OL09-00-000001 |
The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. |
OL09-00-000002 |
OL 9 must use a separate file system for the system audit data path. |
OL09-00-000003 |
OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). |
OL09-00-000004 |
OL 9 must use a separate file system for /tmp. |
OL09-00-000005 |
OL 9 must use a separate file system for /var. |
OL09-00-000006 |
OL 9 must use a separate file system for /var/log. |
OL09-00-000007 |
OL 9 must use a separate file system for /var/tmp. |
OL09-00-000010 |
OL 9 must be a vendor supported release. |
OL09-00-000015 |
OL 9 vendor packaged system security patches and updates must be installed and up to date. |
OL09-00-000020 |
OL 9 must be configured so that the graphical display manager is not the default target unless approved. |
OL09-00-000025 |
OL 9 must require authentication to access emergency mode. |
OL09-00-000030 |
OL 9 must require authentication to access single-user mode. |
OL09-00-000040 |
OL 9 must be configured to disable the Asynchronous Transfer Mode (ATM) kernel module. |
OL09-00-000041 |
OL 9 must be configured to disable the Controller Area Network (CAN) kernel module. |
OL09-00-000042 |
OL 9 must be configured to disable the FireWire kernel module. |
OL09-00-000043 |
OL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. |
OL09-00-000044 |
OL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. |
OL09-00-000045 |
OL 9 must disable mounting of cramfs. |
OL09-00-000046 |
OL 9 Bluetooth must be disabled. |
OL09-00-000047 |
OL 9 must be configured to disable USB mass storage. |
OL09-00-000050 |
OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes. |
OL09-00-000060 |
OL 9 must use a Linux Security Module configured to enforce limits on system services. |
OL09-00-000065 |
OL 9 must enable the SELinux targeted policy. |
OL09-00-000070 |
OL 9 must enable FIPS mode. |
OL09-00-000090 |
OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. |
OL09-00-000100 |
OL 9 must not have the nfs-utils package installed. |
OL09-00-000105 |
OL 9 must not have the rsh-server package installed. |
OL09-00-000110 |
OL 9 must not have the telnet-server package installed. |
OL09-00-000115 |
OL 9 must not have the gssproxy package installed. |
OL09-00-000120 |
OL 9 must not have the iprutils package installed. |
OL09-00-000125 |
OL 9 must not have the tuned package installed. |
OL09-00-000130 |
OL 9 must not have a File Transfer Protocol (FTP) server package installed. |
OL09-00-000135 |
OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. |
OL09-00-000140 |
OL 9 must not have the quagga package installed. |
OL09-00-000145 |
OL 9 must not have a graphical display manager installed unless approved. |
OL09-00-000150 |
OL 9 must not have the sendmail package installed. |
OL09-00-000200 |
OL 9 must have policycoreutils package installed. |
OL09-00-000210 |
OL 9 policycoreutils-python-utils package must be installed. |
OL09-00-000220 |
OL 9 must have the firewalld package installed. |
OL09-00-000221 |
OL 9 must be configured so that the firewalld service is active. |
OL09-00-000222 |
OL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. |
OL09-00-000223 |
OL 9 must control remote access methods. |
OL09-00-000224 |
OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems. |
OL09-00-000230 |
OL 9 must have the sudo package installed. |
OL09-00-000231 |
OL 9 must use the invoking user's password for privilege escalation when using sudo. |
OL09-00-000232 |
OL 9 must restrict privilege elevation to authorized personnel. |
OL09-00-000240 |
OL 9 must have the crypto-policies package installed. |
OL09-00-000241 |
OL 9 must implement a FIPS 140-3 compliant system-wide cryptographic policy. |
OL09-00-000242 |
OL 9 must not allow the cryptographic policy to be overridden. |
OL09-00-000243 |
OL 9 must be configured so that the cryptographic hashes of system files match vendor values. |
OL09-00-000244 |
OL 9 cryptographic policy files must match files shipped with the operating system. |
OL09-00-000250 |
OL 9 networked systems must have SSH installed. |
OL09-00-000251 |
OL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. |
OL09-00-000252 |
The OL 9 SSH daemon must be configured to use systemwide cryptographic policies. |
OL09-00-000254 |
OL 9 SSH server must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. |
OL09-00-000255 |
OL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. |
OL09-00-000256 |
OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. |
OL09-00-000260 |
OL 9 must have the openssh-clients package installed. |
OL09-00-000261 |
OL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. |
