SRG-OS-000480-GPOS-00227 Controls

SRG-OS-000480-GPOS-00227 is the General Purpose Operating System SRG requirement (CCI-000366) that the operating system be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs and DTMs. It is the catch-all for configuration settings that have no more specific SRG, which is why the controls mapped to it range from core dump handling and account database file modes to sysctl network hardening, SSH daemon options and mount options. The table below lists the STIG controls currently mapped to this SRG.

| STIG ID | Version | Title | Product |
|---|---|---|---|
| ALMA-09-011240 | V1R2 | AlmaLinux OS 9 must disable core dumps for all users. | AlmaLinux OS 9 |
| ALMA-09-011350 | V1R2 | AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps. | AlmaLinux OS 9 |
| ALMA-09-011460 | V1R2 | AlmaLinux OS 9 must disable storing core dumps. | AlmaLinux OS 9 |
| ALMA-09-011570 | V1R2 | AlmaLinux OS 9 must disable core dump backtraces. | AlmaLinux OS 9 |
| ALMA-09-011680 | V1R2 | AlmaLinux OS 9 must disable the kernel.core_pattern. | AlmaLinux OS 9 |
| ALMA-09-011790 | V1R2 | AlmaLinux OS 9 cron configuration files directory must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-011900 | V1R2 | AlmaLinux OS 9 cron configuration files directory must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-012010 | V1R2 | AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-012120 | V1R2 | AlmaLinux OS 9 /etc/crontab file must have mode 0600. | AlmaLinux OS 9 |
| ALMA-09-012230 | V1R2 | AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | AlmaLinux OS 9 |
| ALMA-09-012340 | V1R2 | AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | AlmaLinux OS 9 |
| ALMA-09-012450 | V1R2 | All AlmaLinux OS 9 local files and directories must have a valid group owner. | AlmaLinux OS 9 |
| ALMA-09-012560 | V1R2 | All AlmaLinux OS 9 local files and directories must have a valid owner. | AlmaLinux OS 9 |
| ALMA-09-012670 | V1R2 | AlmaLinux OS 9 /etc/group- file must be group owned by root. | AlmaLinux OS 9 |
| ALMA-09-012780 | V1R2 | AlmaLinux OS 9 /etc/group- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-012890 | V1R2 | AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013000 | V1R2 | AlmaLinux OS 9 /etc/group file must be group owned by root. | AlmaLinux OS 9 |
| ALMA-09-013110 | V1R2 | AlmaLinux OS 9 /etc/group file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013220 | V1R2 | AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013330 | V1R2 | The /boot/grub2/grub.cfg file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-013440 | V1R2 | The /boot/grub2/grub.cfg file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013550 | V1R2 | AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process. | AlmaLinux OS 9 |
| ALMA-09-013660 | V1R2 | AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-013770 | V1R2 | AlmaLinux OS 9 /etc/gshadow- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013880 | V1R2 | AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013990 | V1R2 | AlmaLinux OS 9 /etc/gshadow file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-014100 | V1R2 | AlmaLinux OS 9 /etc/gshadow file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-014210 | V1R2 | AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-014320 | V1R2 | The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved. | AlmaLinux OS 9 |
| ALMA-09-014430 | V1R2 | AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces. | AlmaLinux OS 9 |
| ALMA-09-015640 | V1R2 | AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | AlmaLinux OS 9 |
| ALMA-09-015750 | V1R2 | AlmaLinux OS 9 must not allow blank or null passwords. | AlmaLinux OS 9 |
| ALMA-09-015860 | V1R2 | AlmaLinux OS 9 must not have accounts configured with blank or null passwords. | AlmaLinux OS 9 |
| ALMA-09-015970 | V1R2 | AlmaLinux OS 9 /etc/passwd- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016080 | V1R2 | AlmaLinux OS 9 /etc/passwd- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016190 | V1R2 | AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016300 | V1R2 | AlmaLinux OS 9 /etc/passwd file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016410 | V1R2 | AlmaLinux OS 9 /etc/passwd file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016520 | V1R2 | AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016630 | V1R2 | AlmaLinux OS 9 /etc/shadow- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016740 | V1R2 | AlmaLinux OS 9 /etc/shadow- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016850 | V1R2 | AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016960 | V1R2 | AlmaLinux OS 9 /etc/shadow file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-017070 | V1R2 | AlmaLinux OS 9 /etc/shadow file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-017180 | V1R2 | AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-017290 | V1R2 | AlmaLinux OS 9 must restrict privilege elevation to authorized personnel. | AlmaLinux OS 9 |
| ALMA-09-017400 | V1R2 | AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo". | AlmaLinux OS 9 |
| ALMA-09-017950 | V1R2 | AlmaLinux OS 9 must not have unauthorized accounts. | AlmaLinux OS 9 |
| ALMA-09-018060 | V1R2 | AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | AlmaLinux OS 9 |
| ALMA-09-018170 | V1R2 | AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | AlmaLinux OS 9 |
| ALMA-09-018280 | V1R2 | AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes. | AlmaLinux OS 9 |
| ALMA-09-018500 | V1R2 | AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces. | AlmaLinux OS 9 |
| ALMA-09-018610 | V1R2 | AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages. | AlmaLinux OS 9 |
| ALMA-09-018830 | V1R2 | AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | AlmaLinux OS 9 |
| ALMA-09-018940 | V1R2 | AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. | AlmaLinux OS 9 |
| ALMA-09-019050 | V1R2 | AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | AlmaLinux OS 9 |
| ALMA-09-019160 | V1R2 | AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router. | AlmaLinux OS 9 |
| ALMA-09-019270 | V1R2 | AlmaLinux OS 9 must not have unauthorized IP tunnels configured. | AlmaLinux OS 9 |
| ALMA-09-019380 | V1R2 | AlmaLinux OS 9 must log packets with impossible addresses. | AlmaLinux OS 9 |
| ALMA-09-019490 | V1R2 | AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying. | AlmaLinux OS 9 |
| ALMA-09-019600 | V1R2 | AlmaLinux OS 9 must have the nss-tools package installed. | AlmaLinux OS 9 |
| ALMA-09-019710 | V1R2 | AlmaLinux OS 9 network interfaces must not be in promiscuous mode. | AlmaLinux OS 9 |
| ALMA-09-019820 | V1R2 | AlmaLinux OS 9 must use reverse path filtering on all IP interfaces. | AlmaLinux OS 9 |
| ALMA-09-019930 | V1R2 | AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects. | AlmaLinux OS 9 |
| ALMA-09-020040 | V1R2 | There must be no .shosts files on AlmaLinux OS 9. | AlmaLinux OS 9 |
| ALMA-09-020150 | V1R2 | There must be no shosts.equiv files on AlmaLinux OS 9. | AlmaLinux OS 9 |
| ALMA-09-020260 | V1R2 | AlmaLinux OS 9 must not forward source-routed packets. | AlmaLinux OS 9 |
| ALMA-09-020370 | V1R2 | AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | AlmaLinux OS 9 |
| ALMA-09-020480 | V1R2 | The AlmaLinux OS 9 SSH server configuration file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-020590 | V1R2 | The AlmaLinux OS 9 SSH server configuration file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-020700 | V1R2 | AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-020810 | V1R2 | AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system. | AlmaLinux OS 9 |
| ALMA-09-020920 | V1R2 | AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-021030 | V1R2 | AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-021140 | V1R2 | AlmaLinux OS 9 SSH daemon must not allow known hosts authentication. | AlmaLinux OS 9 |
| ALMA-09-021250 | V1R2 | AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | AlmaLinux OS 9 |
| ALMA-09-021360 | V1R2 | AlmaLinux OS 9 SSH daemon must not allow rhosts authentication. | AlmaLinux OS 9 |
| ALMA-09-021470 | V1R2 | AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users. | AlmaLinux OS 9 |
| ALMA-09-021580 | V1R2 | AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | AlmaLinux OS 9 |
| ALMA-09-021690 | V1R2 | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. | AlmaLinux OS 9 |
| ALMA-09-021800 | V1R2 | AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. | AlmaLinux OS 9 |
| ALMA-09-021910 | V1R2 | AlmaLinux OS 9 effective dconf policy must match the policy keyfiles. | AlmaLinux OS 9 |
| ALMA-09-022020 | V1R2 | AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | AlmaLinux OS 9 |
| ALMA-09-022130 | V1R2 | All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-022240 | V1R2 | AlmaLinux OS 9 must have the gnutls-utils package installed. | AlmaLinux OS 9 |
| ALMA-09-022350 | V1R2 | The kdump service on AlmaLinux OS 9 must be disabled. | AlmaLinux OS 9 |
| ALMA-09-022460 | V1R2 | AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen. | AlmaLinux OS 9 |
| ALMA-09-022570 | V1R2 | AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | AlmaLinux OS 9 |
| ALMA-09-022680 | V1R2 | AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-022790 | V1R2 | AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-022900 | V1R2 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-023010 | V1R2 | AlmaLinux OS 9 must disable the use of user namespaces. | AlmaLinux OS 9 |
| ALMA-09-023120 | V1R2 | AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023230 | V1R2 | AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023450 | V1R2 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023560 | V1R2 | AlmaLinux OS 9 must configure a DNS processing mode set by NetworkManager. | AlmaLinux OS 9 |
| ALMA-09-023670 | V1R2 | AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | AlmaLinux OS 9 |
| ALMA-09-023780 | V1R2 | AlmaLinux OS 9 must prevent special devices on nonroot local partitions. | AlmaLinux OS 9 |
| ALMA-09-023890 | V1R2 | The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system. | AlmaLinux OS 9 |
| ALMA-09-024000 | V1R2 | AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values. | AlmaLinux OS 9 |
| ALMA-09-024110 | V1R2 | AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks. | AlmaLinux OS 9 |
| ALMA-09-024220 | V1R2 | AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon. | AlmaLinux OS 9 |
| ALMA-09-024330 | V1R2 | AlmaLinux OS 9 security patches and updates must be installed and up to date. | AlmaLinux OS 9 |
| ALMA-09-024440 | V1R2 | AlmaLinux OS 9 policycoreutils-python-utils package must be installed. | AlmaLinux OS 9 |
| ALMA-09-024550 | V1R2 | AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service. | AlmaLinux OS 9 |
| ALMA-09-024660 | V1R2 | AlmaLinux OS 9 must have the rng-tools package installed. | AlmaLinux OS 9 |
| ALMA-09-024990 | V1R2 | AlmaLinux OS 9 system accounts must not have an interactive login shell. | AlmaLinux OS 9 |
| ALMA-09-025100 | V1R2 | AlmaLinux OS 9 must use a separate file system for /tmp. | AlmaLinux OS 9 |
| ALMA-09-025210 | V1R2 | Local AlmaLinux OS 9 initialization files must not execute world-writable programs. | AlmaLinux OS 9 |
| ALMA-09-025320 | V1R2 | AlmaLinux OS 9 must use a separate file system for /var/log. | AlmaLinux OS 9 |
| ALMA-09-025430 | V1R2 | AlmaLinux OS 9 must use a separate file system for /var. | AlmaLinux OS 9 |
| ALMA-09-025540 | V1R2 | AlmaLinux OS 9 must use a separate file system for /var/tmp. | AlmaLinux OS 9 |
| ALMA-09-025650 | V1R2 | AlmaLinux OS 9 must disable virtual system calls. | AlmaLinux OS 9 |
| ALMA-09-025760 | V1R2 | AlmaLinux OS 9 must use cron logging. | AlmaLinux OS 9 |
| ALMA-09-025870 | V1R2 | AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | AlmaLinux OS 9 |
| APPL-14-003013 | V2R3 | The macOS system must enable firmware password. | Apple macOS 14 |
