| ALMA-09-011240 |
V1R1 |
AlmaLinux OS 9 must disable core dumps for all users. |
|
| ALMA-09-011350 |
V1R1 |
AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps. |
|
| ALMA-09-011460 |
V1R1 |
AlmaLinux OS 9 must disable storing core dumps. |
|
| ALMA-09-011570 |
V1R1 |
AlmaLinux OS 9 must disable core dump backtraces. |
|
| ALMA-09-011680 |
V1R1 |
AlmaLinux OS 9 must disable the kernel.core_pattern. |
|
| ALMA-09-011790 |
V1R1 |
AlmaLinux OS 9 cron configuration files directory must be group-owned by root. |
|
| ALMA-09-011900 |
V1R1 |
AlmaLinux OS 9 cron configuration files directory must be owned by root. |
|
| ALMA-09-012010 |
V1R1 |
AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive. |
|
| ALMA-09-012120 |
V1R1 |
AlmaLinux OS 9 /etc/crontab file must have mode 0600. |
|
| ALMA-09-012230 |
V1R1 |
AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. |
|
| ALMA-09-012340 |
V1R1 |
AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. |
|
| ALMA-09-012450 |
V1R1 |
All AlmaLinux OS 9 local files and directories must have a valid group owner. |
|
| ALMA-09-012560 |
V1R1 |
All AlmaLinux OS 9 local files and directories must have a valid owner. |
|
| ALMA-09-012670 |
V1R1 |
AlmaLinux OS 9 /etc/group- file must be group owned by root. |
|
| ALMA-09-012780 |
V1R1 |
AlmaLinux OS 9 /etc/group- file must be owned by root. |
|
| ALMA-09-012890 |
V1R1 |
AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| ALMA-09-013000 |
V1R1 |
AlmaLinux OS 9 /etc/group file must be group owned by root. |
|
| ALMA-09-013110 |
V1R1 |
AlmaLinux OS 9 /etc/group file must be owned by root. |
|
| ALMA-09-013220 |
V1R1 |
AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| ALMA-09-013330 |
V1R1 |
The /boot/grub2/grub.cfg file must be group-owned by root. |
|
| ALMA-09-013440 |
V1R1 |
The /boot/grub2/grub.cfg file must be owned by root. |
|
| ALMA-09-013550 |
V1R1 |
AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process. |
|
| ALMA-09-013660 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root. |
|
| ALMA-09-013770 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow- file must be owned by root. |
|
| ALMA-09-013880 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| ALMA-09-013990 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow file must be group-owned by root. |
|
| ALMA-09-014100 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow file must be owned by root. |
|
| ALMA-09-014210 |
V1R1 |
AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| ALMA-09-014320 |
V1R1 |
The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.
|
|
| ALMA-09-014430 |
V1R1 |
AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces. |
|
| ALMA-09-015640 |
V1R1 |
AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. |
|
| ALMA-09-015750 |
V1R1 |
AlmaLinux OS 9 must not allow blank or null passwords. |
|
| ALMA-09-015860 |
V1R1 |
AlmaLinux OS 9 must not have accounts configured with blank or null passwords. |
|
| ALMA-09-015970 |
V1R1 |
AlmaLinux OS 9 /etc/passwd- file must be group-owned by root. |
|
| ALMA-09-016080 |
V1R1 |
AlmaLinux OS 9 /etc/passwd- file must be owned by root. |
|
| ALMA-09-016190 |
V1R1 |
AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| ALMA-09-016300 |
V1R1 |
AlmaLinux OS 9 /etc/passwd file must be group-owned by root. |
|
| ALMA-09-016410 |
V1R1 |
AlmaLinux OS 9 /etc/passwd file must be owned by root. |
|
| ALMA-09-016520 |
V1R1 |
AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| ALMA-09-016630 |
V1R1 |
AlmaLinux OS 9 /etc/shadow- file must be group-owned by root. |
|
| ALMA-09-016740 |
V1R1 |
AlmaLinux OS 9 /etc/shadow- file must be owned by root. |
|
| ALMA-09-016850 |
V1R1 |
AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| ALMA-09-016960 |
V1R1 |
AlmaLinux OS 9 /etc/shadow file must be group-owned by root. |
|
| ALMA-09-017070 |
V1R1 |
AlmaLinux OS 9 /etc/shadow file must be owned by root. |
|
| ALMA-09-017180 |
V1R1 |
AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. |
|
| ALMA-09-017290 |
V1R1 |
AlmaLinux OS 9 must restrict privilege elevation to authorized personnel. |
|
| ALMA-09-017400 |
V1R1 |
AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo". |
|
| ALMA-09-017950 |
V1R1 |
AlmaLinux OS 9 must not have unauthorized accounts. |
|
| ALMA-09-018060 |
V1R1 |
AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). |
|
| ALMA-09-018170 |
V1R1 |
AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. |
|
| ALMA-09-018280 |
V1R1 |
AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes. |
|
| ALMA-09-018500 |
V1R1 |
AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces. |
|
| ALMA-09-018610 |
V1R1 |
AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages. |
|
| ALMA-09-018830 |
V1R1 |
AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
|
| ALMA-09-018940 |
V1R1 |
AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. |
|
| ALMA-09-019050 |
V1R1 |
AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| ALMA-09-019160 |
V1R1 |
AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router. |
|
| ALMA-09-019270 |
V1R1 |
AlmaLinux OS 9 must not have unauthorized IP tunnels configured. |
|
| ALMA-09-019380 |
V1R1 |
AlmaLinux OS 9 must log packets with impossible addresses. |
|
| ALMA-09-019490 |
V1R1 |
AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying. |
|
| ALMA-09-019600 |
V1R1 |
AlmaLinux OS 9 must have the nss-tools package installed. |
|
| ALMA-09-019710 |
V1R1 |
AlmaLinux OS 9 network interfaces must not be in promiscuous mode. |
|
| ALMA-09-019820 |
V1R1 |
AlmaLinux OS 9 must use reverse path filtering on all IP interfaces. |
|
| ALMA-09-019930 |
V1R1 |
AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects. |
|
| ALMA-09-020040 |
V1R1 |
There must be no .shosts files on AlmaLinux OS 9. |
|
| ALMA-09-020150 |
V1R1 |
There must be no shosts.equiv files on AlmaLinux OS 9. |
|
| ALMA-09-020260 |
V1R1 |
AlmaLinux OS 9 must not forward source-routed packets. |
|
| ALMA-09-020370 |
V1R1 |
AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication. |
|
| ALMA-09-020480 |
V1R1 |
The AlmaLinux OS 9 SSH server configuration file must be group-owned by root. |
|
| ALMA-09-020590 |
V1R1 |
The AlmaLinux OS 9 SSH server configuration file must be owned by root. |
|
| ALMA-09-020700 |
V1R1 |
AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive. |
|
| ALMA-09-020810 |
V1R1 |
AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system. |
|
| ALMA-09-020920 |
V1R1 |
AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive. |
|
| ALMA-09-021030 |
V1R1 |
AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive. |
|
| ALMA-09-021140 |
V1R1 |
AlmaLinux OS 9 SSH daemon must not allow known hosts authentication. |
|
| ALMA-09-021250 |
V1R1 |
AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. |
|
| ALMA-09-021360 |
V1R1 |
AlmaLinux OS 9 SSH daemon must not allow rhosts authentication. |
|
| ALMA-09-021470 |
V1R1 |
AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users. |
|
| ALMA-09-021580 |
V1R1 |
AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| ALMA-09-021690 |
V1R1 |
If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. |
|
| ALMA-09-021800 |
V1R1 |
AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. |
|
| ALMA-09-021910 |
V1R1 |
AlmaLinux OS 9 effective dconf policy must match the policy keyfiles. |
|
| ALMA-09-022020 |
V1R1 |
AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
|
| ALMA-09-022130 |
V1R1 |
All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive. |
|
| ALMA-09-022240 |
V1R1 |
AlmaLinux OS 9 must have the gnutls-utils package installed. |
|
| ALMA-09-022350 |
V1R1 |
The kdump service on AlmaLinux OS 9 must be disabled. |
|
| ALMA-09-022460 |
V1R1 |
AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen. |
|
| ALMA-09-022570 |
V1R1 |
AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. |
|
| ALMA-09-022680 |
V1R1 |
AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media. |
|
| ALMA-09-022790 |
V1R1 |
AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media. |
|
| ALMA-09-022900 |
V1R1 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| ALMA-09-023010 |
V1R1 |
AlmaLinux OS 9 must disable the use of user namespaces. |
|
| ALMA-09-023120 |
V1R1 |
AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS). |
|
| ALMA-09-023230 |
V1R1 |
AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS). |
|
| ALMA-09-023450 |
V1R1 |
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
|
| ALMA-09-023560 |
V1R1 |
AlmaLinux OS 9 must configure a DNS processing mode set be Network Manager. |
|
| ALMA-09-023670 |
V1R1 |
AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. |
|
| ALMA-09-023780 |
V1R1 |
AlmaLinux OS 9 must prevent special devices on nonroot local partitions. |
|
| ALMA-09-023890 |
V1R1 |
The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system. |
|
| ALMA-09-024000 |
V1R1 |
AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values. |
|
| ALMA-09-024110 |
V1R1 |
AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks. |
|
| ALMA-09-024220 |
V1R1 |
AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon. |
|
| ALMA-09-024330 |
V1R1 |
AlmaLinux OS 9 security patches and updates must be installed and up to date. |
|
| ALMA-09-024440 |
V1R1 |
AlmaLinux OS 9 policycoreutils-python-utils package must be installed. |
|
| ALMA-09-024550 |
V1R1 |
AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service. |
|
| ALMA-09-024660 |
V1R1 |
AlmaLinux OS 9 must have the rng-tools package installed. |
|
| ALMA-09-024990 |
V1R1 |
AlmaLinux OS 9 system accounts must not have an interactive login shell. |
|
| ALMA-09-025100 |
V1R1 |
AlmaLinux OS 9 must use a separate file system for /tmp. |
|
| ALMA-09-025210 |
V1R1 |
Local AlmaLinux OS 9 initialization files must not execute world-writable programs. |
|
| ALMA-09-025320 |
V1R1 |
AlmaLinux OS 9 must use a separate file system for /var/log. |
|
| ALMA-09-025430 |
V1R1 |
AlmaLinux OS 9 must use a separate file system for /var. |
|
| ALMA-09-025540 |
V1R1 |
AlmaLinux OS 9 must use a separate file system for /var/tmp. |
|
| ALMA-09-025650 |
V1R1 |
AlmaLinux OS 9 must disable virtual system calls. |
|
| ALMA-09-025760 |
V1R1 |
AlmaLinux OS 9 must use cron logging. |
|
| ALMA-09-025870 |
V1R1 |
AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
|
| APPL-14-003013 |
V2R2 |
The macOS system must enable firmware password. |
|
| APPL-14-005110 |
V2R2 |
The macOS system must enforce enrollment in mobile device management. |
|
| APPL-14-005120 |
V2R2 |
The macOS system must enable recovery lock. |
|
| APPL-14-005130 |
V2R2 |
The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. |
|
| OL07-00-010020 |
V3R1 |
The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. |
|
| OL07-00-010290 |
V3R1 |
The Oracle Linux operating system must not allow accounts configured with blank or null passwords. |
|
| OL07-00-020230 |
V3R1 |
The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. |
|
| OL07-00-020250 |
V3R1 |
The Oracle Linux operating system must be a vendor supported release. |
|
| OL07-00-020260 |
V3R1 |
The Oracle Linux operating system security patches and updates must be installed and up to date. |
|
| OL07-00-020270 |
V3R1 |
The Oracle Linux operating system must not have unnecessary accounts. |
|
| OL07-00-020310 |
V3R1 |
The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. |
|
| OL07-00-020320 |
V3R1 |
The Oracle Linux operating system must be configured so that all files and directories have a valid owner. |
|
| OL07-00-020330 |
V3R1 |
The Oracle Linux operating system must be configured so that all files and directories have a valid group owner. |
|
| OL07-00-020610 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. |
|
| OL07-00-020620 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. |
|
| OL07-00-020630 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. |
|
| OL07-00-020640 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. |
|
| OL07-00-020650 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group. |
|
| OL07-00-020660 |
V3R1 |
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner. |
|
| OL07-00-020670 |
V3R1 |
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. |
|
| OL07-00-020680 |
V3R1 |
The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. |
|
| OL07-00-020690 |
V3R1 |
The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. |
|
| OL07-00-020700 |
V3R1 |
The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root. |
|
| OL07-00-020710 |
V3R1 |
The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. |
|
| OL07-00-020720 |
V3R1 |
The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory. |
|
| OL07-00-020730 |
V3R1 |