OL09-00-000262 |
OL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. |
OL09-00-000270 |
OL 9 must have the openssl-pkcs11 package installed. |
OL09-00-000280 |
OL 9 must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. |
OL09-00-000285 |
OL 9 must have the SSSD package installed. |
OL09-00-000286 |
OL 9 must use the SSSD package for multifactor authentication services. |
OL09-00-000290 |
OL 9 must have the s-nail package installed. |
OL09-00-000300 |
OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. |
OL09-00-000301 |
OL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered. |
OL09-00-000302 |
OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. |
OL09-00-000303 |
OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). |
OL09-00-000304 |
OL 9 must be configured so that the file integrity tool verifies extended attributes. |
OL09-00-000310 |
OL 9 must have the chrony package installed. |
OL09-00-000311 |
OL 9 must enable the chronyd service. |
OL09-00-000320 |
OL 9 must have the USBGuard package installed. |
OL09-00-000321 |
OL 9 must enable the USBGuard package. |
OL09-00-000330 |
OL 9 must have the subscription-manager package installed. |
OL09-00-000340 |
OL 9 must have the fapolicy module installed. |
OL09-00-000341 |
OL 9 must enable the fapolicy module. |
OL09-00-000350 |
OL 9 must have the rsyslog package installed. |
OL09-00-000351 |
OL 9 must be configured so that the rsyslog service is active. |
OL09-00-000355 |
OL 9 must have the packages required for encrypting offloaded audit logs installed. |
OL09-00-000360 |
OL 9 must enable the hardware random number generator entropy gatherer service. |
OL09-00-000370 |
OL 9 must have the rng-tools package installed. |
OL09-00-000380 |
OL 9 must have the nss-tools package installed. |
OL09-00-000390 |
OL 9 must have the pcsc-lite package installed. |
OL09-00-000400 |
OL 9 must have the opensc package installed. |
OL09-00-000401 |
OL 9 must be configured so that the pcscd service is active. |
OL09-00-000410 |
OL 9 must have the libreswan package installed. |
OL09-00-000430 |
OL 9 must have the gnutls-utils package installed. |
OL09-00-000440 |
OL 9 must have the audit package installed. |
OL09-00-000441 |
OL 9 audit service must be enabled. |
OL09-00-000450 |
OL 9 must have the audispd-plugins package installed. |
OL09-00-000495 |
OL 9 must remove all software components after updated versions have been installed. |
OL09-00-000496 |
OL 9 must check the GPG signature of locally installed software packages before installation. |
OL09-00-000497 |
OL 9 must check the GPG signature of software packages originating from external software repositories before installation. |
OL09-00-000498 |
OL 9 must have GPG signature verification enabled for all software repositories. |
OL09-00-000499 |
OL 9 must ensure cryptographic verification of vendor software packages. |
OL09-00-000500 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
OL09-00-000505 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. |
OL09-00-000510 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
OL09-00-000515 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
OL09-00-000520 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. |
OL09-00-000525 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
OL09-00-000530 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
OL09-00-000535 |
OL 9 must audit all uses of the unix_update command. |
OL09-00-000540 |
OL 9 must audit all uses of the su command. |
OL09-00-000545 |
OL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. |
OL09-00-000550 |
OL 9 must audit all uses of the chage command. |
OL09-00-000555 |
OL 9 must audit all uses of the chcon command. |
OL09-00-000560 |
OL 9 must audit all uses of the setfacl command. |
OL09-00-000565 |
OL 9 must audit all uses of the chsh command. |
OL09-00-000570 |
OL 9 must audit all uses of the crontab command. |
OL09-00-000575 |
OL 9 must audit all uses of the gpasswd command. |
OL09-00-000580 |
OL 9 must audit all uses of the newgrp command. |
OL09-00-000585 |
OL 9 must audit all uses of the pam_timestamp_check command. |
OL09-00-000590 |
OL 9 must audit all uses of the passwd command. |
OL09-00-000595 |
OL 9 must audit all uses of the postdrop command. |
OL09-00-000600 |
OL 9 must audit all uses of the postqueue command. |
OL09-00-000605 |
OL 9 must audit all uses of the ssh-agent command. |
OL09-00-000610 |
OL 9 must audit all uses of the ssh-keysign command. |
OL09-00-000615 |
OL 9 must audit all uses of the sudoedit command. |
OL09-00-000620 |
OL 9 must audit all uses of the unix_chkpwd command. |
OL09-00-000625 |
