Definition of Red Hat Enterprise Linux 10 Security Technical Implementation Guide for rhel10
based on https://www.cyber.mil/stigs/downloads/
RHEL-10-700970: RHEL 10 must disable the debug-shell systemd service.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-001020: RHEL 10 must ensure cryptographic verification of vendor software packages.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-001030: RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating from external software repositories before installation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-001040: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-001050: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000510: RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information on local disk partitions that requires at-rest protection.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000520: RHEL 10 must use a separate file system for the system audit data path.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000530: RHEL 10 must use a separate file system for user home directories (such as "/home" or an equivalent).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000540: RHEL 10 must use a separate file system for "/tmp".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000550: RHEL 10 must use a separate file system for "/var".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000560: RHEL 10 must use a separate file system for "/var/log".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000570: RHEL 10 must use a separate file system for "/var/tmp".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200000: RHEL 10 must remove all software components after updated versions have been installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200010: RHEL 10 must not have the "nfs-utils" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200020: RHEL 10 must not have the "telnet-server" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200030: RHEL 10 must not have the "gssproxy" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200040: RHEL 10 must not have the tuned package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200050: RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200060: RHEL 10 must not have the unbound package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200070: RHEL 10 must not have the "tftp" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200080: RHEL 10 must not have the "gdm" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200090: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200500: RHEL 10 must have the "subscription-manager" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200510: RHEL 10 must have the "nss-tools" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200520: RHEL 10 must have the "s-nail" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200530: RHEL 10 must have the "firewalld" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200531: RHEL 10 must have the "firewalld" service set to active.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200532: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200540: RHEL 10 must have the "chrony" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200541: RHEL 10 must enable the chronyd service.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200542: RHEL 10 must disable the chrony daemon from acting as a server.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200543: RHEL 10 must disable network management of the chrony daemon.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200560: RHEL 10 must have the USBGuard package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200561: RHEL 10 must have the USBGuard package enabled.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200562: RHEL 10 must block unauthorized peripherals before establishing a connection.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200563: RHEL 10 must enable audit logging for the USBGuard daemon.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200570: RHEL 10 must have the "policycoreutils" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200580: RHEL 10 must have the "policycoreutils-python-utils" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200590: RHEL 10 must have the "sudo" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200600: RHEL 10 must have the "fapolicy" module installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200601: RHEL 10 must enable the "fapolicy" module.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200602: RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Description: None
Levels:
Automated: yes
Selections:
- fapolicy_default_deny: Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
RHEL-10-200610: RHEL 10 must have the "pcsc-lite" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200611: RHEL 10 must have the "pcscd" service set to active.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200612: RHEL 10 must have the "pcsc-lite-ccid" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200620: RHEL 10 must have the "opensc" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200621: RHEL 10 must use the common access card (CAC) smart card driver.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200630: RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200631: RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200632: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200633: RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200634: RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200635: RHEL 10 must be configured so that the file integrity tool verifies extended attributes.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200640: RHEL 10 must have the "rsyslog" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200641: RHEL 10 must have the rsyslog service set to active.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200642: RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) to a different system or media from the system being audited via rsyslog.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200643: RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
Description: None
Levels:
Automated: yes
Selections:
- rsyslog_nolisten: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
RHEL-10-200644: RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200645: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200646: RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200647: RHEL 10 must monitor all remote access methods.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200648: RHEL 10 must use cron logging.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200650: RHEL 10 must have the packages required for encrypting off-loaded audit logs installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200660: RHEL 10 must have the "audit" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200661: RHEL 10 must enable the audit service.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200662: RHEL 10 must have the "audispd-plugins" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200680: RHEL 10 must have the "libreswan" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200690: RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200691: RHEL 10 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200692: RHEL 10 must be configured to prevent unrestricted mail relaying.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200700: RHEL 10 must have the "cronie" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200720: RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200721: RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect the confidentiality and integrity of transmitted and received information.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200722: RHEL 10 must have the "openssh-clients" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200730: RHEL 10 must have the "pkcs11-provider" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-200740: RHEL 10 must have the "gnutls-utils" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300000: RHEL 10 must have the "crypto-policies" package installed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300010: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-000500: RHEL 10 must enable FIPS mode.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300030: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300040: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300050: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300060: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300070: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300080: RHEL 10 must implement DOD-approved encryption in the bind package.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-300090: RHEL 10 cryptographic policy must not be overridden.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400000: RHEL 10 must be configured so that the "/etc/group" file is owned by root.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400005: RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400010: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400015: RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400020: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400025: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400030: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400035: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400040: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400045: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400050: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400055: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400060: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400065: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400070: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400075: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400080: RHEL 10 must be configured so that the "/var/log" directory is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400085: RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400090: RHEL 10 must be configured so that the "/var/log/"messages file is owned by root.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400095: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400100: RHEL 10 must be configured so that system commands are owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400105: RHEL 10 must be configured so that system commands are group-owned by root or a system account.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400110: RHEL 10 must be configured so that library files are owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400115: RHEL 10 must be configured so that library files are group-owned by "root" or a system account.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400120: RHEL 10 must be configured so that library directories are owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400125: RHEL 10 must be configured so that library directories are group-owned by "root" or a system account.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400130: RHEL 10 must be configured so that cron configuration file directories are owned by root.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400135: RHEL 10 must be configured so that cron configuration files directories are group-owned by root.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400140: RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, or an application user.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400145: RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400150: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400155: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400160: RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400165: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging group to prevent unauthorized read access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400170: RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized read access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400175: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400180: RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log files to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400185: RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized access to the audit log.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400190: RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400195: RHEL 10 must enforce root ownership of the "/etc/audit/" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400200: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400205: RHEL 10 must enforce mode "755" or less permissive for system commands.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400210: RHEL 10 must enforce mode "755" or less permissive on library directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400215: RHEL 10 must enforce mode "755" or less permissive for library files.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400220: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400225: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400230: RHEL 10 must be configured to prohibit modification of permissions for cron configuration files and directories from the operating system defaults.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400235: RHEL 10 must enforce mode "0740" or less permissive for local initialization files.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400240: RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400245: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400250: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400255: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400260: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400265: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400270: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400275: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400280: RHEL 10 must be configured so that a sticky bit is set on all public directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400285: RHEL 10 must be configured so that all local files and directories have a valid group owner.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400290: RHEL 10 must be configured so that all local files and directories must have a valid owner.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400295: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400300: RHEL 10 must be configured so that audit tools are owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400305: RHEL 10 must be configured so that audit tools are group-owned by "root".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400310: RHEL 10 must set the umask value to "077" for all local interactive user accounts.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400315: RHEL 10 must define default permissions for the bash shell.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400320: RHEL 10 must define default permissions for the c shell.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400325: RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400330: RHEL 10 must define default permissions for the system default profile.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400335: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400340: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400345: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400350: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400355: RHEL 10 must prevent device files from being interpreted on file systems that contain user home directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400360: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400365: RHEL 10 must prevent code from being executed on file systems that contain user home directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400400: RHEL 10 must mount "/var/log/audit" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400405: RHEL 10 must mount "/var/log/audit" with the "noexec" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400410: RHEL 10 must mount "/var/log/audit" with the "nosuid" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400450: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-400500: RHEL 10 must prohibit local initialization files from executing world-writable programs.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500000: RHEL 10 must enable the systemd-journald service.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500005: RHEL 10 must enable auditing of processes that start prior to the audit daemon.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500010: RHEL 10 must audit local events.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500015: RHEL 10 must write audit records to disk.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500020: RHEL 10 must log username information when unsuccessful login attempts occur.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500025: RHEL 10 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500030: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500035: RHEL 10 must take appropriate action when a critical audit processing failure occurs.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500040: RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of the audit record storage capacity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500045: RHEL 10 must label all off-loaded audit logs before sending them to the central log server.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500100: RHEL 10 must allocate audit record storage capacity to store at least one week's worth of audit records.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500105: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500110: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500115: RHEL 10 must take appropriate action when the internal event queue is full.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500120: RHEL 10 must produce audit records containing information to establish the identity of any individual or process associated with the event.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500125: RHEL 10 must periodically flush audit records to disk to ensure that audit records are not lost.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500205: RHEL 10 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500210: RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500215: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500300: RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500310: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500320: RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500330: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500340: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500350: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500360: RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500370: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500380: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500390: RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500400: RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module" system call.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500410: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module" and "finit_module" system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500420: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500430: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500440: RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500450: RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500460: RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500470: RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500480: RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500490: RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500500: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500510: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500520: RHEL 10 must generate audit records for successful and unsuccessful uses of the ssh-agent command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500530: RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500540: RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500550: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500560: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500570: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500580: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500590: RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500600: RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500610: RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500620: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500630: RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500640: RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500650: RHEL 10 must generate audit records for successful and unsuccessful uses of the shutdown command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500660: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount" system call.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500670: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" system call.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500680: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500690: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect the "/etc/sudoers.d/" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500700: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500710: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500720: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500730: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500740: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500750: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500760: RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500780: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and "fchmodat2" syscalls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500790: RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" syscalls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-500810: RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600000: RHEL 10 must require a boot loader superuser password.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600010: RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600020: RHEL 10 must not assign an interactive login shell for system accounts.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600100: RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime restriction for user account passwords in "/etc/login.defs".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600110: RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600120: RHEL 10 must assign a home directory for local interactive user accounts upon creation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600130: RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600140: RHEL 10 must automatically expire temporary accounts within 72 hours.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600150: RHEL 10 must assign a primary group to all interactive users.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600160: RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600170: RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600180: RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600190: RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" file must exist.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600200: RHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600210: RHEL 10 must enforce a 24-hours minimum password lifetime restriction for passwords for new users or password changes in "/etc/login.defs".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600220: RHEL 10 must enforce that passwords be created with a minimum of 15 characters.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600230: RHEL 10 must enforce password complexity by requiring at least one special character to be used.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600240: RHEL 10 must enforce password complexity by requiring that at least one lowercase character be used.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600250: RHEL 10 must enforce password complexity by requiring that at least one uppercase character be used.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600260: RHEL 10 must require the change of at least eight characters when passwords are changed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600270: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in "/etc/shadow".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600280: RHEL 10 must require the maximum number of repeating characters of the same character class to be limited to four when passwords are changed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600290: RHEL 10 must require that the maximum number of repeating characters be limited to three when passwords are changed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600300: RHEL 10 must require the change of at least four character classes when passwords are changed.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600310: RHEL 10 must enforce password complexity by requiring that at least one numeric character be used.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600320: RHEL 10 must prevent the use of dictionary words for passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600400: RHEL 10 must allow only the root account to have unrestricted access to the system.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600405: RHEL 10 must enforce password complexity rules for the "root" account.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600410: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600415: RHEL 10 must automatically lock the root account until the root account is released by an administrator when three unsuccessful login attempts occur during a 15-minute time period.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600420: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600425: RHEL 10 must maintain an account lock until the locked account is released by an administrator.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600430: RHEL 10 must ensure account lockouts persist.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600450: RHEL 10 must not have unauthorized accounts.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600455: RHEL 10 must not allow blank or null passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600460: RHEL 10 must not have accounts configured with blank or null passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600470: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600475: RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600485: RHEL 10 must ensure the password complexity module in the system-auth file is configured for three or fewer retries.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600500: RHEL 10 must restrict the use of the "su" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600510: RHEL 10 must be configured to not bypass password requirements for privilege escalation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600520: RHEL 10 must restrict privilege elevation to authorized personnel.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600530: RHEL 10 must require users to reauthenticate for privilege escalation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600540: RHEL 10 must require reauthentication when using the "sudo" command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600550: RHEL 10 must use the invoking user's password for privilege escalation when using "sudo".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600560: RHEL 10 must require users to provide a password for privilege escalation.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600600: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600610: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600620: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600630: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600640: RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600650: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600700: RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600710: RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600720: RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600730: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600740: RHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-600750: RHEL 10 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700010: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a Secure Shell (SSH) login.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700020: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700030: RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700040: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700100: RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700105: RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700110: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700115: RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700120: RHEL 10 must mount "/boot" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700125: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700130: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700135: RHEL 10 must mount "/dev/shm" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700140: RHEL 10 must mount "/dev/shm" with the "noexec" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700145: RHEL 10 must mount "/dev/shm" with the "nosuid" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700150: RHEL 10 must mount "/tmp" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700155: RHEL 10 must mount "/tmp" with the "noexec" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700160: RHEL 10 must mount "/tmp" with the "nosuid" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700165: RHEL 10 must mount "/var" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700170: RHEL 10 must mount "/var/log" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700175: RHEL 10 must mount "/var/log" with the "noexec" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700180: RHEL 10 must mount "/var/log" with the "nosuid" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700185: RHEL 10 must mount "/var/tmp" with the "nodev" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700190: RHEL 10 must mount "/var/tmp" with the "noexec" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700195: RHEL 10 must mount "/var/tmp" with the "nosuid" option.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700200: RHEL 10 must prevent special devices on nonroot local partitions.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700400: RHEL 10 must enable the SELinux targeted policy.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700410: RHEL 10 must elevate the SELinux context when an administrator calls the sudo command.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700420: RHEL 10 must use a Linux Security Module configured to enforce limits on system services.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700430: RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700500: RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700510: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700520: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700530: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700540: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700550: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700560: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700570: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700580: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700590: RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700600: RHEL 10 must be configured so that SSHD accepts public key authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700610: RHEL 10 must be configured so that SSHD does not allow blank passwords.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700620: RHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH).
