| V-257778 | | RHEL 9 vendor packaged system security patches and updates must be installed and up to date. | Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patche... |
| V-257779 | | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-257781 | | The graphical display manager must not be the default target on RHEL 9 unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of sec... |
| V-257783 | | RHEL 9 systemd-journald service must be enabled. | In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return... |
| V-257786 | | RHEL 9 debug-shell systemd service must be disabled. | The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabl... |
| V-257787 | | RHEL 9 must require a boot loader superuser password. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-257788 | | RHEL 9 must disable the ability of systemd to spawn an interactive boot process. | Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.... |
| V-257790 | | RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. | The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.... |
| V-257791 | | RHEL 9 /boot/grub2/grub.cfg file must be owned by root. | The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.... |
| V-257792 | | RHEL 9 must disable virtual system calls. | System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive... |
| V-257793 | | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will b... |
| V-257794 | | RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-257797 | | RHEL 9 must restrict access to the kernel message buffer. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-257798 | | RHEL 9 must prevent kernel profiling by nonprivileged users. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-257799 | | RHEL 9 must prevent the loading of a new kernel for later execution. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-257800 | | RHEL 9 must restrict exposed kernel pointer addresses access. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257801 | | RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-257802 | | RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. | Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should ... |
| V-257803 | | RHEL 9 must disable the kernel.core_pattern. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257804 | | RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module. | Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation.... |
| V-257805 | | RHEL 9 must be configured to disable the Controller Area Network kernel module. | Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.... |
| V-257806 | | RHEL 9 must be configured to disable the FireWire kernel module. | Disabling firewire protects the system against exploitation of any flaws in its implementation.... |
| V-257807 | | RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257808 | | RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257809 | | RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-257810 | | RHEL 9 must disable access to network bpf system call from nonprivileged processes. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257811 | | RHEL 9 must restrict usage of ptrace to descendant processes. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257812 | | RHEL 9 must disable core dump backtraces. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-257813 | | RHEL 9 must disable storing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-257814 | | RHEL 9 must disable core dumps for all users. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-257815 | | RHEL 9 must disable acquiring, saving, and processing core dumps. | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data an... |
| V-257816 | | RHEL 9 must disable the use of user namespaces. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257817 | | RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution. | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a li... |
| V-257818 | | The kdump service on RHEL 9 must be disabled. | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk spa... |
| V-257819 | | RHEL 9 must ensure cryptographic verification of vendor software packages. | Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofi... |
| V-257823 | | RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values. | The hashes of important files such as system executables should match the information given by the RPM database. Executables with erroneous hashes cou... |
| V-257825 | | RHEL 9 subscription-manager package must be installed. | The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local sys... |
| V-257827 | | RHEL 9 must not have the sendmail package installed. | The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be... |
| V-257828 | | RHEL 9 must not have the nfs-utils package installed. | "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the... |
| V-257829 | | RHEL 9 must not have the ypserv package installed. | The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the ... |
| V-257830 | | RHEL 9 must not have the rsh-server package installed. | The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or... |
| V-257831 | | RHEL 9 must not have the telnet-server package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257832 | | RHEL 9 must not have the gssproxy package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257833 | | RHEL 9 must not have the iprutils package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257834 | | RHEL 9 must not have the tuned package installed. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257836 | | RHEL 9 must not have the quagga package installed. | Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Ga... |
| V-257837 | | A graphical display manager must not be installed on RHEL 9 unless approved. | Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of sec... |
| V-257838 | | RHEL 9 must have the openssl-pkcs11 package installed. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-257839 | | RHEL 9 must have the gnutls-utils package installed. | GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language a... |
| V-257840 | | RHEL 9 must have the nss-tools package installed. | Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server application... |
| V-257841 | | RHEL 9 must have the rng-tools package installed. | "rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.... |
| V-257842 | | RHEL 9 must have the s-nail package installed. | The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated perso... |
| V-257843 | | A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent). | Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot t... |
| V-257844 | | RHEL 9 must use a separate file system for /tmp. | The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount ... |
| V-257848 | | RHEL 9 must use a separate file system for /var/tmp. | The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictiv... |
| V-257849 | | RHEL 9 file system automount function must be disabled unless required. | An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous aut... |
| V-257850 | | RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257851 | | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257852 | | RHEL 9 must prevent code from being executed on file systems that contain user home directories. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257854 | | RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS). | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257855 | | RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257856 | | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257857 | | RHEL 9 must prevent code from being executed on file systems that are used with removable media. | The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257858 | | RHEL 9 must prevent special devices on file systems that are used with removable media. | The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or blocking special devices from u... |
| V-257859 | | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257860 | | RHEL 9 must mount /boot with the nodev option. | The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.... |
| V-257861 | | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257862 | | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257863 | | RHEL 9 must mount /dev/shm with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257864 | | RHEL 9 must mount /dev/shm with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257865 | | RHEL 9 must mount /dev/shm with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257866 | | RHEL 9 must mount /tmp with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257867 | | RHEL 9 must mount /tmp with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257868 | | RHEL 9 must mount /tmp with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257869 | | RHEL 9 must mount /var with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257870 | | RHEL 9 must mount /var/log with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257871 | | RHEL 9 must mount /var/log with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257872 | | RHEL 9 must mount /var/log with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257873 | | RHEL 9 must mount /var/log/audit with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257874 | | RHEL 9 must mount /var/log/audit with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257875 | | RHEL 9 must mount /var/log/audit with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257876 | | RHEL 9 must mount /var/tmp with the nodev option. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257877 | | RHEL 9 must mount /var/tmp with the noexec option. | The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved... |
| V-257878 | | RHEL 9 must mount /var/tmp with the nosuid option. | The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting an... |
| V-257881 | | RHEL 9 must prevent special devices on non-root local partitions. | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untr... |
| V-257882 | | RHEL 9 system commands must have mode 755 or less permissive. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257883 | | RHEL 9 library directories must have mode 755 or less permissive. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257884 | | RHEL 9 library files must have mode 755 or less permissive. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257885 | | RHEL 9 /var/log directory must have mode 0755 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257886 | | RHEL 9 /var/log/messages file must have mode 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257887 | | RHEL 9 audit tools must have a mode of 0755 or less permissive. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-257888 | | RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults. | If the permissions of cron configuration files or directories are modified from the operating system defaults, it may be possible for individuals to i... |
| V-257889 | | All RHEL 9 local initialization files must have mode 0740 or less permissive. | Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accou... |
| V-257890 | | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.... |
| V-257891 | | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-257892 | | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-257893 | | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-257894 | | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-257895 | | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on... |
| V-257896 | | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-257897 | | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-257898 | | RHEL 9 /etc/group file must be owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-257899 | | RHEL 9 /etc/group file must be group-owned by root. | The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system securit... |
| V-257900 | | RHEL 9 /etc/group- file must be owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-257901 | | RHEL 9 /etc/group- file must be group-owned by root. | The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protect... |
| V-257902 | | RHEL 9 /etc/gshadow file must be owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-257903 | | RHEL 9 /etc/gshadow file must be group-owned by root. | The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.... |
| V-257904 | | RHEL 9 /etc/gshadow- file must be owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-257905 | | RHEL 9 /etc/gshadow- file must be group-owned by root. | The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system se... |
| V-257906 | | RHEL 9 /etc/passwd file must be owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-257907 | | RHEL 9 /etc/passwd file must be group-owned by root. | The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security... |