OL 9 must audit all uses of the userhelper command. |
OL09-00-000630 |
OL 9 must audit all uses of the mount command. |
OL09-00-000635 |
OL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. |
OL09-00-000640 |
OL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. |
OL09-00-000645 |
OL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. |
OL09-00-000650 |
OL 9 must audit all uses of the semanage command. |
OL09-00-000655 |
OL 9 must audit all uses of the setfiles command. |
OL09-00-000660 |
OL 9 must audit all uses of the setsebool command. |
OL09-00-000665 |
OL 9 must audit all uses of the chacl command. |
OL09-00-000670 |
OL 9 must audit all uses of the sudo command. |
OL09-00-000675 |
OL 9 must audit all uses of the usermod command. |
OL09-00-000680 |
OL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. |
OL09-00-000685 |
OL 9 must audit all uses of the delete_module system call. |
OL09-00-000690 |
OL 9 must audit all uses of the init_module and finit_module system calls. |
OL09-00-000695 |
OL 9 must audit all uses of the kmod command. |
OL09-00-000700 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. |
OL09-00-000705 |
OL 9 must audit all uses of umount system calls. |
OL09-00-000710 |
OL 9 must use cryptographic mechanisms to protect the integrity of audit tools. |
OL09-00-000715 |
OL 9 must audit uses of the execve system call. |
OL09-00-000720 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. |
OL09-00-000725 |
OL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. |
OL09-00-000730 |
OL 9 must be configured so that successful/unsuccessful uses of the init command generate an audit record. |
OL09-00-000735 |
OL 9 must be configured so that successful/unsuccessful uses of the poweroff command generate an audit record. |
OL09-00-000740 |
OL 9 must be configured so that successful/unsuccessful uses of the reboot command generate an audit record. |
OL09-00-000745 |
OL 9 must be configured so that successful/unsuccessful uses of the shutdown command generate an audit record. |
OL09-00-000750 |
OL 9 must enable auditing of processes that start prior to the audit daemon. |
OL09-00-000755 |
OL 9 must label all offloaded audit logs before sending them to the central log server. |
OL09-00-000760 |
OL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. |
OL09-00-000765 |
OL 9 audit system must take appropriate action when the audit storage volume is full. |
OL09-00-000770 |
OL 9 audit system must take appropriate action when the audit files have reached maximum size. |
OL09-00-000775 |
OL 9 must periodically flush audit records to disk to prevent the loss of audit records. |
OL09-00-000785 |
OL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. |
OL09-00-000790 |
OL 9 audit log directory must be owned by root to prevent unauthorized read access. |
OL09-00-000795 |
OL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. |
OL09-00-000800 |
OL 9 audit system must audit local events. |
OL09-00-000805 |
OL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
OL09-00-000810 |
OL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access. |
OL09-00-000815 |
OL 9 must forward mail from postmaster to the root account using a postfix alias. |
OL09-00-000820 |
OL 9 must take appropriate action when a critical audit processing failure occurs. |
OL09-00-000825 |
The OL 9 system administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. |
OL09-00-000830 |
OL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. |
OL09-00-000835 |
OL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. |
OL09-00-000840 |
OL 9 must be configured so that successful/unsuccessful uses of the umount system call generate an audit record. |
OL09-00-000845 |
OL 9 must be configured so that successful/unsuccessful uses of the umount2 system call generate an audit record. |
OL09-00-000850 |
OL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. |
OL09-00-000855 |
OL 9 must be configured to offload audit records onto a different system from the system being audited via syslog. |
OL09-00-000860 |
OL 9 must take appropriate action when the internal event queue is full. |
OL09-00-000865 |
OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. |
OL09-00-000870 |
OL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. |
OL09-00-000875 |
OL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. |
OL09-00-000880 |
OL 9 must write audit records to disk. |
OL09-00-000885 |
OL 9 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. |
OL09-00-000900 |
OL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
OL09-00-000905 |
OL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key. |
OL09-00-000910 |
OL 9 must map the authenticated identity to the user or group account for PKI-based authentication. |
OL09-00-000925 |
OL 9 must enable certificate-based smart card authentication. |
OL09-00-000930 |
OL 9 must implement certificate status checking for multifactor authentication (MFA). |
OL09-00-000935 |
OL 9 must prohibit the use of cached authenticators after one day. |
OL09-00-000940 |
OL 9 must use the CAC smart card driver. |
OL09-00-001000 |
OL 9 must ensure the password complexity module is enabled in the system-auth file. |
OL09-00-001001 |
OL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. |
OL09-00-001005 |
OL 9 must enforce password complexity by requiring that at least one uppercase character be used. |
OL09-00-001010 |
OL 9 must ensure the password complexity module is enabled in the password-auth file. |
OL09-00-001015 |
OL 9 must enforce password complexity by requiring that at least one lowercase character be used. |
OL09-00-001020 |
OL 9 must enforce password complexity by requiring that at least one numeric character be used. |
OL09-00-001025 |
OL 9 must require the change of at least eight characters when passwords are changed. |
OL09-00-001030 |
OL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. |
OL09-00-001035 |
OL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. |
OL09-00-001040 |
OL 9 must require the change of at least four character classes when passwords are changed. |
OL09-00-001045 |
OL 9 must enforce password complexity rules for the root account. |
OL09-00-001050 |
OL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. |
OL09-00-001055 |
OL 9 must be configured to use the shadow file to store only encrypted representations of passwords. |
OL09-00-001060 |
OL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. |
OL09-00-001065 |
OL 9 password-auth must be configured to use a sufficient number of hashing rounds. |
OL09-00-001070 |
OL 9 system-auth must be configured to use a sufficient number of hashing rounds. |
OL09-00-001075 |
OL 9 shadow password suite must be configured to use a sufficient number of hashing rounds. |
OL09-00-001080 |
OL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. |
OL09-00-001085 |
OL 9 passwords for new users or password changes must have a 24-hour minimum password lifetime restriction in /etc/login.defs. |
OL09-00-001090 |
OL 9 passwords must have a 24-hour minimum password lifetime restriction in /etc/shadow. |
OL09-00-001095 |
OL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. |
OL09-00-001100 |
OL 9 user account passwords must have a 60-day maximum password lifetime restriction. |
OL09-00-001105 |
OL 9 passwords must be created with a minimum of 15 characters. |
OL09-00-001110 |
OL 9 must not allow blank or null passwords. |
OL09-00-001115 |
OL 9 must require a boot loader superuser password. |
OL09-00-001120 |
OL 9 must enforce password complexity by requiring that at least one special character be used. |
OL09-00-001125 |
OL 9 must prevent the use of dictionary words for passwords. |
OL09-00-001130 |
OL 9 must not have accounts configured with blank or null passwords. |
OL09-00-002000 |
OL 9 file system automount function must be disabled unless required. |
OL09-00-002010 |
OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. |
OL09-00-002011 |
OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). |
OL09-00-002012 |
OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). |
OL09-00-002013 |
OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
OL09-00-002020 |
OL 9 must prevent code from being executed on file systems that are used with removable media. |
OL09-00-002021 |
OL 9 must prevent special devices on file systems that are used with removable media. |
OL09-00-002022 |
OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
OL09-00-002030 |
OL 9 must mount /boot with the nodev option. |
OL09-00-002031 |
OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. |
OL09-00-002032 |
OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. |
OL09-00-002040 |
OL 9 must mount /dev/shm with the nodev option. |
OL09-00-002041 |
OL 9 must mount /dev/shm with the noexec option. |
OL09-00-002042 |
OL 9 must mount /dev/shm with the nosuid option. |
OL09-00-002050 |
OL 9 must mount /tmp with the nodev option. |
OL09-00-002051 |
OL 9 must mount /tmp with the noexec option. |
OL09-00-002052 |
OL 9 must mount /tmp with the nosuid option. |
OL09-00-002060 |
OL 9 must mount /var with the nodev option. |
OL09-00-002061 |
OL 9 must mount /var/log with the nodev option. |
OL09-00-002062 |
OL 9 must mount /var/log with the noexec option. |
OL09-00-002063 |
OL 9 must mount /var/log with the nosuid option. |
OL09-00-002064 |
OL 9 must mount /var/log/audit with the nodev option. |
OL09-00-002065 |
OL 9 must mount /var/log/audit with the noexec option. |
OL09-00-002066 |
OL 9 must mount /var/log/audit with the nosuid option. |
OL09-00-002067 |
OL 9 must mount /var/tmp with the nodev option. |
OL09-00-002068 |
OL 9 must mount /var/tmp with the noexec option. |
OL09-00-002069 |
OL 9 must mount /var/tmp with the nosuid option. |
OL09-00-002070 |
OL 9 must prevent device files from being interpreted on file systems that contain user home directories. |
OL09-00-002071 |
OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. |
OL09-00-002072 |
OL 9 must prevent code from being executed on file systems that contain user home directories. |
OL09-00-002080 |
OL 9 must prevent special devices on nonroot local partitions. |
OL09-00-002100 |
OL 9 must disable the graphical user interface automount function unless required. |
OL09-00-002101 |
OL 9 must disable the graphical user interface autorun function unless required. |
OL09-00-002102 |
OL 9 must disable the user list at logon for graphical user interfaces. |
OL09-00-002103 |
OL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated. |
OL09-00-002104 |
OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. |
OL09-00-002106 |
OL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
OL09-00-002107 |
OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. |
OL09-00-002120 |
OL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. |
OL09-00-002121 |
OL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. |
OL09-00-002122 |
OL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. |
OL09-00-002123 |
OL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. |
OL09-00-002124 |
OL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. |
OL09-00-002125 |
OL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. |
OL09-00-002126 |
OL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. |
OL09-00-002127 |
OL 9 must disable the ability of a user to restart the system from the login screen. |
OL09-00-002128 |
OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. |
OL09-00-002129 |
OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. |
OL09-00-002150 |
OL 9 must be configured to enable the display of the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. |
OL09-00-002151 |
OL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. |
OL09-00-002160 |
OL 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed. |
OL09-00-002161 |
OL 9 must not allow unattended or automatic logon via the graphical user interface. |
OL09-00-002162 |
OL 9 effective dconf policy must match the policy keyfiles. |
OL09-00-002301 |
OL 9 must define default permissions for the bash shell. |
OL09-00-002302 |
OL 9 must define default permissions for the c shell. |
OL09-00-002303 |
OL 9 must define default permissions for the system default profile. |
OL09-00-002304 |
OL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
OL09-00-002320 |
OL 9 must disable the chrony daemon from acting as a server. |
OL09-00-002321 |
OL 9 must disable network management of the chrony daemon. |
OL09-00-002323 |
OL 9 must securely compare internal information system clocks at least every 24 hours. |
OL09-00-002330 |
OL 9 must enable Linux audit logging for the USBGuard daemon. |
OL09-00-002331 |
OL 9 must block unauthorized peripherals before establishing a connection. |
OL09-00-002332 |
OL 9 must disable automatic mounting of Universal Serial Bus (USB) mass storage driver. |
OL09-00-002340 |
OL 9 must log SSH connection attempts and failures to the server. |
OL09-00-002341 |
OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. |
OL09-00-002342 |
OL 9 must force a frequent session key renegotiation for SSH connections to the server. |
OL09-00-002343 |
OL 9 SSHD must not allow blank passwords. |
OL09-00-002344 |
OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. |
OL09-00-002345 |
OL 9 must not permit direct logons to the root account using remote access via SSH. |
OL09-00-002346 |
OL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. |
OL09-00-002347 |
OL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. |
OL09-00-002348 |
OL 9 SSH daemon must not allow rhosts authentication. |
OL09-00-002349 |
OL 9 SSH daemon must not allow known hosts authentication. |
OL09-00-002350 |
OL 9 SSH daemon must disable remote X connections for interactive users. |
OL09-00-002351 |
OL 9 SSH daemon must perform strict mode checking of home directory configuration files. |
OL09-00-002352 |
OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. |