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700630: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700640: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700650: RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections to the server.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700660: RHEL 10 must be configured so that all network connections associated with Secure Shell (SSH) traffic terminate after becoming unresponsive.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700670: RHEL 10 must forward mail from postmaster to the root account using a postfix alias.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700680: RHEL 10 must not have a "shosts.equiv" file on the system.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700690: RHEL 10 must not have any ".shosts" files on the system.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700700: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface automount function.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700710: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700720: RHEL 10 must not allow unattended or automatic login via the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700730: RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card removal action.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700740: RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700750: RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700760: RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700770: RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700780: RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700790: RHEL 10 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700800: RHEL 10 must ensure effective dconf policy matches the policy keyfiles.
Description: None
Levels:
Automated: yes
Selections:
- dconf_db_up_to_date: Make sure that the dconf databases are up-to-date with regards to respective keyfiles
RHEL-10-700810: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700820: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700830: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700840: RHEL 10 must disable the user list at login for graphical user interfaces.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700850: RHEL 10 must be configured to disable USB mass storage.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700860: RHEL 10 must disable Bluetooth.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700870: RHEL 10 must disable wireless network adapters.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700880: RHEL 10 must disable the graphical user interface automounter unless required.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700890: RHEL 10 must disable the graphical user interface autorunner unless required.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700900: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700920: RHEL 10 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700930: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700940: RHEL 10 must not default to the graphical display manager unless approved.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700950: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700960: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700980: RHEL 10 must disable the ability of systemd to spawn an interactive boot process.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-700990: RHEL 10 must disable virtual system calls.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701000: RHEL 10 must clear the page allocator to prevent use-after-free attacks.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701010: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701020: RHEL 10 must enable mitigations against processor-based vulnerabilities.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701030: RHEL 10 must restrict access to the kernel message buffer.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701040: RHEL 10 must prevent kernel profiling by nonprivileged users.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701050: RHEL 10 must prevent the loading of a new kernel for later execution.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701060: RHEL 10 must restrict exposed kernel pointer address access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701070: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701080: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701090: RHEL 10 must disable the "kernel.core_pattern".
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701100: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701110: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701120: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701130: RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701140: RHEL 10 must restrict usage of ptrace to descendant processes.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701150: RHEL 10 must disable core dump backtraces.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701160: RHEL 10 must disable storing core dumps.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701170: RHEL 10 must disable core dumps for all users.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701180: RHEL 10 must disable acquiring, saving, and processing core dumps.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701190: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701200: RHEL 10 must disable the kdump service.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701210: RHEL 10 must disable file system automount function unless required.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701220: RHEL 10 must enable certificate-based smart card authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701230: RHEL 10 must implement certificate status checking for multifactor authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701240: RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding private key.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701250: RHEL 10 must require authentication to access emergency mode.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701260: RHEL 10 must require authentication to access single-user mode.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701270: RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701280: RHEL 10 must map the authenticated identity to the user or group account for public key infrastructure (PKI)-based authentication.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-701290: RHEL 10 must prohibit the use of cached authenticators after one day.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800000: RHEL 10 must control remote access methods.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800010: RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800020: RHEL 10 must enforce that network interfaces not be in promiscuous mode.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800030: RHEL 10 must disable access to the network bpf system call from nonprivileged processes.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800040: RHEL 10 must securely compare internal information system clocks at least every 24 hours.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800050: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800060: RHEL 10 must have at least two name servers configured for systems using Domain Name Server (DNS) resolution.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800070: RHEL 10 must not have unauthorized IP tunnels configured.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800080: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800090: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800100: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800110: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800120: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800130: RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800140: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800150: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800160: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800170: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800180: RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800190: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800200: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800210: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800220: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800230: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800240: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800250: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800260: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800270: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800280: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800290: RHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring that rate-limiting measures on impacted network interfaces are implemented.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800300: RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-800310: RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol (TFTP) server service is required.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-900000: RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent unauthorized access.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-900100: RHEL 10 must prevent unauthorized changes to the audit system.
Description: None
Levels:
Automated: yes
Selections:
RHEL-10-001000: RHEL 10 must be a vendor-supported release.
Description: None
Levels:
Automated: yes
Selections: