SRG-OS-000480-GPOS-00227 Controls

| STIG ID | Version | Title | Product |
|---|---|---|---|
| ALMA-09-011240 | V1R4 | AlmaLinux OS 9 must disable core dumps for all users. | AlmaLinux OS 9 |
| ALMA-09-011350 | V1R4 | AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps. | AlmaLinux OS 9 |
| ALMA-09-011460 | V1R4 | AlmaLinux OS 9 must disable storing core dumps. | AlmaLinux OS 9 |
| ALMA-09-011570 | V1R4 | AlmaLinux OS 9 must disable core dump backtraces. | AlmaLinux OS 9 |
| ALMA-09-011680 | V1R4 | AlmaLinux OS 9 must disable the kernel.core_pattern. | AlmaLinux OS 9 |
| ALMA-09-011790 | V1R4 | AlmaLinux OS 9 cron configuration files directory must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-011900 | V1R4 | AlmaLinux OS 9 cron configuration files directory must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-012010 | V1R4 | AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-012120 | V1R4 | AlmaLinux OS 9 /etc/crontab file must have mode 0600. | AlmaLinux OS 9 |
| ALMA-09-012230 | V1R4 | AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | AlmaLinux OS 9 |
| ALMA-09-012340 | V1R4 | AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | AlmaLinux OS 9 |
| ALMA-09-012450 | V1R4 | All AlmaLinux OS 9 local files and directories must have a valid group owner. | AlmaLinux OS 9 |
| ALMA-09-012560 | V1R4 | All AlmaLinux OS 9 local files and directories must have a valid owner. | AlmaLinux OS 9 |
| ALMA-09-012670 | V1R4 | AlmaLinux OS 9 /etc/group- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-012780 | V1R4 | AlmaLinux OS 9 /etc/group- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-012890 | V1R4 | AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013000 | V1R4 | AlmaLinux OS 9 /etc/group file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-013110 | V1R4 | AlmaLinux OS 9 /etc/group file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013220 | V1R4 | AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013330 | V1R4 | The /boot/grub2/grub.cfg file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-013440 | V1R4 | The /boot/grub2/grub.cfg file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013550 | V1R4 | AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process. | AlmaLinux OS 9 |
| ALMA-09-013660 | V1R4 | AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-013770 | V1R4 | AlmaLinux OS 9 /etc/gshadow- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-013880 | V1R4 | AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-013990 | V1R4 | AlmaLinux OS 9 /etc/gshadow file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-014100 | V1R4 | AlmaLinux OS 9 /etc/gshadow file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-014210 | V1R4 | AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-014320 | V1R4 | The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved. | AlmaLinux OS 9 |
| ALMA-09-014430 | V1R4 | AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces. | AlmaLinux OS 9 |
| ALMA-09-015640 | V1R4 | AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | AlmaLinux OS 9 |
| ALMA-09-015750 | V1R4 | AlmaLinux OS 9 must not allow blank or null passwords. | AlmaLinux OS 9 |
| ALMA-09-015860 | V1R4 | AlmaLinux OS 9 must not have accounts configured with blank or null passwords. | AlmaLinux OS 9 |
| ALMA-09-015970 | V1R4 | AlmaLinux OS 9 /etc/passwd- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016080 | V1R4 | AlmaLinux OS 9 /etc/passwd- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016190 | V1R4 | AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016300 | V1R4 | AlmaLinux OS 9 /etc/passwd file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016410 | V1R4 | AlmaLinux OS 9 /etc/passwd file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016520 | V1R4 | AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016630 | V1R4 | AlmaLinux OS 9 /etc/shadow- file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-016740 | V1R4 | AlmaLinux OS 9 /etc/shadow- file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-016850 | V1R4 | AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-016960 | V1R4 | AlmaLinux OS 9 /etc/shadow file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-017070 | V1R4 | AlmaLinux OS 9 /etc/shadow file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-017180 | V1R4 | AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | AlmaLinux OS 9 |
| ALMA-09-017290 | V1R4 | AlmaLinux OS 9 must restrict privilege elevation to authorized personnel. | AlmaLinux OS 9 |
| ALMA-09-017400 | V1R4 | AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo". | AlmaLinux OS 9 |
| ALMA-09-017950 | V1R4 | AlmaLinux OS 9 must not have unauthorized accounts. | AlmaLinux OS 9 |
| ALMA-09-018060 | V1R4 | AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | AlmaLinux OS 9 |
| ALMA-09-018170 | V1R4 | AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | AlmaLinux OS 9 |
| ALMA-09-018280 | V1R4 | AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes. | AlmaLinux OS 9 |
| ALMA-09-018500 | V1R4 | AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces. | AlmaLinux OS 9 |
| ALMA-09-018610 | V1R4 | AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages. | AlmaLinux OS 9 |
| ALMA-09-018830 | V1R4 | AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | AlmaLinux OS 9 |
| ALMA-09-018940 | V1R4 | AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. | AlmaLinux OS 9 |
| ALMA-09-019050 | V1R4 | AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | AlmaLinux OS 9 |
| ALMA-09-019160 | V1R4 | AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router. | AlmaLinux OS 9 |
| ALMA-09-019270 | V1R4 | AlmaLinux OS 9 must not have unauthorized IP tunnels configured. | AlmaLinux OS 9 |
| ALMA-09-019380 | V1R4 | AlmaLinux OS 9 must log packets with impossible addresses. | AlmaLinux OS 9 |
| ALMA-09-019490 | V1R4 | AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying. | AlmaLinux OS 9 |
| ALMA-09-019600 | V1R4 | AlmaLinux OS 9 must have the nss-tools package installed. | AlmaLinux OS 9 |
| ALMA-09-019710 | V1R4 | AlmaLinux OS 9 network interfaces must not be in promiscuous mode. | AlmaLinux OS 9 |
| ALMA-09-019820 | V1R4 | AlmaLinux OS 9 must use reverse path filtering on all IP interfaces. | AlmaLinux OS 9 |
| ALMA-09-019930 | V1R4 | AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects. | AlmaLinux OS 9 |
| ALMA-09-020040 | V1R4 | There must be no .shosts files on AlmaLinux OS 9. | AlmaLinux OS 9 |
| ALMA-09-020150 | V1R4 | There must be no shosts.equiv files on AlmaLinux OS 9. | AlmaLinux OS 9 |
| ALMA-09-020260 | V1R4 | AlmaLinux OS 9 must not accept IPv4 source-routed packets by default. | AlmaLinux OS 9 |
| ALMA-09-020370 | V1R4 | AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | AlmaLinux OS 9 |
| ALMA-09-020480 | V1R4 | The AlmaLinux OS 9 SSH server configuration file must be group-owned by root. | AlmaLinux OS 9 |
| ALMA-09-020590 | V1R4 | The AlmaLinux OS 9 SSH server configuration file must be owned by root. | AlmaLinux OS 9 |
| ALMA-09-020700 | V1R4 | AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-020810 | V1R4 | AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system. | AlmaLinux OS 9 |
| ALMA-09-020920 | V1R4 | AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-021030 | V1R4 | AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-021140 | V1R4 | AlmaLinux OS 9 SSH daemon must not allow known hosts authentication. | AlmaLinux OS 9 |
| ALMA-09-021250 | V1R4 | AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | AlmaLinux OS 9 |
| ALMA-09-021360 | V1R4 | AlmaLinux OS 9 SSH daemon must not allow rhosts authentication. | AlmaLinux OS 9 |
| ALMA-09-021470 | V1R4 | AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users. | AlmaLinux OS 9 |
| ALMA-09-021580 | V1R4 | AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | AlmaLinux OS 9 |
| ALMA-09-021690 | V1R4 | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. | AlmaLinux OS 9 |
| ALMA-09-021800 | V1R4 | AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler. | AlmaLinux OS 9 |
| ALMA-09-021910 | V1R4 | AlmaLinux OS 9 effective dconf policy must match the policy keyfiles. | AlmaLinux OS 9 |
| ALMA-09-022020 | V1R4 | AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | AlmaLinux OS 9 |
| ALMA-09-022130 | V1R4 | All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive. | AlmaLinux OS 9 |
| ALMA-09-022240 | V1R4 | AlmaLinux OS 9 must have the gnutls-utils package installed. | AlmaLinux OS 9 |
| ALMA-09-022350 | V1R4 | The kdump service on AlmaLinux OS 9 must be disabled. | AlmaLinux OS 9 |
| ALMA-09-022460 | V1R4 | AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen. | AlmaLinux OS 9 |
| ALMA-09-022570 | V1R4 | AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | AlmaLinux OS 9 |
| ALMA-09-022680 | V1R4 | AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-022790 | V1R4 | AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-022900 | V1R4 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | AlmaLinux OS 9 |
| ALMA-09-023010 | V1R4 | AlmaLinux OS 9 must disable the use of user namespaces. | AlmaLinux OS 9 |
| ALMA-09-023120 | V1R4 | AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023230 | V1R4 | AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023450 | V1R4 | AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | AlmaLinux OS 9 |
| ALMA-09-023560 | V1R4 | AlmaLinux OS 9 must configure a DNS processing mode set by Network Manager. | AlmaLinux OS 9 |
| ALMA-09-023670 | V1R4 | AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | AlmaLinux OS 9 |
| ALMA-09-023780 | V1R4 | AlmaLinux OS 9 must prevent special devices on nonroot local partitions. | AlmaLinux OS 9 |
| ALMA-09-023890 | V1R4 | The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system. | AlmaLinux OS 9 |
| ALMA-09-024000 | V1R4 | AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values. | AlmaLinux OS 9 |
| ALMA-09-024110 | V1R4 | AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks. | AlmaLinux OS 9 |
| ALMA-09-024220 | V1R4 | AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon. | AlmaLinux OS 9 |
| ALMA-09-024330 | V1R4 | AlmaLinux OS 9 security patches and updates must be installed and up to date. | AlmaLinux OS 9 |
| ALMA-09-024440 | V1R4 | AlmaLinux OS 9 policycoreutils-python-utils package must be installed. | AlmaLinux OS 9 |
| ALMA-09-024550 | V1R4 | AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service. | AlmaLinux OS 9 |
| ALMA-09-024660 | V1R4 | AlmaLinux OS 9 must have the rng-tools package installed. | AlmaLinux OS 9 |
| ALMA-09-024990 | V1R4 | AlmaLinux OS 9 system accounts must not have an interactive login shell. | AlmaLinux OS 9 |
| ALMA-09-025100 | V1R4 | AlmaLinux OS 9 must use a separate file system for /tmp. | AlmaLinux OS 9 |
| ALMA-09-025210 | V1R4 | Local AlmaLinux OS 9 initialization files must not execute world-writable programs. | AlmaLinux OS 9 |
| ALMA-09-025320 | V1R4 | AlmaLinux OS 9 must use a separate file system for /var/log. | AlmaLinux OS 9 |
| ALMA-09-025430 | V1R4 | AlmaLinux OS 9 must use a separate file system for /var. | AlmaLinux OS 9 |
| ALMA-09-025540 | V1R4 | AlmaLinux OS 9 must use a separate file system for /var/tmp. | AlmaLinux OS 9 |
| ALMA-09-025650 | V1R4 | AlmaLinux OS 9 must disable virtual system calls. | AlmaLinux OS 9 |
| ALMA-09-025760 | V1R4 | AlmaLinux OS 9 must use cron logging. | AlmaLinux OS 9 |
| ALMA-09-025870 | V1R4 | AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | AlmaLinux OS 9 |
| APPL-13-000016 | V1R5 | The macOS system must be integrated into a directory services infrastructure. | macOS 13 - Ventura |
| APPL-13-000032 | V1R5 | The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup. | macOS 13 - Ventura |
| APPL-13-000033 | V1R5 | The macOS system must be configured to disable password forwarding for FileVault. | macOS 13 - Ventura |
| APPL-13-002050 | V1R5 | The macOS system must disable the Screen Sharing feature. | macOS 13 - Ventura |
| APPL-13-002060 | V1R5 | The macOS system must only allow applications with a valid digital signature to run. | macOS 13 - Ventura |
| APPL-13-002070 | V1R5 | The macOS system must use an approved antivirus program. | macOS 13 - Ventura |
| APPL-13-003012 | V1R5 | The macOS system must be configured to prevent displaying password hints. | macOS 13 - Ventura |
| APPL-13-003013 | V1R5 | The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media. | macOS 13 - Ventura |
| APPL-13-003050 | V1R5 | The macOS system must be configured so that the login command requires smart card authentication. | macOS 13 - Ventura |
| APPL-13-003051 | V1R5 | The macOS system must be configured so that the su command requires smart card authentication. | macOS 13 - Ventura |
| APPL-13-003052 | V1R5 | The macOS system must be configured so that the sudo command requires smart card authentication. | macOS 13 - Ventura |
| APPL-13-005051 | V1R5 | The macOS system must restrict the ability of individuals to use USB storage devices. | macOS 13 - Ventura |
| APPL-13-005053 | V1R5 | The macOS system must restrict the ability of individuals to write to external optical media. | macOS 13 - Ventura |
| APPL-14-003013 | V2R4 | The macOS system must enable firmware password. | macOS 14 - Sonoma |
| APPL-14-005110 | V2R4 | The macOS system must enforce enrollment in mobile device management. | macOS 14 - Sonoma |
| APPL-14-005120 | V2R4 | The macOS system must enable recovery lock. | macOS 14 - Sonoma |
| APPL-14-005130 | V2R4 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | macOS 14 - Sonoma |
| APPL-15-003013 | V1R5 | The macOS system must enable firmware password. | macOS 15 - Sequoia |
| APPL-15-005110 | V1R5 | The macOS system must enforce enrollment in Mobile Device Management (MDM). | macOS 15 - Sequoia |
| APPL-15-005120 | V1R5 | The macOS system must enable Recovery Lock. | macOS 15 - Sequoia |
| APPL-15-005130 | V1R5 | The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | macOS 15 - Sequoia |
| OL07-00-010020 | V3R3 | The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values. | Oracle Linux 7 |
| OL07-00-010290 | V3R3 | The Oracle Linux operating system must not allow accounts configured with blank or null passwords. | Oracle Linux 7 |
| OL07-00-020230 | V3R3 | The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. | Oracle Linux 7 |
| OL07-00-020250 | V3R3 | The Oracle Linux operating system must be a vendor supported release. | Oracle Linux 7 |
| OL07-00-020260 | V3R3 | The Oracle Linux operating system security patches and updates must be installed and up to date. | Oracle Linux 7 |
| OL07-00-020270 | V3R3 | The Oracle Linux operating system must not have unnecessary accounts. | Oracle Linux 7 |
| OL07-00-020310 | V3R3 | The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. | Oracle Linux 7 |
| OL07-00-020320 | V3R3 | The Oracle Linux operating system must be configured so that all files and directories have a valid owner. | Oracle Linux 7 |
| OL07-00-020330 | V3R3 | The Oracle Linux operating system must be configured so that all files and directories have a valid group owner. | Oracle Linux 7 |
| OL07-00-020610 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. | Oracle Linux 7 |
| OL07-00-020620 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. | Oracle Linux 7 |
| OL07-00-020630 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. | Oracle Linux 7 |
| OL07-00-020640 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. | Oracle Linux 7 |
| OL07-00-020650 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group. | Oracle Linux 7 |
| OL07-00-020660 | V3R3 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner. | Oracle Linux 7 |
| OL07-00-020670 | V3R3 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. | Oracle Linux 7 |
| OL07-00-020680 | V3R3 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. | Oracle Linux 7 |
| OL07-00-020690 | V3R3 | The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. | Oracle Linux 7 |
| OL07-00-020700 | V3R3 | The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root. | Oracle Linux 7 |
| OL07-00-020710 | V3R3 | The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. | Oracle Linux 7 |
| OL07-00-020720 | V3R3 | The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory. | Oracle Linux 7 |
| OL07-00-020730 | V3R3 | The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs. | Oracle Linux 7 |
| OL07-00-020900 | V3R3 | The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Oracle Linux 7 |
| OL07-00-021000 | V3R3 | The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Oracle Linux 7 |
| OL07-00-021010 | V3R3 | The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Oracle Linux 7 |
| OL07-00-021020 | V3R3 | The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). | Oracle Linux 7 |
| OL07-00-021021 | V3R3 | The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). | Oracle Linux 7 |
| OL07-00-021030 | V3R3 | The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. | Oracle Linux 7 |
| OL07-00-021040 | V3R3 | The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts. | Oracle Linux 7 |
| OL07-00-021100 | V3R3 | The Oracle Linux operating system must have cron logging implemented. | Oracle Linux 7 |
| OL07-00-021110 | V3R3 | The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. | Oracle Linux 7 |
| OL07-00-021120 | V3R3 | The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. | Oracle Linux 7 |
| OL07-00-021300 | V3R3 | The Oracle Linux operating system must disable Kernel core dumps unless needed. | Oracle Linux 7 |
| OL07-00-021310 | V3R3 | The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). | Oracle Linux 7 |
| OL07-00-021320 | V3R3 | The Oracle Linux operating system must use a separate file system for /var. | Oracle Linux 7 |
| OL07-00-021340 | V3R3 | The Oracle Linux operating system must use a separate file system for /tmp (or equivalent). | Oracle Linux 7 |
| OL07-00-021600 | V3R3 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Oracle Linux 7 |
| OL07-00-021610 | V3R3 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Oracle Linux 7 |
| OL07-00-021620 | V3R3 | The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Oracle Linux 7 |
| OL07-00-031000 | V3R3 | The Oracle Linux operating system must send rsyslog output to a log aggregation server. | Oracle Linux 7 |
| OL07-00-031010 | V3R3 | The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Oracle Linux 7 |
| OL07-00-032000 | V3R3 | The Oracle Linux operating system must use a virus scan program. | Oracle Linux 7 |
| OL07-00-040330 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. | Oracle Linux 7 |
| OL07-00-040350 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. | Oracle Linux 7 |
| OL07-00-040360 | V3R3 | The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon. | Oracle Linux 7 |
| OL07-00-040370 | V3R3 | The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH. | Oracle Linux 7 |
| OL07-00-040380 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. | Oracle Linux 7 |
| OL07-00-040410 | V3R3 | The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. | Oracle Linux 7 |
| OL07-00-040420 | V3R3 | The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive. | Oracle Linux 7 |
| OL07-00-040450 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. | Oracle Linux 7 |
| OL07-00-040460 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation. | Oracle Linux 7 |
| OL07-00-040470 | V3R3 | The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. | Oracle Linux 7 |
| OL07-00-040520 | V3R3 | The Oracle Linux operating system must enable an application firewall, if available. | Oracle Linux 7 |
| OL07-00-040530 | V3R3 | The Oracle Linux operating system must display the date and time of the last successful account logon upon logon. | Oracle Linux 7 |
| OL07-00-040540 | V3R3 | The Oracle Linux operating system must not contain .shosts files. | Oracle Linux 7 |
| OL07-00-040550 | V3R3 | The Oracle Linux operating system must not contain shosts.equiv files. | Oracle Linux 7 |
| OL07-00-040600 | V3R3 | For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured. | Oracle Linux 7 |
| OL07-00-040610 | V3R3 | The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Oracle Linux 7 |
| OL07-00-040611 | V3R3 | The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. | Oracle Linux 7 |
| OL07-00-040612 | V3R3 | The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default. | Oracle Linux 7 |
| OL07-00-040620 | V3R3 | The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | Oracle Linux 7 |
| OL07-00-040630 | V3R3 | The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Oracle Linux 7 |
| OL07-00-040640 | V3R3 | The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 7 |
| OL07-00-040641 | V3R3 | The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 7 |
| OL07-00-040650 | V3R3 | The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. | Oracle Linux 7 |
| OL07-00-040660 | V3R3 | The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | Oracle Linux 7 |
| OL07-00-040670 | V3R3 | Network interfaces configured on the Oracle Linux operating system must not be in promiscuous mode. | Oracle Linux 7 |
| OL07-00-040680 | V3R3 | The Oracle Linux operating system must be configured to prevent unrestricted mail relaying. | Oracle Linux 7 |
| OL07-00-040690 | V3R3 | The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. | Oracle Linux 7 |
| OL07-00-040700 | V3R3 | The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. | Oracle Linux 7 |
| OL07-00-040710 | V3R3 | The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Oracle Linux 7 |
| OL07-00-040720 | V3R3 | The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode. | Oracle Linux 7 |
| OL07-00-040730 | V3R3 | The Oracle Linux operating system must not have a graphical display manager installed unless approved. | Oracle Linux 7 |
| OL07-00-040740 | V3R3 | The Oracle Linux operating system must not be performing packet forwarding unless the system is a router. | Oracle Linux 7 |
| OL07-00-040750 | V3R3 | The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | Oracle Linux 7 |
| OL07-00-040800 | V3R3 | SNMP community strings on the Oracle Linux operating system must be changed from the default. | Oracle Linux 7 |
| OL07-00-040810 | V3R3 | The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | Oracle Linux 7 |
| OL07-00-040820 | V3R3 | The Oracle Linux operating system must not have unauthorized IP tunnels configured. | Oracle Linux 7 |
| OL07-00-040830 | V3R3 | The Oracle Linux operating system must not forward IPv6 source-routed packets. | Oracle Linux 7 |
| OL07-00-020231 | V3R3 | The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. | Oracle Linux 7 |
| OL07-00-021031 | V3R3 | The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Oracle Linux 7 |
| OL07-00-040711 | V3R3 | The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | Oracle Linux 7 |
| OL07-00-010341 | V3R3 | The Oracle Linux operating system must restrict privilege elevation to authorized personnel. | Oracle Linux 7 |
| OL07-00-010342 | V3R3 | The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo". | Oracle Linux 7 |
| OL07-00-010291 | V3R3 | The Oracle Linux operating system must not have accounts configured with blank or null passwords. | Oracle Linux 7 |
| OL07-00-010339 | V3R3 | The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file. | Oracle Linux 7 |
| OL07-00-010063 | V3R3 | The Oracle Linux operating system must disable the login screen user list for graphical user interfaces. | Oracle Linux 7 |
| OL08-00-010000 | V2R6 | OL 8 must be a vendor-supported release. | Oracle Linux 8 |
| OL08-00-010010 | V2R6 | OL 8 vendor-packaged system security patches and updates must be installed and up to date. | Oracle Linux 8 |
| OL08-00-010382 | V2R6 | OL 8 must restrict privilege elevation to authorized personnel. | Oracle Linux 8 |
| OL08-00-010383 | V2R6 | OL 8 must use the invoking user's password for privilege escalation when using "sudo". | Oracle Linux 8 |
| OL08-00-010424 | V2R6 | OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors. | Oracle Linux 8 |
| OL08-00-010460 | V2R6 | There must be no "shosts.equiv" files on the OL 8 operating system. | Oracle Linux 8 |
| OL08-00-010470 | V2R6 | There must be no ".shosts" files on the OL 8 operating system. | Oracle Linux 8 |
| OL08-00-010473 | V2R6 | OL 8 must enable the hardware random number generator entropy gatherer service. | Oracle Linux 8 |
| OL08-00-010472 | V2R6 | OL 8 must have the packages required to use the hardware random number generator entropy gatherer service. | Oracle Linux 8 |
| OL08-00-010480 | V2R6 | The OL 8 SSH public host key files must have mode "0644" or less permissive. | Oracle Linux 8 |
| OL08-00-010490 | V2R6 | The OL 8 SSH private host key files must have mode "0640" or less permissive. | Oracle Linux 8 |
| OL08-00-010500 | V2R6 | The OL 8 SSH daemon must perform strict mode checking of home directory configuration files. | Oracle Linux 8 |
| OL08-00-010520 | V2R6 | The OL 8 SSH daemon must not allow authentication using known hosts authentication. | Oracle Linux 8 |
| OL08-00-010521 | V2R6 | The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. | Oracle Linux 8 |
| OL08-00-010522 | V2R6 | The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements. | Oracle Linux 8 |
| OL08-00-010540 | V2R6 | OL 8 must use a separate file system for "/var". | Oracle Linux 8 |
| OL08-00-010541 | V2R6 | OL 8 must use a separate file system for "/var/log". | Oracle Linux 8 |
| OL08-00-010542 | V2R6 | OL 8 must use a separate file system for the system audit data path. | Oracle Linux 8 |
| OL08-00-010543 | V2R6 | OL 8 must use a separate file system for "/tmp". | Oracle Linux 8 |
| OL08-00-010544 | V2R6 | OL 8 must use a separate file system for /var/tmp. | Oracle Linux 8 |
| OL08-00-010561 | V2R6 | OL 8 must have the rsyslog service enabled and active. | Oracle Linux 8 |
| OL08-00-010570 | V2R6 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | Oracle Linux 8 |
| OL08-00-010571 | V2R6 | OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | Oracle Linux 8 |
| OL08-00-010572 | V2R6 | OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | Oracle Linux 8 |
| OL08-00-010580 | V2R6 | OL 8 must prevent special devices on non-root local partitions. | Oracle Linux 8 |
| OL08-00-010590 | V2R6 | OL 8 file systems that contain user home directories must not execute binary files. | Oracle Linux 8 |
| OL08-00-010600 | V2R6 | OL 8 file systems must not interpret character or block special devices from untrusted file systems. | Oracle Linux 8 |
| OL08-00-010610 | V2R6 | OL 8 file systems must not execute binary files on removable media. | Oracle Linux 8 |
| OL08-00-010620 | V2R6 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Oracle Linux 8 |
| OL08-00-010630 | V2R6 | OL 8 file systems must not execute binary files that are imported via Network File System (NFS). | Oracle Linux 8 |
| OL08-00-010640 | V2R6 | OL 8 file systems must not interpret character or block special devices that are imported via NFS. | Oracle Linux 8 |
| OL08-00-010650 | V2R6 | OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | Oracle Linux 8 |
| OL08-00-010660 | V2R6 | Local OL 8 initialization files must not execute world-writable programs. | Oracle Linux 8 |
| OL08-00-010671 | V2R6 | OL 8 must disable the "kernel.core_pattern". | Oracle Linux 8 |
| OL08-00-010672 | V2R6 | OL 8 must disable acquiring, saving, and processing core dumps. | Oracle Linux 8 |
| OL08-00-010673 | V2R6 | OL 8 must disable core dumps for all users. | Oracle Linux 8 |
| OL08-00-010674 | V2R6 | OL 8 must disable storing core dumps. | Oracle Linux 8 |
| OL08-00-010675 | V2R6 | OL 8 must disable core dump backtraces. | Oracle Linux 8 |
| OL08-00-010680 | V2R6 | For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Oracle Linux 8 |
| OL08-00-010690 | V2R6 | Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory. | Oracle Linux 8 |
| OL08-00-010700 | V2R6 | All OL 8 world-writable directories must be owned by root, sys, bin, or an application user. | Oracle Linux 8 |
OL08-00-010710V2R6All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.Oracle Linux 8
OL08-00-010720V2R6All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.Oracle Linux 8
OL08-00-010730V2R6All OL 8 local interactive user home directories must have mode "0750" or less permissive.Oracle Linux 8
OL08-00-010731V2R6All OL 8 local interactive user home directory files must have mode "0750" or less permissive.Oracle Linux 8
OL08-00-010740V2R6All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.Oracle Linux 8
OL08-00-010741V2R6OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.Oracle Linux 8
OL08-00-010750V2R6All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.Oracle Linux 8
OL08-00-010760V2R6All OL 8 local interactive user accounts must be assigned a home directory upon creation.Oracle Linux 8
OL08-00-010770V2R6All OL 8 local initialization files must have mode "0740" or less permissive.Oracle Linux 8
OL08-00-010780V2R6All OL 8 files and directories must have a valid owner.Oracle Linux 8
OL08-00-010790V2R6All OL 8 files and directories must have a valid group owner.Oracle Linux 8
OL08-00-010800V2R6A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent).Oracle Linux 8
OL08-00-020032V2R6OL 8 must disable the user list at logon for graphical user interfaces.Oracle Linux 8
OL08-00-020320V2R6OL 8 must not have unnecessary accounts.Oracle Linux 8
OL08-00-020330V2R6OL 8 must not allow accounts configured with blank or null passwords.Oracle Linux 8
OL08-00-020331V2R6OL 8 must not allow blank or null passwords in the system-auth file.Oracle Linux 8
OL08-00-020332V2R6OL 8 must not allow blank or null passwords in the password-auth file.Oracle Linux 8
OL08-00-020340V2R6OL 8 must display the date and time of the last successful account logon upon logon.Oracle Linux 8
OL08-00-020350V2R6OL 8 must display the date and time of the last successful account logon upon an SSH logon.Oracle Linux 8
OL08-00-030010V2R6Cron logging must be implemented in OL 8.Oracle Linux 8
OL08-00-030061V2R6The OL 8 audit system must audit local events.Oracle Linux 8
OL08-00-030063V2R6OL 8 must resolve audit information before writing to disk.Oracle Linux 8
OL08-00-030670V2R6OL 8 must have the packages required for offloading audit logs installed.Oracle Linux 8
OL08-00-030680V2R6OL 8 must have the packages required for encrypting offloaded audit logs installed.Oracle Linux 8
OL08-00-040021V2R6OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.Oracle Linux 8
OL08-00-040022V2R6OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.Oracle Linux 8
OL08-00-040023V2R6OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.Oracle Linux 8
OL08-00-040170V2R6The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.Oracle Linux 8
OL08-00-040171V2R6The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.Oracle Linux 8
OL08-00-040172V2R6OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.Oracle Linux 8
OL08-00-040180V2R6OL 8 must disable the debug-shell systemd service.Oracle Linux 8
OL08-00-040190V2R6The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.Oracle Linux 8
OL08-00-040200V2R6The root account must be the only account having unrestricted access to the OL 8 system.Oracle Linux 8
OL08-00-040209V2R6OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Oracle Linux 8
OL08-00-040210V2R6OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Oracle Linux 8
OL08-00-040220V2R6OL 8 must not send Internet Control Message Protocol (ICMP) redirects.Oracle Linux 8
OL08-00-040230V2R6OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.Oracle Linux 8
OL08-00-040239V2R6OL 8 must not forward IPv4 source-routed packets.Oracle Linux 8
OL08-00-040240V2R6OL 8 must not forward IPv6 source-routed packets.Oracle Linux 8
OL08-00-040249V2R6OL 8 must not forward IPv4 source-routed packets by default.Oracle Linux 8
OL08-00-040250V2R6OL 8 must not forward IPv6 source-routed packets by default.Oracle Linux 8
OL08-00-040260V2R6OL 8 must not enable IPv6 packet forwarding unless the system is a router.Oracle Linux 8
OL08-00-040261V2R6OL 8 must not accept router advertisements on all IPv6 interfaces.Oracle Linux 8
OL08-00-040262V2R6OL 8 must not accept router advertisements on all IPv6 interfaces by default.Oracle Linux 8
OL08-00-040270V2R6OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.Oracle Linux 8
OL08-00-040279V2R6OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.Oracle Linux 8
OL08-00-040280V2R6OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.Oracle Linux 8
OL08-00-040281V2R6OL 8 must disable access to the network "bpf" syscall from unprivileged processes.Oracle Linux 8
OL08-00-040282V2R6OL 8 must restrict the use of "ptrace" to descendant processes.Oracle Linux 8
OL08-00-040283V2R6OL 8 must restrict exposed kernel pointer addresses access.Oracle Linux 8
OL08-00-040284V2R6OL 8 must disable the use of user namespaces.Oracle Linux 8
OL08-00-040285V2R6OL 8 must use reverse path filtering on all IPv4 interfaces.Oracle Linux 8
OL08-00-040286V2R6OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.Oracle Linux 8
OL08-00-040290V2R6OL 8 must be configured to prevent unrestricted mail relaying.Oracle Linux 8
OL08-00-040300V2R6The OL 8 file integrity tool must be configured to verify extended attributes.Oracle Linux 8
OL08-00-040310V2R6The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).Oracle Linux 8
OL08-00-040320V2R6The graphical display manager must not be installed on OL 8 unless approved.Oracle Linux 8
OL08-00-040330V2R6OL 8 network interfaces must not be in promiscuous mode.Oracle Linux 8
OL08-00-040340V2R6OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.Oracle Linux 8
OL08-00-040341V2R6The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.Oracle Linux 8
OL08-00-040350V2R6If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.Oracle Linux 8
OL08-00-040360V2R6A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.Oracle Linux 8
OL08-00-040370V2R6OL 8 must not have the "gssproxy" package installed if not required for operational support.Oracle Linux 8
OL08-00-040380V2R6OL 8 must not have the "iprutils" package installed if not required for operational support.Oracle Linux 8
OL08-00-040390V2R6OL 8 must not have the "tuned" package installed if not required for operational support.Oracle Linux 8
OL08-00-010121V2R6The OL 8 operating system must not have accounts configured with blank or null passwords.Oracle Linux 8
OL08-00-010379V2R6OL 8 must specify the default "include" directory for the /etc/sudoers file.Oracle Linux 8
OL08-00-020101V2R6OL 8 must ensure the password complexity module is enabled in the system-auth file.Oracle Linux 8
OL08-00-020102V2R6OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.Oracle Linux 8
OL08-00-020103V2R6OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.Oracle Linux 8
OL08-00-020104V2R6OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.Oracle Linux 8
OL08-00-040259V2R6OL 8 must not enable IPv4 packet forwarding unless the system is a router.Oracle Linux 8
OL08-00-040321V2R6The graphical display manager must not be the default target on OL 8 unless approved.Oracle Linux 8
OL09-00-000003 | V1R3 | OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent). | Oracle Linux 9
OL09-00-000004 | V1R3 | OL 9 must use a separate file system for /tmp. | Oracle Linux 9
OL09-00-000005 | V1R3 | OL 9 must use a separate file system for /var. | Oracle Linux 9
OL09-00-000006 | V1R3 | OL 9 must use a separate file system for /var/log. | Oracle Linux 9
OL09-00-000007 | V1R3 | OL 9 must use a separate file system for /var/tmp. | Oracle Linux 9
OL09-00-000015 | V1R3 | OL 9 vendor packaged system security patches and updates must be installed and up to date. | Oracle Linux 9
OL09-00-000020 | V1R3 | OL 9 must be configured so that the graphical display manager is not the default target unless approved. | Oracle Linux 9
OL09-00-000135 | V1R3 | OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. | Oracle Linux 9
OL09-00-000140 | V1R3 | OL 9 must not have the quagga package installed. | Oracle Linux 9
OL09-00-000145 | V1R3 | OL 9 must not have a graphical display manager installed unless approved. | Oracle Linux 9
OL09-00-000210 | V1R3 | OL 9 policycoreutils-python-utils package must be installed. | Oracle Linux 9
OL09-00-000224 | V1R3 | OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems. | Oracle Linux 9
OL09-00-000231 | V1R3 | OL 9 must use the invoking user's password for privilege escalation when using sudo. | Oracle Linux 9
OL09-00-000232 | V1R3 | OL 9 must restrict privilege elevation to authorized personnel. | Oracle Linux 9
OL09-00-000243 | V1R3 | OL 9 must be configured so that the cryptographic hashes of system files match vendor values. | Oracle Linux 9
OL09-00-000260 | V1R3 | OL 9 must have the openssh-clients package installed. | Oracle Linux 9
OL09-00-000302 | V1R3 | OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | Oracle Linux 9
OL09-00-000303 | V1R3 | OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | Oracle Linux 9
OL09-00-000304 | V1R3 | OL 9 must be configured so that the file integrity tool verifies extended attributes. | Oracle Linux 9
OL09-00-000351 | V1R3 | OL 9 must be configured so that the rsyslog service is active. | Oracle Linux 9
OL09-00-000360 | V1R3 | OL 9 must enable the hardware random number generator entropy gatherer service. | Oracle Linux 9
OL09-00-000370 | V1R3 | OL 9 must have the rng-tools package installed. | Oracle Linux 9
OL09-00-000380 | V1R3 | OL 9 must have the nss-tools package installed. | Oracle Linux 9
OL09-00-000430 | V1R3 | OL 9 must have the gnutls-utils package installed. | Oracle Linux 9
OL09-00-000880 | V1R3 | OL 9 must write audit records to disk. | Oracle Linux 9
OL09-00-001000 | V1R3 | OL 9 must ensure the password complexity module is enabled in the system-auth file. | Oracle Linux 9
OL09-00-001110 | V1R3 | OL 9 must not allow blank or null passwords. | Oracle Linux 9
OL09-00-001130 | V1R3 | OL 9 must not have accounts configured with blank or null passwords. | Oracle Linux 9
OL09-00-002010 | V1R3 | OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | Oracle Linux 9
OL09-00-002011 | V1R3 | OL 9 must prevent special devices on file systems that are imported via Network File System (NFS). | Oracle Linux 9
OL09-00-002012 | V1R3 | OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). | Oracle Linux 9
OL09-00-002013 | V1R3 | OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | Oracle Linux 9
OL09-00-002020 | V1R3 | OL 9 must prevent code from being executed on file systems that are used with removable media. | Oracle Linux 9
OL09-00-002021 | V1R3 | OL 9 must prevent special devices on file systems that are used with removable media. | Oracle Linux 9
OL09-00-002022 | V1R3 | OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Oracle Linux 9
OL09-00-002072 | V1R3 | OL 9 must prevent code from being executed on file systems that contain user home directories. | Oracle Linux 9
OL09-00-002080 | V1R3 | OL 9 must prevent special devices on nonroot local partitions. | Oracle Linux 9
OL09-00-002102 | V1R3 | OL 9 must disable the user list at logon for graphical user interfaces. | Oracle Linux 9
OL09-00-002107 | V1R3 | OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | Oracle Linux 9
OL09-00-002127 | V1R3 | OL 9 must disable the ability of a user to restart the system from the login screen. | Oracle Linux 9
OL09-00-002128 | V1R3 | OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | Oracle Linux 9
OL09-00-002129 | V1R3 | OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | Oracle Linux 9
OL09-00-002162 | V1R3 | OL 9 effective dconf policy must match the policy keyfiles. | Oracle Linux 9
OL09-00-002301 | V1R3 | OL 9 must define default permissions for the bash shell. | Oracle Linux 9
OL09-00-002302 | V1R3 | OL 9 must define default permissions for the c shell. | Oracle Linux 9
OL09-00-002303 | V1R3 | OL 9 must define default permissions for the system default profile. | Oracle Linux 9
OL09-00-002348 | V1R3 | OL 9 SSH daemon must not allow rhosts authentication. | Oracle Linux 9
OL09-00-002349 | V1R3 | OL 9 SSH daemon must not allow known hosts authentication. | Oracle Linux 9
OL09-00-002350 | V1R3 | OL 9 SSH daemon must disable remote X connections for interactive users. | Oracle Linux 9
OL09-00-002351 | V1R3 | OL 9 SSH daemon must perform strict mode checking of home directory configuration files. | Oracle Linux 9
OL09-00-002352 | V1R3 | OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | Oracle Linux 9
OL09-00-002354 | V1R3 | OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | Oracle Linux 9
OL09-00-002355 | V1R3 | OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | Oracle Linux 9
OL09-00-002360 | V1R3 | OL 9 must require reauthentication when using the "sudo" command. | Oracle Linux 9
OL09-00-002370 | V1R3 | OL 9 must disable the use of user namespaces. | Oracle Linux 9
OL09-00-002380 | V1R3 | OL 9 must disable the kernel.core_pattern. | Oracle Linux 9
OL09-00-002381 | V1R3 | OL 9 must disable core dump backtraces. | Oracle Linux 9
OL09-00-002382 | V1R3 | OL 9 must disable storing core dumps. | Oracle Linux 9
OL09-00-002383 | V1R3 | OL 9 must disable core dumps for all users. | Oracle Linux 9
OL09-00-002384 | V1R3 | OL 9 must disable acquiring, saving, and processing core dumps. | Oracle Linux 9
OL09-00-002385 | V1R3 | OL 9 must be configured so that the kdump service is disabled. | Oracle Linux 9
OL09-00-002392 | V1R3 | OL 9 must disable the ability of systemd to spawn an interactive boot process. | Oracle Linux 9
OL09-00-002419 | V1R3 | OL 9 file systems must not contain shosts.equiv files. | Oracle Linux 9
OL09-00-002420 | V1R3 | OL 9 file systems must not contain .shosts files. | Oracle Linux 9
OL09-00-002425 | V1R3 | OL 9 must be configured to prevent unrestricted mail relaying. | Oracle Linux 9
OL09-00-002426 | V1R3 | OL 9 Trivial File Transfer Protocol (TFTP) daemon must be configured to operate in secure mode if the TFTP server is required. | Oracle Linux 9
OL09-00-002427 | V1R3 | OL 9 must be configured so that local initialization files do not execute world-writable programs. | Oracle Linux 9
OL09-00-002430 | V1R3 | OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler. | Oracle Linux 9
OL09-00-002500 | V1R3 | OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Oracle Linux 9
OL09-00-002501 | V1R3 | OL 9 must not have unauthorized accounts. | Oracle Linux 9
OL09-00-002502 | V1R3 | OL 9 SSH private host key files must have mode 0640 or less permissive. | Oracle Linux 9
OL09-00-002503 | V1R3 | OL 9 SSH public host key files must have mode 0644 or less permissive. | Oracle Linux 9
OL09-00-002507 | V1R3 | OL 9 SSH server configuration file must be group-owned by root. | Oracle Linux 9
OL09-00-002508 | V1R3 | OL 9 SSH server configuration file must be owned by root. | Oracle Linux 9
OL09-00-002509 | V1R3 | OL 9 SSH server configuration file must have mode 0600 or less permissive. | Oracle Linux 9
OL09-00-002511 | V1R3 | OL 9 local files and directories must have a valid group owner. | Oracle Linux 9
OL09-00-002512 | V1R3 | OL 9 local files and directories must have a valid owner. | Oracle Linux 9
OL09-00-002513 | V1R3 | OL 9 local initialization files must have mode 0740 or less permissive. | Oracle Linux 9
OL09-00-002514 | V1R3 | OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. | Oracle Linux 9
OL09-00-002515 | V1R3 | OL 9 local interactive user home directories must have mode 0750 or less permissive. | Oracle Linux 9
OL09-00-002530 | V1R3 | OL 9 /boot/grub2/grub.cfg file must be group-owned by root. | Oracle Linux 9
OL09-00-002531 | V1R3 | OL 9 /boot/grub2/grub.cfg file must be owned by root. | Oracle Linux 9
OL09-00-002532 | V1R3 | OL 9 /etc/group file must be group-owned by root. | Oracle Linux 9
OL09-00-002533 | V1R3 | OL 9 /etc/group- file must be group-owned by root. | Oracle Linux 9
OL09-00-002534 | V1R3 | OL 9 /etc/group file must be owned by root. | Oracle Linux 9
OL09-00-002535 | V1R3 | OL 9 /etc/group- file must be owned by root. | Oracle Linux 9
OL09-00-002536 | V1R3 | OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002537 | V1R3 | OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002538 | V1R3 | OL 9 /etc/gshadow file must be group-owned by root. | Oracle Linux 9
OL09-00-002539 | V1R3 | OL 9 /etc/gshadow- file must be group-owned by root. | Oracle Linux 9
OL09-00-002540 | V1R3 | OL 9 /etc/gshadow file must be owned by root. | Oracle Linux 9
OL09-00-002541 | V1R3 | OL 9 /etc/gshadow- file must be owned by root. | Oracle Linux 9
OL09-00-002542 | V1R3 | OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002543 | V1R3 | OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002544 | V1R3 | OL 9 /etc/passwd file must be group-owned by root. | Oracle Linux 9
OL09-00-002545 | V1R3 | OL 9 /etc/passwd- file must be group-owned by root. | Oracle Linux 9
OL09-00-002546 | V1R3 | OL 9 /etc/passwd file must be owned by root. | Oracle Linux 9
OL09-00-002547 | V1R3 | OL 9 /etc/passwd- file must be owned by root. | Oracle Linux 9
OL09-00-002548 | V1R3 | OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002549 | V1R3 | OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002550 | V1R3 | OL 9 /etc/shadow file must be group-owned by root. | Oracle Linux 9
OL09-00-002551 | V1R3 | OL 9 /etc/shadow- file must be group-owned by root. | Oracle Linux 9
OL09-00-002552 | V1R3 | OL 9 /etc/shadow file must be owned by root. | Oracle Linux 9
OL09-00-002553 | V1R3 | OL 9 /etc/shadow- file must be owned by root. | Oracle Linux 9
OL09-00-002554 | V1R3 | OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | Oracle Linux 9
OL09-00-002555 | V1R3 | OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | Oracle Linux 9
OL09-00-002580 | V1R3 | OL 9 cron configuration directories must have a mode of 0700 or less permissive. | Oracle Linux 9
OL09-00-002581 | V1R3 | OL 9 cron configuration files directory must be group-owned by root. | Oracle Linux 9
OL09-00-002582 | V1R3 | OL 9 cron configuration files directory must be owned by root. | Oracle Linux 9
OL09-00-002583 | V1R3 | OL 9 /etc/crontab file must have mode 0600. | Oracle Linux 9
OL09-00-003000 | V1R3 | OL 9 must be configured so that the root account is the only account having unrestricted access to the system. | Oracle Linux 9
OL09-00-003002 | V1R3 | OL 9 local interactive users must have a home directory assigned in the /etc/passwd file. | Oracle Linux 9
OL09-00-003050 | V1R3 | OL 9 local interactive user home directories defined in the /etc/passwd file must exist. | Oracle Linux 9
OL09-00-003051 | V1R3 | OL 9 system accounts must not have an interactive login shell. | Oracle Linux 9
OL09-00-003052 | V1R3 | OL 9 local interactive user accounts must be assigned a home directory upon creation. | Oracle Linux 9
OL09-00-003053 | V1R3 | OL 9 must be configured so that executable search paths within the initialization files of all local interactive users only contain paths that resolve to the system default or the user's home directory. | Oracle Linux 9
OL09-00-003060 | V1R3 | OL 9 must set the umask value to 077 for all local interactive user accounts. | Oracle Linux 9
OL09-00-005010 | V1R3 | OL 9 must use cron logging. | Oracle Linux 9
OL09-00-005030 | V1R3 | OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Oracle Linux 9
OL09-00-006002 | V1R3 | OL 9 must configure a DNS processing mode set by Network Manager. | Oracle Linux 9
OL09-00-006003 | V1R3 | OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | Oracle Linux 9
OL09-00-006004 | V1R3 | OL 9 network interfaces must not be in promiscuous mode. | Oracle Linux 9
OL09-00-006010 | V1R3 | OL 9 must not have unauthorized IP tunnels configured. | Oracle Linux 9
OL09-00-006020 | V1R3 | OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 9
OL09-00-006021 | V1R3 | OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Oracle Linux 9
OL09-00-006022 | V1R3 | OL 9 must log IPv4 packets with impossible addresses. | Oracle Linux 9
OL09-00-006023 | V1R3 | OL 9 must log IPv4 packets with impossible addresses by default. | Oracle Linux 9
OL09-00-006024 | V1R3 | OL 9 must use reverse path filtering on all IPv4 interfaces. | Oracle Linux 9
OL09-00-006025 | V1R3 | OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 9
OL09-00-006026 | V1R3 | OL 9 must not forward IPv4 source-routed packets by default. | Oracle Linux 9
OL09-00-006027 | V1R3 | OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default. | Oracle Linux 9
OL09-00-006028 | V1R3 | OL 9 must not enable IPv4 packet forwarding unless the system is a router. | Oracle Linux 9
OL09-00-006030 | V1R3 | OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Oracle Linux 9
OL09-00-006031 | V1R3 | OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. | Oracle Linux 9
OL09-00-006032 | V1R3 | OL 9 must not send Internet Control Message Protocol (ICMP) redirects. | Oracle Linux 9
OL09-00-006033 | V1R3 | OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Oracle Linux 9
OL09-00-006040 | V1R3 | OL 9 must not accept router advertisements on all IPv6 interfaces. | Oracle Linux 9
OL09-00-006041 | V1R3 | OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Oracle Linux 9
OL09-00-006042 | V1R3 | OL 9 must not forward IPv6 source-routed packets. | Oracle Linux 9
OL09-00-006043 | V1R3 | OL 9 must not enable IPv6 packet forwarding unless the system is a router. | Oracle Linux 9
OL09-00-006044 | V1R3 | OL 9 must not accept router advertisements on all IPv6 interfaces by default. | Oracle Linux 9
OL09-00-006045 | V1R3 | OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Oracle Linux 9
OL09-00-006046 | V1R3 | OL 9 must not forward IPv6 source-routed packets by default. | Oracle Linux 9
RHEL-07-010290 | V3R9 | The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords. | Red Hat Enterprise Linux 7
RHEL-07-020230 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line. | Red Hat Enterprise Linux 7
RHEL-07-020231 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface. | Red Hat Enterprise Linux 7
RHEL-07-020250 | V3R9 | The Red Hat Enterprise Linux operating system must be a vendor supported release. | Red Hat Enterprise Linux 7
RHEL-07-020260 | V3R9 | The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date. | Red Hat Enterprise Linux 7
RHEL-07-020270 | V3R9 | The Red Hat Enterprise Linux operating system must not have unnecessary accounts. | Red Hat Enterprise Linux 7
RHEL-07-020310 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the root account is the only account having unrestricted access to the system. | Red Hat Enterprise Linux 7
RHEL-07-020320 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner. | Red Hat Enterprise Linux 7
RHEL-07-020330 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner. | Red Hat Enterprise Linux 7
RHEL-07-020610 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. | Red Hat Enterprise Linux 7
RHEL-07-020620 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file. | Red Hat Enterprise Linux 7
RHEL-07-020630 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive. | Red Hat Enterprise Linux 7
RHEL-07-020640 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users. | Red Hat Enterprise Linux 7
RHEL-07-020650 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owner's primary group. | Red Hat Enterprise Linux 7
RHEL-07-020660 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner. | Red Hat Enterprise Linux 7
RHEL-07-020670 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member. | Red Hat Enterprise Linux 7
RHEL-07-020680 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive. | Red Hat Enterprise Linux 7
RHEL-07-020690 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root. | Red Hat Enterprise Linux 7
RHEL-07-020700 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are group-owned by the user's primary group or root. | Red Hat Enterprise Linux 7
RHEL-07-020710 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive. | Red Hat Enterprise Linux 7
RHEL-07-020720 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory. | Red Hat Enterprise Linux 7
RHEL-07-020730 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs. | Red Hat Enterprise Linux 7
RHEL-07-020900 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Red Hat Enterprise Linux 7
RHEL-07-021000 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Red Hat Enterprise Linux 7
RHEL-07-021010 | V3R9 | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Red Hat Enterprise Linux 7
RHEL-07-021020 | V3R9 | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). | Red Hat Enterprise Linux 7
RHEL-07-021021 | V3R9 | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). | Red Hat Enterprise Linux 7
RHEL-07-021030 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. | Red Hat Enterprise Linux 7
RHEL-07-021040 | V3R9 | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts. | Red Hat Enterprise Linux 7
RHEL-07-021100 | V3R9 | The Red Hat Enterprise Linux operating system must have cron logging implemented. | Red Hat Enterprise Linux 7
RHEL-07-021110 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. | Red Hat Enterprise Linux 7
RHEL-07-021120 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. | Red Hat Enterprise Linux 7
RHEL-07-021300 | V3R9 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed. | Red Hat Enterprise Linux 7
RHEL-07-021310 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). | Red Hat Enterprise Linux 7
RHEL-07-021320 | V3R9 | The Red Hat Enterprise Linux operating system must use a separate file system for /var. | Red Hat Enterprise Linux 7
RHEL-07-021330 | V3R9 | The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path. | Red Hat Enterprise Linux 7
RHEL-07-021340 | V3R9 | The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent). | Red Hat Enterprise Linux 7
RHEL-07-021600 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Red Hat Enterprise Linux 7
RHEL-07-021610 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Red Hat Enterprise Linux 7
RHEL-07-021620 | V3R9 | The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Red Hat Enterprise Linux 7
RHEL-07-031000 | V3R9 | The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server. | Red Hat Enterprise Linux 7
RHEL-07-031010 | V3R9 | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Red Hat Enterprise Linux 7
RHEL-07-040201 | V3R9 | The Red Hat Enterprise Linux operating system must implement virtual address space randomization. | Red Hat Enterprise Linux 7
RHEL-07-040330V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.Red Hat Enterprise Linux 7
RHEL-07-040350V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.Red Hat Enterprise Linux 7
RHEL-07-040360V3R9The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.Red Hat Enterprise Linux 7
RHEL-07-040370V3R9The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.Red Hat Enterprise Linux 7
RHEL-07-040380V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.Red Hat Enterprise Linux 7
RHEL-07-040410V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.Red Hat Enterprise Linux 7
RHEL-07-040420V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.Red Hat Enterprise Linux 7
RHEL-07-040450V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.Red Hat Enterprise Linux 7
RHEL-07-040460V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.Red Hat Enterprise Linux 7
RHEL-07-040470V3R9The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.Red Hat Enterprise Linux 7
RHEL-07-040520V3R9The Red Hat Enterprise Linux operating system must enable an application firewall, if available.Red Hat Enterprise Linux 7
RHEL-07-040530V3R9The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.Red Hat Enterprise Linux 7
RHEL-07-040540V3R9The Red Hat Enterprise Linux operating system must not contain .shosts files.Red Hat Enterprise Linux 7
RHEL-07-040550V3R9The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.Red Hat Enterprise Linux 7
RHEL-07-040600V3R9For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.Red Hat Enterprise Linux 7
RHEL-07-040610V3R9The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.Red Hat Enterprise Linux 7
RHEL-07-040611V3R9The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.Red Hat Enterprise Linux 7
RHEL-07-040612V3R9The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.Red Hat Enterprise Linux 7
RHEL-07-040620V3R9The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.Red Hat Enterprise Linux 7
RHEL-07-040630V3R9The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.Red Hat Enterprise Linux 7
RHEL-07-040640V3R9The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.Red Hat Enterprise Linux 7
RHEL-07-040641V3R9The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.Red Hat Enterprise Linux 7
RHEL-07-040650V3R9The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.Red Hat Enterprise Linux 7
RHEL-07-040660V3R9The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.Red Hat Enterprise Linux 7
RHEL-07-040670V3R9Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.Red Hat Enterprise Linux 7
RHEL-07-040680V3R9The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.Red Hat Enterprise Linux 7
RHEL-07-040690V3R9The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.Red Hat Enterprise Linux 7
RHEL-07-040700V3R9The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.Red Hat Enterprise Linux 7
RHEL-07-040710V3R9The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.Red Hat Enterprise Linux 7
RHEL-07-040720V3R9The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.Red Hat Enterprise Linux 7
RHEL-07-040730V3R9The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.Red Hat Enterprise Linux 7
RHEL-07-040740V3R9The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.Red Hat Enterprise Linux 7
RHEL-07-040750V3R9The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.Red Hat Enterprise Linux 7
RHEL-07-040800V3R9SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.Red Hat Enterprise Linux 7
RHEL-07-040810V3R9The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.Red Hat Enterprise Linux 7
RHEL-07-040820V3R9The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.Red Hat Enterprise Linux 7
RHEL-07-040830V3R9The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.Red Hat Enterprise Linux 7
RHEL-07-010020V3R9The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.Red Hat Enterprise Linux 7
RHEL-07-020019V3R9The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.Red Hat Enterprise Linux 7
RHEL-07-032000V3R9The Red Hat Enterprise Linux operating system must use a virus scan program.Red Hat Enterprise Linux 7
RHEL-07-021031V3R9The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.Red Hat Enterprise Linux 7
RHEL-07-040711V3R9The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.Red Hat Enterprise Linux 7
RHEL-07-010341V3R9The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.Red Hat Enterprise Linux 7
RHEL-07-010342V3R9The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".Red Hat Enterprise Linux 7
RHEL-07-010291V3R9The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.Red Hat Enterprise Linux 7
RHEL-07-010339V3R9The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.Red Hat Enterprise Linux 7
RHEL-08-010000V2R5RHEL 8 must be a vendor-supported release.Red Hat Enterprise Linux 8
RHEL-08-010010V2R5RHEL 8 vendor packaged system security patches and updates must be installed and up to date.Red Hat Enterprise Linux 8
RHEL-08-010292V2R5RHEL 8 must ensure the SSH server uses strong entropy.Red Hat Enterprise Linux 8
RHEL-08-010460V2R5There must be no shosts.equiv files on the RHEL 8 operating system.Red Hat Enterprise Linux 8
RHEL-08-010470V2R5There must be no .shosts files on the RHEL 8 operating system.Red Hat Enterprise Linux 8
RHEL-08-010471V2R5RHEL 8 must enable the hardware random number generator entropy gatherer service.Red Hat Enterprise Linux 8
RHEL-08-010480V2R5The RHEL 8 SSH public host key files must have mode 0644 or less permissive.Red Hat Enterprise Linux 8
RHEL-08-010490V2R5The RHEL 8 SSH private host key files must have mode 0640 or less permissive.Red Hat Enterprise Linux 8
RHEL-08-010500V2R5The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.Red Hat Enterprise Linux 8
RHEL-08-010520V2R5The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.Red Hat Enterprise Linux 8
RHEL-08-010521V2R5The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.Red Hat Enterprise Linux 8
RHEL-08-010540V2R5RHEL 8 must use a separate file system for /var.Red Hat Enterprise Linux 8
RHEL-08-010541V2R5RHEL 8 must use a separate file system for /var/log.Red Hat Enterprise Linux 8
RHEL-08-010542V2R5RHEL 8 must use a separate file system for the system audit data path.Red Hat Enterprise Linux 8
RHEL-08-010543V2R5A separate RHEL 8 filesystem must be used for the /tmp directory.Red Hat Enterprise Linux 8
RHEL-08-010561V2R5The rsyslog service must be running in RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-010570V2R5RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.Red Hat Enterprise Linux 8
RHEL-08-010571V2R5RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.Red Hat Enterprise Linux 8
RHEL-08-010580V2R5RHEL 8 must prevent special devices on non-root local partitions.Red Hat Enterprise Linux 8
RHEL-08-010590V2R5RHEL 8 must prevent code from being executed on file systems that contain user home directories.Red Hat Enterprise Linux 8
RHEL-08-010600V2R5RHEL 8 must prevent special devices on file systems that are used with removable media.Red Hat Enterprise Linux 8
RHEL-08-010610V2R5RHEL 8 must prevent code from being executed on file systems that are used with removable media.Red Hat Enterprise Linux 8
RHEL-08-010620V2R5RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.Red Hat Enterprise Linux 8
RHEL-08-010630V2R5RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 8
RHEL-08-010640V2R5RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 8
RHEL-08-010650V2R5RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 8
RHEL-08-010660V2R5Local RHEL 8 initialization files must not execute world-writable programs.Red Hat Enterprise Linux 8
RHEL-08-010670V2R5RHEL 8 must disable kernel dumps unless needed.Red Hat Enterprise Linux 8
RHEL-08-010671V2R5RHEL 8 must disable the kernel.core_pattern.Red Hat Enterprise Linux 8
RHEL-08-010672V2R5RHEL 8 must disable acquiring, saving, and processing core dumps.Red Hat Enterprise Linux 8
RHEL-08-010673V2R5RHEL 8 must disable core dumps for all users.Red Hat Enterprise Linux 8
RHEL-08-010674V2R5RHEL 8 must disable storing core dumps.Red Hat Enterprise Linux 8
RHEL-08-010675V2R5RHEL 8 must disable core dump backtraces.Red Hat Enterprise Linux 8
RHEL-08-010680V2R5For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.Red Hat Enterprise Linux 8
RHEL-08-010690V2R5Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.Red Hat Enterprise Linux 8
RHEL-08-010700V2R5All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.Red Hat Enterprise Linux 8
RHEL-08-010710V2R5All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.Red Hat Enterprise Linux 8
RHEL-08-010720V2R5All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.Red Hat Enterprise Linux 8
RHEL-08-010730V2R5All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.Red Hat Enterprise Linux 8
RHEL-08-010740V2R5All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.Red Hat Enterprise Linux 8
RHEL-08-010750V2R5All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.Red Hat Enterprise Linux 8
RHEL-08-010760V2R5All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.Red Hat Enterprise Linux 8
RHEL-08-010770V2R5All RHEL 8 local initialization files must have mode 0740 or less permissive.Red Hat Enterprise Linux 8
RHEL-08-010780V2R5All RHEL 8 local files and directories must have a valid owner.Red Hat Enterprise Linux 8
RHEL-08-010790V2R5All RHEL 8 local files and directories must have a valid group owner.Red Hat Enterprise Linux 8
RHEL-08-010800V2R5A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).Red Hat Enterprise Linux 8
RHEL-08-020320V2R5RHEL 8 must not have unnecessary accounts.Red Hat Enterprise Linux 8
RHEL-08-020330V2R5RHEL 8 must not allow accounts configured with blank or null passwords.Red Hat Enterprise Linux 8
RHEL-08-020340V2R5RHEL 8 must display the date and time of the last successful account logon upon logon.Red Hat Enterprise Linux 8
RHEL-08-020350V2R5RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.Red Hat Enterprise Linux 8
RHEL-08-020353V2R5RHEL 8 must define default permissions for logon and non-logon shells.Red Hat Enterprise Linux 8
RHEL-08-030010V2R5Cron logging must be implemented in RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-030061V2R5The RHEL 8 audit system must audit local events.Red Hat Enterprise Linux 8
RHEL-08-030063V2R5RHEL 8 must resolve audit information before writing to disk.Red Hat Enterprise Linux 8
RHEL-08-030670V2R5RHEL 8 must have the packages required for offloading audit logs installed.Red Hat Enterprise Linux 8
RHEL-08-030680V2R5RHEL 8 must have the packages required for encrypting offloaded audit logs installed.Red Hat Enterprise Linux 8
RHEL-08-040170V2R5The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-040171V2R5The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.Red Hat Enterprise Linux 8
RHEL-08-040172V2R5The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.Red Hat Enterprise Linux 8
RHEL-08-040180V2R5The debug-shell systemd service must be disabled on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-040190V2R5The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.Red Hat Enterprise Linux 8
RHEL-08-040200V2R5The root account must be the only account having unrestricted access to the RHEL 8 system.Red Hat Enterprise Linux 8
RHEL-08-040210V2R5RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Red Hat Enterprise Linux 8
RHEL-08-040220V2R5RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.Red Hat Enterprise Linux 8
RHEL-08-040230V2R5RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.Red Hat Enterprise Linux 8
RHEL-08-040240V2R5RHEL 8 must not forward IPv6 source-routed packets.Red Hat Enterprise Linux 8
RHEL-08-040250V2R5RHEL 8 must not forward IPv6 source-routed packets by default.Red Hat Enterprise Linux 8
RHEL-08-040260V2R5RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.Red Hat Enterprise Linux 8
RHEL-08-040261V2R5RHEL 8 must not accept router advertisements on all IPv6 interfaces.Red Hat Enterprise Linux 8
RHEL-08-040262V2R5RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.Red Hat Enterprise Linux 8
RHEL-08-040270V2R5RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.Red Hat Enterprise Linux 8
RHEL-08-040280V2R5RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.Red Hat Enterprise Linux 8
RHEL-08-040281V2R5RHEL 8 must disable access to network bpf syscall from unprivileged processes.Red Hat Enterprise Linux 8
RHEL-08-040282V2R5RHEL 8 must restrict usage of ptrace to descendant processes.Red Hat Enterprise Linux 8
RHEL-08-040283V2R5RHEL 8 must restrict exposed kernel pointer addresses access.Red Hat Enterprise Linux 8
RHEL-08-040284V2R5RHEL 8 must disable the use of user namespaces.Red Hat Enterprise Linux 8
RHEL-08-040285V2R5RHEL 8 must use reverse path filtering on all IPv4 interfaces.Red Hat Enterprise Linux 8
RHEL-08-040290V2R5RHEL 8 must be configured to prevent unrestricted mail relaying.Red Hat Enterprise Linux 8
RHEL-08-040300V2R5The RHEL 8 file integrity tool must be configured to verify extended attributes.Red Hat Enterprise Linux 8
RHEL-08-040310V2R5The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).Red Hat Enterprise Linux 8
RHEL-08-040320V2R5The graphical display manager must not be installed on RHEL 8 unless approved.Red Hat Enterprise Linux 8
RHEL-08-040330V2R5RHEL 8 network interfaces must not be in promiscuous mode.Red Hat Enterprise Linux 8
RHEL-08-040340V2R5RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.Red Hat Enterprise Linux 8
RHEL-08-040341V2R5The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.Red Hat Enterprise Linux 8
RHEL-08-040350V2R5If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.Red Hat Enterprise Linux 8
RHEL-08-040360V2R5A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-040370V2R5The gssproxy package must not be installed unless mission essential on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-040380V2R5The iprutils package must not be installed unless mission essential on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-040390V2R5The tuned package must not be installed unless mission essential on RHEL 8.Red Hat Enterprise Linux 8
RHEL-08-010382V2R5RHEL 8 must restrict privilege elevation to authorized personnel.Red Hat Enterprise Linux 8
RHEL-08-010383V2R5RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".Red Hat Enterprise Linux 8
RHEL-08-010472V2R5RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.Red Hat Enterprise Linux 8
RHEL-08-010522V2R5The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.Red Hat Enterprise Linux 8
RHEL-08-010544V2R5RHEL 8 must use a separate file system for /var/tmp.Red Hat Enterprise Linux 8
RHEL-08-010572V2R5RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.Red Hat Enterprise Linux 8
RHEL-08-010731V2R5All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.Red Hat Enterprise Linux 8
RHEL-08-010741V2R5RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.Red Hat Enterprise Linux 8
RHEL-08-020032V2R5RHEL 8 must disable the user list at logon for graphical user interfaces.Red Hat Enterprise Linux 8
RHEL-08-020332V2R5RHEL 8 must not allow blank or null passwords in the password-auth file.Red Hat Enterprise Linux 8
RHEL-08-040209V2R5RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Red Hat Enterprise Linux 8
RHEL-08-040239V2R5RHEL 8 must not forward IPv4 source-routed packets.Red Hat Enterprise Linux 8
RHEL-08-040249V2R5RHEL 8 must not forward IPv4 source-routed packets by default.Red Hat Enterprise Linux 8
RHEL-08-040279V2R5RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.Red Hat Enterprise Linux 8
RHEL-08-040286V2R5RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.Red Hat Enterprise Linux 8
RHEL-08-040259V2R5RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.Red Hat Enterprise Linux 8
RHEL-08-010121V2R5The RHEL 8 operating system must not have accounts configured with blank or null passwords.Red Hat Enterprise Linux 8
RHEL-08-010379V2R5RHEL 8 must specify the default "include" directory for the /etc/sudoers file.Red Hat Enterprise Linux 8
RHEL-08-020101V2R5RHEL 8 must ensure the password complexity module is enabled in the system-auth file.Red Hat Enterprise Linux 8
RHEL-08-020104V2R5RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.Red Hat Enterprise Linux 8
RHEL-08-040321V2R5The graphical display manager must not be the default target on RHEL 8 unless approved.Red Hat Enterprise Linux 8
RHEL-08-020331V2R5RHEL 8 must not allow blank or null passwords in the system-auth file.Red Hat Enterprise Linux 8
RHEL-09-211010V2R6RHEL 9 must be a vendor-supported release.Red Hat Enterprise Linux 9
RHEL-09-211015V2R6RHEL 9 vendor packaged system security patches and updates must be installed and up to date.Red Hat Enterprise Linux 9
RHEL-09-211030V2R6The graphical display manager must not be the default target on RHEL 9 unless approved.Red Hat Enterprise Linux 9
RHEL-09-211035V2R6RHEL 9 must enable the hardware random number generator entropy gatherer service.Red Hat Enterprise Linux 9
RHEL-09-212015V2R6RHEL 9 must disable the ability of systemd to spawn an interactive boot process.Red Hat Enterprise Linux 9
RHEL-09-212025V2R6RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.Red Hat Enterprise Linux 9
RHEL-09-212030V2R6RHEL 9 /boot/grub2/grub.cfg file must be owned by root.Red Hat Enterprise Linux 9
RHEL-09-212035V2R6RHEL 9 must disable virtual system calls.Red Hat Enterprise Linux 9
RHEL-09-212040V2R6RHEL 9 must clear the page allocator to prevent use-after-free attacks.Red Hat Enterprise Linux 9
RHEL-09-213020V2R6RHEL 9 must prevent the loading of a new kernel for later execution.Red Hat Enterprise Linux 9
RHEL-09-213040V2R6RHEL 9 must disable the kernel.core_pattern.Red Hat Enterprise Linux 9
RHEL-09-213085V2R6RHEL 9 must disable core dump backtraces.Red Hat Enterprise Linux 9
RHEL-09-213090V2R6RHEL 9 must disable storing core dumps.Red Hat Enterprise Linux 9
RHEL-09-213095V2R6RHEL 9 must disable core dumps for all users.Red Hat Enterprise Linux 9
RHEL-09-213100V2R6RHEL 9 must disable acquiring, saving, and processing core dumps.Red Hat Enterprise Linux 9
RHEL-09-213105V2R6RHEL 9 must disable the use of user namespaces.Red Hat Enterprise Linux 9
RHEL-09-213115V2R6The kdump service on RHEL 9 must be disabled.Red Hat Enterprise Linux 9
RHEL-09-214030V2R6RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.Red Hat Enterprise Linux 9
RHEL-09-215020V2R6RHEL 9 must not have the sendmail package installed.Red Hat Enterprise Linux 9
RHEL-09-215060V2R6RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.Red Hat Enterprise Linux 9
RHEL-09-215065V2R6RHEL 9 must not have the quagga package installed.Red Hat Enterprise Linux 9
RHEL-09-215070V2R6A graphical display manager must not be installed on RHEL 9 unless approved.Red Hat Enterprise Linux 9
RHEL-09-215080V2R6RHEL 9 must have the gnutls-utils package installed.Red Hat Enterprise Linux 9
RHEL-09-215085V2R6RHEL 9 must have the nss-tools package installed.Red Hat Enterprise Linux 9
RHEL-09-215090V2R6RHEL 9 must have the rng-tools package installed.Red Hat Enterprise Linux 9
RHEL-09-231010V2R6A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).Red Hat Enterprise Linux 9
RHEL-09-231015V2R6RHEL 9 must use a separate file system for /tmp.Red Hat Enterprise Linux 9
RHEL-09-231020V2R6RHEL 9 must use a separate file system for /var.Red Hat Enterprise Linux 9
RHEL-09-231025V2R6RHEL 9 must use a separate file system for /var/log.Red Hat Enterprise Linux 9
RHEL-09-231035V2R6RHEL 9 must use a separate file system for /var/tmp.Red Hat Enterprise Linux 9
RHEL-09-231055V2R6RHEL 9 must prevent code from being executed on file systems that contain user home directories.Red Hat Enterprise Linux 9
RHEL-09-231065V2R6RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 9
RHEL-09-231070V2R6RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 9
RHEL-09-231075V2R6RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).Red Hat Enterprise Linux 9
RHEL-09-231080V2R6RHEL 9 must prevent code from being executed on file systems that are used with removable media.Red Hat Enterprise Linux 9
RHEL-09-231085V2R6RHEL 9 must prevent special devices on file systems that are used with removable media.Red Hat Enterprise Linux 9
RHEL-09-231090V2R6RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.Red Hat Enterprise Linux 9
RHEL-09-231200V2R6RHEL 9 must prevent special devices on non-root local partitions.Red Hat Enterprise Linux 9
RHEL-09-232040V2R6RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults.Red Hat Enterprise Linux 9
RHEL-09-232045V2R6All RHEL 9 local initialization files must have mode 0740 or less permissive.Red Hat Enterprise Linux 9
RHEL-09-232050V2R6All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.Red Hat Enterprise Linux 9
RHEL-09-232055V2R6RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232060V2R6RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232065V2R6RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232070V2R6RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232075V2R6RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232080V2R6RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.Red Hat Enterprise Linux 9
RHEL-09-232085 | V2R6 | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | Red Hat Enterprise Linux 9
RHEL-09-232090 | V2R6 | RHEL 9 /etc/group file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232095 | V2R6 | RHEL 9 /etc/group file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232100 | V2R6 | RHEL 9 /etc/group- file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232105 | V2R6 | RHEL 9 /etc/group- file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232110 | V2R6 | RHEL 9 /etc/gshadow file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232115 | V2R6 | RHEL 9 /etc/gshadow file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232120 | V2R6 | RHEL 9 /etc/gshadow- file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232125 | V2R6 | RHEL 9 /etc/gshadow- file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232130 | V2R6 | RHEL 9 /etc/passwd file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232135 | V2R6 | RHEL 9 /etc/passwd file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232140 | V2R6 | RHEL 9 /etc/passwd- file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232145 | V2R6 | RHEL 9 /etc/passwd- file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232150 | V2R6 | RHEL 9 /etc/shadow file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232155 | V2R6 | RHEL 9 /etc/shadow file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232160 | V2R6 | RHEL 9 /etc/shadow- file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232165 | V2R6 | RHEL 9 /etc/shadow- file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232230 | V2R6 | RHEL 9 cron configuration files directory must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232235 | V2R6 | RHEL 9 cron configuration files directory must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-232240 | V2R6 | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. | Red Hat Enterprise Linux 9
RHEL-09-232250 | V2R6 | All RHEL 9 local files and directories must have a valid group owner. | Red Hat Enterprise Linux 9
RHEL-09-232255 | V2R6 | All RHEL 9 local files and directories must have a valid owner. | Red Hat Enterprise Linux 9
RHEL-09-232260 | V2R6 | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Red Hat Enterprise Linux 9
RHEL-09-232270 | V2R6 | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | Red Hat Enterprise Linux 9
RHEL-09-251020 | V2R6 | The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Red Hat Enterprise Linux 9
RHEL-09-251040 | V2R6 | RHEL 9 network interfaces must not be in promiscuous mode. | Red Hat Enterprise Linux 9
RHEL-09-251045 | V2R6 | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. | Red Hat Enterprise Linux 9
RHEL-09-252035 | V2R6 | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | Red Hat Enterprise Linux 9
RHEL-09-252040 | V2R6 | RHEL 9 must configure a DNS processing mode in Network Manager. | Red Hat Enterprise Linux 9
RHEL-09-252045 | V2R6 | RHEL 9 must not have unauthorized IP tunnels configured. | Red Hat Enterprise Linux 9
RHEL-09-252050 | V2R6 | RHEL 9 must be configured to prevent unrestricted mail relaying. | Red Hat Enterprise Linux 9
RHEL-09-252065 | V2R6 | RHEL 9 libreswan package must be installed. | Red Hat Enterprise Linux 9
RHEL-09-252070 | V2R6 | There must be no shosts.equiv files on RHEL 9. | Red Hat Enterprise Linux 9
RHEL-09-252075 | V2R6 | There must be no .shosts files on RHEL 9. | Red Hat Enterprise Linux 9
RHEL-09-253010 | V2R6 | RHEL 9 must be configured to use TCP syncookies. | Red Hat Enterprise Linux 9
RHEL-09-253015 | V2R6 | RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | Red Hat Enterprise Linux 9
RHEL-09-253020 | V2R6 | RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Red Hat Enterprise Linux 9
RHEL-09-253025 | V2R6 | RHEL 9 must log IPv4 packets with impossible addresses. | Red Hat Enterprise Linux 9
RHEL-09-253030 | V2R6 | RHEL 9 must log IPv4 packets with impossible addresses by default. | Red Hat Enterprise Linux 9
RHEL-09-253035 | V2R6 | RHEL 9 must use reverse path filtering on all IPv4 interfaces. | Red Hat Enterprise Linux 9
RHEL-09-253040 | V2R6 | RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Red Hat Enterprise Linux 9
RHEL-09-253045 | V2R6 | RHEL 9 must not forward IPv4 source-routed packets by default. | Red Hat Enterprise Linux 9
RHEL-09-253050 | V2R6 | RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. | Red Hat Enterprise Linux 9
RHEL-09-253055 | V2R6 | RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Red Hat Enterprise Linux 9
RHEL-09-253060 | V2R6 | RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response error logs. | Red Hat Enterprise Linux 9
RHEL-09-253065 | V2R6 | RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. | Red Hat Enterprise Linux 9
RHEL-09-253070 | V2R6 | RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Red Hat Enterprise Linux 9
RHEL-09-253075 | V2R6 | RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. | Red Hat Enterprise Linux 9
RHEL-09-254010 | V2R6 | RHEL 9 must not accept router advertisements on all IPv6 interfaces. | Red Hat Enterprise Linux 9
RHEL-09-254015 | V2R6 | RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Red Hat Enterprise Linux 9
RHEL-09-254020 | V2R6 | RHEL 9 must not forward IPv6 source-routed packets. | Red Hat Enterprise Linux 9
RHEL-09-254025 | V2R6 | RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. | Red Hat Enterprise Linux 9
RHEL-09-254030 | V2R6 | RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. | Red Hat Enterprise Linux 9
RHEL-09-254035 | V2R6 | RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Red Hat Enterprise Linux 9
RHEL-09-254040 | V2R6 | RHEL 9 must not forward IPv6 source-routed packets by default. | Red Hat Enterprise Linux 9
RHEL-09-255020 | V2R6 | RHEL 9 must have the openssh-clients package installed. | Red Hat Enterprise Linux 9
RHEL-09-255105 | V2R6 | RHEL 9 SSH server configuration file must be group-owned by root. | Red Hat Enterprise Linux 9
RHEL-09-255110 | V2R6 | The RHEL 9 SSH server configuration file must be owned by root. | Red Hat Enterprise Linux 9
RHEL-09-255115 | V2R6 | RHEL 9 SSH server configuration files' permissions must not be modified. | Red Hat Enterprise Linux 9
RHEL-09-255120 | V2R6 | RHEL 9 SSH private host key files must have mode 0640 or less permissive. | Red Hat Enterprise Linux 9
RHEL-09-255125 | V2R6 | RHEL 9 SSH public host key files must have mode 0644 or less permissive. | Red Hat Enterprise Linux 9
RHEL-09-255130 | V2R6 | RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | Red Hat Enterprise Linux 9
RHEL-09-255145 | V2R6 | RHEL 9 SSH daemon must not allow rhosts authentication. | Red Hat Enterprise Linux 9
RHEL-09-255150 | V2R6 | RHEL 9 SSH daemon must not allow known hosts authentication. | Red Hat Enterprise Linux 9
RHEL-09-255155 | V2R6 | RHEL 9 SSH daemon must disable remote X connections for interactive users. | Red Hat Enterprise Linux 9
RHEL-09-255160 | V2R6 | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. | Red Hat Enterprise Linux 9
RHEL-09-255165 | V2R6 | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | Red Hat Enterprise Linux 9
RHEL-09-255175 | V2R6 | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | Red Hat Enterprise Linux 9
RHEL-09-271090 | V2R6 | RHEL 9 effective dconf policy must match the policy keyfiles. | Red Hat Enterprise Linux 9
RHEL-09-271095 | V2R6 | RHEL 9 must disable the ability of a user to restart the system from the login screen. | Red Hat Enterprise Linux 9
RHEL-09-271100 | V2R6 | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | Red Hat Enterprise Linux 9
RHEL-09-271105 | V2R6 | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | Red Hat Enterprise Linux 9
RHEL-09-271110 | V2R6 | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | Red Hat Enterprise Linux 9
RHEL-09-271115 | V2R6 | RHEL 9 must disable the user list at logon for graphical user interfaces. | Red Hat Enterprise Linux 9
RHEL-09-411020 | V2R6 | All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. | Red Hat Enterprise Linux 9
RHEL-09-411025 | V2R6 | RHEL 9 must set the umask value to 077 for all local interactive user accounts. | Red Hat Enterprise Linux 9
RHEL-09-411035 | V2R6 | RHEL 9 system accounts must not have an interactive login shell. | Red Hat Enterprise Linux 9
RHEL-09-411055 | V2R6 | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the user's home directory. | Red Hat Enterprise Linux 9
RHEL-09-411060 | V2R6 | All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. | Red Hat Enterprise Linux 9
RHEL-09-411065 | V2R6 | All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist. | Red Hat Enterprise Linux 9
RHEL-09-411070 | V2R6 | All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. | Red Hat Enterprise Linux 9
RHEL-09-411095 | V2R6 | RHEL 9 must not have unauthorized accounts. | Red Hat Enterprise Linux 9
RHEL-09-411100 | V2R6 | The root account must be the only account having unrestricted access to RHEL 9 system. | Red Hat Enterprise Linux 9
RHEL-09-411115 | V2R6 | Local RHEL 9 initialization files must not execute world-writable programs. | Red Hat Enterprise Linux 9
RHEL-09-412075 | V2R6 | RHEL 9 must display the date and time of the last successful account logon upon logon. | Red Hat Enterprise Linux 9
RHEL-09-431025 | V2R6 | RHEL 9 must have policycoreutils package installed. | Red Hat Enterprise Linux 9
RHEL-09-431030 | V2R6 | RHEL 9 policycoreutils-python-utils package must be installed. | Red Hat Enterprise Linux 9
RHEL-09-432020 | V2R6 | RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". | Red Hat Enterprise Linux 9
RHEL-09-432030 | V2R6 | RHEL 9 must restrict privilege elevation to authorized personnel. | Red Hat Enterprise Linux 9
RHEL-09-611025 | V2R6 | RHEL 9 must not allow blank or null passwords. | Red Hat Enterprise Linux 9
RHEL-09-611045 | V2R6 | RHEL 9 must ensure the password complexity module is enabled in the system-auth file. | Red Hat Enterprise Linux 9
RHEL-09-611155 | V2R6 | RHEL 9 must not have accounts configured with blank or null passwords. | Red Hat Enterprise Linux 9
RHEL-09-651020 | V2R6 | RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | Red Hat Enterprise Linux 9
RHEL-09-651030 | V2R6 | RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | Red Hat Enterprise Linux 9
RHEL-09-651035 | V2R6 | RHEL 9 must be configured so that the file integrity tool verifies extended attributes. | Red Hat Enterprise Linux 9
RHEL-09-652015 | V2R6 | RHEL 9 must have the packages required for encrypting offloaded audit logs installed. | Red Hat Enterprise Linux 9
RHEL-09-652020 | V2R6 | The rsyslog service on RHEL 9 must be active. | Red Hat Enterprise Linux 9
RHEL-09-652025 | V2R6 | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Red Hat Enterprise Linux 9
RHEL-09-652060 | V2R6 | RHEL 9 must use cron logging. | Red Hat Enterprise Linux 9
RHEL-09-653105 | V2R6 | RHEL 9 must write audit records to disk. | Red Hat Enterprise Linux 9
SLES-12-010000 | V3R2 | The SUSE operating system must be a vendor-supported release. | SUSE Linux Enterprise 12
SLES-12-010010 | V3R2 | Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. | SUSE Linux Enterprise 12
SLES-12-010231 | V3R2 | The SUSE operating system must not be configured to allow blank or null passwords. | SUSE Linux Enterprise 12
SLES-12-010390 | V3R2 | The SUSE operating system must display the date and time of the last successful account logon upon logon. | SUSE Linux Enterprise 12
SLES-12-010400 | V3R2 | There must be no .shosts files on the SUSE operating system. | SUSE Linux Enterprise 12
SLES-12-010410 | V3R2 | There must be no shosts.equiv files on the SUSE operating system. | SUSE Linux Enterprise 12
SLES-12-010520 | V3R2 | The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). | SUSE Linux Enterprise 12
SLES-12-010530 | V3R2 | The SUSE operating system file integrity tool must be configured to verify extended attributes. | SUSE Linux Enterprise 12
SLES-12-010610 | V3R2 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. | SUSE Linux Enterprise 12
SLES-12-010611 | V3R2 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. | SUSE Linux Enterprise 12
SLES-12-010630 | V3R2 | The SUSE operating system must not have unnecessary accounts. | SUSE Linux Enterprise 12
SLES-12-010650 | V3R2 | The SUSE operating system root account must be the only account having unrestricted access to the system. | SUSE Linux Enterprise 12
SLES-12-010690 | V3R2 | All SUSE operating system files and directories must have a valid owner. | SUSE Linux Enterprise 12
SLES-12-010700 | V3R2 | All SUSE operating system files and directories must have a valid group owner. | SUSE Linux Enterprise 12
SLES-12-010710 | V3R2 | All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. | SUSE Linux Enterprise 12
SLES-12-010720 | V3R2 | All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. | SUSE Linux Enterprise 12
SLES-12-010730 | V3R2 | All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. | SUSE Linux Enterprise 12
SLES-12-010740 | V3R2 | All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. | SUSE Linux Enterprise 12
SLES-12-010750 | V3R2 | All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group. | SUSE Linux Enterprise 12
SLES-12-010760 | V3R2 | All SUSE operating system local initialization files must have mode 0740 or less permissive. | SUSE Linux Enterprise 12
SLES-12-010770 | V3R2 | All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory. | SUSE Linux Enterprise 12
SLES-12-010780 | V3R2 | All SUSE operating system local initialization files must not execute world-writable programs. | SUSE Linux Enterprise 12
SLES-12-010790 | V3R2 | SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 12
SLES-12-010800 | V3R2 | SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 12
SLES-12-010810 | V3R2 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 12
SLES-12-010820 | V3R2 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. | SUSE Linux Enterprise 12
SLES-12-010830 | V3R2 | All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. | SUSE Linux Enterprise 12
SLES-12-010840 | V3R2 | SUSE operating system kernel core dumps must be disabled unless needed. | SUSE Linux Enterprise 12
SLES-12-010850 | V3R2 | A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). | SUSE Linux Enterprise 12
SLES-12-010860 | V3R2 | The SUSE operating system must use a separate file system for /var. | SUSE Linux Enterprise 12
SLES-12-010870 | V3R2 | The SUSE operating system must use a separate file system for the system audit data path. | SUSE Linux Enterprise 12
SLES-12-010910 | V3R2 | The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. | SUSE Linux Enterprise 12
SLES-12-020199 | V3R2 | The SUSE operating system must not disable syscall auditing. | SUSE Linux Enterprise 12
SLES-12-030130 | V3R2 | The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. | SUSE Linux Enterprise 12
SLES-12-030200 | V3R2 | The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. | SUSE Linux Enterprise 12
SLES-12-030210 | V3R2 | The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. | SUSE Linux Enterprise 12
SLES-12-030220 | V3R2 | The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive. | SUSE Linux Enterprise 12
SLES-12-030230 | V3R2 | The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. | SUSE Linux Enterprise 12
SLES-12-030240 | V3R2 | The SUSE operating system SSH daemon must use privilege separation. | SUSE Linux Enterprise 12
SLES-12-030250 | V3R2 | The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication. | SUSE Linux Enterprise 12
SLES-12-030260 | V3R2 | The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. | SUSE Linux Enterprise 12
SLES-12-030360 | V3R2 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. | SUSE Linux Enterprise 12
SLES-12-030361 | V3R2 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. | SUSE Linux Enterprise 12
SLES-12-030370 | V3R2 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | SUSE Linux Enterprise 12
SLES-12-030380 | V3R2 | The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | SUSE Linux Enterprise 12
SLES-12-030390 | V3R2 | The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SUSE Linux Enterprise 12
SLES-12-030400 | V3R2 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 12
SLES-12-030401 | V3R2 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 12
SLES-12-030410 | V3R2 | The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 12
SLES-12-030420 | V3R2 | The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | SUSE Linux Enterprise 12
SLES-12-030430 | V3R2 | The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | SUSE Linux Enterprise 12
SLES-12-030440 | V3R2 | The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. | SUSE Linux Enterprise 12
SLES-12-030611 | V3R2 | The SUSE operating system must use a virus scan program. | SUSE Linux Enterprise 12
SLES-12-030261 | V3R2 | The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | SUSE Linux Enterprise 12
SLES-12-010111 | V3R2 | The SUSE operating system must restrict privilege elevation to authorized personnel. | SUSE Linux Enterprise 12
SLES-12-010112 | V3R2 | The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". | SUSE Linux Enterprise 12
SLES-12-010631 | V3R2 | The SUSE operating system must not have unnecessary account capabilities. | SUSE Linux Enterprise 12
SLES-12-030362 | V3R2 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | SUSE Linux Enterprise 12
SLES-12-030363 | V3R2 | The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SUSE Linux Enterprise 12
SLES-12-030364 | V3R2 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | SUSE Linux Enterprise 12
SLES-12-030365 | V3R2 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. | SUSE Linux Enterprise 12
SLES-12-010109 | V3R2 | The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. | SUSE Linux Enterprise 12
SLES-12-010221 | V3R2 | The SUSE operating system must not have accounts configured with blank or null passwords. | SUSE Linux Enterprise 12
SLES-15-010000 | V2R4 | The SUSE operating system must be a vendor-supported release. | SUSE Linux Enterprise 15
SLES-15-010010 | V2R4 | Vendor-packaged SUSE operating system security patches and updates must be installed and up to date. | SUSE Linux Enterprise 15
SLES-15-020080 | V2R4 | The SUSE operating system must display the date and time of the last successful account logon upon logon. | SUSE Linux Enterprise 15
SLES-15-020090 | V2R4 | The SUSE operating system must not have unnecessary accounts. | SUSE Linux Enterprise 15
SLES-15-020091 | V2R4 | The SUSE operating system must not have unnecessary account capabilities. | SUSE Linux Enterprise 15
SLES-15-020100 | V2R4 | The SUSE operating system root account must be the only account with unrestricted access to the system. | SUSE Linux Enterprise 15
SLES-15-020101 | V2R4 | The SUSE operating system must restrict privilege elevation to authorized personnel. | SUSE Linux Enterprise 15
SLES-15-020103 | V2R4 | The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo". | SUSE Linux Enterprise 15
SLES-15-020110 | V2R4 | All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory. | SUSE Linux Enterprise 15
SLES-15-020120 | V2R4 | The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon. | SUSE Linux Enterprise 15
SLES-15-020300 | V2R4 | The SUSE operating system must not be configured to allow blank or null passwords. | SUSE Linux Enterprise 15
SLES-15-030810 | V2R4 | The SUSE operating system must use a separate file system for the system audit data path. | SUSE Linux Enterprise 15
SLES-15-030820 | V2R4 | The SUSE operating system must not disable syscall auditing. | SUSE Linux Enterprise 15
SLES-15-040020 | V2R4 | There must be no .shosts files on the SUSE operating system. | SUSE Linux Enterprise 15
SLES-15-040030 | V2R4 | There must be no shosts.equiv files on the SUSE operating system. | SUSE Linux Enterprise 15
SLES-15-040040 | V2R4 | The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs). | SUSE Linux Enterprise 15
SLES-15-040050 | V2R4 | The SUSE operating system file integrity tool must be configured to verify extended attributes. | SUSE Linux Enterprise 15
SLES-15-040060 | V2R4 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. | SUSE Linux Enterprise 15
SLES-15-040061 | V2R4 | The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces. | SUSE Linux Enterprise 15
SLES-15-040062 | V2R4 | The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence. | SUSE Linux Enterprise 15
SLES-15-040070 | V2R4 | All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file. | SUSE Linux Enterprise 15
SLES-15-040080 | V2R4 | All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist. | SUSE Linux Enterprise 15
SLES-15-040090 | V2R4 | All SUSE operating system local interactive user home directories must have mode 0750 or less permissive. | SUSE Linux Enterprise 15
SLES-15-040100 | V2R4 | All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group. | SUSE Linux Enterprise 15
SLES-15-040110 | V2R4 | All SUSE operating system local initialization files must have mode 0740 or less permissive. | SUSE Linux Enterprise 15
SLES-15-040120 | V2R4 | All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory. | SUSE Linux Enterprise 15
SLES-15-040130 | V2R4 | All SUSE operating system local initialization files must not execute world-writable programs. | SUSE Linux Enterprise 15
SLES-15-040140 | V2R4 | SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 15
SLES-15-040150 | V2R4 | SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 15
SLES-15-040160 | V2R4 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. | SUSE Linux Enterprise 15
SLES-15-040170 | V2R4 | SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. | SUSE Linux Enterprise 15
SLES-15-040180 | V2R4 | All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group. | SUSE Linux Enterprise 15
SLES-15-040190 | V2R4 | SUSE operating system kernel core dumps must be disabled unless needed. | SUSE Linux Enterprise 15
SLES-15-040200 | V2R4 | A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent). | SUSE Linux Enterprise 15
SLES-15-040210 | V2R4 | The SUSE operating system must use a separate file system for /var. | SUSE Linux Enterprise 15
SLES-15-040220 | V2R4 | The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. | SUSE Linux Enterprise 15
SLES-15-040230 | V2R4 | The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication. | SUSE Linux Enterprise 15
SLES-15-040240 | V2R4 | The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive. | SUSE Linux Enterprise 15
SLES-15-040250 | V2R4 | The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive. | SUSE Linux Enterprise 15
SLES-15-040260 | V2R4 | The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files. | SUSE Linux Enterprise 15
SLES-15-040290 | V2R4 | The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements. | SUSE Linux Enterprise 15
SLES-15-040300 | V2R4 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. | SUSE Linux Enterprise 15
SLES-15-040310 | V2R4 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets. | SUSE Linux Enterprise 15
SLES-15-040320 | V2R4 | The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | SUSE Linux Enterprise 15
SLES-15-040321 | V2R4 | The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default. | SUSE Linux Enterprise 15
SLES-15-040330 | V2R4 | The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SUSE Linux Enterprise 15
SLES-15-040340 | V2R4 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 15
SLES-15-040341 | V2R4 | The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | SUSE Linux Enterprise 15
SLES-15-040350 | V2R4 | The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 15
SLES-15-040360 | V2R4 | The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default. | SUSE Linux Enterprise 15
SLES-15-040370 | V2R4 | The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | SUSE Linux Enterprise 15
SLES-15-040380 | V2R4 | The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router. | SUSE Linux Enterprise 15
SLES-15-040381 | V2R4 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router. | SUSE Linux Enterprise 15
SLES-15-040382 | V2R4 | The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router. | SUSE Linux Enterprise 15
SLES-15-040390 | V2R4 | The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented. | SUSE Linux Enterprise 15
SLES-15-040400 | V2R4 | All SUSE operating system files and directories must have a valid owner. | SUSE Linux Enterprise 15
SLES-15-040410 | V2R4 | All SUSE operating system files and directories must have a valid group owner. | SUSE Linux Enterprise 15
SLES-15-020099 | V2R4 | The SUSE operating system must specify the default "include" directory for the /etc/sudoers file. | SUSE Linux Enterprise 15
SLES-15-020181 | V2R4 | The SUSE operating system must not have accounts configured with blank or null passwords. | SUSE Linux Enterprise 15
TOSS-04-010330 | V2R3 | For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Tri-Lab Operating System Stack
TOSS-04-010340 | V2R3 | The debug-shell systemd service must be disabled on TOSS. | Tri-Lab Operating System Stack
TOSS-04-010350 | V2R3 | The root account must be the only account having unrestricted access to the TOSS system. | Tri-Lab Operating System Stack
TOSS-04-010360 | V2R3 | The systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled. | Tri-Lab Operating System Stack
TOSS-04-010370 | V2R3 | There must be no ".shosts" files on the TOSS operating system. | Tri-Lab Operating System Stack
TOSS-04-010380 | V2R3 | TOSS must not allow blank or null passwords in the system-auth file. | Tri-Lab Operating System Stack
TOSS-04-010390 | V2R3 | TOSS must not be performing packet forwarding unless the system is a router. | Tri-Lab Operating System Stack
TOSS-04-010400 | V2R3 | The TOSS SSH daemon must not allow authentication using known hosts authentication. | Tri-Lab Operating System Stack
TOSS-04-010410 | V2R3 | The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication. | Tri-Lab Operating System Stack
TOSS-04-010420 | V2R3 | The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements. | Tri-Lab Operating System Stack
TOSS-04-020200 | V2R3 | All TOSS local interactive user accounts must be assigned a home directory upon creation. | Tri-Lab Operating System Stack
TOSS-04-020210 | V2R3 | All TOSS local interactive user home directories must be group-owned by the home directory owner's primary group. | Tri-Lab Operating System Stack
TOSS-04-020230 | V2R3 | All TOSS local interactive users must have a home directory assigned in the /etc/passwd file. | Tri-Lab Operating System Stack
TOSS-04-020240 | V2R3 | The x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed. | Tri-Lab Operating System Stack
TOSS-04-020250 | V2R3 | TOSS must disable the user list at logon for graphical user interfaces. | Tri-Lab Operating System Stack
TOSS-04-020260 | V2R3 | TOSS must display the date and time of the last successful account logon upon an SSH logon. | Tri-Lab Operating System Stack
TOSS-04-020270 | V2R3 | TOSS must not allow accounts configured with blank or null passwords. | Tri-Lab Operating System Stack
TOSS-04-020280 | V2R3 | TOSS must not have unnecessary accounts. | Tri-Lab Operating System Stack
TOSS-04-031340 | V2R3 | The auditd service must be running in TOSS. | Tri-Lab Operating System Stack
TOSS-04-031350 | V2R3 | The TOSS audit system must audit local events. | Tri-Lab Operating System Stack
TOSS-04-031360 | V2R3 | TOSS must resolve audit information before writing to disk. | Tri-Lab Operating System Stack
TOSS-04-031370 | V2R3 | TOSS must have the packages required for offloading audit logs installed. | Tri-Lab Operating System Stack
TOSS-04-031380 | V2R3 | TOSS must have the packages required for encrypting offloaded audit logs installed. | Tri-Lab Operating System Stack
TOSS-04-040560 | V2R3 | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS. | Tri-Lab Operating System Stack
TOSS-04-040570 | V2R3 | All TOSS local files and directories must have a valid group owner. | Tri-Lab Operating System Stack
TOSS-04-040580 | V2R3 | All TOSS local files and directories must have a valid owner. | Tri-Lab Operating System Stack
TOSS-04-040590 | V2R3 | Cron logging must be implemented in TOSS. | Tri-Lab Operating System Stack
TOSS-04-040600 | V2R3 | If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode. | Tri-Lab Operating System Stack
TOSS-04-040610 | V2R3 | The graphical display manager must not be installed on TOSS unless approved. | Tri-Lab Operating System Stack
TOSS-04-040630 | V2R3 | The TOSS file integrity tool must be configured to verify Access Control Lists (ACLs). | Tri-Lab Operating System Stack
TOSS-04-040640 | V2R3 | The TOSS file integrity tool must be configured to verify extended attributes. | Tri-Lab Operating System Stack
TOSS-04-040650 | V2R3 | The TOSS SSH daemon must perform strict mode checking of home directory configuration files. | Tri-Lab Operating System Stack
TOSS-04-040660 | V2R3 | The TOSS SSH private host key files must have mode 0600 or less permissive. | Tri-Lab Operating System Stack
TOSS-04-040670 | V2R3 | The TOSS SSH public host key files must have mode 0644 or less permissive. | Tri-Lab Operating System Stack
TOSS-04-040680 | V2R3 | The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS. | Tri-Lab Operating System Stack
TOSS-04-040690 | V2R3 | TOSS must be a vendor-supported release. | Tri-Lab Operating System Stack
TOSS-04-040700 | V2R3 | TOSS must be configured to prevent unrestricted mail relaying. | Tri-Lab Operating System Stack
TOSS-04-040710 | V2R3 | TOSS must define default permissions for logon and non-logon shells. | Tri-Lab Operating System Stack
TOSS-04-040720 | V2R3 | TOSS must disable access to network bpf syscall from unprivileged processes. | Tri-Lab Operating System Stack
TOSS-04-040730 | V2R3 | TOSS must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Tri-Lab Operating System Stack
TOSS-04-040740 | V2R3 | TOSS must enable the hardware random number generator entropy gatherer service. | Tri-Lab Operating System Stack
TOSS-04-040750 | V2R3 | TOSS must ensure the SSH server uses strong entropy. | Tri-Lab Operating System Stack
TOSS-04-040760 | V2R3 | TOSS must have the packages required to use the hardware random number generator entropy gatherer service. | Tri-Lab Operating System Stack
TOSS-04-040770 | V2R3 | TOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Tri-Lab Operating System Stack
TOSS-04-040780 | V2R3 | TOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Tri-Lab Operating System Stack
TOSS-04-040790V2R3TOSS must not accept router advertisements on all IPv6 interfaces by default.Tri-Lab Operating System Stack
TOSS-04-040800V2R3TOSS must not accept router advertisements on all IPv6 interfaces.Tri-Lab Operating System Stack
TOSS-04-040810V2R3TOSS must not allow blank or null passwords in the password-auth file.Tri-Lab Operating System Stack
TOSS-04-040820V2R3TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.Tri-Lab Operating System Stack
TOSS-04-040830V2R3TOSS must not forward IPv4 source-routed packets by default.Tri-Lab Operating System Stack
TOSS-04-040840V2R3TOSS must not forward IPv4 source-routed packets.Tri-Lab Operating System Stack
TOSS-04-040850V2R3TOSS must not forward IPv6 source-routed packets by default.Tri-Lab Operating System Stack
TOSS-04-040860V2R3TOSS must not forward IPv6 source-routed packets.Tri-Lab Operating System Stack
TOSS-04-040870V2R3TOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.Tri-Lab Operating System Stack
TOSS-04-040880V2R3TOSS must not send Internet Control Message Protocol (ICMP) redirects.Tri-Lab Operating System Stack
TOSS-04-040890V2R3TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Tri-Lab Operating System Stack
TOSS-04-040900V2R3TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.Tri-Lab Operating System Stack
TOSS-04-040910V2R3TOSS must restrict exposed kernel pointer addresses access.Tri-Lab Operating System Stack
TOSS-04-040920V2R3TOSS must restrict privilege elevation to authorized personnel.Tri-Lab Operating System Stack
TOSS-04-040930V2R3TOSS must use reverse path filtering on all IPv4 interfaces.Tri-Lab Operating System Stack
TOSS-04-040940V2R3TOSS network interfaces must not be in promiscuous mode.Tri-Lab Operating System Stack
UBTU-18-010032V2R15The Ubuntu operating system must display the date and time of the last successful account logon upon logon.Ubuntu 18.04
UBTU-18-010150V2R15The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.Ubuntu 18.04
UBTU-18-010151V2R15The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.Ubuntu 18.04
UBTU-18-010418V2R15The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.Ubuntu 18.04
UBTU-18-010419V2R15The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.Ubuntu 18.04
UBTU-18-010450V2R15All local interactive user home directories defined in the /etc/passwd file must exist.Ubuntu 18.04
UBTU-18-010451V2R15All local interactive user home directories must have mode 0750 or less permissive.Ubuntu 18.04
UBTU-18-010452 | V2R15 | All local interactive user home directories must be group-owned by the home directory owner's primary group. | Ubuntu 18.04
UBTU-18-010522 | V2R15 | The Ubuntu operating system must not have accounts configured with blank or null passwords. | Ubuntu 18.04
UBTU-18-010523 | V2R15 | The Ubuntu operating system must not allow accounts configured with blank or null passwords. | Ubuntu 18.04
UBTU-18-999999 | V2R15 | The Ubuntu operating system must be a vendor supported release. | Ubuntu 18.04
UBTU-20-010048 | V2R3 | The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Ubuntu 20.04
UBTU-20-010049 | V2R3 | The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | Ubuntu 20.04
UBTU-20-010453 | V2R3 | The Ubuntu operating system must display the date and time of the last successful account logon upon logon. | Ubuntu 20.04
UBTU-20-010459 | V2R3 | The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. | Ubuntu 20.04
UBTU-20-010460 | V2R3 | The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. | Ubuntu 20.04
UBTU-20-010462 | V2R3 | The Ubuntu operating system must not have accounts configured with blank or null passwords. | Ubuntu 20.04
UBTU-20-010463 | V2R3 | The Ubuntu operating system must not allow accounts configured with blank or null passwords. | Ubuntu 20.04
UBTU-22-211015 | V2R6 | Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence. | Ubuntu 22.04
UBTU-22-215015 | V2R6 | Ubuntu 22.04 LTS must have the "chrony" package installed. | Ubuntu 22.04
UBTU-22-215020 | V2R6 | Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed. | Ubuntu 22.04
UBTU-22-215025 | V2R6 | Ubuntu 22.04 LTS must not have the "ntp" package installed. | Ubuntu 22.04
UBTU-22-255040 | V2R6 | Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Ubuntu 22.04
UBTU-22-255045 | V2R6 | Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display. | Ubuntu 22.04
UBTU-22-271030 | V2R6 | Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. | Ubuntu 22.04
UBTU-22-611060 | V2R6 | Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords. | Ubuntu 22.04
UBTU-22-611065 | V2R6 | Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords. | Ubuntu 22.04
UBTU-22-654190 | V2R6 | Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files. | Ubuntu 22.04
UBTU-22-211000 | V2R6 | Ubuntu 22.04 LTS must be a vendor-supported release. | Ubuntu 22.04
UBTU-24-100010 | V1R1 | Ubuntu 24.04 LTS must not have the "systemd-timesyncd" package installed. | Ubuntu 24.04
UBTU-24-100020 | V1R1 | Ubuntu 24.04 LTS must not have the "ntp" package installed. | Ubuntu 24.04
UBTU-24-100700 | V1R1 | Ubuntu 24.04 LTS must have the "chrony" package installed. | Ubuntu 24.04
UBTU-24-300021 | V1R1 | Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles. | Ubuntu 24.04
UBTU-24-300022 | V1R1 | Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Ubuntu 24.04
UBTU-24-300023 | V1R1 | Ubuntu 24.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display. | Ubuntu 24.04
UBTU-24-300024 | V1R1 | Ubuntu 24.04 LTS must display the date and time of the last successful account logon upon logon. | Ubuntu 24.04
UBTU-24-300025 | V1R1 | Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. | Ubuntu 24.04
UBTU-24-300026 | V1R1 | Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence. | Ubuntu 24.04
UBTU-24-300027 | V1R1 | Ubuntu 24.04 LTS must not have accounts configured with blank or null passwords. | Ubuntu 24.04
UBTU-24-300028 | V1R1 | Ubuntu 24.04 LTS must not allow accounts configured in Pluggable Authentication Modules (PAM) with blank or null passwords. | Ubuntu 24.04
UBTU-24-300029 | V1R1 | Ubuntu 24.04 LTS must generate audit records for all events that affect the systemd journal files. | Ubuntu 24.04
WN10-00-000005 | V3R4 | Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. | Microsoft Windows 10
WN10-00-000010 | V3R4 | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Microsoft Windows 10
WN10-00-000015 | V3R4 | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | Microsoft Windows 10
WN10-00-000020 | V3R4 | Secure Boot must be enabled on Windows 10 systems. | Microsoft Windows 10
WN10-00-000040 | V3R4 | Windows 10 systems must be maintained at a supported servicing level. | Microsoft Windows 10
WN10-00-000045 | V3R4 | The Windows 10 system must use an anti-virus program. | Microsoft Windows 10
WN10-00-000055 | V3R4 | Alternate operating systems must not be permitted on the same system. | Microsoft Windows 10
WN10-00-000075 | V3R4 | Only accounts responsible for the backup operations must be members of the Backup Operators group. | Microsoft Windows 10
WN10-00-000085 | V3R4 | Standard local user accounts must not exist on a system in a domain. | Microsoft Windows 10
WN10-00-000130 | V3R4 | Software certificate installation files must be removed from Windows 10. | Microsoft Windows 10
WN10-00-000135 | V3R4 | A host-based firewall must be installed and enabled on the system. | Microsoft Windows 10
WN10-00-000140 | V3R4 | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. | Microsoft Windows 10
WN10-00-000190 | V3R4 | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. | Microsoft Windows 10
WN10-00-000230 | V3R4 | The system must notify the user when a Bluetooth device attempts to connect. | Microsoft Windows 10
WN10-00-000240 | V3R4 | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Microsoft Windows 10
WN10-CC-000020 | V3R4 | IPv6 source routing must be configured to highest protection. | Microsoft Windows 10
WN10-CC-000025 | V3R4 | The system must be configured to prevent IP source routing. | Microsoft Windows 10
WN10-CC-000030 | V3R4 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Microsoft Windows 10
WN10-CC-000040 | V3R4 | Insecure logons to an SMB server must be disabled. | Microsoft Windows 10
WN10-CC-000055 | V3R4 | Simultaneous connections to the internet or a Windows domain must be limited. | Microsoft Windows 10
WN10-CC-000060 | V3R4 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Microsoft Windows 10
WN10-CC-000065 | V3R4 | Wi-Fi Sense must be disabled. | Microsoft Windows 10
WN10-CC-000068 | V3R4 | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. | Microsoft Windows 10
WN10-CC-000070 | V3R4 | Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Microsoft Windows 10
WN10-CC-000075 | V3R4 | Credential Guard must be running on Windows 10 domain-joined systems. | Microsoft Windows 10
WN10-CC-000085 | V3R4 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. | Microsoft Windows 10
WN10-CC-000090 | V3R4 | Group Policy objects must be reprocessed even if they have not changed. | Microsoft Windows 10
WN10-CC-000115 | V3R4 | Systems must at least attempt device authentication using certificates. | Microsoft Windows 10
WN10-CC-000170 | V3R4 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Microsoft Windows 10
WN10-CC-000195 | V3R4 | Enhanced anti-spoofing for facial recognition must be enabled on Windows 10. | Microsoft Windows 10
WN10-CC-000204 | V3R4 | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. | Microsoft Windows 10
WN10-CC-000205 | V3R4 | Windows Telemetry must not be configured to Full. | Microsoft Windows 10
WN10-CC-000206 | V3R4 | Windows Update must not obtain updates from other PCs on the internet. | Microsoft Windows 10
WN10-CC-000225 | V3R4 | File Explorer shell protocol must run in protected mode. | Microsoft Windows 10
WN10-CC-000230 | V3R4 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. | Microsoft Windows 10
WN10-CC-000235 | V3R4 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. | Microsoft Windows 10
WN10-CC-000238 | V3R4 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Microsoft Windows 10
WN10-CC-000245 | V3R4 | The password manager function in the Edge browser must be disabled. | Microsoft Windows 10
WN10-CC-000250 | V3R4 | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | Microsoft Windows 10
WN10-CC-000255 | V3R4 | The use of a hardware security device with Windows Hello for Business must be enabled. | Microsoft Windows 10
WN10-CC-000260 | V3R4 | Windows 10 must be configured to require a minimum pin length of six characters or greater. | Microsoft Windows 10
WN10-CC-000295 | V3R4 | Attachments must be prevented from being downloaded from RSS feeds. | Microsoft Windows 10
WN10-CC-000320 | V3R4 | Users must be notified if a web-based program attempts to install software. | Microsoft Windows 10
WN10-SO-000015 | V3R4 | Local accounts with blank passwords must be restricted to prevent access from the network. | Microsoft Windows 10
WN10-SO-000020 | V3R4 | The built-in administrator account must be renamed. | Microsoft Windows 10
WN10-SO-000025 | V3R4 | The built-in guest account must be renamed. | Microsoft Windows 10
WN10-SO-000050 | V3R4 | The computer account password must not be prevented from being reset. | Microsoft Windows 10
WN10-SO-000055 | V3R4 | The maximum age for machine account passwords must be configured to 30 days or less. | Microsoft Windows 10
WN10-SO-000085 | V3R4 | Caching of logon credentials must be limited. | Microsoft Windows 10
WN10-SO-000095 | V3R4 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Microsoft Windows 10
WN10-SO-000140 | V3R4 | Anonymous SID/Name translation must not be allowed. | Microsoft Windows 10
WN10-SO-000145 | V3R4 | Anonymous enumeration of SAM accounts must not be allowed. | Microsoft Windows 10
WN10-SO-000160 | V3R4 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Microsoft Windows 10
WN10-SO-000180 | V3R4 | NTLM must be prevented from falling back to a Null session. | Microsoft Windows 10
WN10-SO-000185 | V3R4 | PKU2U authentication using online identities must be prevented. | Microsoft Windows 10
WN10-SO-000205 | V3R4 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Microsoft Windows 10
WN10-SO-000210 | V3R4 | The system must be configured to the required LDAP client signing level. | Microsoft Windows 10
WN10-SO-000215 | V3R4 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Microsoft Windows 10
WN10-SO-000220 | V3R4 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Microsoft Windows 10
WN10-SO-000240 | V3R4 | The default permissions of global system objects must be increased. | Microsoft Windows 10
WN10-UC-000020 | V3R4 | Zone information must be preserved when saving attachments. | Microsoft Windows 10
WN10-CC-000050 | V3R4 | Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Microsoft Windows 10
WN10-CC-000080 | V3R4 | Virtualization-based protection of code integrity must be enabled. | Microsoft Windows 10
WN10-00-000395 | V3R4 | Windows 10 must not have portproxy enabled or in use. | Microsoft Windows 10
WN10-CC-000063 | V3R4 | Windows 10 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance. | Microsoft Windows 10
WN11-00-000005 | V2R5 | Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version. | Microsoft Windows 11
WN11-00-000040 | V2R5 | Windows 11 systems must be maintained at a supported servicing level. | Microsoft Windows 11
WN11-00-000045 | V2R5 | The Windows 11 system must use an antivirus program. | Microsoft Windows 11
WN11-00-000055 | V2R5 | Alternate operating systems must not be permitted on the same system. | Microsoft Windows 11
WN11-00-000075 | V2R5 | Only accounts responsible for the backup operations must be members of the Backup Operators group. | Microsoft Windows 11
WN11-00-000085 | V2R5 | Standard local user accounts must not exist on a system in a domain. | Microsoft Windows 11
WN11-00-000130 | V2R5 | Software certificate installation files must be removed from Windows 11. | Microsoft Windows 11
WN11-00-000135 | V2R5 | A host-based firewall must be installed and enabled on the system. | Microsoft Windows 11
WN11-00-000190 | V2R5 | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11. | Microsoft Windows 11
WN11-00-000230 | V2R5 | The system must notify the user when a Bluetooth device attempts to connect. | Microsoft Windows 11
WN11-00-000240 | V2R5 | Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | Microsoft Windows 11
WN11-CC-000020 | V2R5 | IPv6 source routing must be configured to highest protection. | Microsoft Windows 11
WN11-CC-000025 | V2R5 | The system must be configured to prevent IP source routing. | Microsoft Windows 11
WN11-CC-000030 | V2R5 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Microsoft Windows 11
WN11-CC-000040 | V2R5 | Insecure logons to an SMB server must be disabled. | Microsoft Windows 11
WN11-CC-000050 | V2R5 | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Microsoft Windows 11
WN11-CC-000060 | V2R5 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Microsoft Windows 11
WN11-CC-000065 | V2R5 | Wi-Fi Sense must be disabled. | Microsoft Windows 11
WN11-CC-000068 | V2R5 | Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials. | Microsoft Windows 11
WN11-CC-000070 | V2R5 | Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Microsoft Windows 11
WN11-CC-000075 | V2R5 | Credential Guard must be running on Windows 11 domain-joined systems. | Microsoft Windows 11
WN11-CC-000080 | V2R5 | Virtualization-based protection of code integrity must be enabled. | Microsoft Windows 11
WN11-CC-000085 | V2R5 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. | Microsoft Windows 11
WN11-CC-000090 | V2R5 | Group Policy objects must be reprocessed even if they have not changed. | Microsoft Windows 11
WN11-CC-000115 | V2R5 | Systems must at least attempt device authentication using certificates. | Microsoft Windows 11
WN11-CC-000170 | V2R5 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Microsoft Windows 11
WN11-CC-000195 | V2R5 | Enhanced anti-spoofing for facial recognition must be enabled on Windows 11. | Microsoft Windows 11
WN11-CC-000204 | V2R5 | Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics. | Microsoft Windows 11
WN11-CC-000206 | V2R5 | Windows Update must not obtain updates from other PCs on the internet. | Microsoft Windows 11
WN11-CC-000225 | V2R5 | File Explorer shell protocol must run in protected mode. | Microsoft Windows 11
WN11-CC-000255 | V2R5 | The use of a hardware security device with Windows Hello for Business must be enabled. | Microsoft Windows 11
WN11-CC-000260 | V2R5 | Windows 11 must be configured to require a minimum pin length of six characters or greater. | Microsoft Windows 11
WN11-CC-000295 | V2R5 | Attachments must be prevented from being downloaded from RSS feeds. | Microsoft Windows 11
WN11-CC-000320 | V2R5 | Users must be notified if a web-based program attempts to install software. | Microsoft Windows 11
WN11-SO-000015 | V2R5 | Local accounts with blank passwords must be restricted to prevent access from the network. | Microsoft Windows 11
WN11-SO-000020 | V2R5 | The built-in administrator account must be renamed. | Microsoft Windows 11
WN11-SO-000025 | V2R5 | The built-in guest account must be renamed. | Microsoft Windows 11
WN11-SO-000050 | V2R5 | The computer account password must not be prevented from being reset. | Microsoft Windows 11
WN11-SO-000055 | V2R5 | The maximum age for machine account passwords must be configured to 30 days or less. | Microsoft Windows 11
WN11-SO-000085 | V2R5 | Caching of logon credentials must be limited. | Microsoft Windows 11
WN11-SO-000095 | V2R5 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Microsoft Windows 11
WN11-SO-000140 | V2R5 | Anonymous SID/Name translation must not be allowed. | Microsoft Windows 11
WN11-SO-000145 | V2R5 | Anonymous enumeration of SAM accounts must not be allowed. | Microsoft Windows 11
WN11-SO-000160 | V2R5 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Microsoft Windows 11
WN11-SO-000180 | V2R5 | NTLM must be prevented from falling back to a Null session. | Microsoft Windows 11
WN11-SO-000185 | V2R5 | PKU2U authentication using online identities must be prevented. | Microsoft Windows 11
WN11-SO-000205 | V2R5 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Microsoft Windows 11
WN11-SO-000210 | V2R5 | The system must be configured to the required LDAP client signing level. | Microsoft Windows 11
WN11-SO-000215 | V2R5 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Microsoft Windows 11
WN11-SO-000220 | V2R5 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Microsoft Windows 11
WN11-SO-000240 | V2R5 | The default permissions of global system objects must be increased. | Microsoft Windows 11
WN11-UC-000020 | V2R5 | Zone information must be preserved when saving attachments. | Microsoft Windows 11
WN11-00-000395 | V2R5 | Windows 11 must not have portproxy enabled or in use. | Microsoft Windows 11
WN11-CC-000063 | V2R5 | Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance. | Microsoft Windows 11
WN16-00-000010 | V2R9 | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Microsoft Windows Server 2016
WN16-00-000040 | V2R9 | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Microsoft Windows Server 2016
WN16-00-000050 | V2R9 | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Microsoft Windows Server 2016
WN16-00-000070 | V2R9 | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Microsoft Windows Server 2016
WN16-00-000100 | V2R9 | Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Microsoft Windows Server 2016
WN16-00-000110 | V2R9 | Systems must be maintained at a supported servicing level. | Microsoft Windows Server 2016
WN16-00-000120 | V2R9 | The Windows Server 2016 system must use an anti-virus program. | Microsoft Windows Server 2016
WN16-00-000140 | V2R9 | Servers must have a host-based intrusion detection or prevention system. | Microsoft Windows Server 2016
WN16-00-000270 | V2R9 | Software certificate installation files must be removed from Windows Server 2016. | Microsoft Windows Server 2016
WN16-00-000310 | V2R9 | A host-based firewall must be installed and enabled on the system. | Microsoft Windows Server 2016
WN16-00-000430 | V2R9 | FTP servers must be configured to prevent anonymous logons. | Microsoft Windows Server 2016
WN16-00-000440 | V2R9 | FTP servers must be configured to prevent access to the system drive. | Microsoft Windows Server 2016
WN16-00-000460 | V2R9 | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016. | Microsoft Windows Server 2016
WN16-00-000470 | V2R9 | Secure Boot must be enabled on Windows Server 2016 systems. | Microsoft Windows Server 2016
WN16-00-000480 | V2R9 | Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | Microsoft Windows Server 2016
WN16-CC-000040 | V2R9 | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Microsoft Windows Server 2016
WN16-CC-000050 | V2R9 | Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Microsoft Windows Server 2016
WN16-CC-000060 | V2R9 | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Microsoft Windows Server 2016
WN16-CC-000080 | V2R9 | Insecure logons to an SMB server must be disabled. | Microsoft Windows Server 2016
WN16-CC-000090 | V2R9 | Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Microsoft Windows Server 2016
WN16-CC-000110 | V2R9 | Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Microsoft Windows Server 2016
WN16-CC-000140 | V2R9 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Microsoft Windows Server 2016
WN16-CC-000150 | V2R9 | Group Policy objects must be reprocessed even if they have not changed. | Microsoft Windows Server 2016
WN16-CC-000210 | V2R9 | Users must be prompted to authenticate when the system wakes from sleep (on battery). | Microsoft Windows Server 2016
WN16-CC-000220 | V2R9 | Users must be prompted to authenticate when the system wakes from sleep (plugged in). | Microsoft Windows Server 2016
WN16-CC-000290 | V2R9 | Windows Telemetry must be configured to Security or Basic. | Microsoft Windows Server 2016
WN16-CC-000350 | V2R9 | Turning off File Explorer heap termination on corruption must be disabled. | Microsoft Windows Server 2016
WN16-CC-000360 | V2R9 | File Explorer shell protocol must run in protected mode. | Microsoft Windows Server 2016
WN16-CC-000420 | V2R9 | Attachments must be prevented from being downloaded from RSS feeds. | Microsoft Windows Server 2016
WN16-CC-000470 | V2R9 | Users must be notified if a web-based program attempts to install software. | Microsoft Windows Server 2016
WN16-DC-000150 | V2R9 | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. | Microsoft Windows Server 2016
WN16-DC-000330 | V2R9 | Domain controllers must be configured to allow reset of machine account passwords. | Microsoft Windows Server 2016
WN16-DC-000430 | V2R9 | The password for the krbtgt account on a domain must be reset at least every 180 days. | Microsoft Windows Server 2016
WN16-MS-000050 | V2R9 | Caching of logon credentials must be limited. | Microsoft Windows Server 2016
WN16-MS-000120 | V2R9 | Windows Server 2016 must be running Credential Guard on domain-joined member servers. | Microsoft Windows Server 2016
WN16-SO-000020 | V2R9 | Local accounts with blank passwords must be restricted to prevent access from the network. | Microsoft Windows Server 2016
WN16-SO-000030 | V2R9 | Windows Server 2016 built-in administrator account must be renamed. | Microsoft Windows Server 2016
WN16-SO-000040 | V2R9 | Windows Server 2016 built-in guest account must be renamed. | Microsoft Windows Server 2016
WN16-SO-000120 | V2R9 | The maximum age for machine account passwords must be configured to 30 days or less. | Microsoft Windows Server 2016
WN16-SO-000180 | V2R9 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Microsoft Windows Server 2016
WN16-SO-000250 | V2R9 | Anonymous SID/Name translation must not be allowed. | Microsoft Windows Server 2016
WN16-SO-000260 | V2R9 | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. | Microsoft Windows Server 2016
WN16-SO-000290 | V2R9 | Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Microsoft Windows Server 2016
WN16-SO-000320 | V2R9 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Microsoft Windows Server 2016
WN16-SO-000330 | V2R9 | NTLM must be prevented from falling back to a Null session. | Microsoft Windows Server 2016
WN16-SO-000340 | V2R9 | PKU2U authentication using online identities must be prevented. | Microsoft Windows Server 2016
WN16-SO-000380 | V2R9 | The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. | Microsoft Windows Server 2016
WN16-SO-000390 | V2R9 | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. | Microsoft Windows Server 2016
WN16-SO-000400 | V2R9 | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft Windows Server 2016
WN16-SO-000410 | V2R9 | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft Windows Server 2016
WN16-SO-000450 | V2R9 | The default permissions of global system objects must be strengthened. | Microsoft Windows Server 2016
WN16-UC-000030 | V2R9 | Zone information must be preserved when saving attachments. | Microsoft Windows Server 2016
WN19-00-000010 | V3R6 | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Microsoft Windows Server 2019
WN19-00-000030 | V3R6 | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Microsoft Windows Server 2019
WN19-00-000040 | V3R6 | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Microsoft Windows Server 2019
WN19-00-000060 | V3R6 | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Microsoft Windows Server 2019
WN19-00-000090 | V3R6 | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Microsoft Windows Server 2019
WN19-00-000100 | V3R6 | Windows Server 2019 must be maintained at a supported servicing level. | Microsoft Windows Server 2019
WN19-00-000110 | V3R6 | Windows Server 2019 must use an anti-virus program. | Microsoft Windows Server 2019
WN19-00-000120 | V3R6 | Windows Server 2019 must have a host-based intrusion detection or prevention system. | Microsoft Windows Server 2019
WN19-00-000240 | V3R6 | Windows Server 2019 must have software certificate installation files removed. | Microsoft Windows Server 2019
WN19-00-000420 | V3R6 | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | Microsoft Windows Server 2019
WN19-00-000430 | V3R6 | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | Microsoft Windows Server 2019
WN19-00-000450 | V3R6 | Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights. | Microsoft Windows Server 2019
WN19-00-000460 | V3R6 | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | Microsoft Windows Server 2019
WN19-00-000470 | V3R6 | Windows Server 2019 must have Secure Boot enabled. | Microsoft Windows Server 2019
WN19-CC-000030 | V3R6 | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Microsoft Windows Server 2019
WN19-CC-000040 | V3R6 | Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Microsoft Windows Server 2019
WN19-CC-000050 | V3R6 | Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Microsoft Windows Server 2019
WN19-CC-000070 | V3R6 | Windows Server 2019 insecure logons to an SMB server must be disabled. | Microsoft Windows Server 2019
WN19-CC-000080 | V3R6 | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Microsoft Windows Server 2019
WN19-CC-000100 | V3R6 | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. | Microsoft Windows Server 2019
WN19-CC-000110 | V3R6 | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Microsoft Windows Server 2019
WN19-CC-000130V3R6Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.Microsoft Windows Server 2019
WN19-CC-000140V3R6Windows Server 2019 group policy objects must be reprocessed even if they have not changed.Microsoft Windows Server 2019
WN19-CC-000180V3R6Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).Microsoft Windows Server 2019
WN19-CC-000190V3R6Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).Microsoft Windows Server 2019
WN19-CC-000250V3R6Windows Server 2019 Telemetry must be configured to Security or Basic.Microsoft Windows Server 2019
WN19-CC-000260V3R6Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.Microsoft Windows Server 2019
WN19-CC-000320V3R6Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.Microsoft Windows Server 2019
WN19-CC-000330V3R6Windows Server 2019 File Explorer shell protocol must run in protected mode.Microsoft Windows Server 2019
WN19-CC-000390V3R6Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.Microsoft Windows Server 2019
WN19-CC-000440V3R6Windows Server 2019 users must be notified if a web-based program attempts to install software.Microsoft Windows Server 2019
WN19-DC-000150V3R6Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.Microsoft Windows Server 2019
WN19-DC-000330V3R6Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.Microsoft Windows Server 2019
WN19-DC-000430V3R6The password for the krbtgt account on a domain must be reset at least every 180 days.Microsoft Windows Server 2019
WN19-MS-000050V3R6Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.Microsoft Windows Server 2019
WN19-MS-000140V3R6Windows Server 2019 must be running Credential Guard on domain-joined member servers.Microsoft Windows Server 2019
WN19-SO-000020V3R6Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.Microsoft Windows Server 2019
WN19-SO-000030V3R6Windows Server 2019 built-in administrator account must be renamed.Microsoft Windows Server 2019
WN19-SO-000040V3R6Windows Server 2019 built-in guest account must be renamed.Microsoft Windows Server 2019
WN19-SO-000100V3R6Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.Microsoft Windows Server 2019
WN19-SO-000150V3R6Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.Microsoft Windows Server 2019
WN19-SO-000210V3R6Windows Server 2019 must not allow anonymous SID/Name translation.Microsoft Windows Server 2019
WN19-SO-000220V3R6Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.Microsoft Windows Server 2019
WN19-SO-000240V3R6Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.Microsoft Windows Server 2019
WN19-SO-000260V3R6Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.Microsoft Windows Server 2019
WN19-SO-000270V3R6Windows Server 2019 must prevent NTLM from falling back to a Null session.Microsoft Windows Server 2019
WN19-SO-000280V3R6Windows Server 2019 must prevent PKU2U authentication using online identities.Microsoft Windows Server 2019
WN19-SO-000310V3R6Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.Microsoft Windows Server 2019
WN19-SO-000320V3R6Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.Microsoft Windows Server 2019
WN19-SO-000330V3R6Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.Microsoft Windows Server 2019
WN19-SO-000340V3R6Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.Microsoft Windows Server 2019
WN19-SO-000370V3R6Windows Server 2019 default permissions of global system objects must be strengthened.Microsoft Windows Server 2019
WN19-UC-000010V3R6Windows Server 2019 must preserve zone information when saving attachments.Microsoft Windows Server 2019
WN19-00-000280V3R6Windows Server 2019 must have a host-based firewall installed and enabled.Microsoft Windows Server 2019
WN22-00-000010V2R6Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.Microsoft Windows Server 2022
WN22-00-000030V2R6Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.Microsoft Windows Server 2022
WN22-00-000040V2R6Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.Microsoft Windows Server 2022
WN22-00-000060V2R6Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.Microsoft Windows Server 2022
WN22-00-000090V2R6Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.Microsoft Windows Server 2022
WN22-00-000100V2R6Windows Server 2022 must be maintained at a supported servicing level.Microsoft Windows Server 2022
WN22-00-000110V2R6Windows Server 2022 must use an antivirus program.Microsoft Windows Server 2022
WN22-00-000120V2R6Windows Server 2022 must have a host-based intrusion detection or prevention system.Microsoft Windows Server 2022
WN22-00-000240V2R6Windows Server 2022 must have software certificate installation files removed.Microsoft Windows Server 2022
WN22-00-000280V2R6Windows Server 2022 must have a host-based firewall installed and enabled.Microsoft Windows Server 2022
WN22-00-000420V2R6Windows Server 2022 FTP servers must be configured to prevent anonymous logons.Microsoft Windows Server 2022
WN22-00-000430V2R6Windows Server 2022 FTP servers must be configured to prevent access to the system drive.Microsoft Windows Server 2022
WN22-00-000450V2R6Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.Microsoft Windows Server 2022
WN22-00-000460V2R6Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.Microsoft Windows Server 2022
WN22-00-000470V2R6Windows Server 2022 must have Secure Boot enabled.Microsoft Windows Server 2022
WN22-CC-000030V2R6Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.Microsoft Windows Server 2022
WN22-CC-000040V2R6Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.Microsoft Windows Server 2022
WN22-CC-000050V2R6Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.Microsoft Windows Server 2022
WN22-CC-000070V2R6Windows Server 2022 insecure logons to an SMB server must be disabled.Microsoft Windows Server 2022
WN22-CC-000080V2R6Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.Microsoft Windows Server 2022
WN22-CC-000100V2R6Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.Microsoft Windows Server 2022
WN22-CC-000110V2R6Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.Microsoft Windows Server 2022
WN22-CC-000130V2R6Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.Microsoft Windows Server 2022
WN22-CC-000140V2R6Windows Server 2022 group policy objects must be reprocessed even if they have not changed.Microsoft Windows Server 2022
WN22-CC-000180V2R6Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).Microsoft Windows Server 2022
WN22-CC-000190V2R6Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).Microsoft Windows Server 2022
WN22-CC-000250V2R6Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".Microsoft Windows Server 2022
WN22-CC-000260V2R6Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.Microsoft Windows Server 2022
WN22-CC-000320V2R6Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.Microsoft Windows Server 2022
WN22-CC-000330V2R6Windows Server 2022 File Explorer shell protocol must run in protected mode.Microsoft Windows Server 2022
WN22-CC-000390V2R6Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.Microsoft Windows Server 2022
WN22-CC-000440V2R6Windows Server 2022 users must be notified if a web-based program attempts to install software.Microsoft Windows Server 2022
WN22-DC-000150V2R6Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.Microsoft Windows Server 2022
WN22-DC-000330V2R6Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.Microsoft Windows Server 2022
WN22-DC-000430V2R6The password for the krbtgt account on a domain must be reset at least every 180 days.Microsoft Windows Server 2022
WN22-MS-000050V2R6Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.Microsoft Windows Server 2022
WN22-MS-000140V2R6Windows Server 2022 must be running Credential Guard on domain-joined member servers.Microsoft Windows Server 2022
WN22-SO-000020V2R6Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.Microsoft Windows Server 2022
WN22-SO-000030V2R6Windows Server 2022 built-in administrator account must be renamed.Microsoft Windows Server 2022
WN22-SO-000040V2R6Windows Server 2022 built-in guest account must be renamed.Microsoft Windows Server 2022
WN22-SO-000100V2R6Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.Microsoft Windows Server 2022
WN22-SO-000150V2R6Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.Microsoft Windows Server 2022
WN22-SO-000210V2R6Windows Server 2022 must not allow anonymous SID/Name translation.Microsoft Windows Server 2022
WN22-SO-000220V2R6Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.Microsoft Windows Server 2022
WN22-SO-000240V2R6Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.Microsoft Windows Server 2022
WN22-SO-000260V2R6Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.Microsoft Windows Server 2022
WN22-SO-000270V2R6Windows Server 2022 must prevent NTLM from falling back to a Null session.Microsoft Windows Server 2022
WN22-SO-000280V2R6Windows Server 2022 must prevent PKU2U authentication using online identities.Microsoft Windows Server 2022
WN22-SO-000310V2R6Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.Microsoft Windows Server 2022
WN22-SO-000320V2R6Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.Microsoft Windows Server 2022
WN22-SO-000330V2R6Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.Microsoft Windows Server 2022
WN22-SO-000340V2R6Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.Microsoft Windows Server 2022
WN22-SO-000370V2R6Windows Server 2022 default permissions of global system objects must be strengthened.Microsoft Windows Server 2022
WN22-UC-000010V2R6Windows Server 2022 must preserve zone information when saving attachments.Microsoft Windows Server 2022
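The Windows Server 2019 and 2022 rows above (and the three WN16-SO rows for LDAP signing and NTLM session security) map to a small set of registry-backed policy settings plus a few checks that are not registry values at all (Credential Guard state, krbtgt password age, hardened UNC paths). The read-only audit script below is an added example written for this page; it is not part of the STIG or of any DISA tooling. The registry paths, value names and expected values are the editor's own mapping of each control title to its underlying setting, keyed by the WN19 ID (the WN22 control with the same number uses the same setting); confirm them against the check text of the STIG version you are assessing before treating a result as a finding. It reports "Open" for a missing value, since an absent policy value means the default is in effect and the default is not what the control requires.

```powershell
# Added audit example for the WN19/WN22 controls listed above (not DISA's code).
# Registry locations and expected values are the editor's mapping; verify against
# the STIG check text. Run in an elevated PowerShell on the target server.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = "$Lsa\MSV1_0"
$Tcp4 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Tcp6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# One row per registry-backed control: STIG ID, key, value name, expected value, comparison.
$Checks = @(
  @{ Id='WN19-SO-000310'; Key=$Lsa;  Name='LmCompatibilityLevel';      Expect=5;          Op='eq' }  # NTLMv2 only, refuse LM/NTLM
  @{ Id='WN19-SO-000320'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expect=1; Op='ge' }  # 1 = negotiate, 2 = require
  @{ Id='WN19-SO-000330'; Key=$Msv;  Name='NTLMMinClientSec';          Expect=0x20080000; Op='eq' }  # NTLMv2 + 128-bit
  @{ Id='WN19-SO-000340'; Key=$Msv;  Name='NTLMMinServerSec';          Expect=0x20080000; Op='eq' }
  @{ Id='WN19-SO-000270'; Key=$Msv;  Name='allownullsessionfallback';  Expect=0;          Op='eq' }
  @{ Id='WN19-SO-000020'; Key=$Lsa;  Name='LimitBlankPasswordUse';     Expect=1;          Op='eq' }
  @{ Id='WN19-SO-000220'; Key=$Lsa;  Name='RestrictAnonymousSAM';      Expect=1;          Op='eq' }
  @{ Id='WN19-SO-000240'; Key=$Lsa;  Name='EveryoneIncludesAnonymous'; Expect=0;          Op='eq' }
  @{ Id='WN19-SO-000260'; Key=$Lsa;  Name='UseMachineId';              Expect=1;          Op='eq' }
  @{ Id='WN19-SO-000280'; Key="$Lsa\pku2u"; Name='AllowOnlineID';      Expect=0;          Op='eq' }
  @{ Id='WN19-SO-000370'; Key='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name='ProtectionMode'; Expect=1; Op='eq' }
  @{ Id='WN19-SO-000100'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='MaximumPasswordAge'; Expect=30; Op='le' }
  @{ Id='WN19-MS-000050'; Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='CachedLogonsCount'; Expect=4; Op='le' }  # REG_SZ
  @{ Id='WN19-CC-000040'; Key=$Tcp4; Name='DisableIPSourceRouting';    Expect=2;          Op='eq' }
  @{ Id='WN19-CC-000030'; Key=$Tcp6; Name='DisableIPSourceRouting';    Expect=2;          Op='eq' }
  @{ Id='WN19-CC-000050'; Key=$Tcp4; Name='EnableICMPRedirect';        Expect=0;          Op='eq' }
  @{ Id='WN19-CC-000070'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'; Name='AllowInsecureGuestAuth'; Expect=0; Op='eq' }
)

function Test-StigRegistryValue {
  param([hashtable]$Check)
  # -ErrorAction SilentlyContinue returns $null when the key or the value is absent.
  $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) {
    return [pscustomobject]@{ Id=$Check.Id; Setting=$Check.Name; Actual='<missing>'; Status='Open' }
  }
  $actual = [int64]$item.($Check.Name)      # CachedLogonsCount is REG_SZ, so coerce
  $ok = switch ($Check.Op) {
    'eq' { $actual -eq $Check.Expect }
    'ge' { $actual -ge $Check.Expect }
    'le' { $actual -le $Check.Expect }
  }
  [pscustomobject]@{ Id=$Check.Id; Setting=$Check.Name; Actual=$actual
                     Status=$(if ($ok) { 'NotAFinding' } else { 'Open' }) }
}

function Test-HardenedUncPaths {
  # WN19-CC-000080: both shares must carry RequireMutualAuthentication=1 and RequireIntegrity=1.
  $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' -ErrorAction SilentlyContinue
  foreach ($share in '\\*\SYSVOL', '\\*\NETLOGON') {
    $v  = if ($props) { $props.$share } else { $null }
    $ok = ($v -match 'RequireMutualAuthentication\s*=\s*1') -and ($v -match 'RequireIntegrity\s*=\s*1')
    [pscustomobject]@{ Id='WN19-CC-000080'; Setting=$share; Actual=$(if ($v) { $v } else { '<missing>' })
                       Status=$(if ($ok) { 'NotAFinding' } else { 'Open' }) }
  }
}

function Test-CredentialGuardRunning {
  # WN19-MS-000140: SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI).
  $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
  return ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
}

function Test-KrbtgtPasswordAge {
  # WN19-DC-000430: only meaningful on a domain controller or a host with the AD module.
  param([int]$MaxDays = 180)
  Import-Module ActiveDirectory -ErrorAction Stop
  $k   = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
  $age = (Get-Date) - $k.PasswordLastSet
  [pscustomobject]@{ Id='WN19-DC-000430'; Setting='krbtgt PasswordLastSet'; Actual="$([int]$age.TotalDays) days"
                     Status=$(if ($age.TotalDays -le $MaxDays) { 'NotAFinding' } else { 'Open' }) }
}

$results  = @(foreach ($c in $Checks) { Test-StigRegistryValue -Check $c })
$results += Test-HardenedUncPaths
$cg = Test-CredentialGuardRunning
$results += [pscustomobject]@{ Id='WN19-MS-000140'; Setting='Credential Guard running'; Actual=$cg
                               Status=$(if ($cg) { 'NotAFinding' } else { 'Open' }) }
if (Get-Module -ListAvailable ActiveDirectory) { $results += Test-KrbtgtPasswordAge }
$results | Format-Table Id, Setting, Actual, Status -AutoSize
```

A few of the listed controls are deliberately not in the table because they are not single registry values: the separate-account requirements (WN19-00-000010/-000030/-000040), the renamed built-in accounts (WN19-SO-000030/-000040, which depend on the site's chosen names), and the UEFI/Secure Boot/TPM hardware checks, which are better confirmed with Confirm-SecureBootUEFI and Get-Tpm than with a registry read. Treat the script's output as a triage list, not as the assessment of record; the STIG check text remains authoritative for each ID.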