SRG-OS-000480-GPOS-00227 Controls

STIG ID Version Title Product
OL07-00-010020 V2R10 The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
OL07-00-010290 V2R10 The Oracle Linux operating system must not allow accounts configured with blank or null passwords.
OL07-00-020230 V2R10 The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
OL07-00-020250 V2R10 The Oracle Linux operating system must be a vendor supported release.
OL07-00-020260 V2R10 The Oracle Linux operating system security patches and updates must be installed and up to date.
OL07-00-020270 V2R10 The Oracle Linux operating system must not have unnecessary accounts.
OL07-00-020310 V2R10 The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
OL07-00-020320 V2R10 The Oracle Linux operating system must be configured so that all files and directories have a valid owner.
OL07-00-020330 V2R10 The Oracle Linux operating system must be configured so that all files and directories have a valid group owner.
OL07-00-020610 V2R10 The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
OL07-00-020620 V2R10 The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
OL07-00-020630 V2R10 The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
OL07-00-020640 V2R10 The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
OL07-00-020650 V2R10 The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group.
OL07-00-020660 V2R10 The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
OL07-00-020670 V2R10 The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
OL07-00-020680 V2R10 The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
OL07-00-020690 V2R10 The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
OL07-00-020700 V2R10 The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root.
OL07-00-020710 V2R10 The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
OL07-00-020720 V2R10 The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory.
OL07-00-020730 V2R10 The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs.
OL07-00-020900 V2R10 The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
OL07-00-021000 V2R10 The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
OL07-00-021010 V2R10 The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL07-00-021020 V2R10 The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
OL07-00-021021 V2R10 The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
OL07-00-021030 V2R10 The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
OL07-00-021040 V2R10 The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts.
OL07-00-021100 V2R10 The Oracle Linux operating system must have cron logging implemented.
OL07-00-021110 V2R10 The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
OL07-00-021120 V2R10 The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
OL07-00-021300 V2R10 The Oracle Linux operating system must disable Kernel core dumps unless needed.
OL07-00-021310 V2R10 The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
OL07-00-021320 V2R10 The Oracle Linux operating system must use a separate file system for /var.
OL07-00-021340 V2R10 The Oracle Linux operating system must use a separate file system for /tmp (or equivalent).
OL07-00-021600 V2R10 The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
OL07-00-021610 V2R10 The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
OL07-00-021620 V2R10 The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
OL07-00-031000 V2R10 The Oracle Linux operating system must send rsyslog output to a log aggregation server.
OL07-00-031010 V2R10 The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
OL07-00-032000 V2R10 The Oracle Linux operating system must use a virus scan program.
OL07-00-040330 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
OL07-00-040350 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
OL07-00-040360 V2R10 The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
OL07-00-040370 V2R10 The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH.
OL07-00-040380 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
OL07-00-040410 V2R10 The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
OL07-00-040420 V2R10 The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive.
OL07-00-040450 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
OL07-00-040460 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.
OL07-00-040470 V2R10 The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
OL07-00-040520 V2R10 The Oracle Linux operating system must enable an application firewall, if available.
OL07-00-040530 V2R10 The Oracle Linux operating system must display the date and time of the last successful account logon upon logon.
OL07-00-040540 V2R10 The Oracle Linux operating system must not contain .shosts files.
OL07-00-040550 V2R10 The Oracle Linux operating system must not contain shosts.equiv files.
OL07-00-040600 V2R10 For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured.
OL07-00-040610 V2R10 The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
OL07-00-040611 V2R10 The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
OL07-00-040612 V2R10 The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
OL07-00-040620 V2R10 The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
OL07-00-040630 V2R10 The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL07-00-040640 V2R10 The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL07-00-040641 V2R10 The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
OL07-00-040650 V2R10 The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
OL07-00-040660 V2R10 The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
OL07-00-040670 V2R10 Network interfaces configured on the Oracle Linux operating system must not be in promiscuous mode.
OL07-00-040680 V2R10 The Oracle Linux operating system must be configured to prevent unrestricted mail relaying.
OL07-00-040690 V2R10 The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
OL07-00-040700 V2R10 The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
OL07-00-040710 V2R10 The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
OL07-00-040720 V2R10 The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
OL07-00-040730 V2R10 The Oracle Linux operating system must not have a graphical display manager installed unless approved.
OL07-00-040740 V2R10 The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.
OL07-00-040750 V2R10 The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
OL07-00-040800 V2R10 SNMP community strings on the Oracle Linux operating system must be changed from the default.
OL07-00-040810 V2R10 The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
OL07-00-040820 V2R10 The Oracle Linux operating system must not have unauthorized IP tunnels configured.
OL07-00-040830 V2R10 The Oracle Linux operating system must not forward IPv6 source-routed packets.
OL07-00-020231 V2R10 The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
OL07-00-021031 V2R10 The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
OL07-00-040711 V2R10 The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
OL07-00-010341 V2R10 The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
OL07-00-010342 V2R10 The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
OL07-00-010291 V2R10 The Oracle Linux operating system must not have accounts configured with blank or null passwords.
OL07-00-010339 V2R10 The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file.
WN10-00-000005 V3R1 Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
WN10-00-000010 V3R1 Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN10-00-000015 V3R1 Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN10-00-000020 V3R1 Secure Boot must be enabled on Windows 10 systems.
WN10-00-000040 V3R1 Windows 10 systems must be maintained at a supported servicing level.
WN10-00-000045 V3R1 The Windows 10 system must use an anti-virus program.
WN10-00-000055 V3R1 Alternate operating systems must not be permitted on the same system.
WN10-00-000075 V3R1 Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN10-00-000085 V3R1 Standard local user accounts must not exist on a system in a domain.
WN10-00-000130 V3R1 Software certificate installation files must be removed from Windows 10.
WN10-00-000135 V3R1 A host-based firewall must be installed and enabled on the system.
WN10-00-000140 V3R1 Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
WN10-00-000190 V3R1 Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
WN10-00-000230 V3R1 The system must notify the user when a Bluetooth device attempts to connect.
WN10-00-000240 V3R1 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN10-CC-000020 V3R1 IPv6 source routing must be configured to highest protection.
WN10-CC-000025 V3R1 The system must be configured to prevent IP source routing.
WN10-CC-000030 V3R1 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN10-CC-000040 V3R1 Insecure logons to an SMB server must be disabled.
WN10-CC-000055 V3R1 Simultaneous connections to the internet or a Windows domain must be limited.
WN10-CC-000060 V3R1 Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN10-CC-000065 V3R1 Wi-Fi Sense must be disabled.
WN10-CC-000068 V3R1 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN10-CC-000070 V3R1 Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN10-CC-000075 V3R1 Credential Guard must be running on Windows 10 domain-joined systems.
WN10-CC-000085 V3R1 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN10-CC-000090 V3R1 Group Policy objects must be reprocessed even if they have not changed.
WN10-CC-000115 V3R1 Systems must at least attempt device authentication using certificates.
WN10-CC-000170 V3R1 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN10-CC-000195 V3R1 Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
WN10-CC-000204 V3R1 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
WN10-CC-000205 V3R1 Windows Telemetry must not be configured to Full.
WN10-CC-000206 V3R1 Windows Update must not obtain updates from other PCs on the internet.
WN10-CC-000225 V3R1 File Explorer shell protocol must run in protected mode.
WN10-CC-000230 V3R1 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
WN10-CC-000235 V3R1 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
WN10-CC-000238 V3R1 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
WN10-CC-000245 V3R1 The password manager function in the Edge browser must be disabled.
WN10-CC-000250 V3R1 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
WN10-CC-000255 V3R1 The use of a hardware security device with Windows Hello for Business must be enabled.
