Red Hat Enterprise Linux 9 STIG V1R3

View as one page
STIG ID CCI Title
RHEL-09-211010 CCI-000366 RHEL 9 must be a vendor-supported release.
RHEL-09-211015 CCI-000366 RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
RHEL-09-211020 CCI-000048 RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
RHEL-09-211025 CCI-001233 RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.
RHEL-09-211030 CCI-000366 The graphical display manager must not be the default target on RHEL 9 unless approved.
RHEL-09-211035 CCI-000366 RHEL 9 must enable the hardware random number generator entropy gatherer service.
RHEL-09-211040 CCI-001665 RHEL 9 systemd-journald service must be enabled.
RHEL-09-211045 CCI-000366 The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
RHEL-09-211050 CCI-000366 The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
RHEL-09-211055 CCI-000366 RHEL 9 debug-shell systemd service must be disabled.
RHEL-09-212010 CCI-000213 RHEL 9 must require a boot loader superuser password.
RHEL-09-212015 CCI-000366 RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
RHEL-09-212020 CCI-000213 RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
RHEL-09-212025 CCI-000366 RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
RHEL-09-212030 CCI-000366 RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
RHEL-09-212035 CCI-000366 RHEL 9 must disable virtual system calls.
RHEL-09-212040 CCI-000366 RHEL 9 must clear the page allocator to prevent use-after-free attacks.
RHEL-09-212045 CCI-001084 RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
RHEL-09-212050 CCI-000381 RHEL 9 must enable mitigations against processor-based vulnerabilities.
RHEL-09-212055 CCI-000130 RHEL 9 must enable auditing of processes that start prior to the audit daemon.
RHEL-09-213010 CCI-001082 RHEL 9 must restrict access to the kernel message buffer.
RHEL-09-213015 CCI-001082 RHEL 9 must prevent kernel profiling by nonprivileged users.
RHEL-09-213020 CCI-000366 RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL-09-213025 CCI-000366 RHEL 9 must restrict exposed kernel pointer addresses access.
RHEL-09-213030 CCI-002165 RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
RHEL-09-213035 CCI-002165 RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
RHEL-09-213040 CCI-000366 RHEL 9 must disable the kernel.core_pattern.
RHEL-09-213045 CCI-000381 RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
RHEL-09-213050 CCI-000381 RHEL 9 must be configured to disable the Controller Area Network kernel module.
RHEL-09-213055 CCI-000381 RHEL 9 must be configured to disable the FireWire kernel module.
RHEL-09-213060 CCI-000381 RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
RHEL-09-213065 CCI-000381 RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
RHEL-09-213070 CCI-000366 RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
RHEL-09-213075 CCI-000366 RHEL 9 must disable access to network bpf system call from nonprivileged processes.
RHEL-09-213080 CCI-000366 RHEL 9 must restrict usage of ptrace to descendant processes.
RHEL-09-213085 CCI-000366 RHEL 9 must disable core dump backtraces.
RHEL-09-213090 CCI-000366 RHEL 9 must disable storing core dumps.
RHEL-09-213095 CCI-000366 RHEL 9 must disable core dumps for all users.
RHEL-09-213100 CCI-000366 RHEL 9 must disable acquiring, saving, and processing core dumps.
RHEL-09-213105 CCI-000366 RHEL 9 must disable the use of user namespaces.
RHEL-09-213110 CCI-002824 RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
RHEL-09-213115 CCI-000366 The kdump service on RHEL 9 must be disabled.
RHEL-09-214010 CCI-001749 RHEL 9 must ensure cryptographic verification of vendor software packages.
RHEL-09-214015 CCI-001749 RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
RHEL-09-214020 CCI-001749 RHEL 9 must check the GPG signature of locally installed software packages before installation.
RHEL-09-214025 CCI-001749 RHEL 9 must have GPG signature verification enabled for all software repositories.
RHEL-09-214030 CCI-000366 RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
RHEL-09-214035 CCI-002617 RHEL 9 must remove all software components after updated versions have been installed.
RHEL-09-215010 CCI-001749 RHEL 9 subscription-manager package must be installed.
RHEL-09-215015 CCI-000197 RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
RHEL-09-215020 CCI-000366 RHEL 9 must not have the sendmail package installed.
RHEL-09-215025 CCI-000381 RHEL 9 must not have the nfs-utils package installed.
RHEL-09-215030 CCI-000381 RHEL 9 must not have the ypserv package installed.
RHEL-09-215035 CCI-000381 RHEL 9 must not have the rsh-server package installed.
RHEL-09-215040 CCI-000381 RHEL 9 must not have the telnet-server package installed.
