Red Hat Enterprise Linux 10 STIG V1R1

| STIG ID | Title |
| --- | --- |
| RHEL-10-700970 | RHEL 10 must disable the debug-shell systemd service. |
| RHEL-10-001020 | RHEL 10 must ensure cryptographic verification of vendor software packages. |
| RHEL-10-001030 | RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating from external software repositories before installation. |
| RHEL-10-001040 | RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation. |
| RHEL-10-001050 | RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories. |
| RHEL-10-000510 | RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information on local disk partitions that requires at-rest protection. |
| RHEL-10-000520 | RHEL 10 must use a separate file system for the system audit data path. |
| RHEL-10-000530 | RHEL 10 must use a separate file system for user home directories (such as "/home" or an equivalent). |
| RHEL-10-000540 | RHEL 10 must use a separate file system for "/tmp". |
| RHEL-10-000550 | RHEL 10 must use a separate file system for "/var". |
| RHEL-10-000560 | RHEL 10 must use a separate file system for "/var/log". |
| RHEL-10-000570 | RHEL 10 must use a separate file system for "/var/tmp". |
| RHEL-10-200000 | RHEL 10 must remove all software components after updated versions have been installed. |
| RHEL-10-200010 | RHEL 10 must not have the "nfs-utils" package installed. |
| RHEL-10-200020 | RHEL 10 must not have the "telnet-server" package installed. |
| RHEL-10-200030 | RHEL 10 must not have the "gssproxy" package installed. |
| RHEL-10-200040 | RHEL 10 must not have the "tuned" package installed. |
| RHEL-10-200050 | RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode. |
| RHEL-10-200060 | RHEL 10 must not have the "unbound" package installed. |
| RHEL-10-200070 | RHEL 10 must not have the "tftp" package installed. |
| RHEL-10-200080 | RHEL 10 must not have the "gdm" package installed. |
| RHEL-10-200090 | RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. |
| RHEL-10-200500 | RHEL 10 must have the "subscription-manager" package installed. |
| RHEL-10-200510 | RHEL 10 must have the "nss-tools" package installed. |
| RHEL-10-200520 | RHEL 10 must have the "s-nail" package installed. |
| RHEL-10-200530 | RHEL 10 must have the "firewalld" package installed. |
| RHEL-10-200531 | RHEL 10 must have the "firewalld" service set to active. |
| RHEL-10-200532 | RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems. |
| RHEL-10-200540 | RHEL 10 must have the "chrony" package installed. |
| RHEL-10-200541 | RHEL 10 must enable the chronyd service. |
| RHEL-10-200542 | RHEL 10 must disable the chrony daemon from acting as a server. |
| RHEL-10-200543 | RHEL 10 must disable network management of the chrony daemon. |
| RHEL-10-200560 | RHEL 10 must have the USBGuard package installed. |
| RHEL-10-200561 | RHEL 10 must have the USBGuard package enabled. |
| RHEL-10-200562 | RHEL 10 must block unauthorized peripherals before establishing a connection. |
| RHEL-10-200563 | RHEL 10 must enable audit logging for the USBGuard daemon. |
| RHEL-10-200570 | RHEL 10 must have the "policycoreutils" package installed. |
| RHEL-10-200580 | RHEL 10 must have the "policycoreutils-python-utils" package installed. |
| RHEL-10-200590 | RHEL 10 must have the "sudo" package installed. |
| RHEL-10-200600 | RHEL 10 must have the "fapolicy" module installed. |
| RHEL-10-200601 | RHEL 10 must enable the "fapolicy" module. |
| RHEL-10-200602 | RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| RHEL-10-200610 | RHEL 10 must have the "pcsc-lite" package installed. |
| RHEL-10-200611 | RHEL 10 must have the "pcscd" service set to active. |
| RHEL-10-200612 | RHEL 10 must have the "pcsc-lite-ccid" package installed. |
| RHEL-10-200620 | RHEL 10 must have the "opensc" package installed. |
| RHEL-10-200621 | RHEL 10 must use the common access card (CAC) smart card driver. |
| RHEL-10-200630 | RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed. |
| RHEL-10-200631 | RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools. |
| RHEL-10-200632 | RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. |
| RHEL-10-200633 | RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. |
| RHEL-10-200634 | RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). |
| RHEL-10-200635 | RHEL 10 must be configured so that the file integrity tool verifies extended attributes. |
| RHEL-10-200640 | RHEL 10 must have the "rsyslog" package installed. |
| RHEL-10-200641 | RHEL 10 must have the rsyslog service set to active. |
| RHEL-10-200642 | RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) to a different system or media from the system being audited via rsyslog. |
| RHEL-10-200643 | RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
| RHEL-10-200644 | RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog". |
| RHEL-10-200645 | RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. |
| RHEL-10-200646 | RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. |
| RHEL-10-200647 | RHEL 10 must monitor all remote access methods. |
| RHEL-10-200648 | RHEL 10 must use cron logging. |
| RHEL-10-200650 | RHEL 10 must have the packages required for encrypting off-loaded audit logs installed. |
