Definition of Australian Signals Directorate Information Security Manual for ol9

0418: Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.

Description: None

• base

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• enable_ldap_client: Enable the LDAP Client For Use in Authconfig
• kerberos_disable_no_keytab: Disable Kerberos by removing host keytab
• network_nmcli_permissions: Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
• sebool_kerberos_enabled: Enable the kerberos_enabled SELinux Boolean
• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication
• var_password_hashing_algorithm_pam = sha512

0421: Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply.

Description: None

• base

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_max_auth_tries_value = 5
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD
• var_accounts_maximum_age_login_defs = 60
• var_accounts_minimum_age_login_defs = 1
• var_accounts_password_minlen_login_defs = 14
• var_accounts_password_warn_age_login_defs = 7
• var_authselect_profile = sssd
• var_password_pam_minlen = 14

0422: Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters.

Description: None

• top_secret

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD
• var_accounts_password_minlen_login_defs = 20
• var_password_pam_minlen = 20

0484: SSH daemon configuration

Description: None

• base

Automated: no

• disable_host_auth: Disable Host-Based Authentication
• sshd_disable_x11_forwarding: Disable X11 Forwarding
• sshd_enable_warning_banner: Enable SSH Warning Banner

0487: Passwordless SSH Connections Configuration

Description: None

• base

Automated: no

No rules selected

0582: Central Logging for OS Events

Description: None

• base

Automated: yes

• audit_access_failed: Configure auditing of unsuccessful file accesses
• audit_access_failed_aarch64: Configure auditing of unsuccessful file accesses (AArch64)
• audit_access_failed_ppc64le: Configure auditing of unsuccessful file accesses (ppc64le)
• audit_access_success: Configure auditing of successful file accesses
• audit_access_success_aarch64: Configure auditing of successful file accesses (AArch64)
• audit_access_success_ppc64le: Configure auditing of successful file accesses (ppc64le)
• audit_rules_privileged_commands: Ensure auditd Collects Information on the Use of Privileged Commands
• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information
• audit_rules_unsuccessful_file_modification: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
• sebool_auditadm_exec_content: Enable the auditadm_exec_content SELinux Boolean
• sshd_print_last_log: Enable SSH Print Last Log

0846: All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control.

Description: None

• base

Automated: yes

• audit_access_failed: Configure auditing of unsuccessful file accesses
• audit_access_failed_aarch64: Configure auditing of unsuccessful file accesses (AArch64)
• audit_access_failed_ppc64le: Configure auditing of unsuccessful file accesses (ppc64le)
• audit_access_success: Configure auditing of successful file accesses
• audit_access_success_aarch64: Configure auditing of successful file accesses (AArch64)
• audit_access_success_ppc64le: Configure auditing of successful file accesses (ppc64le)
• audit_rules_privileged_commands: Ensure auditd Collects Information on the Use of Privileged Commands
• audit_rules_session_events: Record Attempts to Alter Process and Session Initiation Information
• audit_rules_unsuccessful_file_modification: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
• sebool_auditadm_exec_content: Enable the auditadm_exec_content SELinux Boolean
• sshd_print_last_log: Enable SSH Print Last Log

0974: Multi-factor authentication is used to authenticate unprivileged users of systems.

Description: None

• base

Automated: no

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

0988: An accurate time source is established and used consistently across systems to assist with identifying connections between events.

Description: None

• base

Automated: yes

• chronyd_configure_pool_and_server: Chrony Configure Pool and Server
• chronyd_or_ntpd_specify_multiple_servers: Specify Additional Remote NTP Servers
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• package_chrony_installed: The Chrony package is installed
• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog
• rsyslog_files_groupownership: Ensure Log Files Are Owned By Appropriate Group
• rsyslog_files_ownership: Ensure Log Files Are Owned By Appropriate User
• rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions
• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host
• rsyslog_remote_tls: Configure TLS for rsyslog remote logging
• rsyslog_remote_tls_cacert: Configure CA certificate for rsyslog remote logging
• service_chronyd_enabled: The Chronyd service is enabled
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon

1034: A HIPS is implemented on critical servers and high-value servers.

Description: None

• base

Automated: yes

• package_aide_installed: Install AIDE

1055: LAN Manager and NT LAN Manager authentication methods are disabled.

