{"component-definition":{"uuid":"a747d207-b734-40dc-8451-d6851d8f4e01","metadata":{"links":[{"rel":"latest-version","href":"https://github.com/CivicActions/oscal-component-definitions/tree/main"}],"roles":[{"id":"creator","title":"Creator"}],"title":"Ilias LMS","parties":[{"name":"CivicActions","type":"organization","uuid":"a37f870b-12f8-46d9-82c4-df9a3a559fb2"}],"version":"20240513","published":"2022-10-10T17:04:46.005102+00:00","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"e3c67e99-ce9f-4929-ae90-6ce4a8761d12"}],"last-modified":"2024-05-13T15:00:00.612641+00:00","oscal-version":"1.0.0","responsible-parties":[{"role-id":"creator","party-uuids":["a37f870b-12f8-46d9-82c4-df9a3a559fb2"]}]},"components":[{"type":"software","uuid":"1e31d206-9e16-4a46-9c86-070daa85302f","title":"Ilias","description":"The Ilias Learning Management System","control-implementations":[{"uuid":"df33f215-5b94-4dff-9759-7440964812af","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/v1.0.0/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","description":"NIST_SP-800-53_rev4","implemented-requirements":[{"uuid":"2c2fd9d3-db64-40d5-b012-ac0163388a61","control-id":"ac-2","statements":[{"uuid":"521bab5d-418a-481e-8d6c-7a8eab708392","description":"Ilias provides user accounts for individuals who participate in visiting, contributing to and administering the site, with the following roles:\n- Anonymous user – Readers of the site who either do not have an account or are not logged in.\n- Guest – This role has limited visibility and read permissions.\n- User – Standard role for registered users. This role grants read access to most objects.\n- Administrator – This role has all permissions enabled by default.","statement-id":"ac-2_smt.a"},{"uuid":"17c91f03-b466-4814-91f3-02f496e5f1f9","description":"Ilias' permissions and role-based access controls are built-in. Each role within Ilias can only access the pages and controls that its privileges allow.","statement-id":"ac-2_smt.d"},{"uuid":"450c1d43-aafb-42db-93d1-685a1add552f","description":"Ilias monitors the usage of information accounts in a log on the server.","statement-id":"ac-2_smt.g"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"e57ad2cf-16ab-4d99-a3f1-95b9b949767a","control-id":"ac-3","description":"Access control in Ilias is enforced by authentication via Shibboleth single sign-on (SSO) for every type of user except the Anonymous user. The user’s privileges, permissions, and access are provided on the principle of least privilege.\nThe anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves. Project Administrators, HR Managers, and Org Managers are the only roles that can create new user accounts."},{"uuid":"f55ecffa-cc2c-472a-947e-78d713666497","control-id":"ac-8","description":"System Use Notification is inherited from the Project."},{"uuid":"9a9f60b6-d8f0-4bd1-bc20-46d11140a9a5","control-id":"ac-14","description":"The anonymous user role has the least access to the site of all roles. The website does not allow anonymous users to register an account for themselves."},{"uuid":"328d7604-8e1f-4c7a-9f65-30fbad89c37a","control-id":"au-2","statements":[{"uuid":"6cf7489d-83b2-475e-8e3f-b1cf47ba71fb","description":"Transaction logs are generated by the Apache web server, Ilias CMS, MySQL database and PHP page processing. Specifically, the following server, application, database and network device audit log events are captured:\n- Apache access log: Contains a list of requests for your website that have bypassed Varnish. These requests include pages, theme files, and static media files.\n- Apache error log: Records any Apache-level issues. The issues reported here are usually caused by general server issues, including capacity problems, .htaccess problems, and missing files.\n- Ilias page request log: Records all Ilias page loads on your website.\n- Ilias log: Records Ilias-related actions on your website. The log is recorded on your server.\n- MySQL slow query log: Contains a list of MySQL queries that have taken longer than one second to complete.\n- PHP error log: Records any issues that occur during the PHP processing portion of a page load. Issues reported here are usually caused by a website’s code, configuration, or content.","statement-id":"au-2_smt.a"},{"uuid":"7b6b2423-14fe-49fc-bd1c-2061d44f4573","description":"All security-related issues and events, including requests for server log analysis, are recorded in CivicActions' JIRA tracking system.","statement-id":"au-2_smt.b"},{"uuid":"3cfca17c-0835-4533-a98b-cb18048b79ce","description":"CivicActions has extensive experience and specialization as a host of websites that are built using the Ilias web learning platform. Should the need for additional logging become evident, CivicActions can add it by modifying the website's