The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs. |
|
| OL07-00-020900 |
V3R1 |
The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
|
| OL07-00-021000 |
V3R1 |
The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| OL07-00-021010 |
V3R1 |
The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| OL07-00-021020 |
V3R1 |
The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). |
|
| OL07-00-021021 |
V3R1 |
The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). |
|
| OL07-00-021030 |
V3R1 |
The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. |
|
| OL07-00-021040 |
V3R1 |
The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts. |
|
| OL07-00-021100 |
V3R1 |
The Oracle Linux operating system must have cron logging implemented. |
|
| OL07-00-021110 |
V3R1 |
The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. |
|
| OL07-00-021120 |
V3R1 |
The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. |
|
| OL07-00-021300 |
V3R1 |
The Oracle Linux operating system must disable Kernel core dumps unless needed. |
|
| OL07-00-021310 |
V3R1 |
The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). |
|
| OL07-00-021320 |
V3R1 |
The Oracle Linux operating system must use a separate file system for /var. |
|
| OL07-00-021340 |
V3R1 |
The Oracle Linux operating system must use a separate file system for /tmp (or equivalent). |
|
| OL07-00-021600 |
V3R1 |
The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). |
|
| OL07-00-021610 |
V3R1 |
The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. |
|
| OL07-00-021620 |
V3R1 |
The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. |
|
| OL07-00-031000 |
V3R1 |
The Oracle Linux operating system must send rsyslog output to a log aggregation server. |
|
| OL07-00-031010 |
V3R1 |
The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
|
| OL07-00-032000 |
V3R1 |
The Oracle Linux operating system must use a virus scan program. |
|
| OL07-00-040330 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. |
|
| OL07-00-040350 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. |
|
| OL07-00-040360 |
V3R1 |
The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon. |
|
| OL07-00-040370 |
V3R1 |
The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH. |
|
| OL07-00-040380 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. |
|
| OL07-00-040410 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. |
|
| OL07-00-040420 |
V3R1 |
The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive. |
|
| OL07-00-040450 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. |
|
| OL07-00-040460 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation. |
|
| OL07-00-040470 |
V3R1 |
The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. |
|
| OL07-00-040520 |
V3R1 |
The Oracle Linux operating system must enable an application firewall, if available. |
|
| OL07-00-040530 |
V3R1 |
The Oracle Linux operating system must display the date and time of the last successful account logon upon logon. |
|
| OL07-00-040540 |
V3R1 |
The Oracle Linux operating system must not contain .shosts files. |
|
| OL07-00-040550 |
V3R1 |
The Oracle Linux operating system must not contain shosts.equiv files. |
|
| OL07-00-040600 |
V3R1 |
For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured. |
|
| OL07-00-040610 |
V3R1 |
The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
|
| OL07-00-040611 |
V3R1 |
The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. |
|
| OL07-00-040612 |
V3R1 |
The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default. |
|
| OL07-00-040620 |
V3R1 |
The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
|
| OL07-00-040630 |
V3R1 |
The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| OL07-00-040640 |
V3R1 |
The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| OL07-00-040641 |
V3R1 |
The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. |
|
| OL07-00-040650 |
V3R1 |
The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. |
|
| OL07-00-040660 |
V3R1 |
The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
|
| OL07-00-040670 |
V3R1 |
Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode. |
|
| OL07-00-040680 |
V3R1 |
The Oracle Linux operating system must be configured to prevent unrestricted mail relaying. |
|
| OL07-00-040690 |
V3R1 |
The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. |
|
| OL07-00-040700 |
V3R1 |
The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. |
|
| OL07-00-040710 |
V3R1 |
The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. |
|
| OL07-00-040720 |
V3R1 |
The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. |
|
| OL07-00-040730 |
V3R1 |
The Oracle Linux operating system must not have a graphical display manager installed unless approved. |
|
| OL07-00-040740 |
V3R1 |
The Oracle Linux operating system must not be performing packet forwarding unless the system is a router. |
|
| OL07-00-040750 |
V3R1 |
The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. |
|
| OL07-00-040800 |
V3R1 |
SNMP community strings on the Oracle Linux operating system must be changed from the default. |
|
| OL07-00-040810 |
V3R1 |
The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. |
|
| OL07-00-040820 |
V3R1 |
The Oracle Linux operating system must not have unauthorized IP tunnels configured. |
|
| OL07-00-040830 |
V3R1 |
The Oracle Linux operating system must not forward IPv6 source-routed packets. |
|
| OL07-00-020231 |
V3R1 |
The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. |
|
| OL07-00-021031 |
V3R1 |
The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. |
|
| OL07-00-040711 |
V3R1 |
The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| OL07-00-010341 |
V3R1 |
The Oracle Linux operating system must restrict privilege elevation to authorized personnel. |
|
| OL07-00-010342 |
V3R1 |
The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo". |
|
| OL07-00-010291 |
V3R1 |
The Oracle Linux operating system must not have accounts configured with blank or null passwords. |
|
| OL07-00-010339 |
V3R1 |
The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file. |
|
| OL07-00-010063 |
V3R1 |
The Oracle Linux operating system must disable the login screen user list for graphical user interfaces. |
|
| OL08-00-010000 |
V2R2 |
OL 8 must be a vendor-supported release. |
|
| OL08-00-010010 |
V2R2 |
OL 8 vendor-packaged system security patches and updates must be installed and up to date. |
|
| OL08-00-010382 |
V2R2 |
OL 8 must restrict privilege elevation to authorized personnel. |
|
| OL08-00-010383 |
V2R2 |
OL 8 must use the invoking user's password for privilege escalation when using "sudo". |
|
| OL08-00-010424 |
V2R2 |
OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors. |
|
| OL08-00-010460 |
V2R2 |
There must be no "shosts.equiv" files on the OL 8 operating system. |
|
| OL08-00-010470 |
V2R2 |
There must be no ".shosts" files on the OL 8 operating system. |
|
| OL08-00-010473 |
V2R2 |
OL 8 must enable the hardware random number generator entropy gatherer service. |
|
| OL08-00-010472 |
V2R2 |
OL 8 must have the packages required to use the hardware random number generator entropy gatherer service. |
|
| OL08-00-010480 |
V2R2 |
The OL 8 SSH public host key files must have mode "0644" or less permissive. |
|
| OL08-00-010490 |
V2R2 |
The OL 8 SSH private host key files must have mode "0640" or less permissive. |
|
| OL08-00-010500 |
V2R2 |
The OL 8 SSH daemon must perform strict mode checking of home directory configuration files. |
|
| OL08-00-010520 |
V2R2 |
The OL 8 SSH daemon must not allow authentication using known host's authentication. |
|
| OL08-00-010521 |
V2R2 |
The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. |
|
| OL08-00-010522 |
V2R2 |
The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. |
|
| OL08-00-010540 |
V2R2 |
OL 8 must use a separate file system for "/var". |
|
| OL08-00-010541 |
V2R2 |
OL 8 must use a separate file system for "/var/log". |
|
| OL08-00-010542 |
V2R2 |
OL 8 must use a separate file system for the system audit data path. |
|
| OL08-00-010543 |
V2R2 |
OL 8 must use a separate file system for "/tmp". |
|
| OL08-00-010544 |
V2R2 |
OL 8 must use a separate file system for /var/tmp. |
|
| OL08-00-010561 |
V2R2 |
OL 8 must have the rsyslog service enabled and active. |
|
| OL08-00-010570 |
V2R2 |
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. |
|
| OL08-00-010571 |
V2R2 |
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. |
|
| OL08-00-010572 |
V2R2 |
OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. |
|
| OL08-00-010580 |
V2R2 |
OL 8 must prevent special devices on non-root local partitions. |
|
| OL08-00-010590 |
V2R2 |
OL 8 file systems that contain user home directories must not execute binary files. |
|
| OL08-00-010600 |
V2R2 |
OL 8 file systems must not interpret character or block special devices from untrusted file systems. |
|
| OL08-00-010610 |
V2R2 |
OL 8 file systems must not execute binary files on removable media. |
|
| OL08-00-010620 |
V2R2 |
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| OL08-00-010630 |
V2R2 |
OL 8 file systems must not execute binary files that are imported via Network File System (NFS). |
|
| OL08-00-010640 |
V2R2 |
OL 8 file systems must not interpret character or block special devices that are imported via NFS. |
|
| OL08-00-010650 |
V2R2 |
OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
|
| OL08-00-010660 |
V2R2 |
Local OL 8 initialization files must not execute world-writable programs. |
|
| OL08-00-010671 |
V2R2 |
OL 8 must disable the "kernel.core_pattern". |
|
| OL08-00-010672 |
V2R2 |
OL 8 must disable acquiring, saving, and processing core dumps. |
|
| OL08-00-010673 |
V2R2 |
OL 8 must disable core dumps for all users. |
|
| OL08-00-010674 |
V2R2 |
OL 8 must disable storing core dumps. |
|
| OL08-00-010675 |
V2R2 |
OL 8 must disable core dump backtraces. |
|
| OL08-00-010680 |
V2R2 |
For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. |
|
| OL08-00-010690 |
V2R2 |
Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory. |
|
| OL08-00-010700 |
V2R2 |
All OL 8 world-writable directories must be owned by root, sys, bin, or an application user. |
|
| OL08-00-010710 |
V2R2 |
All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. |
|
| OL08-00-010720 |
V2R2 |
All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file. |
|
| OL08-00-010730 |
V2R2 |
All OL 8 local interactive user home directories must have mode "0750" or less permissive. |
|
| OL08-00-010731 |
V2R2 |
All OL 8 local interactive user home directory files must have mode "0750" or less permissive. |
|
| OL08-00-010740 |
V2R2 |
All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group. |
|
| OL08-00-010741 |
V2R2 |
OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. |
|
| OL08-00-010750 |
V2R2 |
All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist. |
|
| OL08-00-010760 |
V2R2 |
All OL 8 local interactive user accounts must be assigned a home directory upon creation. |
|
| OL08-00-010770 |
V2R2 |
All OL 8 local initialization files must have mode "0740" or less permissive. |
|
| OL08-00-010780 |
V2R2 |
All OL 8 files and directories must have a valid owner. |
|
| OL08-00-010790 |
V2R2 |
All OL 8 files and directories must have a valid group owner. |
|
| OL08-00-010800 |
V2R2 |
A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent). |
|
| OL08-00-020032 |
V2R2 |
OL 8 must disable the user list at logon for graphical user interfaces. |
|
| OL08-00-020320 |
V2R2 |
OL 8 must not have unnecessary accounts. |
|
| OL08-00-020330 |
V2R2 |
OL 8 must not allow accounts configured with blank or null passwords. |
|
| OL08-00-020331 |
V2R2 |
OL 8 must not allow blank or null passwords in the system-auth file. |
|
| OL08-00-020332 |
V2R2 |
OL 8 must not allow blank or null passwords in the password-auth file. |
|
| OL08-00-020340 |
V2R2 |
OL 8 must display the date and time of the last successful account logon upon logon. |
|
| OL08-00-020350 |
V2R2 |
OL 8 must display the date and time of the last successful account logon upon an SSH logon. |
|
| OL08-00-030010 |
V2R2 |
Cron logging must be implemented in OL 8. |
|
| OL08-00-030061 |
V2R2 |
The OL 8 audit system must audit local events. |
|
| OL08-00-030063 |
V2R2 |
OL 8 must resolve audit information before writing to disk. |
|
| OL08-00-030670 |
V2R2 |
OL 8 must have the packages required for offloading audit logs installed. |
|
| OL08-00-030680 |
V2R2 |
OL 8 must have the packages required for encrypting offloaded audit logs installed. |
|
| OL08-00-040021 |
V2R2 |
OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support. |
|
| OL08-00-040022 |
V2R2 |
OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support. |
|
| OL08-00-040023 |
V2R2 |
OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support. |
|
| OL08-00-040170 |
V2R2 |
The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8. |
|
| OL08-00-040171 |
V2R2 |
The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed. |
|
| OL08-00-040172 |
V2R2 |
OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence. |
|
| OL08-00-040180 |
V2R2 |
OL 8 must disable the debug-shell systemd service. |
|
| OL08-00-040190 |
V2R2 |
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support. |
|
| OL08-00-040200 |
V2R2 |
The root account must be the only account having unrestricted access to the OL 8 system. |
|
| OL08-00-040209 |
V2R2 |
OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| OL08-00-040210 |
V2R2 |
OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| OL08-00-040220 |
V2R2 |
OL 8 must not send Internet Control Message Protocol (ICMP) redirects. |
|
| OL08-00-040230 |
V2R2 |
OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| OL08-00-040239 |
V2R2 |
OL 8 must not forward IPv4 source-routed packets. |
|
| OL08-00-040240 |
V2R2 |
OL 8 must not forward IPv6 source-routed packets. |
|
| OL08-00-040249 |
V2R2 |
OL 8 must not forward IPv4 source-routed packets by default. |
|
| OL08-00-040250 |
V2R2 |
OL 8 must not forward IPv6 source-routed packets by default. |
|
| OL08-00-040260 |
V2R2 |
OL 8 must not enable IPv6 packet forwarding unless the system is a router. |
|
| OL08-00-040261 |
V2R2 |
OL 8 must not accept router advertisements on all IPv6 interfaces. |
|
| OL08-00-040262 |
V2R2 |
OL 8 must not accept router advertisements on all IPv6 interfaces by default. |
|
| OL08-00-040270 |
V2R2 |
OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. |
|
| OL08-00-040279 |
V2R2 |
OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. |
|
| OL08-00-040280 |
V2R2 |
OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. |
|
| OL08-00-040281 |
V2R2 |
OL 8 must disable access to the network "bpf" syscall from unprivileged processes. |
|
| OL08-00-040282 |
V2R2 |
OL 8 must restrict the use of "ptrace" to descendant processes. |
|
| OL08-00-040283 |
V2R2 |
OL 8 must restrict exposed kernel pointer addresses access. |
|
| OL08-00-040284 |
V2R2 |
OL 8 must disable the use of user namespaces. |
|
| OL08-00-040285 |
V2R2 |
OL 8 must use reverse path filtering on all IPv4 interfaces. |
|
| OL08-00-040286 |
V2R2 |
OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. |
|
| OL08-00-040290 |
V2R2 |
OL 8 must be configured to prevent unrestricted mail relaying. |
|
| OL08-00-040300 |
V2R2 |
The OL 8 file integrity tool must be configured to verify extended attributes. |
|
| OL08-00-040310 |
V2R2 |
The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). |
|
| OL08-00-040320 |
V2R2 |
The graphical display manager must not be installed on OL 8 unless approved. |
|
| OL08-00-040330 |
V2R2 |
OL 8 network interfaces must not be in promiscuous mode. |
|
| OL08-00-040340 |
V2R2 |
OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. |
|
| OL08-00-040341 |
V2R2 |
The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| OL08-00-040350 |
V2R2 |
If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode. |
|
| OL08-00-040360 |
V2R2 |
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8. |
|
| OL08-00-040370 |
V2R2 |
OL 8 must not have the "gssproxy" package installed if not required for operational support. |
|
| OL08-00-040380 |
V2R2 |
OL 8 must not have the "iprutils" package installed if not required for operational support. |
|
| OL08-00-040390 |
V2R2 |
OL 8 must not have the "tuned" package installed if not required for operational support. |
|
| OL08-00-010121 |
V2R2 |
The OL 8 operating system must not have accounts configured with blank or null passwords. |
|
| OL08-00-010379 |
V2R2 |
OL 8 must specify the default "include" directory for the /etc/sudoers file. |
|
| OL08-00-020101 |
V2R2 |
OL 8 must ensure the password complexity module is enabled in the system-auth file. |
|
| OL08-00-020102 |
V2R2 |
OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. |
|
| OL08-00-020103 |
V2R2 |
OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. |
|
| OL08-00-020104 |
V2R2 |
OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less. |
|
| OL08-00-040259 |
V2R2 |
OL 8 must not enable IPv4 packet forwarding unless the system is a router. |
|
| OL08-00-040321 |
V2R2 |
The graphical display manager must not be the default target on OL 8 unless approved. |
|
| RHEL-07-010290 |
V3R9 |
The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. |
|
| RHEL-07-020230 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. |
|
| RHEL-07-020231 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. |
|
| RHEL-07-020250 |
V3R9 |
The Red Hat Enterprise Linux operating system must be a vendor supported release. |
|
| RHEL-07-020260 |
V3R9 |
The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date. |
|
| RHEL-07-020270 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have unnecessary accounts. |
|
| RHEL-07-020310 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. |
|
| RHEL-07-020320 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner. |
|
| RHEL-07-020330 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner. |
|
| RHEL-07-020610 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. |
|
| RHEL-07-020620 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. |
|
| RHEL-07-020630 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. |
|
| RHEL-07-020640 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. |
|
| RHEL-07-020650 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group. |
|
| RHEL-07-020660 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner. |
|
| RHEL-07-020670 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. |
|
| RHEL-07-020680 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. |
|
| RHEL-07-020690 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. |
|
| RHEL-07-020700 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root. |
|
| RHEL-07-020710 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. |
|
| RHEL-07-020720 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory. |
|
| RHEL-07-020730 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs. |
|
| RHEL-07-020900 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
|
| RHEL-07-021000 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| RHEL-07-021010 |
V3R9 |
The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| RHEL-07-021020 |
V3R9 |
The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). |
|
| RHEL-07-021021 |
V3R9 |
The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). |
|
| RHEL-07-021030 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. |
|
| RHEL-07-021040 |
V3R9 |
The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts. |
|
| RHEL-07-021100 |
V3R9 |
The Red Hat Enterprise Linux operating system must have cron logging implemented. |
|
| RHEL-07-021110 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. |
|
| RHEL-07-021120 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. |
|
| RHEL-07-021300 |
V3R9 |
The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed. |
|
| RHEL-07-021310 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). |
|
| RHEL-07-021320 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a separate file system for /var. |
|
| RHEL-07-021330 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path. |
|
| RHEL-07-021340 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent). |
|
| RHEL-07-021600 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). |
|
| RHEL-07-021610 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. |
|
| RHEL-07-021620 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. |
|
| RHEL-07-031000 |
V3R9 |
The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server. |
|
| RHEL-07-031010 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
|
| RHEL-07-040201 |
V3R9 |
The Red Hat Enterprise Linux operating system must implement virtual address space randomization. |
|
| RHEL-07-040330 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. |
|
| RHEL-07-040350 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. |
|
| RHEL-07-040360 |
V3R9 |
The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon. |
|
| RHEL-07-040370 |
V3R9 |
The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH. |
|
| RHEL-07-040380 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. |
|
| RHEL-07-040410 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. |
|
| RHEL-07-040420 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive. |
|
| RHEL-07-040450 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. |
|
| RHEL-07-040460 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation. |
|
| RHEL-07-040470 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. |
|
| RHEL-07-040520 |
V3R9 |
The Red Hat Enterprise Linux operating system must enable an application firewall, if available. |
|
| RHEL-07-040530 |
V3R9 |
The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon. |
|
| RHEL-07-040540 |
V3R9 |
The Red Hat Enterprise Linux operating system must not contain .shosts files. |
|
| RHEL-07-040550 |
V3R9 |
The Red Hat Enterprise Linux operating system must not contain shosts.equiv files. |
|
| RHEL-07-040600 |
V3R9 |
For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured. |
|
| RHEL-07-040610 |
V3R9 |
The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
|
| RHEL-07-040611 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. |
|
| RHEL-07-040612 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default. |
|
| RHEL-07-040620 |
V3R9 |
The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
|
| RHEL-07-040630 |
V3R9 |
The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| RHEL-07-040640 |
V3R9 |
The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| RHEL-07-040641 |
V3R9 |
The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. |
|
| RHEL-07-040650 |
V3R9 |
The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. |
|
| RHEL-07-040660 |
V3R9 |
The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
|
| RHEL-07-040670 |
V3R9 |
Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode. |
|
| RHEL-07-040680 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying. |
|
| RHEL-07-040690 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. |
|
| RHEL-07-040700 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. |
|
| RHEL-07-040710 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements. |
|
| RHEL-07-040720 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. |
|
| RHEL-07-040730 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved. |
|
| RHEL-07-040740 |
V3R9 |
The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router. |
|
| RHEL-07-040750 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. |
|
| RHEL-07-040800 |
V3R9 |
SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. |
|
| RHEL-07-040810 |
V3R9 |
The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. |
|
| RHEL-07-040820 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured. |
|
| RHEL-07-040830 |
V3R9 |
The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets. |
|
| RHEL-07-010020 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. |
|
| RHEL-07-020019 |
V3R9 |
The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool. |
|
| RHEL-07-032000 |
V3R9 |
The Red Hat Enterprise Linux operating system must use a virus scan program. |
|
| RHEL-07-021031 |
V3R9 |
The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. |
|
| RHEL-07-040711 |
V3R9 |
The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| RHEL-07-010341 |
V3R9 |
The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. |
|
| RHEL-07-010342 |
V3R9 |
The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". |
|
| RHEL-07-010291 |
V3R9 |
The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. |
|
| RHEL-07-010339 |
V3R9 |
The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file. |
|
| RHEL-08-010000 |
V2R1 |
RHEL 8 must be a vendor-supported release. |
|
| RHEL-08-010010 |
V2R1 |
RHEL 8 vendor packaged system security patches and updates must be installed and up to date. |
|
| RHEL-08-010292 |
V2R1 |
RHEL 8 must ensure the SSH server uses strong entropy. |
|
| RHEL-08-010460 |
V2R1 |
There must be no shosts.equiv files on the RHEL 8 operating system. |
|
| RHEL-08-010470 |
V2R1 |
There must be no .shosts files on the RHEL 8 operating system. |
|
| RHEL-08-010471 |
V2R1 |
RHEL 8 must enable the hardware random number generator entropy gatherer service. |
|
| RHEL-08-010480 |
V2R1 |
