{"id": "cis_fedora", "policy": "DRAFT - CIS Benchmark for Fedora", "title": "DRAFT - CIS Benchmark for Fedora", "source": "https://workbench.cisecurity.org/benchmarks/20722", "definition_location": "/aptdata/openscap/scap-security-guide/controls/cis_fedora.yml", "controls": [{"id": "reload_dconf_db", "levels": ["l1_server", "l1_workstation"], "notes": "This is a helper rule to reload Dconf database correctly.", "title": "Reload Dconf database", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_db_up_to_date"], "controls": []}, {"id": "1.1.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cramfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_cramfs_disabled"], "controls": []}, {"id": "1.1.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure freevxfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_freevxfs_disabled"], "controls": []}, {"id": "1.1.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure hfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_hfs_disabled"], "controls": []}, {"id": "1.1.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure hfsplus kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_hfsplus_disabled"], "controls": []}, {"id": "1.1.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure jffs2 kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_jffs2_disabled"], "controls": []}, {"id": "1.1.1.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure overlayfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_overlayfs_disabled"], "controls": []}, {"id": "1.1.1.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure squashfs kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_squashfs_disabled"], "controls": []}, 
{"id": "1.1.1.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure udf kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_udf_disabled"], "controls": []}, {"id": "1.1.1.9", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure firewire-core kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_firewire-core_disabled"], "controls": []}, {"id": "1.1.1.10", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure usb-storage kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_usb-storage_disabled"], "controls": []}, {"id": "1.1.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure unused filesystems kernel modules are not available (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /tmp is tmpfs or a separate partition (Automated)", "description": 
null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["systemd_tmp_mount_enabled"], "rules": ["partition_for_tmp"], "controls": []}, {"id": "1.1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nodev"], "controls": []}, {"id": "1.1.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_nosuid"], "controls": []}, {"id": "1.1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_tmp_noexec"], "controls": []}, {"id": "1.1.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /dev/shm is tmpfs or a separate partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_dev_shm"], "controls": []}, {"id": "1.1.2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nodev"], "controls": []}, {"id": "1.1.2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_nosuid"], "controls": []}, {"id": "1.1.2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /dev/shm partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_dev_shm_noexec"], "controls": []}, {"id": "1.1.2.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /home (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_home"], "controls": []}, {"id": 
"1.1.2.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nodev"], "controls": []}, {"id": "1.1.2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /home partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_home_nosuid"], "controls": []}, {"id": "1.1.2.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var"], "controls": []}, {"id": "1.1.2.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nodev"], "controls": []}, {"id": "1.1.2.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var partition (Automated)", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_nosuid"], "controls": []}, {"id": "1.1.2.5.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/tmp (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_tmp"], "controls": []}, {"id": "1.1.2.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nodev"], "controls": []}, {"id": "1.1.2.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_nosuid"], "controls": []}, {"id": "1.1.2.5.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/tmp partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, 
"tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_tmp_noexec"], "controls": []}, {"id": "1.1.2.6.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log"], "controls": []}, {"id": "1.1.2.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nodev"], "controls": []}, {"id": "1.1.2.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_nosuid"], "controls": []}, {"id": "1.1.2.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_noexec"], "controls": []}, {"id": "1.1.2.7.1", "levels": 
["l2_server", "l2_workstation"], "notes": "", "title": "Ensure separate partition exists for /var/log/audit (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["partition_for_var_log_audit"], "controls": []}, {"id": "1.1.2.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nodev option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nodev"], "controls": []}, {"id": "1.1.2.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nosuid option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_nosuid"], "controls": []}, {"id": "1.1.2.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure noexec option set on /var/log/audit partition (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["mount_option_var_log_audit_noexec"], "controls": []}, {"id": "1.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GPG keys are configured (Manual)", 
"description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["ensure_fedora_gpgkey_installed"], "rules": [], "controls": []}, {"id": "1.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure gpgcheck is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_gpgcheck_globally_activated"], "controls": []}, {"id": "1.2.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure repo_gpgcheck is globally activated (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure package manager repositories are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.1.5", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure weak dependencies are disabled in dnf (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["disable_weak_deps"], "controls": []}, {"id": "1.2.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure updates, patches, and additional security software are installed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_libselinux_installed"], "controls": []}, {"id": "1.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux is not disabled in bootloader configuration (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_enable_selinux"], "controls": []}, {"id": "1.3.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SELinux policy is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_policytype", "var_selinux_policy_name=targeted"], "controls": []}, {"id": "1.3.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure 
the SELinux mode is not disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_not_disabled"], "controls": []}, {"id": "1.3.1.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the SELinux mode is enforcing (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["selinux_state", "var_selinux_state=enforcing"], "controls": []}, {"id": "1.3.1.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure no unconfined services exist (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["selinux_confinement_of_daemons"], "rules": [], "controls": []}, {"id": "1.3.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure the MCS Translation Service (mcstrans) is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_mcstrans_removed"], "controls": []}, {"id": "1.3.1.8", "levels": ["l1_server"], "notes": "", "title": "Ensure SETroubleshoot is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_setroubleshoot_removed"], "controls": []}, {"id": "1.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "There is no automated remediation for this rule and this is intentional.\nMore details in the rule description.", "title": "Ensure bootloader password is set (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_password"], "controls": []}, {"id": "1.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement demands a deeper review of the rules.", "title": "Ensure access to bootloader config is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_boot_grub2", "file_groupowner_boot_grub2", "file_owner_boot_grub2"], "controls": []}, {"id": "1.5.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure core file size is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_users_coredumps"], "controls": []}, {"id": "1.5.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure fs.protected_hardlinks is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_protected_hardlinks"], "controls": []}, {"id": "1.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure fs.protected_symlinks is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_protected_symlinks"], "controls": []}, {"id": "1.5.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure fs.suid_dumpable is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_fs_suid_dumpable"], "controls": []}, {"id": "1.5.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure kernel.dmesg_restrict is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_dmesg_restrict"], "controls": []}, {"id": "1.5.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure kernel.kptr_restrict is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["sysctl_kernel_kptr_restrict"], "controls": []}, {"id": "1.5.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure kernel.yama.ptrace_scope is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_yama_ptrace_scope"], "controls": []}, {"id": "1.5.8", "levels": ["l1_server", "l1_workstation"], "notes": "Address Space Layout Randomization (ASLR)", "title": "Ensure kernel.randomize_va_space is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_kernel_randomize_va_space"], "controls": []}, {"id": "1.5.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-coredump ProcessSizeMax is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_backtraces"], "controls": []}, {"id": "1.5.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-coredump Storage is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["coredump_disable_storage"], "controls": []}, {"id": "1.6.1", "levels": ["l1_server", "l1_workstation"], 
