| V-230222 | | RHEL 8 vendor packaged system security patches and updates must be installed and up to date. | Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. Howev... |
| V-230225 | | RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-230226 | | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-230227 | | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-230228 | | All RHEL 8 remote access methods must be monitored. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-230229 | | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-230230 | | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associate... |
| V-230231 | | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-230232 | | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | The system must use a strong hashing algorithm to store the password. Passwords need to be protected at all times, and encryption is the standard met... |
| V-230233 | | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. | The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required... |
| V-230236 | | RHEL 8 operating systems must require authentication upon booting into rescue mode. | If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is... |
| V-230237 | | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-230238 | | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-230239 | | The krb5-workstation package must not be installed on RHEL 8. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-230240 | | RHEL 8 must use a Linux Security Module configured to enforce limits on system services. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-230243 | | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-230244 | | RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-230245 | | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230246 | | The RHEL 8 /var/log/messages file must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230247 | | The RHEL 8 /var/log/messages file must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230248 | | The RHEL 8 /var/log directory must have mode 0755 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230249 | | The RHEL 8 /var/log directory must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230250 | | The RHEL 8 /var/log directory must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230251 | | The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-230252 | | The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-230254 | | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-230255 | | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-230256 | | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Transport Layer Security (TLS) encry... |
| V-230257 | | RHEL 8 system commands must have mode 755 or less permissive. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230258 | | RHEL 8 system commands must be owned by root. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230259 | | RHEL 8 system commands must be group-owned by root or a system account. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230260 | | RHEL 8 library files must have mode 755 or less permissive. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230261 | | RHEL 8 library files must be owned by root. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230262 | | RHEL 8 library files must be group-owned by root or a system account. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-230263 | | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-230266 | | RHEL 8 must prevent the loading of a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-230267 | | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-230268 | | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-230271 | | RHEL 8 must require users to provide a password for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-230272 | | RHEL 8 must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-230273 | | RHEL 8 must have the packages required for multifactor authentication installed. | Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-230274 | | RHEL 8 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-230275 | | RHEL 8 must accept Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the Common Access... |
| V-230276 | | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Secu... |
| V-230277 | | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Secu... |
| V-230278 | | RHEL 8 must disable virtual syscalls. | Syscalls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive op... |
| V-230279 | | RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-230280 | | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Secu... |
| V-230282 | | RHEL 8 must enable the SELinux targeted policy. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-230286 | | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-230287 | | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-230288 | | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.... |
| V-230290 | | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication. | Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misc... |
| V-230291 | | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. | Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, e... |
| V-230295 | | A separate RHEL 8 filesystem must be used for the /tmp directory. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-230296 | | RHEL 8 must not permit direct logons to the root account using remote access via SSH. | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly ... |
| V-230298 | | The rsyslog service must be running in RHEL 8. | Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and... |
| V-230299 | | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-230300 | | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-230301 | | RHEL 8 must prevent special devices on non-root local partitions. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-230302 | | RHEL 8 must prevent code from being executed on file systems that contain user home directories. | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-230303 | | RHEL 8 must prevent special devices on file systems that are used with removable media. | The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untr... |
| V-230304 | | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-230305 | | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-230306 | | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS). | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-230307 | | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS). | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-230308 | | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-230309 | | Local RHEL 8 initialization files must not execute world-writable programs. | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user file... |
| V-230310 | | RHEL 8 must disable kernel dumps unless needed. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk... |
| V-230311 | | RHEL 8 must disable the kernel.core_pattern. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230312 | | RHEL 8 must disable acquiring, saving, and processing core dumps. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230313 | | RHEL 8 must disable core dumps for all users. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230314 | | RHEL 8 must disable storing core dumps. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230315 | | RHEL 8 must disable core dump backtraces. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230316 | | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the fai... |
| V-230317 | | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the user's home directory. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-230318 | | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user. | If a world-writable directory is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files ... |
| V-230319 | | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify... |
| V-230320 | | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-230321 | | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-230322 | | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group. | If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthoriz... |
| V-230323 | | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the "/" directory as the current working... |
| V-230324 | | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-230325 | | All RHEL 8 local initialization files must have mode 0740 or less permissive. | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accou... |
| V-230326 | | All RHEL 8 local files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the un-owned files.... |
| V-230327 | | All RHEL 8 local files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files with... |
| V-230328 | | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent). | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-230330 | | RHEL 8 must not allow users to override SSH environment variables. | SSH environment options potentially allow users to bypass access restriction in some configurations.... |
