| V-280094 | | RHEL 10 must disable the debug-shell systemd service. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabl... |
| V-280931 | | RHEL 10 must ensure cryptographic verification of vendor software packages. | Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofi... |
| V-280937 | | RHEL 10 must use a separate file system for user home directories (such as "/home" or an equivalent). | Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options and helps ensure that users cannot trivial... |
| V-280938 | | RHEL 10 must use a separate file system for "/tmp". | The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount ... |
| V-280939 | | RHEL 10 must use a separate file system for "/var". | Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as... |
| V-280940 | | RHEL 10 must use a separate file system for "/var/log". | Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".... |
| V-280941 | | RHEL 10 must use a separate file system for "/var/tmp". | The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictiv... |
| V-280942 | | RHEL 10 must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some a... |
| V-280943 | | RHEL 10 must not have the "nfs-utils" package installed. | The "nfs-utils" package provides a daemon for the kernel Network File System (NFS) server and related tools. This package also contains the "showmount... |
| V-280945 | | RHEL 10 must not have the "gssproxy" package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-280946 | | RHEL 10 must not have the tuned package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-280947 | | RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode. | Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of TFTP services. If TFTP is required for operati... |
| V-280948 | | RHEL 10 must not have the unbound package installed. | If the system is not a Domain Name Server (DNS), it should not have a DNS server package installed to decrease the attack surface of the system.... |
| V-280950 | | RHEL 10 must not have the "gdm" package installed. | Unnecessary service packages must not be installed to decrease the attack surface of the system. A graphical environment is unnecessary for certain ty... |
| V-280952 | | RHEL 10 must have the "subscription-manager" package installed. | The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local sys... |
| V-280953 | | RHEL 10 must have the "nss-tools" package installed. | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server application... |
| V-280954 | | RHEL 10 must have the "s-nail" package installed. | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated perso... |
| V-280955 | | RHEL 10 must have the "firewalld" package installed. | The "firewalld" package provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote acce... |
| V-280956 | | RHEL 10 must have the "firewalld" service set to active. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services,... |
| V-280957 | | RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-280958 | | RHEL 10 must have the "chrony" package installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-280959 | | RHEL 10 must enable the chronyd service. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-280960 | | RHEL 10 must disable the chrony daemon from acting as a server. | Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-0... |
| V-280961 | | RHEL 10 must disable network management of the chrony daemon. | Not exposing the management interface of the chrony daemon on the network diminishes the attack space. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-00... |
| V-280962 | | RHEL 10 must have the USBGuard package installed. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-280963 | | RHEL 10 must have the USBGuard package enabled. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-280964 | | RHEL 10 must block unauthorized peripherals before establishing a connection. | The USBGuard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-280965 | | RHEL 10 must enable audit logging for the USBGuard daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-280966 | | RHEL 10 must have the "policycoreutils" package installed. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-280967 | | RHEL 10 must have the "policycoreutils-python-utils" package installed. | The "policycoreutils-python-utils" package is required to operate and manage an SELinux environment and its policies. It provides utilities such as "s... |
| V-280968 | | RHEL 10 must have the "sudo" package installed. | The "sudo" package is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic phi... |
| V-280969 | | RHEL 10 must have the "fapolicy" module installed. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-280970 | | RHEL 10 must enable the "fapolicy" module. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-280971 | | RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-280972 | | RHEL 10 must have the "pcsc-lite" package installed. | The "pcsc-lite" package must be installed if it is to be available for multifactor authentication using smart cards.... |
| V-280973 | | RHEL 10 must have the "pcscd" service set to active. | The information system ensures that even if it is compromised, that compromise will not affect credentials stored on the authentication device. The d... |
| V-280974 | | RHEL 10 must have the "pcsc-lite-ccid" package installed. | The "pcsc-lite-ccid" package must be installed if it is to be available for multifactor authentication using smart cards.... |
| V-280975 | | RHEL 10 must have the "opensc" package installed. | The use of Personal Identity Verification (PIV) credentials facilitates standardization and reduces the risk of unauthorized access. The DOD has mand... |
| V-280976 | | RHEL 10 must use the common access card (CAC) smart card driver. | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public ke... |
| V-280977 | | RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is d... |
| V-280979 | | RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | RHEL 10 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configura... |
| V-280980 | | RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-280981 | | RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | RHEL 10 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configura... |
| V-280982 | | RHEL 10 must be configured so that the file integrity tool verifies extended attributes. | RHEL 10 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configura... |
| V-280983 | | RHEL 10 must have the "rsyslog" package installed. | The "rsyslogd" is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to su... |
| V-280984 | | RHEL 10 must have the rsyslog service set to active. | The rsyslog service must be running to provide logging services, which are essential to system administration.... |
| V-280985 | | RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) to a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-280986 | | RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server co... |