"notes": "", "title": "Ensure system wide crypto policy is not set to legacy (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.6.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy disables sha1 hash and signature support (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.6.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy macs are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.6.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system wide crypto policy disables cbc for ssh (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "1.7.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/motd is configured (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_motd_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/issue is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/issue.net is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["banner_etc_issue_net_cis", "cis_banner_text=cis"], "controls": []}, {"id": "1.7.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/motd is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_etc_motd", "file_groupowner_etc_motd", "file_owner_etc_motd"], "controls": []}, {"id": "1.7.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_issue", "file_owner_etc_issue", "file_permissions_etc_issue"], "controls": []}, {"id": "1.7.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/issue.net is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_issue_net", "file_permissions_etc_issue_net", "file_owner_etc_issue_net"], "controls": []}, {"id": "1.8.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM login banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_banner_enabled", "dconf_gnome_login_banner_text", "login_banner_text=cis_banners"], "controls": []}, {"id": "1.8.2", "levels": ["l1_server", "l1_workstation"], "notes": "Review rules to confirm settings are not writeable by users", "title": "Ensure GDM disable-user-list is configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_user_list"], "controls": []}, {"id": "1.8.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM screen lock is configured (Automated)", "description": null, "rationale": null, 
"automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_screensaver_user_locks", "dconf_gnome_session_idle_user_locks", "dconf_gnome_screensaver_idle_delay", "dconf_gnome_screensaver_lock_delay", "inactivity_timeout_value=15_minutes", "var_screensaver_lock_delay=5_seconds"], "controls": []}, {"id": "1.8.4", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure GDM automount is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_automount", "dconf_gnome_disable_automount_open"], "controls": []}, {"id": "1.8.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure GDM autorun-never is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["dconf_gnome_disable_autorun"], "controls": []}, {"id": "1.8.6", "levels": ["l1_server", "l1_workstation"], "notes": "Confirm if XDMCP is still available.", "title": "Ensure XDMCP is not enabled (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["gnome_gdm_disable_xdmcp"], "rules": [], "controls": []}, {"id": "1.8.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure Xwayland is configured 
(Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["xwayland_disabled"], "controls": []}, {"id": "2.1.1", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure autofs services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_autofs_disabled"], "controls": []}, {"id": "2.1.2", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure avahi daemon services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_avahi_removed"], "rules": ["service_avahi-daemon_disabled"], "controls": []}, {"id": "2.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure cockpit web services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_cockpit_disabled"], "controls": []}, {"id": "2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dhcp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": 
null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_dhcpd_disabled"], "rules": ["package_kea_removed"], "controls": []}, {"id": "2.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dns server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_named_disabled"], "rules": ["package_bind_removed"], "controls": []}, {"id": "2.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dnsmasq services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_dnsmasq_removed"], "controls": []}, {"id": "2.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure ftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_vsftpd_disabled"], "rules": ["package_vsftpd_removed"], "controls": []}, {"id": "2.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure message access server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_dovecot_disabled"], 
"rules": ["package_cyrus-imapd_removed", "package_dovecot_removed"], "controls": []}, {"id": "2.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the\nnfs-utils package.", "title": "Ensure network file system services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_nfs-utils_removed"], "rules": ["service_nfs_disabled"], "controls": []}, {"id": "2.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nis server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_ypserv_disabled", "package_ypserv_removed"], "rules": [], "controls": []}, {"id": "2.1.11", "levels": ["l1_server"], "notes": "", "title": "Ensure print server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_cups_removed"], "rules": ["service_cups_disabled"], "controls": []}, {"id": "2.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils\npackage used for the Network File System (NFS), are dependent on the rpcbind package.", "title": "Ensure rpcbind services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": 
"automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_rpcbind_removed"], "rules": ["service_rpcbind_disabled"], "controls": []}, {"id": "2.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsync services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_rsyncd_disabled"], "rules": ["package_rsync_removed"], "controls": []}, {"id": "2.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure samba file server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_smb_disabled"], "rules": ["package_samba_removed"], "controls": []}, {"id": "2.1.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure snmp services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_snmpd_disabled"], "rules": ["package_net-snmp_removed"], "controls": []}, {"id": "2.1.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, 
"fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_telnet_disabled"], "rules": ["package_telnet-server_removed"], "controls": []}, {"id": "2.1.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tftp server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_tftp_disabled"], "rules": ["package_tftp-server_removed"], "controls": []}, {"id": "2.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web proxy server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_squid_disabled"], "rules": ["package_squid_removed"], "controls": []}, {"id": "2.1.19", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure web server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_httpd_disabled"], "rules": ["package_httpd_removed", "package_nginx_removed"], "controls": []}, {"id": "2.1.20", "levels": ["l1_server", "l1_workstation"], "notes": "Will likely be dropped.", "title": "Ensure xinetd services are not in use (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.1.21", "levels": ["l2_server"], "notes": "", "title": "Ensure GNOME Display Manager is removed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_gdm_removed"], "controls": []}, {"id": "2.1.22", "levels": ["l2_server"], "notes": "", "title": "Ensure X window server services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_xorg-x11-server-Xwayland_removed"], "controls": []}, {"id": "2.1.23", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure mail transfer agents are configured for local-only mode (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["has_nonlocal_mta", "postfix_network_listening_disabled", "var_postfix_inet_interfaces=loopback-only"], "controls": []}, {"id": "2.1.24", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure only approved services are listening on a network interface (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.1", "levels": ["l1_server", 