The RHEL 8 SSH public host key files must have mode 0644 or less permissive. |
|
| RHEL-08-010490 |
V2R1 |
The RHEL 8 SSH private host key files must have mode 0640 or less permissive. |
|
| RHEL-08-010500 |
V2R1 |
The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. |
|
| RHEL-08-010520 |
V2R1 |
The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. |
|
| RHEL-08-010521 |
V2R1 |
The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. |
|
| RHEL-08-010540 |
V2R1 |
RHEL 8 must use a separate file system for /var. |
|
| RHEL-08-010541 |
V2R1 |
RHEL 8 must use a separate file system for /var/log. |
|
| RHEL-08-010542 |
V2R1 |
RHEL 8 must use a separate file system for the system audit data path. |
|
| RHEL-08-010543 |
V2R1 |
A separate RHEL 8 filesystem must be used for the /tmp directory. |
|
| RHEL-08-010561 |
V2R1 |
The rsyslog service must be running in RHEL 8. |
|
| RHEL-08-010570 |
V2R1 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. |
|
| RHEL-08-010571 |
V2R1 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. |
|
| RHEL-08-010580 |
V2R1 |
RHEL 8 must prevent special devices on non-root local partitions. |
|
| RHEL-08-010590 |
V2R1 |
RHEL 8 must prevent code from being executed on file systems that contain user home directories. |
|
| RHEL-08-010600 |
V2R1 |
RHEL 8 must prevent special devices on file systems that are used with removable media. |
|
| RHEL-08-010610 |
V2R1 |
RHEL 8 must prevent code from being executed on file systems that are used with removable media. |
|
| RHEL-08-010620 |
V2R1 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| RHEL-08-010630 |
V2R1 |
RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). |
|
| RHEL-08-010640 |
V2R1 |
RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). |
|
| RHEL-08-010650 |
V2R1 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
|
| RHEL-08-010660 |
V2R1 |
Local RHEL 8 initialization files must not execute world-writable programs. |
|
| RHEL-08-010670 |
V2R1 |
RHEL 8 must disable kernel dumps unless needed. |
|
| RHEL-08-010671 |
V2R1 |
RHEL 8 must disable the kernel.core_pattern. |
|
| RHEL-08-010672 |
V2R1 |
RHEL 8 must disable acquiring, saving, and processing core dumps. |
|
| RHEL-08-010673 |
V2R1 |
RHEL 8 must disable core dumps for all users. |
|
| RHEL-08-010674 |
V2R1 |
RHEL 8 must disable storing core dumps. |
|
| RHEL-08-010675 |
V2R1 |
RHEL 8 must disable core dump backtraces. |
|
| RHEL-08-010680 |
V2R1 |
For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. |
|
| RHEL-08-010690 |
V2R1 |
Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. |
|
| RHEL-08-010700 |
V2R1 |
All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. |
|
| RHEL-08-010710 |
V2R1 |
All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. |
|
| RHEL-08-010720 |
V2R1 |
All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. |
|
| RHEL-08-010730 |
V2R1 |
All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. |
|
| RHEL-08-010740 |
V2R1 |
All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. |
|
| RHEL-08-010750 |
V2R1 |
All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. |
|
| RHEL-08-010760 |
V2R1 |
All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. |
|
| RHEL-08-010770 |
V2R1 |
All RHEL 8 local initialization files must have mode 0740 or less permissive. |
|
| RHEL-08-010780 |
V2R1 |
All RHEL 8 local files and directories must have a valid owner. |
|
| RHEL-08-010790 |
V2R1 |
All RHEL 8 local files and directories must have a valid group owner. |
|
| RHEL-08-010800 |
V2R1 |
A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). |
|
| RHEL-08-020320 |
V2R1 |
RHEL 8 must not have unnecessary accounts. |
|
| RHEL-08-020330 |
V2R1 |
RHEL 8 must not allow accounts configured with blank or null passwords. |
|
| RHEL-08-020340 |
V2R1 |
RHEL 8 must display the date and time of the last successful account logon upon logon. |
|
| RHEL-08-020350 |
V2R1 |
RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. |
|
| RHEL-08-020353 |
V2R1 |
RHEL 8 must define default permissions for logon and non-logon shells. |
|
| RHEL-08-030010 |
V2R1 |
Cron logging must be implemented in RHEL 8. |
|
| RHEL-08-030061 |
V2R1 |
The RHEL 8 audit system must audit local events. |
|
| RHEL-08-030063 |
V2R1 |
RHEL 8 must resolve audit information before writing to disk. |
|
| RHEL-08-030670 |
V2R1 |
RHEL 8 must have the packages required for offloading audit logs installed. |
|
| RHEL-08-030680 |
V2R1 |
RHEL 8 must have the packages required for encrypting offloaded audit logs installed. |
|
| RHEL-08-040170 |
V2R1 |
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. |
|
| RHEL-08-040171 |
V2R1 |
The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. |
|
| RHEL-08-040172 |
V2R1 |
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. |
|
| RHEL-08-040180 |
V2R1 |
The debug-shell systemd service must be disabled on RHEL 8. |
|
| RHEL-08-040190 |
V2R1 |
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. |
|
| RHEL-08-040200 |
V2R1 |
The root account must be the only account having unrestricted access to the RHEL 8 system. |
|
| RHEL-08-040210 |
V2R1 |
RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| RHEL-08-040220 |
V2R1 |
RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. |
|
| RHEL-08-040230 |
V2R1 |
RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| RHEL-08-040240 |
V2R1 |
RHEL 8 must not forward IPv6 source-routed packets. |
|
| RHEL-08-040250 |
V2R1 |
RHEL 8 must not forward IPv6 source-routed packets by default. |
|
| RHEL-08-040260 |
V2R1 |
RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. |
|
| RHEL-08-040261 |
V2R1 |
RHEL 8 must not accept router advertisements on all IPv6 interfaces. |
|
| RHEL-08-040262 |
V2R1 |
RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. |
|
| RHEL-08-040270 |
V2R1 |
RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. |
|
| RHEL-08-040280 |
V2R1 |
RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. |
|
| RHEL-08-040281 |
V2R1 |
RHEL 8 must disable access to network bpf syscall from unprivileged processes. |
|
| RHEL-08-040282 |
V2R1 |
RHEL 8 must restrict usage of ptrace to descendant processes. |
|
| RHEL-08-040283 |
V2R1 |
RHEL 8 must restrict exposed kernel pointer addresses access. |
|
| RHEL-08-040284 |
V2R1 |
RHEL 8 must disable the use of user namespaces. |
|
| RHEL-08-040285 |
V2R1 |
RHEL 8 must use reverse path filtering on all IPv4 interfaces. |
|
| RHEL-08-040290 |
V2R1 |
RHEL 8 must be configured to prevent unrestricted mail relaying. |
|
| RHEL-08-040300 |
V2R1 |
The RHEL 8 file integrity tool must be configured to verify extended attributes. |
|
| RHEL-08-040310 |
V2R1 |
The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). |
|
| RHEL-08-040320 |
V2R1 |
The graphical display manager must not be installed on RHEL 8 unless approved. |
|
| RHEL-08-040330 |
V2R1 |
RHEL 8 network interfaces must not be in promiscuous mode. |
|
| RHEL-08-040340 |
V2R1 |
RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. |
|
| RHEL-08-040341 |
V2R1 |
The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| RHEL-08-040350 |
V2R1 |
If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. |
|
| RHEL-08-040360 |
V2R1 |
A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. |
|
| RHEL-08-040370 |
V2R1 |
The gssproxy package must not be installed unless mission essential on RHEL 8. |
|
| RHEL-08-040380 |
V2R1 |
The iprutils package must not be installed unless mission essential on RHEL 8. |
|
| RHEL-08-040390 |
V2R1 |
The tuned package must not be installed unless mission essential on RHEL 8. |
|
| RHEL-08-010382 |
V2R1 |
RHEL 8 must restrict privilege elevation to authorized personnel. |
|
| RHEL-08-010383 |
V2R1 |
RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". |
|
| RHEL-08-010472 |
V2R1 |
RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. |
|
| RHEL-08-010522 |
V2R1 |
The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. |
|
| RHEL-08-010544 |
V2R1 |
RHEL 8 must use a separate file system for /var/tmp. |
|
| RHEL-08-010572 |
V2R1 |
RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. |
|
| RHEL-08-010731 |
V2R1 |
All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. |
|
| RHEL-08-010741 |
V2R1 |
RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. |
|
| RHEL-08-020032 |
V2R1 |
RHEL 8 must disable the user list at logon for graphical user interfaces. |
|
| RHEL-08-020332 |
V2R1 |
RHEL 8 must not allow blank or null passwords in the password-auth file. |
|
| RHEL-08-040209 |
V2R1 |
RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| RHEL-08-040239 |
V2R1 |
RHEL 8 must not forward IPv4 source-routed packets. |
|
| RHEL-08-040249 |
V2R1 |
RHEL 8 must not forward IPv4 source-routed packets by default. |
|
| RHEL-08-040279 |
V2R1 |
RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. |
|
| RHEL-08-040286 |
V2R1 |
RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. |
|
| RHEL-08-040259 |
V2R1 |
RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. |
|
| RHEL-08-010121 |
V2R1 |
The RHEL 8 operating system must not have accounts configured with blank or null passwords. |
|
| RHEL-08-010379 |
V2R1 |
RHEL 8 must specify the default "include" directory for the /etc/sudoers file. |
|
| RHEL-08-020101 |
V2R1 |
RHEL 8 must ensure the password complexity module is enabled in the system-auth file. |
|
| RHEL-08-020102 |
V2R1 |
RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. |
|
| RHEL-08-020103 |
V2R1 |
RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. |
|
| RHEL-08-020104 |
V2R1 |
RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less. |
|
| RHEL-08-040321 |
V2R1 |
The graphical display manager must not be the default target on RHEL 8 unless approved. |
|
| RHEL-08-020331 |
V2R1 |
RHEL 8 must not allow blank or null passwords in the system-auth file. |
|
| RHEL-09-211010 |
V2R2 |
RHEL 9 must be a vendor-supported release. |
|
| RHEL-09-211015 |
V2R2 |
RHEL 9 vendor packaged system security patches and updates must be installed and up to date. |
|
| RHEL-09-211030 |
V2R2 |
The graphical display manager must not be the default target on RHEL 9 unless approved. |
|
| RHEL-09-211035 |
V2R2 |
RHEL 9 must enable the hardware random number generator entropy gatherer service. |
|
| RHEL-09-212015 |
V2R2 |
RHEL 9 must disable the ability of systemd to spawn an interactive boot process. |
|
| RHEL-09-212025 |
V2R2 |
RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. |
|
| RHEL-09-212030 |
V2R2 |
RHEL 9 /boot/grub2/grub.cfg file must be owned by root. |
|
| RHEL-09-212035 |
V2R2 |
RHEL 9 must disable virtual system calls. |
|
| RHEL-09-212040 |
V2R2 |
RHEL 9 must clear the page allocator to prevent use-after-free attacks. |
|
| RHEL-09-213020 |
V2R2 |
RHEL 9 must prevent the loading of a new kernel for later execution. |
|
| RHEL-09-213040 |
V2R2 |
RHEL 9 must disable the kernel.core_pattern. |
|
| RHEL-09-213085 |
V2R2 |
RHEL 9 must disable core dump backtraces. |
|
| RHEL-09-213090 |
V2R2 |
RHEL 9 must disable storing core dumps. |
|
| RHEL-09-213095 |
V2R2 |
RHEL 9 must disable core dumps for all users. |
|
| RHEL-09-213100 |
V2R2 |
RHEL 9 must disable acquiring, saving, and processing core dumps. |
|
| RHEL-09-213105 |
V2R2 |
RHEL 9 must disable the use of user namespaces. |
|
| RHEL-09-213115 |
V2R2 |
The kdump service on RHEL 9 must be disabled. |
|
| RHEL-09-214030 |
V2R2 |
RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values. |
|
| RHEL-09-215020 |
V2R2 |
RHEL 9 must not have the sendmail package installed. |
|
| RHEL-09-215060 |
V2R2 |
RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. |
|
| RHEL-09-215065 |
V2R2 |
RHEL 9 must not have the quagga package installed. |
|
| RHEL-09-215070 |
V2R2 |
A graphical display manager must not be installed on RHEL 9 unless approved. |
|
| RHEL-09-215080 |
V2R2 |
RHEL 9 must have the gnutls-utils package installed. |
|
| RHEL-09-215085 |
V2R2 |
RHEL 9 must have the nss-tools package installed. |
|
| RHEL-09-215090 |
V2R2 |
RHEL 9 must have the rng-tools package installed. |
|
| RHEL-09-231010 |
V2R2 |
A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent). |
|
| RHEL-09-231015 |
V2R2 |
RHEL 9 must use a separate file system for /tmp. |
|
| RHEL-09-231020 |
V2R2 |
RHEL 9 must use a separate file system for /var. |
|
| RHEL-09-231025 |
V2R2 |
RHEL 9 must use a separate file system for /var/log. |
|
| RHEL-09-231035 |
V2R2 |
RHEL 9 must use a separate file system for /var/tmp. |
|
| RHEL-09-231055 |
V2R2 |
RHEL 9 must prevent code from being executed on file systems that contain user home directories. |
|
| RHEL-09-231065 |
V2R2 |
RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS). |
|
| RHEL-09-231070 |
