1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
|
---
policy: CCN-STIC-610A22
title: Security Profile Application Guide for Red Hat Enterprise Linux 9
id: ccn_rhel9
version: '2022-10'
source: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html
levels:
- id: basic
- id: intermediate
inherits_from:
- basic
- id: advanced
inherits_from:
- intermediate
reference_type: ccn
product: rhel9
controls:
- id: reload_dconf_db
title: Reload Dconf Database
levels:
- basic
- intermediate
- advanced
notes: |-
This is a helper rule to reload Dconf database correctly.
status: automated
rules:
- dconf_db_up_to_date
- id: enable_authselect
title: Enable Authselect
levels:
- basic
- intermediate
- advanced
notes: |-
The policy doesn't have any section where this would fit better.
status: automated
rules:
- var_authselect_profile=sssd
- enable_authselect
- id: A.3.SEC-RHEL1
title: Session Initiation is Audited
original_title: Se auditan los inicios de sesión.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- audit_rules_session_events_utmp
- audit_rules_session_events_btmp
- audit_rules_session_events_wtmp
- audit_rules_login_events_faillock
- audit_rules_login_events_lastlog
- id: A.3.SEC-RHEL2
title: Control Who Can Access Security and Audit Logs
original_title: Se controla quien puede acceder a los registros de seguridad y auditoría.
levels:
- intermediate
- advanced
status: automated
rules:
- file_permissions_var_log_audit
- file_ownership_var_log_audit
- file_group_ownership_var_log_audit
- directory_permissions_var_log_audit
- id: A.3.SEC-RHEL3
title: System Time Change is Controlled
original_title: Se controla el cambio de hora del sistema.
levels:
- intermediate
- advanced
status: automated
rules:
- package_chrony_installed
- chronyd_specify_remote_server
- chronyd_run_as_chrony_user
- var_multiple_time_servers=rhel
- id: A.3.SEC-RHEL4
title: Control Who Can Generate or Modify Audit Rules
original_title: Se controla quién puede generar o modificar reglas de audit.
levels:
- intermediate
- advanced
status: automated
rules:
- file_permissions_audit_configuration
- file_ownership_audit_configuration
- file_groupownership_audit_configuration
- id: A.3.SEC-RHEL5
title: A Detailed Audit Has Been Implemented Based on Subcategories
original_title: Se ha implementado la auditoría detallada basada en subcategorías.
levels:
- intermediate
- advanced
status: pending
notes: |-
It is not clear the intention of this requirement since there is no definition of these
subcategories. The project has many audit related rules. Clarifying these subcategories
we can select the proper rules.
- id: A.3.SEC-RHEL6
title: At Least 90 Days of Activity Logs Are Guaranteed
original_title: Se garantiza al menos 90 días de registros de actividad.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- auditd_data_retention_max_log_file_action
- var_auditd_max_log_file_action=keep_logs
- id: A.3.SEC-RHEL7
title: Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups,
and Passwords
original_title: Se auditan las modificaciones del fichero sudoers, así como los cambios en permisos,
usuarios, grupos y contraseñas.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- audit_sudo_log_events
- audit_rules_usergroup_modification_group
- audit_rules_usergroup_modification_gshadow
- audit_rules_usergroup_modification_opasswd
- audit_rules_usergroup_modification_passwd
- audit_rules_usergroup_modification_shadow
- audit_rules_sysadmin_actions
- audit_rules_dac_modification_chmod
- audit_rules_dac_modification_chown
- audit_rules_dac_modification_fchmod
- audit_rules_dac_modification_fchmodat
- audit_rules_dac_modification_fchown
- audit_rules_dac_modification_fchownat
- audit_rules_dac_modification_fremovexattr
- audit_rules_dac_modification_fsetxattr
- audit_rules_dac_modification_lchown
- audit_rules_dac_modification_lremovexattr
- audit_rules_dac_modification_lsetxattr
- audit_rules_dac_modification_removexattr
- audit_rules_dac_modification_setxattr
- id: A.3.SEC-RHEL8
title: Changes to Cron Settings and Scheduled Tasks Including Startup Scripts Are Audited
original_title: Se auditan los cambios en la configuración de Cron y en tareas programadas incluyendo
los de scripts de inicio.