"l1_workstation"], "notes": "", "title": "Ensure ftp client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_ftp_removed"], "controls": []}, {"id": "2.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure ldap client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_openldap-clients_removed"], "controls": []}, {"id": "2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nis client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_ypbind_removed"], "rules": [], "controls": []}, {"id": "2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure telnet client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_telnet_removed"], "controls": []}, {"id": "2.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tftp client is not installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_tftp_removed"], "controls": []}, {"id": "2.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure time synchronization is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_chrony_installed"], "rules": [], "controls": []}, {"id": "2.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_specify_remote_server", "var_multiple_time_servers=rhel"], "controls": []}, {"id": "2.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure chrony is not run as the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["chronyd_run_as_chrony_user"], "controls": []}, {"id": "2.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cron daemon is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_cron_installed", 
"service_crond_enabled"], "controls": []}, {"id": "2.4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/crontab is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_crontab", "file_owner_crontab", "file_permissions_crontab"], "controls": []}, {"id": "2.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.hourly is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_hourly", "file_permissions_cron_hourly", "file_groupowner_cron_hourly"], "controls": []}, {"id": "2.4.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.daily is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_daily", "file_permissions_cron_daily", "file_owner_cron_daily"], "controls": []}, {"id": "2.4.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.weekly is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["file_permissions_cron_weekly", "file_groupowner_cron_weekly", "file_owner_cron_weekly"], "controls": []}, {"id": "2.4.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.monthly is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_cron_monthly", "file_permissions_cron_monthly", "file_owner_cron_monthly"], "controls": []}, {"id": "2.4.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.yearly is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_yearly", "file_groupowner_cron_yearly", "file_permissions_cron_yearly"], "controls": []}, {"id": "2.4.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/cron.d is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_cron_d", "file_groupowner_cron_d", "file_permissions_cron_d"], "controls": []}, {"id": "2.4.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to crontab is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["file_cron_deny_not_exist", "file_permissions_cron_allow", "file_groupowner_cron_allow", "file_cron_allow_exists", "file_owner_cron_allow"], "controls": []}, {"id": "2.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to at is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_at_deny_not_exist", "file_permissions_at_allow", "file_owner_at_allow", "file_groupowner_at_allow", "file_at_allow_exists"], "controls": []}, {"id": "3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure IPv6 status is identified (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1.2", "levels": ["l1_server"], "notes": "", "title": "Ensure wireless interfaces are not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["wireless_disable_interfaces"], "controls": []}, {"id": "3.1.3", "levels": ["l1_server", "l2_workstation"], "notes": "", "title": "Ensure bluetooth services are not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, 
"related_rules": [], "rules": ["service_bluetooth_disabled"], "controls": []}, {"id": "3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure atm kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_atm_disabled"], "controls": []}, {"id": "3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure can kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_can_disabled"], "controls": []}, {"id": "3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure dccp kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_dccp_disabled"], "controls": []}, {"id": "3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure tipc kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_tipc_disabled"], "controls": []}, {"id": "3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rds kernel 
module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_rds_disabled"], "controls": []}, {"id": "3.2.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure sctp kernel module is not available (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["kernel_module_sctp_disabled"], "controls": []}, {"id": "3.3.1.1", "levels": ["l2_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.ip_forward is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_ip_forward"], "controls": []}, {"id": "3.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.forwarding is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_forwarding"], "controls": []}, {"id": "3.3.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.forwarding is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_forwarding", "sysctl_net_ipv4_conf_default_forwarding_value=disabled"], "controls": []}, {"id": "3.3.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.send_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_send_redirects"], "controls": []}, {"id": "3.3.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.send_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_send_redirects"], "controls": []}, {"id": "3.3.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_ignore_bogus_error_responses", "sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled"], "controls": []}, {"id": "3.3.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_icmp_echo_ignore_broadcasts", "sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled"], "controls": []}, {"id": "3.3.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.accept_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_accept_redirects", "sysctl_net_ipv4_conf_all_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.accept_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_redirects", "sysctl_net_ipv4_conf_default_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.secure_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_secure_redirects", "sysctl_net_ipv4_conf_all_secure_redirects_value=disabled"], 
"controls": []}, {"id": "3.3.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.secure_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_secure_redirects", "sysctl_net_ipv4_conf_default_secure_redirects_value=disabled"], "controls": []}, {"id": "3.3.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.rp_filter is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_rp_filter", "sysctl_net_ipv4_conf_all_rp_filter_value=enabled"], "controls": []}, {"id": "3.3.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.rp_filter is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_rp_filter", "sysctl_net_ipv4_conf_default_rp_filter_value=enabled"], "controls": []}, {"id": "3.3.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.accept_source_route is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": 
null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_accept_source_route", "sysctl_net_ipv4_conf_all_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.1.15", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.accept_source_route is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_accept_source_route", "sysctl_net_ipv4_conf_default_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.1.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.all.log_martians is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_all_log_martians", "sysctl_net_ipv4_conf_all_log_martians_value=enabled"], "controls": []}, {"id": "3.3.1.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.conf.default.log_martians is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_conf_default_log_martians", "sysctl_net_ipv4_conf_default_log_martians_value=enabled"], "controls": []}, {"id": "3.3.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv4.tcp_syncookies is configured (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv4_tcp_syncookies", "sysctl_net_ipv4_tcp_syncookies_value=enabled"], "controls": []}, {"id": "3.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.all.forwarding is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_forwarding", "sysctl_net_ipv6_conf_all_forwarding_value=disabled"], "controls": []}, {"id": "3.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.default.forwarding is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_forwarding", "sysctl_net_ipv6_conf_default_forwarding_value=disabled"], "controls": []}, {"id": "3.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.all.accept_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_redirects", "sysctl_net_ipv6_conf_all_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.2.4", "levels": ["l1_server", 
"l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.default.accept_redirects is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_redirects", "sysctl_net_ipv6_conf_default_accept_redirects_value=disabled"], "controls": []}, {"id": "3.3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.all.accept_source_route is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_source_route", "sysctl_net_ipv6_conf_all_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.default.accept_source_route is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_source_route", "sysctl_net_ipv6_conf_default_accept_source_route_value=disabled"], "controls": []}, {"id": "3.3.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.all.accept_ra is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_all_accept_ra", "sysctl_net_ipv6_conf_all_accept_ra_value=disabled"], "controls": []}, {"id": "3.3.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure net.ipv6.conf.default.accept_ra is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sysctl_net_ipv6_conf_default_accept_ra", "sysctl_net_ipv6_conf_default_accept_ra_value=disabled"], "controls": []}, {"id": "4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_nftables_installed"], "controls": []}, {"id": "4.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure a single firewall configuration utility is in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_firewalld_installed", "service_firewalld_enabled", "service_nftables_disabled"], "controls": []}, {"id": "4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure firewalld drops unnecessary services and ports (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": 