OL09-00-002354 |
OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. |
OL09-00-002355 |
OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. |
OL09-00-002356 |
OL 9 SSH daemon must not allow Kerberos authentication. |
OL09-00-002357 |
OL 9 must not allow a noncertificate trusted host SSH logon to the system. |
OL09-00-002358 |
OL 9 must not allow users to override SSH environment variables. |
OL09-00-002359 |
OL 9 SSHD must accept public key authentication. |
OL09-00-002360 |
OL 9 must require reauthentication when using the "sudo" command. |
OL09-00-002361 |
OL 9 must restrict the use of the su command. |
OL09-00-002362 |
OL 9 must require users to reauthenticate for privilege escalation. |
OL09-00-002363 |
OL 9 must require users to provide a password for privilege escalation. |
OL09-00-002364 |
OL 9 must not be configured to bypass password requirements for privilege escalation. |
OL09-00-002370 |
OL 9 must disable the use of user namespaces. |
OL09-00-002380 |
OL 9 must disable the kernel.core_pattern. |
OL09-00-002381 |
OL 9 must disable core dump backtraces. |
OL09-00-002382 |
OL 9 must disable storing core dumps. |
OL09-00-002383 |
OL 9 must disable core dumps for all users. |
OL09-00-002384 |
OL 9 must disable acquiring, saving, and processing core dumps. |
OL09-00-002385 |
OL 9 must be configured so that the kdump service is disabled. |
OL09-00-002390 |
OL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks. |
OL09-00-002391 |
OL 9 must enable mitigations against processor-based vulnerabilities. |
OL09-00-002392 |
OL 9 must disable the ability of systemd to spawn an interactive boot process. |
OL09-00-002393 |
OL 9 must disable virtual system calls. |
OL09-00-002394 |
OL 9 must clear the page allocator to prevent use-after-free attacks. |
OL09-00-002400 |
OL 9 systemd-journald service must be enabled. |
OL09-00-002401 |
OL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. |
OL09-00-002402 |
OL 9 must enable kernel parameters to enforce discretionary access control on symlinks. |
OL09-00-002403 |
OL 9 debug-shell systemd service must be disabled. |
OL09-00-002404 |
OL 9 IP tunnels must use 140-3 approved cryptographic algorithms. |
OL09-00-002405 |
OL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. |
OL09-00-002406 |
OL 9 must restrict access to the kernel message buffer. |
OL09-00-002407 |
OL 9 must prevent kernel profiling by nonprivileged users. |
OL09-00-002408 |
OL 9 must restrict access to exposed kernel pointer addresses. |
OL09-00-002409 |
OL 9 must disable access to the network bpf system call from nonprivileged processes. |
OL09-00-002410 |
OL 9 must restrict usage of ptrace to descendant processes. |
OL09-00-002411 |
OL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. |
OL09-00-002412 |
OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled. |
OL09-00-002413 |
OL 9 must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled. |
OL09-00-002415 |
OL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. |
OL09-00-002416 |
OL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. |
OL09-00-002417 |
OL 9 must maintain an account lock until the locked account is released by an administrator. |
OL09-00-002418 |
OL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. |
OL09-00-002419 |
OL 9 file systems must not contain shosts.equiv files. |
OL09-00-002420 |
OL 9 file systems must not contain .shosts files. |
OL09-00-002421 |
OL 9 must implement DOD-approved encryption in the bind package. |
OL09-00-002422 |
OL 9 must implement nonexecutable data to protect its memory from unauthorized code execution. |
OL09-00-002423 |
OL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. |
OL09-00-002424 |
OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
OL09-00-002425 |
OL 9 must be configured to prevent unrestricted mail relaying. |
OL09-00-002426 |
OL 9 Trivial File Transfer Protocol (TFTP) daemon must be configured to operate in secure mode if the TFTP server is required. |
OL09-00-002427 |
OL 9 must be configured so that local initialization files do not execute world-writable programs. |
OL09-00-002428 |
OL 9 must prevent the loading of a new kernel for later execution. |
OL09-00-002429 |
OL 9 must prevent system daemons from using Kerberos for authentication. |
OL09-00-002430 |
OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. |
OL09-00-002500 |
OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
OL09-00-002501 |
OL 9 must not have unauthorized accounts. |
OL09-00-002502 |
OL 9 SSH private host key files must have mode 0640 or less permissive. |
OL09-00-002503 |
OL 9 SSH public host key files must have mode 0644 or less permissive. |
OL09-00-002504 |
OL 9 system commands must be group-owned by root or a system account. |
OL09-00-002505 |
OL 9 system commands must be owned by root. |
OL09-00-002506 |
OL 9 system commands must have mode 755 or less permissive. |
OL09-00-002507 |
OL 9 SSH server configuration file must be group-owned by root. |
OL09-00-002508 |
OL 9 SSH server configuration file must be owned by root. |
OL09-00-002509 |
OL 9 SSH server configuration file must have mode 0600 or less permissive. |
OL09-00-002510 |
OL 9 must be configured so that a sticky bit is set on all public directories. |
OL09-00-002511 |
OL 9 local files and directories must have a valid group owner. |
OL09-00-002512 |
OL 9 local files and directories must have a valid owner. |
OL09-00-002513 |
OL 9 local initialization files must have mode 0740 or less permissive. |
OL09-00-002514 |
OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. |
OL09-00-002515 |
OL 9 local interactive user home directories must have mode 0750 or less permissive. |
OL09-00-002516 |
OL 9 world-writable directories must be owned by root, sys, bin, or an application user. |
OL09-00-002520 |
OL 9 library directories must be group-owned by root or a system account. |
OL09-00-002521 |
OL 9 library directories must be owned by root. |
OL09-00-002522 |
OL 9 library directories must have mode 755 or less permissive. |
OL09-00-002523 |
OL 9 library files must be group-owned by root or a system account. |
OL09-00-002524 |
OL 9 library files must be owned by root. |
OL09-00-002525 |
OL 9 library files must have mode 755 or less permissive. |
OL09-00-002530 |
OL 9 /boot/grub2/grub.cfg file must be group-owned by root. |
OL09-00-002531 |
OL 9 /boot/grub2/grub.cfg file must be owned by root. |
OL09-00-002532 |
OL 9 /etc/group file must be group-owned by root. |
OL09-00-002533 |
OL 9 /etc/group- file must be group-owned by root. |
OL09-00-002534 |
OL 9 /etc/group file must be owned by root. |
OL09-00-002535 |
OL 9 /etc/group- file must be owned by root. |
OL09-00-002536 |
OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. |
OL09-00-002537 |
OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. |
OL09-00-002538 |
OL 9 /etc/gshadow file must be group-owned by root. |
OL09-00-002539 |
OL 9 /etc/gshadow- file must be group-owned by root. |
OL09-00-002540 |
OL 9 /etc/gshadow file must be owned by root. |
OL09-00-002541 |
OL 9 /etc/gshadow- file must be owned by root. |
OL09-00-002542 |
OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. |
OL09-00-002543 |
OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
OL09-00-002544 |
OL 9 /etc/passwd file must be group-owned by root. |
OL09-00-002545 |
OL 9 /etc/passwd- file must be group-owned by root. |
OL09-00-002546 |
OL 9 /etc/passwd file must be owned by root. |
OL09-00-002547 |
OL 9 /etc/passwd- file must be owned by root. |
OL09-00-002548 |
OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. |
OL09-00-002549 |
OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. |
OL09-00-002550 |
OL 9 /etc/shadow file must be group-owned by root. |
OL09-00-002551 |
OL 9 /etc/shadow- file must be group-owned by root. |
OL09-00-002552 |
OL 9 /etc/shadow file must be owned by root. |
OL09-00-002553 |
OL 9 /etc/shadow- file must be owned by root. |
OL09-00-002554 |
OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
OL09-00-002555 |
OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. |
OL09-00-002560 |
OL 9 /var/log directory must be group-owned by root. |
OL09-00-002561 |
OL 9 /var/log directory must be owned by root. |
OL09-00-002562 |
OL 9 /var/log directory must have mode 0755 or less permissive. |
OL09-00-002563 |
OL 9 /var/log/messages file must be group-owned by root. |
OL09-00-002564 |
OL 9 /var/log/messages file must be owned by root. |
OL09-00-002565 |
OL 9 /var/log/messages file must have mode 0640 or less permissive. |
OL09-00-002570 |
OL 9 audit tools must be group-owned by root. |
OL09-00-002571 |
OL 9 audit tools must be owned by root. |
OL09-00-002572 |
OL 9 audit tools must have a mode of 0755 or less permissive. |
OL09-00-002580 |
OL 9 cron configuration directories must have a mode of 0700 or less permissive. |
OL09-00-002581 |
OL 9 cron configuration files directory must be group-owned by root. |
OL09-00-002582 |
OL 9 cron configuration files directory must be owned by root. |
OL09-00-002583 |
OL 9 /etc/crontab file must have mode 0600. |
OL09-00-003000 |
OL 9 must be configured so that the root account is the only account having unrestricted access to the system. |
OL09-00-003001 |
OL 9 duplicate User IDs (UIDs) must not exist for interactive users. |