| APPL-14-005110 | V2R3 | The macOS system must enforce enrollment in mobile device management. | Apple macOS 14 |
| APPL-14-005120 | V2R3 | The macOS system must enable recovery lock. | Apple macOS 14 |
| APPL-14-005130 | V2R3 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | Apple macOS 14 |
| APPL-15-003013 | V1R3 | The macOS system must enable firmware password. | Apple macOS 15 |
| APPL-15-005110 | V1R3 | The macOS system must enforce enrollment in Mobile Device Management (MDM). | Apple macOS 15 |
| APPL-15-005120 | V1R3 | The macOS system must enable Recovery Lock. | Apple macOS 15 |
| APPL-15-005130 | V1R3 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | Apple macOS 15 |
| OL07-00-010020 | V3R2 | The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. | Oracle Linux 7 |
| OL07-00-010290 | V3R2 | The Oracle Linux operating system must not allow accounts configured with blank or null passwords. | Oracle Linux 7 |
| OL07-00-020230 | V3R2 | The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. | Oracle Linux 7 |
| OL07-00-020250 | V3R2 | The Oracle Linux operating system must be a vendor supported release. | Oracle Linux 7 |
| OL07-00-020260 | V3R2 | The Oracle Linux operating system security patches and updates must be installed and up to date. | Oracle Linux 7 |
| OL07-00-020270 | V3R2 | The Oracle Linux operating system must not have unnecessary accounts. | Oracle Linux 7 |
| OL07-00-020310 | V3R2 | The Oracle Linux operating system must be configured so that the root account is the only account having unrestricted access to the system. | Oracle Linux 7 |
| OL07-00-020320 | V3R2 | The Oracle Linux operating system must be configured so that all files and directories have a valid owner. | Oracle Linux 7 |
| OL07-00-020330 | V3R2 | The Oracle Linux operating system must be configured so that all files and directories have a valid group owner. | Oracle Linux 7 |
| OL07-00-020610 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. | Oracle Linux 7 |
| OL07-00-020620 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. | Oracle Linux 7 |
| OL07-00-020630 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. | Oracle Linux 7 |
| OL07-00-020640 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. | Oracle Linux 7 |
| OL07-00-020650 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group. | Oracle Linux 7 |
| OL07-00-020660 | V3R2 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner. | Oracle Linux 7 |
| OL07-00-020670 | V3R2 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. | Oracle Linux 7 |
| OL07-00-020680 | V3R2 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. | Oracle Linux 7 |
| OL07-00-020690 | V3R2 | The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. | Oracle Linux 7 |
| OL07-00-020700 | V3R2 | The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root. | Oracle Linux 7 |
| OL07-00-020710 | V3R2 | The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. | Oracle Linux 7 |
| OL07-00-020720 | V3R2 | The Oracle Linux operating system must be configured so that all local interactive user initialization files' executable search paths contain only paths that resolve to the user's home directory. | Oracle Linux 7 |
| OL07-00-020730 | V3R2 | The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs. | Oracle Linux 7 |
| OL07-00-020900 | V3R2 | The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Oracle Linux 7 |
| OL07-00-021000 | V3R2 | The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Oracle Linux 7 |
| OL07-00-021010 | V3R2 | The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Oracle Linux 7 |
| OL07-00-021020 | V3R2 | The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). | Oracle Linux 7 |
| OL07-00-021021 | V3R2 | The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). | Oracle Linux 7 |
| OL07-00-021030 | V3R2 | The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. | Oracle Linux 7 |
| OL07-00-021040 | V3R2 | The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts. | Oracle Linux 7 |
| OL07-00-021100 | V3R2 | The Oracle Linux operating system must have cron logging implemented. | Oracle Linux 7 |
| OL07-00-021110 | V3R2 | The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. | Oracle Linux 7 |
| OL07-00-021120 | V3R2 | The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. | Oracle Linux 7 |
| OL07-00-021300 | V3R2 | The Oracle Linux operating system must disable Kernel core dumps unless needed. | Oracle Linux 7 |
| OL07-00-021310 | V3R2 | The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). | Oracle Linux 7 |
| OL07-00-021320 | V3R2 | The Oracle Linux operating system must use a separate file system for /var. | Oracle Linux 7 |
| OL07-00-021340 | V3R2 | The Oracle Linux operating system must use a separate file system for /tmp (or equivalent). | Oracle Linux 7 |
| OL07-00-021600 | V3R2 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Oracle Linux 7 |
| OL07-00-021610 | V3R2 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Oracle Linux 7 |
| OL07-00-021620 | V3R2 | The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Oracle Linux 7 |
| OL07-00-031000 | V3R2 | The Oracle Linux operating system must send rsyslog output to a log aggregation server. | Oracle Linux 7 |
| OL07-00-031010 | V3R2 | The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Oracle Linux 7 |
| OL07-00-032000 | V3R2 | The Oracle Linux operating system must use a virus scan program. | Oracle Linux 7 |
| OL07-00-040330 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. | Oracle Linux 7 |
| OL07-00-040350 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. | Oracle Linux 7 |
| OL07-00-040360 | V3R2 | The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon. | Oracle Linux 7 |
| OL07-00-040370 | V3R2 | The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH. | Oracle Linux 7 |
| OL07-00-040380 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. | Oracle Linux 7 |
| OL07-00-040410 | V3R2 | The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. | Oracle Linux 7 |
| OL07-00-040420 | V3R2 | The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive. | Oracle Linux 7 |
| OL07-00-040450 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. | Oracle Linux 7 |
| OL07-00-040460 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation. | Oracle Linux 7 |
| OL07-00-040470 | V3R2 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. | Oracle Linux 7 |
| OL07-00-040520 | V3R2 | The Oracle Linux operating system must enable an application firewall, if available. | Oracle Linux 7 |
| OL07-00-040530 | V3R2 | The Oracle Linux operating system must display the date and time of the last successful account logon upon logon. | Oracle Linux 7 |
| OL07-00-040540 | V3R2 | The Oracle Linux operating system must not contain .shosts files. | Oracle Linux 7 |
| OL07-00-040550 | V3R2 | The Oracle Linux operating system must not contain shosts.equiv files. | Oracle Linux 7 |
| OL07-00-040600 | V3R2 | For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured. | Oracle Linux 7 |
| OL07-00-040610 | V3R2 | The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Oracle Linux 7 |
| OL07-00-040611 | V3R2 | The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | Oracle Linux 7 |
| OL07-00-040612 | V3R2 | The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default. | Oracle Linux 7 |
| OL07-00-040620 | V3R2 | The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | Oracle Linux 7 |
| OL07-00-040630 | V3R2 | The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Oracle Linux 7 |
| OL07-00-040640 | V3R2 | The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 7 |
| OL07-00-040641 | V3R2 | The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 7 |
| OL07-00-040650 | V3R2 | The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. | Oracle Linux 7 |
| OL07-00-040660 | V3R2 | The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | Oracle Linux 7 |
| OL07-00-040670 | V3R2 | Network interfaces configured on the Oracle Linux operating system must not be in promiscuous mode. | Oracle Linux 7 |
| OL07-00-040680 | V3R2 | The Oracle Linux operating system must be configured to prevent unrestricted mail relaying. | Oracle Linux 7 |
| OL07-00-040690 | V3R2 | The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. | Oracle Linux 7 |
| OL07-00-040700 | V3R2 | The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. | Oracle Linux 7 |
| OL07-00-040710 | V3R2 | The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Oracle Linux 7 |
| OL07-00-040720 | V3R2 | The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. | Oracle Linux 7 |
| OL07-00-040730 | V3R2 | The Oracle Linux operating system must not have a graphical display manager installed unless approved. | Oracle Linux 7 |
| OL07-00-040740 | V3R2 | The Oracle Linux operating system must not be performing packet forwarding unless the system is a router. | Oracle Linux 7 |
| OL07-00-040750 | V3R2 | The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | Oracle Linux 7 |
| OL07-00-040800 | V3R2 | SNMP community strings on the Oracle Linux operating system must be changed from the default. | Oracle Linux 7 |
| OL07-00-040810 | V3R2 | The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | Oracle Linux 7 |
| OL07-00-040820 | V3R2 | The Oracle Linux operating system must not have unauthorized IP tunnels configured. | Oracle Linux 7 |
| OL07-00-040830 | V3R2 | The Oracle Linux operating system must not forward IPv6 source-routed packets. | Oracle Linux 7 |
| OL07-00-020231 | V3R2 | The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. | Oracle Linux 7 |
| OL07-00-021031 | V3R2 | The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Oracle Linux 7 |
| OL07-00-040711 | V3R2 | The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | Oracle Linux 7 |
| OL07-00-010341 | V3R2 | The Oracle Linux operating system must restrict privilege elevation to authorized personnel. | Oracle Linux 7 |
| OL07-00-010342 | V3R2 | The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo". | Oracle Linux 7 |
| OL07-00-010291 | V3R2 | The Oracle Linux operating system must not have accounts configured with blank or null passwords. | Oracle Linux 7 |
| OL07-00-010339 | V3R2 | The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file. | Oracle Linux 7 |
| OL07-00-010063 | V3R2 | The Oracle Linux operating system must disable the login screen user list for graphical user interfaces. | Oracle Linux 7 |
| OL08-00-010000 | V2R4 | OL 8 must be a vendor-supported release. | Oracle Linux 8 |
| OL08-00-010010 | V2R4 | OL 8 vendor-packaged system security patches and updates must be installed and up to date. | Oracle Linux 8 |
| OL08-00-010382 | V2R4 | OL 8 must restrict privilege elevation to authorized personnel. | Oracle Linux 8 |
| OL08-00-010383 | V2R4 | OL 8 must use the invoking user's password for privilege escalation when using "sudo". | Oracle Linux 8 |
| OL08-00-010424 | V2R4 | OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors. | Oracle Linux 8 |
| OL08-00-010460 | V2R4 | There must be no "shosts.equiv" files on the OL 8 operating system. | Oracle Linux 8 |
| OL08-00-010470 | V2R4 | There must be no ".shosts" files on the OL 8 operating system. | Oracle Linux 8 |
| OL08-00-010473 | V2R4 | OL 8 must enable the hardware random number generator entropy gatherer service. | Oracle Linux 8 |
| OL08-00-010472 | V2R4 | OL 8 must have the packages required to use the hardware random number generator entropy gatherer service. | Oracle Linux 8 |
| OL08-00-010480 | V2R4 | The OL 8 SSH public host key files must have mode "0644" or less permissive. | Oracle Linux 8 |
| OL08-00-010490 | V2R4 | The OL 8 SSH private host key files must have mode "0640" or less permissive. | Oracle Linux 8 |
| OL08-00-010500 | V2R4 | The OL 8 SSH daemon must perform strict mode checking of home directory configuration files. | Oracle Linux 8 |
| OL08-00-010520 | V2R4 | The OL 8 SSH daemon must not allow authentication using known hosts authentication. | Oracle Linux 8 |
| OL08-00-010521 | V2R4 | The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. | Oracle Linux 8 |
| OL08-00-010522 | V2R4 | The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. | Oracle Linux 8 |
| OL08-00-010540 | V2R4 | OL 8 must use a separate file system for "/var". | Oracle Linux 8 |
| OL08-00-010541 | V2R4 | OL 8 must use a separate file system for "/var/log". | Oracle Linux 8 |
| OL08-00-010542 | V2R4 | OL 8 must use a separate file system for the system audit data path. | Oracle Linux 8 |
| OL08-00-010543 | V2R4 | OL 8 must use a separate file system for "/tmp". | Oracle Linux 8 |
| OL08-00-010544 | V2R4 | OL 8 must use a separate file system for /var/tmp. | Oracle Linux 8 |
| OL08-00-010561 | V2R4 | OL 8 must have the rsyslog service enabled and active. | Oracle Linux 8 |
| OL08-00-010570 | V2R4 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | Oracle Linux 8 |
| OL08-00-010571 | V2R4 | OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | Oracle Linux 8 |
| OL08-00-010572 | V2R4 | OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | Oracle Linux 8 |
| OL08-00-010580 | V2R4 | OL 8 must prevent special devices on non-root local partitions. | Oracle Linux 8 |
| OL08-00-010590 | V2R4 | OL 8 file systems that contain user home directories must not execute binary files. | Oracle Linux 8 |
| OL08-00-010600 | V2R4 | OL 8 file systems must not interpret character or block special devices from untrusted file systems. | Oracle Linux 8 |
| OL08-00-010610 | V2R4 | OL 8 file systems must not execute binary files on removable media. | Oracle Linux 8 |
| OL08-00-010620 | V2R4 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Oracle Linux 8 |
| OL08-00-010630 | V2R4 | OL 8 file systems must not execute binary files that are imported via Network File System (NFS). | Oracle Linux 8 |
| OL08-00-010640 | V2R4 | OL 8 file systems must not interpret character or block special devices that are imported via NFS. | Oracle Linux 8 |
| OL08-00-010650 | V2R4 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | Oracle Linux 8 |
| OL08-00-010660 | V2R4 | Local OL 8 initialization files must not execute world-writable programs. | Oracle Linux 8 |
| OL08-00-010671 | V2R4 | OL 8 must disable the "kernel.core_pattern". | Oracle Linux 8 |
| OL08-00-010672 | V2R4 | OL 8 must disable acquiring, saving, and processing core dumps. | Oracle Linux 8 |
| OL08-00-010673 | V2R4 | OL 8 must disable core dumps for all users. | Oracle Linux 8 |
| OL08-00-010674 | V2R4 | OL 8 must disable storing core dumps. | Oracle Linux 8 |
| OL08-00-010675 | V2R4 | OL 8 must disable core dump backtraces. | Oracle Linux 8 |
| OL08-00-010680 | V2R4 | For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Oracle Linux 8 |
| OL08-00-010690 | V2R4 | Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory. | Oracle Linux 8 |
| OL08-00-010700 | V2R4 | All OL 8 world-writable directories must be owned by root, sys, bin, or an application user. | Oracle Linux 8 |
| OL08-00-010710 | V2R4 | All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Oracle Linux 8 |
| OL08-00-010720 | V2R4 | All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file. | Oracle Linux 8 |
| OL08-00-010730 | V2R4 | All OL 8 local interactive user home directories must have mode "0750" or less permissive. | Oracle Linux 8 |
| OL08-00-010731 | V2R4 | All OL 8 local interactive user home directory files must have mode "0750" or less permissive. | Oracle Linux 8 |
| OL08-00-010740 | V2R4 | All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group. | Oracle Linux 8 |
| OL08-00-010741 | V2R4 | OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. | Oracle Linux 8 |
| OL08-00-010750 | V2R4 | All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist. | Oracle Linux 8 |
| OL08-00-010760 | V2R4 | All OL 8 local interactive user accounts must be assigned a home directory upon creation. | Oracle Linux 8 |
| OL08-00-010770 | V2R4 | All OL 8 local initialization files must have mode "0740" or less permissive. | Oracle Linux 8 |
| OL08-00-010780 | V2R4 | All OL 8 files and directories must have a valid owner. | Oracle Linux 8 |
| OL08-00-010790 | V2R4 | All OL 8 files and directories must have a valid group owner. | Oracle Linux 8 |
| OL08-00-010800 | V2R4 | A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent). | Oracle Linux 8 |
| OL08-00-020032 | V2R4 | OL 8 must disable the user list at logon for graphical user interfaces. | Oracle Linux 8 |
| OL08-00-020320 | V2R4 | OL 8 must not have unnecessary accounts. | Oracle Linux 8 |
| OL08-00-020330 | V2R4 | OL 8 must not allow accounts configured with blank or null passwords. | Oracle Linux 8 |
| OL08-00-020331 | V2R4 | OL 8 must not allow blank or null passwords in the system-auth file. | Oracle Linux 8 |
| OL08-00-020332 | V2R4 | OL 8 must not allow blank or null passwords in the password-auth file. | Oracle Linux 8 |
| OL08-00-020340 | V2R4 | OL 8 must display the date and time of the last successful account logon upon logon. | Oracle Linux 8 |
| OL08-00-020350 | V2R4 | OL 8 must display the date and time of the last successful account logon upon an SSH logon. | Oracle Linux 8 |
| OL08-00-030010 | V2R4 | Cron logging must be implemented in OL 8. | Oracle Linux 8 |
| OL08-00-030061 | V2R4 | The OL 8 audit system must audit local events. | Oracle Linux 8 |
| OL08-00-030063 | V2R4 | OL 8 must resolve audit information before writing to disk. | Oracle Linux 8 |
| OL08-00-030670 | V2R4 | OL 8 must have the packages required for offloading audit logs installed. | Oracle Linux 8 |
| OL08-00-030680 | V2R4 | OL 8 must have the packages required for encrypting offloaded audit logs installed. | Oracle Linux 8 |
| OL08-00-040021 | V2R4 | OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support. | Oracle Linux 8 |
| OL08-00-040022 | V2R4 | OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support. | Oracle Linux 8 |
| OL08-00-040023 | V2R4 | OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support. | Oracle Linux 8 |
| OL08-00-040170 | V2R4 | The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8. | Oracle Linux 8 |
| OL08-00-040171 | V2R4 | The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed. | Oracle Linux 8 |
| OL08-00-040172 | V2R4 | OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence. | Oracle Linux 8 |
| OL08-00-040180 | V2R4 | OL 8 must disable the debug-shell systemd service. | Oracle Linux 8 |
| OL08-00-040190 | V2R4 | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support. | Oracle Linux 8 |
| OL08-00-040200 | V2R4 | The root account must be the only account having unrestricted access to the OL 8 system. | Oracle Linux 8 |
| OL08-00-040209 | V2R4 | OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 8 |
| OL08-00-040210 | V2R4 | OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 8 |
| OL08-00-040220 | V2R4 | OL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Oracle Linux 8 |
| OL08-00-040230 | V2R4 | OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Oracle Linux 8 |
| OL08-00-040239 | V2R4 | OL 8 must not forward IPv4 source-routed packets. | Oracle Linux 8 |
| OL08-00-040240 | V2R4 | OL 8 must not forward IPv6 source-routed packets. | Oracle Linux 8 |
| OL08-00-040249 | V2R4 | OL 8 must not forward IPv4 source-routed packets by default. | Oracle Linux 8 |
| OL08-00-040250 | V2R4 | OL 8 must not forward IPv6 source-routed packets by default. | Oracle Linux 8 |
| OL08-00-040260 | V2R4 | OL 8 must not enable IPv6 packet forwarding unless the system is a router. | Oracle Linux 8 |
| OL08-00-040261 | V2R4 | OL 8 must not accept router advertisements on all IPv6 interfaces. | Oracle Linux 8 |
| OL08-00-040262 | V2R4 | OL 8 must not accept router advertisements on all IPv6 interfaces by default. | Oracle Linux 8 |
| OL08-00-040270 | V2R4 | OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Oracle Linux 8 |
| OL08-00-040279 | V2R4 | OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 8 |
| OL08-00-040280 | V2R4 | OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 8 |
| OL08-00-040281 | V2R4 | OL 8 must disable access to the network "bpf" syscall from unprivileged processes. | Oracle Linux 8 |
| OL08-00-040282 | V2R4 | OL 8 must restrict the use of "ptrace" to descendant processes. | Oracle Linux 8 |
| OL08-00-040283 | V2R4 | OL 8 must restrict exposed kernel pointer addresses access. | Oracle Linux 8 |
| OL08-00-040284 | V2R4 | OL 8 must disable the use of user namespaces. | Oracle Linux 8 |
| OL08-00-040285 | V2R4 | OL 8 must use reverse path filtering on all IPv4 interfaces. | Oracle Linux 8 |
OL08-00-040286V2R4OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
OL08-00-040290V2R4OL 8 must be configured to prevent unrestricted mail relaying.
OL08-00-040300V2R4The OL 8 file integrity tool must be configured to verify extended attributes.
OL08-00-040310V2R4The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
OL08-00-040320V2R4The graphical display manager must not be installed on OL 8 unless approved.
OL08-00-040330V2R4OL 8 network interfaces must not be in promiscuous mode.
OL08-00-040340V2R4OL 8 remote X connections for interactive users must be disabled except to fulfill documented and validated mission requirements.
OL08-00-040341V2R4The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
OL08-00-040350V2R4If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
OL08-00-040360V2R4A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
OL08-00-040370V2R4OL 8 must not have the "gssproxy" package installed if not required for operational support.
OL08-00-040380V2R4OL 8 must not have the "iprutils" package installed if not required for operational support.
OL08-00-040390V2R4OL 8 must not have the "tuned" package installed if not required for operational support.
OL08-00-010121V2R4The OL 8 operating system must not have accounts configured with blank or null passwords.
OL08-00-010379V2R4OL 8 must specify the default "include" directory for the /etc/sudoers file.
OL08-00-020101V2R4OL 8 must ensure the password complexity module is enabled in the system-auth file.
OL08-00-020102V2R4OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
OL08-00-020103V2R4OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
OL08-00-020104V2R4OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
OL08-00-040259V2R4OL 8 must not enable IPv4 packet forwarding unless the system is a router.
OL08-00-040321V2R4The graphical display manager must not be the default target on OL 8 unless approved.
OL09-00-000003V1R1OL 9 must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
OL09-00-000004V1R1OL 9 must use a separate file system for /tmp.
OL09-00-000005V1R1OL 9 must use a separate file system for /var.
OL09-00-000006V1R1OL 9 must use a separate file system for /var/log.
OL09-00-000007V1R1OL 9 must use a separate file system for /var/tmp.
OL09-00-000015V1R1OL 9 vendor packaged system security patches and updates must be installed and up to date.
OL09-00-000020V1R1OL 9 must be configured so that the graphical display manager is not the default target unless approved.
OL09-00-000135V1R1OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
OL09-00-000140V1R1OL 9 must not have the quagga package installed.
OL09-00-000145V1R1OL 9 must not have a graphical display manager installed unless approved.
OL09-00-000210V1R1OL 9 policycoreutils-python-utils package must be installed.
OL09-00-000224V1R1OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems.
OL09-00-000231V1R1OL 9 must use the invoking user's password for privilege escalation when using sudo.
OL09-00-000232V1R1OL 9 must restrict privilege elevation to authorized personnel.
OL09-00-000243V1R1OL 9 must be configured so that the cryptographic hashes of system files match vendor values.
OL09-00-000260V1R1OL 9 must have the openssh-clients package installed.
