From 8117bf022c263e694a3f9ef63c9036080115b0a9 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 29 Apr 2024 15:23:07 -0500
Subject: [PATCH 1/4] Initial HIPAA Control File
---
 controls/hipaa.yml | 1798 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1798 insertions(+)
 create mode 100644 controls/hipaa.yml
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
new file mode 100644
index 00000000000..d73e907f3ab
--- /dev/null
+++ b/controls/hipaa.yml
@@ -0,0 +1,1798 @@ +title: 'Health Insurance Portability and Accountability Act (HIPAA)' +id: 'hipaa' +policy: 'hipaa' +source: 'https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164?toc=1' +levels: + - id: required + inherits_from: + - addressable + - id: addressable + inherits_from: + - base + - id: base +controls: + - id: 164.308(a)(1)(ii)(B) + title: 'Risk management' + description: |- + Implement security measures sufficient to reduce risks and vulnerabilities to a + reasonable and appropriate level to comply with § 164.306(a).' + levels: + - required + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + - dconf_db_up_to_date + status: automated + + - id: 164.308(a)(1)(ii)(D) + title: 'Information system activity review' + description: |- + Implement procedures to regularly review records of information system activity, such as audit logs, access + reports, and security incident tracking reports. 
+ levels: + - required + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_execution_chcon + - audit_rules_execution_restorecon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order + - audit_rules_unsuccessful_file_modification_open_o_creat + - audit_rules_unsuccessful_file_modification_open_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_rule_order + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_openat_o_creat + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - audit_rules_unsuccessful_file_modification_openat_rule_order + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - 
audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix2_chkpwd + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_userhelper + - audit_rules_immutable + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share + - audit_rules_media_export + - audit_rules_networkconfig_modification + - audit_rules_session_events + - audit_rules_sysadmin_actions + - audit_rules_system_shutdown + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + - auditd_audispd_syslog_plugin_activated + - auditd_data_retention_flush + - coreos_audit_option + - grub2_audit_argument + - 
package_audit-audispd-plugins_installed + - package_audit_installed + - service_auditd_enabled + - service_kdump_disabled + - rsyslog_remote_loghost + - sysctl_fs_suid_dumpable + - sysctl_kernel_exec_shield + - sysctl_kernel_randomize_va_space + - sysctl_kernel_dmesg_restrict + - coreos_enable_selinux_kernel_argument + - grub2_enable_selinux + - sebool_selinuxuser_execheap + - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack + - selinux_confinement_of_daemons + - selinux_policytype + - selinux_state + - encrypt_partitions + - rpm_verify_hashes + - rpm_verify_permissions + - ensure_fedora_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages + - ensure_gpgcheck_never_disabled + - ensure_gpgcheck_repo_metadata + - ensure_redhat_gpgkey_installed + - ensure_suse_gpgkey_installed + status: automated + + - id: 164.308(a)(3) + title: 'Workforce security' + description: + Implement policies and procedures to ensure that all members of + its workforce have appropriate access to electronic protected health information, as provided + under paragraph (a)(4) of this section, and to prevent those workforce members who do not + have access under paragraph (a)(4) of this section from obtaining access to electronic + protected health information. 
+ levels: + - base + rules: + - service_kdump_disabled + - sysctl_fs_suid_dumpable + - sysctl_kernel_exec_shield + - sysctl_kernel_randomize_va_space + - sysctl_kernel_dmesg_restrict + - coreos_enable_selinux_kernel_argument + - grub2_enable_selinux + - sebool_selinuxuser_execheap + - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack + - selinux_confinement_of_daemons + - selinux_policytype + - selinux_state + status: automated + + - id: 164.308(a)(3)(i) + title: 'Standard: Workforce security' + description: |- + Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. + levels: + - addressable + rules: + - coreos_nousb_kernel_argument + - grub2_nousb_argument + - kernel_module_usb-storage_disabled + - service_autofs_disabled + status: automated + + - id: 164.308(a)(3)(ii)(A) + title: 'Authorization and/or supervision (Addressable)' + description: 'Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.' 
+ levels: + - required + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_execution_chcon + - audit_rules_execution_restorecon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order + - audit_rules_unsuccessful_file_modification_open_o_creat + - audit_rules_unsuccessful_file_modification_open_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_rule_order + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_openat_o_creat + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - audit_rules_unsuccessful_file_modification_openat_rule_order + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - 
audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix2_chkpwd + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_userhelper + - audit_rules_immutable + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share + - audit_rules_media_export + - audit_rules_networkconfig_modification + - audit_rules_session_events + - audit_rules_sysadmin_actions + - audit_rules_system_shutdown + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + - auditd_data_retention_flush + - coreos_nousb_kernel_argument + - grub2_nousb_argument + - kernel_module_usb-storage_disabled + - service_autofs_disabled + 
status: automated + + - id: 164.308(a)(4) + title: 'Information Access Management' + description: |- + Implement policies and procedures for authorizing + access to electronic protected health information that are consistent with the applicable + requirements of subpart E of this part. + levels: + - base + rules: + - service_kdump_disabled + - sysctl_fs_suid_dumpable + - sysctl_kernel_exec_shield + - sysctl_kernel_randomize_va_space + - sysctl_kernel_dmesg_restrict + - coreos_enable_selinux_kernel_argument + - grub2_enable_selinux + - sebool_selinuxuser_execheap + - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack + - selinux_confinement_of_daemons + - selinux_policytype + - selinux_state + status: automated + + - id: 164.308(a)(4)(i) + title: 'Information access management' + description: |- + Implement policies and procedures for authorizing + access to electronic protected health information that are consistent with the applicable + requirements of subpart E of this part. + levels: + - base + rules: + - package_cron_installed + - service_cron_enabled + - service_crond_enabled + - use_kerberos_security_all_exports + - package_tcp_wrappers_removed + - package_xinetd_removed + - service_xinetd_disabled + - package_ypbind_removed + - package_ypserv_removed + - service_ypbind_disabled + - no_rsh_trust_files + - package_rsh-server_removed + - package_rsh_removed + - service_rexec_disabled + - service_rlogin_disabled + - service_rsh_disabled + - package_talk-server_removed + - package_talk_removed + - package_telnet-server_removed + - package_telnet_removed + - service_telnet_disabled + - service_zebra_disabled + - disable_host_auth + - sshd_allow_only_protocol2 + - sshd_disable_compression + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_disable_rhosts_rsa + - sshd_disable_root_login + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner + 
- sshd_enable_warning_banner_net + - sshd_set_keepalive + - sshd_set_keepalive_0 + - sshd_use_priv_separation + - libreswan_approved_tunnels + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - configure_crypto_policy + - configure_ssh_crypto_policy + status: automated + + - id: 164.308(a)(5)(ii)(A) + title: 'Security reminders' + description: |- + Periodic security updates. + levels: + - addressable + rules: + - dconf_db_up_to_date + status: automated + + - id: 164.308(a)(5)(ii)(B) + title: 'Protection from malicious software' + description: |- + Procedures for guarding against, detecting, and reporting malicious software. + levels: + - base + rules: + - auditd_audispd_syslog_plugin_activated + - rsyslog_remote_loghost + status: automated + + - id: 164.308(a)(5)(ii)(C) + title: 'Log-in monitoring' + description: |- + Procedures for monitoring log-in attempts and reporting discrepancies. + levels: + - base + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_execution_chcon + - audit_rules_execution_restorecon + - audit_rules_execution_semanage + - audit_rules_execution_setsebool + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_rmdir + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - 
audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order + - audit_rules_unsuccessful_file_modification_open_o_creat + - audit_rules_unsuccessful_file_modification_open_o_trunc_write + - audit_rules_unsuccessful_file_modification_open_rule_order + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_openat_o_creat + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - audit_rules_unsuccessful_file_modification_openat_rule_order + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_chsh + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_gpasswd + - audit_rules_privileged_commands_newgrp + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_passwd + - audit_rules_privileged_commands_postdrop + - audit_rules_privileged_commands_postqueue + - audit_rules_privileged_commands_ssh_keysign + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_sudoedit + - audit_rules_privileged_commands_umount + - audit_rules_privileged_commands_unix2_chkpwd + - 
audit_rules_privileged_commands_unix_chkpwd + - audit_rules_privileged_commands_userhelper + - audit_rules_immutable + - audit_rules_mac_modification + - audit_rules_mac_modification_usr_share + - audit_rules_media_export + - audit_rules_networkconfig_modification + - audit_rules_session_events + - audit_rules_sysadmin_actions + - audit_rules_system_shutdown + - audit_rules_usergroup_modification_group + - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + - auditd_audispd_syslog_plugin_activated + - auditd_data_retention_flush + - coreos_audit_option + - grub2_audit_argument + - package_audit-audispd-plugins_installed + - package_audit_installed + - service_auditd_enabled + - rsyslog_remote_loghost + status: automated + + - id: 164.308(a)(6)(ii) + title: 'Response and reporting' + description: |- + Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, + harmful effects of security incidents that are known to the covered entity or business associate; and + document security incidents and their outcomes. + levels: + - required + rules: + - auditd_audispd_syslog_plugin_activated + - rsyslog_remote_loghost + status: automated + + - id: 164.308(a)(7)(i) + title: 'Contingency plan' + description: |- + Establish (and implement as needed) policies and procedures for responding to an emergency or other + occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that + contain electronic protected health information. 
+ levels: + - base + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + + - id: 164.308(a)(7)(ii)(A) + title: 'Data backup plan' + description: |- + Establish and implement procedures to create and maintain retrievable exact copies of electronic protected + health information. + levels: + - required + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + + - id: 164.308(a)(8) + title: 'Evaluation' + description: |- + Perform a periodic technical and nontechnical evaluation, based initially upon + the standards implemented under this rule and, subsequently, in response to environmental or + operational changes affecting the security of electronic protected health information, that + establishes the extent to which a covered entity's or business associate's 
security policies and + procedures meet the requirements of this subpart. + levels: + - base + rules: + - auditd_audispd_syslog_plugin_activated + - rsyslog_remote_loghost + status: automated + + - id: 164.308(b)(1) + title: 'Business associate contracts and other arrangements' + description: |- + A covered entity may permit a business + associate to create, receive, maintain, or transmit electronic protected health information on the + covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with + § 164.314(a), that the business associate will appropriately safeguard the information. A covered + entity is not required to obtain such satisfactory assurances from a business associate that is a + subcontractor + levels: + - base + rules: + - package_cron_installed + - service_cron_enabled + - service_crond_enabled + - use_kerberos_security_all_exports + - package_tcp_wrappers_removed + - package_xinetd_removed + - service_xinetd_disabled + - package_ypbind_removed + - package_ypserv_removed + - service_ypbind_disabled + - no_rsh_trust_files + - package_rsh-server_removed + - package_rsh_removed + - service_rexec_disabled + - service_rlogin_disabled + - service_rsh_disabled + - package_talk-server_removed + - package_talk_removed + - package_telnet-server_removed + - package_telnet_removed + - service_telnet_disabled + - service_zebra_disabled + - disable_host_auth + - sshd_allow_only_protocol2 + - sshd_disable_compression + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_disable_rhosts_rsa + - sshd_disable_root_login + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner + - sshd_enable_warning_banner_net + - sshd_set_keepalive + - sshd_set_keepalive_0 + - sshd_use_approved_ciphers + - sshd_use_approved_macs + - sshd_use_priv_separation + - libreswan_approved_tunnels + - encrypt_partitions + - 
dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - configure_crypto_policy + - configure_ssh_crypto_policy + status: automated + + - id: 164.308(b)(2) + title: 'Sub-contractors must follow 164.314(a)' + notes: |- + This title was created by analysis, not by the CFR. + description: |- + A business associate may permit a business associate that is a subcontractor to create, receive, maintain, + or transmit electronic protected health information on its behalf only if the business associate obtains + satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately + safeguard the information. + levels: + - base + rules: + - sshd_use_approved_ciphers + - sshd_use_approved_macs + status: automated + + - id: 164.308(b)(3) + title: 'Implementation specifications: Written contract or other arrangement.' + levels: + - required + rules: + - package_cron_installed + - service_cron_enabled + - service_crond_enabled + - use_kerberos_security_all_exports + - package_tcp_wrappers_removed + - package_xinetd_removed + - service_xinetd_disabled + - package_ypbind_removed + - package_ypserv_removed + - service_ypbind_disabled + - no_rsh_trust_files + - package_rsh-server_removed + - package_rsh_removed + - service_rexec_disabled + - service_rlogin_disabled + - service_rsh_disabled + - package_talk-server_removed + - package_talk_removed + - package_telnet-server_removed + - package_telnet_removed + - service_telnet_disabled + - service_zebra_disabled + - disable_host_auth + - sshd_allow_only_protocol2 + - sshd_disable_compression + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_disable_rhosts_rsa + - sshd_disable_root_login + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner + - sshd_enable_warning_banner_net + - sshd_set_keepalive + - sshd_set_keepalive_0 + - sshd_use_priv_separation + - 
libreswan_approved_tunnels + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - configure_crypto_policy + - configure_ssh_crypto_policy + status: automated + + - id: 164.310(a)(1) + title: 'Facility access controls' + description: |- + Implement policies and procedures to limit physical access to its electronic information systems and the + facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. + levels: + - base + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + - id: 164.310(a)(2)(i) + title: 'Contingency operations' + description: |- + Establish (and implement as needed) procedures that allow facility access in support of restoration of los + data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. 
+ levels: + - addressable + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + + - id: 164.310(a)(2)(ii) + title: 'Contingency operations' + description: |- + Establish (and implement as needed) procedures that allow facility access in support of restoration of lost + data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. + levels: + - addressable + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + + - id: 164.310(a)(2)(iii) + title: 'Access control and validation procedures' + description: |- + Implement procedures to control and validate a person's access to facilities based on their role or + function, including visitor control, and control of access to software programs for testing and revision. 
+ levels: + - addressable + rules: + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + status: automated + + - id: 164.310(a)(2)(iv) + title: 'Maintenance records' + description: |- + Implement policies and procedures to document repairs and modifications to the physical components of a + facility which are related to security (for example, hardware, walls, doors, and locks). + levels: + - base + rules: + - audit_rules_immutable + - coreos_audit_option + - grub2_audit_argument + - package_audit-audispd-plugins_installed + - package_audit_installed + - service_auditd_enabled + status: automated + + - id: 164.310(b) + title: 'Workstation use' + description: |- + Implement policies and procedures that specify the proper functions to be performed, the manner in which + those functions are to be performed, and the physical attributes of the surroundings of a specific + workstation or class of workstation that can access electronic protected health information. 
+ levels: + - addressable + rules: + - service_kdump_disabled + - package_cron_installed + - service_cron_enabled + - service_crond_enabled + - use_kerberos_security_all_exports + - package_tcp_wrappers_removed + - package_xinetd_removed + - service_xinetd_disabled + - package_ypbind_removed + - package_ypserv_removed + - service_ypbind_disabled + - no_rsh_trust_files + - package_rsh-server_removed + - package_rsh_removed + - service_rexec_disabled + - service_rlogin_disabled + - service_rsh_disabled + - package_talk-server_removed + - package_talk_removed + - package_telnet-server_removed + - package_telnet_removed + - service_telnet_disabled + - service_zebra_disabled + - disable_host_auth + - sshd_allow_only_protocol2 + - sshd_disable_compression + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_disable_rhosts_rsa + - sshd_disable_root_login + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner + - sshd_enable_warning_banner_net + - sshd_set_keepalive + - sshd_set_keepalive_0 + - sshd_use_priv_separation + - coreos_disable_interactive_boot + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - grub2_disable_interactive_boot + - require_emergency_target_auth + - require_singleuser_auth + - service_debug-shell_disabled + - no_empty_passwords + - no_direct_root_logins + - restrict_serial_port_logins + - securetty_root_login_console_only + - enable_authselect + - file_groupowner_grub2_cfg + - file_groupowner_user_cfg + - file_owner_grub2_cfg + - file_owner_user_cfg + - file_permissions_grub2_cfg + - file_permissions_user_cfg + - grub2_admin_username + - grub2_password + - grub2_uefi_admin_username + - grub2_uefi_password + - libreswan_approved_tunnels + - sysctl_fs_suid_dumpable + - sysctl_kernel_exec_shield + - sysctl_kernel_randomize_va_space + - sysctl_kernel_dmesg_restrict + - coreos_enable_selinux_kernel_argument + - 
grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ status: automated
+
+ - id: 164.310(c)
+ title: 'Workstation security'
+ description: |-
+ Implement physical safeguards for all workstations that access electronic protected health information,
+ to restrict access to authorized users.
+ levels:
+ - base
+ rules:
+ - service_kdump_disabled
+ - coreos_disable_interactive_boot
+ - disable_ctrlaltdel_burstaction
+ - disable_ctrlaltdel_reboot
+ - grub2_disable_interactive_boot
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - service_debug-shell_disabled
+ - no_empty_passwords
+ - no_direct_root_logins
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - enable_authselect
+ - file_groupowner_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_grub2_cfg
+ - file_owner_user_cfg
+ - file_permissions_grub2_cfg
+ - file_permissions_user_cfg
+ - grub2_admin_username
+ - grub2_password
+ - grub2_uefi_admin_username
+ - grub2_uefi_password
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_dmesg_restrict
+ - coreos_enable_selinux_kernel_argument
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ status: automated
+
+ - id: 164.310(d)
+ title: 'Person or entity authentication'
+ description: |-
+ Implement procedures to verify that a person or entity seeking access to electronic protected health
+ information is the one claimed.
+ levels:
+ - base
+ rules:
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.310(d)(1)
+ title: 'Device and media control'
+ levels:
+ - base
+ rules:
+ - coreos_disable_interactive_boot
+ - disable_ctrlaltdel_burstaction
+ - disable_ctrlaltdel_reboot
+ - grub2_disable_interactive_boot
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - service_debug-shell_disabled
+ - no_empty_passwords
+ - no_direct_root_logins
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - enable_authselect
+ - file_groupowner_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_grub2_cfg
+ - file_owner_user_cfg
+ - file_permissions_grub2_cfg
+ - file_permissions_user_cfg
+ - grub2_admin_username
+ - grub2_password
+ - grub2_uefi_admin_username
+ - grub2_uefi_password
+ - coreos_nousb_kernel_argument
+ - grub2_nousb_argument
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ status: automated
+
+ - id: 164.310(d)(2)
+ title: 'Device and media controls'
+ description: |-
+ Implement policies and procedures that govern the receipt and removal of hardware and electronic media that
+ contain electronic protected health information into and out of a facility, and the movement of these items
+ within the facility.
+ levels:
+ - base
+ rules:
+ - coreos_nousb_kernel_argument
+ - grub2_nousb_argument
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ status: automated
+
+ - id: 164.310(d)(2)(iii)
+ title: 'Accountability'
+ description: |-
+ Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
+ levels:
+ - addressable
+ rules:
+ - audit_rules_immutable
+ - auditd_audispd_syslog_plugin_activated
+ - coreos_audit_option
+ - grub2_audit_argument
+ - package_audit-audispd-plugins_installed
+ - package_audit_installed
+ - service_auditd_enabled
+ - coreos_disable_interactive_boot
+ - disable_ctrlaltdel_burstaction
+ - disable_ctrlaltdel_reboot
+ - grub2_disable_interactive_boot
+ - require_emergency_target_auth
+ - require_singleuser_auth
+ - service_debug-shell_disabled
+ - no_empty_passwords
+ - no_direct_root_logins
+ - restrict_serial_port_logins
+ - securetty_root_login_console_only
+ - enable_authselect
+ - file_groupowner_grub2_cfg
+ - file_groupowner_user_cfg
+ - file_owner_grub2_cfg
+ - file_owner_user_cfg
+ - file_permissions_grub2_cfg
+ - file_permissions_user_cfg
+ - grub2_admin_username
+ - grub2_password
+ - grub2_uefi_admin_username
+ - grub2_uefi_password
+ - rsyslog_remote_loghost
+ status: automated
+
+ - id: 164.312(a)
+ title: 'Access Control'
+ description: |-
+ Implement technical policies and procedures for electronic information systems that maintain electronic
+ protected health information to allow access only to those persons or software programs that have been
+ granted access rights as specified in § 164.308(a)(4).
+ levels:
+ - base
+ rules:
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_dmesg_restrict
+ - coreos_enable_selinux_kernel_argument
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ status: automated
+
+ - id: 164.312(a)(1)
+ title: 'Access Control'
+ description: |-
+ Implement technical policies and procedures for electronic information systems that maintain electronic
+ protected health information to allow access only to those persons or software programs that have been
+ granted access rights as specified in § 164.308(a)(4).
+ levels:
+ - base
+ rules:
+ - coreos_nousb_kernel_argument
+ - grub2_nousb_argument
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.312(a)(2)(i)
+ title: 'Unique user identification'
+ description: |-
+ Assign a unique name and/or number for identifying and tracking user identity.
+ levels:
+ - required
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
+ - audit_rules_unsuccessful_file_modification_open_o_creat
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_openat_rule_order
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ -
audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_immutable
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - auditd_data_retention_flush
+ status: automated
+
+ - id: 164.312(a)(2)(ii)
+ title: 'Emergency access procedure'
+ description: |-
+ Establish (and implement
as needed) procedures for obtaining necessary electronic protected health
+ information during an emergency.
+ levels:
+ - required
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_admin_space_left_action
+ - auditd_data_retention_max_log_file_action
+ - auditd_data_retention_max_log_file_action_stig
+ - auditd_data_retention_space_left_action
+ - package_rsyslog_installed
+ - service_rsyslog_enabled
+ - partition_for_var_log_audit
+ status: automated
+
+ - id: 164.312(a)(2)(iii)
+ title: 'Automatic logoff'
+ description: |-
+ Implement electronic procedures that terminate an electronic session after a predetermined time of
+ inactivity.
+ levels:
+ - addressable
+ rules:
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.312(a)(2)(iv)
+ title: 'Encryption and decryption'
+ description: |-
+ Implement a mechanism to encrypt and decrypt electronic protected health information.
+ levels:
+ - addressable
+ rules:
+ - coreos_nousb_kernel_argument
+ - grub2_nousb_argument
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.312(b)
+ title: 'Audit controls.'
+ description: |-
+ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information
+ systems that contain or use electronic protected health information.
+ levels:
+ - base
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
+ - audit_rules_unsuccessful_file_modification_open_o_creat
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_openat_rule_order
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+
- audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_immutable
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - auditd_audispd_syslog_plugin_activated
+ - auditd_data_retention_flush
+ - coreos_audit_option
+ - grub2_audit_argument
+ - package_audit-audispd-plugins_installed
+ - package_audit_installed
+ -
service_auditd_enabled
+ - rsyslog_remote_loghost
+ - coreos_nousb_kernel_argument
+ - grub2_nousb_argument
+ - kernel_module_usb-storage_disabled
+ - service_autofs_disabled
+ - encrypt_partitions
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_fedora_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_repo_metadata
+ - ensure_redhat_gpgkey_installed
+ - ensure_suse_gpgkey_installed
+ status: automated
+
+ - id: 164.312(c)
+ title: 'Integrity.'
+ description: |-
+ Implement policies and procedures to protect electronic protected health information from improper
+ alteration or destruction.
+ levels:
+ - base
+ rules:
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.312(c)(1)
+ title: 'Integrity.'
+ description: |-
+ Implement policies and procedures to protect electronic protected health information from improper
+ alteration or destruction.
+ levels:
+ - base
+ rules:
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_fedora_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_repo_metadata
+ - ensure_redhat_gpgkey_installed
+ - ensure_suse_gpgkey_installed
+ status: automated
+
+ - id: 164.312(c)(2)
+ title: 'Implementation specification: Mechanism to authenticate electronic protected health information'
+ description: |-
+ Implement electronic mechanisms to corroborate that electronic protected health information has not been
+ altered or destroyed in an unauthorized manner.
+ levels:
+ - addressable
+ rules:
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_fedora_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_repo_metadata
+ - ensure_redhat_gpgkey_installed
+ - ensure_suse_gpgkey_installed
+ status: automated
+
+ - id: 164.312(d)
+ title: 'Person or entity authentication.'
+ description: |-
+ Implement procedures to verify that a person or entity seeking access to electronic protected health information
+ is the one claimed.
+ levels:
+ - base
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
+ -
audit_rules_unsuccessful_file_modification_open_o_creat
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_openat_rule_order
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_immutable
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+ - audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ -
audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - auditd_data_retention_flush
+ - encrypt_partitions
+ status: automated
+
+ - id: 164.312(e)
+ title: 'Transmission security.'
+ description: |-
+ Implement technical security measures to guard against unauthorized access to electronic protected health
+ information that is being transmitted over an electronic communications network.
+ levels:
+ - base
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_execution_chcon
+ - audit_rules_execution_restorecon
+ - audit_rules_execution_semanage
+ - audit_rules_execution_setsebool
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
+ -
audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
+ - audit_rules_unsuccessful_file_modification_open_o_creat
+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_open_rule_order
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_openat_o_creat
+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
+ - audit_rules_unsuccessful_file_modification_openat_rule_order
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_faillock
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_chsh
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_gpasswd
+ - audit_rules_privileged_commands_newgrp
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_passwd
+ - audit_rules_privileged_commands_postdrop
+ - audit_rules_privileged_commands_postqueue
+ - audit_rules_privileged_commands_ssh_keysign
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_sudoedit
+ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_privileged_commands_userhelper
+ - audit_rules_immutable
+ - audit_rules_mac_modification
+ - audit_rules_mac_modification_usr_share
+ -
audit_rules_media_export
+ - audit_rules_networkconfig_modification
+ - audit_rules_session_events
+ - audit_rules_sysadmin_actions
+ - audit_rules_system_shutdown
+ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - audit_rules_time_adjtimex
+ - audit_rules_time_clock_settime
+ - audit_rules_time_settimeofday
+ - audit_rules_time_stime
+ - audit_rules_time_watch_localtime
+ - auditd_data_retention_flush
+ - service_kdump_disabled
+ - sysctl_fs_suid_dumpable
+ - sysctl_kernel_exec_shield
+ - sysctl_kernel_randomize_va_space
+ - sysctl_kernel_dmesg_restrict
+ - coreos_enable_selinux_kernel_argument
+ - grub2_enable_selinux
+ - sebool_selinuxuser_execheap
+ - sebool_selinuxuser_execmod
+ - sebool_selinuxuser_execstack
+ - selinux_confinement_of_daemons
+ - selinux_policytype
+ - selinux_state
+ status: automated
+ - id: 164.312(e)(1)
+ title: 'Transmission security.'
+ description: |-
+ Implement technical security measures to guard against unauthorized access to electronic protected health
+ information that is being transmitted over an electronic communications network.
+ levels:
+ - base
+ rules:
+ - package_cron_installed
+ - service_cron_enabled
+ - service_crond_enabled
+ - use_kerberos_security_all_exports
+ - package_tcp_wrappers_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_ypserv_removed
+ - service_ypbind_disabled
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_rsh_removed
+ - service_rexec_disabled
+ - service_rlogin_disabled
+ - service_rsh_disabled
+ - package_talk-server_removed
+ - package_talk_removed
+ - package_telnet-server_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - service_zebra_disabled
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_disable_rhosts_rsa
+ - sshd_disable_root_login
+ - sshd_disable_user_known_hosts
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - sshd_enable_warning_banner_net
+ - sshd_set_keepalive
+ - sshd_set_keepalive_0
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_macs
+ - sshd_use_priv_separation
+ - libreswan_approved_tunnels
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ status: automated
+ - id: 164.312(e)(2)(i)
+ title: 'Integrity controls'
+ description: |-
+ Implement security measures to ensure that electronically transmitted electronic protected health information is not
+ improperly modified without detection until disposed of.
+ levels:
+ - addressable
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_macs
+ - rpm_verify_hashes
+ - rpm_verify_permissions
+ - ensure_fedora_gpgkey_installed
+ - ensure_gpgcheck_globally_activated
+ - ensure_gpgcheck_local_packages
+ - ensure_gpgcheck_never_disabled
+ - ensure_gpgcheck_repo_metadata
+ - ensure_redhat_gpgkey_installed
+ - ensure_suse_gpgkey_installed
+ status: automated
+
+ - id: 164.312(e)(2)(ii)
+ title: 'Encryption'
+ description: |-
+ Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
+ levels:
+ - addressable
+ rules:
+ - package_cron_installed
+ - service_cron_enabled
+ - service_crond_enabled
+ - use_kerberos_security_all_exports
+ - package_tcp_wrappers_removed
+ - package_xinetd_removed
+ - service_xinetd_disabled
+ - package_ypbind_removed
+ - package_ypserv_removed
+ - service_ypbind_disabled
+ - no_rsh_trust_files
+ - package_rsh-server_removed
+ - package_rsh_removed
+ - service_rexec_disabled
+ - service_rlogin_disabled
+ - service_rsh_disabled
+ - package_talk-server_removed
+ - package_talk_removed
+ - package_telnet-server_removed
+ - package_telnet_removed
+ - service_telnet_disabled
+ - service_zebra_disabled
+ - disable_host_auth
+ - sshd_allow_only_protocol2
+ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+ - sshd_disable_gssapi_auth
+ - sshd_disable_kerb_auth
+ - sshd_disable_rhosts_rsa
+ - sshd_disable_root_login
+ - sshd_disable_user_known_hosts
+ - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
+ - sshd_enable_warning_banner_net
+ - sshd_set_keepalive
+ - sshd_set_keepalive_0
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_macs
+ - sshd_use_priv_separation
+ - libreswan_approved_tunnels
+ - dconf_gnome_remote_access_credential_prompt
+ - dconf_gnome_remote_access_encryption
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+ status: automated
+
+ - id: 164.314(a)(2)(i)(C)
+ title: 'Business
associate contracts.'
+ description: |-
+ Report to the covered entity any security incident of which it becomes aware, including breaches of
+ unsecured protected health information as required by § 164.410.
+ levels:
+ - required
+ rules:
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ status: automated
+
+ - id: 164.314(a)(2)(iii)
+ title: 'Business associate contracts with subcontractors.'
+ description: |-
+ The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other
+ arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner
+ as such requirements apply to contracts or other arrangements between a covered entity and business
+ associate.
+ levels:
+ - required
+ rules:
+ - auditd_audispd_syslog_plugin_activated
+ - rsyslog_remote_loghost
+ status: automated
+
+ - id: 164.314(b)(2)(i)
+ title: 'Implementation specifications'
+ description: |-
+ Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the
+ confidentiality, integrity, and availability of the electronic protected health information that it creates,
+ receives, maintains, or transmits on behalf of the group health plan;
+ levels:
+ - required
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_macs
+ - encrypt_partitions
+ status: automated
From 9ffb137a1871e9494b25a9c568a785687d42e4e1 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 1 May 2024 07:33:34 -0500
Subject: [PATCH 2/4] Add RHEL 10 HIPAA profile
---
 products/rhel10/profiles/hipaa.profile | 27 ++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 products/rhel10/profiles/hipaa.profile
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
new file mode 100644
index 00000000000..480f92a1102
--- /dev/null
+++ b/products/rhel10/profiles/hipaa.profile
@@ -0,0 +1,27 @@
+documentation_complete: True
+
+metadata:
+ SMEs:
+ - jjaswanson4
+
+reference: https://www.hhs.gov/hipaa/for-professionals/index.html
+
+title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+description: |-
+ The HIPAA Security Rule establishes U.S. national standards to protect individuals’
+ electronic personal health information that is created, received, used, or
+ maintained by a covered entity. The Security Rule requires appropriate
+ administrative, physical and technical safeguards to ensure the
+ confidentiality, integrity, and security of electronic protected health
+ information.
+
+ This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security
+ Rule identified for securing of electronic protected health information.
+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
+
+selections:
+ - hipaa:all
+
+# vim syntax=yaml
+
From 81f9ca8fa8a8c999a2aabf50ec807a219f149817 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 8 May 2024 15:07:31 -0500
Subject: [PATCH 3/4] Deselect incompatible rules for the RHEL 10 HIPAA profile
---
 products/rhel10/profiles/hipaa.profile | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 480f92a1102..252de207d45 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -1,4 +1,4 @@
-documentation_complete: True
+documentation_complete: true
 metadata:
 SMEs:
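Review bot: The profile selects `hipaa:all`, which takes every level the control file declares (`required`, `addressable` and `base`, with `required` inheriting the other two), but neither the description nor a comment tells the reader that addressable implementation specifications are enforced alongside the required ones, and that distinction is the first thing an assessor will ask about. A sentence in the description such as `This profile selects rules mapped to both required and addressable implementation specifications of the Security Rule.`, or a comment `# 'all' = required + addressable + base levels of controls/hipaa.yml` above the selection, would make the scope explicit. The `reference` URL is the general HHS HIPAA index while the control file's `source` is the eCFR Part 164 text; citing the same source in both places keeps the provenance consistent. The RHEL 9 wording and the `True` capitalisation are corrected by later patches in this series, so they are not raised here.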
@@ -22,6 +22,23 @@ description: |-
selections:
- hipaa:all
-
-# vim syntax=yaml
-
+ - '!coreos_disable_interactive_boot'
+ - '!coreos_audit_option'
+ - '!coreos_nousb_kernel_argument'
+ - '!coreos_enable_selinux_kernel_argument'
+ - '!ensure_suse_gpgkey_installed'
+ - '!ensure_fedora_gpgkey_installed'
+ - '!grub2_uefi_admin_username'
+ - '!grub2_uefi_pass'
+ - '!service_zebra_disabled'
+ - '!package_talk-server_removed'
+ - '!package_talk_removed'
+ - '!sshd_use_approved_macs'
+ - '!sshd_use_approved_ciphers'
+ - '!accounts_passwords_pam_tally2'
+ - '!package_audit-audispd-plugins_installed'
+ - '!package_ypserv_removed'
+ - '!package_ypbind_removed'
+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
From f280f1da8a63c7dadee488d2197df0d280feb684 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 9 May 2024 12:22:40 -0500
Subject: [PATCH 4/4] Address reviewer comments in #11915
---
controls/hipaa.yml | 2 +-
products/rhel10/profiles/hipaa.profile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
index d73e907f3ab..a2eaad9c65d 100644
--- a/controls/hipaa.yml
+++ b/controls/hipaa.yml
@@ -15,7 +15,7 @@ controls:
title: 'Risk management'
description: |-
Implement security measures sufficient to reduce risks and vulnerabilities to a
- reasonable and appropriate level to comply with § 164.306(a).'
+ reasonable and appropriate level to comply with § 164.306(a).
levels:
- required
rules:
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 252de207d45..189345252c8 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
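Review bot: The entry `- '!grub2_uefi_pass'` in the deselection list does not look like a complete rule id — its sibling on the same list is `'!grub2_uefi_admin_username'`, and the UEFI password rule in this content is `grub2_uefi_password`, so this line most likely deselects nothing and the password rule stays selected for RHEL 10; change it to `- '!grub2_uefi_password'` or confirm that `grub2_uefi_pass` is a real rule id. Separately, deselecting `sshd_use_approved_ciphers` and `sshd_use_approved_macs` leaves control `164.314(b)(2)(i)` in the patch 1 hunk with only `encrypt_partitions`, while the control still says `status: automated`, so its transmission-side safeguard no longer has any automated SSH check; if RHEL 10 is expected to get SSH cipher/MAC hardening from the system-wide crypto policy instead, select the rule that enforces that policy and record the reason in a comment such as `# sshd cipher/MAC rules do not apply on RHEL 10; crypto policy covers SSH`. A one-line comment above the `!` entries explaining why each group is incompatible with RHEL 10 (CoreOS-only, removed packages, pam_tally2) would also make the list maintainable, since right now the intent is only recoverable from the commit subject.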
@@ -16,7 +16,7 @@ description: |-
confidentiality, integrity, and security of electronic protected health
information.
- This profile configures Red Hat Enterprise Linux 9 to the HIPAA Security
+ This profile configures Red Hat Enterprise Linux 10 to the HIPAA Security
Rule identified for securing of electronic protected health information.
Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