WN10-CC-000260 V3R1 Windows 10 must be configured to require a minimum pin length of six characters or greater.
WN10-CC-000295 V3R1 Attachments must be prevented from being downloaded from RSS feeds.
WN10-CC-000320 V3R1 Users must be notified if a web-based program attempts to install software.
WN10-SO-000015 V3R1 Local accounts with blank passwords must be restricted to prevent access from the network.
WN10-SO-000020 V3R1 The built-in administrator account must be renamed.
WN10-SO-000025 V3R1 The built-in guest account must be renamed.
WN10-SO-000050 V3R1 The computer account password must not be prevented from being reset.
WN10-SO-000055 V3R1 The maximum age for machine account passwords must be configured to 30 days or less.
WN10-SO-000085 V3R1 Caching of logon credentials must be limited.
WN10-SO-000095 V3R1 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN10-SO-000140 V3R1 Anonymous SID/Name translation must not be allowed.
WN10-SO-000145 V3R1 Anonymous enumeration of SAM accounts must not be allowed.
WN10-SO-000160 V3R1 The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN10-SO-000180 V3R1 NTLM must be prevented from falling back to a Null session.
WN10-SO-000185 V3R1 PKU2U authentication using online identities must be prevented.
WN10-SO-000205 V3R1 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN10-SO-000210 V3R1 The system must be configured to the required LDAP client signing level.
WN10-SO-000215 V3R1 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN10-SO-000220 V3R1 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN10-SO-000240 V3R1 The default permissions of global system objects must be increased.
WN10-UC-000020 V3R1 Zone information must be preserved when saving attachments.
WN10-CC-000050 V3R1 Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN10-CC-000080 V3R1 Virtualization-based protection of code integrity must be enabled.
WN10-00-000395 V3R1 Windows 10 must not have portproxy enabled or in use.
SLES-15-010000 V1R13 The SUSE operating system must be a vendor-supported release.
SLES-15-010010 V1R13 Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-15-020080 V1R13 The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-15-020090 V1R13 The SUSE operating system must not have unnecessary accounts.
SLES-15-020091 V1R13 The SUSE operating system must not have unnecessary account capabilities.
SLES-15-020100 V1R13 The SUSE operating system root account must be the only account with unrestricted access to the system.
SLES-15-020101 V1R13 The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-15-020103 V1R13 The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-15-020110 V1R13 All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-15-020120 V1R13 The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-15-020300 V1R13 The SUSE operating system must not be configured to allow blank or null passwords.
SLES-15-030810 V1R13 The SUSE operating system must use a separate file system for the system audit data path.
SLES-15-030820 V1R13 The SUSE operating system must not disable syscall auditing.
SLES-15-040020 V1R13 There must be no .shosts files on the SUSE operating system.
SLES-15-040030 V1R13 There must be no shosts.equiv files on the SUSE operating system.
SLES-15-040040 V1R13 The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-15-040050 V1R13 The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-15-040060 V1R13 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-15-040061 V1R13 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-15-040062 V1R13 The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
SLES-15-040070 V1R13 All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-15-040080 V1R13 All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-15-040090 V1R13 All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-15-040100 V1R13 All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SLES-15-040110 V1R13 All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-15-040120 V1R13 All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory.
SLES-15-040130 V1R13 All SUSE operating system local initialization files must not execute world-writable programs.
SLES-15-040140 V1R13 SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040150 V1R13 SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040160 V1R13 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040170 V1R13 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-15-040180 V1R13 All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-15-040190 V1R13 SUSE operating system kernel core dumps must be disabled unless needed.
SLES-15-040200 V1R13 A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-15-040210 V1R13 The SUSE operating system must use a separate file system for /var.
SLES-15-040220 V1R13 The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-15-040230 V1R13 The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-15-040240 V1R13 The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-15-040250 V1R13 The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-15-040260 V1R13 The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-15-040290 V1R13 The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-15-040300 V1R13 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-15-040310 V1R13 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-15-040320 V1R13 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-15-040321 V1R13 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-15-040330 V1R13 The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040340 V1R13 The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040341 V1R13 The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040350 V1R13 The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040360 V1R13 The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040370 V1R13 The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-15-040380 V1R13 The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-15-040381 V1R13 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-15-040382 V1R13 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-15-040390 V1R13 The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-15-040400 V1R13 All SUSE operating system files and directories must have a valid owner.
SLES-15-040410 V1R13 All SUSE operating system files and directories must have a valid group owner.
SLES-15-020099 V1R13 The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-15-020181 V1R13 The SUSE operating system must not have accounts configured with blank or null passwords.
RHEL-09-211010 V1R2 RHEL 9 must be a vendor-supported release.
RHEL-09-211015 V1R2 RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
RHEL-09-211030 V1R2 The graphical display manager must not be the default target on RHEL 9 unless approved.
RHEL-09-211035 V1R2 RHEL 9 must enable the hardware random number generator entropy gatherer service.
RHEL-09-212015 V1R2 RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
RHEL-09-212025 V1R2 RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
RHEL-09-212030 V1R2 RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
RHEL-09-212035 V1R2 RHEL 9 must disable virtual system calls.
RHEL-09-212040 V1R2 RHEL 9 must clear the page allocator to prevent use-after-free attacks.
RHEL-09-213020 V1R2 RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL-09-213040 V1R2 RHEL 9 must disable the kernel.core_pattern.
RHEL-09-213085 V1R2 RHEL 9 must disable core dump backtraces.
RHEL-09-213090 V1R2 RHEL 9 must disable storing core dumps.
RHEL-09-213095 V1R2 RHEL 9 must disable core dumps for all users.
RHEL-09-213100 V1R2 RHEL 9 must disable acquiring, saving, and processing core dumps.
RHEL-09-213105 V1R2 RHEL 9 must disable the use of user namespaces.
RHEL-09-213115 V1R2 The kdump service on RHEL 9 must be disabled.
RHEL-09-214030 V1R2 RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
RHEL-09-215020 V1R2 RHEL 9 must not have the sendmail package installed.
RHEL-09-215060 V1R2 RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
RHEL-09-215065 V1R2 RHEL 9 must not have the quagga package installed.
RHEL-09-215070 V1R2 A graphical display manager must not be installed on RHEL 9 unless approved.
RHEL-09-215080 V1R2 RHEL 9 must have the gnutls-utils package installed.
RHEL-09-215085 V1R2 RHEL 9 must have the nss-tools package installed.
RHEL-09-215090 V1R2 RHEL 9 must have the rng-tools package installed.
RHEL-09-231010 V1R2 A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
RHEL-09-231015 V1R2 RHEL 9 must use a separate file system for /tmp.
RHEL-09-231020 V1R2 RHEL 9 must use a separate file system for /var.
RHEL-09-231025 V1R2 RHEL 9 must use a separate file system for /var/log.
RHEL-09-231035 V1R2 RHEL 9 must use a separate file system for /var/tmp.
RHEL-09-231055 V1R2 RHEL 9 must prevent code from being executed on file systems that contain user home directories.
RHEL-09-231060 V1R2 RHEL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
RHEL-09-231065 V1R2 RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-09-231070 V1R2 RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231075 V1R2 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231080 V1R2 RHEL 9 must prevent code from being executed on file systems that are used with removable media.
RHEL-09-231085 V1R2 RHEL 9 must prevent special devices on file systems that are used with removable media.
RHEL-09-231090 V1R2 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-09-231200 V1R2 RHEL 9 must prevent special devices on non-root local partitions.
RHEL-09-232040 V1R2 RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
RHEL-09-232045 V1R2 All RHEL 9 local initialization files must have mode 0740 or less permissive.