levels:
- advanced
status: pending
notes: |-
Some possible rules were included here but it is not clear if the requirement intends to
check more than these rules. We can see if more related rules are available in the project
and include everything that makes sense in the context of cron and chrony.
related_rules:
- audit_rules_time_adjtimex
- audit_rules_time_settimeofday
- audit_rules_time_clock_settime
- audit_rules_time_stime
- audit_rules_time_watch_localtime
- id: A.3.SEC-RHEL9
title: Attempts to Access Critical Items Are Audited
original_title: Se auditan los intentos de acceso a elementos críticos.
levels:
- advanced
status: automated
rules:
- audit_rules_unsuccessful_file_modification_creat
- audit_rules_unsuccessful_file_modification_ftruncate
- audit_rules_unsuccessful_file_modification_open
- audit_rules_unsuccessful_file_modification_openat
- audit_rules_unsuccessful_file_modification_truncate
- id: A.3.SEC-RHEL10
title: All Mount Operations on the System and Changes to the Swap Are Audited
original_title: Se audita toda operación de montaje en el sistema y modificaciones en la memoria
de intercambio.
levels:
- intermediate
- advanced
status: partial
notes: |-
We probably have audit related rule to monitor mount related syscalls, but it is not clear
about the swap. Is the intention to monitor when swap is changed?
rules:
- audit_rules_media_export
- id: A.3.SEC-RHEL11
title: Modifications in PAM Files Are Audited
original_title: Se auditan modificaciones en ficheros PAM.
levels:
- advanced
status: pending
notes: |-
The intention here is probably to audit changes in /etc/pam.d files, but we need to confirm
this assumption and get more context.
- id: A.4.SEC-RHEL1
title: Common Users Do Dot Have Local Administrator Permissions and Are Not Included in a Sudo
Group
original_title: Los usuarios estándar no disponen de permisos de administrador local ni se encuentran
incluidos en un grupo sudoer.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
It is a little tricky to interpret this requirement. Assuming the "Common users" are actually
interactive users, this requirement would automatically enforce all admin actions to be
performed only by the root user. I am not sure if this is the intetion here.
- id: A.4.SEC-RHEL2
title: The System Has an Updated Antivirus
original_title: El sistema tiene un antivirus y este está actualizado.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
New templated rule is necessary to install the package. But to ensure the chosen antivirus
is actually updated would demand a more complex rule. Maybe this requirement can have at
leastthe partial status after the templated rule.
- id: A.4.SEC-RHEL3
title: Permissions by Partitions Are Modified
original_title: Se modifican los permisos por particiones.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
Related to nosuid, noexec and nodev options but in /boot. More context is needed.
- id: A.5.SEC-RHEL1
title: Login and Impersonation Permissions Are Controlled
original_title: Se controlan los permisos de inicio de sesión y suplantación de identidad.
levels:
- intermediate
- advanced
status: automated
rules:
- sudo_add_use_pty
- use_pam_wheel_for_su
- id: A.5.SEC-RHEL2
title: Elevation Attempts Are Controlled by Defining Users and Sudoer Groups
original_title: Se controlan los intentos de elevación mediante definición de usuarios y grupos
sudoers.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- sudo_require_authentication
- sudo_require_reauthentication
- id: A.5.SEC-RHEL3
title: Access to Encryption Keys is Controlled
original_title: Se controla el acceso a las claves de cifrado.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
There are rules for ssh_keys, for example. We need to confirm the scope of this requirement
- id: A.5.SEC-RHEL4
title: Disable Insecure Encryption Algorithms
original_title: Se han deshabilitado los algoritmos de cifrado inseguros.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- configure_crypto_policy
- var_system_crypto_policy=default_policy
- id: A.5.SEC-RHEL5
title: Recurring Password Change is Required
original_title: Se exige el cambio de contraseña de forma recurrente.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- accounts_maximum_age_login_defs
- accounts_minimum_age_login_defs
- accounts_password_set_max_life_existing
- accounts_password_set_min_life_existing
- accounts_password_set_warn_age_existing
- accounts_password_warn_age_login_defs
- var_accounts_maximum_age_login_defs=45
- var_accounts_minimum_age_login_defs=2
- var_accounts_password_warn_age_login_defs=10
- id: A.5.SEC-RHEL6
title: Secure Protocols Are Used For the Network Authentication Processes
original_title: Se hace uso de protocolos seguros para los procesos de autenticación de red.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- configure_ssh_crypto_policy
- id: A.5.SEC-RHEL7
title: Network Session Inactivity is Controlled
original_title: Se controla la inactividad de la sesión de red.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- sshd_idle_timeout_value=15_minutes
- sshd_set_idle_timeout
- sshd_set_keepalive
- var_sshd_set_keepalive=1
- id: A.5.SEC-RHEL8
title: Local and Remote Console Inactivity is Controlled
original_title: Se controla la inactividad de consola local y remota.
