Definition of Protection Profile for General Purpose Operating Systems for rhel10

AGD_OPE.1: Operational User Guidance

Description: None

Levels:

base

Automated: yes

Selections:

package_openscap-scanner_installed: Install openscap-scanner Package
package_scap-security-guide_installed: Install scap-security-guide Package

AGD_PRE.1: Preparative Procedures

Description: None

Levels:

base

Automated: yes

Selections:

package_openscap-scanner_installed: Install openscap-scanner Package
package_scap-security-guide_installed: Install scap-security-guide Package

FAU_GEN.1: Audit Data Generation (Refined)

Description: None

Levels:

base

Automated: yes

Selections:

audit_basic_configuration: Configure basic parameters of Audit system
auditd_data_retention_flush: Configure auditd flush priority
auditd_freq: Set number of records to cause an explicit flush to audit logs
grub2_audit_argument: Enable Auditing for Processes Which Start Prior to the Audit Daemon
package_audit_installed: Ensure the audit Subsystem is Installed
service_auditd_enabled: Enable auditd Service
sshd_disable_root_login: Disable SSH Root Login
var_auditd_flush = incremental_async
zipl_audit_argument: Enable Auditing to Start Prior to the Audit Daemon in zIPL

FAU_GEN.1.1: Audit Data Generation - Event Types to be Audited

Description: None

Levels:

base

Automated: yes

Selections:

audit_access_failed: Configure auditing of unsuccessful file accesses
audit_access_failed_aarch64: Configure auditing of unsuccessful file accesses (AArch64)
audit_access_failed_ppc64le: Configure auditing of unsuccessful file accesses (ppc64le)
audit_access_success: Configure auditing of successful file accesses
audit_access_success_aarch64: Configure auditing of successful file accesses (AArch64)
audit_access_success_ppc64le: Configure auditing of successful file accesses (ppc64le)
audit_create_failed: Configure auditing of unsuccessful file creations
audit_create_failed_aarch64: Configure auditing of unsuccessful file creations (AArch64)
audit_create_failed_ppc64le: Configure auditing of unsuccessful file creations (ppc64le)
audit_create_success: Configure auditing of successful file creations
audit_create_success_aarch64: Configure auditing of successful file creations (AArch64)
audit_create_success_ppc64le: Configure auditing of successful file creations (ppc64le)
audit_delete_failed: Configure auditing of unsuccessful file deletions
audit_delete_failed_aarch64: Configure auditing of unsuccessful file deletions (AArch64)
audit_delete_failed_ppc64le: Configure auditing of unsuccessful file deletions (ppc64le)
audit_delete_success: Configure auditing of successful file deletions
audit_delete_success_aarch64: Configure auditing of successful file deletions (AArch64)
audit_delete_success_ppc64le: Configure auditing of successful file deletions (ppc64le)
audit_modify_failed: Configure auditing of unsuccessful file modifications
audit_modify_failed_aarch64: Configure auditing of unsuccessful file modifications (AARch64)
audit_modify_failed_ppc64le: Configure auditing of unsuccessful file modifications (ppc64le)
audit_modify_success: Configure auditing of successful file modifications
audit_modify_success_aarch64: Configure auditing of successful file modifications (AArch64)
audit_modify_success_ppc64le: Configure auditing of successful file modifications (ppc64le)
audit_module_load: Configure auditing of loading and unloading of kernel modules
audit_module_load_ppc64le: Configure auditing of loading and unloading of kernel modules (ppc64le)
audit_ospp_general: Perform general configuration of Audit for OSPP
audit_ospp_general_aarch64: Perform general configuration of Audit for OSPP (AArch64)
audit_ospp_general_ppc64le: Perform general configuration of Audit for OSPP (ppc64le)
audit_owner_change_failed: Configure auditing of unsuccessful ownership changes
audit_owner_change_failed_aarch64: Configure auditing of unsuccessful ownership changes (AArch64)
audit_owner_change_failed_ppc64le: Configure auditing of unsuccessful ownership changes (ppc64le)
audit_owner_change_success: Configure auditing of successful ownership changes
audit_owner_change_success_aarch64: Configure auditing of successful ownership changes (AArch64)
audit_owner_change_success_ppc64le: Configure auditing of successful ownership changes (ppc64le)
audit_perm_change_failed: Configure auditing of unsuccessful permission changes
audit_perm_change_failed_aarch64: Configure auditing of unsuccessful permission changes (AArch64)
audit_perm_change_failed_ppc64le: Configure auditing of unsuccessful permission changes (ppc64le)
audit_perm_change_success: Configure auditing of successful permission changes
audit_perm_change_success_aarch64: Configure auditing of successful permission changes (AArch64)
audit_perm_change_success_ppc64le: Configure auditing of successful permission changes (ppc64le)