RHEL-09-232050 V1R2 All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
RHEL-09-232055 V1R2 RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232060 V1R2 RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232065 V1R2 RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232070 V1R2 RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232075 V1R2 RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232080 V1R2 RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232085 V1R2 RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232090 V1R2 RHEL 9 /etc/group file must be owned by root.
RHEL-09-232095 V1R2 RHEL 9 /etc/group file must be group-owned by root.
RHEL-09-232100 V1R2 RHEL 9 /etc/group- file must be owned by root.
RHEL-09-232105 V1R2 RHEL 9 /etc/group- file must be group-owned by root.
RHEL-09-232110 V1R2 RHEL 9 /etc/gshadow file must be owned by root.
RHEL-09-232115 V1R2 RHEL 9 /etc/gshadow file must be group-owned by root.
RHEL-09-232120 V1R2 RHEL 9 /etc/gshadow- file must be owned by root.
RHEL-09-232125 V1R2 RHEL 9 /etc/gshadow- file must be group-owned by root.
RHEL-09-232130 V1R2 RHEL 9 /etc/passwd file must be owned by root.
RHEL-09-232135 V1R2 RHEL 9 /etc/passwd file must be group-owned by root.
RHEL-09-232140 V1R2 RHEL 9 /etc/passwd- file must be owned by root.
RHEL-09-232145 V1R2 RHEL 9 /etc/passwd- file must be group-owned by root.
RHEL-09-232150 V1R2 RHEL 9 /etc/shadow file must be owned by root.
RHEL-09-232155 V1R2 RHEL 9 /etc/shadow file must be group-owned by root.
RHEL-09-232160 V1R2 RHEL 9 /etc/shadow- file must be owned by root.
RHEL-09-232165 V1R2 RHEL 9 /etc/shadow- file must be group-owned by root.
RHEL-09-232230 V1R2 RHEL 9 cron configuration files directory must be owned by root.
RHEL-09-232235 V1R2 RHEL 9 cron configuration files directory must be group-owned by root.
RHEL-09-232240 V1R2 All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-09-232250 V1R2 All RHEL 9 local files and directories must have a valid group owner.
RHEL-09-232255 V1R2 All RHEL 9 local files and directories must have a valid owner.
RHEL-09-232260 V1R2 RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-09-232265 V1R2 RHEL 9 /etc/crontab file must have mode 0600.
RHEL-09-232270 V1R2 RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
RHEL-09-251020 V1R2 A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
RHEL-09-251040 V1R2 RHEL 9 network interfaces must not be in promiscuous mode.
RHEL-09-251045 V1R2 RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
RHEL-09-252035 V1R2 RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
RHEL-09-252040 V1R2 RHEL 9 must configure a DNS processing mode set by Network Manager.
RHEL-09-252045 V1R2 RHEL 9 must not have unauthorized IP tunnels configured.
RHEL-09-252050 V1R2 RHEL 9 must be configured to prevent unrestricted mail relaying.
RHEL-09-252055 V1R2 If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode.
RHEL-09-252065 V1R2 RHEL 9 libreswan package must be installed.
RHEL-09-252070 V1R2 There must be no shosts.equiv files on RHEL 9.
RHEL-09-252075 V1R2 There must be no .shosts files on RHEL 9.
RHEL-09-253010 V1R2 RHEL 9 must be configured to use TCP syncookies.
RHEL-09-253015 V1R2 RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-253020 V1R2 RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-09-253025 V1R2 RHEL 9 must log IPv4 packets with impossible addresses.
RHEL-09-253030 V1R2 RHEL 9 must log IPv4 packets with impossible addresses by default.
RHEL-09-253035 V1R2 RHEL 9 must use reverse path filtering on all IPv4 interfaces.
RHEL-09-253040 V1R2 RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-253045 V1R2 RHEL 9 must not forward IPv4 source-routed packets by default.
RHEL-09-253050 V1R2 RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-09-253055 V1R2 RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-09-253060 V1R2 RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
RHEL-09-253065 V1R2 RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-09-253070 V1R2 RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-09-253075 V1R2 RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-09-254010 V1R2 RHEL 9 must not accept router advertisements on all IPv6 interfaces.
RHEL-09-254015 V1R2 RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-254020 V1R2 RHEL 9 must not forward IPv6 source-routed packets.
RHEL-09-254025 V1R2 RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-09-254030 V1R2 RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-09-254035 V1R2 RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-254040 V1R2 RHEL 9 must not forward IPv6 source-routed packets by default.
RHEL-09-255020 V1R2 RHEL 9 must have the openssh-clients package installed.
RHEL-09-255105 V1R2 RHEL 9 SSH server configuration file must be group-owned by root.
RHEL-09-255110 V1R2 RHEL 9 SSH server configuration file must be owned by root.
RHEL-09-255115 V1R2 RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
RHEL-09-255120 V1R2 RHEL 9 SSH private host key files must have mode 0640 or less permissive.
RHEL-09-255125 V1R2 RHEL 9 SSH public host key files must have mode 0644 or less permissive.
RHEL-09-255130 V1R2 RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-09-255145 V1R2 RHEL 9 SSH daemon must not allow rhosts authentication.
RHEL-09-255150 V1R2 RHEL 9 SSH daemon must not allow known hosts authentication.
RHEL-09-255155 V1R2 RHEL 9 SSH daemon must disable remote X connections for interactive users.
RHEL-09-255160 V1R2 RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-09-255165 V1R2 RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
RHEL-09-255170 V1R2 RHEL 9 SSH daemon must be configured to use privilege separation.
RHEL-09-255175 V1R2 RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-09-271090 V1R2 RHEL 9 effective dconf policy must match the policy keyfiles.
RHEL-09-271095 V1R2 RHEL 9 must disable the ability of a user to restart the system from the login screen.
RHEL-09-271100 V1R2 RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
RHEL-09-271105 V1R2 RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
RHEL-09-271110 V1R2 RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
RHEL-09-271115 V1R2 RHEL 9 must disable the user list at logon for graphical user interfaces.
RHEL-09-411020 V1R2 All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
RHEL-09-411025 V1R2 RHEL 9 must set the umask value to 077 for all local interactive user accounts.
RHEL-09-411035 V1R2 RHEL 9 system accounts must not have an interactive login shell.
RHEL-09-411055 V1R2 Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the user's home directory.
RHEL-09-411060 V1R2 All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-09-411065 V1R2 All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-09-411070 V1R2 All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
RHEL-09-411095 V1R2 RHEL 9 must not have unauthorized accounts.
RHEL-09-411100 V1R2 The root account must be the only account having unrestricted access to RHEL 9 system.
RHEL-09-411115 V1R2 Local RHEL 9 initialization files must not execute world-writable programs.
RHEL-09-412075 V1R2 RHEL 9 must display the date and time of the last successful account logon upon logon.
RHEL-09-431025 V1R2 RHEL 9 must have policycoreutils package installed.
RHEL-09-431030 V1R2 RHEL 9 policycoreutils-python-utils package must be installed.
RHEL-09-432020 V1R2 RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-09-432030 V1R2 RHEL 9 must restrict privilege elevation to authorized personnel.
RHEL-09-611025 V1R2 RHEL 9 must not allow blank or null passwords.
RHEL-09-611045 V1R2 RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
RHEL-09-611155 V1R2 RHEL 9 must not have accounts configured with blank or null passwords.
RHEL-09-651020 V1R2 RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
RHEL-09-651030 V1R2 RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
RHEL-09-651035 V1R2 RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
RHEL-09-652015 V1R2 RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
RHEL-09-652020 V1R2 The rsyslog service on RHEL 9 must be active.