| V-257908 | | RHEL 9 /etc/passwd- file must be owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-257909 | | RHEL 9 /etc/passwd- file must be group-owned by root. | The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protec... |
| V-257910 | | RHEL 9 /etc/shadow file must be owned by root. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-257911 | | RHEL 9 /etc/shadow file must be group-owned by root. | The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.... |
| V-257912 | | RHEL 9 /etc/shadow- file must be owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-257913 | | RHEL 9 /etc/shadow- file must be group-owned by root. | The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of ... |
| V-257914 | | RHEL 9 /var/log directory must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257915 | | RHEL 9 /var/log directory must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257916 | | RHEL 9 /var/log/messages file must be owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257917 | | RHEL 9 /var/log/messages file must be group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-257918 | | RHEL 9 system commands must be owned by root. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257919 | | RHEL 9 system commands must be group-owned by root or a system account. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257920 | | RHEL 9 library files must be owned by root. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257921 | | RHEL 9 library files must be group-owned by root or a system account. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257922 | | RHEL 9 library directories must be owned by root. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257923 | | RHEL 9 library directories must be group-owned by root or a system account. | If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing a... |
| V-257924 | | RHEL 9 audit tools must be owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-257925 | | RHEL 9 audit tools must be group-owned by root. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tool... |
| V-257926 | | RHEL 9 cron configuration files directory must be owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-257927 | | RHEL 9 cron configuration files directory must be group-owned by root. | Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable... |
| V-257928 | | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. | If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files ... |
| V-257929 | | A sticky bit must be set on all RHEL 9 public directories. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-257930 | | All RHEL 9 local files and directories must have a valid group owner. | Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files with... |
| V-257931 | | All RHEL 9 local files and directories must have a valid owner. | Unowned files and directories may be unintentionally inherited if a user is assigned the same user identifier "UID" as the UID of the unowned files.... |
| V-257932 | | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized op... |
| V-257934 | | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security.... |
| V-257935 | | RHEL 9 must have the firewalld package installed. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services,... |
| V-257936 | | The firewalld service on RHEL 9 must be active. | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services,... |
| V-257937 | | The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-257939 | | RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-257940 | | RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-257941 | | RHEL 9 network interfaces must not be in promiscuous mode. | Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access thes... |
| V-257942 | | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257943 | | RHEL 9 must have the chrony package installed. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-257944 | | RHEL 9 chronyd service must be enabled. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-257945 | | RHEL 9 must securely compare internal information system clocks at least every 24 hours. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-257948 | | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the fai... |
| V-257949 | | RHEL 9 must configure a DNS processing mode in Network Manager. | In order to ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured.... |
| V-257950 | | RHEL 9 must not have unauthorized IP tunnels configured. | IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security ... |
| V-257951 | | RHEL 9 must be configured to prevent unrestricted mail relaying. | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthor... |
| V-257953 | | RHEL 9 must forward mail from postmaster to the root account using a postfix alias. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-257954 | | RHEL 9 libreswan package must be installed. | Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area net... |
| V-257957 | | RHEL 9 must be configured to use TCP syncookies. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-257958 | | RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-257959 | | RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-257960 | | RHEL 9 must log IPv4 packets with impossible addresses. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-257961 | | RHEL 9 must log IPv4 packets with impossible addresses by default. | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign o... |
| V-257962 | | RHEL 9 must use reverse path filtering on all IPv4 interfaces. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-257963 | | RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-257964 | | RHEL 9 must not forward IPv4 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-257965 | | RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were ... |
| V-257966 | | RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings... |
| V-257967 | | RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. | Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An atta... |
| V-257968 | | RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-257969 | | RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain inform... |
| V-257970 | | RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when no... |
| V-257971 | | RHEL 9 must not accept router advertisements on all IPv6 interfaces. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-257972 | | RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-257973 | | RHEL 9 must not forward IPv6 source-routed packets. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-257974 | | RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-257975 | | RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not ... |
