SRG-OS-000368-GPOS-00154 Controls

| STIG ID | Version | Title | Product |
| --- | --- | --- | --- |
| ALMA-09-026090 | V1R2 | AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories. | |
| ALMA-09-026200 | V1R2 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | |
| ALMA-09-026310 | V1R2 | AlmaLinux OS 9 must mount /boot with the nodev option. | |
| ALMA-09-026420 | V1R2 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | |
| ALMA-09-026530 | V1R2 | AlmaLinux OS 9 must mount /dev/shm with the nodev option. | |
| ALMA-09-026640 | V1R2 | AlmaLinux OS 9 must mount /dev/shm with the noexec option. | |
| ALMA-09-026750 | V1R2 | AlmaLinux OS 9 must mount /dev/shm with the nosuid option. | |
| ALMA-09-026860 | V1R2 | AlmaLinux OS 9 must mount /tmp with the nodev option. | |
| ALMA-09-026970 | V1R2 | AlmaLinux OS 9 must mount /tmp with the noexec option. | |
| ALMA-09-027080 | V1R2 | AlmaLinux OS 9 must mount /tmp with the nosuid option. | |
| ALMA-09-027190 | V1R2 | AlmaLinux OS 9 must mount /var/log/audit with the nodev option. | |
| ALMA-09-027300 | V1R2 | AlmaLinux OS 9 must mount /var/log/audit with the noexec option. | |
| ALMA-09-027410 | V1R2 | AlmaLinux OS 9 must mount /var/log/audit with the nosuid option. | |
| ALMA-09-027520 | V1R2 | AlmaLinux OS 9 must mount /var/log with the nodev option. | |
| ALMA-09-027630 | V1R2 | AlmaLinux OS 9 must mount /var/log with the noexec option. | |
| ALMA-09-027740 | V1R2 | AlmaLinux OS 9 must mount /var/log with the nosuid option. | |
| ALMA-09-027850 | V1R2 | AlmaLinux OS 9 must mount /var with the nodev option. | |
| ALMA-09-027960 | V1R2 | AlmaLinux OS 9 must mount /var/tmp with the nodev option. | |
| ALMA-09-028070 | V1R2 | AlmaLinux OS 9 must mount /var/tmp with the noexec option. | |
| ALMA-09-028180 | V1R2 | AlmaLinux OS 9 must mount /var/tmp with the nosuid option. | |
| OL07-00-021024 | V3R2 | The Oracle Linux operating system must mount /dev/shm with secure options. | |
| OL08-00-040120 | V2R4 | OL 8 must mount "/dev/shm" with the "nodev" option. | |
| OL08-00-040121 | V2R4 | OL 8 must mount "/dev/shm" with the "nosuid" option. | |
| OL08-00-040122 | V2R4 | OL 8 must mount "/dev/shm" with the "noexec" option. | |
| OL08-00-040123 | V2R4 | OL 8 must mount "/tmp" with the "nodev" option. | |
| OL08-00-040124 | V2R4 | OL 8 must mount "/tmp" with the "nosuid" option. | |
| OL08-00-040125 | V2R4 | OL 8 must mount "/tmp" with the "noexec" option. | |
| OL08-00-040126 | V2R4 | OL 8 must mount "/var/log" with the "nodev" option. | |
| OL08-00-040127 | V2R4 | OL 8 must mount "/var/log" with the "nosuid" option. | |
| OL08-00-040128 | V2R4 | OL 8 must mount "/var/log" with the "noexec" option. | |
| OL08-00-040129 | V2R4 | OL 8 must mount "/var/log/audit" with the "nodev" option. | |
| OL08-00-040130 | V2R4 | OL 8 must mount "/var/log/audit" with the "nosuid" option. | |
| OL08-00-040131 | V2R4 | OL 8 must mount "/var/log/audit" with the "noexec" option. | |
| OL08-00-040132 | V2R4 | OL 8 must mount "/var/tmp" with the "nodev" option. | |
| OL08-00-040133 | V2R4 | OL 8 must mount "/var/tmp" with the "nosuid" option. | |
| OL08-00-040134 | V2R4 | OL 8 must mount "/var/tmp" with the "noexec" option. | |
| OL08-00-040135 | V2R4 | The OL 8 "fapolicy" module must be installed. | |
| OL08-00-040136 | V2R4 | The OL 8 "fapolicy" module must be enabled. | |
| OL08-00-040137 | V2R4 | The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | |
| OL09-00-002030 | V1R1 | OL 9 must mount /boot with the nodev option. | |
| OL09-00-002031 | V1R1 | OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | |
| OL09-00-002032 | V1R1 | OL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | |
| OL09-00-002040 | V1R1 | OL 9 must mount /dev/shm with the nodev option. | |
| OL09-00-002041 | V1R1 | OL 9 must mount /dev/shm with the noexec option. | |
| OL09-00-002042 | V1R1 | OL 9 must mount /dev/shm with the nosuid option. | |
| OL09-00-002050 | V1R1 | OL 9 must mount /tmp with the nodev option. | |
| OL09-00-002051 | V1R1 | OL 9 must mount /tmp with the noexec option. | |
| OL09-00-002052 | V1R1 | OL 9 must mount /tmp with the nosuid option. | |
| OL09-00-002060 | V1R1 | OL 9 must mount /var with the nodev option. | |
| OL09-00-002061 | V1R1 | OL 9 must mount /var/log with the nodev option. | |
| OL09-00-002062 | V1R1 | OL 9 must mount /var/log with the noexec option. | |
| OL09-00-002063 | V1R1 | OL 9 must mount /var/log with the nosuid option. | |
| OL09-00-002064 | V1R1 | OL 9 must mount /var/log/audit with the nodev option. | |
| OL09-00-002065 | V1R1 | OL 9 must mount /var/log/audit with the noexec option. | |
| OL09-00-002066 | V1R1 | OL 9 must mount /var/log/audit with the nosuid option. | |
| OL09-00-002067 | V1R1 | OL 9 must mount /var/tmp with the nodev option. | |
| OL09-00-002068 | V1R1 | OL 9 must mount /var/tmp with the noexec option. | |
| OL09-00-002069 | V1R1 | OL 9 must mount /var/tmp with the nosuid option. | |
| OL09-00-002070 | V1R1 | OL 9 must prevent device files from being interpreted on file systems that contain user home directories. | |
| OL09-00-002071 | V1R1 | OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | |
| OL09-00-002101 | V1R1 | OL 9 must disable the graphical user interface autorun function unless required. | |
| RHEL-07-021024 | V3R9 | The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options. | |
| RHEL-08-040120 | V2R3 | RHEL 8 must mount /dev/shm with the nodev option. | |
| RHEL-08-040121 | V2R3 | RHEL 8 must mount /dev/shm with the nosuid option. | |
| RHEL-08-040122 | V2R3 | RHEL 8 must mount /dev/shm with the noexec option. | |
| RHEL-08-040123 | V2R3 | RHEL 8 must mount /tmp with the nodev option. | |
| RHEL-08-040124 | V2R3 | RHEL 8 must mount /tmp with the nosuid option. | |
| RHEL-08-040125 | V2R3 | RHEL 8 must mount /tmp with the noexec option. | |
| RHEL-08-040126 | V2R3 | RHEL 8 must mount /var/log with the nodev option. | |
| RHEL-08-040127 | V2R3 | RHEL 8 must mount /var/log with the nosuid option. | |
| RHEL-08-040128 | V2R3 | RHEL 8 must mount /var/log with the noexec option. | |
| RHEL-08-040129 | V2R3 | RHEL 8 must mount /var/log/audit with the nodev option. | |
| RHEL-08-040130 | V2R3 | RHEL 8 must mount /var/log/audit with the nosuid option. | |
| RHEL-08-040131 | V2R3 | RHEL 8 must mount /var/log/audit with the noexec option. | |
| RHEL-08-040132 | V2R3 | RHEL 8 must mount /var/tmp with the nodev option. | |
| RHEL-08-040133 | V2R3 | RHEL 8 must mount /var/tmp with the nosuid option. | |
| RHEL-08-040134 | V2R3 | RHEL 8 must mount /var/tmp with the noexec option. | |
| RHEL-08-040135 | V2R3 | The RHEL 8 fapolicy module must be installed. | |
| RHEL-08-040136 | V2R3 | The RHEL 8 fapolicy module must be enabled. | |
| RHEL-08-040137 | V2R3 | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | |
| RHEL-09-231045 | V2R4 | RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. | |
| RHEL-09-231050 | V2R4 | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | |
| RHEL-09-231095 | V2R4 | RHEL 9 must mount /boot with the nodev option. | |
| RHEL-09-231100 | V2R4 | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | |
| RHEL-09-231105 | V2R4 | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | |
| RHEL-09-231110 | V2R4 | RHEL 9 must mount /dev/shm with the nodev option. | |
| RHEL-09-231115 | V2R4 | RHEL 9 must mount /dev/shm with the noexec option. | |
| RHEL-09-231120 | V2R4 | RHEL 9 must mount /dev/shm with the nosuid option. | |
| RHEL-09-231125 | V2R4 | RHEL 9 must mount /tmp with the nodev option. | |
| RHEL-09-231130 | V2R4 | RHEL 9 must mount /tmp with the noexec option. | |
| RHEL-09-231135 | V2R4 | RHEL 9 must mount /tmp with the nosuid option. | |
| RHEL-09-231140 | V2R4 | RHEL 9 must mount /var with the nodev option. | |
| RHEL-09-231145 | V2R4 | RHEL 9 must mount /var/log with the nodev option. | |
| RHEL-09-231150 | V2R4 | RHEL 9 must mount /var/log with the noexec option. | |
| RHEL-09-231155 | V2R4 | RHEL 9 must mount /var/log with the nosuid option. | |
| RHEL-09-231160 | V2R4 | RHEL 9 must mount /var/log/audit with the nodev option. | |
| RHEL-09-231165 | V2R4 | RHEL 9 must mount /var/log/audit with the noexec option. | |
| RHEL-09-231170 | V2R4 | RHEL 9 must mount /var/log/audit with the nosuid option. | |
| RHEL-09-231175 | V2R4 | RHEL 9 must mount /var/tmp with the nodev option. | |
| RHEL-09-231180 | V2R4 | RHEL 9 must mount /var/tmp with the noexec option. | |
| RHEL-09-231185 | V2R4 | RHEL 9 must mount /var/tmp with the nosuid option. | |
| RHEL-09-271030 | V2R4 | RHEL 9 must disable the graphical user interface autorun function unless required. | |
| RHEL-09-433016 | V2R4 | The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | |
| UBTU-18-010441 | V2R15 | The Ubuntu operating system must be configured to use AppArmor. | |
| UBTU-20-010439 | V2R1 | The Ubuntu operating system must be configured to use AppArmor. | |
| UBTU-22-431015 | V2R4 | Ubuntu 22.04 LTS must be configured to use AppArmor. | |
| UBTU-24-100510 | V1R1 | Ubuntu 24.04 LTS must be configured to use AppArmor. | |
| WN10-CC-000180 | V3R4 | Autoplay must be turned off for non-volume devices. | |
| WN10-CC-000185 | V3R4 | The default autorun behavior must be configured to prevent autorun commands. | |
| WN10-CC-000190 | V3R4 | Autoplay must be disabled for all drives. | |
| WN11-CC-000180 | V2R3 | Autoplay must be turned off for non-volume devices. | |
| WN11-CC-000185 | V2R3 | The default autorun behavior must be configured to prevent autorun commands. | |
| WN11-CC-000190 | V2R3 | Autoplay must be disabled for all drives. | |
| WN16-CC-000250 | V2R9 | AutoPlay must be turned off for non-volume devices. | |
| WN16-CC-000260 | V2R9 | The default AutoRun behavior must be configured to prevent AutoRun commands. | |
| WN16-CC-000270 | V2R9 | AutoPlay must be disabled for all drives. | |
| WN19-CC-000210 | V3R4 | Windows Server 2019 Autoplay must be turned off for non-volume devices. | |
| WN19-CC-000220 | V3R4 | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. | |
| WN19-CC-000230 | V3R4 | Windows Server 2019 AutoPlay must be disabled for all drives. | |
| WN22-CC-000210 | V2R4 | Windows Server 2022 Autoplay must be turned off for nonvolume devices. | |
| WN22-CC-000220 | V2R4 | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands. | |
| WN22-CC-000230 | V2R4 | Windows Server 2022 AutoPlay must be disabled for all drives. | |