source code to insert additional Ilias logging hooks.","statement-id":"au-2_smt.c"},{"uuid":"8ae76170-5737-4f4f-bcef-6ec4cebd7de3","description":"Information captured in the transaction logs includes, but is not limited to, the following auditable events:\n- Failed login attempts\n- Successful login attempts\n- New user account creation\n- Password reset instructions mailed\n- User logins via a one-time login link\n- Content creation\n- Content publishing\n- Web page not found\n- Website configuration changes\n- System administration activities\n- Slow query logs\n- PHP error logs: Captures any errors logged during execution of the PHP programming language","statement-id":"au-2_smt.d"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"81f763a1-14d9-4273-8e2e-0bd34da5ffb3","control-id":"au-3","description":"The logs collected for Ilias sites include the following types of information:\n- IP address of the request originator\n- Timestamp\n- Username\n- Ilias log message (if applicable)\n- Unique numerical ID of the content being modified (for content creation, modification and deletion events)\nWhen auditing an Ilias incident, CivicActions' developers aggregate log sources from multiple servers into the Graylog dashboard so that all log entries for a single managed security incident can be analyzed in a single document. Log sources are sorted, filtered and reviewed. Application logs are maintained primarily for after-the-fact investigation of critical system or security events."},{"uuid":"bb369f75-b2e8-4394-a5ad-af63037ae120","control-id":"ca-7","statements":[{"uuid":"af6ebd14-410f-41de-aa12-4b8efa7ebdc5","description":"CivicActions follows recommendations and best practices developed by the Ilias community for monitoring. Examples of specific logs and metrics are included in AU-2 and AU-3.","statement-id":"ca-7_smt.a"},{"uuid":"1718b0b2-7f39-40ff-a271-cbe06171cdaa","description":"CivicActions works closely with the Ilias security community and reviews security announcements as part of the continuous monitoring strategy. Items found to require immediate remediation will be addressed.","statement-id":"ca-7_smt.c"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"b0b9f438-44cf-4f89-8f8c-5e079f9a0847","control-id":"cm-2","description":"The baseline configuration is maintained in Git and described in the Configuration Management Plan, which describes the change workflow and software configuration. In the context of Security Configuration Management, the baseline configuration is a collection of formally approved configuration state(s) of one or more configuration items (\"features\") that compose the system. The baseline configuration is used to restore the system and serves as the basis against which the next change or set of changes to the system is made.\nThe features for the system are maintained in the website's source code, which is managed in Git, a source code version control system. Once the source code is updated and committed, Git retains the committed version in the repository as the new baseline. Before being staged, all code is documented, tested and approved by CivicActions Development, as described in control SA-3. The production environment is configured to take database snapshots daily."},{"uuid":"8deb03ec-cc48-4fe7-ba90-89c77b82bc98","control-id":"cm-8","description":"The software inventory for the application is maintained in the codebase stored in CivicActions' Git source code version control system. It consists of the following components:\n- The Ilias open-source web learning management system\n- Ilias add-on modules, themes, and libraries available from the Ilias.de website, which extend Ilias core\n- Custom code written by CivicActions' developers\nThe inventory is reviewed monthly by CivicActions Product Engineering teams in accordance with the Configuration Management Plan.\nWebsite content is backed up daily using CPM snapshots. This allows CivicActions to build an inventory of the system on demand."},{"uuid":"875697db-0cb4-41e9-9696-daa82b876232","control-id":"cm-10","description":"Ilias is hosted on a LAMP platform (Linux, Apache, MySQL, and PHP). These are all compatible with the Free Software Foundation's General Public License (GPL) version 2 or later and are freely available for use under copyright law."},{"uuid":"ecc504cf-c5d6-4c31-91c4-a74fb7782755","control-id":"ia-4","statements":[{"uuid":"20d71ec6-7fe6-4e19-9695-bb3ee8d6886e","description":"Upon account creation, the Ilias software assigns each user account a unique numerical user ID (UID). This UID is used internally by the system to track user actions such as content creation or editing. The numerical user IDs are never reused, even if their user accounts are subsequently blocked or deleted.","statement-id":"ia-4_smt.a"},{"uuid":"b6a73e28-a2d6-4366-9acb-180cee20100d","description":"When Ilias user accounts are created, users' email addresses are verified by sending a single-use activation link to the user’s mailbox. The email recipient then uses the activation link to log in to the website and supply a password, which must meet the system's password complexity requirements.","statement-id":"ia-4_smt.b"},{"uuid":"c2f52e82-2944-48a1-b78e-4c27d7defe69","description":"Identifiers for CivicActions internal personnel include a username based on the individual's full first and last name and are reviewed for uniqueness by the admin group when it approves the creation of the user account.","statement-id":"ia-4_smt.c"},{"uuid":"d340fa98-8e65-4da8-b024-b9fedf4e4c65","description":"An Ilias user's unique identifier (the numeric user ID, or UID) is never reused.","statement-id":"ia-4_smt.d"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"e7a4ae48-2ff8-4ec6-b228-7d27c0601d31","control-id":"ia-5","statements":[{"uuid":"036d5ed7-0a4b-4cbb-8a2f-d8009c4b1c0b","description":"Refer to control AC-2 in this SSP for further details on account provisioning.\nCivicActions will create and maintain an initial Ilias Administrator (the highest level of Ilias account). New Administrators are able to grant additional Administrator access at their own discretion and are ultimately responsible for managing their own Administrator and other user accounts that they create.","statement-id":"ia-5_smt.a"},{"uuid":"5b03ce00-890f-49a4-90ab-56629e64ca0b","description":"Initial authenticator content (a unique email address – not previously used in any other account) is provided by the user. Internal initial password requirements set by CivicActions Operations and ongoing password refreshes by internal users follow the requirements set in the Identification and Authentication Policy.","statement-id":"ia-5_smt.b"},{"uuid":"51c4035c-741b-4244-8696-29dbb9b8c3b9","description":"The system partially inherits this control from Ilias standard password strength mechanisms.","statement-id":"ia-5_smt.c"},{"uuid":"52cce68e-6e2a-4929-ab8b-17bbdc2f97a8","description":"The system partially inherits this control from Ilias standard password management.\nAll password creation/change/reset operations are recorded in the website's Ilias logs.","statement-id":"ia-5_smt.d"},{"uuid":"13e8a050-4c4c-4a4f-bde8-1319ed43af4a","description":"Ilias requires users to change their password upon initial login, and the application website enforces this. Each user account is assigned a default password that is randomly generated, not possible to guess, and not shared with anyone, including site administrators. When the user logs in and creates a new password, the default password is erased from the website database.","statement-id":"ia-5_smt.e"},{"uuid":"9a57d62e-b868-42bd-a6b8-56f03bcc8888","description":"For all Ilias users, passwords are protected by the website's software, which only stores an encrypted string based on the password. This means that even if the website's database should be compromised, an attacker would still be unable to know users' actual passwords. Internal users receive training in security awareness and acceptable use and are instructed never to reveal their passwords to anyone.","statement-id":"ia-5_smt.h"},{"uuid":"9e8c5f5f-1c90-4a6a-ad64-9d203bedc246","description":"Ilias users are required to take appropriate measures in the handling of passwords, including:\n- Not transmitting user names and passwords together in an unencrypted format\n- Not permitting the sending of passwords in an unencrypted format via email\n- Not listing passwords in tickets\n- Not writing down or storing passwords in a readable form in any physical or logical location where they may be discoverable by unauthorized persons.","statement-id":"ia-5_smt.i"},{"uuid":"23e00bbd-fa91-440e-9a17-1ff1484f2b2f","description":"This control is not applicable because group accounts are not created within the Ilias application, per IA Policy.","statement-id":"ia-5_smt.j"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"dfc5283d-d7a2-4b3e-950f-1490edc993f5","control-id":"ia-5.1","statements":[{"uuid":"0adaa466-d5fa-4ba6-962a-b8f5fe809971","description":"Ilias supports the requirement for password-based authentication complexity. New users of Ilias are required to set their password as soon as they log in to the website for the first time. The website requires all submitted passwords to comply with validation rules, as described above in IA-5(c).\nChanging password lifetime, length, reuse or strength requirements requires a code setting change that therefore needs to be planned and approved by CivicActions' Change Control Board before being implemented.","statement-id":"ia-5.1_smt.a"},{"uuid":"ecdd84c8-9d2b-461b-832e-a05231b64eab","description":"When a password change is required, Ilias users must change their authenticator password by changing at least one character. Enforcement of this control is implemented through the website's software configuration.","statement-id":"ia-5.1_smt.b"},{"uuid":"ccf21d95-2a05-440f-9e0e-9e958fc64564","description":"All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS.","statement-id":"ia-5.1_smt.c"},{"uuid":"453c7a15-570a-4ed7-bff8-a216cf87f43c","description":"The website requires all submitted passwords to comply with lifetime rules, as described above in IA-5(g).","statement-id":"ia-5.1_smt.d"},{"uuid":"822c27ae-591a-461b-a4dd-1a5854d530b8","description":"Password reuse is limited through software configuration.","statement-id":"ia-5.1_smt.e"},{"uuid":"1244fd89-7a2d-4946-967d-814ab92d4304","description":"When website users request a password reset, the website sends a temporary login link to the email address associated with their user account. After a user logs in via the temporary login link, the website requires the user to enter a new password before proceeding further.","statement-id":"ia-5.1_smt.f"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"7e2e4f5a-e42e-45c1-b59f-4d4f2f1d8b34","control-id":"ia-6","description":"Feedback of authentication information is obscured during the authentication process into the Ilias application by displaying “dots” in the place of a password, as is standard for web-based applications. In transmission, passwords are encrypted using SSL via HTTPS."},{"uuid":"ebc207e6-1291-4568-9a8a-01c209a4003c","control-id":"ia-7","description":"All Ilias passwords are encrypted in storage, using the SHA-512 hashing algorithm with a salt. SHA-512 is an approved security function under FIPS PUB 140-2. The hash function is performed repeatedly to further obfuscate the password via key stretching. In transmission, passwords are encrypted using SSL via HTTPS."},{"uuid":"bc86dd04-3c5a-4db9-974d-5ba999f43353","control-id":"sa-5","statements":[{"uuid":"ca04c4ac-ef11-43c0-a92a-3e9e98698c05","description":"Public documentation related to Ilias is maintained by the Ilias Association and is located at <https://Ilias.de/documentation>. This documentation contains administrator documentation for the information system that describes:\n- secure configuration, installation, and operation of the system, component, or service;\n- effective use and maintenance of security functions/mechanisms; and\n- known vulnerabilities regarding configuration and use of administrative functions.","statement-id":"sa-5_smt.a"},{"uuid":"4f3baef5-be4c-4b72-932e-26e72bdeebad","description":"The public documentation at Ilias.de contains user documentation for the information system that describes:\n- user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;\n- methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner; and\n- user responsibilities in maintaining the security of the system, component, or service.","statement-id":"sa-5_smt.b"},{"uuid":"e037a398-2b5c-4f4a-9f44-c210767ef96f","description":"As Ilias is a popular, well-used and well-maintained free and open source (FOSS) project, in the event that sought-after documentation is not available on Ilias.de, it can usually be found in one of the many forums, mailing lists or Stack Exchange sites covering Ilias and its many contributed modules.","statement-id":"sa-5_smt.c"},{"uuid":"3613fdc5-47bc-4d44-aca7-4575ec9f6b92","description":"The Ilias.de documentation is multi-sourced on GitHub and private repositories.","statement-id":"sa-5_smt.d"},{"uuid":"2a7469f9-9836-4641-8398-c89c46647eb5","description":"As the Ilias.de documentation is publicly available, there is no need to provide distribution mechanisms.","statement-id":"sa-5_smt.e"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"db10b88e-4f95-4ace-9a1e-29cae436bbef","control-id":"sc-5","description":"Ilias provides a manual ability to block IP addresses in cases where attacks bypass cloud protection. This is managed by CivicActions Operations."},{"uuid":"225006ba-d59a-4632-896c-4dced7856dad","control-id":"sc-7","description":"Ilias, when deployed on SELinux in full enforcing mode, minimizes the number of services and computing nodes that are exposed to the Internet. Ilias employs both the AWS platform safeguards and Ilias logging for monitoring and recording system events. All other computing nodes used in the system are isolated within AWS."},{"uuid":"45279e8a-0346-491c-846b-daa9688abce2","control-id":"si-2","description":"Ilias contains built-in security status monitoring of the core application and contributed modules."},{"uuid":"dfbd1ce3-4440-4d87-9054-97b87cf363e7","control-id":"si-5","description":"CivicActions Security and Operations receive Ilias Security Advisories on a regular basis."}]}]}]}}