V2R2 |
RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). |
|
| RHEL-09-231075 |
V2R2 |
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). |
|
| RHEL-09-231080 |
V2R2 |
RHEL 9 must prevent code from being executed on file systems that are used with removable media. |
|
| RHEL-09-231085 |
V2R2 |
RHEL 9 must prevent special devices on file systems that are used with removable media. |
|
| RHEL-09-231090 |
V2R2 |
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. |
|
| RHEL-09-231200 |
V2R2 |
RHEL 9 must prevent special devices on non-root local partitions. |
|
| RHEL-09-232040 |
V2R2 |
RHEL 9 cron configuration directories must have a mode of 0700 or less permissive. |
|
| RHEL-09-232045 |
V2R2 |
All RHEL 9 local initialization files must have mode 0740 or less permissive. |
|
| RHEL-09-232050 |
V2R2 |
All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. |
|
| RHEL-09-232055 |
V2R2 |
RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232060 |
V2R2 |
RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232065 |
V2R2 |
RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232070 |
V2R2 |
RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232075 |
V2R2 |
RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232080 |
V2R2 |
RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232085 |
V2R2 |
RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. |
|
| RHEL-09-232090 |
V2R2 |
RHEL 9 /etc/group file must be owned by root. |
|
| RHEL-09-232095 |
V2R2 |
RHEL 9 /etc/group file must be group-owned by root. |
|
| RHEL-09-232100 |
V2R2 |
RHEL 9 /etc/group- file must be owned by root. |
|
| RHEL-09-232105 |
V2R2 |
RHEL 9 /etc/group- file must be group-owned by root. |
|
| RHEL-09-232110 |
V2R2 |
RHEL 9 /etc/gshadow file must be owned by root. |
|
| RHEL-09-232115 |
V2R2 |
RHEL 9 /etc/gshadow file must be group-owned by root. |
|
| RHEL-09-232120 |
V2R2 |
RHEL 9 /etc/gshadow- file must be owned by root. |
|
| RHEL-09-232125 |
V2R2 |
RHEL 9 /etc/gshadow- file must be group-owned by root. |
|
| RHEL-09-232130 |
V2R2 |
RHEL 9 /etc/passwd file must be owned by root. |
|
| RHEL-09-232135 |
V2R2 |
RHEL 9 /etc/passwd file must be group-owned by root. |
|
| RHEL-09-232140 |
V2R2 |
RHEL 9 /etc/passwd- file must be owned by root. |
|
| RHEL-09-232145 |
V2R2 |
RHEL 9 /etc/passwd- file must be group-owned by root. |
|
| RHEL-09-232150 |
V2R2 |
RHEL 9 /etc/shadow file must be owned by root. |
|
| RHEL-09-232155 |
V2R2 |
RHEL 9 /etc/shadow file must be group-owned by root. |
|
| RHEL-09-232160 |
V2R2 |
RHEL 9 /etc/shadow- file must be owned by root. |
|
| RHEL-09-232165 |
V2R2 |
RHEL 9 /etc/shadow- file must be group-owned by root. |
|
| RHEL-09-232230 |
V2R2 |
RHEL 9 cron configuration files directory must be owned by root. |
|
| RHEL-09-232235 |
V2R2 |
RHEL 9 cron configuration files directory must be group-owned by root. |
|
| RHEL-09-232240 |
V2R2 |
All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. |
|
| RHEL-09-232250 |
V2R2 |
All RHEL 9 local files and directories must have a valid group owner. |
|
| RHEL-09-232255 |
V2R2 |
All RHEL 9 local files and directories must have a valid owner. |
|
| RHEL-09-232260 |
V2R2 |
RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
|
| RHEL-09-232265 |
V2R2 |
RHEL 9 /etc/crontab file must have mode 0600. |
|
| RHEL-09-232270 |
V2R2 |
RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. |
|
| RHEL-09-251020 |
V2R2 |
A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
|
| RHEL-09-251040 |
V2R2 |
RHEL 9 network interfaces must not be in promiscuous mode. |
|
| RHEL-09-251045 |
V2R2 |
RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. |
|
| RHEL-09-252035 |
V2R2 |
RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. |
|
| RHEL-09-252040 |
V2R2 |
RHEL 9 must configure a DNS processing mode in Network Manager. |
|
| RHEL-09-252045 |
V2R2 |
RHEL 9 must not have unauthorized IP tunnels configured. |
|
| RHEL-09-252050 |
V2R2 |
RHEL 9 must be configured to prevent unrestricted mail relaying. |
|
| RHEL-09-252065 |
V2R2 |
RHEL 9 libreswan package must be installed. |
|
| RHEL-09-252070 |
V2R2 |
There must be no shosts.equiv files on RHEL 9. |
|
| RHEL-09-252075 |
V2R2 |
There must be no .shosts files on RHEL 9. |
|
| RHEL-09-253010 |
V2R2 |
RHEL 9 must be configured to use TCP syncookies. |
|
| RHEL-09-253015 |
V2R2 |
RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. |
|
| RHEL-09-253020 |
V2R2 |
RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
|
| RHEL-09-253025 |
V2R2 |
RHEL 9 must log IPv4 packets with impossible addresses. |
|
| RHEL-09-253030 |
V2R2 |
RHEL 9 must log IPv4 packets with impossible addresses by default. |
|
| RHEL-09-253035 |
V2R2 |
RHEL 9 must use reverse path filtering on all IPv4 interfaces. |
|
| RHEL-09-253040 |
V2R2 |
RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| RHEL-09-253045 |
V2R2 |
RHEL 9 must not forward IPv4 source-routed packets by default. |
|
| RHEL-09-253050 |
V2R2 |
RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. |
|
| RHEL-09-253055 |
V2R2 |
RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| RHEL-09-253060 |
V2R2 |
RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. |
|
| RHEL-09-253065 |
V2R2 |
RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. |
|
| RHEL-09-253070 |
V2R2 |
RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. |
|
| RHEL-09-253075 |
V2R2 |
RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. |
|
| RHEL-09-254010 |
V2R2 |
RHEL 9 must not accept router advertisements on all IPv6 interfaces. |
|
| RHEL-09-254015 |
V2R2 |
RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. |
|
| RHEL-09-254020 |
V2R2 |
RHEL 9 must not forward IPv6 source-routed packets. |
|
| RHEL-09-254025 |
V2R2 |
RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. |
|
| RHEL-09-254030 |
V2R2 |
RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. |
|
| RHEL-09-254035 |
V2R2 |
RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| RHEL-09-254040 |
V2R2 |
RHEL 9 must not forward IPv6 source-routed packets by default. |
|
| RHEL-09-255020 |
V2R2 |
RHEL 9 must have the openssh-clients package installed. |
|
| RHEL-09-255105 |
V2R2 |
RHEL 9 SSH server configuration file must be group-owned by root. |
|
| RHEL-09-255110 |
V2R2 |
RHEL 9 SSH server configuration file must be owned by root. |
|
| RHEL-09-255115 |
V2R2 |
RHEL 9 SSH server configuration file must have mode 0600 or less permissive. |
|
| RHEL-09-255120 |
V2R2 |
RHEL 9 SSH private host key files must have mode 0640 or less permissive. |
|
| RHEL-09-255125 |
V2R2 |
RHEL 9 SSH public host key files must have mode 0644 or less permissive. |
|
| RHEL-09-255130 |
V2R2 |
RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. |
|
| RHEL-09-255145 |
V2R2 |
RHEL 9 SSH daemon must not allow rhosts authentication. |
|
| RHEL-09-255150 |
V2R2 |
RHEL 9 SSH daemon must not allow known hosts authentication. |
|
| RHEL-09-255155 |
V2R2 |
RHEL 9 SSH daemon must disable remote X connections for interactive users. |
|
| RHEL-09-255160 |
V2R2 |
RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. |
|
| RHEL-09-255165 |
V2R2 |
RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. |
|
| RHEL-09-255175 |
V2R2 |
RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| RHEL-09-271090 |
V2R2 |
RHEL 9 effective dconf policy must match the policy keyfiles. |
|
| RHEL-09-271095 |
V2R2 |
RHEL 9 must disable the ability of a user to restart the system from the login screen. |
|
| RHEL-09-271100 |
V2R2 |
RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. |
|
| RHEL-09-271105 |
V2R2 |
RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. |
|
| RHEL-09-271110 |
V2R2 |
RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. |
|
| RHEL-09-271115 |
V2R2 |
RHEL 9 must disable the user list at logon for graphical user interfaces. |
|
| RHEL-09-411020 |
V2R2 |
All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. |
|
| RHEL-09-411025 |
V2R2 |
RHEL 9 must set the umask value to 077 for all local interactive user accounts. |
|
| RHEL-09-411035 |
V2R2 |
RHEL 9 system accounts must not have an interactive login shell. |
|
| RHEL-09-411055 |
V2R2 |
Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory. |
|
| RHEL-09-411060 |
V2R2 |
All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. |
|
| RHEL-09-411065 |
V2R2 |
All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist. |
|
| RHEL-09-411070 |
V2R2 |
All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. |
|
| RHEL-09-411095 |
V2R2 |
RHEL 9 must not have unauthorized accounts. |
|
| RHEL-09-411100 |
V2R2 |
The root account must be the only account having unrestricted access to RHEL 9 system. |
|
| RHEL-09-411115 |
V2R2 |
Local RHEL 9 initialization files must not execute world-writable programs. |
|
| RHEL-09-412075 |
V2R2 |
RHEL 9 must display the date and time of the last successful account logon upon logon. |
|
| RHEL-09-431025 |
V2R2 |
RHEL 9 must have policycoreutils package installed. |
|
| RHEL-09-431030 |
V2R2 |
RHEL 9 policycoreutils-python-utils package must be installed. |
|
| RHEL-09-432020 |
V2R2 |
RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". |
|
| RHEL-09-432030 |
V2R2 |
RHEL 9 must restrict privilege elevation to authorized personnel. |
|
| RHEL-09-611025 |
V2R2 |
RHEL 9 must not allow blank or null passwords. |
|
| RHEL-09-611045 |
V2R2 |
RHEL 9 must ensure the password complexity module is enabled in the system-auth file. |
|
| RHEL-09-611155 |
V2R2 |
RHEL 9 must not have accounts configured with blank or null passwords. |
|
| RHEL-09-651020 |
V2R2 |
RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. |
|
| RHEL-09-651030 |
V2R2 |
RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). |
|
| RHEL-09-651035 |
V2R2 |
RHEL 9 must be configured so that the file integrity tool verifies extended attributes. |
|
| RHEL-09-652015 |
V2R2 |
RHEL 9 must have the packages required for encrypting offloaded audit logs installed. |
|
| RHEL-09-652020 |
V2R2 |
The rsyslog service on RHEL 9 must be active. |
|
| RHEL-09-652025 |
V2R2 |
RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
|
| RHEL-09-652060 |
V2R2 |
RHEL 9 must use cron logging. |
|
| RHEL-09-653105 |
V2R2 |
RHEL 9 must write audit records to disk. |
|
| SLES-12-010000 |
V3R1 |
The SUSE operating system must be a vendor-supported release. |
|
| SLES-12-010010 |
V3R1 |
Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. |
|
| SLES-12-010231 |
V3R1 |
The SUSE operating system must not be configured to allow blank or null passwords. |
|
| SLES-12-010390 |
V3R1 |
The SUSE operating system must display the date and time of the last successful account logon upon logon. |
|
| SLES-12-010400 |
V3R1 |
There must be no .shosts files on the SUSE operating system. |
|
| SLES-12-010410 |
V3R1 |
There must be no shosts.equiv files on the SUSE operating system. |
|
| SLES-12-010520 |
V3R1 |
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). |
|
| SLES-12-010530 |
V3R1 |
The SUSE operating system file integrity tool must be configured to verify extended attributes. |
|
| SLES-12-010610 |
V3R1 |
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. |
|
| SLES-12-010611 |
V3R1 |
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. |
|
| SLES-12-010630 |
V3R1 |
The SUSE operating system must not have unnecessary accounts. |
|
| SLES-12-010650 |
V3R1 |
The SUSE operating system root account must be the only account having unrestricted access to the system. |
|
| SLES-12-010690 |
V3R1 |
All SUSE operating system files and directories must have a valid owner. |
|
| SLES-12-010700 |
V3R1 |
All SUSE operating system files and directories must have a valid group owner. |
|
| SLES-12-010710 |
V3R1 |
All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. |
|
| SLES-12-010720 |
V3R1 |
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. |
|
| SLES-12-010730 |
V3R1 |
All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. |
|
| SLES-12-010740 |
V3R1 |
All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. |
|
| SLES-12-010750 |
V3R1 |
All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group. |
|
| SLES-12-010760 |
V3R1 |
All SUSE operating system local initialization files must have mode 0740 or less permissive. |
|
| SLES-12-010770 |
V3R1 |
All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. |
|
| SLES-12-010780 |
V3R1 |
All SUSE operating system local initialization files must not execute world-writable programs. |
|
| SLES-12-010790 |
V3R1 |
SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-12-010800 |
V3R1 |
SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-12-010810 |
V3R1 |
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-12-010820 |