OL09-00-003002 |
OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. |
OL09-00-003005 |
OL 9 interactive users must have a primary group that exists. |
OL09-00-003006 |
OL 9 groups must have unique Group ID (GID). |
OL09-00-003010 |
OL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. |
OL09-00-003011 |
OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. |
OL09-00-003012 |
OL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. |
OL09-00-003020 |
OL 9 must automatically lock an account when three unsuccessful logon attempts occur. |
OL09-00-003021 |
OL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
OL09-00-003022 |
OL 9 must log username information when unsuccessful logon attempts occur. |
OL09-00-003023 |
OL 9 must ensure account lockouts persist. |
OL09-00-003030 |
OL 9 must automatically expire temporary accounts within 72 hours. |
OL09-00-003050 |
OL 9 local interactive user home directories defined in the /etc/passwd file must exist. |
OL09-00-003051 |
OL 9 system accounts must not have an interactive login shell. |
OL09-00-003052 |
OL 9 local interactive user accounts must be assigned a home directory upon creation. |
OL09-00-003053 |
OL 9 must be configured so that executable search paths within the initialization files of all local interactive users only contain paths that resolve to the system default or the user's home directory. |
OL09-00-003060 |
OL 9 must set the umask value to 077 for all local interactive user accounts. |
OL09-00-003065 |
OL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
OL09-00-003070 |
OL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
OL09-00-005000 |
OL 9 remote access methods must be monitored. |
OL09-00-005005 |
OL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. |
OL09-00-005010 |
OL 9 must use cron logging. |
OL09-00-005015 |
OL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. |
OL09-00-005020 |
OL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. |
OL09-00-005025 |
OL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. |
OL09-00-005030 |
OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
OL09-00-006000 |
OL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. |
OL09-00-006001 |
OL 9 wireless network adapters must be disabled. |
OL09-00-006002 |
OL 9 must configure a DNS processing mode to be set by Network Manager. |
OL09-00-006003 |
OL 9 systems using Domain Name System (DNS) resolution must have at least two name servers configured. |
OL09-00-006004 |
OL 9 network interfaces must not be in promiscuous mode. |
OL09-00-006010 |
OL 9 must not have unauthorized IP tunnels configured. |
OL09-00-006020 |
OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. |
OL09-00-006021 |
OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
OL09-00-006022 |
OL 9 must log IPv4 packets with impossible addresses. |
OL09-00-006023 |
OL 9 must log IPv4 packets with impossible addresses by default. |
OL09-00-006024 |
OL 9 must use reverse path filtering on all IPv4 interfaces. |
OL09-00-006025 |
OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
OL09-00-006026 |
OL 9 must not forward IPv4 source-routed packets by default. |
OL09-00-006027 |
OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. |
OL09-00-006028 |
OL 9 must not enable IPv4 packet forwarding unless the system is a router. |
OL09-00-006030 |
OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
OL09-00-006031 |
OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. |
OL09-00-006032 |
OL 9 must not send Internet Control Message Protocol (ICMP) redirects. |
OL09-00-006033 |
OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. |
OL09-00-006040 |
OL 9 must not accept router advertisements on all IPv6 interfaces. |
OL09-00-006041 |
OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. |
OL09-00-006042 |
OL 9 must not forward IPv6 source-routed packets. |
OL09-00-006043 |
OL 9 must not enable IPv6 packet forwarding unless the system is a router. |
OL09-00-006044 |
OL 9 must not accept router advertisements on all IPv6 interfaces by default. |
OL09-00-006045 |
OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
OL09-00-006046 |
OL 9 must not forward IPv6 source-routed packets by default. |
OL09-00-006050 |
OL 9 must be configured to use TCP syncookies. |
OL09-00-008000 |
OL 9 audit system must protect logon UIDs from unauthorized change. |
OL09-00-008005 |
OL 9 audit system must protect auditing rules from unauthorized change. |
OL09-00-900140 |
OL 9 must only allow the use of DOD PKI-established certificate authorities for authentication in the establishment of protected sessions to OL 9. |