| V-230331 | | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-230332 | | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230333 | | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230334 | | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230335 | | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230336 | | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230337 | | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230338 | | RHEL 8 must ensure account lockouts persist. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230339 | | RHEL 8 must ensure account lockouts persist. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230340 | | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230341 | | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230342 | | RHEL 8 must log user name information when unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230343 | | RHEL 8 must log user name information when unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230344 | | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230345 | | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-230347 | | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-230351 | | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-230352 | | RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-230354 | | RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-230355 | | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-230356 | | RHEL 8 must ensure the password complexity module is enabled in the password-auth file. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230357 | | RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230358 | | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230359 | | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230360 | | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230361 | | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230362 | | RHEL 8 must require the change of at least four character classes when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230363 | | RHEL 8 must require the change of at least 8 characters when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230364 | | RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-230365 | | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-230366 | | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lif... |
| V-230367 | | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lif... |
| V-230369 | | RHEL 8 passwords must have a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-230370 | | RHEL 8 passwords for new users must have a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-230371 | | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-230372 | | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the inf... |
| V-230373 | | RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-230374 | | RHEL 8 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware confi... |
| V-230375 | | All RHEL 8 passwords must contain at least one special character. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-230376 | | RHEL 8 must prohibit the use of cached authentications after one day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. RHEL 8 includes multiple opt... |
| V-230377 | | RHEL 8 must prevent the use of dictionary words for passwords. | If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportuni... |
| V-230378 | | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federa... |
| V-230379 | | RHEL 8 must not have unnecessary accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for indiv... |
| V-230382 | | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon. | Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-230383 | | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.... |
| V-230384 | | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-230385 | | RHEL 8 must define default permissions for logon and non-logon shells. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-230386 | | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-230387 | | Cron logging must be implemented in RHEL 8. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cr... |
| V-230388 | | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-230389 | | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-230390 | | The RHEL 8 System must take appropriate action when an audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-230392 | | The RHEL 8 audit system must take appropriate action when the audit storage volume is full. | It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing fai... |
| V-230393 | | The RHEL 8 audit system must audit local events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-230394 | | RHEL 8 must label all off-loaded audit logs before sending them to the central log server. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-230396 | | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230397 | | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-230398 | | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230399 | | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230400 | | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230401 | | RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230402 | | RHEL 8 audit system must protect auditing rules from unauthorized change. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230403 | | RHEL 8 audit system must protect logon UIDs from unauthorized change. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-230404 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230405 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230406 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230407 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230408 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230409 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230410 | | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230411 | | The RHEL 8 audit package must be installed. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-230412 | | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230413 | | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230418 | | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230419 | | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230421 | | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230422 | | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230423 | | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230424 | | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230425 | | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230426 | | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230427 | | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230428 | | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230429 | | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230430 | | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230431 | | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230432 | | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230433 | | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-230434 | | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230435 | | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230436 | | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230437 | | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230438 | | Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230439 | | Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230444 | | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230446 | | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230447 | | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230448 | | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230449 | | Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230455 | | Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230456 | | Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230462 | | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230463 | | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230464 | | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-230465 | | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230466 | | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230467 | | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230471 | | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-230472 | | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-230473 | | RHEL 8 audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-230474 | | RHEL 8 audit tools must be group-owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-230475 | | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-230476 | | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage... |
| V-230477 | | RHEL 8 must have the packages required for offloading audit logs installed. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230478 | | RHEL 8 must have the packages required for encrypting offloaded audit logs installed. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230479 | | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230480 | | RHEL 8 must take appropriate action when the internal event queue is full. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230481 | | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230482 | | RHEL 8 must authenticate the remote logging server for off-loading audit logs. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-230483 | | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-230484 | | RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-230488 | | RHEL 8 must not have any automated bug reporting tools installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230489 | | RHEL 8 must not have the sendmail package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230493 | | RHEL 8 must cover or disable the built-in or attached camera when not in use. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230500 | | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-230502 | | The RHEL 8 file system automounter must be disabled unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.... |
| V-230503 | | RHEL 8 must be configured to disable USB mass storage. | USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0... |
| V-230504 | | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-230505 | | A firewall must be installed on RHEL 8. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services,... |
| V-230506 | | RHEL 8 wireless network adapters must be disabled. | Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications ca... |
| V-230507 | | RHEL 8 Bluetooth must be disabled. | Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications ca... |
| V-230508 | | RHEL 8 must mount /dev/shm with the nodev option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230509 | | RHEL 8 must mount /dev/shm with the nosuid option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230510 | | RHEL 8 must mount /dev/shm with the noexec option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230511 | | RHEL 8 must mount /tmp with the nodev option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230512 | | RHEL 8 must mount /tmp with the nosuid option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230513 | | RHEL 8 must mount /tmp with the noexec option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230514 | | RHEL 8 must mount /var/log with the nodev option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230515 | | RHEL 8 must mount /var/log with the nosuid option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230516 | | RHEL 8 must mount /var/log with the noexec option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230517 | | RHEL 8 must mount /var/log/audit with the nodev option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230518 | | RHEL 8 must mount /var/log/audit with the nosuid option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230519 | | RHEL 8 must mount /var/log/audit with the noexec option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230520 | | RHEL 8 must mount /var/tmp with the nodev option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230521 | | RHEL 8 must mount /var/tmp with the nosuid option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230522 | | RHEL 8 must mount /var/tmp with the noexec option. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230523 | | The RHEL 8 fapolicy module must be installed. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-230524 | | RHEL 8 must block unauthorized peripherals before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but ... |
| V-230525 | | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-230526 | | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-230527 | | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-230532 | | The debug-shell systemd service must be disabled on RHEL 8. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disab... |
| V-230535 | | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-230536 | | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-230537 | | RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. There are notable differences betwee... |
| V-230538 | | RHEL 8 must not forward IPv6 source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-230539 | | RHEL 8 must not forward IPv6 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-230540 | | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-230541 | | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-230542 | | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-230543 | | RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-230544 | | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-230545 | | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230546 | | RHEL 8 must restrict usage of ptrace to descendant processes. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230547 | | RHEL 8 must restrict exposed kernel pointer addresses access. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230548 | | RHEL 8 must disable the use of user namespaces. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230549 | | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230550 | | RHEL 8 must be configured to prevent unrestricted mail relaying. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthor... |
| V-230553 | | The graphical display manager must not be installed on RHEL 8 unless approved. | Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical... |
| V-230554 | | RHEL 8 network interfaces must not be in promiscuous mode. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-230555 | | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements. | The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A... |
| V-230556 | | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-230557 | | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. | Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.... |
| V-230559 | | The gssproxy package must not be installed unless mission essential on RHEL 8. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230560 | | The iprutils package must not be installed unless mission essential on RHEL 8. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230561 | | The tuned package must not be installed unless mission essential on RHEL 8. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-237640 | | The krb5-server package must not be installed on RHEL 8. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-237641 | | RHEL 8 must restrict privilege elevation to authorized personnel. | The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your ... |
| V-237642 | | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates t... |
| V-237643 | | RHEL 8 must require re-authentication when using the "sudo" command. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-244519 | | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-244521 | | RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. | If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenanc... |
| V-244522 | | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes. | If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenanc... |
| V-244523 | | RHEL 8 operating systems must require authentication upon booting into emergency mode. | If the system does not require valid root authentication before it boots into emergency or rescue mode, anyone who invokes emergency or rescue mode is... |
| V-244524 | | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-244525 | | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-244526 | | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-244528 | | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. | Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misc... |
| V-244529 | | RHEL 8 must use a separate file system for /var/tmp. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-244530 | | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-244531 | | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-244532 | | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. | If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.... |
| V-244533 | | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-244534 | | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-244535 | | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-244536 | | RHEL 8 must disable the user list at logon for graphical user interfaces. | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without au... |
| V-244538 | | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-244539 | | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-244542 | | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-244543 | | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-244544 | | A firewall must be active on RHEL 8. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services,... |
| V-244545 | | The RHEL 8 fapolicy module must be enabled. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-244546 | | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-244547 | | RHEL 8 must have the USBGuard installed. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but a... |
| V-244548 | | RHEL 8 must enable the USBGuard. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but ... |
| V-244549 | | All RHEL 8 networked systems must have SSH installed. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-244550 | | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-244551 | | RHEL 8 must not forward IPv4 source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-244552 | | RHEL 8 must not forward IPv4 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-244553 | | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-244554 | | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-250315 | | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-250316 | | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-250317 | | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-251707 | | RHEL 8 library directories must have mode 755 or less permissive. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-251708 | | RHEL 8 library directories must be owned by root. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-251709 | | RHEL 8 library directories must be group-owned by root or a system account. | If RHEL 8 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate tes... |
| V-251710 | | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is d... |
| V-251711 | | RHEL 8 must specify the default "include" directory for the /etc/sudoers file. | The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used ... |
| V-251712 | | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ... |
| V-251713 | | RHEL 8 must ensure the password complexity module is enabled in the system-auth file. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-251716 | | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-251718 | | The graphical display manager must not be the default target on RHEL 8 unless approved. | Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical... |
| V-254520 | | RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-255924 | | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized... |
| V-256973 | | RHEL 8 must ensure cryptographic verification of vendor software packages. | Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofi... |
| V-256974 | | RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-257258 | | RHEL 8.7 and higher must terminate idle user sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-272482 | | RHEL 8 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-272483 | | RHEL 8 SSH client must be configured to use only ciphers employing FIPS 140-3 validated cryptographic hash algorithms. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access ... |
| V-272484 | | RHEL 8 must elevate the SELinux context when an administrator calls the sudo command. | Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary ... |
| V-274877 | | RHEL 8 must audit any script or executable called by cron as root or by any privileged user. | Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions set to 755 or more res... |
| V-230241 | | RHEL 8 must have policycoreutils package installed. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-230253 | | RHEL 8 must ensure the SSH server uses strong entropy. | The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to ... |
| V-230269 | | RHEL 8 must restrict access to the kernel message buffer. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-230270 | | RHEL 8 must prevent kernel profiling by unprivileged users. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-230281 | | YUM must remove all software components after updated versions have been installed on RHEL 8. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-230285 | | RHEL 8 must enable the hardware random number generator entropy gatherer service. | The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to ... |
| V-230292 | | RHEL 8 must use a separate file system for /var. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-230293 | | RHEL 8 must use a separate file system for /var/log. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-230294 | | RHEL 8 must use a separate file system for the system audit data path. | The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.... |
| V-230346 | | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-230381 | | RHEL 8 must display the date and time of the last successful account logon upon logon. | Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-230395 | | RHEL 8 must resolve audit information before writing to disk. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-230468 | | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230469 | | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230470 | | RHEL 8 must enable Linux audit logging for the USBGuard daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-230485 | | RHEL 8 must disable the chrony daemon from acting as a server. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-230486 | | RHEL 8 must disable network management of the chrony daemon. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-230491 | | RHEL 8 must enable mitigations against processor-based vulnerabilities. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230494 | | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230495 | | RHEL 8 must disable the controller area network (CAN) protocol. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230496 | | RHEL 8 must disable the stream control transmission protocol (SCTP). | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230497 | | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230498 | | RHEL 8 must disable mounting of cramfs. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230499 | | RHEL 8 must disable IEEE 1394 (FireWire) Support. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230551 | | The RHEL 8 file integrity tool must be configured to verify extended attributes. | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. RHEL 8 installation media come w... |
| V-230552 | | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs). | ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools. Selection lines in the aide.c... |
| V-244527 | | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service. | The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to ... |
| V-230221 | | RHEL 8 must be a vendor-supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release... |
| V-230223 | | RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptog... |
| V-230224 | | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modifica... |
| V-230234 | | RHEL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. | If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenanc... |
| V-230235 | | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenanc... |
| V-230264 | | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-230265 | | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-230283 | | There must be no shosts.equiv files on the RHEL 8 operating system. | The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preve... |
| V-230284 | | There must be no .shosts files on the RHEL 8 operating system. | The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not suffi... |
| V-230329 | | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-230380 | | RHEL 8 must not allow accounts configured with blank or null passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-230487 | | RHEL 8 must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230492 | | RHEL 8 must not have the rsh-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-230529 | | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case... |
| V-230530 | | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | A locally logged-on user, who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the cas... |
| V-230531 | | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-230533 | | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support. | If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System... |
| V-230534 | | The root account must be the only account having unrestricted access to the RHEL 8 system. | If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire op... |
| V-230558 | | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8. | The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote sess... |
| V-244541 | | RHEL 8 must not allow blank or null passwords in the password-auth file. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-251706 | | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-268322 | | RHEL 8 must not allow blank or null passwords in the system-auth file. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |