RHEL-08-010000 |
RHEL 8 must be a vendor-supported release. |
RHEL-08-010010 |
RHEL 8 vendor packaged system security patches and updates must be installed and up to date. |
RHEL-08-010020 |
RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
RHEL-08-010030 |
All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. |
RHEL-08-010040 |
RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. |
RHEL-08-010050 |
RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. |
RHEL-08-010060 |
RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. |
RHEL-08-010070 |
All RHEL 8 remote access methods must be monitored. |
RHEL-08-010090 |
RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
RHEL-08-010100 |
RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. |
RHEL-08-010110 |
RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. |
RHEL-08-010120 |
RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. |
RHEL-08-010130 |
The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. |
RHEL-08-010140 |
RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. |
RHEL-08-010150 |
RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. |
RHEL-08-010151 |
RHEL 8 operating systems must require authentication upon booting into rescue mode. |
RHEL-08-010160 |
The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. |
RHEL-08-010161 |
RHEL 8 must prevent system daemons from using Kerberos for authentication. |
RHEL-08-010162 |
The krb5-workstation package must not be installed on RHEL 8. |
RHEL-08-010170 |
RHEL 8 must use a Linux Security Module configured to enforce limits on system services. |
RHEL-08-010171 |
RHEL 8 must have policycoreutils package installed. |
RHEL-08-010190 |
A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. |
RHEL-08-010200 |
RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. |
RHEL-08-010210 |
The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. |
RHEL-08-010220 |
The RHEL 8 /var/log/messages file must be owned by root. |
RHEL-08-010230 |
The RHEL 8 /var/log/messages file must be group-owned by root. |
RHEL-08-010240 |
The RHEL 8 /var/log directory must have mode 0755 or less permissive. |
RHEL-08-010250 |
The RHEL 8 /var/log directory must be owned by root. |
RHEL-08-010260 |
The RHEL 8 /var/log directory must be group-owned by root. |
RHEL-08-010290 |
The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. |
RHEL-08-010291 |
The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. |
RHEL-08-010292 |
RHEL 8 must ensure the SSH server uses strong entropy. |
RHEL-08-010293 |
The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. |
RHEL-08-010294 |
The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. |
RHEL-08-010295 |
The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. |
RHEL-08-010300 |
RHEL 8 system commands must have mode 755 or less permissive. |
RHEL-08-010310 |
RHEL 8 system commands must be owned by root. |
RHEL-08-010320 |
RHEL 8 system commands must be group-owned by root or a system account. |
RHEL-08-010330 |
RHEL 8 library files must have mode 755 or less permissive. |
RHEL-08-010340 |
RHEL 8 library files must be owned by root. |
RHEL-08-010350 |
RHEL 8 library files must be group-owned by root or a system account. |
RHEL-08-010360 |
The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency. |
RHEL-08-010370 |
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. |
RHEL-08-010371 |
RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. |
RHEL-08-010372 |
RHEL 8 must prevent the loading of a new kernel for later execution. |
RHEL-08-010373 |
RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. |
RHEL-08-010374 |
RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. |
RHEL-08-010375 |
RHEL 8 must restrict access to the kernel message buffer. |
RHEL-08-010376 |
RHEL 8 must prevent kernel profiling by unprivileged users. |
RHEL-08-010380 |
RHEL 8 must require users to provide a password for privilege escalation. |
RHEL-08-010381 |
RHEL 8 must require users to reauthenticate for privilege escalation. |
RHEL-08-010390 |
RHEL 8 must have the packages required for multifactor authentication installed. |
RHEL-08-010400 |
RHEL 8 must implement certificate status checking for multifactor authentication. |
RHEL-08-010410 |
RHEL 8 must accept Personal Identity Verification (PIV) credentials. |
RHEL-08-010420 |
RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. |
RHEL-08-010421 |
RHEL 8 must clear the page allocator to prevent use-after-free attacks. |
RHEL-08-010422 |
RHEL 8 must disable virtual syscalls. |
RHEL-08-010423 |
RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. |
RHEL-08-010430 |
RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. |
RHEL-08-010440 |
YUM must remove all software components after updated versions have been installed on RHEL 8. |
RHEL-08-010450 |
RHEL 8 must enable the SELinux targeted policy. |
RHEL-08-010460 |
There must be no shosts.equiv files on the RHEL 8 operating system. |
RHEL-08-010470 |
There must be no .shosts files on the RHEL 8 operating system. |
RHEL-08-010471 |
RHEL 8 must enable the hardware random number generator entropy gatherer service. |
RHEL-08-010480 |
The RHEL 8 SSH public host key files must have mode 0644 or less permissive. |
RHEL-08-010490 |
The RHEL 8 SSH private host key files must have mode 0640 or less permissive. |
RHEL-08-010500 |
The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. |
RHEL-08-010520 |
The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. |
RHEL-08-010521 |
The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. |
RHEL-08-010540 |
RHEL 8 must use a separate file system for /var. |
RHEL-08-010541 |
RHEL 8 must use a separate file system for /var/log. |
RHEL-08-010542 |
RHEL 8 must use a separate file system for the system audit data path. |
RHEL-08-010543 |
A separate RHEL 8 filesystem must be used for the /tmp directory. |
RHEL-08-010550 |
RHEL 8 must not permit direct logons to the root account using remote access via SSH. |
RHEL-08-010561 |
The rsyslog service must be running in RHEL 8. |
RHEL-08-010570 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. |
RHEL-08-010571 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. |
RHEL-08-010580 |
RHEL 8 must prevent special devices on non-root local partitions. |
RHEL-08-010590 |
RHEL 8 must prevent code from being executed on file systems that contain user home directories. |
RHEL-08-010600 |
RHEL 8 must prevent special devices on file systems that are used with removable media. |
RHEL-08-010610 |
RHEL 8 must prevent code from being executed on file systems that are used with removable media. |
RHEL-08-010620 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
RHEL-08-010630 |
RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). |
RHEL-08-010640 |
RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). |
RHEL-08-010650 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
RHEL-08-010660 |
Local RHEL 8 initialization files must not execute world-writable programs. |
RHEL-08-010670 |
RHEL 8 must disable kernel dumps unless needed. |
RHEL-08-010671 |
RHEL 8 must disable the kernel.core_pattern. |
RHEL-08-010672 |
RHEL 8 must disable acquiring, saving, and processing core dumps. |
RHEL-08-010673 |
RHEL 8 must disable core dumps for all users. |
RHEL-08-010674 |
RHEL 8 must disable storing core dumps. |
RHEL-08-010675 |
RHEL 8 must disable core dump backtraces. |
RHEL-08-010680 |
For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. |
RHEL-08-010690 |
Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. |
RHEL-08-010700 |
All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. |
RHEL-08-010710 |
All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. |
RHEL-08-010720 |
All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. |
RHEL-08-010730 |
All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. |
RHEL-08-010740 |
All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. |
RHEL-08-010750 |
All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. |
RHEL-08-010760 |
All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. |
RHEL-08-010770 |
All RHEL 8 local initialization files must have mode 0740 or less permissive. |
RHEL-08-010780 |
All RHEL 8 local files and directories must have a valid owner. |
RHEL-08-010790 |
All RHEL 8 local files and directories must have a valid group owner. |
RHEL-08-010800 |
A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). |
RHEL-08-010820 |
Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed. |
RHEL-08-010830 |
RHEL 8 must not allow users to override SSH environment variables. |
RHEL-08-020000 |
RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less. |
RHEL-08-020010 |
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. |
RHEL-08-020011 |
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. |
RHEL-08-020012 |
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020013 |
RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020014 |
RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020015 |
RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020016 |
RHEL 8 must ensure account lockouts persist. |
RHEL-08-020017 |
RHEL 8 must ensure account lockouts persist. |
RHEL-08-020018 |
RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. |
RHEL-08-020019 |
RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. |
RHEL-08-020020 |
RHEL 8 must log user name information when unsuccessful logon attempts occur. |
RHEL-08-020021 |
RHEL 8 must log user name information when unsuccessful logon attempts occur. |
RHEL-08-020022 |
RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020023 |
RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. |
RHEL-08-020024 |
RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. |
RHEL-08-020030 |
RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. |
RHEL-08-020050 |
RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. |
RHEL-08-020060 |
RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. |
RHEL-08-020080 |
RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. |
RHEL-08-020090 |
RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. |
RHEL-08-020100 |
RHEL 8 must ensure the password complexity module is enabled in the password-auth file. |
RHEL-08-020110 |
RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. |
RHEL-08-020120 |
RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. |
RHEL-08-020130 |
RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. |
RHEL-08-020140 |
RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. |
RHEL-08-020150 |
RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. |
RHEL-08-020160 |
RHEL 8 must require the change of at least four character classes when passwords are changed. |
RHEL-08-020170 |
RHEL 8 must require the change of at least 8 characters when passwords are changed. |
RHEL-08-020180 |
RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. |
RHEL-08-020190 |
RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. |
RHEL-08-020200 |
RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. |
RHEL-08-020210 |
RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. |
RHEL-08-020230 |
RHEL 8 passwords must have a minimum of 15 characters. |
RHEL-08-020231 |
RHEL 8 passwords for new users must have a minimum of 15 characters. |
RHEL-08-020240 |
RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. |
RHEL-08-020250 |
RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. |
RHEL-08-020260 |
RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. |
RHEL-08-020270 |
RHEL 8 must automatically expire temporary accounts within 72 hours. |
RHEL-08-020280 |
All RHEL 8 passwords must contain at least one special character. |
RHEL-08-020290 |
RHEL 8 must prohibit the use of cached authentications after one day. |
RHEL-08-020300 |
RHEL 8 must prevent the use of dictionary words for passwords. |
RHEL-08-020310 |
RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
RHEL-08-020320 |
RHEL 8 must not have unnecessary accounts. |
RHEL-08-020330 |
RHEL 8 must not allow accounts configured with blank or null passwords. |
RHEL-08-020340 |
RHEL 8 must display the date and time of the last successful account logon upon logon. |
RHEL-08-020350 |
RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. |
RHEL-08-020351 |
RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. |
RHEL-08-020352 |
RHEL 8 must set the umask value to 077 for all local interactive user accounts. |
RHEL-08-020353 |
RHEL 8 must define default permissions for logon and non-logon shells. |
RHEL-08-030000 |
The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. |
RHEL-08-030010 |
Cron logging must be implemented in RHEL 8. |
RHEL-08-030020 |
The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. |
RHEL-08-030030 |
The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. |
RHEL-08-030040 |
The RHEL 8 System must take appropriate action when an audit processing failure occurs. |
RHEL-08-030060 |
The RHEL 8 audit system must take appropriate action when the audit storage volume is full. |
RHEL-08-030061 |
The RHEL 8 audit system must audit local events. |
RHEL-08-030062 |
RHEL 8 must label all off-loaded audit logs before sending them to the central log server. |
RHEL-08-030063 |
RHEL 8 must resolve audit information before writing to disk. |
RHEL-08-030070 |
RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. |
RHEL-08-030080 |
RHEL 8 audit logs must be owned by root to prevent unauthorized read access. |
RHEL-08-030090 |
RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. |
RHEL-08-030100 |
RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. |
RHEL-08-030110 |
RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. |
RHEL-08-030120 |
RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. |
RHEL-08-030121 |
RHEL 8 audit system must protect auditing rules from unauthorized change. |
RHEL-08-030122 |
RHEL 8 audit system must protect logon UIDs from unauthorized change. |
RHEL-08-030130 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
RHEL-08-030140 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. |
RHEL-08-030150 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
RHEL-08-030160 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
RHEL-08-030170 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
RHEL-08-030171 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
RHEL-08-030172 |
RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. |
RHEL-08-030180 |
The RHEL 8 audit package must be installed. |
RHEL-08-030190 |
Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. |
RHEL-08-030200 |
The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. |
RHEL-08-030250 |
Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. |
RHEL-08-030260 |
Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. |
RHEL-08-030280 |
Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. |
RHEL-08-030290 |
Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. |
RHEL-08-030300 |
Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. |
RHEL-08-030301 |
Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. |
RHEL-08-030302 |
Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. |
RHEL-08-030310 |
Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. |
RHEL-08-030311 |
Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. |
RHEL-08-030312 |
Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. |
RHEL-08-030313 |
Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. |
RHEL-08-030314 |
Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. |
RHEL-08-030315 |
Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. |
RHEL-08-030316 |
Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. |
RHEL-08-030317 |
Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. |
RHEL-08-030320 |
Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. |
RHEL-08-030330 |
Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. |
RHEL-08-030340 |
Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. |
RHEL-08-030350 |
Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. |
RHEL-08-030360 |
Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record. |
RHEL-08-030361 |
Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record. |
RHEL-08-030370 |
Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. |
RHEL-08-030390 |
Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. |
RHEL-08-030400 |
Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. |
RHEL-08-030410 |
Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. |
RHEL-08-030420 |
Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record. |
RHEL-08-030480 |
Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record. |
RHEL-08-030490 |
Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record. |
RHEL-08-030550 |
Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. |
RHEL-08-030560 |
Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. |
RHEL-08-030570 |
Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. |
RHEL-08-030580 |
Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. |
RHEL-08-030590 |
Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. |
RHEL-08-030600 |
Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. |
RHEL-08-030601 |
RHEL 8 must enable auditing of processes that start prior to the audit daemon. |
RHEL-08-030602 |
RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. |
RHEL-08-030603 |
RHEL 8 must enable Linux audit logging for the USBGuard daemon. |
RHEL-08-030610 |
RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
RHEL-08-030620 |
RHEL 8 audit tools must have a mode of 0755 or less permissive. |
RHEL-08-030630 |
RHEL 8 audit tools must be owned by root. |
RHEL-08-030640 |
RHEL 8 audit tools must be group-owned by root. |
RHEL-08-030650 |
RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. |
RHEL-08-030660 |
RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. |
RHEL-08-030670 |
RHEL 8 must have the packages required for offloading audit logs installed. |
RHEL-08-030680 |
RHEL 8 must have the packages required for encrypting offloaded audit logs installed. |
RHEL-08-030690 |
The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. |
RHEL-08-030700 |
RHEL 8 must take appropriate action when the internal event queue is full. |
RHEL-08-030710 |
RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. |
RHEL-08-030720 |
RHEL 8 must authenticate the remote logging server for off-loading audit logs. |
RHEL-08-030730 |
RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. |
RHEL-08-030740 |
RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). |
RHEL-08-030741 |
RHEL 8 must disable the chrony daemon from acting as a server. |
RHEL-08-030742 |
RHEL 8 must disable network management of the chrony daemon. |
RHEL-08-040000 |
RHEL 8 must not have the telnet-server package installed. |
RHEL-08-040001 |
RHEL 8 must not have any automated bug reporting tools installed. |
RHEL-08-040002 |
RHEL 8 must not have the sendmail package installed. |
RHEL-08-040004 |
RHEL 8 must enable mitigations against processor-based vulnerabilities. |
RHEL-08-040010 |
RHEL 8 must not have the rsh-server package installed. |
RHEL-08-040020 |
RHEL 8 must cover or disable the built-in or attached camera when not in use. |
RHEL-08-040021 |
RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. |
RHEL-08-040022 |
RHEL 8 must disable the controller area network (CAN) protocol. |
RHEL-08-040023 |
RHEL 8 must disable the stream control transmission protocol (SCTP). |
RHEL-08-040024 |
RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. |
RHEL-08-040025 |
RHEL 8 must disable mounting of cramfs. |
RHEL-08-040026 |
RHEL 8 must disable IEEE 1394 (FireWire) Support. |
RHEL-08-040030 |
RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. |
RHEL-08-040070 |
The RHEL 8 file system automounter must be disabled unless required. |
RHEL-08-040080 |
RHEL 8 must be configured to disable USB mass storage. |
RHEL-08-040090 |
A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
RHEL-08-040100 |
A firewall must be installed on RHEL 8. |
RHEL-08-040110 |
RHEL 8 wireless network adapters must be disabled. |
RHEL-08-040111 |
RHEL 8 Bluetooth must be disabled. |
RHEL-08-040120 |
RHEL 8 must mount /dev/shm with the nodev option. |
RHEL-08-040121 |
RHEL 8 must mount /dev/shm with the nosuid option. |
RHEL-08-040122 |
RHEL 8 must mount /dev/shm with the noexec option. |
RHEL-08-040123 |
RHEL 8 must mount /tmp with the nodev option. |
RHEL-08-040124 |
RHEL 8 must mount /tmp with the nosuid option. |
RHEL-08-040125 |
RHEL 8 must mount /tmp with the noexec option. |
RHEL-08-040126 |
RHEL 8 must mount /var/log with the nodev option. |
RHEL-08-040127 |
RHEL 8 must mount /var/log with the nosuid option. |
RHEL-08-040128 |
RHEL 8 must mount /var/log with the noexec option. |
RHEL-08-040129 |
RHEL 8 must mount /var/log/audit with the nodev option. |
RHEL-08-040130 |
RHEL 8 must mount /var/log/audit with the nosuid option. |
RHEL-08-040131 |
RHEL 8 must mount /var/log/audit with the noexec option. |
RHEL-08-040132 |
RHEL 8 must mount /var/tmp with the nodev option. |
RHEL-08-040133 |
RHEL 8 must mount /var/tmp with the nosuid option. |
RHEL-08-040134 |
RHEL 8 must mount /var/tmp with the noexec option. |
RHEL-08-040135 |
The RHEL 8 fapolicy module must be installed. |
RHEL-08-040140 |
RHEL 8 must block unauthorized peripherals before establishing a connection. |
RHEL-08-040150 |
A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. |
RHEL-08-040160 |
All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. |
RHEL-08-040161 |
RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. |
RHEL-08-040170 |
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. |
RHEL-08-040171 |
The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. |
RHEL-08-040172 |
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. |
RHEL-08-040180 |
The debug-shell systemd service must be disabled on RHEL 8. |
RHEL-08-040190 |
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. |
RHEL-08-040200 |
The root account must be the only account having unrestricted access to the RHEL 8 system. |
RHEL-08-040210 |
RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
RHEL-08-040220 |
RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. |
RHEL-08-040230 |
RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
RHEL-08-040240 |
RHEL 8 must not forward IPv6 source-routed packets. |
RHEL-08-040250 |
RHEL 8 must not forward IPv6 source-routed packets by default. |
RHEL-08-040260 |
RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. |
RHEL-08-040261 |
RHEL 8 must not accept router advertisements on all IPv6 interfaces. |
RHEL-08-040262 |
RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. |
RHEL-08-040270 |
RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. |
RHEL-08-040280 |
RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. |
RHEL-08-040281 |
RHEL 8 must disable access to the network bpf syscall from unprivileged processes. |
RHEL-08-040282 |
RHEL 8 must restrict usage of ptrace to descendant processes. |
RHEL-08-040283 |
RHEL 8 must restrict access to exposed kernel pointer addresses. |
RHEL-08-040284 |
RHEL 8 must disable the use of user namespaces. |
RHEL-08-040285 |
RHEL 8 must use reverse path filtering on all IPv4 interfaces. |
RHEL-08-040290 |
RHEL 8 must be configured to prevent unrestricted mail relaying. |
RHEL-08-040300 |
The RHEL 8 file integrity tool must be configured to verify extended attributes. |
RHEL-08-040310 |
The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). |
RHEL-08-040320 |
The graphical display manager must not be installed on RHEL 8 unless approved. |
RHEL-08-040330 |
RHEL 8 network interfaces must not be in promiscuous mode. |
RHEL-08-040340 |
RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. |
RHEL-08-040341 |
The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. |
RHEL-08-040350 |
If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. |
RHEL-08-040360 |
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. |
RHEL-08-040370 |
The gssproxy package must not be installed unless mission essential on RHEL 8. |
RHEL-08-040380 |
The iprutils package must not be installed unless mission essential on RHEL 8. |
RHEL-08-040390 |
The tuned package must not be installed unless mission essential on RHEL 8. |
RHEL-08-010163 |
The krb5-server package must not be installed on RHEL 8. |
RHEL-08-010382 |
RHEL 8 must restrict privilege elevation to authorized personnel. |
RHEL-08-010383 |
RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". |
RHEL-08-010384 |
RHEL 8 must require re-authentication when using the "sudo" command. |
RHEL-08-010049 |
RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. |
RHEL-08-010141 |
RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require a unique superuser name upon booting into single-user mode and maintenance. |
RHEL-08-010149 |
RHEL 8 operating systems booted with a BIOS must require a unique superuser name upon booting into single-user and maintenance modes. |
RHEL-08-010152 |
RHEL 8 operating systems must require authentication upon booting into emergency mode. |
RHEL-08-010159 |
The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. |
RHEL-08-010201 |
RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. |
RHEL-08-010287 |
The RHEL 8 SSH daemon must be configured to use system-wide crypto policies. |
RHEL-08-010472 |
RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. |
RHEL-08-010522 |
The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. |
RHEL-08-010544 |
RHEL 8 must use a separate file system for /var/tmp. |
RHEL-08-010572 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. |
RHEL-08-010731 |
All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. |
RHEL-08-010741 |
RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. |
RHEL-08-020025 |
RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. |
RHEL-08-020026 |
RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. |
RHEL-08-020031 |
RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. |
RHEL-08-020032 |
RHEL 8 must disable the user list at logon for graphical user interfaces. |
RHEL-08-020081 |
RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. |
RHEL-08-020082 |
RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. |
RHEL-08-020332 |
RHEL 8 must not allow blank or null passwords in the password-auth file. |
RHEL-08-030181 |
RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. |
RHEL-08-030731 |
RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. |
RHEL-08-040101 |
A firewall must be active on RHEL 8. |
RHEL-08-040136 |
The RHEL 8 fapolicy module must be enabled. |
RHEL-08-040137 |
The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
RHEL-08-040139 |
RHEL 8 must have the USBGuard package installed. |
RHEL-08-040141 |
RHEL 8 must enable the USBGuard service. |
RHEL-08-040159 |
All RHEL 8 networked systems must have SSH installed. |
RHEL-08-040209 |
RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
RHEL-08-040239 |
RHEL 8 must not forward IPv4 source-routed packets. |
RHEL-08-040249 |
RHEL 8 must not forward IPv4 source-routed packets by default. |
RHEL-08-040279 |
RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. |
RHEL-08-040286 |
RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. |
RHEL-08-020027 |
RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. |
RHEL-08-020028 |
RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. |
RHEL-08-040259 |
RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. |
RHEL-08-010121 |
The RHEL 8 operating system must not have accounts configured with blank or null passwords. |
RHEL-08-010331 |
RHEL 8 library directories must have mode 755 or less permissive. |
RHEL-08-010341 |
RHEL 8 library directories must be owned by root. |
RHEL-08-010351 |
RHEL 8 library directories must be group-owned by root or a system account. |
RHEL-08-010359 |
The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. |
RHEL-08-010379 |
RHEL 8 must specify the default "include" directory for the /etc/sudoers file. |
RHEL-08-010385 |
The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. |
RHEL-08-020101 |
RHEL 8 must ensure the password complexity module is enabled in the system-auth file. |
RHEL-08-020102 |
RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. |
RHEL-08-020103 |
RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. |
RHEL-08-020104 |
RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less. |
RHEL-08-040321 |
The graphical display manager must not be the default target on RHEL 8 unless approved. |
RHEL-08-040400 |
RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. |
RHEL-08-040342 |
RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. |
RHEL-08-010019 |
RHEL 8 must ensure cryptographic verification of vendor software packages. |
RHEL-08-010358 |
RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. |
RHEL-08-020035 |
RHEL 8.7 and higher must terminate idle user sessions. |
RHEL-08-020331 |
RHEL 8 must not allow blank or null passwords in the system-auth file. |
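Two families of rules in the list above reduce to a single observable setting: the mount-option rules RHEL-08-040126 through RHEL-08-040134 (nodev, nosuid, noexec on /var/log, /var/log/audit and /var/tmp) and the kernel-parameter rules RHEL-08-040209 through RHEL-08-040286 (ICMP redirects, source routing, forwarding, router advertisements, reverse path filtering, bpf, ptrace, kptr_restrict, user namespaces, BPF JIT hardening). The script below is an added example, not part of the STIG or of this checklist: it audits both families against either built-in sample data or the running host. The page gives only rule titles, so the sysctl key and value paired with each ID are taken from the STIG check text and should be confirmed against the STIG release you are auditing; the /proc/mounts and sysctl dumps it ships with are constructed, not captured from a real host.

```shell
#!/bin/bash
# Added audit helper for the mount-option and sysctl rules in the list above. Not part of
# the STIG; the rule-to-setting pairs follow the STIG check text and should be confirmed.

# Rule ID, mount point, required option (RHEL-08-040126 .. RHEL-08-040134).
MOUNT_RULES='RHEL-08-040126 /var/log nodev
RHEL-08-040127 /var/log nosuid
RHEL-08-040128 /var/log noexec
RHEL-08-040129 /var/log/audit nodev
RHEL-08-040130 /var/log/audit nosuid
RHEL-08-040131 /var/log/audit noexec
RHEL-08-040132 /var/tmp nodev
RHEL-08-040133 /var/tmp nosuid
RHEL-08-040134 /var/tmp noexec'
# Rule ID, sysctl key, required runtime value (RHEL-08-040209 .. RHEL-08-040286).
SYSCTL_RULES='RHEL-08-040209 net.ipv4.conf.all.accept_redirects 0
RHEL-08-040210 net.ipv6.conf.all.accept_redirects 0
RHEL-08-040220 net.ipv4.conf.all.send_redirects 0
RHEL-08-040230 net.ipv4.icmp_echo_ignore_broadcasts 1
RHEL-08-040239 net.ipv4.conf.all.accept_source_route 0
RHEL-08-040240 net.ipv6.conf.all.accept_source_route 0
RHEL-08-040249 net.ipv4.conf.default.accept_source_route 0
RHEL-08-040250 net.ipv6.conf.default.accept_source_route 0
RHEL-08-040259 net.ipv4.ip_forward 0
RHEL-08-040260 net.ipv6.conf.all.forwarding 0
RHEL-08-040261 net.ipv6.conf.all.accept_ra 0
RHEL-08-040262 net.ipv6.conf.default.accept_ra 0
RHEL-08-040270 net.ipv4.conf.default.send_redirects 0
RHEL-08-040279 net.ipv4.conf.default.accept_redirects 0
RHEL-08-040280 net.ipv6.conf.default.accept_redirects 0
RHEL-08-040281 kernel.unprivileged_bpf_disabled 1
RHEL-08-040282 kernel.yama.ptrace_scope 1
RHEL-08-040283 kernel.kptr_restrict 1
RHEL-08-040284 user.max_user_namespaces 0
RHEL-08-040285 net.ipv4.conf.all.rp_filter 1
RHEL-08-040286 net.core.bpf_jit_harden 2'

# mount_has_opts MOUNTPOINT OPT...: reads /proc/mounts-format text on stdin and succeeds
# only if the path is mounted with every OPT. If a path is overmounted, the last entry wins.
mount_has_opts() {
    local mp="$1" rc=1 _dev mnt _fs opts _rest want; shift
    while read -r _dev mnt _fs opts _rest; do
        [ "$mnt" = "$mp" ] || continue
        rc=0
        for want in "$@"; do
            case ",$opts," in *",$want,"*) ;; *) rc=1; break ;; esac
        done
    done
    return "$rc"
}

# sysctl_is KEY VALUE: reads "key = value" lines (sysctl -a output) on stdin. An absent
# key is a failure: a module that never loaded (e.g. yama) cannot be compliant.
sysctl_is() {
    local k _eq v
    while read -r k _eq v; do
        if [ "$k" = "$1" ]; then
            [ "$v" = "$2" ] && return 0
            return 1
        fi
    done
    return 1
}

# audit RULES TEXT CHECK: prints one PASS/FAIL line per rule and returns the failure count.
audit() {
    local rules="$1" text="$2" check="$3" fails=0 rule target want
    while read -r rule target want; do
        if printf '%s\n' "$text" | "$check" "$target" "$want"; then
            printf 'PASS %s %s %s\n' "$rule" "$target" "$want"
        else
            printf 'FAIL %s %s %s\n' "$rule" "$target" "$want"; fails=$((fails + 1))
        fi
    done <<EOF
$rules
EOF
    return "$fails"
}

# Emits a sysctl -a style dump that satisfies every rule in SYSCTL_RULES.
compliant_sysctl_dump() {
    printf '%s\n' "$SYSCTL_RULES" | while read -r _rule key want; do printf '%s = %s\n' "$key" "$want"; done
}

# Constructed sample data, not from a real host: /var/tmp lacks noexec and
# net.ipv4.conf.all.send_redirects is left at the kernel default of 1.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nodev,nosuid,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-var_log_audit /var/log/audit xfs rw,nodev,nosuid,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-var_tmp /var/tmp xfs rw,nodev,nosuid,relatime,seclabel 0 0'
SAMPLE_SYSCTL="$(compliant_sysctl_dump | sed 's/^\(net.ipv4.conf.all.send_redirects = \)0$/\11/')"

# Audit the constructed sample by default, or the running host with --live (run as root).
total=0
if [ "${1:-}" = "--live" ]; then
    audit "$MOUNT_RULES" "$(cat /proc/mounts)" mount_has_opts || total=$((total + $?))
    audit "$SYSCTL_RULES" "$(sysctl -a 2>/dev/null)" sysctl_is || total=$((total + $?))
else
    audit "$MOUNT_RULES" "$SAMPLE_MOUNTS" mount_has_opts || total=$((total + $?))
    audit "$SYSCTL_RULES" "$SAMPLE_SYSCTL" sysctl_is || total=$((total + $?))
fi
echo "$total rule(s) failed"
```

Without arguments the script audits its built-in sample, which deliberately fails RHEL-08-040134 (/var/tmp mounted without noexec) and RHEL-08-040220 (send_redirects still 1); with --live it reads /proc/mounts and sysctl -a on the host. Two caveats: it checks runtime values only, so a parameter set with sysctl -w but not persisted under /etc/sysctl.d will pass here and revert at reboot, and user.max_user_namespaces = 0 also disables rootless containers, so confirm RHEL-08-040284 applies before enforcing it on a container host.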