| RHEL-10-200660 | RHEL 10 must have the "audit" package installed. |
| RHEL-10-200661 | RHEL 10 must enable the audit service. |
| RHEL-10-200662 | RHEL 10 must have the "audispd-plugins" package installed. |
| RHEL-10-200680 | RHEL 10 must have the "libreswan" package installed. |
| RHEL-10-200690 | RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner. |
| RHEL-10-200691 | RHEL 10 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure. |
| RHEL-10-200692 | RHEL 10 must be configured to prevent unrestricted mail relaying. |
| RHEL-10-200700 | RHEL 10 must have the "cronie" package installed. |
| RHEL-10-200720 | RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems. |
| RHEL-10-200721 | RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect the confidentiality and integrity of transmitted and received information. |
| RHEL-10-200722 | RHEL 10 must have the "openssh-clients" package installed. |
| RHEL-10-200730 | RHEL 10 must have the "pkcs11-provider" package installed. |
| RHEL-10-200740 | RHEL 10 must have the "gnutls-utils" package installed. |
| RHEL-10-300000 | RHEL 10 must have the "crypto-policies" package installed. |
| RHEL-10-300010 | RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. |
| RHEL-10-000500 | RHEL 10 must enable FIPS mode. |
| RHEL-10-300030 | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. |
| RHEL-10-300040 | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. |
| RHEL-10-300050 | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. |
| RHEL-10-300060 | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. |
| RHEL-10-300070 | RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. |
| RHEL-10-300080 | RHEL 10 must implement DOD-approved encryption in the bind package. |
| RHEL-10-300090 | RHEL 10 cryptographic policy must not be overridden. |
| RHEL-10-400000 | RHEL 10 must be configured so that the "/etc/group" file is owned by "root". |
| RHEL-10-400005 | RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". |
| RHEL-10-400010 | RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". |
| RHEL-10-400015 | RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". |
| RHEL-10-400020 | RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". |
| RHEL-10-400025 | RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". |
| RHEL-10-400030 | RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". |
| RHEL-10-400035 | RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". |
| RHEL-10-400040 | RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". |
| RHEL-10-400045 | RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". |
| RHEL-10-400050 | RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". |
| RHEL-10-400055 | RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". |
| RHEL-10-400060 | RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". |
| RHEL-10-400065 | RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". |
| RHEL-10-400070 | RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". |
| RHEL-10-400075 | RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". |
| RHEL-10-400080 | RHEL 10 must be configured so that the "/var/log" directory is owned by "root". |
| RHEL-10-400085 | RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root". |
| RHEL-10-400090 | RHEL 10 must be configured so that the "/var/log/messages" file is owned by "root". |
| RHEL-10-400095 | RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root". |
| RHEL-10-400100 | RHEL 10 must be configured so that system commands are owned by "root". |
| RHEL-10-400105 | RHEL 10 must be configured so that system commands are group-owned by "root" or a system account. |
| RHEL-10-400110 | RHEL 10 must be configured so that library files are owned by "root". |
| RHEL-10-400115 | RHEL 10 must be configured so that library files are group-owned by "root" or a system account. |
| RHEL-10-400120 | RHEL 10 must be configured so that library directories are owned by "root". |
| RHEL-10-400125 | RHEL 10 must be configured so that library directories are group-owned by "root" or a system account. |
| RHEL-10-400130 | RHEL 10 must be configured so that cron configuration file directories are owned by "root". |
| RHEL-10-400135 | RHEL 10 must be configured so that cron configuration file directories are group-owned by "root". |
| RHEL-10-400140 | RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, or an application user. |
| RHEL-10-400145 | RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. |
| RHEL-10-400150 | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root". |
| RHEL-10-400155 | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root". |
| RHEL-10-400160 | RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group. |
| RHEL-10-400165 | RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging group to prevent unauthorized read access. |
| RHEL-10-400170 | RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized read access. |
| RHEL-10-400175 | RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access. |
| RHEL-10-400180 | RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log files to prevent unauthorized access. |