RHEL-09-215045 CCI-000366 RHEL 9 must not have the gssproxy package installed.
RHEL-09-215050 CCI-000366 RHEL 9 must not have the iprutils package installed.
RHEL-09-215055 CCI-000366 RHEL 9 must not have the tuned package installed.
RHEL-09-215060 CCI-000366 RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
RHEL-09-215065 CCI-000366 RHEL 9 must not have the quagga package installed.
RHEL-09-215070 CCI-000366 A graphical display manager must not be installed on RHEL 9 unless approved.
RHEL-09-215075 CCI-000765 RHEL 9 must have the openssl-pkcs11 package installed.
RHEL-09-215080 CCI-000366 RHEL 9 must have the gnutls-utils package installed.
RHEL-09-215085 CCI-000366 RHEL 9 must have the nss-tools package installed.
RHEL-09-215090 CCI-000366 RHEL 9 must have the rng-tools package installed.
RHEL-09-215095 CCI-001744 RHEL 9 must have the s-nail package installed.
RHEL-09-231010 CCI-000366 A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
RHEL-09-231015 CCI-000366 RHEL 9 must use a separate file system for /tmp.
RHEL-09-231020 CCI-000366 RHEL 9 must use a separate file system for /var.
RHEL-09-231025 CCI-000366 RHEL 9 must use a separate file system for /var/log.
RHEL-09-231030 CCI-000366 RHEL 9 must use a separate file system for the system audit data path.
RHEL-09-231035 CCI-000366 RHEL 9 must use a separate file system for /var/tmp.
RHEL-09-231040 CCI-000366 RHEL 9 file system automount function must be disabled unless required.
RHEL-09-231045 CCI-001764 RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
RHEL-09-231050 CCI-000366 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
RHEL-09-231055 CCI-000366 RHEL 9 must prevent code from being executed on file systems that contain user home directories.
RHEL-09-231060 CCI-000366 RHEL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
RHEL-09-231065 CCI-000366 RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-09-231070 CCI-000366 RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231075 CCI-000366 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231080 CCI-000366 RHEL 9 must prevent code from being executed on file systems that are used with removable media.
RHEL-09-231085 CCI-000366 RHEL 9 must prevent special devices on file systems that are used with removable media.
RHEL-09-231090 CCI-000366 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-09-231095 CCI-001764 RHEL 9 must mount /boot with the nodev option.
RHEL-09-231100 CCI-000366 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
RHEL-09-231105 CCI-000366 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
RHEL-09-231110 CCI-001764 RHEL 9 must mount /dev/shm with the nodev option.
RHEL-09-231115 CCI-001764 RHEL 9 must mount /dev/shm with the noexec option.
RHEL-09-231120 CCI-001764 RHEL 9 must mount /dev/shm with the nosuid option.
RHEL-09-231125 CCI-001764 RHEL 9 must mount /tmp with the nodev option.
RHEL-09-231130 CCI-001764 RHEL 9 must mount /tmp with the noexec option.
RHEL-09-231135 CCI-001764 RHEL 9 must mount /tmp with the nosuid option.
RHEL-09-231140 CCI-001764 RHEL 9 must mount /var with the nodev option.
RHEL-09-231145 CCI-001764 RHEL 9 must mount /var/log with the nodev option.
RHEL-09-231150 CCI-001764 RHEL 9 must mount /var/log with the noexec option.
RHEL-09-231155 CCI-001764 RHEL 9 must mount /var/log with the nosuid option.
RHEL-09-231160 CCI-001764 RHEL 9 must mount /var/log/audit with the nodev option.
RHEL-09-231165 CCI-001764 RHEL 9 must mount /var/log/audit with the noexec option.
RHEL-09-231170 CCI-001764 RHEL 9 must mount /var/log/audit with the nosuid option.
RHEL-09-231175 CCI-001764 RHEL 9 must mount /var/tmp with the nodev option.
RHEL-09-231180 CCI-001764 RHEL 9 must mount /var/tmp with the noexec option.
RHEL-09-231185 CCI-001764 RHEL 9 must mount /var/tmp with the nosuid option.
RHEL-09-231190 CCI-001199 RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
RHEL-09-231195 CCI-000381 RHEL 9 must disable mounting of cramfs.
RHEL-09-231200 CCI-000366 RHEL 9 must prevent special devices on non-root local partitions.
RHEL-09-232010 CCI-001499 RHEL 9 system commands must have mode 755 or less permissive.
RHEL-09-232015 CCI-001499 RHEL 9 library directories must have mode 755 or less permissive.
RHEL-09-232020 CCI-001499 RHEL 9 library files must have mode 755 or less permissive.
RHEL-09-232025 CCI-001314 RHEL 9 /var/log directory must have mode 0755 or less permissive.
RHEL-09-232030 CCI-001314 RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
RHEL-09-232035 CCI-001493 RHEL 9 audit tools must have a mode of 0755 or less permissive.
RHEL-09-232040 CCI-000366 RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
RHEL-09-232045 CCI-000366 All RHEL 9 local initialization files must have mode 0740 or less permissive.
RHEL-09-232050 CCI-000366 All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
RHEL-09-232055 CCI-000366 RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232060 CCI-000366 RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232065 CCI-000366 RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232070 CCI-000366 RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232075 CCI-000366 RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232080 CCI-000366 RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232085 CCI-000366 RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232090 CCI-000366 RHEL 9 /etc/group file must be owned by root.
RHEL-09-232095 CCI-000366 RHEL 9 /etc/group file must be group-owned by root.
RHEL-09-232100 CCI-000366 RHEL 9 /etc/group- file must be owned by root.
RHEL-09-232105 CCI-000366 RHEL 9 /etc/group- file must be group-owned by root.
RHEL-09-232110 CCI-000366 RHEL 9 /etc/gshadow file must be owned by root.
RHEL-09-232115 CCI-000366 RHEL 9 /etc/gshadow file must be group-owned by root.
RHEL-09-232120 CCI-000366 RHEL 9 /etc/gshadow- file must be owned by root.
RHEL-09-232125 CCI-000366 RHEL 9 /etc/gshadow- file must be group-owned by root.
RHEL-09-232130 CCI-000366 RHEL 9 /etc/passwd file must be owned by root.
RHEL-09-232135 CCI-000366 RHEL 9 /etc/passwd file must be group-owned by root.
RHEL-09-232140 CCI-000366 RHEL 9 /etc/passwd- file must be owned by root.
RHEL-09-232145 CCI-000366 RHEL 9 /etc/passwd- file must be group-owned by root.
RHEL-09-232150 CCI-000366 RHEL 9 /etc/shadow file must be owned by root.
RHEL-09-232155 CCI-000366 RHEL 9 /etc/shadow file must be group-owned by root.
RHEL-09-232160 CCI-000366 RHEL 9 /etc/shadow- file must be owned by root.
RHEL-09-232165 CCI-000366 RHEL 9 /etc/shadow- file must be group-owned by root.
RHEL-09-232170 CCI-001314 RHEL 9 /var/log directory must be owned by root.
RHEL-09-232175 CCI-001314 RHEL 9 /var/log directory must be group-owned by root.
RHEL-09-232180 CCI-001314 RHEL 9 /var/log/messages file must be owned by root.
RHEL-09-232185 CCI-001314 RHEL 9 /var/log/messages file must be group-owned by root.
RHEL-09-232190 CCI-001499 RHEL 9 system commands must be owned by root.
RHEL-09-232195 CCI-001499 RHEL 9 system commands must be group-owned by root or a system account.
RHEL-09-232200 CCI-001499 RHEL 9 library files must be owned by root.
RHEL-09-232205 CCI-001499 RHEL 9 library files must be group-owned by root or a system account.
RHEL-09-232210 CCI-001499 RHEL 9 library directories must be owned by root.
RHEL-09-232215 CCI-001499 RHEL 9 library directories must be group-owned by root or a system account.
RHEL-09-232220 CCI-001493 RHEL 9 audit tools must be owned by root.
RHEL-09-232225 CCI-001493 RHEL 9 audit tools must be group-owned by root.
RHEL-09-232230 CCI-000366 RHEL 9 cron configuration files directory must be owned by root.
RHEL-09-232235 CCI-000366 RHEL 9 cron configuration files directory must be group-owned by root.
RHEL-09-232240 CCI-000366 All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-09-232245 CCI-001090 A sticky bit must be set on all RHEL 9 public directories.
RHEL-09-232250 CCI-000366 All RHEL 9 local files and directories must have a valid group owner.
RHEL-09-232255 CCI-000366 All RHEL 9 local files and directories must have a valid owner.
RHEL-09-232260 CCI-000366 RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-09-232265 CCI-000366 RHEL 9 /etc/crontab file must have mode 0600.
RHEL-09-232270 CCI-000366 RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
RHEL-09-251010 CCI-000366 RHEL 9 must have the firewalld package installed.
RHEL-09-251015 CCI-000366 The firewalld service on RHEL 9 must be active.
RHEL-09-251020 CCI-000366 A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
RHEL-09-251025 CCI-000382 RHEL 9 must control remote access methods.
RHEL-09-251030 CCI-002385 RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
RHEL-09-251035 CCI-000382 RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
RHEL-09-251040 CCI-000366 RHEL 9 network interfaces must not be in promiscuous mode.
RHEL-09-251045 CCI-000366 RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
RHEL-09-252010 CCI-001891 RHEL 9 must have the chrony package installed.
RHEL-09-252015 CCI-001891 RHEL 9 chronyd service must be enabled.
RHEL-09-252020 CCI-001890 RHEL 9 must securely compare internal information system clocks at least every 24 hours.
RHEL-09-252025 CCI-000381 RHEL 9 must disable the chrony daemon from acting as a server.
RHEL-09-252030 CCI-000381 RHEL 9 must disable network management of the chrony daemon.
RHEL-09-252035 CCI-000366 RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
RHEL-09-252040 CCI-000366 RHEL 9 must configure a DNS processing mode set be Network Manager.
RHEL-09-252045 CCI-000366 RHEL 9 must not have unauthorized IP tunnels configured.
RHEL-09-252050 CCI-000366 RHEL 9 must be configured to prevent unrestricted mail relaying.
RHEL-09-252055 CCI-000366 If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode.
RHEL-09-252060 CCI-000139 RHEL 9 must forward mail from postmaster to the root account using a postfix alias.
RHEL-09-252065 CCI-000366 RHEL 9 libreswan package must be installed.
RHEL-09-252070 CCI-000366 There must be no shosts.equiv files on RHEL 9.
RHEL-09-252075 CCI-000366 There must be no .shosts files on RHEL 9.
RHEL-09-253010 CCI-000366 RHEL 9 must be configured to use TCP syncookies.
RHEL-09-253015 CCI-000366 RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-253020 CCI-000366 RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-09-253025 CCI-000366 RHEL 9 must log IPv4 packets with impossible addresses.
RHEL-09-253030 CCI-000366 RHEL 9 must log IPv4 packets with impossible addresses by default.
RHEL-09-253035 CCI-000366 RHEL 9 must use reverse path filtering on all IPv4 interfaces.
RHEL-09-253040 CCI-000366 RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-253045 CCI-000366 RHEL 9 must not forward IPv4 source-routed packets by default.
RHEL-09-253050 CCI-000366 RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-09-253055 CCI-000366 RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-09-253060 CCI-000366 RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
RHEL-09-253065 CCI-000366 RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-09-253070 CCI-000366 RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-09-253075 CCI-000366 RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-09-254010 CCI-000366 RHEL 9 must not accept router advertisements on all IPv6 interfaces.
RHEL-09-254015 CCI-000366 RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-254020 CCI-000366 RHEL 9 must not forward IPv6 source-routed packets.
RHEL-09-254025 CCI-000366 RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-09-254030 CCI-000366 RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-09-254035 CCI-000366 RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-254040 CCI-000366 RHEL 9 must not forward IPv6 source-routed packets by default.
RHEL-09-255010 CCI-002418 All RHEL 9 networked systems must have SSH installed.
RHEL-09-255015 CCI-002418 All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
RHEL-09-255020 CCI-000366 RHEL 9 must have the openssh-clients package installed.
RHEL-09-255025 CCI-000048 RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.
RHEL-09-255030 CCI-000067 RHEL 9 must log SSH connection attempts and failures to the server.
RHEL-09-255035 CCI-000765 RHEL 9 SSHD must accept public key authentication.
RHEL-09-255040 CCI-000366 RHEL 9 SSHD must not allow blank passwords.
RHEL-09-255045 CCI-000366 RHEL 9 must not permit direct logons to the root account using remote access via SSH.
RHEL-09-255050 CCI-000877 RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
RHEL-09-255055 CCI-001453 RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
RHEL-09-255060 CCI-001453 RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.
RHEL-09-255065 CCI-001453 RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.
RHEL-09-255075 CCI-001453 RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
RHEL-09-255080 CCI-000366 RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.
RHEL-09-255085 CCI-000366 RHEL 9 must not allow users to override SSH environment variables.
RHEL-09-255090 CCI-000068 RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
RHEL-09-255095 CCI-001133 RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
RHEL-09-255100 CCI-000879 RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
RHEL-09-255105 CCI-000366 RHEL 9 SSH server configuration file must be group-owned by root.
RHEL-09-255110 CCI-000366 RHEL 9 SSH server configuration file must be owned by root.
RHEL-09-255115 CCI-000366 RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
RHEL-09-255120 CCI-000366 RHEL 9 SSH private host key files must have mode 0640 or less permissive.
RHEL-09-255125 CCI-000366 RHEL 9 SSH public host key files must have mode 0644 or less permissive.
