "package_fapolicyd_installed", "file_permissions_unauthorized_suid", "sysctl_kernel_yama_ptrace_scope", "package_rsyslog_installed", "rpm_verify_ownership", "file_permissions_unauthorized_world_writable", "enable_authselect", "security_patches_up_to_date", "network_sniffer_disabled", "selinux_policytype", "mount_option_dev_shm_nosuid", "service_rsyslog_enabled", "dir_perms_world_writable_sticky_bits", "sysctl_kernel_kexec_load_disabled", "sysctl_kernel_exec_shield", "package_ypbind_removed", "file_permissions_library_dirs", "package_telnet-server_removed", "package_firewalld_installed", "service_firewalld_enabled", "mount_option_dev_shm_nodev", "file_ownership_library_dirs", "file_permissions_unauthorized_sgid", "service_auditd_enabled", "sshd_set_loglevel_info", "sysctl_kernel_kptr_restrict", "package_rear_installed", "service_xinetd_disabled", "sysctl_kernel_unprivileged_bpf_disabled", "service_fapolicyd_enabled", "package_squid_removed", "file_permissions_binary_dirs", "rpm_verify_hashes", "service_avahi-daemon_disabled", "selinux_state", "sshd_enable_strictmodes", "sysctl_kernel_randomize_va_space", "package_xinetd_removed", "sshd_use_directory_configuration", "sysctl_net_core_bpf_jit_harden"], "controls": []}, {"id": "1416", "levels": ["base"], "notes": "", "title": "A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_firewalld_default_zone", 
"firewalld_sshd_port_enabled", "configure_firewalld_ports"], "controls": []}, {"id": "1417", "levels": ["base"], "notes": "", "title": "Antivirus software is implemented on workstations and server.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed"], "controls": []}, {"id": "1418", "levels": ["base"], "notes": "", "title": "If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_usbguard_enabled", "package_usbguard_installed", "usbguard_allow_hid_and_hub"], "controls": []}, {"id": "1446", "levels": ["base"], "notes": "", "title": "When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["system_booted_in_fips_mode", "enable_fips_mode", "enable_dracut_fips_module", "configure_crypto_policy", "var_system_crypto_policy=fips"], "controls": []}, {"id": "1449", "levels": ["base"], "notes": "This needs more", "title": "SSH private keys are protected with a passphrase or a key encryption key", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_sshd_private_key"], "controls": []}, {"id": "1467", "levels": ["base"], "notes": "", "title": "The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dnf-automatic_apply_updates", "package_subscription-manager_installed", "package_libdnf-plugin-subscription-manager_installed"], "controls": []}, {"id": "1483", "levels": ["base"], "notes": "", "title": "The latest release of internet-facing server applications are used.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dnf-automatic_apply_updates", "package_subscription-manager_installed", "package_libdnf-plugin-subscription-manager_installed", "sshd_allow_only_protocol2"], "controls": []}, {"id": "1491", "levels": ["base"], "notes": "", "title": "Unprivileged users are prevented from running script execution engines.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts"], "controls": []}, {"id": "1493", "levels": ["base"], "notes": "", "title": "Software registers for workstations, servers, network devices and other ICT equipment are developed, 
implemented, maintained and verified on a regular basis.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_oracle_gpgkey_installed", "ensure_gpgcheck_globally_activated", "package_libdnf-plugin-subscription-manager_installed", "ensure_gpgcheck_never_disabled", "dnf-automatic_apply_updates", "ensure_gpgcheck_local_packages", "ensure_redhat_gpgkey_installed", "package_sequoia-sq_installed", "dnf-automatic_security_updates_only", "package_subscription-manager_installed"], "controls": []}, {"id": "1504", "levels": ["base"], "notes": "", "title": "Multi-factor authentication is used to authenticate users to their organisation\u2019s online services that process, store or communicate their organisation\u2019s sensitive data.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1505", "levels": 
["base"], "notes": "", "title": "Multi-factor authentication is used to authenticate users of data repositories.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1506", "levels": ["base"], "notes": "As of OpenSSH 7.6, OpenSSH only supports SSH 2.", "title": "The use of SSH version 1 is disabled for SSH connections.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_allow_only_protocol2"], "rules": [], "controls": []}, {"id": "1546", "levels": ["base"], "notes": "", "title": "Users are authenticated before they are granted access to a system and its resources", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["sshd_disable_rhosts", "require_singleuser_auth", "accounts_password_pam_dcredit", "sshd_do_not_permit_user_env", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "sudo_require_authentication", "sudo_remove_nopasswd", "sshd_disable_user_known_hosts", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sysctl_kernel_dmesg_restrict", "no_empty_passwords", "accounts_no_uid_except_zero", "sudo_remove_no_authenticate", "sshd_disable_empty_passwords", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "sshd_disable_root_login", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1552", "levels": ["base"], "notes": "", "title": "All web application content is offered exclusively using HTTPS.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["openssl_use_strong_entropy"], "controls": []}, {"id": "1557", "levels": ["secret"], "notes": "", "title": "Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit", "var_password_pam_minlen=17", "var_accounts_password_minlen_login_defs=17"], "controls": []}, {"id": "1558", "levels": ["base"], "notes": "", "title": "Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", 
"accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1559", "levels": ["base"], "notes": "", "title": "Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1560", "levels": ["secret"], "notes": "", "title": "Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", 
"accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1561", "levels": ["top_secret"], "notes": "", "title": "Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["require_singleuser_auth", "accounts_password_pam_dcredit", "sebool_authlogin_radius", "accounts_passwords_pam_faillock_deny_root", "sshd_set_max_auth_tries", "accounts_password_minlen_login_defs", "require_emergency_target_auth", "sebool_authlogin_nsswitch_use_ldap", "sshd_disable_kerb_auth", "accounts_password_pam_ocredit", "accounts_passwords_pam_faillock_interval", "accounts_password_pam_minclass", "disable_host_auth", "accounts_password_pam_minlen", "accounts_passwords_pam_faillock_unlock_time", "sssd_enable_smartcards", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_tally2_deny_root", "accounts_password_pam_ucredit", "accounts_passwords_pam_tally2_unlock_time", "accounts_password_pam_lcredit"], "controls": []}, {"id": "1745", "levels": ["base"], "notes": "", "title": "Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.", "description": null, "rationale": null, "automated": "no", "status": 
"manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["secure_boot_enabled"], "controls": []}], "levels": [{"id": "base", "inherits_from": null}, {"id": "secret", "inherits_from": ["base"]}, {"id": "top_secret", "inherits_from": ["secret"]}]}