| V-257976 | | RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the hos... |
| V-257977 | | RHEL 9 must not forward IPv6 source-routed packets by default. | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, ... |
| V-257978 | | All RHEL 9 networked systems must have SSH installed. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-257979 | | All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-257980 | | RHEL 9 must have the openssh-clients package installed. | This package includes utilities to make encrypted connections and transfer files securely to SSH servers.... |
| V-257981 | | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon. | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, syste... |
| V-257982 | | RHEL 9 must log SSH connection attempts and failures to the server. | SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH c... |
| V-257983 | | RHEL 9 SSHD must accept public key authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-257985 | | RHEL 9 must not permit direct logons to the root account using remote access via SSH. | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on ... |
| V-257989 | | The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-257991 | | The RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access ... |
| V-257992 | | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-257993 | | RHEL 9 must not allow users to override SSH environment variables. | SSH environment options potentially allow users to bypass access restriction in some configurations.... |
| V-257994 | | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-257995 | | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-257996 | | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a m... |
| V-257997 | | RHEL 9 SSH server configuration file must be group-owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-257998 | | The RHEL 9 SSH server configuration file must be owned by root. | Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnera... |
| V-257999 | | RHEL 9 SSH server configuration files' permissions must not be modified. | Service configuration files enable or disable features of their respective services, that if configured incorrectly, can lead to insecure and vulnerab... |
| V-258000 | | RHEL 9 SSH private host key files must have mode 0640 or less permissive. | If an unauthorized user obtains the private SSH host key file, the host could be impersonated.... |
| V-258001 | | RHEL 9 SSH public host key files must have mode 0644 or less permissive. | If a public host key file is modified by an unauthorized user, the SSH service may be compromised.... |
| V-258002 | | RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the ... |
| V-258003 | | RHEL 9 SSH daemon must not allow GSSAPI authentication. | Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications... |
| V-258004 | | RHEL 9 SSH daemon must not allow Kerberos authentication. | Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled thr... |
| V-258005 | | RHEL 9 SSH daemon must not allow rhosts authentication. | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.... |
| V-258006 | | RHEL 9 SSH daemon must not allow known hosts authentication. | Configuring the IgnoreUserKnownHosts setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even ... |
| V-258007 | | RHEL 9 SSH daemon must disable remote X connections for interactive users. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-258008 | | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.... |
| V-258009 | | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.... |
| V-258011 | | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen o... |
| V-258012 | | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-258013 | | RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-258014 | | RHEL 9 must disable the graphical user interface automount function unless required. | Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
Satisfies: SRG-OS-000114-G... |
| V-258015 | | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. | A nonprivileged account is any operating system account with authorizations of a nonprivileged user.
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0003... |
| V-258016 | | RHEL 9 must disable the graphical user interface autorun function unless required. | Allowing autorun commands to execute may introduce malicious code to a system. Configuring this setting prevents autorun commands from executing.... |
| V-258017 | | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. | Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Secu... |
| V-258019 | | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-258020 | | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-258021 | | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-258022 | | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-258023 | | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-258024 | | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-258025 | | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-258026 | | RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-258027 | | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | Setting the screensaver mode to blank-only conceals the contents of the display from passersby.... |
| V-258028 | | RHEL 9 effective dconf policy must match the policy keyfiles. | Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, in order to evaluate dc... |
| V-258029 | | RHEL 9 must disable the ability of a user to restart the system from the login screen. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-258030 | | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can creat... |
| V-258031 | | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-258032 | | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of... |
| V-258033 | | RHEL 9 must disable the user list at logon for graphical user interfaces. | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to enumerate known user accounts without au... |
| V-258034 | | RHEL 9 must be configured to disable USB mass storage. | USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-0... |
| V-258035 | | RHEL 9 must have the USBGuard package installed. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-258036 | | RHEL 9 must have the USBGuard package enabled. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-258038 | | RHEL 9 must block unauthorized peripherals before establishing a connection. | The USBguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device autho... |
| V-258039 | | RHEL 9 Bluetooth must be disabled. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 9 systems. Wireless perip... |
| V-258040 | | RHEL 9 wireless network adapters must be disabled. | This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 9 systems. Wireless perip... |
| V-258041 | | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. | Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If the operating system does not... |
| V-258042 | | RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed periodically. If RHEL 9 does not limit the lif... |
| V-258043 | | All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-258044 | | RHEL 9 must set the umask value to 077 for all local interactive user accounts. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-258045 | | RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users. | To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and co... |
| V-258046 | | RHEL 9 system accounts must not have an interactive login shell. | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.... |
| V-258047 | | RHEL 9 must automatically expire temporary accounts within 72 hours. | Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware confi... |
| V-258048 | | All RHEL 9 interactive users must have a primary group that exists. | If a user is assigned the Group Identifier (GID) of a group that does not exist on the system, and a group with the GID is subsequently created, the u... |
| V-258049 | | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-258050 | | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory. | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If th... |
| V-258051 | | All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.... |
| V-258052 | | All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist. | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working d... |
| V-258053 | | All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. | If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorize... |
| V-258054 | | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-258055 | | RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is re... |
| V-258056 | | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, i... |
| V-258057 | | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, i... |
| V-258058 | | RHEL 9 must not have unauthorized accounts. | Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for indiv... |
| V-258060 | | RHEL 9 must ensure account lockouts persist. | Having lockouts persist across reboots ensures that account is only unlocked by an administrator. If the lockouts did not persist across reboots, an a... |
| V-258061 | | RHEL 9 groups must have unique Group ID (GID). | To ensure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the syst... |
| V-258062 | | Local RHEL 9 initialization files must not execute world-writable programs. | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user file... |
| V-258068 | | RHEL 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. | Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to ... |
| V-258070 | | RHEL 9 must log username information when unsuccessful logon attempts occur. | Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.... |
| V-258071 | | RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | Increasing the time between a failed authentication attempt and reprompting to enter credentials helps to slow a single-threaded brute force attack.... |
| V-258072 | | RHEL 9 must define default permissions for the bash shell. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-258073 | | RHEL 9 must define default permissions for the c shell. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-258074 | | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.... |
| V-258075 | | RHEL 9 must define default permissions for the system default profile. | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although u... |
| V-258077 | | RHEL 9 must terminate idle user sessions. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-258079 | | RHEL 9 must enable the SELinux targeted policy. | Setting the SELinux policy to "targeted" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exp... |
| V-258080 | | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | Not having the correct SELinux context on the faillock directory may lead to unauthorized access to the directory.... |
| V-258081 | | RHEL 9 must have policycoreutils package installed. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-258082 | | RHEL 9 policycoreutils-python-utils package must be installed. | The policycoreutils-python-utils package is required to operate and manage an SELinux environment and its policies. It provides utilities such as sema... |
| V-258083 | | RHEL 9 must have the sudo package installed. | "sudo" is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is t... |
| V-258084 | | RHEL 9 must require reauthentication when using the "sudo" command. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the c... |
| V-258085 | | RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" u... |
| V-258086 | | RHEL 9 must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the ca... |
| V-258087 | | RHEL 9 must restrict privilege elevation to authorized personnel. | If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.... |
| V-258088 | | RHEL 9 must restrict the use of the "su" command. | The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to ... |
| V-258089 | | RHEL 9 fapolicy module must be installed. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-258090 | | RHEL 9 fapolicy module must be enabled. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-258091 | | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258095 | | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | If the pam_faillock.so module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.... |
| V-258096 | | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | If the pam_faillock.so module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.... |
| V-258097 | | RHEL 9 must ensure the password complexity module is enabled in the password-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.
Satisfie... |
| V-258098 | | RHEL 9 must ensure the password complexity module is enabled in the system-auth file. | Enabling PAM password complexity permits enforcement of strong passwords and consequently makes the system less prone to dictionary attacks.... |
| V-258099 | | RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258100 | | RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258101 | | RHEL 9 must enforce password complexity rules for the root account. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258102 | | RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258103 | | RHEL 9 must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258104 | | RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-258105 | | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-258106 | | RHEL 9 must require users to provide a password for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the ca... |
| V-258107 | | RHEL 9 passwords must be created with a minimum of 15 characters. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexit... |
| V-258109 | | RHEL 9 must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258110 | | RHEL 9 must prevent the use of dictionary words for passwords. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258111 | | RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258112 | | RHEL 9 must require the change of at least eight characters when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258113 | | RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258114 | | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258115 | | RHEL 9 must require the change of at least four character classes when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-258116 | | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258117 | | RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-258118 | | RHEL 9 must not be configured to bypass password requirements for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the cap... |
| V-258120 | | RHEL 9 must not have accounts configured with blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-258121 | | RHEL 9 must use the common access card (CAC) smart card driver. | Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public ke... |
| V-258122 | | RHEL 9 must enable certificate based smart card authentication. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires us... |
| V-258123 | | RHEL 9 must implement certificate status checking for multifactor authentication. | Using an authentication device, such as a DOD common access card (CAC) or token that is separate from the information system, ensures that even if the... |
| V-258124 | | RHEL 9 must have the pcsc-lite package installed. | The pcsc-lite package must be installed if it is to be available for multifactor authentication using smart cards.... |
| V-258125 | | The pcscd service on RHEL 9 must be active. | The information system ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentic... |
| V-258126 | | RHEL 9 must have the opensc package installed. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.
The DOD has mandated the use of the common access... |
| V-258127 | | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
Th... |
| V-258128 | | RHEL 9 must require authentication to access emergency mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-258129 | | RHEL 9 must require authentication to access single-user mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-258131 | | RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-258132 | | RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-258133 | | RHEL 9 must prohibit the use of cached authenticators after one day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable.... |
| V-258134 | | RHEL 9 must have the AIDE package installed. | Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is d... |
| V-258135 | | RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-258136 | | RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | RHEL 9 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-258137 | | RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools. | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit informat... |
| V-258140 | | RHEL 9 must have the rsyslog package installed. | rsyslogd is a system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support ... |
| V-258141 | | RHEL 9 must have the packages required for encrypting offloaded audit logs installed. | The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.
Satisfies: SR... |
| V-258142 | | The rsyslog service on RHEL 9 must be active. | The "rsyslog" service must be running to provide logging services, which are essential to system administration.... |
| V-258143 | | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server co... |
| V-258144 | | All RHEL 9 remote access methods must be monitored. | Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spo... |
| V-258146 | | RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information sy... |
| V-258147 | | RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information sy... |
| V-258148 | | RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information sy... |
| V-258149 | | RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-258150 | | RHEL 9 must use cron logging. | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cr... |
| V-258151 | | RHEL 9 audit package must be installed. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-258152 | | RHEL 9 audit service must be enabled. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-258153 | | RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-258154 | | RHEL 9 audit system must take appropriate action when the audit storage volume is full. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-258155 | | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. | To ensure RHEL 9 systems have a sufficient storage capacity in which to write the audit logs, RHEL 9 needs to be able to allocate audit record storage... |
| V-258156 | | RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches a maximum of 75 percent utilization, they are unable to plan for audit ... |
| V-258157 | | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-258158 | | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-258159 | | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.... |
| V-258160 | | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-258161 | | RHEL 9 must label all offloaded audit logs before sending them to the central log server. | Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much mo... |
| V-258162 | | RHEL 9 must take appropriate action when the internal event queue is full. | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one lo... |
| V-258163 | | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-258164 | | RHEL 9 audit system must audit local events. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-258165 | | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Satisfies: SRG... |
| V-258166 | | RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Satisfies: SRG... |
| V-258167 | | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-258168 | | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. | If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may b... |
| V-258169 | | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. | Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to es... |
| V-258170 | | RHEL 9 must write audit records to disk. | Audit data should be synchronously written to disk to ensure log integrity. This setting assures that all audit event data is written disk.... |
| V-258171 | | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-258174 | | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-258175 | | RHEL 9 audispd-plugins package must be installed. | "audispd-plugins" provides plugins for the real-time interface to the audit subsystem, "audispd". These plugins can do things like relay events to rem... |
| V-258176 | | RHEL 9 must audit uses of the "execve" system call. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-258177 | | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258178 | | RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258179 | | RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258180 | | RHEL 9 must audit all uses of umount system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258181 | | RHEL 9 must audit all uses of the chacl command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258182 | | RHEL 9 must audit all uses of the setfacl command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258183 | | RHEL 9 must audit all uses of the chcon command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258184 | | RHEL 9 must audit all uses of the semanage command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258185 | | RHEL 9 must audit all uses of the setfiles command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258186 | | RHEL 9 must audit all uses of the setsebool command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258187 | | RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258188 | | RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258189 | | RHEL 9 must audit all uses of the delete_module system call. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258190 | | RHEL 9 must audit all uses of the init_module and finit_module system calls. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258191 | | RHEL 9 must audit all uses of the chage command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258192 | | RHEL 9 must audit all uses of the chsh command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258193 | | RHEL 9 must audit all uses of the crontab command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258194 | | RHEL 9 must audit all uses of the gpasswd command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258195 | | RHEL 9 must audit all uses of the kmod command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258196 | | RHEL 9 must audit all uses of the newgrp command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258197 | | RHEL 9 must audit all uses of the pam_timestamp_check command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258198 | | RHEL 9 must audit all uses of the passwd command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258199 | | RHEL 9 must audit all uses of the postdrop command. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258200 | | RHEL 9 must audit all uses of the postqueue command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258201 | | RHEL 9 must audit all uses of the ssh-agent command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258202 | | RHEL 9 must audit all uses of the ssh-keysign command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258203 | | RHEL 9 must audit all uses of the su command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258204 | | RHEL 9 must audit all uses of the sudo command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258205 | | RHEL 9 must audit all uses of the sudoedit command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258206 | | RHEL 9 must audit all uses of the unix_chkpwd command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258207 | | RHEL 9 must audit all uses of the unix_update command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258208 | | RHEL 9 must audit all uses of the userhelper command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258209 | | RHEL 9 must audit all uses of the usermod command. | Without generating audit record specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and inv... |
| V-258210 | | RHEL 9 must audit all uses of the mount command. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-258211 | | Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. | Misuse of the init command may cause availability issues for the system.... |
| V-258212 | | Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record. | Misuse of the poweroff command may cause availability issues for the system.... |
| V-258213 | | Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record. | Misuse of the reboot command may cause availability issues for the system.... |
| V-258214 | | Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record. | Misuse of the shutdown command may cause availability issues for the system.... |
| V-258215 | | Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing D... |
| V-258216 | | Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing D... |
| V-258217 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-258218 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. | The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes... |
| V-258219 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-258220 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-258221 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-258222 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-258223 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, ... |
| V-258224 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258225 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258226 | | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. | Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and in... |
| V-258227 | | RHEL 9 must take appropriate action when a critical audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-258228 | | RHEL 9 audit system must protect logon UIDs from unauthorized change. | If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossi... |
| V-258229 | | RHEL 9 audit system must protect auditing rules from unauthorized change. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit informat... |
| V-258231 | | RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. | The system must use a strong hashing algorithm to store the password.