V3R1 |
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. |
|
| SLES-12-010830 |
V3R1 |
All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. |
|
| SLES-12-010840 |
V3R1 |
SUSE operating system kernel core dumps must be disabled unless needed. |
|
| SLES-12-010850 |
V3R1 |
A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). |
|
| SLES-12-010860 |
V3R1 |
The SUSE operating system must use a separate file system for /var. |
|
| SLES-12-010870 |
V3R1 |
The SUSE operating system must use a separate file system for the system audit data path. |
|
| SLES-12-010910 |
V3R1 |
The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. |
|
| SLES-12-020199 |
V3R1 |
The SUSE operating system must not disable syscall auditing. |
|
| SLES-12-030130 |
V3R1 |
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. |
|
| SLES-12-030200 |
V3R1 |
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. |
|
| SLES-12-030210 |
V3R1 |
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. |
|
| SLES-12-030220 |
V3R1 |
The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive. |
|
| SLES-12-030230 |
V3R1 |
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. |
|
| SLES-12-030240 |
V3R1 |
The SUSE operating system SSH daemon must use privilege separation. |
|
| SLES-12-030250 |
V3R1 |
The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication. |
|
| SLES-12-030260 |
V3R1 |
The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. |
|
| SLES-12-030360 |
V3R1 |
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
|
| SLES-12-030361 |
V3R1 |
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. |
|
| SLES-12-030370 |
V3R1 |
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
|
| SLES-12-030380 |
V3R1 |
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. |
|
| SLES-12-030390 |
V3R1 |
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| SLES-12-030400 |
V3R1 |
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-12-030401 |
V3R1 |
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-12-030410 |
V3R1 |
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-12-030420 |
V3R1 |
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
|
| SLES-12-030430 |
V3R1 |
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. |
|
| SLES-12-030440 |
V3R1 |
The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. |
|
| SLES-12-030611 |
V3R1 |
The SUSE operating system must use a virus scan program. |
|
| SLES-12-030261 |
V3R1 |
The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| SLES-12-010111 |
V3R1 |
The SUSE operating system must restrict privilege elevation to authorized personnel. |
|
| SLES-12-010112 |
V3R1 |
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". |
|
| SLES-12-010631 |
V3R1 |
The SUSE operating system must not have unnecessary account capabilities. |
|
| SLES-12-030362 |
V3R1 |
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. |
|
| SLES-12-030363 |
V3R1 |
The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| SLES-12-030364 |
V3R1 |
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. |
|
| SLES-12-030365 |
V3R1 |
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. |
|
| SLES-12-010109 |
V3R1 |
The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. |
|
| SLES-12-010221 |
V3R1 |
The SUSE operating system must not have accounts configured with blank or null passwords. |
|
| SLES-15-010000 |
V2R2 |
The SUSE operating system must be a vendor-supported release. |
|
| SLES-15-010010 |
V2R2 |
Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. |
|
| SLES-15-020080 |
V2R2 |
The SUSE operating system must display the date and time of the last successful account logon upon logon. |
|
| SLES-15-020090 |
V2R2 |
The SUSE operating system must not have unnecessary accounts. |
|
| SLES-15-020091 |
V2R2 |
The SUSE operating system must not have unnecessary account capabilities. |
|
| SLES-15-020100 |
V2R2 |
The SUSE operating system root account must be the only account with unrestricted access to the system. |
|
| SLES-15-020101 |
V2R2 |
The SUSE operating system must restrict privilege elevation to authorized personnel. |
|
| SLES-15-020103 |
V2R2 |
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". |
|
| SLES-15-020110 |
V2R2 |
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. |
|
| SLES-15-020120 |
V2R2 |
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. |
|
| SLES-15-020300 |
V2R2 |
The SUSE operating system must not be configured to allow blank or null passwords. |
|
| SLES-15-030810 |
V2R2 |
The SUSE operating system must use a separate file system for the system audit data path. |
|
| SLES-15-030820 |
V2R2 |
The SUSE operating system must not disable syscall auditing. |
|
| SLES-15-040020 |
V2R2 |
There must be no .shosts files on the SUSE operating system. |
|
| SLES-15-040030 |
V2R2 |
There must be no shosts.equiv files on the SUSE operating system. |
|
| SLES-15-040040 |
V2R2 |
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). |
|
| SLES-15-040050 |
V2R2 |
The SUSE operating system file integrity tool must be configured to verify extended attributes. |
|
| SLES-15-040060 |
V2R2 |
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. |
|
| SLES-15-040061 |
V2R2 |
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. |
|
| SLES-15-040062 |
V2R2 |
The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence. |
|
| SLES-15-040070 |
V2R2 |
All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. |
|
| SLES-15-040080 |
V2R2 |
All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. |
|
| SLES-15-040090 |
V2R2 |
All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. |
|
| SLES-15-040100 |
V2R2 |
All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group. |
|
| SLES-15-040110 |
V2R2 |
All SUSE operating system local initialization files must have mode 0740 or less permissive. |
|
| SLES-15-040120 |
V2R2 |
All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. |
|
| SLES-15-040130 |
V2R2 |
All SUSE operating system local initialization files must not execute world-writable programs. |
|
| SLES-15-040140 |
V2R2 |
SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-15-040150 |
V2R2 |
SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-15-040160 |
V2R2 |
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. |
|
| SLES-15-040170 |
V2R2 |
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. |
|
| SLES-15-040180 |
V2R2 |
All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. |
|
| SLES-15-040190 |
V2R2 |
SUSE operating system kernel core dumps must be disabled unless needed. |
|
| SLES-15-040200 |
V2R2 |
A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). |
|
| SLES-15-040210 |
V2R2 |
The SUSE operating system must use a separate file system for /var. |
|
| SLES-15-040220 |
V2R2 |
The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. |
|
| SLES-15-040230 |
V2R2 |
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. |
|
| SLES-15-040240 |
V2R2 |
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. |
|
| SLES-15-040250 |
V2R2 |
The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive. |
|
| SLES-15-040260 |
V2R2 |
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. |
|
| SLES-15-040290 |
V2R2 |
The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. |
|
| SLES-15-040300 |
V2R2 |
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. |
|
| SLES-15-040310 |
V2R2 |
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. |
|
| SLES-15-040320 |
V2R2 |
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. |
|
| SLES-15-040321 |
V2R2 |
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. |
|
| SLES-15-040330 |
V2R2 |
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| SLES-15-040340 |
V2R2 |
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-15-040341 |
V2R2 |
The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. |
|
| SLES-15-040350 |
V2R2 |
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-15-040360 |
V2R2 |
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. |
|
| SLES-15-040370 |
V2R2 |
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. |
|
| SLES-15-040380 |
V2R2 |
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. |
|
| SLES-15-040381 |
V2R2 |
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. |
|
| SLES-15-040382 |
V2R2 |
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. |
|
| SLES-15-040390 |
V2R2 |
The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. |
|
| SLES-15-040400 |
V2R2 |
All SUSE operating system files and directories must have a valid owner. |
|
| SLES-15-040410 |
V2R2 |
All SUSE operating system files and directories must have a valid group owner. |
|
| SLES-15-020099 |
V2R2 |
The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. |
|
| SLES-15-020181 |
V2R2 |
The SUSE operating system must not have accounts configured with blank or null passwords. |
|
| UBTU-18-010032 |
V2R15 |
The Ubuntu operating system must display the date and time of the last successful account logon upon logon. |
|
| UBTU-18-010150 |
V2R15 |
The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. |
|
| UBTU-18-010151 |
V2R15 |
The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence. |
|
| UBTU-18-010418 |
V2R15 |
The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. |
|
| UBTU-18-010419 |
V2R15 |
The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| UBTU-18-010450 |
V2R15 |
All local interactive user home directories defined in the /etc/passwd file must exist. |
|
| UBTU-18-010451 |
V2R15 |
All local interactive user home directories must have mode 0750 or less permissive. |
|
| UBTU-18-010452 |
V2R15 |
All local interactive user home directories must be group-owned by the home directory owners primary group. |
|
| UBTU-18-010522 |
V2R15 |
The Ubuntu operating system must not have accounts configured with blank or null passwords. |
|
| UBTU-18-010523 |
V2R15 |
The Ubuntu operating system must not allow accounts configured with blank or null passwords. |
|
| UBTU-18-999999 |
V2R15 |
The Ubuntu operating system must be a vendor supported release. |
|
| UBTU-20-010048 |
V2R1 |
The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. |
|
| UBTU-20-010049 |
V2R1 |
The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| UBTU-20-010453 |
V2R1 |
The Ubuntu operating system must display the date and time of the last successful account logon upon logon. |
|
| UBTU-20-010459 |
V2R1 |
The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. |
|
| UBTU-20-010460 |
V2R1 |
The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. |
|
| UBTU-20-010462 |
V2R1 |
The Ubuntu operating system must not have accounts configured with blank or null passwords. |
|
| UBTU-20-010463 |
V2R1 |
The Ubuntu operating system must not allow accounts configured with blank or null passwords. |
|
| UBTU-22-211015 |
V2R2 |
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence. |
|
| UBTU-22-215015 |
V2R2 |
Ubuntu 22.04 LTS must have the "chrony" package installed. |
|
| UBTU-22-215020 |
V2R2 |
Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed. |
|
| UBTU-22-215025 |
V2R2 |
Ubuntu 22.04 LTS must not have the "ntp" package installed. |
|
| UBTU-22-255040 |
V2R2 |
Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. |
|
| UBTU-22-255045 |
V2R2 |
Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display. |
|
| UBTU-22-271030 |
V2R2 |
Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. |
|
| UBTU-22-412015 |
V2R2 |
Ubuntu 22.04 LTS must display the date and time of the last successful account logon upon logon. |
|
| UBTU-22-611060 |
V2R2 |
Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords. |
|
| UBTU-22-611065 |
V2R2 |
Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords. |
|
| UBTU-22-654190 |
V2R2 |
Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files. |
|
| WN10-00-000005 |
V3R2 |
Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. |
|
| WN10-00-000010 |
V3R2 |
Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
|
| WN10-00-000015 |
V3R2 |
Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
|
| WN10-00-000020 |
V3R2 |
Secure Boot must be enabled on Windows 10 systems. |
|
| WN10-00-000040 |
V3R2 |
Windows 10 systems must be maintained at a supported servicing level. |
|
| WN10-00-000045 |
V3R2 |
The Windows 10 system must use an anti-virus program. |
|
| WN10-00-000055 |
V3R2 |
Alternate operating systems must not be permitted on the same system. |
|
| WN10-00-000075 |
V3R2 |
Only accounts responsible for the backup operations must be members of the Backup Operators group. |
|
| WN10-00-000085 |
V3R2 |
Standard local user accounts must not exist on a system in a domain. |
|
| WN10-00-000130 |
V3R2 |