RHEL-09-652025 V1R2 RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-09-652060 V1R2 RHEL 9 must use cron logging.
RHEL-09-653105 V1R2 RHEL 9 must write audit records to disk.
WN16-00-000010 V2R7 Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN16-00-000040 V2R7 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN16-00-000050 V2R7 Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN16-00-000070 V2R7 Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN16-00-000100 V2R7 Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN16-00-000110 V2R7 Systems must be maintained at a supported servicing level.
WN16-00-000120 V2R7 The Windows Server 2016 system must use an anti-virus program.
WN16-00-000140 V2R7 Servers must have a host-based intrusion detection or prevention system.
WN16-00-000270 V2R7 Software certificate installation files must be removed from Windows Server 2016.
WN16-00-000310 V2R7 A host-based firewall must be installed and enabled on the system.
WN16-00-000430 V2R7 FTP servers must be configured to prevent anonymous logons.
WN16-00-000440 V2R7 FTP servers must be configured to prevent access to the system drive.
WN16-00-000460 V2R7 Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
WN16-00-000470 V2R7 Secure Boot must be enabled on Windows Server 2016 systems.
WN16-00-000480 V2R7 Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN16-CC-000040 V2R7 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN16-CC-000050 V2R7 Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN16-CC-000060 V2R7 Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN16-CC-000080 V2R7 Insecure logons to an SMB server must be disabled.
WN16-CC-000090 V2R7 Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN16-CC-000110 V2R7 Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN16-CC-000140 V2R7 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN16-CC-000150 V2R7 Group Policy objects must be reprocessed even if they have not changed.
WN16-CC-000210 V2R7 Users must be prompted to authenticate when the system wakes from sleep (on battery).
WN16-CC-000220 V2R7 Users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN16-CC-000290 V2R7 Windows Telemetry must be configured to Security or Basic.
WN16-CC-000350 V2R7 Turning off File Explorer heap termination on corruption must be disabled.
WN16-CC-000360 V2R7 File Explorer shell protocol must run in protected mode.
WN16-CC-000420 V2R7 Attachments must be prevented from being downloaded from RSS feeds.
WN16-CC-000470 V2R7 Users must be notified if a web-based program attempts to install software.
WN16-DC-000150 V2R7 Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN16-DC-000330 V2R7 Domain controllers must be configured to allow reset of machine account passwords.
WN16-DC-000430 V2R7 The password for the krbtgt account on a domain must be reset at least every 180 days.
WN16-MS-000050 V2R7 Caching of logon credentials must be limited.
WN16-MS-000120 V2R7 Windows Server 2016 must be running Credential Guard on domain-joined member servers.
WN16-SO-000020 V2R7 Local accounts with blank passwords must be restricted to prevent access from the network.
WN16-SO-000030 V2R7 Windows Server 2016 built-in administrator account must be renamed.
WN16-SO-000040 V2R7 Windows Server 2016 built-in guest account must be renamed.
WN16-SO-000120 V2R7 The maximum age for machine account passwords must be configured to 30 days or less.
WN16-SO-000180 V2R7 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN16-SO-000250 V2R7 Anonymous SID/Name translation must not be allowed.
WN16-SO-000260 V2R7 Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
WN16-SO-000290 V2R7 Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN16-SO-000320 V2R7 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN16-SO-000330 V2R7 NTLM must be prevented from falling back to a Null session.
WN16-SO-000340 V2R7 PKU2U authentication using online identities must be prevented.
WN16-SO-000380 V2R7 The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
WN16-SO-000390 V2R7 Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
WN16-SO-000400 V2R7 Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000410 V2R7 Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000450 V2R7 The default permissions of global system objects must be strengthened.
WN16-UC-000030 V2R7 Zone information must be preserved when saving attachments.
RHEL-07-010290 V3R9 The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
RHEL-07-020230 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
RHEL-07-020231 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
RHEL-07-020250 V3R9 The Red Hat Enterprise Linux operating system must be a vendor supported release.
RHEL-07-020260 V3R9 The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.
RHEL-07-020270 V3R9 The Red Hat Enterprise Linux operating system must not have unnecessary accounts.
RHEL-07-020310 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
RHEL-07-020320 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.
RHEL-07-020330 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.
RHEL-07-020610 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
RHEL-07-020620 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
RHEL-07-020630 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
RHEL-07-020640 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
RHEL-07-020650 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group.
RHEL-07-020660 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
RHEL-07-020670 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
RHEL-07-020680 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
RHEL-07-020690 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
RHEL-07-020700 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root.
RHEL-07-020710 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
RHEL-07-020720 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files' executable search paths contain only paths that resolve to the user's home directory.
RHEL-07-020730 V3R9 The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.
RHEL-07-020900 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-07-021000 V3R9 The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
RHEL-07-021010 V3R9 The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-07-021020 V3R9 The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021021 V3R9 The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021030 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
RHEL-07-021040 V3R9 The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
RHEL-07-021100 V3R9 The Red Hat Enterprise Linux operating system must have cron logging implemented.
RHEL-07-021110 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
RHEL-07-021120 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
RHEL-07-021300 V3R9 The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.
RHEL-07-021310 V3R9 The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
RHEL-07-021320 V3R9 The Red Hat Enterprise Linux operating system must use a separate file system for /var.
RHEL-07-021330 V3R9 The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
RHEL-07-021340 V3R9 The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
RHEL-07-021600 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
RHEL-07-021610 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
RHEL-07-021620 V3R9 The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
RHEL-07-031000 V3R9 The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.
RHEL-07-031010 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-07-040201 V3R9 The Red Hat Enterprise Linux operating system must implement virtual address space randomization.
RHEL-07-040330 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
RHEL-07-040350 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
RHEL-07-040360 V3R9 The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
RHEL-07-040370 V3R9 The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
RHEL-07-040380 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
RHEL-07-040410 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
RHEL-07-040420 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.
RHEL-07-040450 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
RHEL-07-040460 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
RHEL-07-040470 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
RHEL-07-040520 V3R9 The Red Hat Enterprise Linux operating system must enable an application firewall, if available.
RHEL-07-040530 V3R9 The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.
RHEL-07-040540 V3R9 The Red Hat Enterprise Linux operating system must not contain .shosts files.
RHEL-07-040550 V3R9 The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.
RHEL-07-040600 V3R9 For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.
RHEL-07-040610 V3R9 The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-07-040611 V3R9 The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RHEL-07-040612 V3R9 The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-07-040620 V3R9 The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RHEL-07-040630 V3R9 The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-07-040640 V3R9 The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-07-040641 V3R9 The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-07-040650 V3R9 The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
RHEL-07-040660 V3R9 The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RHEL-07-040670 V3R9 Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.
RHEL-07-040680 V3R9 The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.
RHEL-07-040690 V3R9 The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
RHEL-07-040700 V3R9 The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
RHEL-07-040710 V3R9 The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
RHEL-07-040720 V3R9 The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
RHEL-07-040730 V3R9 The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
RHEL-07-040740 V3R9 The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
RHEL-07-040750 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
RHEL-07-040800 V3R9 SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
RHEL-07-040810 V3R9 The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
RHEL-07-040820 V3R9 The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.
RHEL-07-040830 V3R9 The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.
RHEL-07-010020 V3R9 The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
RHEL-07-020019 V3R9 The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
RHEL-07-032000 V3R9 The Red Hat Enterprise Linux operating system must use a virus scan program.
RHEL-07-021031 V3R9 The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
RHEL-07-040711 V3R9 The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-07-010341 V3R9 The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
RHEL-07-010342 V3R9 The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
RHEL-07-010291 V3R9 The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
RHEL-07-010339 V3R9 The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.