OL09-00-000302V1R1OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
OL09-00-000303V1R1OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
OL09-00-000304V1R1OL 9 must be configured so that the file integrity tool verifies extended attributes.
OL09-00-000351V1R1OL 9 must be configured so that the rsyslog service is active.
OL09-00-000360V1R1OL 9 must enable the hardware random number generator entropy gatherer service.
OL09-00-000370V1R1OL 9 must have the rng-tools package installed.
OL09-00-000380V1R1OL 9 must have the nss-tools package installed.
OL09-00-000430V1R1OL 9 must have the gnutls-utils package installed.
OL09-00-000880V1R1OL 9 must write audit records to disk.
OL09-00-001000V1R1OL 9 must ensure the password complexity module is enabled in the system-auth file.
OL09-00-001110V1R1OL 9 must not allow blank or null passwords.
OL09-00-001130V1R1OL 9 must not have accounts configured with blank or null passwords.
OL09-00-002010V1R1OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
OL09-00-002011V1R1OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
OL09-00-002012V1R1OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
OL09-00-002013V1R1OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
OL09-00-002020V1R1OL 9 must prevent code from being executed on file systems that are used with removable media.
OL09-00-002021V1R1OL 9 must prevent special devices on file systems that are used with removable media.
OL09-00-002022V1R1OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL09-00-002072V1R1OL 9 must prevent code from being executed on file systems that contain user home directories.
OL09-00-002080V1R1OL 9 must prevent special devices on nonroot local partitions.
OL09-00-002102V1R1OL 9 must disable the user list at logon for graphical user interfaces.
OL09-00-002107V1R1OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
OL09-00-002127V1R1OL 9 must disable the ability of a user to restart the system from the login screen.
OL09-00-002128V1R1OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
OL09-00-002129V1R1OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
OL09-00-002162V1R1OL 9 effective dconf policy must match the policy keyfiles.
OL09-00-002301V1R1OL 9 must define default permissions for the bash shell.
OL09-00-002302V1R1OL 9 must define default permissions for the c shell.
OL09-00-002303V1R1OL 9 must define default permissions for the system default profile.
OL09-00-002348V1R1OL 9 SSH daemon must not allow rhosts authentication.
OL09-00-002349V1R1OL 9 SSH daemon must not allow known hosts authentication.
OL09-00-002350V1R1OL 9 SSH daemon must disable remote X connections for interactive users.
OL09-00-002351V1R1OL 9 SSH daemon must perform strict mode checking of home directory configuration files.
OL09-00-002352V1R1OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
OL09-00-002354V1R1OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
OL09-00-002355V1R1OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
OL09-00-002360V1R1OL 9 must require reauthentication when using the "sudo" command.
OL09-00-002370V1R1OL 9 must disable the use of user namespaces.
OL09-00-002380V1R1OL 9 must disable the kernel.core_pattern.
OL09-00-002381V1R1OL 9 must disable core dump backtraces.
OL09-00-002382V1R1OL 9 must disable storing core dumps.
OL09-00-002383V1R1OL 9 must disable core dumps for all users.
OL09-00-002384V1R1OL 9 must disable acquiring, saving, and processing core dumps.
OL09-00-002385V1R1OL 9 must be configured so that the kdump service is disabled.
OL09-00-002392V1R1OL 9 must disable the ability of systemd to spawn an interactive boot process.
OL09-00-002419V1R1OL 9 file systems must not contain shosts.equiv files.
OL09-00-002420V1R1OL 9 file systems must not contain .shosts files.
OL09-00-002425V1R1OL 9 must be configured to prevent unrestricted mail relaying.
OL09-00-002426V1R1OL 9 Trivial File Transfer Protocol (TFTP) daemon must be configured to operate in secure mode if the TFTP server is required.
OL09-00-002427V1R1OL 9 must be configured so that local initialization files do not execute world-writable programs.
OL09-00-002430V1R1OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
OL09-00-002500V1R1OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
OL09-00-002501V1R1OL 9 must not have unauthorized accounts.
OL09-00-002502V1R1OL 9 SSH private host key files must have mode 0640 or less permissive.
OL09-00-002503V1R1OL 9 SSH public host key files must have mode 0644 or less permissive.
OL09-00-002507V1R1OL 9 SSH server configuration file must be group-owned by root.
OL09-00-002508V1R1OL 9 SSH server configuration file must be owned by root.
OL09-00-002509V1R1OL 9 SSH server configuration file must have mode 0600 or less permissive.
OL09-00-002511V1R1OL 9 local files and directories must have a valid group owner.
OL09-00-002512V1R1OL 9 local files and directories must have a valid owner.
OL09-00-002513V1R1OL 9 local initialization files must have mode 0740 or less permissive.
OL09-00-002514V1R1OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
OL09-00-002515V1R1OL 9 local interactive user home directories must have mode 0750 or less permissive.
OL09-00-002530V1R1OL 9 /boot/grub2/grub.cfg file must be group-owned by root.
OL09-00-002531V1R1OL 9 /boot/grub2/grub.cfg file must be owned by root.
OL09-00-002532V1R1OL 9 /etc/group file must be group-owned by root.
OL09-00-002533V1R1OL 9 /etc/group- file must be group-owned by root.
OL09-00-002534V1R1OL 9 /etc/group file must be owned by root.
OL09-00-002535V1R1OL 9 /etc/group- file must be owned by root.
OL09-00-002536V1R1OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002537V1R1OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002538V1R1OL 9 /etc/gshadow file must be group-owned by root.
OL09-00-002539V1R1OL 9 /etc/gshadow- file must be group-owned by root.
OL09-00-002540V1R1OL 9 /etc/gshadow file must be owned by root.
OL09-00-002541V1R1OL 9 /etc/gshadow- file must be owned by root.
OL09-00-002542V1R1OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002543V1R1OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002544V1R1OL 9 /etc/passwd file must be group-owned by root.
OL09-00-002545V1R1OL 9 /etc/passwd- file must be group-owned by root.
OL09-00-002546V1R1OL 9 /etc/passwd file must be owned by root.
OL09-00-002547V1R1OL 9 /etc/passwd- file must be owned by root.
OL09-00-002548V1R1OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002549V1R1OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002550V1R1OL 9 /etc/shadow file must be group-owned by root.
OL09-00-002551V1R1OL 9 /etc/shadow- file must be group-owned by root.
OL09-00-002552V1R1OL 9 /etc/shadow file must be owned by root.
OL09-00-002553V1R1OL 9 /etc/shadow- file must be owned by root.
OL09-00-002554V1R1OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002555V1R1OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
OL09-00-002580V1R1OL 9 cron configuration directories must have a mode of 0700 or less permissive.
OL09-00-002581V1R1OL 9 cron configuration files directory must be group-owned by root.
OL09-00-002582V1R1OL 9 cron configuration files directory must be owned by root.
OL09-00-002583V1R1OL 9 /etc/crontab file must have mode 0600.
OL09-00-003000V1R1OL 9 must be configured so that the root account is the only account having unrestricted access to the system.
OL09-00-003002V1R1OL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
OL09-00-003050V1R1OL 9 local interactive user home directories defined in the /etc/passwd file must exist.
OL09-00-003051V1R1OL 9 system accounts must not have an interactive login shell.
OL09-00-003052V1R1OL 9 local interactive user accounts must be assigned a home directory upon creation.
OL09-00-003053V1R1OL 9 must be configured so that executable search paths within the initialization files of all local interactive users contain only paths that resolve to the system default or the user's home directory.
OL09-00-003060V1R1OL 9 must set the umask value to 077 for all local interactive user accounts.
OL09-00-005010V1R1OL 9 must use cron logging.
OL09-00-005030V1R1OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
OL09-00-006002V1R1OL 9 must configure a DNS processing mode set by Network Manager.
OL09-00-006003V1R1OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
OL09-00-006004V1R1OL 9 network interfaces must not be in promiscuous mode.
OL09-00-006010V1R1OL 9 must not have unauthorized IP tunnels configured.
OL09-00-006020V1R1OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
OL09-00-006021V1R1OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
OL09-00-006022V1R1OL 9 must log IPv4 packets with impossible addresses.
OL09-00-006023V1R1OL 9 must log IPv4 packets with impossible addresses by default.
OL09-00-006024V1R1OL 9 must use reverse path filtering on all IPv4 interfaces.
OL09-00-006025V1R1OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL09-00-006026V1R1OL 9 must not forward IPv4 source-routed packets by default.
OL09-00-006027V1R1OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default.
OL09-00-006028V1R1OL 9 must not enable IPv4 packet forwarding unless the system is a router.
OL09-00-006030V1R1OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL09-00-006031V1R1OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs.
OL09-00-006032V1R1OL 9 must not send Internet Control Message Protocol (ICMP) redirects.
OL09-00-006033V1R1OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
OL09-00-006040V1R1OL 9 must not accept router advertisements on all IPv6 interfaces.
OL09-00-006041V1R1OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
OL09-00-006042V1R1OL 9 must not forward IPv6 source-routed packets.
OL09-00-006043V1R1OL 9 must not enable IPv6 packet forwarding unless the system is a router.
OL09-00-006044V1R1OL 9 must not accept router advertisements on all IPv6 interfaces by default.
OL09-00-006045V1R1OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL09-00-006046V1R1OL 9 must not forward IPv6 source-routed packets by default.
RHEL-07-010290V3R9The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
RHEL-07-020230V3R9The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
RHEL-07-020231V3R9The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
RHEL-07-020250V3R9The Red Hat Enterprise Linux operating system must be a vendor supported release.
RHEL-07-020260V3R9The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.
RHEL-07-020270V3R9The Red Hat Enterprise Linux operating system must not have unnecessary accounts.
RHEL-07-020310V3R9The Red Hat Enterprise Linux operating system must be configured so that the root account is the only account having unrestricted access to the system.
RHEL-07-020320V3R9The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.
RHEL-07-020330V3R9The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.
RHEL-07-020610V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
RHEL-07-020620V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
RHEL-07-020630V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
RHEL-07-020640V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
RHEL-07-020650V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group.
RHEL-07-020660V3R9The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
RHEL-07-020670V3R9The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
RHEL-07-020680V3R9The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
RHEL-07-020690V3R9The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
RHEL-07-020700V3R9The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root.
RHEL-07-020710V3R9The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
RHEL-07-020720V3R9The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files' executable search paths contain only paths that resolve to the user's home directory.
RHEL-07-020730V3R9The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.
RHEL-07-020900V3R9The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-07-021000V3R9The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
RHEL-07-021010V3R9The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-07-021020V3R9The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021021V3R9The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021030V3R9The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
RHEL-07-021040V3R9The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
RHEL-07-021100V3R9The Red Hat Enterprise Linux operating system must have cron logging implemented.
RHEL-07-021110V3R9The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
RHEL-07-021120V3R9The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
RHEL-07-021300V3R9The Red Hat Enterprise Linux operating system must disable kernel core dumps unless needed.
RHEL-07-021310V3R9The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
RHEL-07-021320V3R9The Red Hat Enterprise Linux operating system must use a separate file system for /var.
RHEL-07-021330V3R9The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
RHEL-07-021340V3R9The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
RHEL-07-021600V3R9The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
RHEL-07-021610V3R9The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
RHEL-07-021620V3R9The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
RHEL-07-031000V3R9The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.
RHEL-07-031010V3R9The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-07-040201V3R9The Red Hat Enterprise Linux operating system must implement virtual address space randomization.