Software certificate installation files must be removed from Windows 10. |
|
| WN10-00-000135 |
V3R2 |
A host-based firewall must be installed and enabled on the system. |
|
| WN10-00-000140 |
V3R2 |
Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. |
|
| WN10-00-000190 |
V3R2 |
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. |
|
| WN10-00-000230 |
V3R2 |
The system must notify the user when a Bluetooth device attempts to connect. |
|
| WN10-00-000240 |
V3R2 |
Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
|
| WN10-CC-000020 |
V3R2 |
IPv6 source routing must be configured to highest protection. |
|
| WN10-CC-000025 |
V3R2 |
The system must be configured to prevent IP source routing. |
|
| WN10-CC-000030 |
V3R2 |
The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. |
|
| WN10-CC-000040 |
V3R2 |
Insecure logons to an SMB server must be disabled. |
|
| WN10-CC-000055 |
V3R2 |
Simultaneous connections to the internet or a Windows domain must be limited. |
|
| WN10-CC-000060 |
V3R2 |
Connections to non-domain networks when connected to a domain authenticated network must be blocked. |
|
| WN10-CC-000065 |
V3R2 |
Wi-Fi Sense must be disabled. |
|
| WN10-CC-000068 |
V3R2 |
Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. |
|
| WN10-CC-000070 |
V3R2 |
Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
|
| WN10-CC-000075 |
V3R2 |
Credential Guard must be running on Windows 10 domain-joined systems. |
|
| WN10-CC-000085 |
V3R2 |
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. |
|
| WN10-CC-000090 |
V3R2 |
Group Policy objects must be reprocessed even if they have not changed. |
|
| WN10-CC-000115 |
V3R2 |
Systems must at least attempt device authentication using certificates. |
|
| WN10-CC-000170 |
V3R2 |
The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. |
|
| WN10-CC-000195 |
V3R2 |
Enhanced anti-spoofing for facial recognition must be enabled on Window 10. |
|
| WN10-CC-000204 |
V3R2 |
If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. |
|
| WN10-CC-000205 |
V3R2 |
Windows Telemetry must not be configured to Full. |
|
| WN10-CC-000206 |
V3R2 |
Windows Update must not obtain updates from other PCs on the internet. |
|
| WN10-CC-000225 |
V3R2 |
File Explorer shell protocol must run in protected mode. |
|
| WN10-CC-000230 |
V3R2 |
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. |
|
| WN10-CC-000235 |
V3R2 |
Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. |
|
| WN10-CC-000238 |
V3R2 |
Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. |
|
| WN10-CC-000245 |
V3R2 |
The password manager function in the Edge browser must be disabled. |
|
| WN10-CC-000250 |
V3R2 |
The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. |
|
| WN10-CC-000255 |
V3R2 |
The use of a hardware security device with Windows Hello for Business must be enabled. |
|
| WN10-CC-000260 |
V3R2 |
Windows 10 must be configured to require a minimum pin length of six characters or greater. |
|
| WN10-CC-000295 |
V3R2 |
Attachments must be prevented from being downloaded from RSS feeds. |
|
| WN10-CC-000320 |
V3R2 |
Users must be notified if a web-based program attempts to install software. |
|
| WN10-SO-000015 |
V3R2 |
Local accounts with blank passwords must be restricted to prevent access from the network. |
|
| WN10-SO-000020 |
V3R2 |
The built-in administrator account must be renamed. |
|
| WN10-SO-000025 |
V3R2 |
The built-in guest account must be renamed. |
|
| WN10-SO-000050 |
V3R2 |
The computer account password must not be prevented from being reset. |
|
| WN10-SO-000055 |
V3R2 |
The maximum age for machine account passwords must be configured to 30 days or less. |
|
| WN10-SO-000085 |
V3R2 |
Caching of logon credentials must be limited. |
|
| WN10-SO-000095 |
V3R2 |
The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
|
| WN10-SO-000140 |
V3R2 |
Anonymous SID/Name translation must not be allowed. |
|
| WN10-SO-000145 |
V3R2 |
Anonymous enumeration of SAM accounts must not be allowed. |
|
| WN10-SO-000160 |
V3R2 |
The system must be configured to prevent anonymous users from having the same rights as the Everyone group. |
|
| WN10-SO-000180 |
V3R2 |
NTLM must be prevented from falling back to a Null session. |
|
| WN10-SO-000185 |
V3R2 |
PKU2U authentication using online identities must be prevented. |
|
| WN10-SO-000205 |
V3R2 |
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. |
|
| WN10-SO-000210 |
V3R2 |
The system must be configured to the required LDAP client signing level. |
|
| WN10-SO-000215 |
V3R2 |
The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. |
|
| WN10-SO-000220 |
V3R2 |
The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. |
|
| WN10-SO-000240 |
V3R2 |
The default permissions of global system objects must be increased. |
|
| WN10-UC-000020 |
V3R2 |
Zone information must be preserved when saving attachments. |
|
| WN10-CC-000050 |
V3R2 |
Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
|
| WN10-CC-000080 |
V3R2 |
Virtualization-based protection of code integrity must be enabled. |
|
| WN10-00-000395 |
V3R2 |
Windows 10 must not have portproxy enabled or in use. |
|
| WN10-CC-000063 |
V3R2 |
Windows 10 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance. |
|
| WN11-00-000005 |
V2R2 |
Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version. |
|
| WN11-00-000040 |
V2R2 |
Windows 11 systems must be maintained at a supported servicing level. |
|
| WN11-00-000045 |
V2R2 |
The Windows 11 system must use an antivirus program. |
|
| WN11-00-000055 |
V2R2 |
Alternate operating systems must not be permitted on the same system. |
|
| WN11-00-000075 |
V2R2 |
Only accounts responsible for the backup operations must be members of the Backup Operators group. |
|
| WN11-00-000085 |
V2R2 |
Standard local user accounts must not exist on a system in a domain. |
|
| WN11-00-000130 |
V2R2 |
Software certificate installation files must be removed from Windows 11. |
|
| WN11-00-000135 |
V2R2 |
A host-based firewall must be installed and enabled on the system. |
|
| WN11-00-000190 |
V2R2 |
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11. |
|
| WN11-00-000230 |
V2R2 |
The system must notify the user when a Bluetooth device attempts to connect. |
|
| WN11-00-000240 |
V2R2 |
Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. |
|
| WN11-CC-000020 |
V2R2 |
IPv6 source routing must be configured to highest protection. |
|
| WN11-CC-000025 |
V2R2 |
The system must be configured to prevent IP source routing. |
|
| WN11-CC-000030 |
V2R2 |
The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. |
|
| WN11-CC-000040 |
V2R2 |
Insecure logons to an SMB server must be disabled. |
|
| WN11-CC-000050 |
V2R2 |
Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
|
| WN11-CC-000060 |
V2R2 |
Connections to non-domain networks when connected to a domain authenticated network must be blocked. |
|
| WN11-CC-000065 |
V2R2 |
Wi-Fi Sense must be disabled. |
|
| WN11-CC-000068 |
V2R2 |
Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials. |
|
| WN11-CC-000070 |
V2R2 |
Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
|
| WN11-CC-000075 |
V2R2 |
Credential Guard must be running on Windows 11 domain-joined systems. |
|
| WN11-CC-000080 |
V2R2 |
Virtualization-based protection of code integrity must be enabled. |
|
| WN11-CC-000085 |
V2R2 |
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. |
|
| WN11-CC-000090 |
V2R2 |
Group Policy objects must be reprocessed even if they have not changed. |
|
| WN11-CC-000115 |
V2R2 |
Systems must at least attempt device authentication using certificates. |
|
| WN11-CC-000170 |
V2R2 |
The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. |
|
| WN11-CC-000195 |
V2R2 |
Enhanced anti-spoofing for facial recognition must be enabled on Windows 11. |
|
| WN11-CC-000204 |
V2R2 |
Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics. |
|
| WN11-CC-000206 |
V2R2 |
Windows Update must not obtain updates from other PCs on the internet. |
|
| WN11-CC-000225 |
V2R2 |
File Explorer shell protocol must run in protected mode. |
|
| WN11-CC-000255 |
V2R2 |
The use of a hardware security device with Windows Hello for Business must be enabled. |
|
| WN11-CC-000260 |
V2R2 |
Windows 11 must be configured to require a minimum pin length of six characters or greater. |
|
| WN11-CC-000295 |
V2R2 |
Attachments must be prevented from being downloaded from RSS feeds. |
|
| WN11-CC-000320 |
V2R2 |
Users must be notified if a web-based program attempts to install software. |
|
| WN11-SO-000015 |
V2R2 |
Local accounts with blank passwords must be restricted to prevent access from the network. |
|
| WN11-SO-000020 |
V2R2 |
The built-in administrator account must be renamed. |
|
| WN11-SO-000025 |
V2R2 |
The built-in guest account must be renamed. |
|
| WN11-SO-000050 |
V2R2 |
The computer account password must not be prevented from being reset. |
|
| WN11-SO-000055 |
V2R2 |
The maximum age for machine account passwords must be configured to 30 days or less. |
|
| WN11-SO-000085 |
V2R2 |
Caching of logon credentials must be limited. |
|
| WN11-SO-000095 |
V2R2 |
The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
|
| WN11-SO-000140 |
V2R2 |
Anonymous SID/Name translation must not be allowed. |
|
| WN11-SO-000145 |
V2R2 |
Anonymous enumeration of SAM accounts must not be allowed. |
|
| WN11-SO-000160 |
V2R2 |
The system must be configured to prevent anonymous users from having the same rights as the Everyone group. |
|
| WN11-SO-000180 |
V2R2 |
NTLM must be prevented from falling back to a Null session. |
|
| WN11-SO-000185 |
V2R2 |
PKU2U authentication using online identities must be prevented. |
|
| WN11-SO-000205 |
V2R2 |
The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. |
|
| WN11-SO-000210 |
V2R2 |
The system must be configured to the required LDAP client signing level. |
|
| WN11-SO-000215 |
V2R2 |
The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. |
|
| WN11-SO-000220 |
V2R2 |
The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. |
|
| WN11-SO-000240 |
V2R2 |
The default permissions of global system objects must be increased. |
|
| WN11-UC-000020 |
V2R2 |
Zone information must be preserved when saving attachments. |
|
| WN11-00-000395 |
V2R2 |
Windows 11 must not have portproxy enabled or in use. |
|
| WN11-CC-000063 |
V2R2 |
Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance. |
|
| WN16-00-000010 |
V2R9 |
Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
|
| WN16-00-000040 |
V2R9 |
Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
|
| WN16-00-000050 |
V2R9 |
Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
|
| WN16-00-000070 |
V2R9 |
Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
|
| WN16-00-000100 |
V2R9 |
Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
|
| WN16-00-000110 |
V2R9 |
Systems must be maintained at a supported servicing level. |
|
| WN16-00-000120 |
V2R9 |
The Windows Server 2016 system must use an anti-virus program. |
|
| WN16-00-000140 |
V2R9 |
Servers must have a host-based intrusion detection or prevention system. |
|
| WN16-00-000270 |
V2R9 |
Software certificate installation files must be removed from Windows Server 2016. |
|
| WN16-00-000310 |
V2R9 |
A host-based firewall must be installed and enabled on the system. |
|
| WN16-00-000430 |
V2R9 |
FTP servers must be configured to prevent anonymous logons. |
|
| WN16-00-000440 |
V2R9 |
FTP servers must be configured to prevent access to the system drive. |
|
| WN16-00-000460 |
V2R9 |
Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016. |
|
| WN16-00-000470 |
V2R9 |
Secure Boot must be enabled on Windows Server 2016 systems. |
|
| WN16-00-000480 |
V2R9 |
Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
|
| WN16-CC-000040 |
V2R9 |
Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. |
|
| WN16-CC-000050 |
V2R9 |
Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. |
|
| WN16-CC-000060 |
V2R9 |
Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. |
|
| WN16-CC-000080 |
V2R9 |
Insecure logons to an SMB server must be disabled. |
|
| WN16-CC-000090 |
V2R9 |
Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
|
| WN16-CC-000110 |
V2R9 |
Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
|
| WN16-CC-000140 |
V2R9 |
Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. |
|
| WN16-CC-000150 |
V2R9 |
Group Policy objects must be reprocessed even if they have not changed. |
|
| WN16-CC-000210 |
V2R9 |
Users must be prompted to authenticate when the system wakes from sleep (on battery). |
|
| WN16-CC-000220 |
V2R9 |
Users must be prompted to authenticate when the system wakes from sleep (plugged in). |
|
| WN16-CC-000290 |
V2R9 |