FAU_GEN.1.2: Audit Data Generation - Audit Event Format

Description: None

Levels:

base

Automated: yes

Selections:

audit_immutable_login_uids: Configure immutable Audit login UIDs
auditd_log_format: Resolve information before writing to audit logs
auditd_name_format: Set type of computer node name logging in audit logs
disable_ctrlaltdel_burstaction: Disable Ctrl-Alt-Del Burst Action
disable_ctrlaltdel_reboot: Disable Ctrl-Alt-Del Reboot Activation

FAU_STG.1: Protected audit trail storage

Description: None

Levels:

base

Automated: yes

Selections:

grub2_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon
zipl_audit_backlog_limit_argument: Extend Audit Backlog Limit for the Audit Daemon in zIPL

FCS_CKM.1: Cryptographic Key Generation

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_CKM.1.1: Cryptographic Key Generation - asymmetric cryptographic

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_CKM.2: Cryptographic Key Establishment

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_COP.1/ENCRYPT: Cryptographic Operation - Encryption/Decryption

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_COP.1/HASH: Cryptographic Operation - Hashing

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_COP.1/SIGN: Cryptographic Operation - Signing

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_COP.1/KEYHMAC: Keyed-Hash Message Authentication

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package
var_system_crypto_policy = fips_ospp

FCS_RBG_EXT.1: Random Bit Generation

Description: None

Levels:

base

Automated: yes

Selections:

enable_dracut_fips_module: Enable Dracut FIPS Module
enable_fips_mode: Enable FIPS Mode
var_system_crypto_policy = fips_ospp

FCS_RBG_EXT.1.1: Random Bit Generation - deterministic random bit generation

Description: None

Levels:

base

Automated: yes

Selections:

enable_dracut_fips_module: Enable Dracut FIPS Module
enable_fips_mode: Enable FIPS Mode
var_system_crypto_policy = fips_ospp

FCS_RBG_EXT.1.2: Random Bit Generation - entropy source

Description: None

Levels:

base

Automated: yes

Selections:

enable_dracut_fips_module: Enable Dracut FIPS Module
enable_fips_mode: Enable FIPS Mode
var_system_crypto_policy = fips_ospp

FCS_SSHC_EXT.1: SSH Client Protocol

Description: None

Levels:

base

Automated: yes

Selections:

configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy
package_openssh-clients_installed: Install OpenSSH client software

FCS_SSHS_EXT.1: SSH Server Protocol

Description: None

Levels:

base

Automated: yes

Selections:

configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy
package_openssh-server_installed: Install the OpenSSH Server Package

FCS_SSH_EXT.1: SSH Protocol

Description: None

Levels:

base

Automated: yes

Selections:

configure_ssh_crypto_policy: Configure SSH to use System Crypto Policy
package_openssh-clients_installed: Install OpenSSH client software
package_openssh-server_installed: Install the OpenSSH Server Package
sshd_use_directory_configuration: Distribute the SSH Server configuration to multiple files in a config directory.

FCS_SSH_EXT.1.2: SSH Protocol - Authentication Methods

Description: None

Levels:

base

Automated: yes

Selections:

sshd_disable_gssapi_auth: Disable GSSAPI Authentication
sshd_disable_kerb_auth: Disable Kerberos Authentication

FCS_SSH_EXT.1.8: SSH Protocol - Session

Description: None

Levels:

base

Automated: yes

Selections:

ssh_client_rekey_limit: Configure session renegotiation for SSH client
sshd_rekey_limit: Force frequent session key renegotiation
var_rekey_limit_size = 1G
var_rekey_limit_time = 1hour
var_ssh_client_rekey_limit_size = 1G
var_ssh_client_rekey_limit_time = 1hour

FCS_TLSC_EXT.1: TLS Client Protocol

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package

FCS_TLSC_EXT.1.1: Allowed Cipher Suites

Description: None

Levels:

base

Automated: yes

Selections:

configure_crypto_policy: Configure System Cryptography Policy
configure_openssl_crypto_policy: Configure OpenSSL library to use System Crypto Policy
enable_fips_mode: Enable FIPS Mode
package_crypto-policies_installed: Install crypto-policies package