null, "tickets": null, "original_title": null, "related_rules": ["configure_firewalld_ports"], "rules": [], "controls": []}, {"id": "4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure firewalld loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["firewalld_loopback_traffic_trusted", "firewalld_loopback_traffic_restricted"], "controls": []}, {"id": "4.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use. When using firewalld the base chains are installed by default.", "title": "Ensure nftables base chains exist (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["set_nftables_base_chain", "var_nftables_table=firewalld", "var_nftables_family=inet", "var_nftables_base_chain_names=chain_names", "var_nftables_base_chain_types=chain_types", "var_nftables_base_chain_hooks=chain_hooks", "var_nftables_base_chain_priorities=chain_priorities", "var_nftables_base_chain_policies=chain_policies"], "rules": [], "controls": []}, {"id": "4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure nftables established connections are configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use.", "title": "Ensure nftables default deny firewall policy (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["nftables_ensure_default_deny_policy"], "rules": [], "controls": []}, {"id": "4.3.4", "levels": ["l1_server", "l1_workstation"], "notes": "RHEL systems use firewalld for firewall management. Although nftables is the default\nback-end for firewalld, it is not recommended to use nftables directly when firewalld\nis in use.", "title": "Ensure nftables loopback traffic is configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["set_nftables_loopback_traffic"], "rules": [], "controls": []}, {"id": "5.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/ssh/sshd_config is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_sshd_config", "directory_owner_sshd_config_d", "file_permissions_sshd_drop_in_config", "file_permissions_sshd_config", "file_groupowner_sshd_config", "directory_groupowner_sshd_config_d", "file_owner_sshd_drop_in_config", 
"file_groupowner_sshd_drop_in_config", "directory_permissions_sshd_config_d"], "controls": []}, {"id": "5.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to SSH private host key files is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_sshd_private_key", "file_permissions_sshd_private_key", "file_ownership_sshd_private_key"], "controls": []}, {"id": "5.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to SSH public host key files is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_sshd_pub_key", "file_permissions_sshd_pub_key", "file_ownership_sshd_pub_key"], "controls": []}, {"id": "5.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd Ciphers are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "5.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd KexAlgorithms is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, 
"original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "5.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MACs are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["configure_custom_crypto_policy_cis"], "controls": []}, {"id": "5.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd access is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_limit_user_access"], "controls": []}, {"id": "5.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd Banner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_enable_warning_banner"], "rules": ["sshd_enable_warning_banner_net"], "controls": []}, {"id": "5.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "The requirement gives an example of 45 seconds, but is flexible about the values. 
It is only\nnecessary to ensure there is a timeout configured in alignment to the site policy.", "title": "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_keepalive", "sshd_set_idle_timeout", "sshd_idle_timeout_value=5_minutes", "var_sshd_set_keepalive=1"], "controls": []}, {"id": "5.1.10", "levels": ["l2_server", "l1_workstation"], "notes": "", "title": "Ensure sshd DisableForwarding is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_disable_tcp_forwarding", "sshd_disable_x11_forwarding"], "rules": ["sshd_disable_forwarding"], "controls": []}, {"id": "5.1.11", "levels": ["l2_server", "l1_workstation"], "notes": "", "title": "Ensure sshd GSSAPIAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_gssapi_auth"], "controls": []}, {"id": "5.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd HostbasedAuthentication is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["disable_host_auth"], "controls": 
[]}, {"id": "5.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd IgnoreRhosts is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_rhosts"], "controls": []}, {"id": "5.1.14", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd LoginGraceTime is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_login_grace_time", "var_sshd_set_login_grace_time=60"], "controls": []}, {"id": "5.1.15", "levels": ["l1_server", "l1_workstation"], "notes": "The CIS benchmark is not opinionated about which loglevel is selected here. 
Here, this\nprofile uses VERBOSE by default, as it allows for the capture of login and logout activity\nas well as key fingerprints.", "title": "Ensure sshd LogLevel is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["sshd_set_loglevel_info"], "rules": ["sshd_set_loglevel_verbose"], "controls": []}, {"id": "5.1.16", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxAuthTries is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_auth_tries", "sshd_max_auth_tries_value=4"], "controls": []}, {"id": "5.1.17", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxStartups is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_maxstartups", "var_sshd_set_maxstartups=10:30:60"], "controls": []}, {"id": "5.1.18", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd MaxSessions is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_set_max_sessions", "var_sshd_max_sessions=10"], "controls": []}, {"id": "5.1.19", "levels": 
["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitEmptyPasswords is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_empty_passwords"], "controls": []}, {"id": "5.1.20", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitRootLogin is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_disable_root_login"], "controls": []}, {"id": "5.1.21", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd PermitUserEnvironment is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_do_not_permit_user_env"], "controls": []}, {"id": "5.1.22", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sshd UsePAM is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sshd_enable_pam"], "controls": []}, {"id": "5.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, 
"artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_sudo_installed"], "controls": []}, {"id": "5.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo commands use pty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_add_use_pty"], "controls": []}, {"id": "5.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo log file exists (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_custom_logfile"], "controls": []}, {"id": "5.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure users must provide password for escalation (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_nopasswd"], "controls": []}, {"id": "5.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure re-authentication for privilege escalation is not disabled globally (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_remove_no_authenticate"], 
"controls": []}, {"id": "5.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure sudo timestamp_timeout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["sudo_require_reauthentication", "var_sudo_timestamp_timeout=15_minutes"], "controls": []}, {"id": "5.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "Members of \"wheel\" or GID 0 groups are checked by default if the group option is not set for\nthe pam_wheel.so module. The recommendation states the group should be empty to reinforce the\nuse of \"sudo\" for privileged access. Therefore, members of these groups should be manually\nchecked or a different group should be specified.", "title": "Ensure access to the su command is restricted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_pam_wheel_group_empty", "use_pam_wheel_group_for_su", "var_pam_wheel_group_for_su=cis"], "controls": []}, {"id": "5.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "A new rule is needed to ensure the PAM package is updated.", "title": "Ensure latest version of pam is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "A new rule is needed to ensure the authselect package is updated.", 
"title": "Ensure latest version of authselect is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "It is necessary a new rule to ensure libpwquality package is updated.", "title": "Ensure latest version of libpwquality is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_pwquality_installed"], "controls": []}, {"id": "5.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "This rule verifies that the active authselect profile includes the required PAM modules:\npam_pwquality.so, pam_pwhistory.so, pam_faillock.so, and pam_unix.so in both system-auth\nand password-auth files. The rule checks the authselect profile source files directly,\nnot the symlinked files in /etc/pam.d/. 
Other rules ensure these modules are properly\nconfigured with correct options.", "title": "Ensure active authselect profile includes pam modules (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["enable_authselect", "account_password_pam_faillock_password_auth", "account_password_pam_faillock_system_auth", "accounts_password_pam_pwquality_password_auth", "accounts_password_pam_pwquality_system_auth", "accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth", "accounts_password_pam_unix_enabled"], "rules": ["accounts_password_pam_modules_in_authselect_profile"], "controls": []}, {"id": "5.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is also indirectly satisfied by the requirement 5.3.3.1.", "title": "Ensure pam_faillock module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_password_pam_faillock_system_auth", "account_password_pam_faillock_password_auth"], "controls": []}, {"id": "5.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is also indirectly satisfied by the requirement 5.3.3.2.", "title": "Ensure pam_pwquality module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_pam_pwquality_installed", 
"accounts_password_pam_pwquality_password_auth", "accounts_password_pam_pwquality_system_auth"], "controls": []}, {"id": "5.3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "The module is properly enabled by the rules mentioned in related_rules.\nRequirements in 5.3.3.3 use these rules.", "title": "Ensure pam_pwhistory module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth"], "rules": [], "controls": []}, {"id": "5.3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure pam_unix module is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_empty_passwords"], "rules": ["accounts_password_pam_unix_enabled"], "controls": []}, {"id": "5.3.3.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password failed attempts lockout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny", "var_accounts_passwords_pam_faillock_deny=5"], "controls": []}, {"id": "5.3.3.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "The policy also accepts value 0, which means the locked accounts should be manually unlocked\nby an administrator. 
However, it also mentions that using value 0 can facilitate a DoS\nattack to legitimate users.", "title": "Ensure password unlock time is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_faillock_unlock_time=900"], "controls": []}, {"id": "5.3.3.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure password failed attempts lockout includes root account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_passwords_pam_faillock_deny_root"], "controls": []}, {"id": "5.3.3.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password number of changed characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_difok", "var_password_pam_difok=2"], "controls": []}, {"id": "5.3.3.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password length is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_minlen", 
"var_password_pam_minlen=14"], "controls": []}, {"id": "5.3.3.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "This requirement is expected to be manual. However, in previous versions of the policy\nthe configuration of the \"minclass\" option was already automated. Rules related to other\noptions are listed in related_rules. In short, minclass=4 alone can achieve the same\nresult achieved by the combination of the other 4 options mentioned in the policy.", "title": "Ensure password complexity is configured (Manual)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_dcredit", "accounts_password_pam_lcredit", "accounts_password_pam_ocredit", "accounts_password_pam_ucredit"], "rules": ["accounts_password_pam_minclass", "var_password_pam_minclass=4"], "controls": []}, {"id": "5.3.3.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password same consecutive characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxrepeat", "var_password_pam_maxrepeat=3"], "controls": []}, {"id": "5.3.3.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password maximum sequential characters is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_maxsequence", 
"var_password_pam_maxsequence=3"], "controls": []}, {"id": "5.3.3.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password dictionary check is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_dictcheck", "var_password_pam_dictcheck=1"], "controls": []}, {"id": "5.3.3.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password quality is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_enforce_root"], "controls": []}, {"id": "5.3.3.3.1", "levels": ["l1_server", "l1_workstation"], "notes": "Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure\nretry option of pam_pwhistory. 
If one is added in the future, the rule accounts_password_pam_retry\ncan be used.", "title": "Ensure password history remember is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_retry"], "rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth", "var_password_pam_remember_control_flag=requisite_or_required", "var_password_pam_remember=24"], "controls": []}, {"id": "5.3.3.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password history is enforced for the root user (Automated)", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.3.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "pam_pwhistory is enabled via an authselect feature, as required in 5.3.2.4. The\nfeature automatically sets the \"use_authtok\" option. 
In any case, we don't have a rule to check\nthis option specifically.", "title": "Ensure pam_pwhistory includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth"], "rules": ["accounts_password_pam_pwhistory_use_authtok"], "controls": []}, {"id": "5.3.3.4.1", "levels": ["l1_server", "l1_workstation"], "notes": "The rule more specifically used in this requirement also satisfies requirement 5.3.2.5.", "title": "Ensure pam_unix does not include nullok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords"], "controls": []}, {"id": "5.3.3.4.2", "levels": ["l1_server", "l1_workstation"], "notes": "Usage of the pam_unix.so module together with the \"remember\" option is deprecated and is not\nrecommended by this policy. Instead, the remember option of the pam_pwhistory\nmodule should be used, as required in 5.3.3.3.1. 