| RHEL-10-400185 | RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized access to the audit log. |
| RHEL-10-400190 | RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access. |
| RHEL-10-400195 | RHEL 10 must enforce "root" ownership of the "/etc/audit/" directory. |
| RHEL-10-400200 | RHEL 10 must enforce "root" group ownership of the "/etc/audit/" directory. |
| RHEL-10-400205 | RHEL 10 must enforce mode "755" or less permissive for system commands. |
| RHEL-10-400210 | RHEL 10 must enforce mode "755" or less permissive on library directories. |
| RHEL-10-400215 | RHEL 10 must enforce mode "755" or less permissive for library files. |
| RHEL-10-400220 | RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. |
| RHEL-10-400225 | RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file. |
| RHEL-10-400230 | RHEL 10 must be configured to prohibit modification of permissions for cron configuration files and directories from the operating system defaults. |
| RHEL-10-400235 | RHEL 10 must enforce mode "0740" or less permissive for local initialization files. |
| RHEL-10-400240 | RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. |
| RHEL-10-400245 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access. |
| RHEL-10-400250 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access. |
| RHEL-10-400255 | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access. |
| RHEL-10-400260 | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access. |
| RHEL-10-400265 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access. |
| RHEL-10-400270 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd-" file to prevent unauthorized access. |
| RHEL-10-400275 | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/shadow-" file to prevent unauthorized access. |
| RHEL-10-400280 | RHEL 10 must be configured so that a sticky bit is set on all public directories. |
| RHEL-10-400285 | RHEL 10 must be configured so that all local files and directories have a valid group owner. |
| RHEL-10-400290 | RHEL 10 must be configured so that all local files and directories have a valid owner. |
| RHEL-10-400295 | RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access. |
| RHEL-10-400300 | RHEL 10 must be configured so that audit tools are owned by "root". |
| RHEL-10-400305 | RHEL 10 must be configured so that audit tools are group-owned by "root". |
| RHEL-10-400310 | RHEL 10 must set the umask value to "077" for all local interactive user accounts. |
| RHEL-10-400315 | RHEL 10 must define default permissions for the bash shell. |
| RHEL-10-400320 | RHEL 10 must define default permissions for the c shell. |
| RHEL-10-400325 | RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files. |
| RHEL-10-400330 | RHEL 10 must define default permissions for the system default profile. |
| RHEL-10-400335 | RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive. |
| RHEL-10-400340 | RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files. |
| RHEL-10-400345 | RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file. |
| RHEL-10-400350 | RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. |
| RHEL-10-400355 | RHEL 10 must prevent device files from being interpreted on file systems that contain user home directories. |
| RHEL-10-400360 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories. |
| RHEL-10-400365 | RHEL 10 must prevent code from being executed on file systems that contain user home directories. |
| RHEL-10-400400 | RHEL 10 must mount "/var/log/audit" with the "nodev" option. |
| RHEL-10-400405 | RHEL 10 must mount "/var/log/audit" with the "noexec" option. |
| RHEL-10-400410 | RHEL 10 must mount "/var/log/audit" with the "nosuid" option. |
| RHEL-10-400450 | RHEL 10 must enforce a mode of "0755" or less permissive for audit tools. |
| RHEL-10-400500 | RHEL 10 must prohibit local initialization files from executing world-writable programs. |
| RHEL-10-500000 | RHEL 10 must enable the systemd-journald service. |
| RHEL-10-500005 | RHEL 10 must enable auditing of processes that start prior to the audit daemon. |
| RHEL-10-500010 | RHEL 10 must audit local events. |
| RHEL-10-500015 | RHEL 10 must write audit records to disk. |
| RHEL-10-500020 | RHEL 10 must log username information when unsuccessful login attempts occur. |
| RHEL-10-500025 | RHEL 10 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
| RHEL-10-500030 | RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon. |
| RHEL-10-500035 | RHEL 10 must take appropriate action when a critical audit processing failure occurs. |
| RHEL-10-500040 | RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of the audit record storage capacity. |
| RHEL-10-500045 | RHEL 10 must label all off-loaded audit logs before sending them to the central log server. |
| RHEL-10-500100 | RHEL 10 must allocate audit record storage capacity to store at least one week's worth of audit records. |
| RHEL-10-500105 | RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. |
| RHEL-10-500110 | RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. |
| RHEL-10-500115 | RHEL 10 must take appropriate action when the internal event queue is full. |