RHEL-09-255130 CCI-000366 RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-09-255135 CCI-000366 RHEL 9 SSH daemon must not allow GSSAPI authentication.
RHEL-09-255140 CCI-000366 RHEL 9 SSH daemon must not allow Kerberos authentication.
RHEL-09-255145 CCI-000366 RHEL 9 SSH daemon must not allow rhosts authentication.
RHEL-09-255150 CCI-000366 RHEL 9 SSH daemon must not allow known hosts authentication.
RHEL-09-255155 CCI-000366 RHEL 9 SSH daemon must disable remote X connections for interactive users.
RHEL-09-255160 CCI-000366 RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-09-255165 CCI-000366 RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
RHEL-09-255170 CCI-000366 RHEL 9 SSH daemon must be configured to use privilege separation.
RHEL-09-255175 CCI-000366 RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-09-271010 CCI-000048 RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
RHEL-09-271015 CCI-000048 RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.
RHEL-09-271020 CCI-000366 RHEL 9 must disable the graphical user interface automount function unless required.
RHEL-09-271025 CCI-000366 RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
RHEL-09-271030 CCI-001764 RHEL 9 must disable the graphical user interface autorun function unless required.
RHEL-09-271035 CCI-000366 RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
RHEL-09-271040 CCI-000366 RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
RHEL-09-271045 CCI-000056 RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.
RHEL-09-271050 CCI-000056 RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.
RHEL-09-271055 CCI-000056 RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
RHEL-09-271060 CCI-000056 RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
RHEL-09-271065 CCI-000057 RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
RHEL-09-271070 CCI-000057 RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
RHEL-09-271075 CCI-000057 RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.
RHEL-09-271080 CCI-000057 RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
RHEL-09-271085 CCI-000060 RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
RHEL-09-271090 CCI-000366 RHEL 9 effective dconf policy must match the policy keyfiles.
RHEL-09-271095 CCI-000366 RHEL 9 must disable the ability of a user to restart the system from the login screen.
RHEL-09-271100 CCI-000366 RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
RHEL-09-271105 CCI-000366 RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
RHEL-09-271110 CCI-000366 RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
RHEL-09-271115 CCI-000366 RHEL 9 must disable the user list at logon for graphical user interfaces.
RHEL-09-291010 CCI-000366 RHEL 9 must be configured to disable USB mass storage.
RHEL-09-291015 CCI-001958 RHEL 9 must have the USBGuard package installed.
RHEL-09-291020 CCI-001958 RHEL 9 must have the USBGuard package enabled.
RHEL-09-291025 CCI-000169 RHEL 9 must enable Linux audit logging for the USBGuard daemon.
RHEL-09-291030 CCI-001958 RHEL 9 must block unauthorized peripherals before establishing a connection.
RHEL-09-291035 CCI-000381 RHEL 9 Bluetooth must be disabled.
RHEL-09-291040 CCI-001443 RHEL 9 wireless network adapters must be disabled.
RHEL-09-411010 CCI-000199 RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.
RHEL-09-411015 CCI-000199 RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction.
RHEL-09-411020 CCI-000366 All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
RHEL-09-411025 CCI-000366 RHEL 9 must set the umask value to 077 for all local interactive user accounts.
RHEL-09-411030 CCI-000135 RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
RHEL-09-411035 CCI-000366 RHEL 9 system accounts must not have an interactive login shell.
RHEL-09-411040 CCI-000016 RHEL 9 must automatically expire temporary accounts within 72 hours.
RHEL-09-411045 CCI-000764 All RHEL 9 interactive users must have a primary group that exists.
RHEL-09-411050 CCI-000795 RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
RHEL-09-411055 CCI-000366 Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
RHEL-09-411060 CCI-000366 All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-09-411065 CCI-000366 All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-09-411070 CCI-000366 All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
RHEL-09-411075 CCI-000044 RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
RHEL-09-411080 CCI-000044 RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
RHEL-09-411085 CCI-000044 RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
RHEL-09-411090 CCI-000044 RHEL 9 must maintain an account lock until the locked account is released by an administrator.
RHEL-09-411095 CCI-000366 RHEL 9 must not have unauthorized accounts.
RHEL-09-411100 CCI-000366 The root account must be the only account having unrestricted access to RHEL 9 system.
RHEL-09-411105 CCI-000044 RHEL 9 must ensure account lockouts persist.
RHEL-09-411110 CCI-000764 RHEL 9 groups must have unique Group ID (GID).
RHEL-09-411115 CCI-000366 Local RHEL 9 initialization files must not execute world-writable programs.
RHEL-09-412010 CCI-000056 RHEL 9 must have the tmux package installed.
RHEL-09-412015 CCI-000056 RHEL 9 must ensure session control is automatically started at shell initialization.
RHEL-09-412020 CCI-000056 RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
RHEL-09-412025 CCI-000057 RHEL 9 must automatically lock command line user sessions after 15 minutes of inactivity.
RHEL-09-412030 CCI-000056 RHEL 9 must prevent users from disabling session control mechanisms.
RHEL-09-412035 CCI-000057 RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
RHEL-09-412040 CCI-000054 RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
RHEL-09-412045 CCI-000044 RHEL 9 must log username information when unsuccessful logon attempts occur.
RHEL-09-412050 CCI-000366 RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
RHEL-09-412055 CCI-000366 RHEL 9 must define default permissions for the bash shell.
RHEL-09-412060 CCI-000366 RHEL 9 must define default permissions for the c shell.
RHEL-09-412065 CCI-000366 RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
RHEL-09-412070 CCI-000366 RHEL 9 must define default permissions for the system default profile.
RHEL-09-412075 CCI-000366 RHEL 9 must display the date and time of the last successful account logon upon logon.
RHEL-09-412080 CCI-001133 RHEL 9 must terminate idle user sessions.
RHEL-09-431010 CCI-001084 RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
RHEL-09-431015 CCI-002696 RHEL 9 must enable the SELinux targeted policy.
RHEL-09-431020 CCI-000044 RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
RHEL-09-431025 CCI-000366 RHEL 9 must have policycoreutils package installed.
RHEL-09-431030 CCI-000366 RHEL 9 policycoreutils-python-utils package must be installed.
RHEL-09-432010 CCI-002235 RHEL 9 must have the sudo package installed.
RHEL-09-432015 CCI-002038 RHEL 9 must require reauthentication when using the "sudo" command.
RHEL-09-432020 CCI-000366 RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-09-432025 CCI-002038 RHEL 9 must require users to reauthenticate for privilege escalation.
RHEL-09-432030 CCI-000366 RHEL 9 must restrict privilege elevation to authorized personnel.
RHEL-09-432035 CCI-002038 RHEL 9 must restrict the use of the "su" command.
RHEL-09-433010 CCI-001764 RHEL 9 fapolicy module must be installed.
RHEL-09-433015 CCI-001764 RHEL 9 fapolicy module must be enabled.
RHEL-09-611010 CCI-000192 RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
RHEL-09-611015 CCI-000200 RHEL 9 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
RHEL-09-611020 CCI-000200 RHEL 9 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
RHEL-09-611025 CCI-000366 RHEL 9 must not allow blank or null passwords.
RHEL-09-611030 CCI-000044 RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
RHEL-09-611035 CCI-000044 RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
RHEL-09-611040 CCI-000192 RHEL 9 must ensure the password complexity module is enabled in the password-auth file.
RHEL-09-611045 CCI-000366 RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
RHEL-09-611050 CCI-000196 RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
RHEL-09-611055 CCI-000196 RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
RHEL-09-611060 CCI-000192 RHEL 9 must enforce password complexity rules for the root account.
RHEL-09-611065 CCI-000193 RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used.
RHEL-09-611070 CCI-000194 RHEL 9 must enforce password complexity by requiring that at least one numeric character be used.
RHEL-09-611075 CCI-000198 RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.
RHEL-09-611080 CCI-000198 RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.
RHEL-09-611085 CCI-002038 RHEL 9 must require users to provide a password for privilege escalation.
RHEL-09-611090 CCI-000205 RHEL 9 passwords must be created with a minimum of 15 characters.
RHEL-09-611095 CCI-000205 RHEL 9 passwords for new users must have a minimum of 15 characters.
RHEL-09-611100 CCI-001619 RHEL 9 must enforce password complexity by requiring that at least one special character be used.
RHEL-09-611105 CCI-000366 RHEL 9 must prevent the use of dictionary words for passwords.
RHEL-09-611110 CCI-000192 RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used.
RHEL-09-611115 CCI-000195 RHEL 9 must require the change of at least eight characters when passwords are changed.
RHEL-09-611120 CCI-000195 RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
RHEL-09-611125 CCI-000195 RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.
RHEL-09-611130 CCI-000195 RHEL 9 must require the change of at least four character classes when passwords are changed.
RHEL-09-611135 CCI-000196 RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
RHEL-09-611140 CCI-000196 RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
RHEL-09-611145 CCI-002038 RHEL 9 must not be configured to bypass password requirements for privilege escalation.
RHEL-09-611150 CCI-000196 RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.
RHEL-09-611155 CCI-000366 RHEL 9 must not have accounts configured with blank or null passwords.
RHEL-09-611160 CCI-000764 RHEL 9 must use the CAC smart card driver.
RHEL-09-611165 CCI-000765 RHEL 9 must enable certificate based smart card authentication.
RHEL-09-611170 CCI-001948 RHEL 9 must implement certificate status checking for multifactor authentication.
RHEL-09-611175 CCI-001948 RHEL 9 must have the pcsc-lite package installed.
RHEL-09-611180 CCI-001948 The pcscd service on RHEL 9 must be active.
RHEL-09-611185 CCI-001948 RHEL 9 must have the opensc package installed.
RHEL-09-611190 CCI-000186 RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
RHEL-09-611195 CCI-000213 RHEL 9 must require authentication to access emergency mode.
RHEL-09-611200 CCI-000213 RHEL 9 must require authentication to access single-user mode.
RHEL-09-611205 CCI-000803 RHEL 9 must prevent system daemons from using Kerberos for authentication.
RHEL-09-631010 CCI-000185 RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
RHEL-09-631015 CCI-000187 RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.
RHEL-09-631020 CCI-002007 RHEL 9 must prohibit the use of cached authenticators after one day.
RHEL-09-651010 CCI-001744 RHEL 9 must have the AIDE package installed.
RHEL-09-651015 CCI-001744 RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
RHEL-09-651020 CCI-000366 RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
RHEL-09-651025 CCI-001493 RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.
RHEL-09-651030 CCI-000366 RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
RHEL-09-651035 CCI-000366 RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
RHEL-09-652010 CCI-000154 RHEL 9 must have the rsyslog package installed.
RHEL-09-652015 CCI-000366 RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
RHEL-09-652020 CCI-000366 The rsyslog service on RHEL 9 must be active.
RHEL-09-652025 CCI-000366 RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-09-652030 CCI-000067 All RHEL 9 remote access methods must be monitored.
RHEL-09-652035 CCI-001851 RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.
RHEL-09-652040 CCI-001851 RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.
RHEL-09-652045 CCI-001851 RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
RHEL-09-652050 CCI-001851 RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
RHEL-09-652055 CCI-000366 RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
RHEL-09-652060 CCI-000366 RHEL 9 must use cron logging.
RHEL-09-653010 CCI-000130 RHEL 9 audit package must be installed.
RHEL-09-653015 CCI-000130 RHEL 9 audit service must be enabled.
RHEL-09-653020 CCI-000140 RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.
RHEL-09-653025 CCI-000140 RHEL 9 audit system must take appropriate action when the audit storage volume is full.
RHEL-09-653030 CCI-001849 RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.
RHEL-09-653035 CCI-001855 RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
RHEL-09-653040 CCI-001855 RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
RHEL-09-653045 CCI-001855 RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
RHEL-09-653050 CCI-001855 RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
RHEL-09-653055 CCI-000140 RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.
RHEL-09-653060 CCI-000132 RHEL 9 must label all offloaded audit logs before sending them to the central log server.
RHEL-09-653065 CCI-001851 RHEL 9 must take appropriate action when the internal event queue is full.
RHEL-09-653070 CCI-000139 RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
RHEL-09-653075 CCI-000169 RHEL 9 audit system must audit local events.
RHEL-09-653080 CCI-000162 RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
RHEL-09-653085 CCI-000162 RHEL 9 audit log directory must be owned by root to prevent unauthorized read access.
RHEL-09-653090 CCI-000162 RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.
RHEL-09-653095 CCI-000154 RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.
RHEL-09-653100 CCI-000366 RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
RHEL-09-653105 CCI-000366 RHEL 9 must write audit records to disk.
RHEL-09-653110 CCI-000171 RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
RHEL-09-653115 CCI-000171 RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.
RHEL-09-653120 CCI-001464 RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
RHEL-09-653125 CCI-000139 RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
RHEL-09-653130 CCI-001851 RHEL 9 audispd-plugins package must be installed.
RHEL-09-654010 CCI-002233 RHEL 9 must audit uses of the "execve" system call.
RHEL-09-654015 CCI-000130 RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
RHEL-09-654020 CCI-000130 RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
RHEL-09-654025 CCI-000130 RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
RHEL-09-654030 CCI-000130 RHEL 9 must audit all uses of umount system calls.
RHEL-09-654035 CCI-000130 RHEL 9 must audit all uses of the chacl command.
RHEL-09-654040 CCI-000130 RHEL 9 must audit all uses of the setfacl command.
RHEL-09-654045 CCI-000130 RHEL 9 must audit all uses of the chcon command.
RHEL-09-654050 CCI-000130 RHEL 9 must audit all uses of the semanage command.
RHEL-09-654055 CCI-000130 RHEL 9 must audit all uses of the setfiles command.
RHEL-09-654060 CCI-000130 RHEL 9 must audit all uses of the setsebool command.
RHEL-09-654065 CCI-000130 RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
RHEL-09-654070 CCI-000130 RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
RHEL-09-654075 CCI-000130 RHEL 9 must audit all uses of the delete_module system call.
RHEL-09-654080 CCI-000130 RHEL 9 must audit all uses of the init_module and finit_module system calls.
RHEL-09-654085 CCI-000130 RHEL 9 must audit all uses of the chage command.
RHEL-09-654090 CCI-000130 RHEL 9 must audit all uses of the chsh command.
RHEL-09-654095 CCI-000130 RHEL 9 must audit all uses of the crontab command.
RHEL-09-654100 CCI-000130 RHEL 9 must audit all uses of the gpasswd command.
RHEL-09-654105 CCI-000130 RHEL 9 must audit all uses of the kmod command.
RHEL-09-654110 CCI-000130 RHEL 9 must audit all uses of the newgrp command.
RHEL-09-654115 CCI-000130 RHEL 9 must audit all uses of the pam_timestamp_check command.
RHEL-09-654120 CCI-000130 RHEL 9 must audit all uses of the passwd command.
RHEL-09-654125 CCI-000130 RHEL 9 must audit all uses of the postdrop command.
RHEL-09-654130 CCI-000130 RHEL 9 must audit all uses of the postqueue command.
RHEL-09-654135 CCI-000130 RHEL 9 must audit all uses of the ssh-agent command.
RHEL-09-654140 CCI-000130 RHEL 9 must audit all uses of the ssh-keysign command.
RHEL-09-654145 CCI-000130 RHEL 9 must audit all uses of the su command.
RHEL-09-654150 CCI-000130 RHEL 9 must audit all uses of the sudo command.
RHEL-09-654155 CCI-000130 RHEL 9 must audit all uses of the sudoedit command.
RHEL-09-654160 CCI-000130 RHEL 9 must audit all uses of the unix_chkpwd command.
RHEL-09-654165 CCI-000130 RHEL 9 must audit all uses of the unix_update command.
RHEL-09-654170 CCI-000130 RHEL 9 must audit all uses of the userhelper command.
RHEL-09-654175 CCI-000130 RHEL 9 must audit all uses of the usermod command.
RHEL-09-654180 CCI-000130 RHEL 9 must audit all uses of the mount command.
RHEL-09-654185 CCI-000172 Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record.
RHEL-09-654190 CCI-000172 Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record.
RHEL-09-654195 CCI-000172 Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.
RHEL-09-654200 CCI-000172 Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record.
RHEL-09-654205 CCI-000130 Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.
RHEL-09-654210 CCI-000130 Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.
RHEL-09-654215 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
RHEL-09-654220 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
RHEL-09-654225 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RHEL-09-654230 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RHEL-09-654235 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
RHEL-09-654240 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RHEL-09-654245 CCI-000018 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RHEL-09-654250 CCI-000172 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
RHEL-09-654255 CCI-000130 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
RHEL-09-654260 CCI-000172 RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
RHEL-09-654265 CCI-000139 RHEL 9 must take appropriate action when a critical audit processing failure occurs.
RHEL-09-654270 CCI-000162 RHEL 9 audit system must protect logon UIDs from unauthorized change.
RHEL-09-654275 CCI-000162 RHEL 9 audit system must protect auditing rules from unauthorized change.
RHEL-09-671010 CCI-000068 RHEL 9 must enable FIPS mode.
RHEL-09-671015 CCI-000196 RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
RHEL-09-671020 CCI-000068 RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.
RHEL-09-671025 CCI-000196 RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
RHEL-09-672010 CCI-002450 RHEL 9 must have the crypto-policies package installed.
RHEL-09-672015 CCI-002450 RHEL 9 crypto policy files must match files shipped with the operating system.
RHEL-09-672020 CCI-002450 RHEL 9 crypto policy must not be overridden.
RHEL-09-672025 CCI-000803 RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
RHEL-09-672030 CCI-001453 RHEL 9 must implement DOD-approved TLS encryption in the GnuTLS package.
RHEL-09-672035 CCI-001453 RHEL 9 must implement DOD-approved encryption in the OpenSSL package.
RHEL-09-672040 CCI-001453 RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package.
RHEL-09-672045 CCI-002450 RHEL 9 must implement a system-wide encryption policy.
RHEL-09-672050 CCI-002418 RHEL 9 must implement DOD-approved encryption in the bind package.