diff --git a/cmd/mock-oci-registry/main.go b/cmd/mock-oci-registry/main.go index ce0e81e5..05fe48f4 100644 --- a/cmd/mock-oci-registry/main.go +++ b/cmd/mock-oci-registry/main.go @@ -11,6 +11,8 @@ package main import ( + "bufio" + "bytes" "crypto/sha256" "embed" "encoding/json" @@ -18,16 +20,19 @@ import ( "log" "net/http" "os" + "path" "sort" "strings" "time" ) -//go:embed testdata/*.yaml +//go:embed all:testdata var seedData embed.FS const defaultPort = "8765" +const bundleRoot = "testdata/policies" + // OCI media types const ( ociManifestMediaType = "application/vnd.oci.image.manifest.v1+json" 
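Review bot: `//go:embed all:testdata` also embeds files under testdata whose names begin with `.` or `_`, which both the old `testdata/*.yaml` pattern and a plain `testdata` directory pattern skip; if the goal is only to reach the new `policies/` subdirectories, `//go:embed testdata` is enough and keeps editor swap files and dotfiles out of the binary. The loader only reads entries ending in `.yaml`, so such files would not be served, but every file under the directory is still compiled into the mock. If the `all:` prefix is deliberate, a one-line comment above the directive saying why (`// all: so that dot-prefixed fixtures are embedded too`) would spare the next reader the question.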
@@ -442,6 +447,68 @@ func (s *contentStore) enrich(req enrichmentRequest) enrichmentResponse { } } +// --- Bundle Auto-Loader --- + +// detectMediaType inspects YAML content for top-level keys to determine the Gemara layer type. +func detectMediaType(data []byte) string { + scanner := bufio.NewScanner(bytes.NewReader(data)) + for scanner.Scan() { + line := scanner.Text() + if strings.HasPrefix(line, "guidelines:") { + return gemaraGuidanceType + } + if strings.HasPrefix(line, "controls:") { + return gemaraCatalogType + } + if strings.HasPrefix(line, "adherence:") { + return gemaraPolicyType + } + } + return gemaraCatalogType +} + +// loadBundlesFromDir reads each subdirectory under bundleRoot as an OCI artifact bundle. +// The subdirectory name becomes the bundle portion of the OCI repo path (e.g., "policies/{name}"). +func (s *contentStore) loadBundlesFromDir() { + entries, err := seedData.ReadDir(bundleRoot) + if err != nil { + log.Fatalf("failed to read bundle root %q: %v", bundleRoot, err) + } + + for _, entry := range entries { + if !entry.IsDir() { + continue + } + bundleName := entry.Name() + bundlePath := path.Join(bundleRoot, bundleName) + repoName := "policies/" + bundleName + + files, err := seedData.ReadDir(bundlePath) + if err != nil { + log.Fatalf("failed to read bundle %q: %v", bundlePath, err) + } + + var layers []layerDef + for _, f := range files { + if f.IsDir() || !strings.HasSuffix(f.Name(), ".yaml") { + continue + } + filePath := path.Join(bundlePath, f.Name()) + data, err := seedData.ReadFile(filePath) + if err != nil { + log.Fatalf("failed to read %q: %v", filePath, err) + } + mediaType := detectMediaType(data) + layers = append(layers, layerDef{mediaType: mediaType, data: data}) + } + + if len(layers) > 0 { + s.addArtifact(repoName, []string{"v1.0.0", "latest"}, layers) + log.Printf("loaded bundle %q (%d layers)", repoName, len(layers)) + } + } +} + // --- Seed Data --- func (s *contentStore) seedDefaults() { 
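Review bot: detectMediaType never checks `scanner.Err()` after the loop, so a read failure or a line over bufio.Scanner's default 64 KiB token limit ends the scan early and the function silently falls through to `gemaraCatalogType`; the same default is returned for a file containing none of the three keys, which would tag a malformed fixture as a catalog instead of failing the way the rest of the loader does. Since loadBundlesFromDir already treats fixture problems as fatal, the fallback can do the same: `if err := scanner.Err(); err != nil { log.Fatalf("scanning yaml for layer type: %v", err) }` and `log.Fatalf("no top-level guidelines:/controls:/adherence: key found")` in place of the default return. The renamed and new fixtures in this commit all carry a `metadata.type` value (ControlCatalog, GuidanceCatalog, Policy), which would presumably be a less brittle discriminator than key sniffing, worth confirming against the gemara schema. A bundle directory with no `.yaml` files is skipped without any log line; a `log.Printf("skipping empty bundle %q", repoName)` there would make a missing-fixture problem visible at startup.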
@@ -601,34 +668,8 @@ guidelines: `)}, }) - // policies/cis-fedora-l1-workstation — real CIS Fedora L1 Workstation data - // sourced from ComplianceAsCode/oscal-content component-definitions - cisCatalog, err := seedData.ReadFile("testdata/cis-fedora-l1-workstation-catalog.yaml") - if err != nil { - log.Fatalf("failed to load CIS Fedora catalog seed data: %v", err) - } - cisPolicy, err := seedData.ReadFile("testdata/cis-fedora-l1-workstation-policy.yaml") - if err != nil { - log.Fatalf("failed to load CIS Fedora policy seed data: %v", err) - } - s.addArtifact("policies/cis-fedora-l1-workstation", []string{"v1.0.0", "latest"}, []layerDef{ - {mediaType: gemaraCatalogType, data: cisCatalog}, - {mediaType: gemaraPolicyType, data: cisPolicy}, - }) - - // policies/ampel-branch-protection — AMPEL branch protection controls - ampelCatalog, err := seedData.ReadFile("testdata/ampel-branch-protection-catalog.yaml") - if err != nil { - log.Fatalf("failed to load AMPEL branch protection catalog seed data: %v", err) - } - ampelPolicy, err := seedData.ReadFile("testdata/ampel-branch-protection-policy.yaml") - if err != nil { - log.Fatalf("failed to load AMPEL branch protection policy seed data: %v", err) - } - s.addArtifact("policies/ampel-branch-protection", []string{"v1.0.0", "latest"}, []layerDef{ - {mediaType: gemaraCatalogType, data: ampelCatalog}, - {mediaType: gemaraPolicyType, data: ampelPolicy}, - }) + // Auto-load all policy bundles from testdata/policies/ + s.loadBundlesFromDir() // Enrichment mappings s.enrichments["OPA:deny-root-user"] = &enrichmentMapping{ diff --git a/cmd/mock-oci-registry/testdata/ampel-branch-protection-catalog.yaml b/cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/catalog.yaml similarity index 97% rename from cmd/mock-oci-registry/testdata/ampel-branch-protection-catalog.yaml rename to cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/catalog.yaml index 614e53f0..7aed0787 100644 
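Review bot: The removed block built `policies/cis-fedora-l1-workstation` from `testdata/cis-fedora-l1-workstation-catalog.yaml` and `-policy.yaml`, but none of the hunks in view moves those files under `testdata/policies/`, and the new `cis-fedora-l1-server` bundle is a different repo name. If the workstation files are not relocated elsewhere in this commit, `loadBundlesFromDir` never picks them up and any client or test pinned to `policies/cis-fedora-l1-workstation` stops resolving. The auto-loader also orders layers by file name where the old code listed catalog before policy explicitly; `catalog.yaml`, `guidance-*.yaml` and `policy.yaml` happen to sort in that order, so a sentence on the loadBundlesFromDir doc comment stating that layer order follows embed.FS file-name order would help anyone adding a bundle. seedDefaults begins before this hunk.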
--- a/cmd/mock-oci-registry/testdata/ampel-branch-protection-catalog.yaml +++ b/cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/catalog.yaml @@ -1,6 +1,8 @@ title: Branch Protection Controls metadata: id: repo-branch-protection + type: ControlCatalog + gemara-version: "0.1.0" description: Branch protection controls for GitHub/GitLab repositories author: id: complytime diff --git a/cmd/mock-oci-registry/testdata/ampel-branch-protection-policy.yaml b/cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/policy.yaml similarity index 76% rename from cmd/mock-oci-registry/testdata/ampel-branch-protection-policy.yaml rename to cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/policy.yaml index 5c77d05c..521d58fa 100644 --- a/cmd/mock-oci-registry/testdata/ampel-branch-protection-policy.yaml +++ b/cmd/mock-oci-registry/testdata/policies/ampel-branch-protection/policy.yaml @@ -1,6 +1,8 @@ title: AMPEL Branch Protection Policy metadata: id: ampel-branch-protection-policy + type: Policy + gemara-version: "0.1.0" description: Automated evaluation policy for branch protection controls using AMPEL author: id: complytime @@ -28,7 +30,7 @@ imports: - reference-id: repo-branch-protection adherence: evaluation-methods: - - type: automated + - type: Automated description: AMPEL automated branch protection evaluation executor: id: ampel 
@@ -39,34 +41,44 @@ adherence: requirement-id: BP-1.01 frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: ampel + name: AMPEL + type: Software - id: BP-2.01 requirement-id: BP-2.01 frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: ampel + name: AMPEL + type: Software - id: BP-3.01 requirement-id: BP-3.01 frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: ampel + name: AMPEL + type: Software - id: BP-4.01 requirement-id: BP-4.01 frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: ampel + name: AMPEL + type: Software - id: BP-5.01 requirement-id: BP-5.01 frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: ampel + name: AMPEL + type: Software diff --git a/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/catalog.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/catalog.yaml new file mode 100644 index 00000000..5dfa0388 --- /dev/null +++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/catalog.yaml 
@@ -0,0 +1,217 @@ +title: Linux VM Security Controls Catalog +metadata: + id: linux-vm-security-catalog + type: ControlCatalog + gemara-version: "0.1.0" + version: "1.0.0" + description: >- + A control catalog for Linux virtual machine security that unifies requirements + from the CIS Fedora Server Level 1 Benchmark and the FINOS Common Cloud Controls + framework. Controls are scoped to three areas: audit logging, access control, and + cryptographic policy. Each control contains assessment requirements that can be + evaluated via OpenSCAP using the complyctl toolchain. + author: + id: complytime-demos + name: ComplyTime Demos + type: Human + mapping-references: + - id: cis-fedora-guidance + title: CIS Fedora Server L1 Guidance Catalog + version: "1.0.0" + description: Gemara Layer 1 guidance derived from CIS Fedora Server L1 Benchmark + - id: finos-ccc-guidance + title: FINOS CCC VM Security Guidance Catalog + version: "1.0.0" + description: Gemara Layer 1 guidance derived from FINOS Common Cloud Controls + - id: cis-fedora + title: CIS Fedora Linux Benchmark + version: "Draft" + description: CIS Benchmark for Fedora Linux based on CIS Fedora 40 Branch Benchmark + url: https://workbench.cisecurity.org/benchmarks/20722 + - id: finos-ccc + title: FINOS Common Cloud Controls + version: "2025.10" + description: Open standard for cloud security controls + url: https://ccc.finos.org + - id: openscap-ssg + title: SCAP Security Guide - Fedora + version: "latest" + description: ComplianceAsCode content for Fedora Linux + url: https://github.com/ComplianceAsCode/content +families: + - id: AUDIT + title: Audit and Logging + description: >- + Controls ensuring comprehensive audit logging of security-relevant events + including access attempts, authentication, and system changes. + - id: ACCESS + title: Access Control + description: >- + Controls enforcing least-privilege access, restricting unauthorized entities, + and hardening remote access interfaces. 
+ - id: CRYPTO + title: Cryptographic Standards + description: >- + Controls enforcing approved cryptographic algorithms and policies across + all system services and data protection mechanisms. +controls: + - id: LVMS-AUDIT-01 + title: Audit Service and Event Logging + objective: >- + Ensure that the system audit subsystem is installed, enabled, and configured + with rules to capture all access attempts, login events, session initiation, + and configuration changes. + family: AUDIT + assessment-requirements: + - id: package_audit_installed + text: The audit package MUST be installed on the system. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 5.1.1. Maps to CCC.Core.CN04. + - id: service_auditd_enabled + text: The auditd service MUST be enabled and running. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 5.1.2. Maps to CCC.Core.CN04. + - id: grub2_audit_argument + text: >- + Auditing MUST be enabled for processes that start prior to the + audit daemon. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 5.1.3. + - id: grub2_audit_backlog_limit_argument + text: >- + The audit backlog limit MUST be sufficient to prevent event loss. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 5.1.4. + - id: audit_rules_login_events + text: The system MUST record login and logout events. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + - All deployment environments + recommendation: >- + CIS Fedora section 5.2.x. Maps to CCC.Core.CN04.AR01. + - id: audit_rules_login_events_faillock + text: The system MUST record failed login attempts via faillock. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + - All deployment environments + recommendation: >- + CIS Fedora section 5.2.x. Maps to CCC.Core.CN04.AR01. 
+ - id: audit_rules_login_events_lastlog + text: The system MUST record last login information. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + - All deployment environments + recommendation: >- + CIS Fedora section 5.2.x. Maps to CCC.Core.CN04.AR01. + - id: audit_rules_session_events + text: >- + The system MUST record session initiation information including + utmp, wtmp, and btmp events. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 5.2.x. Maps to CCC.Core.CN04.AR02. + - id: LVMS-ACCESS-01 + title: SSH Access Control and Hardening + objective: >- + Harden the SSH server to prevent unauthorized access by disabling root login, + enforcing session timeouts, restricting file permissions, and ensuring SSH + follows the system-wide cryptographic policy. + family: ACCESS + assessment-requirements: + - id: sshd_disable_root_login + text: >- + SSH root login MUST be disabled to enforce role-based access and + prevent direct administrative access from untrusted entities. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + - All deployment environments + recommendation: >- + CIS Fedora section 4.2.x. Maps to CCC.Core.CN05.AR02. + - id: sshd_set_idle_timeout + text: >- + SSH sessions MUST be configured with an idle timeout to automatically + terminate inactive connections and prevent session hijacking. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 4.2.x. Maps to CCC.Core.CN05.AR06. + - id: file_permissions_sshd_config + text: >- + SSH server configuration files MUST have restricted permissions. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 4.2.x. + - id: file_owner_sshd_config + text: >- + SSH server configuration files MUST be owned by root. 
+ applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 4.2.x. + - id: file_groupowner_sshd_config + text: >- + SSH server configuration files MUST be group-owned by root. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 4.2.x. + - id: configure_ssh_crypto_policy + text: >- + SSH MUST follow the system-wide cryptographic policy to ensure only + approved ciphers and algorithms are used for remote access. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora section 4.2.x. Maps to CCC.Core.CN05.AR01. + - id: LVMS-CRYPTO-01 + title: System-wide Cryptographic Policy + objective: >- + Enforce a system-wide cryptographic policy that eliminates legacy algorithms, + mandates approved ciphers and MACs, and ensures consistent cryptographic + standards across all system services for both data at rest and in transit. + family: CRYPTO + assessment-requirements: + - id: configure_crypto_policy + text: >- + The system-wide cryptographic policy MUST NOT be set to LEGACY and MUST + enforce a minimum standard that disables deprecated algorithms. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + - All deployment environments + recommendation: >- + CIS Fedora section 1.6.1. Maps to CCC.Core.CN02. + - id: configure_custom_crypto_policy_cis + text: >- + The system MUST use a CIS-compliant custom cryptographic policy that + disables SHA-1 hash and signature support, configures approved MACs, + and disables CBC mode for SSH connections. + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + recommendation: >- + CIS Fedora sections 1.6.1-1.6.4. Maps to CCC.Core.CN11. 
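Review bot: The catalog's `mapping-references` entries `cis-fedora-guidance` and `finos-ccc-guidance` do not match the `metadata.id` values of the guidance files shipped in the same bundle, which are `cis-fedora-server-l1-guidance` and `finos-ccc-vm-guidance`. The bundle's policy.yaml references this catalog by its exact `metadata.id` (`linux-vm-security-catalog`) in both `mapping-references` and `imports.catalogs`, so the two guidance references here look like they should follow the same convention. If a reference id is meant to resolve to the guidance document, either rename the two entries to the guidance ids or align the guidance `metadata.id` values; which side the gemara schema expects is worth confirming before the ids are relied on by a resolver.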
diff --git a/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-cis-fedora-server-l1.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-cis-fedora-server-l1.yaml
new file mode 100644
index 00000000..f18c340a
--- /dev/null
+++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-cis-fedora-server-l1.yaml
@@ -0,0 +1,222 @@ +title: CIS Fedora Linux Benchmark - Server Level 1 Guidance +metadata: + id: cis-fedora-server-l1-guidance + type: GuidanceCatalog + gemara-version: "0.1.0" + version: "1.0.0" + description: >- + Guidance catalog derived from the CIS Fedora Linux Benchmark for Level 1 - Server. + This subset focuses on three critical security domains: audit logging, access control, + and cryptographic policy. These guidelines map to specific OpenSCAP rules from the + ComplianceAsCode cis_server_l1 profile for Fedora. + author: + id: complytime-demos + name: ComplyTime Demos + type: Human + mapping-references: + - id: cis-fedora + title: CIS Fedora Linux Benchmark + version: "Draft" + description: CIS Benchmark for Fedora Linux based on CIS Fedora 40 Branch Benchmark + url: https://workbench.cisecurity.org/benchmarks/20722 + - id: openscap-ssg + title: SCAP Security Guide - Fedora + version: "latest" + description: ComplianceAsCode content for Fedora Linux + url: https://github.com/ComplianceAsCode/content + draft: true +type: Best Practice +front-matter: >- + This guidance catalog captures key security recommendations from the CIS Fedora Linux + Benchmark (Level 1 - Server). It is scoped to three areas that are commonly required + across multiple compliance frameworks: audit logging, access control and authentication, + and system-wide cryptographic policy. Each guideline references concrete OpenSCAP rules + that can be evaluated automatically using the complyctl toolchain. +families: + - id: AUDIT + title: Audit and Logging + description: >- + Guidelines related to system audit configuration, ensuring that security-relevant + events are captured, stored, and protected from tampering. + - id: ACCESS + title: Access Control and Authentication + description: >- + Guidelines related to restricting system access to authorized entities, including + SSH server hardening and authentication configuration. 
+ - id: CRYPTO + title: Cryptographic Policy + description: >- + Guidelines related to system-wide cryptographic standards, ensuring that only + approved algorithms and protocols are permitted. +guidelines: + - id: CIS-AUDIT-SERVICE + title: Ensure audit services are enabled and configured + objective: >- + Guarantee that the Linux audit subsystem (auditd) is installed, enabled, and + actively collecting security-relevant events on the system. + family: AUDIT + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + rationale: + importance: >- + The audit daemon provides the foundation for all system-level audit logging. + Without auditd running, no kernel-level audit events will be captured, + leaving the system blind to unauthorized access attempts and configuration changes. + goals: + - Capture all security-relevant system events + - Maintain an audit trail for forensic analysis and compliance reporting + - Detect unauthorized access and configuration changes + recommendations: + - Install the audit package and enable the auditd service via systemctl + - Configure audit to start before other services using grub audit=1 parameter + - Ensure audit backlog limit is sufficient for system workload + statements: + - id: CIS-AUDIT-SERVICE.01 + title: Audit package installation + text: The audit package MUST be installed on the system. + recommendations: + - "OpenSCAP rule: package_audit_installed" + - id: CIS-AUDIT-SERVICE.02 + title: Audit service enablement + text: The auditd service MUST be enabled and running. + recommendations: + - "OpenSCAP rule: service_auditd_enabled" + - id: CIS-AUDIT-SERVICE.03 + title: Pre-auditd audit logging + text: Auditing MUST be enabled for processes that start prior to auditd. + recommendations: + - "OpenSCAP rule: grub2_audit_argument" + - id: CIS-AUDIT-SERVICE.04 + title: Audit backlog limit + text: The audit backlog limit MUST be sufficient to avoid lost events. 
+ recommendations: + - "OpenSCAP rule: grub2_audit_backlog_limit_argument" + see-also: + - CIS-AUDIT-EVENTS + - id: CIS-AUDIT-EVENTS + title: Ensure audit rules capture access and change events + objective: >- + Configure audit rules to record login events, session initiation, and + changes to critical system files, ensuring a complete audit trail + of access and modifications. + family: AUDIT + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + rationale: + importance: >- + Without specific audit rules, auditd will not capture the events necessary + to detect unauthorized access or changes. Audit rules must target login + attempts, session creation, and modification of identity-related files. + goals: + - Record all authentication and login events + - Capture session initiation and termination + - Track changes to user and group management files + recommendations: + - Configure audit rules for /var/log/lastlog, /var/run/faillock, and /var/log/tallylog + - Configure audit rules for /var/run/utmp, /var/log/wtmp, and /var/log/btmp + statements: + - id: CIS-AUDIT-EVENTS.01 + title: Login and logout event recording + text: The system MUST record all login and logout events. + recommendations: + - "OpenSCAP rule: audit_rules_login_events" + - "OpenSCAP rule: audit_rules_login_events_faillock" + - "OpenSCAP rule: audit_rules_login_events_lastlog" + - id: CIS-AUDIT-EVENTS.02 + title: Session initiation recording + text: The system MUST record session initiation information. 
+ recommendations: + - "OpenSCAP rule: audit_rules_session_events" + - "OpenSCAP rule: audit_rules_session_events_utmp" + - "OpenSCAP rule: audit_rules_session_events_wtmp" + - "OpenSCAP rule: audit_rules_session_events_btmp" + see-also: + - CIS-AUDIT-SERVICE + - id: CIS-ACCESS-SSH + title: Ensure SSH server is hardened against unauthorized access + objective: >- + Harden the OpenSSH server configuration to prevent unauthorized access, + enforce strong authentication, and limit exposure to brute-force attacks. + family: ACCESS + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + rationale: + importance: >- + SSH is the primary remote access mechanism for Linux servers. Misconfigured + SSH allows root login, weak authentication, and stale sessions that can be + exploited by attackers to gain persistent unauthorized access. + goals: + - Prevent direct root login over SSH + - Enforce idle session timeouts + - Restrict SSH access to approved authentication methods + - Ensure SSH follows system-wide cryptographic policy + recommendations: + - Disable root login in sshd_config + - Set ClientAliveInterval and ClientAliveCountMax for session timeouts + - Ensure SSH is configured to use the system crypto policy + - Restrict SSH access using AllowUsers or AllowGroups directives + statements: + - id: CIS-ACCESS-SSH.01 + title: Root login disabled + text: SSH root login MUST be disabled. + recommendations: + - "OpenSCAP rule: sshd_disable_root_login" + - id: CIS-ACCESS-SSH.02 + title: SSH idle timeout + text: SSH sessions MUST be configured with an idle timeout interval. + recommendations: + - "OpenSCAP rule: sshd_set_idle_timeout" + - "OpenSCAP rule: sshd_idle_timeout_value=5_minutes" + - id: CIS-ACCESS-SSH.03 + title: SSH permissions on config + text: SSH server configuration files MUST have restricted permissions. 
+ recommendations: + - "OpenSCAP rule: file_permissions_sshd_config" + - "OpenSCAP rule: file_owner_sshd_config" + - "OpenSCAP rule: file_groupowner_sshd_config" + - id: CIS-ACCESS-SSH.04 + title: SSH crypto policy + text: SSH MUST follow the system-wide cryptographic policy. + recommendations: + - "OpenSCAP rule: configure_ssh_crypto_policy" + - id: CIS-CRYPTO-POLICY + title: Ensure system-wide cryptographic policy enforces approved standards + objective: >- + Configure the system-wide cryptographic policy to disable legacy algorithms, + enforce approved ciphers and MACs, and ensure all cryptographic operations + across the system meet minimum security standards. + family: CRYPTO + applicability: + - Fedora Linux servers + - CIS Level 1 - Server + rationale: + importance: >- + A weak or legacy cryptographic policy exposes the system to downgrade attacks, + where attackers force the use of broken algorithms. The system-wide crypto + policy in Fedora controls all TLS, SSH, and disk encryption cipher selections, + making it a single point of enforcement for cryptographic standards. + goals: + - Eliminate use of legacy or deprecated cryptographic algorithms + - Enforce minimum cipher strength across all system services + - Ensure consistent cryptographic posture for data in transit and at rest + recommendations: + - Set system-wide crypto policy to at least DEFAULT (never LEGACY) + - Apply CIS-specific crypto policy submodule to disable SHA-1, CBC for SSH + - Verify crypto policy is applied to all relevant subsystems + statements: + - id: CIS-CRYPTO-POLICY.01 + title: No legacy crypto policy + text: The system-wide cryptographic policy MUST NOT be set to LEGACY. + recommendations: + - "OpenSCAP rule: configure_crypto_policy" + - id: CIS-CRYPTO-POLICY.02 + title: CIS custom crypto policy + text: >- + The system MUST use a custom cryptographic policy that disables SHA-1 + hash and signature support, configures approved MACs, and disables + CBC mode for SSH. 
+ recommendations:
+ - "OpenSCAP rule: configure_custom_crypto_policy_cis"
diff --git a/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-finos-ccc-vm.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-finos-ccc-vm.yaml
new file mode 100644
index 00000000..9517e640
--- /dev/null
+++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/guidance-finos-ccc-vm.yaml
@@ -0,0 +1,198 @@ +title: FINOS Common Cloud Controls - VM Security Guidance +metadata: + id: finos-ccc-vm-guidance + type: GuidanceCatalog + gemara-version: "0.1.0" + version: "1.0.0" + description: >- + Guidance catalog derived from the FINOS Common Cloud Controls (CCC) framework, + scoped to the Virtual Machines (CCC.VM) and Core (CCC.Core) components. + This subset focuses on three areas that overlap with CIS Linux benchmarks: + access and change logging, access control for untrusted entities, and + data encryption at rest. + author: + id: complytime-demos + name: ComplyTime Demos + type: Human + mapping-references: + - id: finos-ccc + title: FINOS Common Cloud Controls + version: "2025.10" + description: >- + Open standard for consistent cybersecurity, resiliency, and compliance + controls for cloud deployments, maintained by the FINOS project. + url: https://ccc.finos.org + - id: finos-ccc-vm + title: FINOS CCC Virtual Machines Component + version: "DEV" + description: Controls specific to virtual machine cloud services + url: https://ccc.finos.org/ccc/CCC.VM + draft: true +type: Framework +front-matter: >- + This guidance catalog captures recommendations from the FINOS Common Cloud Controls + framework relevant to virtual machine security. FINOS CCC provides technology-neutral + controls for cloud services; this subset distills the guidance applicable to Linux VM + security posture into three families that map naturally to OS-level compliance checks: + logging and monitoring, identity and access management, and data protection. +families: + - id: LOG-MON + title: Logging and Monitoring + description: >- + Guidelines for ensuring comprehensive logging of access attempts, + configuration changes, and data operations to maintain audit trails. + - id: IAM + title: Identity and Access Management + description: >- + Guidelines for enforcing least-privilege access, restricting unauthorized + entities, and securing authentication mechanisms. 
+ - id: DATA + title: Data Protection + description: >- + Guidelines for protecting data confidentiality and integrity through + encryption and approved cryptographic standards. +guidelines: + - id: CCC-LOG-ACCESS-CHANGES + title: Log all access attempts and configuration changes + objective: >- + Ensure that all access attempts and configuration changes to the service and + its resources are logged with sufficient detail for security monitoring and + compliance auditing. + family: LOG-MON + applicability: + - Cloud virtual machines + - Linux server instances + - All deployment environments + rationale: + importance: >- + Comprehensive logging is the foundation of security monitoring and incident + response. Without logs capturing who accessed what and when, organizations + cannot detect unauthorized access, investigate incidents, or demonstrate + compliance with regulatory requirements. + goals: + - Maintain a complete audit trail of all access and change events + - Enable real-time security monitoring and alerting + - Support forensic investigation and compliance reporting + recommendations: + - Enable system audit daemon to capture kernel-level access events + - Configure audit rules to record authentication, authorization, and modification events + - Ensure logs capture client identity, timestamp, and operation result + - Protect log integrity by restricting write access to the logging subsystem + statements: + - id: CCC-LOG-ACCESS-CHANGES.01 + title: Administrative access logging + text: >- + When administrative access or configuration change is attempted on the + service or a child resource, the service MUST log the client identity, + time, and result of the attempt. + recommendations: + - Derived from CCC.Core.CN04.AR01 + - id: CCC-LOG-ACCESS-CHANGES.02 + title: Data modification logging + text: >- + When any attempt is made to modify data on the service or a child + resource, the service MUST log the client identity, time, and result + of the attempt. 
+ recommendations: + - Derived from CCC.Core.CN04.AR02 + - id: CCC-LOG-ACCESS-CHANGES.03 + title: Data read logging + text: >- + When any attempt is made to read data on the service or a child + resource, the service MUST log the client identity, time, and result + of the attempt. + recommendations: + - Derived from CCC.Core.CN04.AR03 + see-also: + - CCC-PREVENT-UNTRUSTED-ACCESS + - id: CCC-PREVENT-UNTRUSTED-ACCESS + title: Prevent access from untrusted entities + objective: >- + Ensure that secure access controls enforce the principle of least privilege + to restrict access to authorized entities from explicitly trusted sources only. + family: IAM + applicability: + - Cloud virtual machines + - Linux server instances + - All deployment environments + rationale: + importance: >- + Unrestricted access to virtual machines allows unauthorized entities to + read or modify data, change configurations, or use the system as a + pivot point for lateral movement. Enforcing least privilege and blocking + untrusted sources is essential for protecting the system and its data. + goals: + - Restrict access to explicitly authorized entities only + - Block requests from unauthorized sources at all service interfaces + - Prevent information leakage to unauthorized requestors + recommendations: + - Disable direct root access to enforce role-based access + - Configure SSH to reject connections from unauthorized entities + - Enforce session timeouts to limit exposure from abandoned sessions + - Restrict remote access interfaces with network-level controls + statements: + - id: CCC-PREVENT-UNTRUSTED-ACCESS.01 + title: Block unauthorized data modification + text: >- + When an attempt is made to modify data on the service or a child + resource, the service MUST block requests from unauthorized entities. 
+ recommendations: + - Derived from CCC.Core.CN05.AR01 + - id: CCC-PREVENT-UNTRUSTED-ACCESS.02 + title: Refuse unauthorized administrative access + text: >- + When administrative access or configuration change is attempted on the + service or a child resource, the service MUST refuse requests from + unauthorized entities. + recommendations: + - Derived from CCC.Core.CN05.AR02 + - id: CCC-PREVENT-UNTRUSTED-ACCESS.03 + title: Refuse all unauthorized requests + text: >- + When any request is made to the service or a child resource, the + service MUST refuse requests from unauthorized entities. + recommendations: + - Derived from CCC.Core.CN05.AR06 + see-also: + - CCC-LOG-ACCESS-CHANGES + - id: CCC-ENCRYPT-DATA-STORAGE + title: Encrypt data at rest using approved cryptographic standards + objective: >- + Ensure that all data stored on the system is protected using strong, + approved cryptographic algorithms and that the system-wide cryptographic + policy enforces minimum standards for all encryption operations. + family: DATA + applicability: + - Cloud virtual machines + - Linux server instances + - All deployment environments + rationale: + importance: >- + Data stored without encryption is vulnerable to unauthorized access if + physical or logical access controls are bypassed. A strong system-wide + cryptographic policy ensures that all encryption operations, whether for + data at rest, in transit, or in memory, use approved algorithms that + resist known attacks. 
+ goals: + - Protect stored data from unauthorized access through encryption + - Enforce minimum cryptographic standards across all system services + - Eliminate use of deprecated or weak cryptographic algorithms + recommendations: + - Configure system-wide cryptographic policy to enforce approved algorithms + - Disable legacy and weak cipher suites including SHA-1 and CBC for SSH + - Ensure all cryptographic subsystems (TLS, SSH, disk) follow the policy + statements: + - id: CCC-ENCRYPT-DATA-STORAGE.01 + title: Approved encryption algorithms + text: >- + The system MUST use industry-standard cryptographic algorithms for all + encryption operations, including data storage and transport. + recommendations: + - Derived from CCC.Core.CN02 objective + - id: CCC-ENCRYPT-DATA-STORAGE.02 + title: No legacy cryptographic algorithms + text: >- + The system MUST NOT permit the use of deprecated or legacy cryptographic + algorithms that are known to be vulnerable. + recommendations: + - Derived from CCC.Core.CN11 objective regarding approved algorithms diff --git a/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/policy.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/policy.yaml new file mode 100644 index 00000000..25b1d837 --- /dev/null +++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-server/policy.yaml 
@@ -0,0 +1,190 @@
+title: Linux VM Compliance Policy - CIS Fedora Server L1 and FINOS CCC
+metadata:
+ id: linux-vm-compliance-policy
+ type: Policy
+ gemara-version: "0.1.0"
+ version: "1.0.0"
+ description: >-
+ Organization policy for assessing Linux virtual machines against a unified set of
+ security controls derived from the CIS Fedora Server Level 1 Benchmark and the
+ FINOS Common Cloud Controls framework. This policy defines assessment plans that
+ leverage OpenSCAP via the complyctl toolchain to evaluate audit logging, access
+ control, and cryptographic policy compliance.
+ author:
+ id: complytime-demos
+ name: ComplyTime Demos
+ type: Human
+ mapping-references:
+ - id: linux-vm-security-catalog
+ title: Linux VM Security Controls Catalog
+ version: "1.0.0"
+ description: Gemara Layer 2 control catalog for Linux VM security
+contacts:
+ responsible:
+ - name: Platform Engineering Team
+ accountable:
+ - name: Chief Information Security Officer
+scope:
+ in:
+ technologies:
+ - Linux Virtual Machines
+ - Fedora
+imports:
+ catalogs:
+ - reference-id: linux-vm-security-catalog
+adherence:
+ evaluation-methods:
+ - type: Automated
+ description: OpenSCAP automated compliance evaluation
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ assessment-plans:
+ # --- AUDIT: LVMS-AUDIT-01 ---
+ - id: package_audit_installed
+ requirement-id: package_audit_installed
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: service_auditd_enabled
+ requirement-id: service_auditd_enabled
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: grub2_audit_argument
+ requirement-id: grub2_audit_argument
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: grub2_audit_backlog_limit_argument
+ requirement-id:
grub2_audit_backlog_limit_argument
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: audit_rules_login_events
+ requirement-id: audit_rules_login_events
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: audit_rules_login_events_faillock
+ requirement-id: audit_rules_login_events_faillock
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: audit_rules_login_events_lastlog
+ requirement-id: audit_rules_login_events_lastlog
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: audit_rules_session_events
+ requirement-id: audit_rules_session_events
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ # --- ACCESS: LVMS-ACCESS-01 ---
+ - id: sshd_disable_root_login
+ requirement-id: sshd_disable_root_login
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: sshd_set_idle_timeout
+ requirement-id: sshd_set_idle_timeout
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: file_permissions_sshd_config
+ requirement-id: file_permissions_sshd_config
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: file_owner_sshd_config
+ requirement-id: file_owner_sshd_config
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: file_groupowner_sshd_config
+ requirement-id: file_groupowner_sshd_config
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+
executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: configure_ssh_crypto_policy
+ requirement-id: configure_ssh_crypto_policy
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ # --- CRYPTO: LVMS-CRYPTO-01 ---
+ - id: configure_crypto_policy
+ requirement-id: configure_crypto_policy
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
+ - id: configure_custom_crypto_policy_cis
+ requirement-id: configure_custom_crypto_policy_cis
+ frequency: on-demand
+ evaluation-methods:
+ - type: Automated
+ executor:
+ id: openscap
+ name: OpenSCAP
+ type: Software
diff --git a/cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-catalog.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/catalog.yaml
similarity index 73%
rename from cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-catalog.yaml
rename to cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/catalog.yaml
index efc04ff1..8d5f185a 100644
--- a/cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-catalog.yaml
+++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/catalog.yaml
@@ -1,6 +1,8 @@ title: CIS Fedora Linux - Level 1 Workstation metadata: id: cis-fedora-l1-workstation + type: ControlCatalog + gemara-version: "0.1.0" description: Control catalog derived from the CIS Fedora Linux Level 1 Workstation Benchmark author: id: complytime
@@ -37,7 +39,7 @@ controls: objective: Ensure Cramfs Kernel Module Is Not Available family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.1.1-ar + - id: kernel_module_cramfs_disabled text: Cramfs Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux
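Review bot: The `requirement-id` values under `assessment-plans` (`package_audit_installed`, `sshd_disable_root_login`, `configure_crypto_policy`, …) must resolve to `assessment-requirements` ids in the imported `linux-vm-security-catalog`, but that catalog is not visible in this diff and the catalog tail shown just above uses statement ids of the form `CCC-ENCRYPT-DATA-STORAGE.01`, so the patch alone does not show that the references resolve; a comment above `assessment-plans:` such as `# requirement-ids are the catalog's assessment-requirement ids, which appear to mirror the OpenSCAP rule ids complyctl evaluates` would document the contract. The group comments `# --- AUDIT: LVMS-AUDIT-01 ---`, `# --- ACCESS: LVMS-ACCESS-01 ---` and `# --- CRYPTO: LVMS-CRYPTO-01 ---` name control ids that occur nowhere else in this file, so they presumably refer to controls in that catalog and should say so. On style, every plan repeats the same five-line `evaluation-methods` block that is already declared once at `adherence.evaluation-methods`; if the consumer's YAML parser honours anchors, an `&openscap` anchor on that entry and `evaluation-methods: [*openscap]` per plan would remove most of the duplication.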
@@ -46,7 +48,7 @@ controls: objective: Ensure Freevxfs Kernel Module Is Not Available family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.1.2-ar + - id: kernel_module_freevxfs_disabled text: Freevxfs Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux @@ -55,7 +57,7 @@ controls: objective: Ensure Hfs Kernel Module Is Not Available family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.1.3-ar + - id: kernel_module_hfs_disabled text: Hfs Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux @@ -64,7 +66,7 @@ controls: objective: Ensure Hfsplus Kernel Module Is Not Available family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.1.4-ar + - id: kernel_module_hfsplus_disabled text: Hfsplus Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux @@ -73,7 +75,7 @@ controls: objective: Ensure Jffs2 Kernel Module Is Not Available family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.1.5-ar + - id: kernel_module_jffs2_disabled text: Jffs2 Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux @@ -82,7 +84,7 @@ controls: objective: CIS Fedora 1 - 1.2.1.1 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.1.1-ar + - id: partition_for_tmp text: CIS Fedora 1 - 1.2.1.1 MUST be verified applicability: - Fedora Linux @@ -91,7 +93,7 @@ controls: objective: CIS Fedora 1 - 1.2.1.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.1.2-ar + - id: mount_option_tmp_nodev text: CIS Fedora 1 - 1.2.1.2 MUST be verified applicability: - Fedora Linux @@ -100,7 +102,7 @@ controls: objective: CIS Fedora 1 - 1.2.1.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.1.3-ar + - id: mount_option_tmp_nosuid text: CIS Fedora 1 - 1.2.1.3 MUST be verified applicability: - Fedora Linux 
@@ -109,7 +111,7 @@ controls: objective: CIS Fedora 1 - 1.2.1.4 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.1.4-ar + - id: mount_option_tmp_noexec text: CIS Fedora 1 - 1.2.1.4 MUST be verified applicability: - Fedora Linux @@ -118,7 +120,7 @@ controls: objective: CIS Fedora 1 - 1.2.2.1 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.2.1-ar + - id: partition_for_dev_shm text: CIS Fedora 1 - 1.2.2.1 MUST be verified applicability: - Fedora Linux @@ -127,7 +129,7 @@ controls: objective: CIS Fedora 1 - 1.2.2.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.2.2-ar + - id: mount_option_dev_shm_nodev text: CIS Fedora 1 - 1.2.2.2 MUST be verified applicability: - Fedora Linux @@ -136,7 +138,7 @@ controls: objective: CIS Fedora 1 - 1.2.2.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.2.3-ar + - id: mount_option_dev_shm_nosuid text: CIS Fedora 1 - 1.2.2.3 MUST be verified applicability: - Fedora Linux @@ -145,7 +147,7 @@ controls: objective: CIS Fedora 1 - 1.2.2.4 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.2.4-ar + - id: mount_option_dev_shm_noexec text: CIS Fedora 1 - 1.2.2.4 MUST be verified applicability: - Fedora Linux @@ -154,7 +156,7 @@ controls: objective: CIS Fedora 1 - 1.2.3.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.3.2-ar + - id: mount_option_home_nodev text: CIS Fedora 1 - 1.2.3.2 MUST be verified applicability: - Fedora Linux @@ -163,7 +165,7 @@ controls: objective: CIS Fedora 1 - 1.2.3.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.3.3-ar + - id: mount_option_home_nosuid text: CIS Fedora 1 - 1.2.3.3 MUST be verified applicability: - Fedora Linux 
@@ -172,7 +174,7 @@ controls: objective: CIS Fedora 1 - 1.2.4.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.4.2-ar + - id: mount_option_var_nodev text: CIS Fedora 1 - 1.2.4.2 MUST be verified applicability: - Fedora Linux @@ -181,7 +183,7 @@ controls: objective: CIS Fedora 1 - 1.2.4.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.4.3-ar + - id: mount_option_var_nosuid text: CIS Fedora 1 - 1.2.4.3 MUST be verified applicability: - Fedora Linux @@ -190,7 +192,7 @@ controls: objective: CIS Fedora 1 - 1.2.5.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.5.2-ar + - id: mount_option_var_tmp_nodev text: CIS Fedora 1 - 1.2.5.2 MUST be verified applicability: - Fedora Linux @@ -199,7 +201,7 @@ controls: objective: CIS Fedora 1 - 1.2.5.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.5.3-ar + - id: mount_option_var_tmp_nosuid text: CIS Fedora 1 - 1.2.5.3 MUST be verified applicability: - Fedora Linux @@ -208,7 +210,7 @@ controls: objective: CIS Fedora 1 - 1.2.5.4 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.5.4-ar + - id: mount_option_var_tmp_noexec text: CIS Fedora 1 - 1.2.5.4 MUST be verified applicability: - Fedora Linux @@ -217,7 +219,7 @@ controls: objective: CIS Fedora 1 - 1.2.6.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.6.2-ar + - id: mount_option_var_log_nodev text: CIS Fedora 1 - 1.2.6.2 MUST be verified applicability: - Fedora Linux @@ -226,7 +228,7 @@ controls: objective: CIS Fedora 1 - 1.2.6.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.6.3-ar + - id: mount_option_var_log_nosuid text: CIS Fedora 1 - 1.2.6.3 MUST be verified applicability: - Fedora Linux 
@@ -235,7 +237,7 @@ controls: objective: CIS Fedora 1 - 1.2.6.4 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.6.4-ar + - id: mount_option_var_log_noexec text: CIS Fedora 1 - 1.2.6.4 MUST be verified applicability: - Fedora Linux @@ -244,7 +246,7 @@ controls: objective: CIS Fedora 1 - 1.2.7.2 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.7.2-ar + - id: mount_option_var_log_audit_nodev text: CIS Fedora 1 - 1.2.7.2 MUST be verified applicability: - Fedora Linux @@ -253,7 +255,7 @@ controls: objective: CIS Fedora 1 - 1.2.7.3 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.7.3-ar + - id: mount_option_var_log_audit_nosuid text: CIS Fedora 1 - 1.2.7.3 MUST be verified applicability: - Fedora Linux @@ -262,7 +264,7 @@ controls: objective: CIS Fedora 1 - 1.2.7.4 family: initial-setup assessment-requirements: - - id: cis_fedora_1-1.2.7.4-ar + - id: mount_option_var_log_audit_noexec text: CIS Fedora 1 - 1.2.7.4 MUST be verified applicability: - Fedora Linux @@ -271,7 +273,7 @@ controls: objective: Ensure Gpgcheck Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-2.1.2-ar + - id: ensure_gpgcheck_globally_activated text: Gpgcheck Is Configured MUST be verified applicability: - Fedora Linux @@ -280,7 +282,7 @@ controls: objective: Ensure Selinux Is Installed family: initial-setup assessment-requirements: - - id: cis_fedora_1-3.1.1-ar + - id: package_libselinux_installed text: Selinux Is Installed MUST be verified applicability: - Fedora Linux @@ -289,7 +291,7 @@ controls: objective: Ensure Selinux Is Not Disabled In Bootloader Configuration family: initial-setup assessment-requirements: - - id: cis_fedora_1-3.1.2-ar + - id: grub2_enable_selinux text: Selinux Is Not Disabled In Bootloader Configuration MUST be verified applicability: - Fedora Linux 
@@ -298,7 +300,7 @@ controls: objective: Ensure Selinux Policy Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-3.1.3-ar + - id: selinux_policytype text: Selinux Policy Is Configured MUST be verified applicability: - Fedora Linux @@ -307,7 +309,7 @@ controls: objective: Ensure The Selinux Mode Is Not Disabled family: initial-setup assessment-requirements: - - id: cis_fedora_1-3.1.4-ar + - id: selinux_not_disabled text: The Selinux Mode Is Not Disabled MUST be verified applicability: - Fedora Linux @@ -316,7 +318,7 @@ controls: objective: Ensure The Mcs Translation Service (Mcstrans) Is Not Installed family: initial-setup assessment-requirements: - - id: cis_fedora_1-3.1.7-ar + - id: package_mcstrans_removed text: The Mcs Translation Service (Mcstrans) Is Not Installed MUST be verified applicability: - Fedora Linux @@ -325,7 +327,7 @@ controls: objective: Ensure Bootloader Password Is Set family: initial-setup assessment-requirements: - - id: cis_fedora_1-4.1-ar + - id: grub2_password text: Bootloader Password Is Set MUST be verified applicability: - Fedora Linux @@ -334,7 +336,7 @@ controls: objective: Ensure Core File Size Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.1-ar + - id: disable_users_coredumps text: Core File Size Is Configured MUST be verified applicability: - Fedora Linux @@ -343,7 +345,7 @@ controls: objective: Ensure Systemd-Coredump Storage Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.10-ar + - id: coredump_disable_storage text: Systemd-Coredump Storage Is Configured MUST be verified applicability: - Fedora Linux @@ -352,7 +354,7 @@ controls: objective: Ensure Fs.Protected_Hardlinks Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.2-ar + - id: sysctl_fs_protected_hardlinks text: Fs.Protected_Hardlinks Is Configured MUST be verified applicability: - Fedora Linux 
@@ -361,7 +363,7 @@ controls: objective: Ensure Fs.Protected_Symlinks Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.3-ar + - id: sysctl_fs_protected_symlinks text: Fs.Protected_Symlinks Is Configured MUST be verified applicability: - Fedora Linux @@ -370,7 +372,7 @@ controls: objective: Ensure Fs.Suid_Dumpable Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.4-ar + - id: sysctl_fs_suid_dumpable text: Fs.Suid_Dumpable Is Configured MUST be verified applicability: - Fedora Linux @@ -379,7 +381,7 @@ controls: objective: Ensure Kernel.Dmesg_Restrict Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.5-ar + - id: sysctl_kernel_dmesg_restrict text: Kernel.Dmesg_Restrict Is Configured MUST be verified applicability: - Fedora Linux @@ -388,7 +390,7 @@ controls: objective: Ensure Kernel.Kptr_Restrict Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.6-ar + - id: sysctl_kernel_kptr_restrict text: Kernel.Kptr_Restrict Is Configured MUST be verified applicability: - Fedora Linux @@ -397,7 +399,7 @@ controls: objective: Ensure Kernel.Yama.Ptrace_Scope Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.7-ar + - id: sysctl_kernel_yama_ptrace_scope text: Kernel.Yama.Ptrace_Scope Is Configured MUST be verified applicability: - Fedora Linux @@ -406,7 +408,7 @@ controls: objective: Ensure Kernel.Randomize_Va_Space Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.8-ar + - id: sysctl_kernel_randomize_va_space text: Kernel.Randomize_Va_Space Is Configured MUST be verified applicability: - Fedora Linux 
@@ -415,7 +417,7 @@ controls: objective: Ensure Systemd-Coredump Processsizemax Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-5.9-ar + - id: coredump_disable_backtraces text: Systemd-Coredump Processsizemax Is Configured MUST be verified applicability: - Fedora Linux @@ -451,7 +453,7 @@ controls: objective: Ensure /Etc/Motd Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.1-ar + - id: banner_etc_motd_cis text: /Etc/Motd Is Configured MUST be verified applicability: - Fedora Linux @@ -460,7 +462,7 @@ controls: objective: Ensure /Etc/Issue Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.2-ar + - id: banner_etc_issue_cis text: /Etc/Issue Is Configured MUST be verified applicability: - Fedora Linux @@ -469,7 +471,7 @@ controls: objective: Ensure /Etc/Issue.Net Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.3-ar + - id: banner_etc_issue_net_cis text: /Etc/Issue.Net Is Configured MUST be verified applicability: - Fedora Linux @@ -478,7 +480,15 @@ controls: objective: Ensure Access To /Etc/Motd Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.4-ar + - id: file_groupowner_etc_motd + text: Access To /Etc/Motd Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_etc_motd + text: Access To /Etc/Motd Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_etc_motd text: Access To /Etc/Motd Is Configured MUST be verified applicability: - Fedora Linux 
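Review bot: In `@@ -478,7 +480,15 @@` one assessment requirement is split into `file_groupowner_etc_motd`, `file_owner_etc_motd` and `file_permissions_etc_motd`, yet all three carry the identical `text: Access To /Etc/Motd Is Configured MUST be verified`, so an assessment result keyed by requirement id cannot tell the reader whether group ownership, ownership or mode failed. The same duplicated-text pattern appears in the later expanded hunks for `/Etc/Issue`, `/Etc/Issue.Net`, the GDM banner and screen-lock controls, the web-server, MTA and IMAP package checks, and the cron and at access controls. Each `text` should state the property its id checks, e.g. `text: /etc/motd group ownership MUST be verified`, `text: /etc/motd ownership MUST be verified`, `text: /etc/motd permissions MUST be verified`. The replaced ids of the form `cis_fedora_1-7.4-ar` also carried the CIS section number, which the new ids do not; unless the enclosing control id (outside the hunk) still holds it, the benchmark cross-reference is lost and could be kept in `text` or a `recommendations` entry.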
@@ -487,7 +497,15 @@ controls: objective: Ensure Access To /Etc/Issue Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.5-ar + - id: file_groupowner_etc_issue + text: Access To /Etc/Issue Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_etc_issue + text: Access To /Etc/Issue Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_etc_issue text: Access To /Etc/Issue Is Configured MUST be verified applicability: - Fedora Linux @@ -496,7 +514,15 @@ controls: objective: Ensure Access To /Etc/Issue.Net Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-7.6-ar + - id: file_groupowner_etc_issue_net + text: Access To /Etc/Issue.Net Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_etc_issue_net + text: Access To /Etc/Issue.Net Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_etc_issue_net text: Access To /Etc/Issue.Net Is Configured MUST be verified applicability: - Fedora Linux @@ -505,7 +531,11 @@ controls: objective: Ensure Gdm Login Banner Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-8.1-ar + - id: dconf_gnome_banner_enabled + text: Gdm Login Banner Is Configured MUST be verified + applicability: + - Fedora Linux + - id: dconf_gnome_login_banner_text text: Gdm Login Banner Is Configured MUST be verified applicability: - Fedora Linux @@ -514,7 +544,7 @@ controls: objective: Ensure Gdm Disable-User-List Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-8.2-ar + - id: dconf_gnome_disable_user_list text: Gdm Disable-User-List Is Configured MUST be verified applicability: - Fedora Linux 
@@ -523,7 +553,19 @@ controls: objective: Ensure Gdm Screen Lock Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-8.3-ar + - id: dconf_gnome_screensaver_idle_delay + text: Gdm Screen Lock Is Configured MUST be verified + applicability: + - Fedora Linux + - id: dconf_gnome_screensaver_lock_delay + text: Gdm Screen Lock Is Configured MUST be verified + applicability: + - Fedora Linux + - id: dconf_gnome_screensaver_user_locks + text: Gdm Screen Lock Is Configured MUST be verified + applicability: + - Fedora Linux + - id: dconf_gnome_session_idle_user_locks text: Gdm Screen Lock Is Configured MUST be verified applicability: - Fedora Linux @@ -532,7 +574,7 @@ controls: objective: Ensure Gdm Autorun-Never Is Configured family: initial-setup assessment-requirements: - - id: cis_fedora_1-8.5-ar + - id: dconf_gnome_disable_autorun text: Gdm Autorun-Never Is Configured MUST be verified applicability: - Fedora Linux @@ -541,7 +583,7 @@ controls: objective: Ensure Rpcbind Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.12-ar + - id: service_rpcbind_disabled text: Rpcbind Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -550,7 +592,7 @@ controls: objective: Ensure Rsync Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.13-ar + - id: package_rsync_removed text: Rsync Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -559,7 +601,7 @@ controls: objective: Ensure Samba File Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.14-ar + - id: package_samba_removed text: Samba File Server Services Are Not In Use MUST be verified applicability: - Fedora Linux 
@@ -568,7 +610,7 @@ controls: objective: Ensure Snmp Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.15-ar + - id: package_net-snmp_removed text: Snmp Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -577,7 +619,7 @@ controls: objective: Ensure Telnet Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.16-ar + - id: package_telnet-server_removed text: Telnet Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -586,7 +628,7 @@ controls: objective: Ensure Tftp Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.17-ar + - id: package_tftp-server_removed text: Tftp Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -595,7 +637,7 @@ controls: objective: Ensure Web Proxy Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.18-ar + - id: package_squid_removed text: Web Proxy Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -604,7 +646,11 @@ controls: objective: Ensure Web Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.19-ar + - id: package_httpd_removed + text: Web Server Services Are Not In Use MUST be verified + applicability: + - Fedora Linux + - id: package_nginx_removed text: Web Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -613,7 +659,11 @@ controls: objective: Ensure Mail Transfer Agents Are Configured For Local-Only Mode family: services assessment-requirements: - - id: cis_fedora_2-1.23-ar + - id: has_nonlocal_mta + text: Mail Transfer Agents Are Configured For Local-Only Mode MUST be verified + applicability: + - Fedora Linux + - id: postfix_network_listening_disabled text: Mail Transfer Agents Are Configured For Local-Only Mode MUST be verified applicability: - Fedora Linux 
@@ -622,7 +672,7 @@ controls: objective: Ensure Dhcp Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.4-ar + - id: package_kea_removed text: Dhcp Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -631,7 +681,7 @@ controls: objective: Ensure Dns Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.5-ar + - id: package_bind_removed text: Dns Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -640,7 +690,7 @@ controls: objective: Ensure Dnsmasq Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.6-ar + - id: package_dnsmasq_removed text: Dnsmasq Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -649,7 +699,7 @@ controls: objective: Ensure Ftp Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.7-ar + - id: package_vsftpd_removed text: Ftp Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -658,7 +708,11 @@ controls: objective: Ensure Message Access Server Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.8-ar + - id: package_cyrus-imapd_removed + text: Message Access Server Services Are Not In Use MUST be verified + applicability: + - Fedora Linux + - id: package_dovecot_removed text: Message Access Server Services Are Not In Use MUST be verified applicability: - Fedora Linux @@ -667,7 +721,7 @@ controls: objective: Ensure Network File System Services Are Not In Use family: services assessment-requirements: - - id: cis_fedora_2-1.9-ar + - id: service_nfs_disabled text: Network File System Services Are Not In Use MUST be verified applicability: - Fedora Linux 
@@ -676,7 +730,7 @@ controls: objective: Ensure Ftp Client Is Not Installed family: services assessment-requirements: - - id: cis_fedora_2-2.1-ar + - id: package_ftp_removed text: Ftp Client Is Not Installed MUST be verified applicability: - Fedora Linux @@ -685,7 +739,7 @@ controls: objective: Ensure Telnet Client Is Not Installed family: services assessment-requirements: - - id: cis_fedora_2-2.4-ar + - id: package_telnet_removed text: Telnet Client Is Not Installed MUST be verified applicability: - Fedora Linux @@ -694,7 +748,7 @@ controls: objective: Ensure Tftp Client Is Not Installed family: services assessment-requirements: - - id: cis_fedora_2-2.5-ar + - id: package_tftp_removed text: Tftp Client Is Not Installed MUST be verified applicability: - Fedora Linux @@ -703,7 +757,7 @@ controls: objective: Ensure Chrony Is Configured family: services assessment-requirements: - - id: cis_fedora_2-3.2-ar + - id: chronyd_specify_remote_server text: Chrony Is Configured MUST be verified applicability: - Fedora Linux @@ -712,7 +766,7 @@ controls: objective: Ensure Chrony Is Not Run As The Root User family: services assessment-requirements: - - id: cis_fedora_2-3.3-ar + - id: chronyd_run_as_chrony_user text: Chrony Is Not Run As The Root User MUST be verified applicability: - Fedora Linux @@ -721,7 +775,11 @@ controls: objective: Ensure Cron Daemon Is Enabled And Active family: services assessment-requirements: - - id: cis_fedora_2-4.1.1-ar + - id: package_cron_installed + text: Cron Daemon Is Enabled And Active MUST be verified + applicability: + - Fedora Linux + - id: service_crond_enabled text: Cron Daemon Is Enabled And Active MUST be verified applicability: - Fedora Linux 
@@ -730,7 +788,15 @@ controls: objective: Ensure Access To /Etc/Crontab Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.2-ar + - id: file_groupowner_crontab + text: Access To /Etc/Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_crontab + text: Access To /Etc/Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_crontab text: Access To /Etc/Crontab Is Configured MUST be verified applicability: - Fedora Linux @@ -739,7 +805,15 @@ controls: objective: Ensure Access To /Etc/Cron.Hourly Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.3-ar + - id: file_groupowner_cron_hourly + text: Access To /Etc/Cron.Hourly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_hourly + text: Access To /Etc/Cron.Hourly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_hourly text: Access To /Etc/Cron.Hourly Is Configured MUST be verified applicability: - Fedora Linux @@ -748,7 +822,15 @@ controls: objective: Ensure Access To /Etc/Cron.Daily Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.4-ar + - id: file_groupowner_cron_daily + text: Access To /Etc/Cron.Daily Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_daily + text: Access To /Etc/Cron.Daily Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_daily text: Access To /Etc/Cron.Daily Is Configured MUST be verified applicability: - Fedora Linux 
@@ -757,7 +839,15 @@ controls: objective: Ensure Access To /Etc/Cron.Weekly Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.5-ar + - id: file_groupowner_cron_weekly + text: Access To /Etc/Cron.Weekly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_weekly + text: Access To /Etc/Cron.Weekly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_weekly text: Access To /Etc/Cron.Weekly Is Configured MUST be verified applicability: - Fedora Linux @@ -766,7 +856,15 @@ controls: objective: Ensure Access To /Etc/Cron.Monthly Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.6-ar + - id: file_groupowner_cron_monthly + text: Access To /Etc/Cron.Monthly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_monthly + text: Access To /Etc/Cron.Monthly Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_monthly text: Access To /Etc/Cron.Monthly Is Configured MUST be verified applicability: - Fedora Linux @@ -775,7 +873,15 @@ controls: objective: Ensure Access To /Etc/Cron.D Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.8-ar + - id: file_groupowner_cron_d + text: Access To /Etc/Cron.D Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_d + text: Access To /Etc/Cron.D Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_d text: Access To /Etc/Cron.D Is Configured MUST be verified applicability: - Fedora Linux 
@@ -784,7 +890,23 @@ controls: objective: Ensure Access To Crontab Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.1.9-ar + - id: file_cron_allow_exists + text: Access To Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_cron_deny_not_exist + text: Access To Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_groupowner_cron_allow + text: Access To Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_cron_allow + text: Access To Crontab Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_cron_allow text: Access To Crontab Is Configured MUST be verified applicability: - Fedora Linux @@ -793,7 +915,19 @@ controls: objective: Ensure Access To At Is Configured family: services assessment-requirements: - - id: cis_fedora_2-4.2.1-ar + - id: file_at_deny_not_exist + text: Access To At Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_groupowner_at_allow + text: Access To At Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_owner_at_allow + text: Access To At Is Configured MUST be verified + applicability: + - Fedora Linux + - id: file_permissions_at_allow text: Access To At Is Configured MUST be verified applicability: - Fedora Linux @@ -802,7 +936,7 @@ controls: objective: Ensure Atm Kernel Module Is Not Available family: network assessment-requirements: - - id: cis_fedora_3-2.1-ar + - id: kernel_module_atm_disabled text: Atm Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux @@ -811,7 +945,7 @@ controls: objective: Ensure Can Kernel Module Is Not Available family: network assessment-requirements: - - id: cis_fedora_3-2.2-ar + - id: kernel_module_can_disabled text: Can Kernel Module Is Not Available MUST be verified applicability: - Fedora Linux 
@@ -820,7 +954,7 @@ controls:
 objective: Ensure Dccp Kernel Module Is Not Available
 family: network
 assessment-requirements:
- - id: cis_fedora_3-2.3-ar
+ - id: kernel_module_dccp_disabled
 text: Dccp Kernel Module Is Not Available MUST be verified
 applicability:
 - Fedora Linux
@@ -829,7 +963,7 @@ controls:
 objective: Ensure Tipc Kernel Module Is Not Available
 family: network
 assessment-requirements:
- - id: cis_fedora_3-2.4-ar
+ - id: kernel_module_tipc_disabled
 text: Tipc Kernel Module Is Not Available MUST be verified
 applicability:
 - Fedora Linux
@@ -838,7 +972,7 @@ controls:
 objective: Ensure Rds Kernel Module Is Not Available
 family: network
 assessment-requirements:
- - id: cis_fedora_3-2.5-ar
+ - id: kernel_module_rds_disabled
 text: Rds Kernel Module Is Not Available MUST be verified
 applicability:
 - Fedora Linux
@@ -847,7 +981,7 @@ controls:
 objective: Ensure Net.Ipv4.Ip_Forward Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.1-ar
+ - id: sysctl_net_ipv4_ip_forward
 text: Net.Ipv4.Ip_Forward Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -856,7 +990,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Secure_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.10-ar
+ - id: sysctl_net_ipv4_conf_all_secure_redirects
 text: Net.Ipv4.Conf.All.Secure_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -865,7 +999,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Secure_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.11-ar
+ - id: sysctl_net_ipv4_conf_default_secure_redirects
 text: Net.Ipv4.Conf.Default.Secure_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -874,7 +1008,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Rp_Filter Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.12-ar
+ - id: sysctl_net_ipv4_conf_all_rp_filter
 text: Net.Ipv4.Conf.All.Rp_Filter Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -883,7 +1017,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Rp_Filter Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.13-ar
+ - id: sysctl_net_ipv4_conf_default_rp_filter
 text: Net.Ipv4.Conf.Default.Rp_Filter Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -892,7 +1026,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Accept_Source_Route Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.14-ar
+ - id: sysctl_net_ipv4_conf_all_accept_source_route
 text: Net.Ipv4.Conf.All.Accept_Source_Route Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -901,7 +1035,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Accept_Source_Route Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.15-ar
+ - id: sysctl_net_ipv4_conf_default_accept_source_route
 text: Net.Ipv4.Conf.Default.Accept_Source_Route Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -910,7 +1044,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Log_Martians Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.16-ar
+ - id: sysctl_net_ipv4_conf_all_log_martians
 text: Net.Ipv4.Conf.All.Log_Martians Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -919,7 +1053,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Log_Martians Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.17-ar
+ - id: sysctl_net_ipv4_conf_default_log_martians
 text: Net.Ipv4.Conf.Default.Log_Martians Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -928,7 +1062,7 @@ controls:
 objective: Ensure Net.Ipv4.Tcp_Syncookies Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.18-ar
+ - id: sysctl_net_ipv4_tcp_syncookies
 text: Net.Ipv4.Tcp_Syncookies Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -937,7 +1071,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Send_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.4-ar
+ - id: sysctl_net_ipv4_conf_all_send_redirects
 text: Net.Ipv4.Conf.All.Send_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -946,7 +1080,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Send_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.5-ar
+ - id: sysctl_net_ipv4_conf_default_send_redirects
 text: Net.Ipv4.Conf.Default.Send_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -955,7 +1089,7 @@ controls:
 objective: Ensure Net.Ipv4.Icmp_Ignore_Bogus_Error_Responses Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.6-ar
+ - id: sysctl_net_ipv4_icmp_ignore_bogus_error_responses
 text: Net.Ipv4.Icmp_Ignore_Bogus_Error_Responses Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -964,7 +1098,7 @@ controls:
 objective: Ensure Net.Ipv4.Icmp_Echo_Ignore_Broadcasts Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.7-ar
+ - id: sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 text: Net.Ipv4.Icmp_Echo_Ignore_Broadcasts Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -973,7 +1107,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.All.Accept_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.8-ar
+ - id: sysctl_net_ipv4_conf_all_accept_redirects
 text: Net.Ipv4.Conf.All.Accept_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -982,7 +1116,7 @@ controls:
 objective: Ensure Net.Ipv4.Conf.Default.Accept_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.1.9-ar
+ - id: sysctl_net_ipv4_conf_default_accept_redirects
 text: Net.Ipv4.Conf.Default.Accept_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -991,7 +1125,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.All.Forwarding Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.1-ar
+ - id: sysctl_net_ipv6_conf_all_forwarding
 text: Net.Ipv6.Conf.All.Forwarding Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1000,7 +1134,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.All.Accept_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.3-ar
+ - id: sysctl_net_ipv6_conf_all_accept_redirects
 text: Net.Ipv6.Conf.All.Accept_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1009,7 +1143,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.Default.Accept_Redirects Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.4-ar
+ - id: sysctl_net_ipv6_conf_default_accept_redirects
 text: Net.Ipv6.Conf.Default.Accept_Redirects Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1018,7 +1152,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.All.Accept_Source_Route Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.5-ar
+ - id: sysctl_net_ipv6_conf_all_accept_source_route
 text: Net.Ipv6.Conf.All.Accept_Source_Route Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1027,7 +1161,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.Default.Accept_Source_Route Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.6-ar
+ - id: sysctl_net_ipv6_conf_default_accept_source_route
 text: Net.Ipv6.Conf.Default.Accept_Source_Route Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1036,7 +1170,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.All.Accept_Ra Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.7-ar
+ - id: sysctl_net_ipv6_conf_all_accept_ra
 text: Net.Ipv6.Conf.All.Accept_Ra Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1045,7 +1179,7 @@ controls:
 objective: Ensure Net.Ipv6.Conf.Default.Accept_Ra Is Configured
 family: network
 assessment-requirements:
- - id: cis_fedora_3-3.2.8-ar
+ - id: sysctl_net_ipv6_conf_default_accept_ra
 text: Net.Ipv6.Conf.Default.Accept_Ra Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1054,7 +1188,7 @@ controls:
 objective: Ensure Nftables Is Installed
 family: firewall
 assessment-requirements:
- - id: cis_fedora_4-1.1-ar
+ - id: package_nftables_installed
 text: Nftables Is Installed MUST be verified
 applicability:
 - Fedora Linux
@@ -1063,7 +1197,15 @@ controls:
 objective: Ensure A Single Firewall Configuration Utility Is In Use
 family: firewall
 assessment-requirements:
- - id: cis_fedora_4-1.2-ar
+ - id: package_firewalld_installed
+ text: A Single Firewall Configuration Utility Is In Use MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: service_firewalld_enabled
+ text: A Single Firewall Configuration Utility Is In Use MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: service_nftables_disabled
 text: A Single Firewall Configuration Utility Is In Use MUST be verified
 applicability:
 - Fedora Linux
@@ -1072,7 +1214,11 @@ controls:
 objective: Ensure Firewalld Loopback Traffic Is Configured
 family: firewall
 assessment-requirements:
- - id: cis_fedora_4-2.2-ar
+ - id: firewalld_loopback_traffic_restricted
+ text: Firewalld Loopback Traffic Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: firewalld_loopback_traffic_trusted
 text: Firewalld Loopback Traffic Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1081,7 +1227,15 @@ controls:
 objective: Ensure Access To /Etc/Ssh/Sshd_Config Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.1-ar
+ - id: file_groupowner_sshd_config
+ text: Access To /Etc/Ssh/Sshd_Config Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_sshd_config
+ text: Access To /Etc/Ssh/Sshd_Config Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_sshd_config
 text: Access To /Etc/Ssh/Sshd_Config Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1090,7 +1244,7 @@ controls:
 objective: Ensure Sshd Gssapiauthentication Is Disabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.11-ar
+ - id: sshd_disable_gssapi_auth
 text: Sshd Gssapiauthentication Is Disabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1099,7 +1253,7 @@ controls:
 objective: Ensure Sshd Hostbasedauthentication Is Disabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.12-ar
+ - id: disable_host_auth
 text: Sshd Hostbasedauthentication Is Disabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1108,7 +1262,7 @@ controls:
 objective: Ensure Sshd Ignorerhosts Is Enabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.13-ar
+ - id: sshd_disable_rhosts
 text: Sshd Ignorerhosts Is Enabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1117,7 +1271,7 @@ controls:
 objective: Ensure Sshd Logingracetime Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.14-ar
+ - id: sshd_set_login_grace_time
 text: Sshd Logingracetime Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1126,7 +1280,7 @@ controls:
 objective: Ensure Sshd Loglevel Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.15-ar
+ - id: sshd_set_loglevel_verbose
 text: Sshd Loglevel Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1135,7 +1289,7 @@ controls:
 objective: Ensure Sshd Maxauthtries Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.16-ar
+ - id: sshd_set_max_auth_tries
 text: Sshd Maxauthtries Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1144,7 +1298,7 @@ controls:
 objective: Ensure Sshd Maxstartups Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.17-ar
+ - id: sshd_set_maxstartups
 text: Sshd Maxstartups Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1153,7 +1307,7 @@ controls:
 objective: Ensure Sshd Maxsessions Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.18-ar
+ - id: sshd_set_max_sessions
 text: Sshd Maxsessions Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1162,7 +1316,7 @@ controls:
 objective: Ensure Sshd Permitemptypasswords Is Disabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.19-ar
+ - id: sshd_disable_empty_passwords
 text: Sshd Permitemptypasswords Is Disabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1171,7 +1325,15 @@ controls:
 objective: Ensure Access To Ssh Private Host Key Files Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.2-ar
+ - id: file_groupownership_sshd_private_key
+ text: Access To Ssh Private Host Key Files Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_ownership_sshd_private_key
+ text: Access To Ssh Private Host Key Files Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_sshd_private_key
 text: Access To Ssh Private Host Key Files Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1180,7 +1342,7 @@ controls:
 objective: Ensure Sshd Permitrootlogin Is Disabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.20-ar
+ - id: sshd_disable_root_login
 text: Sshd Permitrootlogin Is Disabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1189,7 +1351,7 @@ controls:
 objective: Ensure Sshd Permituserenvironment Is Disabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.21-ar
+ - id: sshd_do_not_permit_user_env
 text: Sshd Permituserenvironment Is Disabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1198,7 +1360,7 @@ controls:
 objective: Ensure Sshd Usepam Is Enabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.22-ar
+ - id: sshd_enable_pam
 text: Sshd Usepam Is Enabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1207,7 +1369,15 @@ controls:
 objective: Ensure Access To Ssh Public Host Key Files Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.3-ar
+ - id: file_groupownership_sshd_pub_key
+ text: Access To Ssh Public Host Key Files Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_ownership_sshd_pub_key
+ text: Access To Ssh Public Host Key Files Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_sshd_pub_key
 text: Access To Ssh Public Host Key Files Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1243,7 +1413,7 @@ controls:
 objective: Ensure Sshd Access Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.7-ar
+ - id: sshd_limit_user_access
 text: Sshd Access Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1252,7 +1422,7 @@ controls:
 objective: Ensure Sshd Banner Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.8-ar
+ - id: sshd_enable_warning_banner_net
 text: Sshd Banner Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1261,7 +1431,11 @@ controls:
 objective: Ensure Sshd Clientaliveinterval And Clientalivecountmax Are Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-1.9-ar
+ - id: sshd_set_idle_timeout
+ text: Sshd Clientaliveinterval And Clientalivecountmax Are Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: sshd_set_keepalive
 text: Sshd Clientaliveinterval And Clientalivecountmax Are Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1270,7 +1444,7 @@ controls:
 objective: Ensure Sudo Is Installed
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.1-ar
+ - id: package_sudo_installed
 text: Sudo Is Installed MUST be verified
 applicability:
 - Fedora Linux
@@ -1279,7 +1453,7 @@ controls:
 objective: Ensure Sudo Commands Use Pty
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.2-ar
+ - id: sudo_add_use_pty
 text: Sudo Commands Use Pty MUST be verified
 applicability:
 - Fedora Linux
@@ -1288,7 +1462,7 @@ controls:
 objective: Ensure Sudo Log File Exists
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.3-ar
+ - id: sudo_custom_logfile
 text: Sudo Log File Exists MUST be verified
 applicability:
 - Fedora Linux
@@ -1297,7 +1471,7 @@ controls:
 objective: Ensure Re-Authentication For Privilege Escalation Is Not Disabled Globally
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.5-ar
+ - id: sudo_remove_no_authenticate
 text: Re-Authentication For Privilege Escalation Is Not Disabled Globally MUST be verified
 applicability:
 - Fedora Linux
@@ -1306,7 +1480,7 @@ controls:
 objective: Ensure Sudo Timestamp_Timeout Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.6-ar
+ - id: sudo_require_reauthentication
 text: Sudo Timestamp_Timeout Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1315,7 +1489,11 @@ controls:
 objective: Ensure Access To The Su Command Is Restricted
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-2.7-ar
+ - id: ensure_pam_wheel_group_empty
+ text: Access To The Su Command Is Restricted MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: use_pam_wheel_group_for_su
 text: Access To The Su Command Is Restricted MUST be verified
 applicability:
 - Fedora Linux
@@ -1324,7 +1502,7 @@ controls:
 objective: Ensure Latest Version Of Libpwquality Is Installed
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.1.3-ar
+ - id: package_pam_pwquality_installed
 text: Latest Version Of Libpwquality Is Installed MUST be verified
 applicability:
 - Fedora Linux
@@ -1333,7 +1511,11 @@ controls:
 objective: Ensure Pam_Faillock Module Is Enabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.2.2-ar
+ - id: account_password_pam_faillock_password_auth
+ text: Pam_Faillock Module Is Enabled MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: account_password_pam_faillock_system_auth
 text: Pam_Faillock Module Is Enabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1342,7 +1524,11 @@ controls:
 objective: Ensure Pam_Pwquality Module Is Enabled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.2.3-ar
+ - id: accounts_password_pam_pwquality_password_auth
+ text: Pam_Pwquality Module Is Enabled MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_password_pam_pwquality_system_auth
 text: Pam_Pwquality Module Is Enabled MUST be verified
 applicability:
 - Fedora Linux
@@ -1351,7 +1537,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.1.1
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.1.1-ar
+ - id: accounts_passwords_pam_faillock_deny
 text: CIS Fedora 5 - 3.3.1.1 MUST be verified
 applicability:
 - Fedora Linux
@@ -1360,7 +1546,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.1.2
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.1.2-ar
+ - id: accounts_passwords_pam_faillock_unlock_time
 text: CIS Fedora 5 - 3.3.1.2 MUST be verified
 applicability:
 - Fedora Linux
@@ -1369,7 +1555,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.1
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.1-ar
+ - id: accounts_password_pam_difok
 text: CIS Fedora 5 - 3.3.2.1 MUST be verified
 applicability:
 - Fedora Linux
@@ -1378,7 +1564,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.2
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.2-ar
+ - id: accounts_password_pam_minlen
 text: CIS Fedora 5 - 3.3.2.2 MUST be verified
 applicability:
 - Fedora Linux
@@ -1387,7 +1573,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.3
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.3-ar
+ - id: accounts_password_pam_minclass
 text: CIS Fedora 5 - 3.3.2.3 MUST be verified
 applicability:
 - Fedora Linux
@@ -1396,7 +1582,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.4
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.4-ar
+ - id: accounts_password_pam_maxrepeat
 text: CIS Fedora 5 - 3.3.2.4 MUST be verified
 applicability:
 - Fedora Linux
@@ -1405,7 +1591,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.6
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.6-ar
+ - id: accounts_password_pam_dictcheck
 text: CIS Fedora 5 - 3.3.2.6 MUST be verified
 applicability:
 - Fedora Linux
@@ -1414,7 +1600,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.2.7
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.2.7-ar
+ - id: accounts_password_pam_enforce_root
 text: CIS Fedora 5 - 3.3.2.7 MUST be verified
 applicability:
 - Fedora Linux
@@ -1423,7 +1609,11 @@ controls:
 objective: CIS Fedora 5 - 3.3.3.1
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.3.1-ar
+ - id: accounts_password_pam_pwhistory_remember_password_auth
+ text: CIS Fedora 5 - 3.3.3.1 MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_password_pam_pwhistory_remember_system_auth
 text: CIS Fedora 5 - 3.3.3.1 MUST be verified
 applicability:
 - Fedora Linux
@@ -1432,7 +1622,7 @@ controls:
 objective: CIS Fedora 5 - 3.3.4.1
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.4.1-ar
+ - id: no_empty_passwords
 text: CIS Fedora 5 - 3.3.4.1 MUST be verified
 applicability:
 - Fedora Linux
@@ -1441,7 +1631,11 @@ controls:
 objective: CIS Fedora 5 - 3.3.4.3
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-3.3.4.3-ar
+ - id: set_password_hashing_algorithm_passwordauth
+ text: CIS Fedora 5 - 3.3.4.3 MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: set_password_hashing_algorithm_systemauth
 text: CIS Fedora 5 - 3.3.4.3 MUST be verified
 applicability:
 - Fedora Linux
@@ -1450,7 +1644,11 @@ controls:
 objective: Ensure Password Expiration Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.1.1-ar
+ - id: accounts_maximum_age_login_defs
+ text: Password Expiration Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_password_set_max_life_existing
 text: Password Expiration Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1459,7 +1657,11 @@ controls:
 objective: Ensure Password Expiration Warning Days Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.1.3-ar
+ - id: accounts_password_set_warn_age_existing
+ text: Password Expiration Warning Days Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_password_warn_age_login_defs
 text: Password Expiration Warning Days Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1468,7 +1670,7 @@ controls:
 objective: Ensure Strong Password Hashing Algorithm Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.1.4-ar
+ - id: set_password_hashing_algorithm_logindefs
 text: Strong Password Hashing Algorithm Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1477,7 +1679,11 @@ controls:
 objective: Ensure Inactive Password Lock Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.1.5-ar
+ - id: account_disable_post_pw_expiration
+ text: Inactive Password Lock Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_set_post_pw_existing
 text: Inactive Password Lock Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1486,7 +1692,7 @@ controls:
 objective: Ensure All Users Last Password Change Date Is In The Past
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.1.6-ar
+ - id: accounts_password_last_change_is_in_past
 text: All Users Last Password Change Date Is In The Past MUST be verified
 applicability:
 - Fedora Linux
@@ -1495,7 +1701,7 @@ controls:
 objective: Ensure Root Is The Only Uid 0 Account
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.2.1-ar
+ - id: accounts_no_uid_except_zero
 text: Root Is The Only Uid 0 Account MUST be verified
 applicability:
 - Fedora Linux
@@ -1504,7 +1710,7 @@ controls:
 objective: Ensure Root Is The Only Gid 0 Account
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.2.2-ar
+ - id: accounts_root_gid_zero
 text: Root Is The Only Gid 0 Account MUST be verified
 applicability:
 - Fedora Linux
@@ -1513,7 +1719,7 @@ controls:
 objective: Ensure Root Account Access Is Controlled
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.2.4-ar
+ - id: ensure_root_password_configured
 text: Root Account Access Is Controlled MUST be verified
 applicability:
 - Fedora Linux
@@ -1522,7 +1728,11 @@ controls:
 objective: Ensure Root Path Integrity
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.2.5-ar
+ - id: accounts_root_path_dirs_no_write
+ text: Root Path Integrity MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: root_path_no_dot
 text: Root Path Integrity MUST be verified
 applicability:
 - Fedora Linux
@@ -1531,7 +1741,11 @@ controls:
 objective: Ensure System Accounts Do Not Have A Valid Login Shell
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.2.7-ar
+ - id: no_password_auth_for_systemaccounts
+ text: System Accounts Do Not Have A Valid Login Shell MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: no_shelllogin_for_systemaccounts
 text: System Accounts Do Not Have A Valid Login Shell MUST be verified
 applicability:
 - Fedora Linux
@@ -1540,7 +1754,7 @@ controls:
 objective: Ensure Default User Shell Timeout Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.3.2-ar
+ - id: accounts_tmout
 text: Default User Shell Timeout Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1549,7 +1763,15 @@ controls:
 objective: Ensure Default User Umask Is Configured
 family: access-auth
 assessment-requirements:
- - id: cis_fedora_5-4.3.3-ar
+ - id: accounts_umask_etc_bashrc
+ text: Default User Umask Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_umask_etc_login_defs
+ text: Default User Umask Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_umask_etc_profile
 text: Default User Umask Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1558,7 +1780,11 @@ controls:
 objective: Ensure Aide Is Installed
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-1.1-ar
+ - id: aide_build_database
+ text: Aide Is Installed MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: package_aide_installed
 text: Aide Is Installed MUST be verified
 applicability:
 - Fedora Linux
@@ -1567,7 +1793,7 @@ controls:
 objective: Ensure Filesystem Integrity Is Regularly Checked
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-1.2-ar
+ - id: aide_periodic_cron_checking
 text: Filesystem Integrity Is Regularly Checked MUST be verified
 applicability:
 - Fedora Linux
@@ -1576,7 +1802,7 @@ controls:
 objective: Ensure Cryptographic Mechanisms Are Used To Protect The Integrity Of Audit Tools
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-1.3-ar
+ - id: aide_check_audit_tools
 text: Cryptographic Mechanisms Are Used To Protect The Integrity Of Audit Tools MUST be verified
 applicability:
 - Fedora Linux
@@ -1585,7 +1811,7 @@ controls:
 objective: Ensure Journald Service Is Active
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.1.1-ar
+ - id: service_systemd-journald_enabled
 text: Journald Service Is Active MUST be verified
 applicability:
 - Fedora Linux
@@ -1594,7 +1820,7 @@ controls:
 objective: CIS Fedora 6 - 2.2.1.1
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.2.1.1-ar
+ - id: package_systemd-journal-remote_installed
 text: CIS Fedora 6 - 2.2.1.1 MUST be verified
 applicability:
 - Fedora Linux
@@ -1603,7 +1829,7 @@ controls:
 objective: CIS Fedora 6 - 2.2.1.4
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.2.1.4-ar
+ - id: socket_systemd-journal-remote_disabled
 text: CIS Fedora 6 - 2.2.1.4 MUST be verified
 applicability:
 - Fedora Linux
@@ -1612,7 +1838,7 @@ controls:
 objective: Ensure Journald Compress Is Configured
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.2.3-ar
+ - id: journald_compress
 text: Journald Compress Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1621,7 +1847,7 @@ controls:
 objective: Ensure Journald Storage Is Configured
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.2.4-ar
+ - id: journald_storage
 text: Journald Storage Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1630,7 +1856,15 @@ controls:
 objective: Ensure Access To All Logfiles Has Been Configured
 family: logging
 assessment-requirements:
- - id: cis_fedora_6-2.6.1-ar
+ - id: rsyslog_files_groupownership
+ text: Access To All Logfiles Has Been Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: rsyslog_files_ownership
+ text: Access To All Logfiles Has Been Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: rsyslog_files_permissions
 text: Access To All Logfiles Has Been Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1639,7 +1873,15 @@ controls:
 objective: Ensure Access To /Etc/Passwd Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.1-ar
+ - id: file_groupowner_etc_passwd
+ text: Access To /Etc/Passwd Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_etc_passwd
+ text: Access To /Etc/Passwd Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_etc_passwd
 text: Access To /Etc/Passwd Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1648,7 +1890,11 @@ controls:
 objective: Ensure World Writable Files And Directories Are Secured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.11-ar
+ - id: dir_perms_world_writable_sticky_bits
+ text: World Writable Files And Directories Are Secured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_unauthorized_world_writable
 text: World Writable Files And Directories Are Secured MUST be verified
 applicability:
 - Fedora Linux
@@ -1657,7 +1903,15 @@ controls:
 objective: Ensure Access To /Etc/Passwd- Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.2-ar
+ - id: file_groupowner_backup_etc_passwd
+ text: Access To /Etc/Passwd- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_backup_etc_passwd
+ text: Access To /Etc/Passwd- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_backup_etc_passwd
 text: Access To /Etc/Passwd- Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1666,7 +1920,15 @@ controls:
 objective: Ensure Access To /Etc/Group Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.3-ar
+ - id: file_groupowner_etc_group
+ text: Access To /Etc/Group Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_etc_group
+ text: Access To /Etc/Group Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_etc_group
 text: Access To /Etc/Group Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1675,7 +1937,15 @@ controls:
 objective: Ensure Access To /Etc/Group- Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.4-ar
+ - id: file_groupowner_backup_etc_group
+ text: Access To /Etc/Group- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_backup_etc_group
+ text: Access To /Etc/Group- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_backup_etc_group
 text: Access To /Etc/Group- Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1684,7 +1954,15 @@ controls:
 objective: Ensure Access To /Etc/Shadow Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.5-ar
+ - id: file_groupowner_etc_shadow
+ text: Access To /Etc/Shadow Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_etc_shadow
+ text: Access To /Etc/Shadow Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_etc_shadow
 text: Access To /Etc/Shadow Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1693,7 +1971,15 @@ controls:
 objective: Ensure Access To /Etc/Shadow- Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.6-ar
+ - id: file_groupowner_backup_etc_shadow
+ text: Access To /Etc/Shadow- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_backup_etc_shadow
+ text: Access To /Etc/Shadow- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_backup_etc_shadow
 text: Access To /Etc/Shadow- Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1702,7 +1988,15 @@ controls:
 objective: Ensure Access To /Etc/Gshadow Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.7-ar
+ - id: file_groupowner_etc_gshadow
+ text: Access To /Etc/Gshadow Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_etc_gshadow
+ text: Access To /Etc/Gshadow Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_etc_gshadow
 text: Access To /Etc/Gshadow Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1711,7 +2005,15 @@ controls:
 objective: Ensure Access To /Etc/Gshadow- Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.8-ar
+ - id: file_groupowner_backup_etc_gshadow
+ text: Access To /Etc/Gshadow- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_backup_etc_gshadow
+ text: Access To /Etc/Gshadow- Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_backup_etc_gshadow
 text: Access To /Etc/Gshadow- Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1720,7 +2022,15 @@ controls:
 objective: Ensure Access To /Etc/Shells Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-1.9-ar
+ - id: file_groupowner_etc_shells
+ text: Access To /Etc/Shells Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_owner_etc_shells
+ text: Access To /Etc/Shells Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_etc_shells
 text: Access To /Etc/Shells Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1729,7 +2039,7 @@ controls:
 objective: Ensure Accounts In /Etc/Passwd Use Shadowed Passwords
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.1-ar
+ - id: accounts_password_all_shadowed
 text: Accounts In /Etc/Passwd Use Shadowed Passwords MUST be verified
 applicability:
 - Fedora Linux
@@ -1738,7 +2048,7 @@ controls:
 objective: Ensure /Etc/Shadow Password Fields Are Not Empty
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.2-ar
+ - id: no_empty_passwords_etc_shadow
 text: /Etc/Shadow Password Fields Are Not Empty MUST be verified
 applicability:
 - Fedora Linux
@@ -1747,7 +2057,7 @@ controls:
 objective: Ensure All Groups In /Etc/Passwd Exist In /Etc/Group
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.3-ar
+ - id: gid_passwd_group_same
 text: All Groups In /Etc/Passwd Exist In /Etc/Group MUST be verified
 applicability:
 - Fedora Linux
@@ -1756,7 +2066,7 @@ controls:
 objective: Ensure No Duplicate Uids Exist
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.4-ar
+ - id: account_unique_id
 text: No Duplicate Uids Exist MUST be verified
 applicability:
 - Fedora Linux
@@ -1765,7 +2075,7 @@ controls:
 objective: Ensure No Duplicate Gids Exist
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.5-ar
+ - id: group_unique_id
 text: No Duplicate Gids Exist MUST be verified
 applicability:
 - Fedora Linux
@@ -1774,7 +2084,7 @@ controls:
 objective: Ensure No Duplicate User Names Exist
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.6-ar
+ - id: account_unique_name
 text: No Duplicate User Names Exist MUST be verified
 applicability:
 - Fedora Linux
@@ -1783,7 +2093,7 @@ controls:
 objective: Ensure No Duplicate Group Names Exist
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.7-ar
+ - id: group_unique_name
 text: No Duplicate Group Names Exist MUST be verified
 applicability:
 - Fedora Linux
@@ -1792,7 +2102,15 @@ controls:
 objective: Ensure Local Interactive User Home Directories Are Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.8-ar
+ - id: accounts_user_interactive_home_directory_exists
+ text: Local Interactive User Home Directories Are Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_ownership_home_directories
+ text: Local Interactive User Home Directories Are Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permissions_home_directories
 text: Local Interactive User Home Directories Are Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1801,7 +2119,23 @@ controls:
 objective: Ensure Local Interactive User Dot Files Access Is Configured
 family: maintenance
 assessment-requirements:
- - id: cis_fedora_7-2.9-ar
+ - id: accounts_user_dot_group_ownership
+ text: Local Interactive User Dot Files Access Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: accounts_user_dot_user_ownership
+ text: Local Interactive User Dot Files Access Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: file_permission_user_init_files
+ text: Local Interactive User Dot Files Access Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: no_forward_files
+ text: Local Interactive User Dot Files Access Is Configured MUST be verified
+ applicability:
+ - Fedora Linux
+ - id: no_netrc_files
 text: Local Interactive User Dot Files Access Is Configured MUST be verified
 applicability:
 - Fedora Linux
@@ -1810,7 +2144,7 @@ controls:
 objective: Reload Dconf Database
 family: operations
 assessment-requirements:
- - id: reload_dconf_db-ar
+ - id: dconf_db_up_to_date
 text: The dconf database MUST be reloaded after configuration changes
 applicability:
 - Fedora Linux
diff --git a/cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-policy.yaml b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/policy.yaml
similarity index 51%
rename from cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-policy.yaml
rename to cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/policy.yaml
index d0f74e62..9caa2515 100644
--- a/cmd/mock-oci-registry/testdata/cis-fedora-l1-workstation-policy.yaml
+++ b/cmd/mock-oci-registry/testdata/policies/cis-fedora-l1-workstation/policy.yaml
@@ -1,6 +1,8 @@
 title: CIS Fedora Linux - Level 1 Workstation Policy
 metadata:
 id: cis-fedora-l1-workstation-policy
+ type: Policy
+ gemara-version: "0.1.0"
 description: Automated evaluation policy for the CIS Fedora Linux Level 1 Workstation Benchmark
 author:
 id: complytime
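Review bot: The five requirements replacing `cis_fedora_7-2.9-ar` share one text, `Local Interactive User Dot Files Access Is Configured MUST be verified`, although `no_netrc_files` and `no_forward_files` check something quite different from the ownership and permission entries beside them: a `.netrc` file in a home directory typically holds plaintext credentials, and a `.forward` file redirects mail, so a finding there is not a mode problem and a report using the generic text cannot show the difference. Give each requirement a text that names its check, e.g. `text: Interactive users' home directories MUST NOT contain .netrc files` and `text: Interactive users' home directories MUST NOT contain .forward files`, and likewise for the three ownership/permission entries. The `dconf_db_up_to_date` hunk and the policy metadata hunk on this line raise nothing.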
@@ -27,7 +29,7 @@ imports:
 - reference-id: cis-fedora-l1-workstation
 adherence:
 evaluation-methods:
- - type: automated
+ - type: Automated
 description: OpenSCAP automated compliance evaluation
 executor:
 id: openscap
@@ -35,1927 +37,2477 @@ adherence: type: Software assessment-plans: - id: account_disable_post_pw_expiration - requirement-id: cis_fedora_5-4.1.5-ar + requirement-id: account_disable_post_pw_expiration frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: account_password_pam_faillock_password_auth - requirement-id: cis_fedora_5-3.2.2-ar + requirement-id: account_password_pam_faillock_password_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: account_password_pam_faillock_system_auth - requirement-id: cis_fedora_5-3.2.2-ar + requirement-id: account_password_pam_faillock_system_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: account_unique_id - requirement-id: cis_fedora_7-2.4-ar + requirement-id: account_unique_id frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: account_unique_name - requirement-id: cis_fedora_7-2.6-ar + requirement-id: account_unique_name frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_maximum_age_login_defs - requirement-id: cis_fedora_5-4.1.1-ar + requirement-id: accounts_maximum_age_login_defs frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_no_uid_except_zero - requirement-id: cis_fedora_5-4.2.1-ar + requirement-id: accounts_no_uid_except_zero frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_all_shadowed - requirement-id: cis_fedora_7-2.1-ar + 
requirement-id: accounts_password_all_shadowed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_last_change_is_in_past - requirement-id: cis_fedora_5-4.1.6-ar + requirement-id: accounts_password_last_change_is_in_past frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_dictcheck - requirement-id: cis_fedora_5-3.3.2.6-ar + requirement-id: accounts_password_pam_dictcheck frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_difok - requirement-id: cis_fedora_5-3.3.2.1-ar + requirement-id: accounts_password_pam_difok frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_enforce_root - requirement-id: cis_fedora_5-3.3.2.7-ar + requirement-id: accounts_password_pam_enforce_root frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_maxrepeat - requirement-id: cis_fedora_5-3.3.2.4-ar + requirement-id: accounts_password_pam_maxrepeat frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_minclass - requirement-id: cis_fedora_5-3.3.2.3-ar + requirement-id: accounts_password_pam_minclass frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_minlen - requirement-id: cis_fedora_5-3.3.2.2-ar + requirement-id: accounts_password_pam_minlen frequency: on-demand evaluation-methods: - - type: automated + - type: 
Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_pwhistory_remember_password_auth - requirement-id: cis_fedora_5-3.3.3.1-ar + requirement-id: accounts_password_pam_pwhistory_remember_password_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_pwhistory_remember_system_auth - requirement-id: cis_fedora_5-3.3.3.1-ar + requirement-id: accounts_password_pam_pwhistory_remember_system_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_pwquality_password_auth - requirement-id: cis_fedora_5-3.2.3-ar + requirement-id: accounts_password_pam_pwquality_password_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_pam_pwquality_system_auth - requirement-id: cis_fedora_5-3.2.3-ar + requirement-id: accounts_password_pam_pwquality_system_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_set_max_life_existing - requirement-id: cis_fedora_5-4.1.1-ar + requirement-id: accounts_password_set_max_life_existing frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_set_warn_age_existing - requirement-id: cis_fedora_5-4.1.3-ar + requirement-id: accounts_password_set_warn_age_existing frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_password_warn_age_login_defs - requirement-id: cis_fedora_5-4.1.3-ar + requirement-id: accounts_password_warn_age_login_defs frequency: on-demand 
evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_passwords_pam_faillock_deny - requirement-id: cis_fedora_5-3.3.1.1-ar + requirement-id: accounts_passwords_pam_faillock_deny frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_passwords_pam_faillock_unlock_time - requirement-id: cis_fedora_5-3.3.1.2-ar + requirement-id: accounts_passwords_pam_faillock_unlock_time frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_root_gid_zero - requirement-id: cis_fedora_5-4.2.2-ar + requirement-id: accounts_root_gid_zero frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_root_path_dirs_no_write - requirement-id: cis_fedora_5-4.2.5-ar + requirement-id: accounts_root_path_dirs_no_write frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_set_post_pw_existing - requirement-id: cis_fedora_5-4.1.5-ar + requirement-id: accounts_set_post_pw_existing frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_tmout - requirement-id: cis_fedora_5-4.3.2-ar + requirement-id: accounts_tmout frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_umask_etc_bashrc - requirement-id: cis_fedora_5-4.3.3-ar + requirement-id: accounts_umask_etc_bashrc frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_umask_etc_login_defs - 
requirement-id: cis_fedora_5-4.3.3-ar + requirement-id: accounts_umask_etc_login_defs frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_umask_etc_profile - requirement-id: cis_fedora_5-4.3.3-ar + requirement-id: accounts_umask_etc_profile frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_user_dot_group_ownership - requirement-id: cis_fedora_7-2.9-ar + requirement-id: accounts_user_dot_group_ownership frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_user_dot_user_ownership - requirement-id: cis_fedora_7-2.9-ar + requirement-id: accounts_user_dot_user_ownership frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: accounts_user_interactive_home_directory_exists - requirement-id: cis_fedora_7-2.8-ar + requirement-id: accounts_user_interactive_home_directory_exists frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: aide_build_database - requirement-id: cis_fedora_6-1.1-ar + requirement-id: aide_build_database frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: aide_check_audit_tools - requirement-id: cis_fedora_6-1.3-ar + requirement-id: aide_check_audit_tools frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: aide_periodic_cron_checking - requirement-id: cis_fedora_6-1.2-ar + requirement-id: aide_periodic_cron_checking frequency: on-demand evaluation-methods: - - type: automated + - type: Automated 
executor: id: openscap + name: OpenSCAP + type: Software - id: banner_etc_issue_cis - requirement-id: cis_fedora_1-7.2-ar + requirement-id: banner_etc_issue_cis frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: banner_etc_issue_net_cis - requirement-id: cis_fedora_1-7.3-ar + requirement-id: banner_etc_issue_net_cis frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: banner_etc_motd_cis - requirement-id: cis_fedora_1-7.1-ar + requirement-id: banner_etc_motd_cis frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: chronyd_run_as_chrony_user - requirement-id: cis_fedora_2-3.3-ar + requirement-id: chronyd_run_as_chrony_user frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: chronyd_specify_remote_server - requirement-id: cis_fedora_2-3.2-ar + requirement-id: chronyd_specify_remote_server frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: coredump_disable_backtraces - requirement-id: cis_fedora_1-5.9-ar + requirement-id: coredump_disable_backtraces frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: coredump_disable_storage - requirement-id: cis_fedora_1-5.10-ar + requirement-id: coredump_disable_storage frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_db_up_to_date - requirement-id: reload_dconf_db-ar + requirement-id: dconf_db_up_to_date frequency: on-demand evaluation-methods: - - type: automated + - type: Automated 
executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_banner_enabled - requirement-id: cis_fedora_1-8.1-ar + requirement-id: dconf_gnome_banner_enabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_disable_autorun - requirement-id: cis_fedora_1-8.5-ar + requirement-id: dconf_gnome_disable_autorun frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_disable_user_list - requirement-id: cis_fedora_1-8.2-ar + requirement-id: dconf_gnome_disable_user_list frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_login_banner_text - requirement-id: cis_fedora_1-8.1-ar + requirement-id: dconf_gnome_login_banner_text frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_screensaver_idle_delay - requirement-id: cis_fedora_1-8.3-ar + requirement-id: dconf_gnome_screensaver_idle_delay frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_screensaver_lock_delay - requirement-id: cis_fedora_1-8.3-ar + requirement-id: dconf_gnome_screensaver_lock_delay frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_screensaver_user_locks - requirement-id: cis_fedora_1-8.3-ar + requirement-id: dconf_gnome_screensaver_user_locks frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dconf_gnome_session_idle_user_locks - requirement-id: cis_fedora_1-8.3-ar + requirement-id: 
dconf_gnome_session_idle_user_locks frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: dir_perms_world_writable_sticky_bits - requirement-id: cis_fedora_7-1.11-ar + requirement-id: dir_perms_world_writable_sticky_bits frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: disable_host_auth - requirement-id: cis_fedora_5-1.12-ar + requirement-id: disable_host_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: disable_users_coredumps - requirement-id: cis_fedora_1-5.1-ar + requirement-id: disable_users_coredumps frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: ensure_gpgcheck_globally_activated - requirement-id: cis_fedora_1-2.1.2-ar + requirement-id: ensure_gpgcheck_globally_activated frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: ensure_pam_wheel_group_empty - requirement-id: cis_fedora_5-2.7-ar + requirement-id: ensure_pam_wheel_group_empty frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: ensure_root_password_configured - requirement-id: cis_fedora_5-4.2.4-ar + requirement-id: ensure_root_password_configured frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_at_deny_not_exist - requirement-id: cis_fedora_2-4.2.1-ar + requirement-id: file_at_deny_not_exist frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: 
file_cron_allow_exists - requirement-id: cis_fedora_2-4.1.9-ar + requirement-id: file_cron_allow_exists frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_cron_deny_not_exist - requirement-id: cis_fedora_2-4.1.9-ar + requirement-id: file_cron_deny_not_exist frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_at_allow - requirement-id: cis_fedora_2-4.2.1-ar + requirement-id: file_groupowner_at_allow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_backup_etc_group - requirement-id: cis_fedora_7-1.4-ar + requirement-id: file_groupowner_backup_etc_group frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_backup_etc_gshadow - requirement-id: cis_fedora_7-1.8-ar + requirement-id: file_groupowner_backup_etc_gshadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_backup_etc_passwd - requirement-id: cis_fedora_7-1.2-ar + requirement-id: file_groupowner_backup_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_backup_etc_shadow - requirement-id: cis_fedora_7-1.6-ar + requirement-id: file_groupowner_backup_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_allow - requirement-id: cis_fedora_2-4.1.9-ar + requirement-id: file_groupowner_cron_allow frequency: on-demand evaluation-methods: - - type: automated + 
- type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_d - requirement-id: cis_fedora_2-4.1.8-ar + requirement-id: file_groupowner_cron_d frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_daily - requirement-id: cis_fedora_2-4.1.4-ar + requirement-id: file_groupowner_cron_daily frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_hourly - requirement-id: cis_fedora_2-4.1.3-ar + requirement-id: file_groupowner_cron_hourly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_monthly - requirement-id: cis_fedora_2-4.1.6-ar + requirement-id: file_groupowner_cron_monthly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_cron_weekly - requirement-id: cis_fedora_2-4.1.5-ar + requirement-id: file_groupowner_cron_weekly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_crontab - requirement-id: cis_fedora_2-4.1.2-ar + requirement-id: file_groupowner_crontab frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_group - requirement-id: cis_fedora_7-1.3-ar + requirement-id: file_groupowner_etc_group frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_gshadow - requirement-id: cis_fedora_7-1.7-ar + requirement-id: file_groupowner_etc_gshadow frequency: on-demand 
evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_issue - requirement-id: cis_fedora_1-7.5-ar + requirement-id: file_groupowner_etc_issue frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_issue_net - requirement-id: cis_fedora_1-7.6-ar + requirement-id: file_groupowner_etc_issue_net frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_motd - requirement-id: cis_fedora_1-7.4-ar + requirement-id: file_groupowner_etc_motd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_passwd - requirement-id: cis_fedora_7-1.1-ar + requirement-id: file_groupowner_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_shadow - requirement-id: cis_fedora_7-1.5-ar + requirement-id: file_groupowner_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_etc_shells - requirement-id: cis_fedora_7-1.9-ar + requirement-id: file_groupowner_etc_shells frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupowner_sshd_config - requirement-id: cis_fedora_5-1.1-ar + requirement-id: file_groupowner_sshd_config frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupownership_sshd_private_key - requirement-id: cis_fedora_5-1.2-ar + requirement-id: 
file_groupownership_sshd_private_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_groupownership_sshd_pub_key - requirement-id: cis_fedora_5-1.3-ar + requirement-id: file_groupownership_sshd_pub_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_at_allow - requirement-id: cis_fedora_2-4.2.1-ar + requirement-id: file_owner_at_allow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_backup_etc_group - requirement-id: cis_fedora_7-1.4-ar + requirement-id: file_owner_backup_etc_group frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_backup_etc_gshadow - requirement-id: cis_fedora_7-1.8-ar + requirement-id: file_owner_backup_etc_gshadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_backup_etc_passwd - requirement-id: cis_fedora_7-1.2-ar + requirement-id: file_owner_backup_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_backup_etc_shadow - requirement-id: cis_fedora_7-1.6-ar + requirement-id: file_owner_backup_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_allow - requirement-id: cis_fedora_2-4.1.9-ar + requirement-id: file_owner_cron_allow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_d - 
requirement-id: cis_fedora_2-4.1.8-ar + requirement-id: file_owner_cron_d frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_daily - requirement-id: cis_fedora_2-4.1.4-ar + requirement-id: file_owner_cron_daily frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_hourly - requirement-id: cis_fedora_2-4.1.3-ar + requirement-id: file_owner_cron_hourly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_monthly - requirement-id: cis_fedora_2-4.1.6-ar + requirement-id: file_owner_cron_monthly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_cron_weekly - requirement-id: cis_fedora_2-4.1.5-ar + requirement-id: file_owner_cron_weekly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_crontab - requirement-id: cis_fedora_2-4.1.2-ar + requirement-id: file_owner_crontab frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_group - requirement-id: cis_fedora_7-1.3-ar + requirement-id: file_owner_etc_group frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_gshadow - requirement-id: cis_fedora_7-1.7-ar + requirement-id: file_owner_etc_gshadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_issue - requirement-id: cis_fedora_1-7.5-ar + 
requirement-id: file_owner_etc_issue frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_issue_net - requirement-id: cis_fedora_1-7.6-ar + requirement-id: file_owner_etc_issue_net frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_motd - requirement-id: cis_fedora_1-7.4-ar + requirement-id: file_owner_etc_motd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_passwd - requirement-id: cis_fedora_7-1.1-ar + requirement-id: file_owner_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_shadow - requirement-id: cis_fedora_7-1.5-ar + requirement-id: file_owner_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_etc_shells - requirement-id: cis_fedora_7-1.9-ar + requirement-id: file_owner_etc_shells frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_owner_sshd_config - requirement-id: cis_fedora_5-1.1-ar + requirement-id: file_owner_sshd_config frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_ownership_home_directories - requirement-id: cis_fedora_7-2.8-ar + requirement-id: file_ownership_home_directories frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_ownership_sshd_private_key - requirement-id: cis_fedora_5-1.2-ar + 
requirement-id: file_ownership_sshd_private_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_ownership_sshd_pub_key - requirement-id: cis_fedora_5-1.3-ar + requirement-id: file_ownership_sshd_pub_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permission_user_init_files - requirement-id: cis_fedora_7-2.9-ar + requirement-id: file_permission_user_init_files frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_at_allow - requirement-id: cis_fedora_2-4.2.1-ar + requirement-id: file_permissions_at_allow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_backup_etc_group - requirement-id: cis_fedora_7-1.4-ar + requirement-id: file_permissions_backup_etc_group frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_backup_etc_gshadow - requirement-id: cis_fedora_7-1.8-ar + requirement-id: file_permissions_backup_etc_gshadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_backup_etc_passwd - requirement-id: cis_fedora_7-1.2-ar + requirement-id: file_permissions_backup_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_backup_etc_shadow - requirement-id: cis_fedora_7-1.6-ar + requirement-id: file_permissions_backup_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: 
openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_allow - requirement-id: cis_fedora_2-4.1.9-ar + requirement-id: file_permissions_cron_allow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_d - requirement-id: cis_fedora_2-4.1.8-ar + requirement-id: file_permissions_cron_d frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_daily - requirement-id: cis_fedora_2-4.1.4-ar + requirement-id: file_permissions_cron_daily frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_hourly - requirement-id: cis_fedora_2-4.1.3-ar + requirement-id: file_permissions_cron_hourly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_monthly - requirement-id: cis_fedora_2-4.1.6-ar + requirement-id: file_permissions_cron_monthly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_cron_weekly - requirement-id: cis_fedora_2-4.1.5-ar + requirement-id: file_permissions_cron_weekly frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_crontab - requirement-id: cis_fedora_2-4.1.2-ar + requirement-id: file_permissions_crontab frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_group - requirement-id: cis_fedora_7-1.3-ar + requirement-id: file_permissions_etc_group frequency: on-demand evaluation-methods: 
- - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_gshadow - requirement-id: cis_fedora_7-1.7-ar + requirement-id: file_permissions_etc_gshadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_issue - requirement-id: cis_fedora_1-7.5-ar + requirement-id: file_permissions_etc_issue frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_issue_net - requirement-id: cis_fedora_1-7.6-ar + requirement-id: file_permissions_etc_issue_net frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_motd - requirement-id: cis_fedora_1-7.4-ar + requirement-id: file_permissions_etc_motd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_passwd - requirement-id: cis_fedora_7-1.1-ar + requirement-id: file_permissions_etc_passwd frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_shadow - requirement-id: cis_fedora_7-1.5-ar + requirement-id: file_permissions_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_etc_shells - requirement-id: cis_fedora_7-1.9-ar + requirement-id: file_permissions_etc_shells frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_home_directories - requirement-id: cis_fedora_7-2.8-ar + requirement-id: 
file_permissions_home_directories frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_sshd_config - requirement-id: cis_fedora_5-1.1-ar + requirement-id: file_permissions_sshd_config frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_sshd_private_key - requirement-id: cis_fedora_5-1.2-ar + requirement-id: file_permissions_sshd_private_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_sshd_pub_key - requirement-id: cis_fedora_5-1.3-ar + requirement-id: file_permissions_sshd_pub_key frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: file_permissions_unauthorized_world_writable - requirement-id: cis_fedora_7-1.11-ar + requirement-id: file_permissions_unauthorized_world_writable frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: firewalld_loopback_traffic_restricted - requirement-id: cis_fedora_4-2.2-ar + requirement-id: firewalld_loopback_traffic_restricted frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: firewalld_loopback_traffic_trusted - requirement-id: cis_fedora_4-2.2-ar + requirement-id: firewalld_loopback_traffic_trusted frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: gid_passwd_group_same - requirement-id: cis_fedora_7-2.3-ar + requirement-id: gid_passwd_group_same frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: 
openscap + name: OpenSCAP + type: Software - id: group_unique_id - requirement-id: cis_fedora_7-2.5-ar + requirement-id: group_unique_id frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: group_unique_name - requirement-id: cis_fedora_7-2.7-ar + requirement-id: group_unique_name frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: grub2_enable_selinux - requirement-id: cis_fedora_1-3.1.2-ar + requirement-id: grub2_enable_selinux frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: grub2_password - requirement-id: cis_fedora_1-4.1-ar + requirement-id: grub2_password frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: has_nonlocal_mta - requirement-id: cis_fedora_2-1.23-ar + requirement-id: has_nonlocal_mta frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: journald_compress - requirement-id: cis_fedora_6-2.2.3-ar + requirement-id: journald_compress frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: journald_storage - requirement-id: cis_fedora_6-2.2.4-ar + requirement-id: journald_storage frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_atm_disabled - requirement-id: cis_fedora_3-2.1-ar + requirement-id: kernel_module_atm_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_can_disabled - requirement-id: 
cis_fedora_3-2.2-ar + requirement-id: kernel_module_can_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_cramfs_disabled - requirement-id: cis_fedora_1-1.1.1-ar + requirement-id: kernel_module_cramfs_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_dccp_disabled - requirement-id: cis_fedora_3-2.3-ar + requirement-id: kernel_module_dccp_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_freevxfs_disabled - requirement-id: cis_fedora_1-1.1.2-ar + requirement-id: kernel_module_freevxfs_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_hfs_disabled - requirement-id: cis_fedora_1-1.1.3-ar + requirement-id: kernel_module_hfs_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_hfsplus_disabled - requirement-id: cis_fedora_1-1.1.4-ar + requirement-id: kernel_module_hfsplus_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_jffs2_disabled - requirement-id: cis_fedora_1-1.1.5-ar + requirement-id: kernel_module_jffs2_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: kernel_module_rds_disabled - requirement-id: cis_fedora_3-2.5-ar + requirement-id: kernel_module_rds_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: 
OpenSCAP + type: Software - id: kernel_module_tipc_disabled - requirement-id: cis_fedora_3-2.4-ar + requirement-id: kernel_module_tipc_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_dev_shm_nodev - requirement-id: cis_fedora_1-1.2.2.2-ar + requirement-id: mount_option_dev_shm_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_dev_shm_noexec - requirement-id: cis_fedora_1-1.2.2.4-ar + requirement-id: mount_option_dev_shm_noexec frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_dev_shm_nosuid - requirement-id: cis_fedora_1-1.2.2.3-ar + requirement-id: mount_option_dev_shm_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_home_nodev - requirement-id: cis_fedora_1-1.2.3.2-ar + requirement-id: mount_option_home_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_home_nosuid - requirement-id: cis_fedora_1-1.2.3.3-ar + requirement-id: mount_option_home_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_tmp_nodev - requirement-id: cis_fedora_1-1.2.1.2-ar + requirement-id: mount_option_tmp_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_tmp_noexec - requirement-id: cis_fedora_1-1.2.1.4-ar + requirement-id: mount_option_tmp_noexec frequency: on-demand evaluation-methods: - - type: automated + - 
type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_tmp_nosuid - requirement-id: cis_fedora_1-1.2.1.3-ar + requirement-id: mount_option_tmp_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_audit_nodev - requirement-id: cis_fedora_1-1.2.7.2-ar + requirement-id: mount_option_var_log_audit_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_audit_noexec - requirement-id: cis_fedora_1-1.2.7.4-ar + requirement-id: mount_option_var_log_audit_noexec frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_audit_nosuid - requirement-id: cis_fedora_1-1.2.7.3-ar + requirement-id: mount_option_var_log_audit_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_nodev - requirement-id: cis_fedora_1-1.2.6.2-ar + requirement-id: mount_option_var_log_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_noexec - requirement-id: cis_fedora_1-1.2.6.4-ar + requirement-id: mount_option_var_log_noexec frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_log_nosuid - requirement-id: cis_fedora_1-1.2.6.3-ar + requirement-id: mount_option_var_log_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_nodev - requirement-id: cis_fedora_1-1.2.4.2-ar + 
requirement-id: mount_option_var_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_nosuid - requirement-id: cis_fedora_1-1.2.4.3-ar + requirement-id: mount_option_var_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_tmp_nodev - requirement-id: cis_fedora_1-1.2.5.2-ar + requirement-id: mount_option_var_tmp_nodev frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_tmp_noexec - requirement-id: cis_fedora_1-1.2.5.4-ar + requirement-id: mount_option_var_tmp_noexec frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: mount_option_var_tmp_nosuid - requirement-id: cis_fedora_1-1.2.5.3-ar + requirement-id: mount_option_var_tmp_nosuid frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_empty_passwords - requirement-id: cis_fedora_5-3.3.4.1-ar + requirement-id: no_empty_passwords frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_empty_passwords_etc_shadow - requirement-id: cis_fedora_7-2.2-ar + requirement-id: no_empty_passwords_etc_shadow frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_forward_files - requirement-id: cis_fedora_7-2.9-ar + requirement-id: no_forward_files frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_netrc_files - requirement-id: 
cis_fedora_7-2.9-ar + requirement-id: no_netrc_files frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_password_auth_for_systemaccounts - requirement-id: cis_fedora_5-4.2.7-ar + requirement-id: no_password_auth_for_systemaccounts frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: no_shelllogin_for_systemaccounts - requirement-id: cis_fedora_5-4.2.7-ar + requirement-id: no_shelllogin_for_systemaccounts frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_aide_installed - requirement-id: cis_fedora_6-1.1-ar + requirement-id: package_aide_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_bind_removed - requirement-id: cis_fedora_2-1.5-ar + requirement-id: package_bind_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_cron_installed - requirement-id: cis_fedora_2-4.1.1-ar + requirement-id: package_cron_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_cyrus-imapd_removed - requirement-id: cis_fedora_2-1.8-ar + requirement-id: package_cyrus-imapd_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_dnsmasq_removed - requirement-id: cis_fedora_2-1.6-ar + requirement-id: package_dnsmasq_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: 
package_dovecot_removed - requirement-id: cis_fedora_2-1.8-ar + requirement-id: package_dovecot_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_firewalld_installed - requirement-id: cis_fedora_4-1.2-ar + requirement-id: package_firewalld_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_ftp_removed - requirement-id: cis_fedora_2-2.1-ar + requirement-id: package_ftp_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_httpd_removed - requirement-id: cis_fedora_2-1.19-ar + requirement-id: package_httpd_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_kea_removed - requirement-id: cis_fedora_2-1.4-ar + requirement-id: package_kea_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_libselinux_installed - requirement-id: cis_fedora_1-3.1.1-ar + requirement-id: package_libselinux_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_mcstrans_removed - requirement-id: cis_fedora_1-3.1.7-ar + requirement-id: package_mcstrans_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_net-snmp_removed - requirement-id: cis_fedora_2-1.15-ar + requirement-id: package_net-snmp_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: 
package_nftables_installed - requirement-id: cis_fedora_4-1.1-ar + requirement-id: package_nftables_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_nginx_removed - requirement-id: cis_fedora_2-1.19-ar + requirement-id: package_nginx_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_pam_pwquality_installed - requirement-id: cis_fedora_5-3.1.3-ar + requirement-id: package_pam_pwquality_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_rsync_removed - requirement-id: cis_fedora_2-1.13-ar + requirement-id: package_rsync_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_samba_removed - requirement-id: cis_fedora_2-1.14-ar + requirement-id: package_samba_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_squid_removed - requirement-id: cis_fedora_2-1.18-ar + requirement-id: package_squid_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_sudo_installed - requirement-id: cis_fedora_5-2.1-ar + requirement-id: package_sudo_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_systemd-journal-remote_installed - requirement-id: cis_fedora_6-2.2.1.1-ar + requirement-id: package_systemd-journal-remote_installed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: 
OpenSCAP + type: Software - id: package_telnet-server_removed - requirement-id: cis_fedora_2-1.16-ar + requirement-id: package_telnet-server_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_telnet_removed - requirement-id: cis_fedora_2-2.4-ar + requirement-id: package_telnet_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_tftp-server_removed - requirement-id: cis_fedora_2-1.17-ar + requirement-id: package_tftp-server_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_tftp_removed - requirement-id: cis_fedora_2-2.5-ar + requirement-id: package_tftp_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: package_vsftpd_removed - requirement-id: cis_fedora_2-1.7-ar + requirement-id: package_vsftpd_removed frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: partition_for_dev_shm - requirement-id: cis_fedora_1-1.2.2.1-ar + requirement-id: partition_for_dev_shm frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: partition_for_tmp - requirement-id: cis_fedora_1-1.2.1.1-ar + requirement-id: partition_for_tmp frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: postfix_network_listening_disabled - requirement-id: cis_fedora_2-1.23-ar + requirement-id: postfix_network_listening_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: 
openscap + name: OpenSCAP + type: Software - id: root_path_no_dot - requirement-id: cis_fedora_5-4.2.5-ar + requirement-id: root_path_no_dot frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: rsyslog_files_groupownership - requirement-id: cis_fedora_6-2.6.1-ar + requirement-id: rsyslog_files_groupownership frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: rsyslog_files_ownership - requirement-id: cis_fedora_6-2.6.1-ar + requirement-id: rsyslog_files_ownership frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: rsyslog_files_permissions - requirement-id: cis_fedora_6-2.6.1-ar + requirement-id: rsyslog_files_permissions frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: selinux_not_disabled - requirement-id: cis_fedora_1-3.1.4-ar + requirement-id: selinux_not_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: selinux_policytype - requirement-id: cis_fedora_1-3.1.3-ar + requirement-id: selinux_policytype frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: service_crond_enabled - requirement-id: cis_fedora_2-4.1.1-ar + requirement-id: service_crond_enabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: service_firewalld_enabled - requirement-id: cis_fedora_4-1.2-ar + requirement-id: service_firewalld_enabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: 
OpenSCAP + type: Software - id: service_nfs_disabled - requirement-id: cis_fedora_2-1.9-ar + requirement-id: service_nfs_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: service_nftables_disabled - requirement-id: cis_fedora_4-1.2-ar + requirement-id: service_nftables_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: service_rpcbind_disabled - requirement-id: cis_fedora_2-1.12-ar + requirement-id: service_rpcbind_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: service_systemd-journald_enabled - requirement-id: cis_fedora_6-2.1.1-ar + requirement-id: service_systemd-journald_enabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: set_password_hashing_algorithm_logindefs - requirement-id: cis_fedora_5-4.1.4-ar + requirement-id: set_password_hashing_algorithm_logindefs frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: set_password_hashing_algorithm_passwordauth - requirement-id: cis_fedora_5-3.3.4.3-ar + requirement-id: set_password_hashing_algorithm_passwordauth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: set_password_hashing_algorithm_systemauth - requirement-id: cis_fedora_5-3.3.4.3-ar + requirement-id: set_password_hashing_algorithm_systemauth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: socket_systemd-journal-remote_disabled - requirement-id: cis_fedora_6-2.2.1.4-ar + 
requirement-id: socket_systemd-journal-remote_disabled frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_disable_empty_passwords - requirement-id: cis_fedora_5-1.19-ar + requirement-id: sshd_disable_empty_passwords frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_disable_gssapi_auth - requirement-id: cis_fedora_5-1.11-ar + requirement-id: sshd_disable_gssapi_auth frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_disable_rhosts - requirement-id: cis_fedora_5-1.13-ar + requirement-id: sshd_disable_rhosts frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_disable_root_login - requirement-id: cis_fedora_5-1.20-ar + requirement-id: sshd_disable_root_login frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_do_not_permit_user_env - requirement-id: cis_fedora_5-1.21-ar + requirement-id: sshd_do_not_permit_user_env frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_enable_pam - requirement-id: cis_fedora_5-1.22-ar + requirement-id: sshd_enable_pam frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_enable_warning_banner_net - requirement-id: cis_fedora_5-1.8-ar + requirement-id: sshd_enable_warning_banner_net frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_limit_user_access - requirement-id: 
cis_fedora_5-1.7-ar + requirement-id: sshd_limit_user_access frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_idle_timeout - requirement-id: cis_fedora_5-1.9-ar + requirement-id: sshd_set_idle_timeout frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_keepalive - requirement-id: cis_fedora_5-1.9-ar + requirement-id: sshd_set_keepalive frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_login_grace_time - requirement-id: cis_fedora_5-1.14-ar + requirement-id: sshd_set_login_grace_time frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_loglevel_verbose - requirement-id: cis_fedora_5-1.15-ar + requirement-id: sshd_set_loglevel_verbose frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_max_auth_tries - requirement-id: cis_fedora_5-1.16-ar + requirement-id: sshd_set_max_auth_tries frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_max_sessions - requirement-id: cis_fedora_5-1.18-ar + requirement-id: sshd_set_max_sessions frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sshd_set_maxstartups - requirement-id: cis_fedora_5-1.17-ar + requirement-id: sshd_set_maxstartups frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sudo_add_use_pty - requirement-id: cis_fedora_5-2.2-ar + 
requirement-id: sudo_add_use_pty frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sudo_custom_logfile - requirement-id: cis_fedora_5-2.3-ar + requirement-id: sudo_custom_logfile frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sudo_remove_no_authenticate - requirement-id: cis_fedora_5-2.5-ar + requirement-id: sudo_remove_no_authenticate frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sudo_require_reauthentication - requirement-id: cis_fedora_5-2.6-ar + requirement-id: sudo_require_reauthentication frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_fs_protected_hardlinks - requirement-id: cis_fedora_1-5.2-ar + requirement-id: sysctl_fs_protected_hardlinks frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_fs_protected_symlinks - requirement-id: cis_fedora_1-5.3-ar + requirement-id: sysctl_fs_protected_symlinks frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_fs_suid_dumpable - requirement-id: cis_fedora_1-5.4-ar + requirement-id: sysctl_fs_suid_dumpable frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_kernel_dmesg_restrict - requirement-id: cis_fedora_1-5.5-ar + requirement-id: sysctl_kernel_dmesg_restrict frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_kernel_kptr_restrict - 
requirement-id: cis_fedora_1-5.6-ar + requirement-id: sysctl_kernel_kptr_restrict frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_kernel_randomize_va_space - requirement-id: cis_fedora_1-5.8-ar + requirement-id: sysctl_kernel_randomize_va_space frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_kernel_yama_ptrace_scope - requirement-id: cis_fedora_1-5.7-ar + requirement-id: sysctl_kernel_yama_ptrace_scope frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_accept_redirects - requirement-id: cis_fedora_3-3.1.8-ar + requirement-id: sysctl_net_ipv4_conf_all_accept_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_accept_source_route - requirement-id: cis_fedora_3-3.1.14-ar + requirement-id: sysctl_net_ipv4_conf_all_accept_source_route frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_log_martians - requirement-id: cis_fedora_3-3.1.16-ar + requirement-id: sysctl_net_ipv4_conf_all_log_martians frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_rp_filter - requirement-id: cis_fedora_3-3.1.12-ar + requirement-id: sysctl_net_ipv4_conf_all_rp_filter frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_secure_redirects - requirement-id: cis_fedora_3-3.1.10-ar + requirement-id: 
sysctl_net_ipv4_conf_all_secure_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_all_send_redirects - requirement-id: cis_fedora_3-3.1.4-ar + requirement-id: sysctl_net_ipv4_conf_all_send_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_accept_redirects - requirement-id: cis_fedora_3-3.1.9-ar + requirement-id: sysctl_net_ipv4_conf_default_accept_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_accept_source_route - requirement-id: cis_fedora_3-3.1.15-ar + requirement-id: sysctl_net_ipv4_conf_default_accept_source_route frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_log_martians - requirement-id: cis_fedora_3-3.1.17-ar + requirement-id: sysctl_net_ipv4_conf_default_log_martians frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_rp_filter - requirement-id: cis_fedora_3-3.1.13-ar + requirement-id: sysctl_net_ipv4_conf_default_rp_filter frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_secure_redirects - requirement-id: cis_fedora_3-3.1.11-ar + requirement-id: sysctl_net_ipv4_conf_default_secure_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_conf_default_send_redirects - requirement-id: 
cis_fedora_3-3.1.5-ar + requirement-id: sysctl_net_ipv4_conf_default_send_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_icmp_echo_ignore_broadcasts - requirement-id: cis_fedora_3-3.1.7-ar + requirement-id: sysctl_net_ipv4_icmp_echo_ignore_broadcasts frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_icmp_ignore_bogus_error_responses - requirement-id: cis_fedora_3-3.1.6-ar + requirement-id: sysctl_net_ipv4_icmp_ignore_bogus_error_responses frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_ip_forward - requirement-id: cis_fedora_3-3.1.1-ar + requirement-id: sysctl_net_ipv4_ip_forward frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv4_tcp_syncookies - requirement-id: cis_fedora_3-3.1.18-ar + requirement-id: sysctl_net_ipv4_tcp_syncookies frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_all_accept_ra - requirement-id: cis_fedora_3-3.2.7-ar + requirement-id: sysctl_net_ipv6_conf_all_accept_ra frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_all_accept_redirects - requirement-id: cis_fedora_3-3.2.3-ar + requirement-id: sysctl_net_ipv6_conf_all_accept_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_all_accept_source_route - requirement-id: cis_fedora_3-3.2.5-ar + 
requirement-id: sysctl_net_ipv6_conf_all_accept_source_route frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_all_forwarding - requirement-id: cis_fedora_3-3.2.1-ar + requirement-id: sysctl_net_ipv6_conf_all_forwarding frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_default_accept_ra - requirement-id: cis_fedora_3-3.2.8-ar + requirement-id: sysctl_net_ipv6_conf_default_accept_ra frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_default_accept_redirects - requirement-id: cis_fedora_3-3.2.4-ar + requirement-id: sysctl_net_ipv6_conf_default_accept_redirects frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: sysctl_net_ipv6_conf_default_accept_source_route - requirement-id: cis_fedora_3-3.2.6-ar + requirement-id: sysctl_net_ipv6_conf_default_accept_source_route frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software - id: use_pam_wheel_group_for_su - requirement-id: cis_fedora_5-2.7-ar + requirement-id: use_pam_wheel_group_for_su frequency: on-demand evaluation-methods: - - type: automated + - type: Automated executor: id: openscap + name: OpenSCAP + type: Software