OL08-00-010000 V1R2 OL 8 must be a vendor-supported release.
OL08-00-010010 V1R2 OL 8 vendor-packaged system security patches and updates must be installed and up to date.
OL08-00-010382 V1R2 OL 8 must restrict privilege elevation to authorized personnel.
OL08-00-010383 V1R2 OL 8 must use the invoking user's password for privilege escalation when using "sudo".
OL08-00-010424 V1R2 OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.
OL08-00-010460 V1R2 There must be no "shosts.equiv" files on the OL 8 operating system.
OL08-00-010470 V1R2 There must be no ".shosts" files on the OL 8 operating system.
OL08-00-010471 V1R2 OL 8 must enable the hardware random number generator entropy gatherer service.
OL08-00-010472 V1R2 OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
OL08-00-010480 V1R2 The OL 8 SSH public host key files must have mode "0644" or less permissive.
OL08-00-010490 V1R2 The OL 8 SSH private host key files must have mode "0600" or less permissive.
OL08-00-010500 V1R2 The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
OL08-00-010510 V1R2 The OL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
OL08-00-010520 V1R2 The OL 8 SSH daemon must not allow authentication using known host's authentication.
OL08-00-010521 V1R2 The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
OL08-00-010522 V1R2 The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
OL08-00-010540 V1R2 OL 8 must use a separate file system for "/var".
OL08-00-010541 V1R2 OL 8 must use a separate file system for "/var/log".
OL08-00-010542 V1R2 OL 8 must use a separate file system for the system audit data path.
OL08-00-010543 V1R2 OL 8 must use a separate file system for "/tmp".
OL08-00-010544 V1R2 OL 8 must use a separate file system for /var/tmp.
OL08-00-010561 V1R2 OL 8 must have the rsyslog service enabled and active.
OL08-00-010570 V1R2 OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
OL08-00-010571 V1R2 OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
OL08-00-010572 V1R2 OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
OL08-00-010580 V1R2 OL 8 must prevent special devices on non-root local partitions.
OL08-00-010590 V1R2 OL 8 file systems that contain user home directories must not execute binary files.
OL08-00-010600 V1R2 OL 8 file systems must not interpret character or block special devices from untrusted file systems.
OL08-00-010610 V1R2 OL 8 file systems must not execute binary files on removable media.
OL08-00-010620 V1R2 OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL08-00-010630 V1R2 OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
OL08-00-010640 V1R2 OL 8 file systems must not interpret character or block special devices that are imported via NFS.
OL08-00-010650 V1R2 OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
OL08-00-010660 V1R2 Local OL 8 initialization files must not execute world-writable programs.
OL08-00-010671 V1R2 OL 8 must disable the "kernel.core_pattern".
OL08-00-010672 V1R2 OL 8 must disable acquiring, saving, and processing core dumps.
OL08-00-010673 V1R2 OL 8 must disable core dumps for all users.
OL08-00-010674 V1R2 OL 8 must disable storing core dumps.
OL08-00-010675 V1R2 OL 8 must disable core dump backtraces.
OL08-00-010680 V1R2 For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
OL08-00-010690 V1R2 Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
OL08-00-010700 V1R2 All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
OL08-00-010710 V1R2 All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
OL08-00-010720 V1R2 All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.
OL08-00-010730 V1R2 All OL 8 local interactive user home directories must have mode "0750" or less permissive.
OL08-00-010731 V1R2 All OL 8 local interactive user home directory files must have mode "0750" or less permissive.
OL08-00-010740 V1R2 All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
OL08-00-010741 V1R2 OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
OL08-00-010750 V1R2 All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
OL08-00-010760 V1R2 All OL 8 local interactive user accounts must be assigned a home directory upon creation.
OL08-00-010770 V1R2 All OL 8 local initialization files must have mode "0740" or less permissive.
OL08-00-010780 V1R2 All OL 8 files and directories must have a valid owner.
OL08-00-010790 V1R2 All OL 8 files and directories must have a valid group owner.
OL08-00-010800 V1R2 A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent).
OL08-00-020032 V1R2 OL 8 must disable the user list at logon for graphical user interfaces.
OL08-00-020320 V1R2 OL 8 must not have unnecessary accounts.
OL08-00-020330 V1R2 OL 8 must not allow accounts configured with blank or null passwords.
OL08-00-020331 V1R2 OL 8 must not allow blank or null passwords in the system-auth file.
OL08-00-020332 V1R2 OL 8 must not allow blank or null passwords in the password-auth file.
OL08-00-020340 V1R2 OL 8 must display the date and time of the last successful account logon upon logon.
OL08-00-020350 V1R2 OL 8 must display the date and time of the last successful account logon upon an SSH logon.
OL08-00-030010 V1R2 Cron logging must be implemented in OL 8.
OL08-00-030061 V1R2 The OL 8 audit system must audit local events.
OL08-00-030063 V1R2 OL 8 must resolve audit information before writing to disk.
OL08-00-030670 V1R2 OL 8 must have the packages required for offloading audit logs installed.
OL08-00-030680 V1R2 OL 8 must have the packages required for encrypting offloaded audit logs installed.
OL08-00-040021 V1R2 OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
OL08-00-040022 V1R2 OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
OL08-00-040023 V1R2 OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
OL08-00-040170 V1R2 The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.
OL08-00-040171 V1R2 The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
OL08-00-040172 V1R2 OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.
OL08-00-040180 V1R2 OL 8 must disable the debug-shell systemd service.
OL08-00-040190 V1R2 The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
OL08-00-040200 V1R2 The root account must be the only account having unrestricted access to the OL 8 system.
OL08-00-040209 V1R2 OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL08-00-040210 V1R2 OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL08-00-040220 V1R2 OL 8 must not send Internet Control Message Protocol (ICMP) redirects.
OL08-00-040230 V1R2 OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL08-00-040239 V1R2 OL 8 must not forward IPv4 source-routed packets.
OL08-00-040240 V1R2 OL 8 must not forward IPv6 source-routed packets.
OL08-00-040249 V1R2 OL 8 must not forward IPv4 source-routed packets by default.
OL08-00-040250 V1R2 OL 8 must not forward IPv6 source-routed packets by default.
OL08-00-040260 V1R2 OL 8 must not enable IPv6 packet forwarding unless the system is a router.
OL08-00-040261 V1R2 OL 8 must not accept router advertisements on all IPv6 interfaces.
OL08-00-040262 V1R2 OL 8 must not accept router advertisements on all IPv6 interfaces by default.
OL08-00-040270 V1R2 OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
OL08-00-040279 V1R2 OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
OL08-00-040280 V1R2 OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
OL08-00-040281 V1R2 OL 8 must disable access to the network "bpf" syscall from unprivileged processes.
OL08-00-040282 V1R2 OL 8 must restrict the use of "ptrace" to descendant processes.
OL08-00-040283 V1R2 OL 8 must restrict exposed kernel pointer addresses access.
OL08-00-040284 V1R2 OL 8 must disable the use of user namespaces.
OL08-00-040285 V1R2 OL 8 must use reverse path filtering on all IPv4 interfaces.
OL08-00-040286 V1R2 OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
OL08-00-040290 V1R2 OL 8 must be configured to prevent unrestricted mail relaying.
OL08-00-040300 V1R2 The OL 8 file integrity tool must be configured to verify extended attributes.
OL08-00-040310 V1R2 The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
OL08-00-040320 V1R2 The graphical display manager must not be installed on OL 8 unless approved.
OL08-00-040330 V1R2 OL 8 network interfaces must not be in promiscuous mode.