| RHEL-10-500120 | RHEL 10 must produce audit records containing information to establish the identity of any individual or process associated with the event. |
| RHEL-10-500125 | RHEL 10 must periodically flush audit records to disk to ensure that audit records are not lost. |
| RHEL-10-500205 | RHEL 10 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. |
| RHEL-10-500210 | RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure. |
| RHEL-10-500215 | RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server. |
| RHEL-10-500300 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call. |
| RHEL-10-500310 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. |
| RHEL-10-500320 | RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system calls. |
| RHEL-10-500330 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl" command. |
| RHEL-10-500340 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl" command. |
| RHEL-10-500350 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon" command. |
| RHEL-10-500360 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage" command. |
| RHEL-10-500370 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles" command. |
| RHEL-10-500380 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool" command. |
| RHEL-10-500390 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. |
| RHEL-10-500400 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module" system call. |
| RHEL-10-500410 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module" and "finit_module" system calls. |
| RHEL-10-500420 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage" command. |
| RHEL-10-500430 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command. |
| RHEL-10-500440 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab" command. |
| RHEL-10-500450 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd" command. |
| RHEL-10-500460 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command. |
| RHEL-10-500470 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp" command. |
| RHEL-10-500480 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check" command. |
| RHEL-10-500490 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd" command. |
| RHEL-10-500500 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop" command. |
| RHEL-10-500510 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue" command. |
| RHEL-10-500520 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-agent" command. |
| RHEL-10-500530 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign" command. |
| RHEL-10-500540 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command. |
| RHEL-10-500550 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command. |
| RHEL-10-500560 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit" command. |
| RHEL-10-500570 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd" command. |
| RHEL-10-500580 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update" command. |
| RHEL-10-500590 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper" command. |
| RHEL-10-500600 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod" command. |
| RHEL-10-500610 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount" command. |
| RHEL-10-500620 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command. |
| RHEL-10-500630 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff" command. |
| RHEL-10-500640 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot" command. |
| RHEL-10-500650 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "shutdown" command. |
| RHEL-10-500660 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount" system call. |
| RHEL-10-500670 | RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" system call. |
| RHEL-10-500680 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". |
| RHEL-10-500690 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect the "/etc/sudoers.d/" directory. |
| RHEL-10-500700 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". |
| RHEL-10-500710 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". |
| RHEL-10-500720 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd". |
| RHEL-10-500730 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". |
| RHEL-10-500740 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". |
| RHEL-10-500750 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock". |
| RHEL-10-500760 | RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog". |
| RHEL-10-500780 | RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and "fchmodat2" syscalls. |
| RHEL-10-500790 | RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" syscalls. |
| RHEL-10-500810 | RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls. |
| RHEL-10-600000 | RHEL 10 must require a boot loader superuser password. |
| RHEL-10-600010 | RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes. |
| RHEL-10-600020 | RHEL 10 must not assign an interactive login shell for system accounts. |
| RHEL-10-600100 | RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime restriction for user account passwords in "/etc/login.defs". |
| RHEL-10-600110 | RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction. |
| RHEL-10-600120 | RHEL 10 must assign a home directory for local interactive user accounts upon creation. |
| RHEL-10-600130 | RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users. |
| RHEL-10-600140 | RHEL 10 must automatically expire temporary accounts within 72 hours. |
| RHEL-10-600150 | RHEL 10 must assign a primary group to all interactive users. |
| RHEL-10-600160 | RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| RHEL-10-600170 | RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories. |
| RHEL-10-600180 | RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" file. |
| RHEL-10-600190 | RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" file exist. |
| RHEL-10-600200 | RHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt. |
| RHEL-10-600210 | RHEL 10 must enforce a 24-hour minimum password lifetime restriction for passwords for new users or password changes in "/etc/login.defs". |
| RHEL-10-600220 | RHEL 10 must enforce that passwords be created with a minimum of 15 characters. |
| RHEL-10-600230 | RHEL 10 must enforce password complexity by requiring at least one special character to be used. |
| RHEL-10-600240 | RHEL 10 must enforce password complexity by requiring that at least one lowercase character be used. |
| RHEL-10-600250 | RHEL 10 must enforce password complexity by requiring that at least one uppercase character be used. |
| RHEL-10-600260 | RHEL 10 must require the change of at least eight characters when passwords are changed. |
| RHEL-10-600270 | RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in "/etc/shadow". |
| RHEL-10-600280 | RHEL 10 must require the maximum number of repeating characters of the same character class to be limited to four when passwords are changed. |
| RHEL-10-600290 | RHEL 10 must require that the maximum number of repeating characters be limited to three when passwords are changed. |
| RHEL-10-600300 | RHEL 10 must require the change of at least four character classes when passwords are changed. |
| RHEL-10-600310 | RHEL 10 must enforce password complexity by requiring that at least one numeric character be used. |
| RHEL-10-600320 | RHEL 10 must prevent the use of dictionary words for passwords. |
| RHEL-10-600400 | RHEL 10 must allow only the root account to have unrestricted access to the system. |
| RHEL-10-600405 | RHEL 10 must enforce password complexity rules for the "root" account. |
| RHEL-10-600410 | RHEL 10 must automatically lock an account when three unsuccessful login attempts occur. |
| RHEL-10-600415 | RHEL 10 must automatically lock the root account until the root account is released by an administrator when three unsuccessful login attempts occur during a 15-minute time period. |
| RHEL-10-600420 | RHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period. |
| RHEL-10-600425 | RHEL 10 must maintain an account lock until the locked account is released by an administrator. |
| RHEL-10-600430 | RHEL 10 must ensure account lockouts persist. |
| RHEL-10-600450 | RHEL 10 must not have unauthorized accounts. |
| RHEL-10-600455 | RHEL 10 must not allow blank or null passwords. |
| RHEL-10-600460 | RHEL 10 must not have accounts configured with blank or null passwords. |
| RHEL-10-600470 | RHEL 10 must have a unique group ID (GID) for each group in "/etc/group". |
| RHEL-10-600475 | RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account types. |
| RHEL-10-600485 | RHEL 10 must ensure the password complexity module in the system-auth file is configured for three or fewer retries. |
| RHEL-10-600500 | RHEL 10 must restrict the use of the "su" command. |
| RHEL-10-600510 | RHEL 10 must be configured to not bypass password requirements for privilege escalation. |
| RHEL-10-600520 | RHEL 10 must restrict privilege elevation to authorized personnel. |
| RHEL-10-600530 | RHEL 10 must require users to reauthenticate for privilege escalation. |
| RHEL-10-600540 | RHEL 10 must require reauthentication when using the "sudo" command. |
| RHEL-10-600550 | RHEL 10 must use the invoking user's password for privilege escalation when using "sudo". |
| RHEL-10-600560 | RHEL 10 must require users to provide a password for privilege escalation. |
| RHEL-10-600600 | RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" file. |
| RHEL-10-600610 | RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" file. |
| RHEL-10-600620 | RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file. |
| RHEL-10-600630 | RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file. |
| RHEL-10-600640 | RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD. |
| RHEL-10-600650 | RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication. |
| RHEL-10-600700 | RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite. |
| RHEL-10-600710 | RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file. |
| RHEL-10-600720 | RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds. |
| RHEL-10-600730 | RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords. |
| RHEL-10-600740 | RHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords. |
| RHEL-10-600750 | RHEL 10 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. |
| RHEL-10-700010 | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a Secure Shell (SSH) login. |