See here for more details about pam_unix.so:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1778929", "title": "Ensure pam_unix does not include remember (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_no_remember"], "controls": []}, {"id": "5.3.3.4.3", "levels": ["l1_server", "l1_workstation"], "notes": "Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4", "title": "Ensure pam_unix includes a strong password hashing algorithm (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_passwordauth", "set_password_hashing_algorithm_systemauth", "var_password_hashing_algorithm_pam=yescrypt"], "controls": []}, {"id": "5.3.3.4.4", "levels": ["l1_server", "l1_workstation"], "notes": "In RHEL 9 pam_unix is enabled by default in all authselect profiles already with the\nuse_authtok option set. 
In any case, we don't have a rule to check this option specifically,\nlike in 5.3.3.3.3.", "title": "Ensure pam_unix includes use_authtok (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_pam_unix_authtok"], "controls": []}, {"id": "5.4.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_maximum_age_login_defs", "accounts_password_set_max_life_existing", "var_accounts_maximum_age_login_defs=365"], "controls": []}, {"id": "5.4.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure minimum password days is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_minimum_age_login_defs", "accounts_password_set_min_life_existing", "var_accounts_minimum_age_login_defs=1"], "controls": []}, {"id": "5.4.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure password expiration warning days is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": 
["accounts_password_warn_age_login_defs", "accounts_password_set_warn_age_existing", "var_accounts_password_warn_age_login_defs=7"], "controls": []}, {"id": "5.4.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure strong password hashing algorithm is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["set_password_hashing_algorithm_logindefs", "var_password_hashing_algorithm=cis_fedora"], "controls": []}, {"id": "5.4.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure inactive password lock is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_set_post_pw_existing", "account_disable_post_pw_expiration", "var_account_disable_post_pw_expiration=30"], "controls": []}, {"id": "5.4.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all users last password change date is in the past (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_last_change_is_in_past"], "controls": []}, {"id": "5.4.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root is the only UID 0 account (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": 
null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_no_uid_except_zero"], "controls": []}, {"id": "5.4.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "There is assessment but no automated remediation for this rule and this sounds reasonable.", "title": "Ensure root is the only GID 0 account (Automated)", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_gid_zero"], "controls": []}, {"id": "5.4.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "There is assessment but no automated remediation for this rule and this sounds reasonable.", "title": "Ensure group root is the only GID 0 group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["groups_no_zero_gid_except_root"], "controls": []}, {"id": "5.4.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root account access is controlled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_root_password_configured"], "controls": []}, {"id": "5.4.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root path integrity (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_root_path_dirs_no_write", "root_path_no_dot"], "controls": []}, {"id": "5.4.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure root user umask is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_root"], "controls": []}, {"id": "5.4.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure system accounts do not have a valid login shell (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_shelllogin_for_systemaccounts", "no_password_auth_for_systemaccounts"], "controls": []}, {"id": "5.4.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure accounts without a valid login shell are locked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_invalid_shell_accounts_unlocked"], "controls": []}, {"id": "5.4.3.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure nologin is not listed in /etc/shells (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], 
"rules": ["no_nologin_in_shells"], "controls": []}, {"id": "5.4.3.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user shell timeout is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_tmout", "var_accounts_tmout=15_min"], "controls": []}, {"id": "5.4.3.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure default user umask is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_umask_etc_profile", "accounts_umask_etc_login_defs", "accounts_umask_etc_bashrc", "var_accounts_user_umask=027"], "controls": []}, {"id": "6.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure AIDE is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_aide_installed", "aide_build_database"], "controls": []}, {"id": "6.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure filesystem integrity is regularly checked (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["aide_periodic_cron_checking"], "controls": []}, {"id": 
"6.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["aide_use_fips_hashes"], "rules": ["aide_check_audit_tools"], "controls": []}, {"id": "6.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald service is active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journald_enabled"], "controls": []}, {"id": "6.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald log file access is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald log file rotation is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure only one logging system is in use (Automated)", "description": null, "rationale": null, "automated": 
"yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["ensure_journald_and_rsyslog_not_active_together"], "controls": []}, {"id": "6.2.2.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote is installed (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_systemd-journal-remote_installed"], "controls": []}, {"id": "6.2.2.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-upload authentication is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.2.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-upload is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_systemd-journal-upload_enabled"], "controls": []}, {"id": "6.2.2.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure systemd-journal-remote service is not in use (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": 
null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["socket_systemd-journal-remote_disabled"], "controls": []}, {"id": "6.2.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald ForwardToSyslog is disabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_disable_forward_to_syslog"], "controls": []}, {"id": "6.2.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald Compress is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_compress"], "controls": []}, {"id": "6.2.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald Storage is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["journald_storage"], "controls": []}, {"id": "6.2.5.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is installed (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["package_rsyslog_installed"], "rules": [], "controls": []}, {"id": "6.2.5.2", "levels": ["l1_server", 
"l1_workstation"], "notes": "", "title": "Ensure rsyslog service is enabled and active (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_rsyslog_enabled"], "rules": [], "controls": []}, {"id": "6.2.5.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure journald is configured to send logs to rsyslog (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["journald_forward_to_syslog"], "rules": [], "controls": []}, {"id": "6.2.5.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog log file creation mode is configured (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_filecreatemode"], "rules": [], "controls": []}, {"id": "6.2.5.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog logging is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.5.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is configured to send logs to a remote log host (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", 
"mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_remote_loghost"], "rules": [], "controls": []}, {"id": "6.2.5.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog is not configured to receive logs from a remote client (Automated)", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["rsyslog_nolisten"], "rules": [], "controls": []}, {"id": "6.2.3.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure rsyslog logrotate is configured (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["ensure_logrotate_activated", "package_logrotate_installed", "timer_logrotate_enabled"], "rules": [], "controls": []}, {"id": "6.2.6.1", "levels": ["l1_server", "l1_workstation"], "notes": "It is not harmful to run these rules even if rsyslog is not installed or active.", "title": "Ensure access to all logfiles has been configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["rsyslog_files_permissions", "rsyslog_files_groupownership", "rsyslog_files_ownership"], "controls": []}, {"id": "6.3.1.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd packages are installed (Automated)", "description": null, "rationale": null, "automated": "yes", 
"status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["package_audit-libs_installed", "package_audit_installed"], "controls": []}, {"id": "6.3.1.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditing for processes that start prior to auditd is enabled (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_argument"], "controls": []}, {"id": "6.3.1.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit_backlog_limit is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["grub2_audit_backlog_limit_argument", "var_audit_backlog_limit=8192"], "controls": []}, {"id": "6.3.1.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure auditd service is enabled and active (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["service_auditd_enabled"], "controls": []}, {"id": "6.3.2.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log storage size is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file", "var_auditd_max_log_file=6"], "controls": []}, {"id": "6.3.2.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit logs are not automatically deleted (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_max_log_file_action", "var_auditd_max_log_file_action=keep_logs"], "controls": []}, {"id": "6.3.2.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system is disabled when audit logs are full (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_disk_error_action", "auditd_data_disk_full_action", "var_auditd_disk_error_action=cis_fedora", "var_auditd_disk_full_action=cis_fedora"], "controls": []}, {"id": "6.3.2.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure system warns when audit logs are low on space (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["auditd_data_retention_space_left_action", "auditd_data_retention_admin_space_left_action", "var_auditd_admin_space_left_action=cis_fedora", "var_auditd_space_left_action=cis_fedora"], "controls": []}, {"id": "6.3.3.1", "levels": ["l2_server", 
"l2_workstation"], "notes": "", "title": "Ensure modification of the /etc/sudoers file is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_sysadmin_actions"], "controls": []}, {"id": "6.3.3.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure actions as another user are always logged (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_suid_auid_privilege_function"], "controls": []}, {"id": "6.3.3.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the sudo log file are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_sudo_log_events"], "controls": []}, {"id": "6.3.3.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify date and time information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_rules_time_stime"], "rules": ["audit_rules_time_clock_settime", "audit_rules_time_adjtimex", "audit_rules_time_settimeofday", "audit_rules_time_watch_localtime"], "controls": []}, {"id": "6.3.3.5", 
"levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify sethostname and setdomainname are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_setdomainname", "audit_rules_networkconfig_modification_sethostname"], "controls": []}, {"id": "6.3.3.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/issue and /etc/issue.net are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_etc_issue", "audit_rules_networkconfig_modification_etc_issue_net"], "controls": []}, {"id": "6.3.3.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/hosts and /etc/hostname are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_hostname_file", "audit_rules_networkconfig_modification_etc_hosts"], "controls": []}, {"id": "6.3.3.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/sysconfig/network and /etc/sysconfig/network-scripts/ are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_etc_sysconfig_network", "audit_rules_networkconfig_modification_etc_networkmanager_system_connections"], "controls": []}, {"id": "6.3.3.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/NetworkManager directory are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_networkconfig_modification_networkmanager"], "controls": []}, {"id": "6.3.3.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure use of privileged commands are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands"], "controls": []}, {"id": "6.3.3.11", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure unsuccessful file access attempts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_unsuccessful_file_modification_ftruncate", "audit_rules_unsuccessful_file_modification_open", "audit_rules_unsuccessful_file_modification_truncate", "audit_rules_unsuccessful_file_modification_creat", "audit_rules_unsuccessful_file_modification_openat"], "controls": []}, {"id": "6.3.3.12", 
"levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/group information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_group"], "controls": []}, {"id": "6.3.3.13", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/passwd information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_passwd"], "controls": []}, {"id": "6.3.3.14", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/shadow and /etc/gshadow are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_gshadow", "audit_rules_usergroup_modification_shadow"], "controls": []}, {"id": "6.3.3.15", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/security/opasswd are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_opasswd"], "controls": 
[]}, {"id": "6.3.3.16", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/nsswitch.conf file are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_nsswitch_conf"], "controls": []}, {"id": "6.3.3.17", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify /etc/pam.conf and /etc/pam.d/ information are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_usergroup_modification_pam_conf", "audit_rules_usergroup_modification_pamd"], "controls": []}, {"id": "6.3.3.18", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure discretionary access control permission modification events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_dac_modification_fchmodat2", "audit_rules_dac_modification_lremovexattr", "audit_rules_dac_modification_fchown", "audit_rules_dac_modification_chmod", "audit_rules_dac_modification_fsetxattr", "audit_rules_dac_modification_fchownat", "audit_rules_dac_modification_removexattr", "audit_rules_dac_modification_lsetxattr", "audit_rules_dac_modification_chown", "audit_rules_dac_modification_fchmodat", "audit_rules_dac_modification_fremovexattr", 
"audit_rules_dac_modification_lchown", "audit_rules_dac_modification_setxattr", "audit_rules_dac_modification_fchmod"], "controls": []}, {"id": "6.3.3.19", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful file system mounts are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_media_export"], "controls": []}, {"id": "6.3.3.20", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure session initiation information is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_session_events_wtmp", "audit_rules_session_events_utmp", "audit_rules_session_events_btmp"], "controls": []}, {"id": "6.3.3.21", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure login and logout events are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_login_events_faillock", "audit_rules_login_events_lastlog", "var_accounts_passwords_pam_faillock_dir=run"], "controls": []}, {"id": "6.3.3.22", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure file deletion events by users are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": 
null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_file_deletion_events_renameat2", "audit_rules_file_deletion_events_unlink", "audit_rules_file_deletion_events_rename", "audit_rules_file_deletion_events_renameat", "audit_rules_file_deletion_events_unlinkat"], "controls": []}, {"id": "6.3.3.23", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure events that modify the system's Mandatory Access Controls are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_mac_modification_etc_selinux", "audit_rules_mac_modification_usr_share"], "controls": []}, {"id": "6.3.3.24", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chcon"], "controls": []}, {"id": "6.3.3.25", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_setfacl"], "controls": []}, {"id": "6.3.3.26", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure 
successful and unsuccessful attempts to use the chacl command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_execution_chacl"], "controls": []}, {"id": "6.3.3.27", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_usermod"], "controls": []}, {"id": "6.3.3.28", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel module loading unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_privileged_commands_kmod"], "controls": []}, {"id": "6.3.3.29", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel \"init_module\" and \"finit_module\" loading unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_init", "audit_rules_kernel_module_loading_finit"], "controls": []}, {"id": "6.3.3.30", 
"levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel \"delete_module\" loading unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_delete"], "controls": []}, {"id": "6.3.3.31", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure kernel \"create_module\" and \"query_module\" loading unloading and modification is collected (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_kernel_module_loading_create", "audit_rules_kernel_module_loading_query"], "controls": []}, {"id": "6.3.3.32", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit configuration is loaded regardless of errors (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_continue_loading"], "controls": []}, {"id": "6.3.3.33", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit configuration is immutable (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["audit_rules_immutable"], "controls": []}, {"id": 
"6.3.3.34", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the running and on disk configuration is the same (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.3.4.1", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure the audit log file directory mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["directory_permissions_var_log_audit"], "controls": []}, {"id": "6.3.4.2", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_var_log_audit"], "controls": []}, {"id": "6.3.4.3", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_var_log_audit_stig"], "controls": []}, {"id": "6.3.4.4", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit log files group owner is configured (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_group_ownership_var_log_audit"], "controls": []}, {"id": "6.3.4.5", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_audit_configuration"], "controls": []}, {"id": "6.3.4.6", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_configuration"], "controls": []}, {"id": "6.3.4.7", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit configuration files group owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_configuration"], "controls": []}, {"id": "6.3.4.8", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools mode is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": 
null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_audit_binaries"], "controls": []}, {"id": "6.3.4.9", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_ownership_audit_binaries"], "controls": []}, {"id": "6.3.4.10", "levels": ["l2_server", "l2_workstation"], "notes": "", "title": "Ensure audit tools group owner is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupownership_audit_binaries"], "controls": []}, {"id": "7.1.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/passwd is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_passwd", "file_permissions_etc_passwd", "file_owner_etc_passwd"], "controls": []}, {"id": "7.1.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/passwd- is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": 
null, "related_rules": [], "rules": ["file_groupowner_backup_etc_passwd", "file_owner_backup_etc_passwd", "file_permissions_backup_etc_passwd"], "controls": []}, {"id": "7.1.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/group is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_group", "file_owner_etc_group", "file_permissions_etc_group"], "controls": []}, {"id": "7.1.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/group- is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_group", "file_owner_backup_etc_group", "file_permissions_backup_etc_group"], "controls": []}, {"id": "7.1.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/shadow is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_shadow", "file_permissions_etc_shadow", "file_groupowner_etc_shadow"], "controls": []}, {"id": "7.1.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/shadow- is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, 
"status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_backup_etc_shadow", "file_owner_backup_etc_shadow", "file_permissions_backup_etc_shadow"], "controls": []}, {"id": "7.1.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/gshadow is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_gshadow", "file_permissions_etc_gshadow", "file_groupowner_etc_gshadow"], "controls": []}, {"id": "7.1.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/gshadow- is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_backup_etc_gshadow", "file_groupowner_backup_etc_gshadow", "file_owner_backup_etc_gshadow"], "controls": []}, {"id": "7.1.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/shells is configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_owner_etc_shells", "file_groupowner_etc_shells", "file_permissions_etc_shells"], "controls": []}, {"id": "7.1.10", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure access to /etc/security/opasswd is configured (Automated)", "description": null, 
"rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_groupowner_etc_security_opasswd_old", "file_owner_etc_security_opasswd_old", "file_owner_etc_security_opasswd", "file_permissions_etc_security_opasswd", "file_permissions_etc_security_opasswd_old", "file_groupowner_etc_security_opasswd"], "controls": []}, {"id": "7.1.11", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure world writable files and directories are secured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["file_permissions_unauthorized_world_writable", "dir_perms_world_writable_sticky_bits"], "controls": []}, {"id": "7.1.12", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no files or directories without an owner and a group exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_files_or_dirs_ungroupowned", "no_files_or_dirs_unowned_by_user"], "controls": []}, {"id": "7.1.13", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure SUID and SGID files are reviewed (Manual)", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_permissions_unauthorized_suid", 
"file_permissions_unauthorized_sgid"], "rules": [], "controls": []}, {"id": "7.2.1", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure accounts in /etc/passwd use shadowed passwords (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["accounts_password_all_shadowed"], "controls": []}, {"id": "7.2.2", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure /etc/shadow password fields are not empty (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["no_empty_passwords_etc_shadow"], "controls": []}, {"id": "7.2.3", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure all groups in /etc/passwd exist in /etc/group (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["gid_passwd_group_same"], "controls": []}, {"id": "7.2.4", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate UIDs exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_id"], "controls": []}, {"id": "7.2.5", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate GIDs 
exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_id"], "controls": []}, {"id": "7.2.6", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate user names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["account_unique_name"], "controls": []}, {"id": "7.2.7", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure no duplicate group names exist (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["group_unique_name"], "controls": []}, {"id": "7.2.8", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local interactive user home directories are configured (Automated)", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["file_groupownership_home_directories"], "rules": ["accounts_user_interactive_home_directory_exists", "file_permissions_home_directories", "file_ownership_home_directories"], "controls": []}, {"id": "7.2.9", "levels": ["l1_server", "l1_workstation"], "notes": "", "title": "Ensure local interactive user dot files access is configured (Automated)", "description": null, "rationale": 
null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["accounts_users_netrc_file_permissions"], "rules": ["no_forward_files", "file_permission_user_bash_history", "accounts_user_dot_user_ownership", "no_netrc_files", "file_permission_user_init_files", "no_rhost_files", "accounts_user_dot_group_ownership", "var_user_initialization_files_regex=all_dotfiles"], "controls": []}], "levels": [{"id": "l1_server", "inherits_from": null}, {"id": "l2_server", "inherits_from": ["l1_server"]}, {"id": "l1_workstation", "inherits_from": null}, {"id": "l2_workstation", "inherits_from": ["l1_workstation"]}]}