OL08-00-040340 V1R2 OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
OL08-00-040341 V1R2 The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
OL08-00-040350 V1R2 If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
OL08-00-040360 V1R2 A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
OL08-00-040370 V1R2 OL 8 must not have the "gssproxy" package installed if not required for operational support.
OL08-00-040380 V1R2 OL 8 must not have the "iprutils" package installed if not required for operational support.
OL08-00-040390 V1R2 OL 8 must not have the "tuned" package installed if not required for operational support.
OL08-00-010121 V1R2 The OL 8 operating system must not have accounts configured with blank or null passwords.
OL08-00-010379 V1R2 OL 8 must specify the default "include" directory for the /etc/sudoers file.
OL08-00-020101 V1R2 OL 8 must ensure the password complexity module is enabled in the system-auth file.
OL08-00-020102 V1R2 OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
OL08-00-020103 V1R2 OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
OL08-00-020104 V1R2 OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
OL08-00-040259 V1R2 OL 8 must not enable IPv4 packet forwarding unless the system is a router.
OL08-00-040321 V1R2 The graphical display manager must not be the default target on OL 8 unless approved.
WN19-00-000010 V3R1 Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN19-00-000030 V3R1 Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN19-00-000040 V3R1 Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN19-00-000060 V3R1 Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN19-00-000090 V3R1 Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN19-00-000100 V3R1 Windows Server 2019 must be maintained at a supported servicing level.
WN19-00-000110 V3R1 Windows Server 2019 must use an anti-virus program.
WN19-00-000120 V3R1 Windows Server 2019 must have a host-based intrusion detection or prevention system.
WN19-00-000240 V3R1 Windows Server 2019 must have software certificate installation files removed.
WN19-00-000420 V3R1 Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
WN19-00-000430 V3R1 Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
WN19-00-000450 V3R1 Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
WN19-00-000460 V3R1 Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN19-00-000470 V3R1 Windows Server 2019 must have Secure Boot enabled.
WN19-CC-000030 V3R1 Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN19-CC-000040 V3R1 Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN19-CC-000050 V3R1 Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN19-CC-000070 V3R1 Windows Server 2019 insecure logons to an SMB server must be disabled.
WN19-CC-000080 V3R1 Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN19-CC-000100 V3R1 Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN19-CC-000110 V3R1 Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN19-CC-000130 V3R1 Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN19-CC-000140 V3R1 Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
WN19-CC-000180 V3R1 Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN19-CC-000190 V3R1 Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN19-CC-000250 V3R1 Windows Server 2019 Telemetry must be configured to Security or Basic.
WN19-CC-000260 V3R1 Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
WN19-CC-000320 V3R1 Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
WN19-CC-000330 V3R1 Windows Server 2019 File Explorer shell protocol must run in protected mode.
WN19-CC-000390 V3R1 Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
WN19-CC-000440 V3R1 Windows Server 2019 users must be notified if a web-based program attempts to install software.
WN19-DC-000150 V3R1 Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN19-DC-000330 V3R1 Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
WN19-DC-000430 V3R1 The password for the krbtgt account on a domain must be reset at least every 180 days.
WN19-MS-000050 V3R1 Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN19-MS-000140 V3R1 Windows Server 2019 must be running Credential Guard on domain-joined member servers.
WN19-SO-000020 V3R1 Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
WN19-SO-000030 V3R1 Windows Server 2019 built-in administrator account must be renamed.
WN19-SO-000040 V3R1 Windows Server 2019 built-in guest account must be renamed.
WN19-SO-000100 V3R1 Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
WN19-SO-000150 V3R1 Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN19-SO-000210 V3R1 Windows Server 2019 must not allow anonymous SID/Name translation.
WN19-SO-000220 V3R1 Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN19-SO-000240 V3R1 Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN19-SO-000260 V3R1 Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN19-SO-000270 V3R1 Windows Server 2019 must prevent NTLM from falling back to a Null session.
WN19-SO-000280 V3R1 Windows Server 2019 must prevent PKU2U authentication using online identities.
WN19-SO-000310 V3R1 Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN19-SO-000320 V3R1 Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
WN19-SO-000330 V3R1 Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000340 V3R1 Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000370 V3R1 Windows Server 2019 default permissions of global system objects must be strengthened.
WN19-UC-000010 V3R1 Windows Server 2019 must preserve zone information when saving attachments.
WN19-00-000280 V3R1 Windows Server 2019 must have a host-based firewall installed and enabled.
UBTU-20-010048 V1R5 The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-20-010049 V1R5 The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-20-010453 V1R5 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-20-010459 V1R5 The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-20-010460 V1R5 The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-20-010462 V1R5 The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-20-010463 V1R5 The Ubuntu operating system must not allow accounts configured with blank or null passwords.
WN22-00-000010 V1R5 Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN22-00-000030 V1R5 Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN22-00-000040 V1R5 Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN22-00-000060 V1R5 Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN22-00-000090 V1R5 Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN22-00-000100 V1R5 Windows Server 2022 must be maintained at a supported servicing level.
WN22-00-000110 V1R5 Windows Server 2022 must use an antivirus program.
WN22-00-000120 V1R5 Windows Server 2022 must have a host-based intrusion detection or prevention system.
WN22-00-000240 V1R5 Windows Server 2022 must have software certificate installation files removed.
WN22-00-000280 V1R5 Windows Server 2022 must have a host-based firewall installed and enabled.
WN22-00-000420 V1R5 Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
WN22-00-000430 V1R5 Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
WN22-00-000450 V1R5 Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
WN22-00-000460 V1R5 Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN22-00-000470 V1R5 Windows Server 2022 must have Secure Boot enabled.
WN22-CC-000030 V1R5 Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN22-CC-000040 V1R5 Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN22-CC-000050 V1R5 Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN22-CC-000070 V1R5 Windows Server 2022 insecure logons to an SMB server must be disabled.
WN22-CC-000080 V1R5 Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN22-CC-000100 V1R5 Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
WN22-CC-000110 V1R5 Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN22-CC-000130 V1R5 Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN22-CC-000140 V1R5 Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
WN22-CC-000180 V1R5 Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN22-CC-000190 V1R5 Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN22-CC-000250 V1R5 Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
WN22-CC-000260 V1R5 Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
WN22-CC-000320 V1R5 Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
WN22-CC-000330 V1R5 Windows Server 2022 File Explorer shell protocol must run in protected mode.
WN22-CC-000390 V1R5 Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
WN22-CC-000440 V1R5 Windows Server 2022 users must be notified if a web-based program attempts to install software.
WN22-DC-000150 V1R5 Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
WN22-DC-000330 V1R5 Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
WN22-DC-000430 V1R5 The password for the krbtgt account on a domain must be reset at least every 180 days.
WN22-MS-000050 V1R5 Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN22-MS-000140 V1R5 Windows Server 2022 must be running Credential Guard on domain-joined member servers.
WN22-SO-000020 V1R5 Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
WN22-SO-000030 V1R5 Windows Server 2022 built-in administrator account must be renamed.
WN22-SO-000040 V1R5 Windows Server 2022 built-in guest account must be renamed.
WN22-SO-000100 V1R5 Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
WN22-SO-000150 V1R5 Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN22-SO-000210 V1R5 Windows Server 2022 must not allow anonymous SID/Name translation.
WN22-SO-000220 V1R5 Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN22-SO-000240 V1R5 Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN22-SO-000260 V1R5 Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN22-SO-000270 V1R5 Windows Server 2022 must prevent NTLM from falling back to a Null session.
WN22-SO-000280 V1R5 Windows Server 2022 must prevent PKU2U authentication using online identities.
WN22-SO-000310 V1R5 Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN22-SO-000320 V1R5 Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
WN22-SO-000330 V1R5 Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000340 V1R5 Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000370 V1R5 Windows Server 2022 default permissions of global system objects must be strengthened.