| RHEL-10-700020 | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login. |
| RHEL-10-700030 | RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. |
| RHEL-10-700040 | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login. |
| RHEL-10-700100 | RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS). |
| RHEL-10-700105 | RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS). |
| RHEL-10-700110 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS). |
| RHEL-10-700115 | RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. |
| RHEL-10-700120 | RHEL 10 must mount "/boot" with the "nodev" option. |
| RHEL-10-700125 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory. |
| RHEL-10-700130 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory. |
| RHEL-10-700135 | RHEL 10 must mount "/dev/shm" with the "nodev" option. |
| RHEL-10-700140 | RHEL 10 must mount "/dev/shm" with the "noexec" option. |
| RHEL-10-700145 | RHEL 10 must mount "/dev/shm" with the "nosuid" option. |
| RHEL-10-700150 | RHEL 10 must mount "/tmp" with the "nodev" option. |
| RHEL-10-700155 | RHEL 10 must mount "/tmp" with the "noexec" option. |
| RHEL-10-700160 | RHEL 10 must mount "/tmp" with the "nosuid" option. |
| RHEL-10-700165 | RHEL 10 must mount "/var" with the "nodev" option. |
| RHEL-10-700170 | RHEL 10 must mount "/var/log" with the "nodev" option. |
| RHEL-10-700175 | RHEL 10 must mount "/var/log" with the "noexec" option. |
| RHEL-10-700180 | RHEL 10 must mount "/var/log" with the "nosuid" option. |
| RHEL-10-700185 | RHEL 10 must mount "/var/tmp" with the "nodev" option. |
RHEL-10-700190RHEL 10 must mount "/var/tmp" with the "noexec" option.
RHEL-10-700195RHEL 10 must mount "/var/tmp" with the "nosuid" option.
RHEL-10-700200RHEL 10 must prevent special devices on nonroot local partitions.
RHEL-10-700400RHEL 10 must enable the SELinux targeted policy.
RHEL-10-700410RHEL 10 must elevate the SELinux context when an administrator calls the sudo command.
RHEL-10-700420RHEL 10 must use a Linux Security Module configured to enforce limits on system services.
RHEL-10-700430RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
RHEL-10-700500RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive.
RHEL-10-700510RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
RHEL-10-700520RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication.
RHEL-10-700530RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication.
RHEL-10-700540RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication.
RHEL-10-700550RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users.
RHEL-10-700560RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files.
RHEL-10-700570RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login.
RHEL-10-700580RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display.
RHEL-10-700590RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified.
RHEL-10-700600RHEL 10 must be configured so that SSHD accepts public key authentication.
RHEL-10-700610RHEL 10 must be configured so that SSHD does not allow blank passwords.
RHEL-10-700620RHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH).
RHEL-10-700630RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system.
RHEL-10-700640RHEL 10 must not allow users to override Secure Shell (SSH) environment variables.
RHEL-10-700650RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections to the server.
RHEL-10-700660RHEL 10 must be configured so that all network connections associated with Secure Shell (SSH) traffic terminate after becoming unresponsive.
RHEL-10-700670RHEL 10 must forward mail from postmaster to the root account using a postfix alias.
RHEL-10-700680RHEL 10 must not have a "shosts.equiv" file on the system.
RHEL-10-700690RHEL 10 must not have any ".shosts" files on the system.
RHEL-10-700700RHEL 10 must prevent a user from overriding the disabling of the graphical user interface automount function.
RHEL-10-700710RHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function.
RHEL-10-700720RHEL 10 must not allow unattended or automatic login via the graphical user interface.
RHEL-10-700730RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card removal action.
RHEL-10-700740RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
RHEL-10-700750RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity.
RHEL-10-700760RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
RHEL-10-700770RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated.
RHEL-10-700780RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
RHEL-10-700790RHEL 10 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
RHEL-10-700800RHEL 10 must ensure effective dconf policy matches the policy keyfiles.
RHEL-10-700810RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
RHEL-10-700820RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
RHEL-10-700830RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
RHEL-10-700840RHEL 10 must disable the user list at login for graphical user interfaces.
RHEL-10-700850RHEL 10 must be configured to disable USB mass storage.
RHEL-10-700860RHEL 10 must disable Bluetooth.
RHEL-10-700870RHEL 10 must disable wireless network adapters.
RHEL-10-700880RHEL 10 must disable the graphical user interface automounter unless required.
RHEL-10-700890RHEL 10 must disable the graphical user interface autorunner unless required.
RHEL-10-700900RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
RHEL-10-700920RHEL 10 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
RHEL-10-700930RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon.
RHEL-10-700940RHEL 10 must not default to the graphical display manager unless approved.
RHEL-10-700950RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence.
RHEL-10-700960RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence.
RHEL-10-700980RHEL 10 must disable the ability of systemd to spawn an interactive boot process.
RHEL-10-700990RHEL 10 must disable virtual system calls.
RHEL-10-701000RHEL 10 must clear the page allocator to prevent use-after-free attacks.
RHEL-10-701010RHEL 10 must clear memory when it is freed to prevent use-after-free attacks.
RHEL-10-701020RHEL 10 must enable mitigations against processor-based vulnerabilities.
RHEL-10-701030RHEL 10 must restrict access to the kernel message buffer.
RHEL-10-701040RHEL 10 must prevent kernel profiling by nonprivileged users.
RHEL-10-701050RHEL 10 must prevent the loading of a new kernel for later execution.
RHEL-10-701060RHEL 10 must restrict exposed kernel pointer address access.
RHEL-10-701070RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.
RHEL-10-701080RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
RHEL-10-701090RHEL 10 must disable the "kernel.core_pattern".
RHEL-10-701100RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module.
RHEL-10-701110RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
RHEL-10-701120RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module.
RHEL-10-701130RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
RHEL-10-701140RHEL 10 must restrict usage of ptrace to descendant processes.
RHEL-10-701150RHEL 10 must disable core dump backtraces.
RHEL-10-701160RHEL 10 must disable storing core dumps.
RHEL-10-701170RHEL 10 must disable core dumps for all users.
RHEL-10-701180RHEL 10 must disable acquiring, saving, and processing core dumps.
RHEL-10-701190RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
RHEL-10-701200RHEL 10 must disable the kdump service.
RHEL-10-701210RHEL 10 must disable file system automount function unless required.
RHEL-10-701220RHEL 10 must enable certificate-based smart card authentication.
RHEL-10-701230RHEL 10 must implement certificate status checking for multifactor authentication.
RHEL-10-701240RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding private key.
RHEL-10-701250RHEL 10 must require authentication to access emergency mode.
RHEL-10-701260RHEL 10 must require authentication to access single-user mode.
RHEL-10-701270RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
RHEL-10-701280RHEL 10 must map the authenticated identity to the user or group account for public key infrastructure (PKI)-based authentication.
RHEL-10-701290RHEL 10 must prohibit the use of cached authenticators after one day.
RHEL-10-800000RHEL 10 must control remote access methods.
RHEL-10-800010RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
RHEL-10-800020RHEL 10 must enforce that network interfaces not be in promiscuous mode.
RHEL-10-800030RHEL 10 must disable access to the network bpf system call from nonprivileged processes.
RHEL-10-800040RHEL 10 must securely compare internal information system clocks at least every 24 hours.
RHEL-10-800050RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
RHEL-10-800060RHEL 10 must have at least two name servers configured for systems using Domain Name Server (DNS) resolution.
RHEL-10-800070RHEL 10 must not have unauthorized IP tunnels configured.
RHEL-10-800080RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.
RHEL-10-800090RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-10-800100RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-10-800110RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses.
RHEL-10-800120RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by default.
RHEL-10-800130RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces.
RHEL-10-800140RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-10-800150RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RHEL-10-800160RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default.
RHEL-10-800170RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-10-800180RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
RHEL-10-800190RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-10-800200RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-10-800210RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
RHEL-10-800220RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces.
RHEL-10-800230RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-10-800240RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
RHEL-10-800250RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
RHEL-10-800260RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default.
RHEL-10-800270RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-10-800280RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
RHEL-10-800290RHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring that rate-limiting measures on impacted network interfaces are implemented.
RHEL-10-800300RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks.
RHEL-10-800310RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol (TFTP) server service is required.
RHEL-10-900000RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent unauthorized access.
RHEL-10-900100RHEL 10 must prevent unauthorized changes to the audit system.
RHEL-10-001000RHEL 10 must be a vendor-supported release.