| V-280987 | | RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog". | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-280988 | | RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-280989 | | RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-280990 | | RHEL 10 must monitor all remote access methods. | Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spo... |
| V-280991 | | RHEL 10 must use cron logging. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cr... |
| V-280992 | | RHEL 10 must have the packages required for encrypting off-loaded audit logs installed. | The "rsyslog-gnutls" package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.... |
| V-280993 | | RHEL 10 must have the "audit" package installed. | Without establishing what type of events occurred, along with the source, location, and outcome, it would be difficult to establish, correlate, and in... |
| V-280994 | | RHEL 10 must enable the audit service. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-280996 | | RHEL 10 must have the "libreswan" package installed. | Providing the ability for remote users or systems to initiate a secure virtual private network connection protects information when it is transmitted ... |
| V-280997 | | RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner. | The "postfix" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated pers... |
| V-280998 | | RHEL 10 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-280999 | | RHEL 10 must be configured to prevent unrestricted mail relaying. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay to send spam or for other unauthorized activity.... |
| V-281000 | | RHEL 10 must have the "cronie" package installed. | The "cronie" package must be installed if it is to be available for multifactor authentication using smart cards.... |
| V-281001 | | RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-281002 | | RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect the confidentiality and integrity of transmitted and received information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-281003 | | RHEL 10 must have the "openssh-clients" package installed. | This package includes utilities to make encrypted connections and transfer files securely to Secure Shell (SSH) servers.... |
| V-281005 | | RHEL 10 must have the "pkcs11-provider" package installed. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-281006 | | RHEL 10 must have the "gnutls-utils" package installed. | "GnuTLS" is a secure communications library implementing the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram TLS (DTLS) proto... |
| V-281017 | | RHEL 10 must be configured so that the "/etc/group" file is owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-281018 | | RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-281019 | | RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". | The "/etc/group-" file is a backup file of "/etc/group", and as such contains information regarding groups that are configured on the system. Protecti... |
| V-281020 | | RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". | The "/etc/group-" file is a backup file of "/etc/group", and as such contains information regarding groups that are configured on the system. Protecti... |
| V-281021 | | RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-281022 | | RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-281023 | | RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such contains group password hashes. Protection of this file is critical for system sec... |
| V-281024 | | RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such contains group password hashes. Protection of this file is critical for system sec... |
| V-281025 | | RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-281026 | | RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-281027 | | RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such contains information about the users that are configured on the system. Protect... |
| V-281028 | | RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such contains information about the users that are configured on the system. Protect... |
| V-281029 | | RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-281030 | | RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". | The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.... |
| V-281031 | | RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such contains the list of local system accounts and password hashes. Protection of t... |
| V-281032 | | RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such contains the list of local system accounts and password hashes. Protection of t... |
| V-281033 | | RHEL 10 must be configured so that the "/var/log" directory is owned by "root". | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281034 | | RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root". | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281035 | | RHEL 10 must be configured so that the "/var/log/messages" file is owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281036 | | RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root". | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281037 | | RHEL 10 must be configured so that system commands are owned by "root". | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281038 | | RHEL 10 must be configured so that system commands are group-owned by root or a system account. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281039 | | RHEL 10 must be configured so that library files are owned by "root". | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281040 | | RHEL 10 must be configured so that library files are group-owned by "root" or a system account. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281041 | | RHEL 10 must be configured so that library directories are owned by "root". | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281042 | | RHEL 10 must be configured so that library directories are group-owned by "root" or a system account. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281043 | | RHEL 10 must be configured so that cron configuration file directories are owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly could lead to insecure and vulner... |
| V-281044 | | RHEL 10 must be configured so that cron configuration file directories are group-owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly can lead to insecure and vulnerab... |
| V-281045 | | RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, or an application user. | If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files ... |
| V-281046 | | RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | If an unauthorized or modified device is allowed to exist on the system, the system may perform unintended or unauthorized operations.... |
| V-281047 | | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root". | Service configuration files enable or disable features of their respective services, which if configured incorrectly can lead to insecure and vulnerab... |
| V-281048 | | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root". | Service configuration files enable or disable features of their respective services, which if configured incorrectly can lead to insecure and vulnerab... |