Passwords need to be protected at all times, and encryption is the standard met... |
| V-258232 | | RHEL 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms. | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.... |
| V-258233 | | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide c... |
| V-258234 | | RHEL 9 must have the crypto-policies package installed. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-258241 | | RHEL 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
| V-258242 | | RHEL 9 must implement DOD-approved encryption in the bind package. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Cryptographic mechanisms used for pr... |
| V-270174 | | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-270175 | | RHEL 9 "/etc/audit/" must be owned by root. | The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Pr... |
| V-270176 | | RHEL 9 "/etc/audit/" must be group-owned by root. | The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Pr... |
| V-270177 | | The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access... |
| V-270178 | | The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access (e.g., RDP) is access... |
| V-270180 | | The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software program... |
| V-272488 | | RHEL 9 must have the Postfix package installed. | Postfix is a free, open-source mail transfer agent (MTA) that sends and receives emails. It is a server-side application that can be used to set up a ... |
| V-272496 | | RHEL 9 must elevate the SELinux context when an administrator calls the sudo command. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-274878 | | RHEL 9 must audit any script or executable called by cron as root or by any privileged user. | Any script or executable called by cron as root or by any privileged user must be owned by that user and must have the permissions 755 or more restric... |
| V-275779 | | RHEL 9 must audit any script or executable called by cron as root or by any privileged user. | Any script or executable called by cron as root or by any privileged user must be owned by that user, must have the permissions 755 or more restrictiv... |
| V-257782 | | RHEL 9 must enable the hardware random number generator entropy gatherer service. | The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to ... |
| V-257795 | | RHEL 9 must enable mitigations against processor-based vulnerabilities. | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass k... |
| V-257796 | | RHEL 9 must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-257824 | | RHEL 9 must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some a... |
| V-257845 | | RHEL 9 must use a separate file system for /var. | Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as... |
| V-257846 | | RHEL 9 must use a separate file system for /var/log. | Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".... |
| V-257847 | | RHEL 9 must use a separate file system for the system audit data path. | Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing can... |
| V-257880 | | RHEL 9 must disable mounting of cramfs. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-257946 | | RHEL 9 must disable the chrony daemon from acting as a server. | Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-0... |
| V-257947 | | RHEL 9 must disable network management of the chrony daemon. | Not exposing the management interface of the chrony daemon on the network diminishes the attack space.
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-00... |
| V-258037 | | RHEL 9 must enable Linux audit logging for the USBGuard daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-258069 | | RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the numbe... |
| V-258076 | | RHEL 9 must display the date and time of the last successful account logon upon logon. | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts... |
| V-258138 | | RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | RHEL 9 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-258139 | | RHEL 9 must be configured so that the file integrity tool verifies extended attributes. | RHEL 9 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurab... |
| V-258173 | | RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-257777 | | RHEL 9 must be a vendor-supported release. | An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release... |
| V-257784 | | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-257785 | | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. | A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case o... |
| V-257789 | | RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes. | Having a nondefault grub superuser username makes password-guessing attacks less effective.... |
| V-257820 | | RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-257821 | | RHEL 9 must check the GPG signature of locally installed software packages before installation. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-257822 | | RHEL 9 must have GPG signature verification enabled for all software repositories. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-257826 | | RHEL 9 must not have a File Transfer Protocol (FTP) server package installed. | The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote sess... |
| V-257835 | | RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. | Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
If TFTP is required for operati... |
| V-257879 | | RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | RHEL 9 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modifica... |
| V-257955 | | There must be no shosts.equiv files on RHEL 9. | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for prevent... |
| V-257956 | | There must be no .shosts files on RHEL 9. | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not suffici... |
| V-257984 | | RHEL 9 SSHD must not allow blank passwords. | If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-257986 | | RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | When UsePAM is set to "yes", PAM runs through account and session types properly. This is important when restricted access to services based off of IP... |
| V-258018 | | RHEL 9 must not allow unattended or automatic logon via the graphical user interface. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-258059 | | The root account must be the only account having unrestricted access to RHEL 9 system. | An account has root authority if it has a user identifier (UID) of "0". Multiple accounts with a UID of "0" afford more opportunity for potential intr... |
| V-258078 | | RHEL 9 must use a Linux Security Module configured to enforce limits on system services. | Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is de... |
| V-258094 | | RHEL 9 must not allow blank or null passwords. | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should ne... |
| V-258230 | | RHEL 9 must enable FIPS mode. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cry... |
| V-258236 | | RHEL 9 cryptographic policy must not be overridden. | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.... |