levels:
- advanced
status: automated
rules:
- accounts_tmout
- var_accounts_tmout=5_min
- id: A.6.SEC-RHEL1
title: The Security of Sensitive System Objects is Reinforced
original_title: Se refuerza la seguridad de los objetos sensibles del sistema.
levels:
- intermediate
- advanced
status: automated
rules:
- grub2_enable_selinux
- package_libselinux_installed
- selinux_policytype
- selinux_state
- var_selinux_policy_name=targeted
- var_selinux_state=enforcing
- id: A.6.SEC-RHEL2
title: Access in Recovery Mode Including Grub Boot Modification Mode is Restricted
original_title: Se restringen accesos en modo recuperación incluido el modo modificación de inicio
de grub.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- file_groupowner_grub2_cfg
- file_groupowner_user_cfg
- file_owner_grub2_cfg
- file_owner_user_cfg
- file_permissions_grub2_cfg
- file_permissions_user_cfg
- id: A.6.SEC-RHEL3
title: Service Users Shell is Limited to "/bin/false"
original_title: Se limita la shell de usuarios de servicio a "/bin/false".
levels:
- intermediate
- advanced
status: automated
notes: |-
"/sbin/nologin" might be a better option
rules:
- no_password_auth_for_systemaccounts
- no_shelllogin_for_systemaccounts
- id: A.6.SEC-RHEL4
title: The Use of Sessions With the "root" User is Restricted
original_title: Se restringe el uso de sesiones con usuario "root".
levels:
- intermediate
- advanced
status: automated
rules:
- ensure_root_password_configured
- no_empty_passwords_etc_shadow
- id: A.6.SEC-RHEL5
title: The Global System Mask is Modified To Be More Restrictive
original_title: Se modifica la máscara global del sistema para ser más restrictiva.
levels:
- advanced
status: automated
rules:
- accounts_umask_etc_bashrc
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
- var_accounts_user_umask=027
- id: A.6.SEC-RHEL6
title: Unnecessary Groups and Users are Removed From the System
original_title: Se eliminan los grupos y usuarios innecesarios del sistema.
levels:
- basic
- intermediate
- advanced
status: manual
- id: A.8.SEC-RHEL1
title: Control Who Can Install Software on the System
original_title: Se controla quién puede instalar software en el sistema.
levels:
- basic
- intermediate
- advanced
status: pending
- id: A.8.SEC-RHEL2
title: The Operating System is Updated
original_title: El sistema operativo está actualizado.
levels:
- basic
- intermediate
- advanced
status: manual
related_rules:
- security_patches_up_to_date
- id: A.8.SEC-RHEL3
title: The System Has an Activated Local Firewall
original_title: El sistema tiene un firewall local activado.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- firewalld_loopback_traffic_restricted
- firewalld_loopback_traffic_trusted
- service_firewalld_enabled
- package_firewalld_installed
- service_nftables_disabled
- set_firewalld_default_zone
- id: A.8.SEC-RHEL4
title: Unnecessary Services are Disabled, Reducing the Attack Surface
original_title: Se deshabilitan servicios innecesarios, reduciendo la superficie de exposición.
levels:
- intermediate
- advanced
status: automated
rules:
- kernel_module_squashfs_disabled
- kernel_module_udf_disabled
- package_bind_removed
- package_cyrus-imapd_removed
- package_dovecot_removed
- package_net-snmp_removed
- package_squid_removed
- package_telnet-server_removed
- package_tftp-server_removed
- package_vsftpd_removed
- id: A.8.SEC-RHEL5
title: Application Execution is Controlled
original_title: Se controla la ejecución de aplicaciones.
levels:
- advanced
status: pending
notes: |-
This might be related to SELinux or fapolicyd.
We need more context to confirm the intention of this requirement
- id: A.8.SEC-RHEL6
title: Anti-Ransomware Measures are Enabled
original_title: Se dispone de medidas anti ransomware habilitadas.
levels:
- basic
- intermediate
- advanced
status: partial
notes: |-
These are mentioned to be reviewed but not enforced:
# net.ipv4.icmp_echo_ignore_all = 1
# net.ipv4.tcp_timestamps = 0
# net.ipv4.tcp_max_syn_backlog = 1280
# sysctl_net_ipv6_conf_all_disable_ipv6
# sysctl_net_ipv6_conf_default_disable_ipv6
rules:
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- sysctl_net_ipv4_tcp_syncookies
- sysctl_net_ipv6_conf_all_accept_source_route
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv6_conf_default_accept_ra
- sysctl_fs_suid_dumpable
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_default_rp_filter
- id: A.8.SEC-RHEL7
title: Password Encrypted Boot That Prevents Modification is Enabled (Protected GRUB)
original_title: Está habilitado el arranque cifrado con contraseña que evite modificaciones (GRUB
protegido).
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- grub2_password
- id: A.8.SEC-RHEL8
title: File Download is Audited
original_title: Se audita la descarga de archivos.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
Is it related to downloads from the Internet to the system or from the system to an external
storage, for example?
related_rules:
- audit_rules_file_deletion_events_rename
- audit_rules_file_deletion_events_renameat
- audit_rules_file_deletion_events_unlink
- audit_rules_file_deletion_events_unlinkat
- id: A.8.SEC-RHEL9
title: System Compilers are Disabled
original_title: Están deshabilitados los compiladores del sistema.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
Maybe simply removing the packages is enough.
- id: A.11.SEC-RHEL1
title: Local Log On To the System is Controlled
original_title: Se controla el inicio de sesión local en el sistema.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
Is it related to TTY access, physical access, local users authentication, etc?
It is not not clear the scope.
- id: A.11.SEC-RHEL2
title: The Security of the SSH Protocol is Strengthened
original_title: Se ha reforzado la seguridad del protocolo SSH.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- sshd_limit_user_access
- id: A.11.SEC-RHEL3
title: A Robust Credential Policy is In Place
original_title: Se dispone de una política de credenciales robusta.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_retry
- var_password_pam_minclass=4
- var_password_pam_minlen=14
- id: A.11.SEC-RHEL4
title: During Login, the System Displays a Text in Compliance With the Organization's Standards
or Directives
original_title: Durante el inicio de sesión, el sistema muestra un texto en cumplimiento con las
normas o directivas de la organización.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- banner_etc_issue
- banner_etc_issue_net
- banner_etc_motd
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- sshd_enable_warning_banner_net
- login_banner_text=cis_banners
- motd_banner_text=cis_banners
- remote_login_banner_text=cis_banners
- id: A.11.SEC-RHEL5
title: Network Acess to the System is Controlled
original_title: Se controla el acceso al sistema a través de la red.
levels:
- basic
- intermediate
- advanced
status: manual
related_rules:
- configure_firewalld_ports
- id: A.11.SEC-RHEL6
title: Only Strong Encryption Algorithms are Allowed in Accesses to the System
original_title: Sólo se permiten algoritmos de cifrado robustos en accesos al sistema.
levels:
- basic
- intermediate
- advanced
status: automated
notes: |-
It overlaps the rule in A.5.SEC-RHEL6 requirement
related_rules:
- configure_ssh_crypto_policy
- id: A.11.SEC-RHEL7
title: GUI Idle Time is Limited
original_title: Se limita el tiempo de inactividad del GUI.
levels:
- intermediate
- advanced
status: automated
rules:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_delay
- inactivity_timeout_value=5_minutes
- var_screensaver_lock_delay=immediate
- id: A.11.SEC-RHEL8
title: A Dissuasive Banner is Displayed
original_title: Se muestra un banner disuasorio.
levels:
- intermediate
- advanced
status: pending
notes: |-
It seems to duplicate the A.11.SEC-RHEL4 requirement
- id: A.11.SEC-RHEL9
title: The User List is Disabled
original_title: Se deshabilita la lista de usuarios.
levels:
- intermediate
- advanced
status: automated
rules:
- dconf_gnome_disable_user_list
- id: A.11.SEC-RHEL10
title: File History is Disabled
original_title: Se deshabilita recordar el historial de ficheros.
levels:
- intermediate
- advanced
status: pending
notes: |-
New rules might be necessary.
- id: A.11.SEC-RHEL11
title: Key Combination to Launch GTK Inspector is Disabled
original_title: Se deshabilita combinación de teclas para iniciar el inspector GTK
levels:
- intermediate
- advanced
status: pending
notes: |-
New rules might be necessary.
- id: A.11.SEC-RHEL12
title: Auto-Mounting of Removable Devices on the System is Disabled
original_title: Se deshabilita el auto montaje de dispositivos extraíbles en el sistema.
levels:
- intermediate
- advanced
status: automated
rules:
- dconf_gnome_disable_automount
- dconf_gnome_disable_automount_open
- dconf_gnome_disable_autorun
- id: A.15.SEC-RHEL1
title: The Use of Removable Storage Media is Controlled
original_title: Se controla el uso de medios de almacenamiento extraíbles.
levels:
- intermediate
- advanced
status: automated
rules:
- kernel_module_usb-storage_disabled
- id: A.19.SEC-RHEL1
title: Access to the Folder and File Tree is Controlled
original_title: Se controla el acceso al árbol de carpetas y ficheros.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
More context should be provided to clarify this requirement
- id: A.19.SEC-RHEL2
title: Measures Are Applied to Protect Accounts
original_title: Se aplican medidas para la protección de las cuentas.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
This is already covered by other requirements. Maybe more rules could be included here.
- id: A.19.SEC-RHEL3
title: A Robust Algorithm and Password Complexity Are Enabled
original_title: Está habilitado un algoritmo robusto y la complejidad de contraseñas.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- set_password_hashing_algorithm_systemauth
- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_logindefs
- var_password_hashing_algorithm=SHA512
- var_password_hashing_algorithm_pam=sha512
- id: A.23.SEC-RHEL1
title: The Installation And Use of Any Device Connected to the Equipment is Controlled
original_title: Se controla la instalación y uso de cualquier dispositivo conectado al equipo.
levels:
- basic
- intermediate
- advanced
status: automated
rules:
- package_usbguard_installed
- service_usbguard_enabled
- usbguard_generate_policy
- id: A.23.SEC-RHEL2
title: The Dynamic Mounting and Unmounting of File Systems is Restricted
original_title: Se restringe el montaje y desmontaje dinámico de sistemas de archivos.
levels:
- basic
- intermediate
- advanced
status: pending
notes: |-
It seems to duplicate the A.11.SEC-RHEL12 requirement.
- id: A.24.SEC-RHEL1
title: Privileges That Affect System Performance Are Controlled
original_title: Se controlan los privilegios que afectan al rendimiento del sistema.
levels:
- intermediate
- advanced
status: pending
notes: |-
Is it about system limits?
- id: A.24.SEC-RHEL2
title: Control Who Can Turn Off the System
original_title: Se controla quien puede apagar el sistema.
levels:
- intermediate
- advanced
status: pending
related_rules:
- disable_ctrlaltdel_burstaction
- disable_ctrlaltdel_reboot
- id: A.25.SEC-RHEL1
title: System Disk is Encrypted
original_title: El disco del sistema está cifrado.
levels:
- advanced
status: automated
rules:
- encrypt_partitions
- package_cryptsetup-luks_installed
- id: A.25.SEC-RHEL2
title: The Data Disk is Encrypted
original_title: El disco de datos está cifrado.
levels:
- advanced
status: automated
notes: |-
The rules in this requirement overlaps the A.25.SEC-RHEL1 requirement
related_rules:
- package_cryptsetup-luks_installed
- encrypt_partitions
- id: A.30.SEC-RHEL1
title: There Is an Account Lockout Policy for Incorrect Logins
original_title: Existe una política de bloqueo de cuentas ante inicios de sesión incorrectos.
levels:
- advanced
status: automated
rules:
- accounts_passwords_pam_faillock_deny
- accounts_passwords_pam_faillock_unlock_time
- var_accounts_passwords_pam_faillock_deny=8
- var_accounts_passwords_pam_faillock_unlock_time=never
|