FIA_AFL.1: Authentication failure handling

Description: None

Levels:

base

Automated: yes

Selections:

accounts_passwords_pam_faillock_deny: Lock Accounts After Failed Password Attempts
accounts_passwords_pam_faillock_interval: Set Interval For Counting Failed Password Attempts
accounts_passwords_pam_faillock_unlock_time: Set Lockout Time for Failed Password Attempts
enable_authselect: Enable authselect
var_accounts_passwords_pam_faillock_deny = 3
var_accounts_passwords_pam_faillock_fail_interval = 900
var_accounts_passwords_pam_faillock_unlock_time = never
var_authselect_profile = minimal

FIA_UAU.1: Timing of authentication

Description: None

Levels:

base

Automated: yes

Selections:

disable_host_auth: Disable Host-Based Authentication
enable_authselect: Enable authselect
grub2_disable_recovery: Disable Recovery Booting
grub2_systemd_debug-shell_argument_absent: Ensure debug-shell service is not enabled during boot
grub2_uefi_password: Set the UEFI Boot Loader Password
no_empty_passwords: Prevent Login to Accounts With Empty Password
require_singleuser_auth: Require Authentication for Single User Mode
service_debug-shell_disabled: Disable debug-shell SystemD Service
sshd_disable_empty_passwords: Disable SSH Access via Empty Passwords
var_authselect_profile = minimal
zipl_systemd_debug-shell_argument_absent: Ensure debug-shell service is not enabled in zIPL

FIA_UAU.5: Multiple Authentication Mechanisms

Description: None

Levels:

base

Automated: yes

Selections:

package_openssh-clients_installed: Install OpenSSH client software
package_openssh-server_installed: Install the OpenSSH Server Package

FIA_X509_EXT.1: X.509 Certificate Validation

Description: None

Levels:

base

Automated: yes

Selections:

package_gnutls-utils_installed: Ensure gnutls-utils is installed

FIA_X509_EXT.1.1: X.509 Certificate Validation - Valid Certificates

Description: None

Levels:

base

Automated: yes

Selections:

package_gnutls-utils_installed: Ensure gnutls-utils is installed

FIA_X509_EXT.2: X.509 Certificate Validation - basicConstraints

Description: None

Levels:

base

Automated: yes

Selections:

package_gnutls-utils_installed: Ensure gnutls-utils is installed

FMT_MOF_EXT.1: Management of security functions behavior

Description: None

Levels:

base

Automated: yes

Selections:

logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
package_sudo_installed: Install sudo Package
selinux_policytype: Configure SELinux Policy
selinux_state: Ensure SELinux State is Enforcing
var_logind_session_timeout = 30_minutes
var_selinux_policy_name = targeted
var_selinux_state = enforcing

FMT_SMF_EXT.1: Specification of Management Functions

Description: None

Levels:

base

Automated: yes

Selections:

accounts_password_pam_dcredit: Ensure PAM Enforces Password Requirements - Minimum Digit Characters
accounts_password_pam_lcredit: Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
accounts_password_pam_minlen: Ensure PAM Enforces Password Requirements - Minimum Length
accounts_password_pam_ocredit: Ensure PAM Enforces Password Requirements - Minimum Special Characters
accounts_password_pam_ucredit: Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
chronyd_client_only: Disable chrony daemon from acting as server
configure_usbguard_auditbackend: Log USBGuard daemon audit events using Linux Audit
dnf-automatic_apply_updates: Configure dnf-automatic to Install Available Updates Automatically
kernel_module_bluetooth_disabled: Disable Bluetooth Kernel Module
kernel_module_can_disabled: Disable CAN Support
kernel_module_sctp_disabled: Disable SCTP Support
kernel_module_tipc_disabled: Disable TIPC Support
logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
mount_option_var_log_audit_nodev: Add nodev Option to /var/log/audit
mount_option_var_log_audit_noexec: Add noexec Option to /var/log/audit
mount_option_var_log_audit_nosuid: Add nosuid Option to /var/log/audit
package_chrony_installed: The Chrony package is installed
package_fapolicyd_installed: Install fapolicyd Package
package_firewalld_installed: Install firewalld Package
package_usbguard_installed: Install usbguard Package
partition_for_var_log_audit: Ensure /var/log/audit Located On Separate Partition
service_fapolicyd_enabled: Enable the File Access Policy Service
service_firewalld_enabled: Verify firewalld Enabled
service_systemd-coredump_disabled: Disable acquiring, saving, and processing core dumps
service_usbguard_enabled: Enable the USBGuard Service
sysctl_kernel_core_pattern_empty_string: Disable storing core dumps
sysctl_kernel_core_uses_pid: Configure file name of core dumps
sysctl_kernel_dmesg_restrict: Restrict Access to Kernel Message Buffer
sysctl_kernel_kexec_load_disabled: Disable Kernel Image Loading
sysctl_kernel_kptr_restrict: Restrict Exposed Kernel Pointer Addresses Access
sysctl_kernel_perf_event_paranoid: Disallow kernel profiling by unprivileged users
sysctl_kernel_unprivileged_bpf_disabled_accept_default: Disable Access to Network bpf() Syscall From Unprivileged Processes
sysctl_kernel_unprivileged_bpf_disabled_value = 2
sysctl_kernel_yama_ptrace_scope: Restrict usage of ptrace to descendant processes
sysctl_user_max_user_namespaces: Disable the use of user namespaces
timer_dnf-automatic_enabled: Enable dnf-automatic Timer
usbguard_allow_hid_and_hub: Authorize Human Interface Devices and USB hubs in USBGuard daemon
var_logind_session_timeout = 30_minutes
var_password_pam_dcredit = 1
var_password_pam_lcredit = 1
var_password_pam_minlen = 12
var_password_pam_ocredit = 1
var_password_pam_ucredit = 1