Windows Telemetry must be configured to Security or Basic. |
|
| WN16-CC-000350 |
V2R9 |
Turning off File Explorer heap termination on corruption must be disabled. |
|
| WN16-CC-000360 |
V2R9 |
File Explorer shell protocol must run in protected mode. |
|
| WN16-CC-000420 |
V2R9 |
Attachments must be prevented from being downloaded from RSS feeds. |
|
| WN16-CC-000470 |
V2R9 |
Users must be notified if a web-based program attempts to install software. |
|
| WN16-DC-000150 |
V2R9 |
Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. |
|
| WN16-DC-000330 |
V2R9 |
Domain controllers must be configured to allow reset of machine account passwords. |
|
| WN16-DC-000430 |
V2R9 |
The password for the krbtgt account on a domain must be reset at least every 180 days. |
|
| WN16-MS-000050 |
V2R9 |
Caching of logon credentials must be limited. |
|
| WN16-MS-000120 |
V2R9 |
Windows Server 2016 must be running Credential Guard on domain-joined member servers. |
|
| WN16-SO-000020 |
V2R9 |
Local accounts with blank passwords must be restricted to prevent access from the network. |
|
| WN16-SO-000030 |
V2R9 |
Windows Server 2016 built-in administrator account must be renamed. |
|
| WN16-SO-000040 |
V2R9 |
Windows Server 2016 built-in guest account must be renamed. |
|
| WN16-SO-000120 |
V2R9 |
The maximum age for machine account passwords must be configured to 30 days or less. |
|
| WN16-SO-000180 |
V2R9 |
The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
|
| WN16-SO-000250 |
V2R9 |
Anonymous SID/Name translation must not be allowed. |
|
| WN16-SO-000260 |
V2R9 |
Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. |
|
| WN16-SO-000290 |
V2R9 |
Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. |
|
| WN16-SO-000320 |
V2R9 |
Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. |
|
| WN16-SO-000330 |
V2R9 |
NTLM must be prevented from falling back to a Null session. |
|
| WN16-SO-000340 |
V2R9 |
PKU2U authentication using online identities must be prevented. |
|
| WN16-SO-000380 |
V2R9 |
The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. |
|
| WN16-SO-000390 |
V2R9 |
Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. |
|
| WN16-SO-000400 |
V2R9 |
Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN16-SO-000410 |
V2R9 |
Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN16-SO-000450 |
V2R9 |
The default permissions of global system objects must be strengthened. |
|
| WN16-UC-000030 |
V2R9 |
Zone information must be preserved when saving attachments. |
|
| WN19-00-000010 |
V3R2 |
Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
|
| WN19-00-000030 |
V3R2 |
Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
|
| WN19-00-000040 |
V3R2 |
Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
|
| WN19-00-000060 |
V3R2 |
Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
|
| WN19-00-000090 |
V3R2 |
Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
|
| WN19-00-000100 |
V3R2 |
Windows Server 2019 must be maintained at a supported servicing level. |
|
| WN19-00-000110 |
V3R2 |
Windows Server 2019 must use an anti-virus program. |
|
| WN19-00-000120 |
V3R2 |
Windows Server 2019 must have a host-based intrusion detection or prevention system. |
|
| WN19-00-000240 |
V3R2 |
Windows Server 2019 must have software certificate installation files removed. |
|
| WN19-00-000420 |
V3R2 |
Windows Server 2019 FTP servers must be configured to prevent anonymous logons. |
|
| WN19-00-000430 |
V3R2 |
Windows Server 2019 FTP servers must be configured to prevent access to the system drive. |
|
| WN19-00-000450 |
V3R2 |
Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights. |
|
| WN19-00-000460 |
V3R2 |
Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
|
| WN19-00-000470 |
V3R2 |
Windows Server 2019 must have Secure Boot enabled. |
|
| WN19-CC-000030 |
V3R2 |
Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. |
|
| WN19-CC-000040 |
V3R2 |
Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. |
|
| WN19-CC-000050 |
V3R2 |
Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. |
|
| WN19-CC-000070 |
V3R2 |
Windows Server 2019 insecure logons to an SMB server must be disabled. |
|
| WN19-CC-000080 |
V3R2 |
Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
|
| WN19-CC-000100 |
V3R2 |
Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. |
|
| WN19-CC-000110 |
V3R2 |
Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
|
| WN19-CC-000130 |
V3R2 |
Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. |
|
| WN19-CC-000140 |
V3R2 |
Windows Server 2019 group policy objects must be reprocessed even if they have not changed. |
|
| WN19-CC-000180 |
V3R2 |
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery). |
|
| WN19-CC-000190 |
V3R2 |
Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in). |
|
| WN19-CC-000250 |
V3R2 |
Windows Server 2019 Telemetry must be configured to Security or Basic. |
|
| WN19-CC-000260 |
V3R2 |
Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet. |
|
| WN19-CC-000320 |
V3R2 |
Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled. |
|
| WN19-CC-000330 |
V3R2 |
Windows Server 2019 File Explorer shell protocol must run in protected mode. |
|
| WN19-CC-000390 |
V3R2 |
Windows Server 2019 must prevent attachments from being downloaded from RSS feeds. |
|
| WN19-CC-000440 |
V3R2 |
Windows Server 2019 users must be notified if a web-based program attempts to install software. |
|
| WN19-DC-000150 |
V3R2 |
Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. |
|
| WN19-DC-000330 |
V3R2 |
Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords. |
|
| WN19-DC-000430 |
V3R2 |
The password for the krbtgt account on a domain must be reset at least every 180 days. |
|
| WN19-MS-000050 |
V3R2 |
Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers. |
|
| WN19-MS-000140 |
V3R2 |
Windows Server 2019 must be running Credential Guard on domain-joined member servers. |
|
| WN19-SO-000020 |
V3R2 |
Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. |
|
| WN19-SO-000030 |
V3R2 |
Windows Server 2019 built-in administrator account must be renamed. |
|
| WN19-SO-000040 |
V3R2 |
Windows Server 2019 built-in guest account must be renamed. |
|
| WN19-SO-000100 |
V3R2 |
Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. |
|
| WN19-SO-000150 |
V3R2 |
Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
|
| WN19-SO-000210 |
V3R2 |
Windows Server 2019 must not allow anonymous SID/Name translation. |
|
| WN19-SO-000220 |
V3R2 |
Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. |
|
| WN19-SO-000240 |
V3R2 |
Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group. |
|
| WN19-SO-000260 |
V3R2 |
Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. |
|
| WN19-SO-000270 |
V3R2 |
Windows Server 2019 must prevent NTLM from falling back to a Null session. |
|
| WN19-SO-000280 |
V3R2 |
Windows Server 2019 must prevent PKU2U authentication using online identities. |
|
| WN19-SO-000310 |
V3R2 |
Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. |
|
| WN19-SO-000320 |
V3R2 |
Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing. |
|
| WN19-SO-000330 |
V3R2 |
Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN19-SO-000340 |
V3R2 |
Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN19-SO-000370 |
V3R2 |
Windows Server 2019 default permissions of global system objects must be strengthened. |
|
| WN19-UC-000010 |
V3R2 |
Windows Server 2019 must preserve zone information when saving attachments. |
|
| WN19-00-000280 |
V3R2 |
Windows Server 2019 must have a host-based firewall installed and enabled. |
|
| WN22-00-000010 |
V2R2 |
Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
|
| WN22-00-000030 |
V2R2 |
Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. |
|
| WN22-00-000040 |
V2R2 |
Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
|
| WN22-00-000060 |
V2R2 |
Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
|
| WN22-00-000090 |
V2R2 |
Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
|
| WN22-00-000100 |
V2R2 |
Windows Server 2022 must be maintained at a supported servicing level. |
|
| WN22-00-000110 |
V2R2 |
Windows Server 2022 must use an antivirus program. |
|
| WN22-00-000120 |
V2R2 |
Windows Server 2022 must have a host-based intrusion detection or prevention system. |
|
| WN22-00-000240 |
V2R2 |
Windows Server 2022 must have software certificate installation files removed. |
|
| WN22-00-000280 |
V2R2 |
Windows Server 2022 must have a host-based firewall installed and enabled. |
|
| WN22-00-000420 |
V2R2 |
Windows Server 2022 FTP servers must be configured to prevent anonymous logons. |
|
| WN22-00-000430 |
V2R2 |
Windows Server 2022 FTP servers must be configured to prevent access to the system drive. |
|
| WN22-00-000450 |
V2R2 |
Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights. |
|
| WN22-00-000460 |
V2R2 |
Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
|
| WN22-00-000470 |
V2R2 |
Windows Server 2022 must have Secure Boot enabled. |
|
| WN22-CC-000030 |
V2R2 |
Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. |
|
| WN22-CC-000040 |
V2R2 |
Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. |
|
| WN22-CC-000050 |
V2R2 |
Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. |
|
| WN22-CC-000070 |
V2R2 |
Windows Server 2022 insecure logons to an SMB server must be disabled. |
|
| WN22-CC-000080 |
V2R2 |
Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
|
| WN22-CC-000100 |
V2R2 |
Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials. |
|
| WN22-CC-000110 |
V2R2 |
Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
|
| WN22-CC-000130 |
V2R2 |
Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. |
|
| WN22-CC-000140 |
V2R2 |
Windows Server 2022 group policy objects must be reprocessed even if they have not changed. |
|
| WN22-CC-000180 |
V2R2 |
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery). |
|
| WN22-CC-000190 |
V2R2 |
Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in). |
|
| WN22-CC-000250 |
V2R2 |
Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data". |
|
| WN22-CC-000260 |
V2R2 |
Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet. |
|
| WN22-CC-000320 |
V2R2 |
Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled. |
|
| WN22-CC-000330 |
V2R2 |
Windows Server 2022 File Explorer shell protocol must run in protected mode. |
|
| WN22-CC-000390 |
V2R2 |
Windows Server 2022 must prevent attachments from being downloaded from RSS feeds. |
|
| WN22-CC-000440 |
V2R2 |
Windows Server 2022 users must be notified if a web-based program attempts to install software. |
|
| WN22-DC-000150 |
V2R2 |
Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. |
|
| WN22-DC-000330 |
V2R2 |
Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords. |
|
| WN22-DC-000430 |
V2R2 |
The password for the krbtgt account on a domain must be reset at least every 180 days. |
|
| WN22-MS-000050 |
V2R2 |
Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers. |
|
| WN22-MS-000140 |
V2R2 |
Windows Server 2022 must be running Credential Guard on domain-joined member servers. |
|
| WN22-SO-000020 |
V2R2 |
Windows Server 2022 must prevent local accounts with blank passwords from being used from the network. |
|
| WN22-SO-000030 |
V2R2 |
Windows Server 2022 built-in administrator account must be renamed. |
|
| WN22-SO-000040 |
V2R2 |
Windows Server 2022 built-in guest account must be renamed. |
|
| WN22-SO-000100 |
V2R2 |
Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. |
|
| WN22-SO-000150 |
V2R2 |
Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
|
| WN22-SO-000210 |
V2R2 |
Windows Server 2022 must not allow anonymous SID/Name translation. |
|
| WN22-SO-000220 |
V2R2 |
Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. |
|
| WN22-SO-000240 |
V2R2 |
Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group. |
|
| WN22-SO-000260 |
V2R2 |
Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. |
|
| WN22-SO-000270 |
V2R2 |
Windows Server 2022 must prevent NTLM from falling back to a Null session. |
|
| WN22-SO-000280 |
V2R2 |
Windows Server 2022 must prevent PKU2U authentication using online identities. |
|
| WN22-SO-000310 |
V2R2 |
Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. |
|
| WN22-SO-000320 |
V2R2 |
Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing. |
|
| WN22-SO-000330 |
V2R2 |
Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN22-SO-000340 |
V2R2 |
Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. |
|
| WN22-SO-000370 |
V2R2 |
Windows Server 2022 default permissions of global system objects must be strengthened. |
|
| WN22-UC-000010 |
V2R2 |
Windows Server 2022 must preserve zone information when saving attachments. |
|