Description: None

• base

Automated: no

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• enable_ldap_client: Enable the LDAP Client For Use in Authconfig
• kerberos_disable_no_keytab: Disable Kerberos by removing host keytab
• network_nmcli_permissions: Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
• sebool_kerberos_enabled: Enable the kerberos_enabled SELinux Boolean
• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

1173: Multi-factor authentication is used to authenticate privileged users of systems.

Description: None

• base

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1277: Data communicated between database servers and web servers is encrypted.

Description: None

• base

Automated: no

• openssl_use_strong_entropy: OpenSSL uses strong entropy source

1288: Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines.

Description: None

• base

Automated: no

• package_aide_installed: Install AIDE

1311: SNMP version 1 and SNMP version 2 are not used on networks.

Description: None

• base

Automated: no

• service_snmpd_disabled: Disable snmpd Service
• snmpd_use_newer_protocol: Configure SNMP Service to Use Only SNMPv3 or Newer

1315: The administrative interface on wireless access points is disabled for wireless network connections.

Description: None

• base

Automated: yes

• network_ipv6_static_address: Manually Assign Global IPv6 Address
• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

1319: Static addressing is not used for assigning IP addresses on wireless networks.

Description: None

• base

Automated: no

• network_ipv6_static_address: Manually Assign Global IPv6 Address
• wireless_disable_interfaces: Deactivate Wireless Network Interfaces

1341: A HIPS is implemented on workstations.

Description: None

• base

Automated: yes

• package_aide_installed: Install AIDE

1386: Network management traffic can only originate from administrative infrastructure.

Description: None

• base

Automated: no

• configure_opensc_card_drivers: Configure opensc Smart Card Drivers
• force_opensc_card_drivers: Force opensc To Use Defined Smart Card Driver
• package_opensc_installed: Install the opensc Package For Multifactor Authentication
• package_pcsc-lite_installed: Install the pcsc-lite package
• package_sudo_installed: Install sudo Package
• service_pcscd_enabled: Enable the pcscd Service

1401: Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

Description: None

• base

Automated: no

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1402: Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database

Description: None

• base

Automated: yes

• accounts_maximum_age_login_defs: Set Password Maximum Age
• accounts_minimum_age_login_defs: Set Password Minimum Age
• accounts_password_warn_age_login_defs: Set Password Warning Age
• configure_kerberos_crypto_policy: Configure Kerberos to use System Crypto Policy
• enable_ldap_client: Enable the LDAP Client For Use in Authconfig
• kerberos_disable_no_keytab: Disable Kerberos by removing host keytab
• network_nmcli_permissions: Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
• sebool_kerberos_enabled: Enable the kerberos_enabled SELinux Boolean
• set_password_hashing_algorithm_libuserconf: Set Password Hashing Algorithm in /etc/libuser.conf
• set_password_hashing_algorithm_logindefs: Set Password Hashing Algorithm in /etc/login.defs
• set_password_hashing_algorithm_passwordauth: Set PAM''s Password Hashing Algorithm - password-auth
• set_password_hashing_algorithm_systemauth: Set PAM''s Password Hashing Algorithm
• sshd_disable_gssapi_auth: Disable GSSAPI Authentication

1405: A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur.

Description: None

• base

Automated: yes

• chronyd_configure_pool_and_server: Chrony Configure Pool and Server
• chronyd_or_ntpd_specify_multiple_servers: Specify Additional Remote NTP Servers
• chronyd_specify_remote_server: A remote time server for Chrony is configured
• package_chrony_installed: The Chrony package is installed
• rsyslog_cron_logging: Ensure cron Is Logging To Rsyslog
• rsyslog_files_groupownership: Ensure Log Files Are Owned By Appropriate Group
• rsyslog_files_ownership: Ensure Log Files Are Owned By Appropriate User
• rsyslog_files_permissions: Ensure System Log Files Have Correct Permissions
• rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
• rsyslog_remote_loghost: Ensure Logs Sent To Remote Host
• rsyslog_remote_tls: Configure TLS for rsyslog remote logging
• rsyslog_remote_tls_cacert: Configure CA certificate for rsyslog remote logging
• service_chronyd_enabled: The Chronyd service is enabled
• service_chronyd_or_ntpd_enabled: Enable the NTP Daemon

1416: A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.

Description: None

• base

Automated: yes

• configure_firewalld_ports: Configure the Firewalld Ports
• firewalld_sshd_port_enabled: Enable SSH Server firewalld Firewall Exception
• set_firewalld_default_zone: Set Default firewalld Zone for Incoming Packets

1417: Antivirus software is implemented on workstations and server.

Description: None

• base

Automated: no

• package_aide_installed: Install AIDE

1418: If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces

Description: None

• base

Automated: yes

• package_usbguard_installed: Install usbguard Package
• service_usbguard_enabled: Enable the USBGuard Service

1446: When using elliptic curve cryptography, a suitable curve from NIST SP 800-186 is used.

Description: None

• base

Automated: yes

• configure_crypto_policy: Configure System Cryptography Policy
• enable_dracut_fips_module: Enable Dracut FIPS Module
• enable_fips_mode: Enable FIPS Mode
• var_system_crypto_policy = fips

1449: SSH private keys are protected with a passphrase or a key encryption key

Description: None

• base

Automated: no

• file_permissions_sshd_private_key: Verify Permissions on SSH Server Private *_key Key Files

1467: The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used.

Description: None

• base

Automated: yes

• dnf-automatic_apply_updates: Configure dnf-automatic to Install Available Updates Automatically
• package_libdnf-plugin-subscription-manager_installed: Install libdnf-plugin-subscription-manager Package
• package_subscription-manager_installed: Install subscription-manager Package

1483: The latest release of internet-facing server applications are used.

Description: None

• base

Automated: yes

• dnf-automatic_apply_updates: Configure dnf-automatic to Install Available Updates Automatically
• package_libdnf-plugin-subscription-manager_installed: Install libdnf-plugin-subscription-manager Package
• package_subscription-manager_installed: Install subscription-manager Package

1491: Unprivileged users are prevented from running script execution engines.

Description: None

• base

Automated: yes

• no_shelllogin_for_systemaccounts: Ensure that System Accounts Do Not Run a Shell Upon Login

1493: Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis.

Description: None

• base

Automated: yes

• dnf-automatic_apply_updates: Configure dnf-automatic to Install Available Updates Automatically
• package_libdnf-plugin-subscription-manager_installed: Install libdnf-plugin-subscription-manager Package
• package_subscription-manager_installed: Install subscription-manager Package

1504: Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data.

Description: None

• base

Automated: no

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1505: Multi-factor authentication is used to authenticate users of data repositories.

Description: None

• base

Automated: no

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1506: The use of SSH version 1 is disabled for SSH connections.

Description: None

• base

Automated: no

No rules selected

1546: Users are authenticated before they are granted access to a system and its resources

Description: None

• base

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1552: All web application content is offered exclusively using HTTPS.

Description: None

• base

Automated: no

• openssl_use_strong_entropy: OpenSSL uses strong entropy source

1557: Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters.

Description: None

• secret

Automated: no

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD
• var_accounts_password_minlen_login_defs = 17
• var_password_pam_minlen = 17

1558: Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material.

Description: None

• base

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1559: Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply.

Description: None

• base

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1560: Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters

Description: None

• secret

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD

1561: Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.

Description: None

• top_secret

Automated: yes

• accounts_password_minlen_login_defs: Set Password Minimum Length in login.defs
• accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
• accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
• accounts_password_pam_minclass: Ensure PAM Enforces Password Requirements - Minimum Different Categories
• accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
• accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
• accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
• accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
• accounts_passwords_pam_faillock_deny_root: Configure the root Account for Failed Password Attempts
• accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
• accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
• accounts_passwords_pam_tally2_deny_root: Configure the root Account lock for Failed Password Attempts via pam_tally2
• accounts_passwords_pam_tally2_unlock_time: Set Lockout Time for Failed Password Attempts using pam_tally2
• disable_host_auth: Disable Host-Based Authentication
• require_emergency_target_auth: Require Authentication for Emergency Systemd Target
• require_singleuser_auth: Require Authentication for Single User Mode
• sebool_authlogin_nsswitch_use_ldap: Disable the authlogin_nsswitch_use_ldap SELinux Boolean
• sebool_authlogin_radius: Disable the authlogin_radius SELinux Boolean
• sshd_disable_kerb_auth: Disable Kerberos Authentication
• sshd_set_max_auth_tries: Set SSH authentication attempt limit
• sssd_enable_smartcards: Enable Smartcards in SSSD