WN22-UC-000010 V1R5 Windows Server 2022 must preserve zone information when saving attachments.
UBTU-18-010032 V2R10 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-18-010150 V2R10 The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-18-010151 V2R10 The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-18-010418 V2R10 The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-18-010419 V2R10 The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-18-010450 V2R10 All local interactive user home directories defined in the /etc/passwd file must exist.
UBTU-18-010451 V2R10 All local interactive user home directories must have mode 0750 or less permissive.
UBTU-18-010452 V2R10 All local interactive user home directories must be group-owned by the home directory owner's primary group.
UBTU-18-010522 V2R10 The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-18-010523 V2R10 The Ubuntu operating system must not allow accounts configured with blank or null passwords.
UBTU-22-211015 V1R1 Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-22-215015 V1R1 Ubuntu 22.04 LTS must have the "chrony" package installed.
UBTU-22-215020 V1R1 Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed.
UBTU-22-215025 V1R1 Ubuntu 22.04 LTS must not have the "ntp" package installed.
UBTU-22-255040 V1R1 Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-22-255045 V1R1 Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-22-271030 V1R1 Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-22-412015 V1R1 Ubuntu 22.04 LTS must display the date and time of the last successful account logon upon logon.
UBTU-22-611060 V1R1 Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords.
UBTU-22-611065 V1R1 Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords.
UBTU-22-654190 V1R1 Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files.
APPL-14-000016 V1R2 The macOS system must be integrated into a directory services infrastructure.
APPL-14-003013 V1R2 The macOS system must enable firmware password.
APPL-14-005110 V1R2 The macOS system must enforce enrollment in mobile device management.
APPL-14-005120 V1R2 The macOS system must enable recovery lock.
APPL-14-005130 V1R2 The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
RHEL-08-010000 V1R2 RHEL 8 must be a vendor-supported release.
RHEL-08-010010 V1R2 RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
RHEL-08-010292 V1R2 RHEL 8 must ensure the SSH server uses strong entropy.
RHEL-08-010460 V1R2 There must be no shosts.equiv files on the RHEL 8 operating system.
RHEL-08-010470 V1R2 There must be no .shosts files on the RHEL 8 operating system.
RHEL-08-010471 V1R2 RHEL 8 must enable the hardware random number generator entropy gatherer service.
RHEL-08-010480 V1R2 The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
RHEL-08-010490 V1R2 The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
RHEL-08-010500 V1R2 The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-08-010510 V1R2 The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-08-010520 V1R2 The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
RHEL-08-010521 V1R2 The RHEL 8 SSH daemon must not allow unused methods of authentication.
RHEL-08-010540 V1R2 RHEL 8 must use a separate file system for /var.
RHEL-08-010541 V1R2 RHEL 8 must use a separate file system for /var/log.
RHEL-08-010542 V1R2 RHEL 8 must use a separate file system for the system audit data path.
RHEL-08-010543 V1R2 A separate RHEL 8 filesystem must be used for the /tmp directory.
RHEL-08-010560 V1R2 The auditd service must be running in RHEL 8.
RHEL-08-010561 V1R2 The rsyslog service must be running in RHEL 8.
RHEL-08-010570 V1R2 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
RHEL-08-010571 V1R2 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
RHEL-08-010580 V1R2 RHEL 8 must prevent special devices on non-root local partitions.
RHEL-08-010590 V1R2 RHEL 8 must prevent code from being executed on file systems that contain user home directories.
RHEL-08-010600 V1R2 RHEL 8 must prevent special devices on file systems that are used with removable media.
RHEL-08-010610 V1R2 RHEL 8 must prevent code from being executed on file systems that are used with removable media.
RHEL-08-010620 V1R2 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-08-010630 V1R2 RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010640 V1R2 RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-08-010650 V1R2 RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010660 V1R2 Local RHEL 8 initialization files must not execute world-writable programs.
RHEL-08-010670 V1R2 RHEL 8 must disable kernel dumps unless needed.
RHEL-08-010671 V1R2 RHEL 8 must disable the kernel.core_pattern.
RHEL-08-010672 V1R2 RHEL 8 must disable acquiring, saving, and processing core dumps.
RHEL-08-010673 V1R2 RHEL 8 must disable core dumps for all users.
RHEL-08-010674 V1R2 RHEL 8 must disable storing core dumps.
RHEL-08-010675 V1R2 RHEL 8 must disable core dump backtraces.
RHEL-08-010680 V1R2 For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
RHEL-08-010690 V1R2 Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the user's home directory.
RHEL-08-010700 V1R2 All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group.
RHEL-08-010710 V1R2 All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
RHEL-08-010720 V1R2 All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-08-010730 V1R2 All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
RHEL-08-010740 V1R2 All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
RHEL-08-010750 V1R2 All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-08-010760 V1R2 All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
RHEL-08-010770 V1R2 All RHEL 8 local initialization files must have mode 0740 or less permissive.
RHEL-08-010780 V1R2 All RHEL 8 local files and directories must have a valid owner.
RHEL-08-010790 V1R2 All RHEL 8 local files and directories must have a valid group owner.
RHEL-08-010800 V1R2 A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
RHEL-08-020320 V1R2 RHEL 8 must not have unnecessary accounts.
RHEL-08-020330 V1R2 RHEL 8 must not have accounts configured with blank or null passwords.
RHEL-08-020340 V1R2 RHEL 8 must display the date and time of the last successful account logon upon logon.
RHEL-08-020350 V1R2 RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
RHEL-08-020353 V1R2 RHEL 8 must define default permissions for logon and non-logon shells.
RHEL-08-030010 V1R2 Cron logging must be implemented in RHEL 8.
RHEL-08-030061 V1R2 The RHEL 8 audit system must audit local events.
RHEL-08-030063 V1R2 RHEL 8 must resolve audit information before writing to disk.
RHEL-08-030670 V1R2 RHEL 8 must have the packages required for offloading audit logs installed.
RHEL-08-030680 V1R2 RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
RHEL-08-040170 V1R2 The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
RHEL-08-040171 V1R2 The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
RHEL-08-040172 V1R2 The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
RHEL-08-040180 V1R2 The debug-shell systemd service must be disabled on RHEL 8.
RHEL-08-040190 V1R2 The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
RHEL-08-040200 V1R2 The root account must be the only account having unrestricted access to the RHEL 8 system.
RHEL-08-040210 V1R2 RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-08-040220 V1R2 RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-08-040230 V1R2 RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-08-040240 V1R2 RHEL 8 must not forward source-routed packets.
RHEL-08-040250 V1R2 RHEL 8 must not forward source-routed packets by default.
RHEL-08-040260 V1R2 RHEL 8 must not be performing packet forwarding unless the system is a router.
RHEL-08-040261 V1R2 RHEL 8 must not accept router advertisements on all IPv6 interfaces.
RHEL-08-040262 V1R2 RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-08-040270 V1R2 RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-08-040280 V1R2 RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.
RHEL-08-040281 V1R2 RHEL 8 must disable access to network bpf syscall from unprivileged processes.
RHEL-08-040282 V1R2 RHEL 8 must restrict usage of ptrace to descendant processes.
RHEL-08-040283 V1R2 RHEL 8 must restrict exposed kernel pointer addresses access.
RHEL-08-040284 V1R2 RHEL 8 must disable the use of user namespaces.
RHEL-08-040285 V1R2 RHEL 8 must use reverse path filtering on all IPv4 interfaces.
RHEL-08-040290 V1R2 RHEL 8 must be configured to prevent unrestricted mail relaying.
RHEL-08-040300 V1R2 The RHEL 8 file integrity tool must be configured to verify extended attributes.