RHEL-07-040330V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
RHEL-07-040350V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
RHEL-07-040360V3R9The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
RHEL-07-040370V3R9The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
RHEL-07-040380V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
RHEL-07-040410V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
RHEL-07-040420V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.
RHEL-07-040450V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
RHEL-07-040460V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
RHEL-07-040470V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
RHEL-07-040520V3R9The Red Hat Enterprise Linux operating system must enable an application firewall, if available.
RHEL-07-040530V3R9The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.
RHEL-07-040540V3R9The Red Hat Enterprise Linux operating system must not contain .shosts files.
RHEL-07-040550V3R9The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.
RHEL-07-040600V3R9For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.
RHEL-07-040610V3R9The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-07-040611V3R9The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RHEL-07-040612V3R9The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-07-040620V3R9The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RHEL-07-040630V3R9The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-07-040640V3R9The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-07-040641V3R9The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-07-040650V3R9The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
RHEL-07-040660V3R9The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RHEL-07-040670V3R9Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.
RHEL-07-040680V3R9The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.
RHEL-07-040690V3R9The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
RHEL-07-040700V3R9The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
RHEL-07-040710V3R9The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
RHEL-07-040720V3R9The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
RHEL-07-040730V3R9The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
RHEL-07-040740V3R9The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
RHEL-07-040750V3R9The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
RHEL-07-040800	V3R9	SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
RHEL-07-040810	V3R9	The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
RHEL-07-040820	V3R9	The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.
RHEL-07-040830	V3R9	The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.
RHEL-07-010020	V3R9	The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
RHEL-07-020019	V3R9	The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
RHEL-07-032000	V3R9	The Red Hat Enterprise Linux operating system must use a virus scan program.
RHEL-07-021031	V3R9	The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
RHEL-07-040711	V3R9	The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-07-010341	V3R9	The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
RHEL-07-010342	V3R9	The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
RHEL-07-010291	V3R9	The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
RHEL-07-010339	V3R9	The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.
RHEL-08-010000	V2R3	RHEL 8 must be a vendor-supported release.
RHEL-08-010010	V2R3	RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
RHEL-08-010292	V2R3	RHEL 8 must ensure the SSH server uses strong entropy.
RHEL-08-010460	V2R3	There must be no shosts.equiv files on the RHEL 8 operating system.
RHEL-08-010470	V2R3	There must be no .shosts files on the RHEL 8 operating system.
RHEL-08-010471	V2R3	RHEL 8 must enable the hardware random number generator entropy gatherer service.
RHEL-08-010480	V2R3	The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
RHEL-08-010490	V2R3	The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
RHEL-08-010500	V2R3	The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-08-010520	V2R3	The RHEL 8 SSH daemon must not allow authentication using known host's authentication.
RHEL-08-010521	V2R3	The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
RHEL-08-010540	V2R3	RHEL 8 must use a separate file system for /var.
RHEL-08-010541	V2R3	RHEL 8 must use a separate file system for /var/log.
RHEL-08-010542	V2R3	RHEL 8 must use a separate file system for the system audit data path.
RHEL-08-010543	V2R3	A separate RHEL 8 filesystem must be used for the /tmp directory.
RHEL-08-010561	V2R3	The rsyslog service must be running in RHEL 8.
RHEL-08-010570	V2R3	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
RHEL-08-010571	V2R3	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
RHEL-08-010580	V2R3	RHEL 8 must prevent special devices on non-root local partitions.
RHEL-08-010590	V2R3	RHEL 8 must prevent code from being executed on file systems that contain user home directories.
RHEL-08-010600	V2R3	RHEL 8 must prevent special devices on file systems that are used with removable media.
RHEL-08-010610	V2R3	RHEL 8 must prevent code from being executed on file systems that are used with removable media.
RHEL-08-010620	V2R3	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-08-010630	V2R3	RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010640	V2R3	RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-08-010650	V2R3	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010660	V2R3	Local RHEL 8 initialization files must not execute world-writable programs.
RHEL-08-010670	V2R3	RHEL 8 must disable kernel dumps unless needed.
RHEL-08-010671	V2R3	RHEL 8 must disable the kernel.core_pattern.
RHEL-08-010672	V2R3	RHEL 8 must disable acquiring, saving, and processing core dumps.
RHEL-08-010673	V2R3	RHEL 8 must disable core dumps for all users.
RHEL-08-010674	V2R3	RHEL 8 must disable storing core dumps.
RHEL-08-010675	V2R3	RHEL 8 must disable core dump backtraces.
RHEL-08-010680	V2R3	For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
RHEL-08-010690	V2R3	Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
RHEL-08-010700	V2R3	All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-08-010710	V2R3	All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
RHEL-08-010720	V2R3	All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-08-010730	V2R3	All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
RHEL-08-010740	V2R3	All RHEL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
RHEL-08-010750	V2R3	All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-08-010760	V2R3	All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
RHEL-08-010770	V2R3	All RHEL 8 local initialization files must have mode 0740 or less permissive.
RHEL-08-010780	V2R3	All RHEL 8 local files and directories must have a valid owner.
RHEL-08-010790	V2R3	All RHEL 8 local files and directories must have a valid group owner.
RHEL-08-010800	V2R3	A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
RHEL-08-020320	V2R3	RHEL 8 must not have unnecessary accounts.
RHEL-08-020330	V2R3	RHEL 8 must not allow accounts configured with blank or null passwords.
RHEL-08-020340	V2R3	RHEL 8 must display the date and time of the last successful account logon upon logon.
RHEL-08-020350	V2R3	RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
RHEL-08-020353	V2R3	RHEL 8 must define default permissions for logon and non-logon shells.
RHEL-08-030010	V2R3	Cron logging must be implemented in RHEL 8.
RHEL-08-030061	V2R3	The RHEL 8 audit system must audit local events.
RHEL-08-030063	V2R3	RHEL 8 must resolve audit information before writing to disk.
RHEL-08-030670	V2R3	RHEL 8 must have the packages required for offloading audit logs installed.
RHEL-08-030680	V2R3	RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
RHEL-08-040170	V2R3	The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
RHEL-08-040171	V2R3	The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
RHEL-08-040172	V2R3	The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
RHEL-08-040180	V2R3	The debug-shell systemd service must be disabled on RHEL 8.
RHEL-08-040190	V2R3	The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
RHEL-08-040200	V2R3	The root account must be the only account having unrestricted access to the RHEL 8 system.
RHEL-08-040210	V2R3	RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-08-040220	V2R3	RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-08-040230	V2R3	RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-08-040240	V2R3	RHEL 8 must not forward IPv6 source-routed packets.
RHEL-08-040250	V2R3	RHEL 8 must not forward IPv6 source-routed packets by default.
RHEL-08-040260	V2R3	RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-08-040261	V2R3	RHEL 8 must not accept router advertisements on all IPv6 interfaces.
RHEL-08-040262	V2R3	RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-08-040270	V2R3	RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-08-040280	V2R3	RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-08-040281	V2R3	RHEL 8 must disable access to network bpf syscall from unprivileged processes.
RHEL-08-040282	V2R3	RHEL 8 must restrict usage of ptrace to descendant processes.
RHEL-08-040283	V2R3	RHEL 8 must restrict exposed kernel pointer addresses access.
RHEL-08-040284	V2R3	RHEL 8 must disable the use of user namespaces.
RHEL-08-040285	V2R3	RHEL 8 must use reverse path filtering on all IPv4 interfaces.
RHEL-08-040290	V2R3	RHEL 8 must be configured to prevent unrestricted mail relaying.
RHEL-08-040300	V2R3	The RHEL 8 file integrity tool must be configured to verify extended attributes.
RHEL-08-040310	V2R3	The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
RHEL-08-040320	V2R3	The graphical display manager must not be installed on RHEL 8 unless approved.
RHEL-08-040330	V2R3	RHEL 8 network interfaces must not be in promiscuous mode.
RHEL-08-040340	V2R3	RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
RHEL-08-040341	V2R3	The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-08-040350	V2R3	If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
RHEL-08-040360	V2R3	A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
RHEL-08-040370	V2R3	The gssproxy package must not be installed unless mission essential on RHEL 8.
RHEL-08-040380	V2R3	The iprutils package must not be installed unless mission essential on RHEL 8.
RHEL-08-040390	V2R3	The tuned package must not be installed unless mission essential on RHEL 8.
RHEL-08-010382	V2R3	RHEL 8 must restrict privilege elevation to authorized personnel.
RHEL-08-010383	V2R3	RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-08-010472	V2R3	RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
RHEL-08-010522	V2R3	The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
RHEL-08-010544	V2R3	RHEL 8 must use a separate file system for /var/tmp.
RHEL-08-010572	V2R3	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
RHEL-08-010731	V2R3	All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
RHEL-08-010741	V2R3	RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
RHEL-08-020032	V2R3	RHEL 8 must disable the user list at logon for graphical user interfaces.
RHEL-08-020332	V2R3	RHEL 8 must not allow blank or null passwords in the password-auth file.
RHEL-08-040209	V2R3	RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-08-040239	V2R3	RHEL 8 must not forward IPv4 source-routed packets.
RHEL-08-040249	V2R3	RHEL 8 must not forward IPv4 source-routed packets by default.
RHEL-08-040279	V2R3	RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-08-040286	V2R3	RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
RHEL-08-040259	V2R3	RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-08-010121	V2R3	The RHEL 8 operating system must not have accounts configured with blank or null passwords.
RHEL-08-010379	V2R3	RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
RHEL-08-020101	V2R3	RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
RHEL-08-020104	V2R3	RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
RHEL-08-040321	V2R3	The graphical display manager must not be the default target on RHEL 8 unless approved.
RHEL-08-020331	V2R3	RHEL 8 must not allow blank or null passwords in the system-auth file.
RHEL-09-211010	V2R4	RHEL 9 must be a vendor-supported release.
RHEL-09-211015	V2R4	RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
RHEL-09-211030	V2R4	The graphical display manager must not be the default target on RHEL 9 unless approved.
RHEL-09-211035	V2R4	RHEL 9 must enable the hardware random number generator entropy gatherer service.
RHEL-09-212015	V2R4	RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
RHEL-09-212025	V2R4	RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
RHEL-09-212030	V2R4	RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
RHEL-09-212035	V2R4	RHEL 9 must disable virtual system calls.
RHEL-09-212040	V2R4	RHEL 9 must clear the page allocator to prevent use-after-free attacks.
RHEL-09-213020	V2R4	RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL-09-213040	V2R4	RHEL 9 must disable the kernel.core_pattern.
RHEL-09-213085	V2R4	RHEL 9 must disable core dump backtraces.
RHEL-09-213090	V2R4	RHEL 9 must disable storing core dumps.
RHEL-09-213095	V2R4	RHEL 9 must disable core dumps for all users.
RHEL-09-213100	V2R4	RHEL 9 must disable acquiring, saving, and processing core dumps.
RHEL-09-213105	V2R4	RHEL 9 must disable the use of user namespaces.
RHEL-09-213115	V2R4	The kdump service on RHEL 9 must be disabled.
RHEL-09-214030	V2R4	RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
RHEL-09-215020	V2R4	RHEL 9 must not have the sendmail package installed.
RHEL-09-215060	V2R4	RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
RHEL-09-215065	V2R4	RHEL 9 must not have the quagga package installed.
RHEL-09-215070	V2R4	A graphical display manager must not be installed on RHEL 9 unless approved.
RHEL-09-215080	V2R4	RHEL 9 must have the gnutls-utils package installed.
RHEL-09-215085	V2R4	RHEL 9 must have the nss-tools package installed.
RHEL-09-215090	V2R4	RHEL 9 must have the rng-tools package installed.
RHEL-09-231010	V2R4	A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
RHEL-09-231015	V2R4	RHEL 9 must use a separate file system for /tmp.
RHEL-09-231020	V2R4	RHEL 9 must use a separate file system for /var.
RHEL-09-231025	V2R4	RHEL 9 must use a separate file system for /var/log.
RHEL-09-231035	V2R4	RHEL 9 must use a separate file system for /var/tmp.
RHEL-09-231055	V2R4	RHEL 9 must prevent code from being executed on file systems that contain user home directories.
RHEL-09-231065	V2R4	RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-09-231070	V2R4	RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231075	V2R4	RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231080	V2R4	RHEL 9 must prevent code from being executed on file systems that are used with removable media.
RHEL-09-231085	V2R4	RHEL 9 must prevent special devices on file systems that are used with removable media.
RHEL-09-231090	V2R4	RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-09-231200	V2R4	RHEL 9 must prevent special devices on non-root local partitions.
RHEL-09-232040	V2R4	RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults.
RHEL-09-232045	V2R4	All RHEL 9 local initialization files must have mode 0740 or less permissive.
RHEL-09-232050	V2R4	All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
RHEL-09-232055	V2R4	RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232060	V2R4	RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232065	V2R4	RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232070	V2R4	RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232075	V2R4	RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232080	V2R4	RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232085	V2R4	RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232090	V2R4	RHEL 9 /etc/group file must be owned by root.
RHEL-09-232095	V2R4	RHEL 9 /etc/group file must be group-owned by root.
RHEL-09-232100	V2R4	RHEL 9 /etc/group- file must be owned by root.
RHEL-09-232105	V2R4	RHEL 9 /etc/group- file must be group-owned by root.
RHEL-09-232110	V2R4	RHEL 9 /etc/gshadow file must be owned by root.
RHEL-09-232115	V2R4	RHEL 9 /etc/gshadow file must be group-owned by root.
RHEL-09-232120	V2R4	RHEL 9 /etc/gshadow- file must be owned by root.
RHEL-09-232125	V2R4	RHEL 9 /etc/gshadow- file must be group-owned by root.
RHEL-09-232130	V2R4	RHEL 9 /etc/passwd file must be owned by root.
RHEL-09-232135	V2R4	RHEL 9 /etc/passwd file must be group-owned by root.
RHEL-09-232140	V2R4	RHEL 9 /etc/passwd- file must be owned by root.
RHEL-09-232145	V2R4	RHEL 9 /etc/passwd- file must be group-owned by root.
RHEL-09-232150	V2R4	RHEL 9 /etc/shadow file must be owned by root.
RHEL-09-232155	V2R4	RHEL 9 /etc/shadow file must be group-owned by root.
RHEL-09-232160	V2R4	RHEL 9 /etc/shadow- file must be owned by root.
RHEL-09-232165	V2R4	RHEL 9 /etc/shadow- file must be group-owned by root.
RHEL-09-232230	V2R4	RHEL 9 cron configuration files directory must be owned by root.
RHEL-09-232235	V2R4	RHEL 9 cron configuration files directory must be group-owned by root.
RHEL-09-232240	V2R4	All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-09-232250	V2R4	All RHEL 9 local files and directories must have a valid group owner.
RHEL-09-232255	V2R4	All RHEL 9 local files and directories must have a valid owner.
RHEL-09-232260	V2R4	RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-09-232270	V2R4	RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
RHEL-09-251020	V2R4	A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
RHEL-09-251040	V2R4	RHEL 9 network interfaces must not be in promiscuous mode.
RHEL-09-251045	V2R4	RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
RHEL-09-252035	V2R4	RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
RHEL-09-252040	V2R4	RHEL 9 must configure a DNS processing mode in Network Manager.
RHEL-09-252045	V2R4	RHEL 9 must not have unauthorized IP tunnels configured.
RHEL-09-252050	V2R4	RHEL 9 must be configured to prevent unrestricted mail relaying.
RHEL-09-252065	V2R4	RHEL 9 libreswan package must be installed.
RHEL-09-252070	V2R4	There must be no shosts.equiv files on RHEL 9.
RHEL-09-252075	V2R4	There must be no .shosts files on RHEL 9.
RHEL-09-253010	V2R4	RHEL 9 must be configured to use TCP syncookies.
RHEL-09-253015	V2R4	RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-253020	V2R4	RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-09-253025	V2R4	RHEL 9 must log IPv4 packets with impossible addresses.
RHEL-09-253030	V2R4	RHEL 9 must log IPv4 packets with impossible addresses by default.
RHEL-09-253035	V2R4	RHEL 9 must use reverse path filtering on all IPv4 interfaces.
RHEL-09-253040	V2R4	RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-253045	V2R4	RHEL 9 must not forward IPv4 source-routed packets by default.
RHEL-09-253050	V2R4	RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-09-253055	V2R4	RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-09-253060	V2R4	RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
RHEL-09-253065	V2R4	RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-09-253070	V2R4	RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-09-253075	V2R4	RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-09-254010	V2R4	RHEL 9 must not accept router advertisements on all IPv6 interfaces.
RHEL-09-254015	V2R4	RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-254020	V2R4	RHEL 9 must not forward IPv6 source-routed packets.
RHEL-09-254025	V2R4	RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-09-254030	V2R4	RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-09-254035	V2R4	RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-254040	V2R4	RHEL 9 must not forward IPv6 source-routed packets by default.
RHEL-09-255020	V2R4	RHEL 9 must have the openssh-clients package installed.
RHEL-09-255105	V2R4	RHEL 9 SSH server configuration file must be group-owned by root.
RHEL-09-255110	V2R4	The RHEL 9 SSH server configuration file must be owned by root.
RHEL-09-255115	V2R4	RHEL 9 SSH server configuration files' permissions must not be modified.
RHEL-09-255120	V2R4	RHEL 9 SSH private host key files must have mode 0640 or less permissive.
RHEL-09-255125	V2R4	RHEL 9 SSH public host key files must have mode 0644 or less permissive.
RHEL-09-255130	V2R4	RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-09-255145	V2R4	RHEL 9 SSH daemon must not allow rhosts authentication.
RHEL-09-255150	V2R4	RHEL 9 SSH daemon must not allow known hosts authentication.
RHEL-09-255155	V2R4	RHEL 9 SSH daemon must disable remote X connections for interactive users.
RHEL-09-255160	V2R4	RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-09-255165	V2R4	RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
RHEL-09-255175	V2R4	RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-09-271090	V2R4	RHEL 9 effective dconf policy must match the policy keyfiles.
RHEL-09-271095	V2R4	RHEL 9 must disable the ability of a user to restart the system from the login screen.
RHEL-09-271100	V2R4	RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
RHEL-09-271105	V2R4	RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
RHEL-09-271110	V2R4	RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
RHEL-09-271115	V2R4	RHEL 9 must disable the user list at logon for graphical user interfaces.
RHEL-09-411020	V2R4	All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
RHEL-09-411025	V2R4	RHEL 9 must set the umask value to 077 for all local interactive user accounts.
RHEL-09-411035	V2R4	RHEL 9 system accounts must not have an interactive login shell.
RHEL-09-411055	V2R4	Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
RHEL-09-411060	V2R4	All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-09-411065	V2R4	All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-09-411070	V2R4	All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
RHEL-09-411095	V2R4	RHEL 9 must not have unauthorized accounts.
RHEL-09-411100	V2R4	The root account must be the only account having unrestricted access to RHEL 9 system.
RHEL-09-411115	V2R4	Local RHEL 9 initialization files must not execute world-writable programs.
RHEL-09-412075	V2R4	RHEL 9 must display the date and time of the last successful account logon upon logon.
RHEL-09-431025	V2R4	RHEL 9 must have policycoreutils package installed.
RHEL-09-431030	V2R4	RHEL 9 policycoreutils-python-utils package must be installed.
RHEL-09-432020	V2R4	RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-09-432030	V2R4	RHEL 9 must restrict privilege elevation to authorized personnel.
RHEL-09-611025	V2R4	RHEL 9 must not allow blank or null passwords.
RHEL-09-611045	V2R4	RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
RHEL-09-611155	V2R4	RHEL 9 must not have accounts configured with blank or null passwords.
RHEL-09-651020	V2R4	RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
RHEL-09-651030	V2R4	RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
RHEL-09-651035	V2R4	RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
RHEL-09-652015	V2R4	RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
RHEL-09-652020	V2R4	The rsyslog service on RHEL 9 must be active.
RHEL-09-652025	V2R4	RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-09-652060	V2R4	RHEL 9 must use cron logging.
RHEL-09-653105	V2R4	RHEL 9 must write audit records to disk.
SLES-12-010000	V3R2	The SUSE operating system must be a vendor-supported release.
SLES-12-010010	V3R2	Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-12-010231	V3R2	The SUSE operating system must not be configured to allow blank or null passwords.
SLES-12-010390	V3R2	The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-12-010400	V3R2	There must be no .shosts files on the SUSE operating system.
SLES-12-010410	V3R2	There must be no shosts.equiv files on the SUSE operating system.
SLES-12-010520	V3R2	The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-12-010530	V3R2	The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-12-010610	V3R2	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-12-010611	V3R2	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-12-010630	V3R2	The SUSE operating system must not have unnecessary accounts.
SLES-12-010650	V3R2	The SUSE operating system root account must be the only account having unrestricted access to the system.
SLES-12-010690	V3R2	All SUSE operating system files and directories must have a valid owner.
SLES-12-010700	V3R2	All SUSE operating system files and directories must have a valid group owner.
SLES-12-010710	V3R2	All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-12-010720	V3R2	All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-12-010730	V3R2	All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-12-010740	V3R2	All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-12-010750	V3R2	All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SLES-12-010760	V3R2	All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-12-010770	V3R2	All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
SLES-12-010780	V3R2	All SUSE operating system local initialization files must not execute world-writable programs.
SLES-12-010790	V3R2	SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010800	V3R2	SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010810	V3R2	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010820	V3R2	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-12-010830	V3R2	All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-12-010840	V3R2	SUSE operating system kernel core dumps must be disabled unless needed.
SLES-12-010850	V3R2	A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-12-010860	V3R2	The SUSE operating system must use a separate file system for /var.
SLES-12-010870	V3R2	The SUSE operating system must use a separate file system for the system audit data path.
SLES-12-010910	V3R2	The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-12-020199	V3R2	The SUSE operating system must not disable syscall auditing.
SLES-12-030130	V3R2	The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-12-030200	V3R2	The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-12-030210	V3R2	The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-12-030220	V3R2	The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-12-030230	V3R2	The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-12-030240	V3R2	The SUSE operating system SSH daemon must use privilege separation.
SLES-12-030250	V3R2	The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SLES-12-030260	V3R2	The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-12-030360	V3R2	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-12-030361	V3R2	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-12-030370	V3R2	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-12-030380	V3R2	The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
SLES-12-030390	V3R2	The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030400	V3R2	The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030401	V3R2	The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030410	V3R2	The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030420	V3R2	The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-12-030430	V3R2	The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-12-030440	V3R2	The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-12-030611	V3R2	The SUSE operating system must use a virus scan program.
SLES-12-030261	V3R2	The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
SLES-12-010111	V3R2	The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-12-010112	V3R2	The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-12-010631	V3R2	The SUSE operating system must not have unnecessary account capabilities.
SLES-12-030362	V3R2	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-12-030363	V3R2	The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030364	V3R2	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-12-030365	V3R2	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-12-010109	V3R2	The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-12-010221	V3R2	The SUSE operating system must not have accounts configured with blank or null passwords.
SLES-15-010000	V2R4	The SUSE operating system must be a vendor-supported release.
SLES-15-010010	V2R4	Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-15-020080	V2R4	The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-15-020090	V2R4	The SUSE operating system must not have unnecessary accounts.
SLES-15-020091	V2R4	The SUSE operating system must not have unnecessary account capabilities.
SLES-15-020100	V2R4	The SUSE operating system root account must be the only account with unrestricted access to the system.
SLES-15-020101	V2R4	The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-15-020103	V2R4	The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-15-020110	V2R4	All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-15-020120	V2R4	The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-15-020300	V2R4	The SUSE operating system must not be configured to allow blank or null passwords.
SLES-15-030810	V2R4	The SUSE operating system must use a separate file system for the system audit data path.
SLES-15-030820V2R4The SUSE operating system must not disable syscall auditing.
SLES-15-040020V2R4There must be no .shosts files on the SUSE operating system.
SLES-15-040030V2R4There must be no shosts.equiv files on the SUSE operating system.
SLES-15-040040V2R4The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-15-040050V2R4The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-15-040060V2R4The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-15-040061V2R4The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-15-040062V2R4The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
SLES-15-040070V2R4All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-15-040080V2R4All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-15-040090V2R4All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-15-040100V2R4All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SLES-15-040110V2R4All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-15-040120V2R4All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
SLES-15-040130V2R4All SUSE operating system local initialization files must not execute world-writable programs.
SLES-15-040140V2R4SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040150V2R4SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040160V2R4SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040170V2R4SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-15-040180V2R4All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-15-040190V2R4SUSE operating system kernel core dumps must be disabled unless needed.
SLES-15-040200V2R4A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-15-040210V2R4The SUSE operating system must use a separate file system for /var.
SLES-15-040220V2R4The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-15-040230V2R4The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-15-040240V2R4The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-15-040250V2R4The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-15-040260V2R4The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-15-040290V2R4The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-15-040300V2R4The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-15-040310V2R4The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-15-040320V2R4The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-15-040321V2R4The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-15-040330V2R4The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040340V2R4The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040341V2R4The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040350V2R4The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040360V2R4The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040370V2R4The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-15-040380V2R4The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-15-040381V2R4The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-15-040382V2R4The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-15-040390V2R4The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-15-040400V2R4All SUSE operating system files and directories must have a valid owner.
SLES-15-040410V2R4All SUSE operating system files and directories must have a valid group owner.
SLES-15-020099V2R4The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-15-020181V2R4The SUSE operating system must not have accounts configured with blank or null passwords.
UBTU-18-010032V2R15The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-18-010150V2R15The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-18-010151V2R15The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-18-010418V2R15The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-18-010419V2R15The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-18-010450V2R15All local interactive user home directories defined in the /etc/passwd file must exist.
UBTU-18-010451V2R15All local interactive user home directories must have mode 0750 or less permissive.
UBTU-18-010452V2R15All local interactive user home directories must be group-owned by the home directory owners primary group.
UBTU-18-010522V2R15The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-18-010523V2R15The Ubuntu operating system must not allow accounts configured with blank or null passwords.
UBTU-18-999999V2R15The Ubuntu operating system must be a vendor supported release.
UBTU-20-010048V2R1The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-20-010049V2R1The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-20-010453V2R1The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-20-010459V2R1The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-20-010460V2R1The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-20-010462V2R1The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-20-010463V2R1The Ubuntu operating system must not allow accounts configured with blank or null passwords.
UBTU-22-211015V2R4Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-22-215015V2R4Ubuntu 22.04 LTS must have the "chrony" package installed.
UBTU-22-215020V2R4Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed.
UBTU-22-215025V2R4Ubuntu 22.04 LTS must not have the "ntp" package installed.
UBTU-22-255040V2R4Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-22-255045V2R4Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-22-271030V2R4Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-22-611060V2R4Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords.
UBTU-22-611065V2R4Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords.
UBTU-22-654190V2R4Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files.
UBTU-24-100010V1R1Ubuntu 24.04 LTS must not have the "systemd-timesyncd" package installed.
UBTU-24-100020V1R1Ubuntu 24.04 LTS must not have the "ntp" package installed.
UBTU-24-100700V1R1Ubuntu 24.04 LTS must have the "chrony" package installed.
UBTU-24-300021V1R1Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
UBTU-24-300022V1R1Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-24-300023V1R1Ubuntu 24.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-24-300024V1R1Ubuntu 24.04 LTS must display the date and time of the last successful account logon upon logon.
UBTU-24-300025V1R1Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-24-300026V1R1Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-24-300027V1R1Ubuntu 24.04 LTS must not have accounts configured with blank or null passwords.
UBTU-24-300028V1R1Ubuntu 24.04 LTS must not allow accounts configured in Pluggable Authentication Modules (PAM) with blank or null passwords.
UBTU-24-300029V1R1Ubuntu 24.04 LTS must generate audit records for all events that affect the systemd journal files.
WN10-00-000005V3R4Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
WN10-00-000010V3R4Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN10-00-000015V3R4Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN10-00-000020V3R4Secure Boot must be enabled on Windows 10 systems.
WN10-00-000040V3R4Windows 10 systems must be maintained at a supported servicing level.
WN10-00-000045V3R4The Windows 10 system must use an anti-virus program.
WN10-00-000055V3R4Alternate operating systems must not be permitted on the same system.
WN10-00-000075V3R4Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN10-00-000085V3R4Standard local user accounts must not exist on a system in a domain.
WN10-00-000130V3R4Software certificate installation files must be removed from Windows 10.
WN10-00-000135V3R4A host-based firewall must be installed and enabled on the system.
WN10-00-000140V3R4Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
WN10-00-000190V3R4Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
WN10-00-000230V3R4The system must notify the user when a Bluetooth device attempts to connect.
WN10-00-000240V3R4Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN10-CC-000020V3R4IPv6 source routing must be configured to highest protection.
WN10-CC-000025V3R4The system must be configured to prevent IP source routing.
WN10-CC-000030V3R4The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN10-CC-000040V3R4Insecure logons to an SMB server must be disabled.
WN10-CC-000055V3R4Simultaneous connections to the internet or a Windows domain must be limited.
WN10-CC-000060V3R4Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN10-CC-000065V3R4Wi-Fi Sense must be disabled.
WN10-CC-000068V3R4Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN10-CC-000070V3R4Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN10-CC-000075V3R4Credential Guard must be running on Windows 10 domain-joined systems.
WN10-CC-000085V3R4Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN10-CC-000090V3R4Group Policy objects must be reprocessed even if they have not changed.
WN10-CC-000115V3R4Systems must at least attempt device authentication using certificates.
WN10-CC-000170V3R4The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN10-CC-000195V3R4Enhanced anti-spoofing for facial recognition must be enabled on Window 10.
WN10-CC-000204V3R4If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
WN10-CC-000205V3R4Windows Telemetry must not be configured to Full.
WN10-CC-000206V3R4Windows Update must not obtain updates from other PCs on the internet.
WN10-CC-000225V3R4File Explorer shell protocol must run in protected mode.
WN10-CC-000230V3R4Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
WN10-CC-000235V3R4Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
WN10-CC-000238V3R4Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
WN10-CC-000245V3R4The password manager function in the Edge browser must be disabled.
WN10-CC-000250V3R4The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
WN10-CC-000255V3R4The use of a hardware security device with Windows Hello for Business must be enabled.
WN10-CC-000260V3R4Windows 10 must be configured to require a minimum pin length of six characters or greater.
WN10-CC-000295V3R4Attachments must be prevented from being downloaded from RSS feeds.
WN10-CC-000320V3R4Users must be notified if a web-based program attempts to install software.
WN10-SO-000015V3R4Local accounts with blank passwords must be restricted to prevent access from the network.
WN10-SO-000020V3R4The built-in administrator account must be renamed.
WN10-SO-000025V3R4The built-in guest account must be renamed.
WN10-SO-000050V3R4The computer account password must not be prevented from being reset.
WN10-SO-000055V3R4The maximum age for machine account passwords must be configured to 30 days or less.
WN10-SO-000085V3R4Caching of logon credentials must be limited.
WN10-SO-000095V3R4The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN10-SO-000140V3R4Anonymous SID/Name translation must not be allowed.
WN10-SO-000145V3R4Anonymous enumeration of SAM accounts must not be allowed.
WN10-SO-000160V3R4The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN10-SO-000180V3R4NTLM must be prevented from falling back to a Null session.
WN10-SO-000185V3R4PKU2U authentication using online identities must be prevented.
WN10-SO-000205V3R4The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN10-SO-000210V3R4The system must be configured to the required LDAP client signing level.
WN10-SO-000215V3R4The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN10-SO-000220V3R4The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN10-SO-000240V3R4The default permissions of global system objects must be increased.
WN10-UC-000020V3R4Zone information must be preserved when saving attachments.
WN10-CC-000050V3R4Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN10-CC-000080V3R4Virtualization-based protection of code integrity must be enabled.
WN10-00-000395V3R4Windows 10 must not have portproxy enabled or in use.
WN10-CC-000063V3R4Windows 10 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
WN11-00-000005V2R3Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
WN11-00-000040V2R3Windows 11 systems must be maintained at a supported servicing level.
WN11-00-000045V2R3The Windows 11 system must use an antivirus program.
WN11-00-000055V2R3Alternate operating systems must not be permitted on the same system.
WN11-00-000075V2R3Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN11-00-000085V2R3Standard local user accounts must not exist on a system in a domain.
WN11-00-000130V2R3Software certificate installation files must be removed from Windows 11.
WN11-00-000135V2R3A host-based firewall must be installed and enabled on the system.
WN11-00-000190V2R3Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
WN11-00-000230V2R3The system must notify the user when a Bluetooth device attempts to connect.
WN11-00-000240V2R3Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN11-CC-000020V2R3IPv6 source routing must be configured to highest protection.
WN11-CC-000025V2R3The system must be configured to prevent IP source routing.
WN11-CC-000030V2R3The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN11-CC-000040V2R3Insecure logons to an SMB server must be disabled.
WN11-CC-000050V2R3Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN11-CC-000060V2R3Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN11-CC-000065V2R3Wi-Fi Sense must be disabled.
WN11-CC-000068V2R3Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN11-CC-000070V2R3Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN11-CC-000075V2R3Credential Guard must be running on Windows 11 domain-joined systems.
WN11-CC-000080V2R3Virtualization-based protection of code integrity must be enabled.
WN11-CC-000085V2R3Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN11-CC-000090V2R3Group Policy objects must be reprocessed even if they have not changed.
WN11-CC-000115V2R3Systems must at least attempt device authentication using certificates.
WN11-CC-000170V2R3The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN11-CC-000195V2R3Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
WN11-CC-000204V2R3Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
WN11-CC-000206V2R3Windows Update must not obtain updates from other PCs on the internet.
WN11-CC-000225V2R3File Explorer shell protocol must run in protected mode.
WN11-CC-000255V2R3The use of a hardware security device with Windows Hello for Business must be enabled.
WN11-CC-000260V2R3Windows 11 must be configured to require a minimum pin length of six characters or greater.
WN11-CC-000295V2R3Attachments must be prevented from being downloaded from RSS feeds.
WN11-CC-000320V2R3Users must be notified if a web-based program attempts to install software.
WN11-SO-000015V2R3Local accounts with blank passwords must be restricted to prevent access from the network.
WN11-SO-000020V2R3The built-in administrator account must be renamed.
WN11-SO-000025V2R3The built-in guest account must be renamed.
WN11-SO-000050V2R3The computer account password must not be prevented from being reset.
WN11-SO-000055V2R3The maximum age for machine account passwords must be configured to 30 days or less.
WN11-SO-000085V2R3Caching of logon credentials must be limited.
WN11-SO-000095V2R3The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN11-SO-000140V2R3Anonymous SID/Name translation must not be allowed.
WN11-SO-000145V2R3Anonymous enumeration of SAM accounts must not be allowed.
WN11-SO-000160V2R3The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN11-SO-000180V2R3NTLM must be prevented from falling back to a Null session.
WN11-SO-000185V2R3PKU2U authentication using online identities must be prevented.
WN11-SO-000205V2R3The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN11-SO-000210V2R3The system must be configured to the required LDAP client signing level.
WN11-SO-000215V2R3The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN11-SO-000220V2R3The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN11-SO-000240V2R3The default permissions of global system objects must be increased.
WN11-UC-000020V2R3Zone information must be preserved when saving attachments.
WN11-00-000395V2R3Windows 11 must not have portproxy enabled or in use.
WN11-CC-000063V2R3Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
WN16-00-000010V2R9Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN16-00-000040V2R9Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN16-00-000050V2R9Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN16-00-000070V2R9Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN16-00-000100V2R9Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN16-00-000110V2R9Systems must be maintained at a supported servicing level.
WN16-00-000120V2R9The Windows Server 2016 system must use an anti-virus program.
WN16-00-000140V2R9Servers must have a host-based intrusion detection or prevention system.
WN16-00-000270V2R9Software certificate installation files must be removed from Windows Server 2016.
WN16-00-000310V2R9A host-based firewall must be installed and enabled on the system.
WN16-00-000430V2R9FTP servers must be configured to prevent anonymous logons.
WN16-00-000440V2R9FTP servers must be configured to prevent access to the system drive.
WN16-00-000460V2R9Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
WN16-00-000470V2R9Secure Boot must be enabled on Windows Server 2016 systems.
WN16-00-000480V2R9Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN16-CC-000040V2R9Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN16-CC-000050V2R9Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN16-CC-000060V2R9Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN16-CC-000080V2R9Insecure logons to an SMB server must be disabled.
WN16-CC-000090V2R9Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN16-CC-000110V2R9Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN16-CC-000140V2R9Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN16-CC-000150V2R9Group Policy objects must be reprocessed even if they have not changed.
WN16-CC-000210V2R9Users must be prompted to authenticate when the system wakes from sleep (on battery).
WN16-CC-000220V2R9Users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN16-CC-000290V2R9Windows Telemetry must be configured to Security or Basic.
WN16-CC-000350V2R9Turning off File Explorer heap termination on corruption must be disabled.
WN16-CC-000360V2R9File Explorer shell protocol must run in protected mode.
WN16-CC-000420V2R9Attachments must be prevented from being downloaded from RSS feeds.
WN16-CC-000470V2R9Users must be notified if a web-based program attempts to install software.
WN16-DC-000150V2R9Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN16-DC-000330V2R9Domain controllers must be configured to allow reset of machine account passwords.
WN16-DC-000430V2R9The password for the krbtgt account on a domain must be reset at least every 180 days.
WN16-MS-000050V2R9Caching of logon credentials must be limited.
WN16-MS-000120V2R9Windows Server 2016 must be running Credential Guard on domain-joined member servers.
WN16-SO-000020V2R9Local accounts with blank passwords must be restricted to prevent access from the network.
WN16-SO-000030V2R9Windows Server 2016 built-in administrator account must be renamed.
WN16-SO-000040V2R9Windows Server 2016 built-in guest account must be renamed.
WN16-SO-000120V2R9The maximum age for machine account passwords must be configured to 30 days or less.
WN16-SO-000180V2R9The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN16-SO-000250V2R9Anonymous SID/Name translation must not be allowed.
WN16-SO-000260V2R9Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
WN16-SO-000290V2R9Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN16-SO-000320V2R9Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN16-SO-000330V2R9NTLM must be prevented from falling back to a Null session.
WN16-SO-000340V2R9PKU2U authentication using online identities must be prevented.
WN16-SO-000380V2R9The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
WN16-SO-000390 | V2R9 | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
WN16-SO-000400 | V2R9 | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000410 | V2R9 | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000450 | V2R9 | The default permissions of global system objects must be strengthened.
WN16-UC-000030 | V2R9 | Zone information must be preserved when saving attachments.
WN19-00-000010 | V3R4 | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN19-00-000030 | V3R4 | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN19-00-000040 | V3R4 | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN19-00-000060 | V3R4 | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN19-00-000090 | V3R4 | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN19-00-000100 | V3R4 | Windows Server 2019 must be maintained at a supported servicing level.
WN19-00-000110 | V3R4 | Windows Server 2019 must use an anti-virus program.
WN19-00-000120 | V3R4 | Windows Server 2019 must have a host-based intrusion detection or prevention system.
WN19-00-000240 | V3R4 | Windows Server 2019 must have software certificate installation files removed.
WN19-00-000420 | V3R4 | Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
WN19-00-000430 | V3R4 | Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
WN19-00-000450 | V3R4 | Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
WN19-00-000460 | V3R4 | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN19-00-000470 | V3R4 | Windows Server 2019 must have Secure Boot enabled.
WN19-CC-000030 | V3R4 | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN19-CC-000040 | V3R4 | Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN19-CC-000050 | V3R4 | Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN19-CC-000070 | V3R4 | Windows Server 2019 insecure logons to an SMB server must be disabled.
WN19-CC-000080 | V3R4 | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN19-CC-000100 | V3R4 | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN19-CC-000110 | V3R4 | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN19-CC-000130 | V3R4 | Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN19-CC-000140 | V3R4 | Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
WN19-CC-000180 | V3R4 | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN19-CC-000190 | V3R4 | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN19-CC-000250 | V3R4 | Windows Server 2019 Telemetry must be configured to Security or Basic.
WN19-CC-000260 | V3R4 | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
WN19-CC-000320 | V3R4 | Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
WN19-CC-000330 | V3R4 | Windows Server 2019 File Explorer shell protocol must run in protected mode.
WN19-CC-000390 | V3R4 | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
WN19-CC-000440 | V3R4 | Windows Server 2019 users must be notified if a web-based program attempts to install software.
WN19-DC-000150 | V3R4 | Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN19-DC-000330 | V3R4 | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
WN19-DC-000430 | V3R4 | The password for the krbtgt account on a domain must be reset at least every 180 days.
WN19-MS-000050 | V3R4 | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN19-MS-000140 | V3R4 | Windows Server 2019 must be running Credential Guard on domain-joined member servers.
WN19-SO-000020 | V3R4 | Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
WN19-SO-000030 | V3R4 | Windows Server 2019 built-in administrator account must be renamed.
WN19-SO-000040 | V3R4 | Windows Server 2019 built-in guest account must be renamed.
WN19-SO-000100 | V3R4 | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
WN19-SO-000150 | V3R4 | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN19-SO-000210 | V3R4 | Windows Server 2019 must not allow anonymous SID/Name translation.
WN19-SO-000220 | V3R4 | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN19-SO-000240 | V3R4 | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN19-SO-000260 | V3R4 | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN19-SO-000270 | V3R4 | Windows Server 2019 must prevent NTLM from falling back to a Null session.
WN19-SO-000280 | V3R4 | Windows Server 2019 must prevent PKU2U authentication using online identities.
WN19-SO-000310 | V3R4 | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN19-SO-000320 | V3R4 | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
WN19-SO-000330 | V3R4 | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000340 | V3R4 | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000370 | V3R4 | Windows Server 2019 default permissions of global system objects must be strengthened.
WN19-UC-000010 | V3R4 | Windows Server 2019 must preserve zone information when saving attachments.
WN19-00-000280 | V3R4 | Windows Server 2019 must have a host-based firewall installed and enabled.
WN22-00-000010 | V2R4 | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN22-00-000030 | V2R4 | Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN22-00-000040 | V2R4 | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN22-00-000060 | V2R4 | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN22-00-000090 | V2R4 | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN22-00-000100 | V2R4 | Windows Server 2022 must be maintained at a supported servicing level.
WN22-00-000110 | V2R4 | Windows Server 2022 must use an antivirus program.
WN22-00-000120 | V2R4 | Windows Server 2022 must have a host-based intrusion detection or prevention system.
WN22-00-000240 | V2R4 | Windows Server 2022 must have software certificate installation files removed.
WN22-00-000280 | V2R4 | Windows Server 2022 must have a host-based firewall installed and enabled.
WN22-00-000420 | V2R4 | Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
WN22-00-000430 | V2R4 | Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
WN22-00-000450 | V2R4 | Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
WN22-00-000460 | V2R4 | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN22-00-000470 | V2R4 | Windows Server 2022 must have Secure Boot enabled.
WN22-CC-000030 | V2R4 | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN22-CC-000040 | V2R4 | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN22-CC-000050 | V2R4 | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN22-CC-000070 | V2R4 | Windows Server 2022 insecure logons to an SMB server must be disabled.
WN22-CC-000080 | V2R4 | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN22-CC-000100 | V2R4 | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
WN22-CC-000110 | V2R4 | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN22-CC-000130 | V2R4 | Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN22-CC-000140 | V2R4 | Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
WN22-CC-000180 | V2R4 | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN22-CC-000190 | V2R4 | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN22-CC-000250 | V2R4 | Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
WN22-CC-000260 | V2R4 | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
WN22-CC-000320 | V2R4 | Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
WN22-CC-000330 | V2R4 | Windows Server 2022 File Explorer shell protocol must run in protected mode.
WN22-CC-000390 | V2R4 | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
WN22-CC-000440 | V2R4 | Windows Server 2022 users must be notified if a web-based program attempts to install software.
WN22-DC-000150 | V2R4 | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
WN22-DC-000330 | V2R4 | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
WN22-DC-000430 | V2R4 | The password for the krbtgt account on a domain must be reset at least every 180 days.
WN22-MS-000050 | V2R4 | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN22-MS-000140 | V2R4 | Windows Server 2022 must be running Credential Guard on domain-joined member servers.
WN22-SO-000020 | V2R4 | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
WN22-SO-000030 | V2R4 | Windows Server 2022 built-in administrator account must be renamed.
WN22-SO-000040 | V2R4 | Windows Server 2022 built-in guest account must be renamed.
WN22-SO-000100 | V2R4 | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
WN22-SO-000150 | V2R4 | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN22-SO-000210 | V2R4 | Windows Server 2022 must not allow anonymous SID/Name translation.
WN22-SO-000220 | V2R4 | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN22-SO-000240 | V2R4 | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN22-SO-000260 | V2R4 | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN22-SO-000270 | V2R4 | Windows Server 2022 must prevent NTLM from falling back to a Null session.
WN22-SO-000280 | V2R4 | Windows Server 2022 must prevent PKU2U authentication using online identities.
WN22-SO-000310 | V2R4 | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN22-SO-000320 | V2R4 | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
WN22-SO-000330 | V2R4 | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000340 | V2R4 | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000370 | V2R4 | Windows Server 2022 default permissions of global system objects must be strengthened.
WN22-UC-000010 | V2R4 | Windows Server 2022 must preserve zone information when saving attachments.