| V-281049 | | RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group. | If the group identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthoriz... |
| V-281050 | | RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging group to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG... |
| V-281051 | | RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG... |
| V-281052 | | RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG... |
| V-281053 | | RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log files to prevent unauthorized access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Satisfies: SRG... |
| V-281054 | | RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized access to the audit log. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281055 | | RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access. | If users can write to audit logs, audit trails can be modified or destroyed. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-00... |
| V-281056 | | RHEL 10 must enforce root ownership of the "/etc/audit/" directory. | The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Pr... |
| V-281057 | | RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. | The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Pr... |
| V-281058 | | RHEL 10 must enforce mode "755" or less permissive for system commands. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281059 | | RHEL 10 must enforce mode "755" or less permissive on library directories. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281060 | | RHEL 10 must enforce mode "755" or less permissive for library files. | If RHEL 10 allowed any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and a... |
| V-281061 | | RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281062 | | RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-281063 | | RHEL 10 must be configured to prohibit modification of permissions for cron configuration files and directories from the operating system defaults. | If the permissions of cron configuration files or directories are modified from the operating system defaults, it may be possible for individuals to i... |
| V-281064 | | RHEL 10 must enforce mode "0740" or less permissive for local initialization files. | Local initialization files are used to configure the user's shell environment upon login. Malicious modification of these files could compromise accou... |
| V-281065 | | RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-281066 | | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-281067 | | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access. | The "/etc/group-" file is a backup file of "/etc/group", and as such contains information regarding groups that are configured on the system. Protecti... |
| V-281068 | | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-281069 | | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such contains group password hashes. Protection of this file is critical for system sec... |
| V-281070 | | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access. | If the "/etc/passwd" file is writable by a group-owner or the world, the risk of its compromise is increased. The file contains the list of accounts o... |
| V-281071 | | RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized access. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such contains information about the users that are configured on the system. Protect... |
| V-281072 | | RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized access. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such contains the list of local system accounts and password hashes. Protection of t... |
| V-281073 | | RHEL 10 must be configured so that a sticky bit is set on all public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-281074 | | RHEL 10 must be configured so that all local files and directories have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same group identifier (GID) as the GID of the files with... |
| V-281075 | | RHEL 10 must be configured so that all local files and directories have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same user identifier (UID) as the UID of the unowned files.... |
| V-281076 | | RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-281077 | | RHEL 10 must be configured so that audit tools are owned by "root". | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-281078 | | RHEL 10 must be configured so that audit tools are group-owned by "root". | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tool... |
| V-281079 | | RHEL 10 must set the umask value to "077" for all local interactive user accounts. | The umask controls the default access mode assigned to newly created files. A umask of "077" limits new files to mode 600 or less permissive. Although... |
| V-281080 | | RHEL 10 must define default permissions for the bash shell. | The "umask" controls the default access mode assigned to newly created files. A "umask" of "077" limits new files to mode "600" or less permissive. Al... |
| V-281081 | | RHEL 10 must define default permissions for the c shell. | The "umask" controls the default access mode assigned to newly created files. A "umask" of "077" limits new files to mode "600" or less permissive. Al... |
| V-281082 | | RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.... |
| V-281083 | | RHEL 10 must define default permissions for the system default profile. | The "umask" controls the default access mode assigned to newly created files. A "umask" of "077" limits new files to mode "600" or less permissive. "A... |
| V-281084 | | RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-281085 | | RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-281086 | | RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file. | The "root" group is a highly privileged group. Furthermore, the group owner of this file should not have any access privileges anyway.... |
| V-281087 | | RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. | The "/boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.... |
| V-281088 | | RHEL 10 must prevent device files from being interpreted on file systems that contain user home directories. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281089 | | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281090 | | RHEL 10 must prevent code from being executed on file systems that contain user home directories. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281091 | | RHEL 10 must mount "/var/log/audit" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281092 | | RHEL 10 must mount "/var/log/audit" with the "noexec" option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281093 | | RHEL 10 must mount "/var/log/audit" with the "nosuid" option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281094 | | RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-281095 | | RHEL 10 must prohibit local initialization files from executing world-writable programs. | If user startup files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files... |
| V-281096 | | RHEL 10 must enable the systemd-journald service. | In the event of a system failure, RHEL 10 must preserve any information necessary to determine cause of failure and return to operations with least di... |