RHEL-08-040310 V1R2 The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
RHEL-08-040320 V1R2 The graphical display manager must not be installed on RHEL 8 unless approved.
RHEL-08-040330 V1R2 RHEL 8 network interfaces must not be in promiscuous mode.
RHEL-08-040340 V1R2 RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
RHEL-08-040341 V1R2 The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-08-040350 V1R2 If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
RHEL-08-040360 V1R2 A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
RHEL-08-040370 V1R2 The gssproxy package must not be installed unless mission essential on RHEL 8.
RHEL-08-040380 V1R2 The iprutils package must not be installed unless mission essential on RHEL 8.
RHEL-08-040390 V1R2 The tuned package must not be installed unless mission essential on RHEL 8.
RHEL-08-010382 V1R2 RHEL 8 must restrict privilege elevation to authorized personnel.
RHEL-08-010383 V1R2 RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
SLES-12-010000 V2R10 The SUSE operating system must be a vendor-supported release.
SLES-12-010010 V2R10 Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-12-010231 V2R10 The SUSE operating system must not be configured to allow blank or null passwords.
SLES-12-010390 V2R10 The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-12-010400 V2R10 There must be no .shosts files on the SUSE operating system.
SLES-12-010410 V2R10 There must be no shosts.equiv files on the SUSE operating system.
SLES-12-010520 V2R10 The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-12-010530 V2R10 The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-12-010610 V2R10 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-12-010611 V2R10 The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-12-010630 V2R10 The SUSE operating system must not have unnecessary accounts.
SLES-12-010650 V2R10 The SUSE operating system root account must be the only account having unrestricted access to the system.
SLES-12-010690 V2R10 All SUSE operating system files and directories must have a valid owner.
SLES-12-010700 V2R10 All SUSE operating system files and directories must have a valid group owner.
SLES-12-010710 V2R10 All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-12-010720 V2R10 All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-12-010730 V2R10 All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-12-010740 V2R10 All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-12-010750 V2R10 All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SLES-12-010760 V2R10 All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-12-010770 V2R10 All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory.
SLES-12-010780 V2R10 All SUSE operating system local initialization files must not execute world-writable programs.
SLES-12-010790 V2R10 SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010800 V2R10 SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010810 V2R10 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010820 V2R10 SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-12-010830 V2R10 All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-12-010840 V2R10 SUSE operating system kernel core dumps must be disabled unless needed.
SLES-12-010850 V2R10 A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-12-010860 V2R10 The SUSE operating system must use a separate file system for /var.
SLES-12-010870 V2R10 The SUSE operating system must use a separate file system for the system audit data path.
SLES-12-010910 V2R10 The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-12-020199 V2R10 The SUSE operating system must not disable syscall auditing.
SLES-12-030130 V2R10 The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-12-030200 V2R10 The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-12-030210 V2R10 The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-12-030220 V2R10 The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-12-030230 V2R10 The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-12-030240 V2R10 The SUSE operating system SSH daemon must use privilege separation.
SLES-12-030250 V2R10 The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SLES-12-030260 V2R10 The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-12-030360 V2R10 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-12-030361 V2R10 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-12-030370 V2R10 The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-12-030380 V2R10 The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
SLES-12-030390 V2R10 The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030400 V2R10 The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030401 V2R10 The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030410 V2R10 The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030420 V2R10 The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-12-030430 V2R10 The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-12-030440 V2R10 The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-12-030611 V2R10 The SUSE operating system must use a virus scan program.
SLES-12-030261 V2R10 The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
SLES-12-010111 V2R10 The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-12-010112 V2R10 The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-12-010631 V2R10 The SUSE operating system must not have unnecessary account capabilities.
SLES-12-030362 V2R10 The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-12-030363 V2R10 The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030364 V2R10 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-12-030365 V2R10 The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-12-010109 V2R10 The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-12-010221 V2R10 The SUSE operating system must not have accounts configured with blank or null passwords.
WN11-00-000005 V1R5 Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
WN11-00-000040 V1R5 Windows 11 systems must be maintained at a supported servicing level.
WN11-00-000045 V1R5 The Windows 11 system must use an antivirus program.
WN11-00-000055 V1R5 Alternate operating systems must not be permitted on the same system.
WN11-00-000075 V1R5 Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN11-00-000085 V1R5 Standard local user accounts must not exist on a system in a domain.
WN11-00-000130 V1R5 Software certificate installation files must be removed from Windows 11.
WN11-00-000135 V1R5 A host-based firewall must be installed and enabled on the system.
WN11-00-000190 V1R5 Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
WN11-00-000230 V1R5 The system must notify the user when a Bluetooth device attempts to connect.
WN11-00-000240 V1R5 Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN11-CC-000020 V1R5 IPv6 source routing must be configured to highest protection.
WN11-CC-000025 V1R5 The system must be configured to prevent IP source routing.
WN11-CC-000030 V1R5 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN11-CC-000040 V1R5 Insecure logons to an SMB server must be disabled.
WN11-CC-000050 V1R5 Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN11-CC-000060 V1R5 Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN11-CC-000065 V1R5 Wi-Fi Sense must be disabled.
WN11-CC-000068 V1R5 Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN11-CC-000070 V1R5 Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN11-CC-000075 V1R5 Credential Guard must be running on Windows 11 domain-joined systems.
WN11-CC-000080 V1R5 Virtualization-based protection of code integrity must be enabled.
WN11-CC-000085 V1R5 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN11-CC-000090 V1R5 Group Policy objects must be reprocessed even if they have not changed.
WN11-CC-000115 V1R5 Systems must at least attempt device authentication using certificates.
WN11-CC-000170 V1R5 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN11-CC-000195 V1R5 Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
WN11-CC-000204 V1R5 Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
WN11-CC-000206 V1R5 Windows Update must not obtain updates from other PCs on the internet.
WN11-CC-000225 V1R5 File Explorer shell protocol must run in protected mode.
WN11-CC-000255 V1R5 The use of a hardware security device with Windows Hello for Business must be enabled.
WN11-CC-000260 V1R5 Windows 11 must be configured to require a minimum pin length of six characters or greater.
WN11-CC-000295 V1R5 Attachments must be prevented from being downloaded from RSS feeds.
WN11-CC-000320 V1R5 Users must be notified if a web-based program attempts to install software.
WN11-SO-000015 V1R5 Local accounts with blank passwords must be restricted to prevent access from the network.
WN11-SO-000020 V1R5 The built-in administrator account must be renamed.
WN11-SO-000025 V1R5 The built-in guest account must be renamed.
WN11-SO-000050 V1R5 The computer account password must not be prevented from being reset.
WN11-SO-000055 V1R5 The maximum age for machine account passwords must be configured to 30 days or less.
WN11-SO-000085 V1R5 Caching of logon credentials must be limited.
WN11-SO-000095 V1R5 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN11-SO-000140 V1R5 Anonymous SID/Name translation must not be allowed.
WN11-SO-000145 V1R5 Anonymous enumeration of SAM accounts must not be allowed.
WN11-SO-000160 V1R5 The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN11-SO-000180 V1R5 NTLM must be prevented from falling back to a Null session.
WN11-SO-000185 V1R5 PKU2U authentication using online identities must be prevented.
WN11-SO-000205 V1R5 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN11-SO-000210 V1R5 The system must be configured to the required LDAP client signing level.
WN11-SO-000215 V1R5 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN11-SO-000220 V1R5 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN11-SO-000240 V1R5 The default permissions of global system objects must be increased.
WN11-UC-000020 V1R5 Zone information must be preserved when saving attachments.
WN11-00-000395 V1R5 Windows 11 must not have portproxy enabled or in use.