FMT_SMF_EXT.1.1: Management of security functions behavior - Restrict Administrator Functions

Description: None

Levels:

base

Automated: yes

Selections:

logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
service_kdump_disabled: Disable KDump Kernel Crash Analyzer (kdump)
use_pam_wheel_for_su: Enforce usage of pam_wheel for su authentication

FPT_ASLR_EXT.1: Address Space Layout Randomization

Description: None

Levels:

base

Automated: yes

Selections:

grub2_vsyscall_argument: Disable vsyscalls

FPT_TUD_EXT.1: Trusted Update

Description: None

Levels:

base

Automated: yes

Selections:

ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages
ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories
ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed
package_dnf-automatic_installed: Install dnf-automatic Package
package_dnf-plugin-subscription-manager_installed: Install dnf-plugin-subscription-manager Package
package_subscription-manager_installed: Install subscription-manager Package

FPT_TUD_EXT.2: Trusted Update for Application Software

Description: None

Levels:

base

Automated: yes

Selections:

ensure_gpgcheck_globally_activated: Ensure gpgcheck Enabled In Main dnf Configuration
ensure_gpgcheck_local_packages: Ensure gpgcheck Enabled for Local Packages
ensure_gpgcheck_never_disabled: Ensure gpgcheck Enabled for All dnf Package Repositories
ensure_redhat_gpgkey_installed: Ensure Red Hat GPG Key Installed
package_dnf-automatic_installed: Install dnf-automatic Package
package_dnf-plugin-subscription-manager_installed: Install dnf-plugin-subscription-manager Package
package_subscription-manager_installed: Install subscription-manager Package

FPT_TST_EXT.1: Boot Integrity

Description: None

Levels:

base

Automated: yes

Selections:

zipl_bls_entries_only: Ensure all zIPL boot entries are BLS compliant
zipl_bootmap_is_up_to_date: Ensure zIPL bootmap is up to date

FTA_SSL.1: TSF-initiated session locking

Description: None

Levels:

base

Automated: yes

Selections:

logind_session_timeout: Configure Logind to terminate idle sessions after certain time of inactivity
var_logind_session_timeout = 30_minutes

FTA_TAB.1: Default TOE access banners

Description: None

Levels:

base

Automated: yes

Selections:

sshd_enable_warning_banner: Enable SSH Warning Banner

FTP_ITC_EXT.1: Trusted channel communication

Description: None

Levels:

base

Automated: yes

Selections:

package_openssh-clients_installed: Install OpenSSH client software
package_openssh-server_installed: Install the OpenSSH Server Package
sshd_disable_gssapi_auth: Disable GSSAPI Authentication
sshd_disable_kerb_auth: Disable Kerberos Authentication

FTP_ITC_EXT.1.1: Trusted channel communication - TLS

Description: None

Levels:

base

Automated: yes

Selections:

package_openssh-clients_installed: Install OpenSSH client software
package_openssh-server_installed: Install the OpenSSH Server Package
sshd_disable_gssapi_auth: Disable GSSAPI Authentication
sshd_disable_kerb_auth: Disable Kerberos Authentication

AVA_VAN.1: Vulnerability Assessment

Description: None

Levels:

base

Automated: yes

Selections:

grub2_init_on_alloc_argument: Configure kernel to zero out memory before allocation
grub2_page_alloc_shuffle_argument: Enable randomization of the page allocator
zipl_init_on_alloc_argument: Configure kernel to zero out memory before allocation in zIPL
zipl_page_alloc_shuffle_argument: Enable randomization of the page allocator in zIPL