| V-281097 | | RHEL 10 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-281098 | | RHEL 10 must audit local events. | Without establishing what type of events occurred, along with the source, location, and outcome, it would be difficult to establish, correlate, and in... |
| V-281099 | | RHEL 10 must write audit records to disk. | Audit data must be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is written to disk.... |
| V-281100 | | RHEL 10 must log username information when unsuccessful login attempts occur. | Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.... |
| V-281101 | | RHEL 10 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-281102 | | RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-281103 | | RHEL 10 must take appropriate action when a critical audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-281104 | | RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of the audit record storage capacity. | If action is not taken when storage volume reaches 75 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-281105 | | RHEL 10 must label all off-loaded audit logs before sending them to the central log server. | Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much mo... |
| V-281107 | | RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-281108 | | RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-281109 | | RHEL 10 must take appropriate action when the internal event queue is full. | The audit system must have an action set up in case the internal event queue becomes full so that no data is lost. Information stored in one location ... |
| V-281110 | | RHEL 10 must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without establishing what type of events occurred, along with the source, location, and outcome, it would be difficult to establish, correlate, and in... |
| V-281111 | | RHEL 10 must periodically flush audit records to disk to ensure that audit records are not lost. | If option "freq" is not set to a value that requires audit records to be written to disk after a threshold number is reached, audit records may be los... |
| V-281113 | | RHEL 10 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-281114 | | RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-281115 | | RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server. | SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH c... |
| V-281116 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-281117 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281118 | | RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281119 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281120 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281121 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon" command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281122 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281123 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281124 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281125 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281126 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module" system call. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281127 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module" and "finit_module" system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281128 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281129 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281130 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281131 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281132 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281133 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281134 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281135 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281136 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281137 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281138 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the ssh-agent command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281139 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281140 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281141 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281142 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281143 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281144 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281145 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281146 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod" command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281147 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount" command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281148 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command. | Misuse of the "init" command may cause availability issues for the system.... |
| V-281149 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff" command. | Misuse of the "poweroff" command may cause availability issues for the system.... |
| V-281150 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot" command. | Misuse of the "reboot" command may cause system availability issues.... |
| V-281151 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the shutdown command. | Misuse of the shutdown command may cause availability issues for the system.... |
| V-281152 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount" system call. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing d... |
| V-281153 | | RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" system call. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing d... |
| V-281154 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-281155 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect the "/etc/sudoers.d/" directory. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-281156 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-281157 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-281158 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd". | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-281159 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-281160 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-281161 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock". | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281162 | | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog". | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-281163 | | RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and "fchmodat2" syscalls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281164 | | RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" syscalls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281165 | | RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-281166 | | RHEL 10 must require a boot loader superuser password. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-281167 | | RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes. | Having a nondefault grub superuser username makes password-guessing attacks less effective.... |
| V-281168 | | RHEL 10 must not assign an interactive login shell for system accounts. | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to use system accounts.... |
| V-281169 | | RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime restriction for user account passwords in "/etc/login.defs". | Any password, no matter how complex, can eventually be cracked; therefore, passwords must be changed periodically. If the operating system does not li... |
| V-281170 | | RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords must be changed periodically. If the operating system does not li... |
| V-281171 | | RHEL 10 must assign a home directory for local interactive user accounts upon creation. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-281172 | | RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users. | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-281173 | | RHEL 10 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware confi... |
| V-281174 | | RHEL 10 must assign a primary group to all interactive users. | If a user is assigned the group identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the u... |
| V-281175 | | RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-281176 | | RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-281177 | | RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" file. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-281178 | | RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" file exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working d... |
| V-281179 | | RHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt. | Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute-force attack.... |
| V-281180 | | RHEL 10 must enforce a 24-hour minimum password lifetime restriction for passwords for new users or password changes in "/etc/login.defs". | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-281181 | | RHEL 10 must enforce that passwords be created with a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Password complexity, ... |
| V-281182 | | RHEL 10 must enforce password complexity by requiring at least one special character to be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281183 | | RHEL 10 must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281184 | | RHEL 10 must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281185 | | RHEL 10 must require the change of at least eight characters when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281186 | | RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in "/etc/shadow". | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-281187 | | RHEL 10 must require the maximum number of repeating characters of the same character class to be limited to four when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-281188 | | RHEL 10 must require that the maximum number of repeating characters be limited to three when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-281189 | | RHEL 10 must require the change of at least four character classes when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measu... |
| V-281190 | | RHEL 10 must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281191 | | RHEL 10 must prevent the use of dictionary words for passwords. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281192 | | RHEL 10 must allow only the root account to have unrestricted access to the system. | An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intr... |
| V-281193 | | RHEL 10 must enforce password complexity rules for the "root" account. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281194 | | RHEL 10 must automatically lock an account when three unsuccessful login attempts occur. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-281195 | | RHEL 10 must automatically lock the root account until the root account is released by an administrator when three unsuccessful login attempts occur during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is re... |
| V-281196 | | RHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-281197 | | RHEL 10 must maintain an account lock until the locked account is released by an administrator. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-281198 | | RHEL 10 must ensure account lockouts persist. | Having lockouts persist across reboots ensures that an account is unlocked only by an administrator. If the lockouts did not persist across reboots, a... |
| V-281199 | | RHEL 10 must not have unauthorized accounts. | Having lockouts persist across reboots ensures that an account is unlocked only by an administrator. If the lockouts did not persist across reboots, an a... |
| V-281200 | | RHEL 10 must not allow blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords must neve... |
| V-281201 | | RHEL 10 must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-281202 | | RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". | To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the syst... |
| V-281204 | | RHEL 10 must ensure the password complexity module in the system-auth file is configured for three or fewer retries. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-281205 | | RHEL 10 must restrict the use of the "su" command. | The "su" program allows commands to be run with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access ... |
| V-281206 | | RHEL 10 must be configured to not bypass password requirements for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the cap... |
| V-281207 | | RHEL 10 must restrict privilege elevation to authorized personnel. | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.... |
| V-281208 | | RHEL 10 must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-281209 | | RHEL 10 must require reauthentication when using the "sudo" command. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-281210 | | RHEL 10 must use the invoking user's password for privilege escalation when using "sudo". | If the "rootpw", "targetpw", or "runaspw" flags are defined and not disabled, by default the operating system will prompt the invoking user for the "r... |
| V-281212 | | RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" file. | If the pam_faillock.so module is not loaded, the system will not correctly lock out accounts to prevent password guessing attacks.... |
| V-281213 | | RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" file. | If the pam_faillock.so module is not loaded, the system will not correctly lock out accounts to prevent password guessing attacks.... |
| V-281214 | | RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file. | Enabling Pluggable Authentication Module (PAM) password complexity permits enforcement of strong passwords and consequently makes the system less pron... |
| V-281215 | | RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file. | Enabling Pluggable Authentication Module (PAM) password complexity permits enforcement of strong passwords and consequently makes the system less pron... |
| V-281217 | | RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified; therefore, they cannot be relied on to provide co... |
| V-281218 | | RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-281219 | | RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confi... |
| V-281220 | | RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-281224 | | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a Secure Shell (SSH) login. | The warning message reinforces policy awareness during the login process and facilitates possible legal action against attackers. Alternatively, syste... |
| V-281225 | | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-281226 | | RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-281227 | | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-281228 | | RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS). | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281229 | | RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS). | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281230 | | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS). | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281231 | | RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and gro... |
| V-281232 | | RHEL 10 must mount "/boot" with the "nodev" option. | The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.... |
| V-281233 | | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281234 | | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281235 | | RHEL 10 must mount "/dev/shm" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281236 | | RHEL 10 must mount "/dev/shm" with the "noexec" option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281237 | | RHEL 10 must mount "/dev/shm" with the "nosuid" option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281238 | | RHEL 10 must mount "/tmp" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281239 | | RHEL 10 must mount "/tmp" with the "noexec" option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281240 | | RHEL 10 must mount "/tmp" with the "nosuid" option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281241 | | RHEL 10 must mount "/var" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281242 | | RHEL 10 must mount "/var/log" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281243 | | RHEL 10 must mount "/var/log" with the "noexec" option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281244 | | RHEL 10 must mount "/var/log" with the "nosuid" option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281245 | | RHEL 10 must mount "/var/tmp" with the "nodev" option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281246 | | RHEL 10 must mount "/var/tmp" with the "noexec" option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-281247 | | RHEL 10 must mount "/var/tmp" with the "nosuid" option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-281248 | | RHEL 10 must prevent special devices on nonroot local partitions. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-281249 | | RHEL 10 must enable the SELinux targeted policy. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exp... |
| V-281250 | | RHEL 10 must elevate the SELinux context when an administrator calls the sudo command. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-281251 | | RHEL 10 must use a Linux Security Module configured to enforce limits on system services. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-281252 | | RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.... |
| V-281253 | | RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-281254 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the ... |
| V-281255 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication. | Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled thr... |
| V-281256 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. OpenSSH uses the first occurrence of a ... |
| V-281257 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication. | Configuring the "IgnoreUserKnownHosts" setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, eve... |
| V-281258 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-281259 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log in to the system as another user. OpenSSH uses th... |
| V-281260 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login. | Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. OpenSSH ... |
| V-281261 | | RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-281262 | | RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified. | Service configuration files enable or disable features of their respective services, which if configured incorrectly can lead to insecure and vulnerab... |
| V-281263 | | RHEL 10 must be configured so that SSHD accepts public key authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-281264 | | RHEL 10 must be configured so that SSHD does not allow blank passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-281265 | | RHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH). | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on ... |
| V-281266 | | RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. OpenSSH uses the first occurrence of a ... |
| V-281269 | | RHEL 10 must be configured so that all network connections associated with Secure Shell (SSH) traffic terminate after becoming unresponsive. | Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a managemen... |
| V-281270 | | RHEL 10 must forward mail from postmaster to the root account using a postfix alias. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-281271 | | RHEL 10 must not have a "shosts.equiv" file on the system. | The "shosts.equiv" files are used to configure host-based authentication for the system via Secure Shell (SSH). Host-based authentication is not suffi... |
| V-281272 | | RHEL 10 must not have any ".shosts" files on the system. | The ".shosts" files are used to configure host-based authentication for individual users or the system via Secure Shell (SSH). Host-based authenticati... |
| V-281273 | | RHEL 10 must prevent a user from overriding the disabling of the graphical user interface automount function. | Without identifying and authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Periphera... |
| V-281274 | | RHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function. | Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., Transport La... |
| V-281276 | | RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card removal action. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-281277 | | RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-281278 | | RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-281279 | | RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-281280 | | RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-281281 | | RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | A session timeout lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syste... |
| V-281282 | | RHEL 10 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Setting the screensaver mode to blank-only conceals the contents of the display from passersby.... |
| V-281283 | | RHEL 10 must ensure effective dconf policy matches the policy keyfiles. | Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, to evaluate dconf confi... |
| V-281284 | | RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-281285 | | RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | A locally logged-in user who presses Ctrl-Alt-Del when at the console can reboot the system. If accidentally pressed, as could happen in the case of a... |
| V-281286 | | RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-281287 | | RHEL 10 must disable the user list at login for graphical user interfaces. | Leaving the user list enabled is a security risk because it allows anyone with physical access to the system to enumerate known user accounts without ... |
| V-281288 | | RHEL 10 must be configured to disable USB mass storage. | USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0... |
| V-281289 | | RHEL 10 must disable Bluetooth. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 10 systems. Wireless peri... |
| V-281290 | | RHEL 10 must disable wireless network adapters. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 10 systems. Wireless peri... |
| V-281291 | | RHEL 10 must disable the graphical user interface automounter unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-G... |
| V-281293 | | RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a li... |
| V-281295 | | RHEL 10 must automatically exit interactive command shell user sessions after 15 minutes of inactivity. | Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to ... |
| V-281296 | | RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon. | Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a managemen... |
| V-281297 | | RHEL 10 must not default to the graphical display manager unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of sec... |
| V-281300 | | RHEL 10 must disable the ability of systemd to spawn an interactive boot process. | Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.... |
| V-281301 | | RHEL 10 must disable virtual system calls. | System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive... |
| V-281302 | | RHEL 10 must clear the page allocator to prevent use-after-free attacks. | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will b... |
| V-281303 | | RHEL 10 must clear memory when it is freed to prevent use-after-free attacks. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-281304 | | RHEL 10 must enable mitigations against processor-based vulnerabilities. | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass k... |
| V-281305 | | RHEL 10 must restrict access to the kernel message buffer. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-281306 | | RHEL 10 must prevent kernel profiling by nonprivileged users. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-281308 | | RHEL 10 must restrict exposed kernel pointer address access. | Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writable structures, which may contain functions pointers. If a write vulne... |
| V-281309 | | RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks. | By enabling the "fs.protected_hardlinks" kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such ha... |
| V-281310 | | RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. | By enabling the "fs.protected_symlinks" kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable direct... |
| V-281311 | | RHEL 10 must disable the "kernel.core_pattern". | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-281312 | | RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module. | Disabling CAN protects the system against exploitation of any flaws in its implementation.... |
| V-281313 | | RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-281314 | | RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-281315 | | RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an atte... |
| V-281316 | | RHEL 10 must restrict usage of ptrace to descendant processes. | Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. The attacker can then steal sensitive informati... |
| V-281317 | | RHEL 10 must disable core dump backtraces. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-281318 | | RHEL 10 must disable storing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-281319 | | RHEL 10 must disable core dumps for all users. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-281320 | | RHEL 10 must disable acquiring, saving, and processing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-281321 | | RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a li... |
| V-281322 | | RHEL 10 must disable the kdump service. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk spa... |
| V-281323 | | RHEL 10 must disable file system automount function unless required. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous aut... |
| V-281324 | | RHEL 10 must enable certificate-based smart card authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-281325 | | RHEL 10 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a DOD common access card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-281326 | | RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-281327 | | RHEL 10 must require authentication to access emergency mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-281328 | | RHEL 10 must require authentication to access single-user mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-281329 | | RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-281330 | | RHEL 10 must map the authenticated identity to the user or group account for public key infrastructure (PKI)-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-281331 | | RHEL 10 must prohibit the use of cached authenticators after one day. | If cached authentication information is out of date, the validity of the authentication information may be questionable.... |
| V-281332 | | RHEL 10 must control remote access methods. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-281333 | | RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-281334 | | RHEL 10 must enforce that network interfaces not be in promiscuous mode. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-281335 | | RHEL 10 must disable access to the network bpf system call from nonprivileged processes. | Loading and accessing the packet filters programs and maps using the bpf() system call has the potential to reveal sensitive information about the ker... |
| V-281336 | | RHEL 10 must securely compare internal information system clocks at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-281337 | | RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. | When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the ... |
| V-281338 | | RHEL 10 must have at least two name servers configured for systems using Domain Name Server (DNS) resolution. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the fai... |
| V-281339 | | RHEL 10 must not have unauthorized IP tunnels configured. | IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security ... |
| V-281340 | | RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies. | Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-281341 | | RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-281342 | | RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-281343 | | RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses), as well as spoofed packets, source-routed packets, and redirects, could be a sign... |
| V-281344 | | RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by default. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects, could be a sign ... |
| V-281345 | | RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-281346 | | RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-281347 | | RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which... |
| V-281348 | | RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-281349 | | RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings... |
| V-281350 | | RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. | Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An atta... |
| V-281351 | | RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-281352 | | RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-281353 | | RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when no... |
| V-281354 | | RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces. | An illicit router advertisement message could result in a man-in-the-middle attack. Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00085... |
| V-281355 | | RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | An illicit ICMP redirect message could result in a man-in-the-middle attack. Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00086... |
| V-281356 | | RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-281357 | | RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only... |
| V-281358 | | RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default. | An illicit router advertisement message could result in a man-in-the-middle attack. Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00089... |
| V-281359 | | RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-281360 | | RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-281361 | | RHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring that rate-limiting measures on impacted network interfaces are implemented. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-281362 | | RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks. | To ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured. The following are common DNS values in "NetworkM... |
| V-281363 | | RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol (TFTP) server service is required. | Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.... |
| V-281364 | | RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent unauthorized access. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-281365 | | RHEL 10 must prevent unauthorized changes to the audit system. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-280936 | | RHEL 10 must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files and helps ensure that auditing cann... |
| V-280995 | | RHEL 10 must have the "audispd-plugins" package installed. | The "audispd-plugins" package provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do such things as rela... |
| V-281106 | | RHEL 10 must allocate audit record storage capacity to store at least one week's worth of audit records. | To ensure RHEL 10 systems have a sufficient storage capacity in which to write the audit logs, RHEL 10 must be able to allocate audit record storage c... |
| V-281203 | | RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of... |
| V-281292 | | RHEL 10 must disable the graphical user interface autorunner unless required. | Automatically running applications when media is inserted allows for the easy introduction of unknown data, thereby facilitating malicious activity.... |
| V-280932 | | RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating from external software repositories before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-280933 | | RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-280934 | | RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-280935 | | RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information on local disk partitions that requires at-rest protection. | RHEL 10 systems handling data that requires "data-at-rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and mod... |
| V-280944 | | RHEL 10 must not have the "telnet-server" package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-280949 | | RHEL 10 must not have the "tftp" package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-280951 | | RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. | The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote sess... |
| V-280978 | | RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-281007 | | RHEL 10 must have the "crypto-policies" package installed. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-281008 | | RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-281009 | | RHEL 10 must enable FIPS mode. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptog... |
| V-281010 | | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., Remote Desktop ... |
| V-281011 | | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, unauthorized users can alter information without detection. Remote access (e.g., Remote Desktop Protocol... |
| V-281012 | | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., Remote Desktop ... |
| V-281013 | | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., Remote Desktop ... |
| V-281014 | | RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. | Overriding the systemwide cryptographic policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fr... |
| V-281015 | | RHEL 10 must implement DOD-approved encryption in the bind package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Cryptographic mechanisms used for pr... |
| V-281016 | | RHEL 10 cryptographic policy must not be overridden. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-281211 | | RHEL 10 must require users to provide a password for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-281216 | | RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | When "UsePAM" is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based on IP, ... |
| V-281221 | | RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords. | The system must use a strong hashing algorithm to store the password. Passwords must be protected at all times, and encryption is the standard method... |
| V-281222 | | RHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-281223 | | RHEL 10 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be ... |
| V-281267 | | RHEL 10 must not allow users to override Secure Shell (SSH) environment variables. | SSH environment options potentially allow users to bypass access restriction in some configurations. OpenSSH uses the first occurrence of a keyword i... |
| V-281268 | | RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections to the server. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-281275 | | RHEL 10 must not allow unattended or automatic login via the graphical user interface. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-281298 | | RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-281299 | | RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-281307 | | RHEL 10 must prevent the loading of a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-282965 | | RHEL 10 must be a vendor-supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release... |