DISA STIG • Operating System
Red Hat Enterprise Linux 9
| Vuln ID | STIG ID | CAT | Finding | Responsibility |
|---|---|---|---|---|
| V-257777 | RHEL-09-211010 | CAT I | RHEL 9 must be a vendor-supported release. | — |
| V-257784 | RHEL-09-211045 | CAT I | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. | — |
| V-257785 | RHEL-09-211050 | CAT I | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. | — |
| V-257789 | RHEL-09-212020 | CAT I | RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes. | — |
| V-257820 | RHEL-09-214015 | CAT I | RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation. | — |
| V-257821 | RHEL-09-214020 | CAT I | RHEL 9 must check the GPG signature of locally installed software packages before installation. | — |
| V-257822 | RHEL-09-214025 | CAT I | RHEL 9 must have GPG signature verification enabled for all software repositories. | — |
| V-257826 | RHEL-09-215015 | CAT I | RHEL 9 must not have a File Transfer Protocol (FTP) server package installed. | — |
| V-257835 | RHEL-09-215060 | CAT I | The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode. | — |
| V-257879 | RHEL-09-231190 | CAT I | RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | — |
| V-257955 | RHEL-09-252070 | CAT I | There must be no shosts.equiv files on RHEL 9. | — |
| V-257956 | RHEL-09-252075 | CAT I | There must be no .shosts files on RHEL 9. | — |
| V-257984 | RHEL-09-255040 | CAT I | RHEL 9 SSHD must not allow blank passwords. | — |
| V-257986 | RHEL-09-255050 | CAT I | RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | — |
| V-258018 | RHEL-09-271040 | CAT I | RHEL 9 must not allow unattended or automatic logon via the graphical user interface. | — |
| V-258059 | RHEL-09-411100 | CAT I | The root account must be the only account having unrestricted access to RHEL 9 system. | — |
| V-258078 | RHEL-09-431010 | CAT I | RHEL 9 must use a Linux Security Module configured to enforce limits on system services. | — |
| V-258094 | RHEL-09-611025 | CAT I | RHEL 9 must not allow blank or null passwords. | — |
| V-258230 | RHEL-09-671010 | CAT I | RHEL 9 must enable FIPS mode. | — |
| V-258236 | RHEL-09-672020 | CAT I | RHEL 9 cryptographic policy must not be overridden. | — |
| V-270174 | RHEL-09-171011 | CAT II | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | — |
| V-257778 | RHEL-09-211015 | CAT II | RHEL 9 vendor packaged system security patches and updates must be installed and up to date. | — |
| V-257779 | RHEL-09-211020 | CAT II | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | — |
| V-257781 | RHEL-09-211030 | CAT II | The graphical display manager must not be the default target on RHEL 9 unless approved. | — |
| V-257783 | RHEL-09-211040 | CAT II | RHEL 9 systemd-journald service must be enabled. | — |
| V-257786 | RHEL-09-211055 | CAT II | RHEL 9 debug-shell systemd service must be disabled. | — |
| V-257787 | RHEL-09-212010 | CAT II | RHEL 9 must require a boot loader superuser password. | — |
| V-257788 | RHEL-09-212015 | CAT II | RHEL 9 must disable the ability of systemd to spawn an interactive boot process. | — |
| V-257790 | RHEL-09-212025 | CAT II | RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root. | — |
| V-257791 | RHEL-09-212030 | CAT II | RHEL 9 /boot/grub2/grub.cfg file must be owned by root. | — |
| V-257792 | RHEL-09-212035 | CAT II | RHEL 9 must disable virtual system calls. | — |
| V-257793 | RHEL-09-212040 | CAT II | RHEL 9 must clear the page allocator to prevent use-after-free attacks. | — |
| V-257794 | RHEL-09-212045 | CAT II | RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. | — |
| V-257797 | RHEL-09-213010 | CAT II | RHEL 9 must restrict access to the kernel message buffer. | — |
| V-257798 | RHEL-09-213015 | CAT II | RHEL 9 must prevent kernel profiling by nonprivileged users. | — |
| V-257799 | RHEL-09-213020 | CAT II | RHEL 9 must prevent the loading of a new kernel for later execution. | — |
| V-257800 | RHEL-09-213025 | CAT II | RHEL 9 must restrict exposed kernel pointer addresses access. | — |
| V-257801 | RHEL-09-213030 | CAT II | RHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks. | — |
| V-257802 | RHEL-09-213035 | CAT II | RHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks. | — |
| V-257803 | RHEL-09-213040 | CAT II | RHEL 9 must disable the kernel.core_pattern. | — |
| V-257804 | RHEL-09-213045 | CAT II | RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module. | — |
| V-257805 | RHEL-09-213050 | CAT II | RHEL 9 must be configured to disable the Controller Area Network kernel module. | — |
| V-257806 | RHEL-09-213055 | CAT II | RHEL 9 must be configured to disable the FireWire kernel module. | — |
| V-257807 | RHEL-09-213060 | CAT II | RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module. | — |
| V-257808 | RHEL-09-213065 | CAT II | RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module. | — |
| V-257809 | RHEL-09-213070 | CAT II | RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | — |
| V-257810 | RHEL-09-213075 | CAT II | RHEL 9 must disable access to network bpf system call from nonprivileged processes. | — |
| V-257811 | RHEL-09-213080 | CAT II | RHEL 9 must restrict usage of ptrace to descendant processes. | — |
| V-257812 | RHEL-09-213085 | CAT II | RHEL 9 must disable core dump backtraces. | — |
| V-257813 | RHEL-09-213090 | CAT II | RHEL 9 must disable storing core dumps. | — |
| V-257814 | RHEL-09-213095 | CAT II | RHEL 9 must disable core dumps for all users. | — |
| V-257815 | RHEL-09-213100 | CAT II | RHEL 9 must disable acquiring, saving, and processing core dumps. | — |
| V-257816 | RHEL-09-213105 | CAT II | RHEL 9 must disable the use of user namespaces. | — |
| V-257817 | RHEL-09-213110 | CAT II | RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution. | — |
| V-257818 | RHEL-09-213115 | CAT II | The kdump service on RHEL 9 must be disabled. | — |
| V-257819 | RHEL-09-214010 | CAT II | RHEL 9 must ensure cryptographic verification of vendor software packages. | — |
| V-257823 | RHEL-09-214030 | CAT II | RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values. | — |
| V-257825 | RHEL-09-215010 | CAT II | RHEL 9 subscription-manager package must be installed. | — |
| V-257827 | RHEL-09-215020 | CAT II | RHEL 9 must not have the sendmail package installed. | — |
| V-257828 | RHEL-09-215025 | CAT II | RHEL 9 must not have the nfs-utils package installed. | — |
| V-257829 | RHEL-09-215030 | CAT II | RHEL 9 must not have the ypserv package installed. | — |
| V-257830 | RHEL-09-215035 | CAT II | RHEL 9 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository. | — |
| V-257831 | RHEL-09-215040 | CAT II | RHEL 9 must not have the telnet-server package installed. | — |
| V-257832 | RHEL-09-215045 | CAT II | RHEL 9 must not have the gssproxy package installed. | — |
| V-257833 | RHEL-09-215050 | CAT II | RHEL 9 must not have the iprutils package installed. | — |
| V-257834 | RHEL-09-215055 | CAT II | RHEL 9 must not have the tuned package installed. | — |
| V-257836 | RHEL-09-215065 | CAT II | RHEL 9 must not have the quagga package installed. | — |
| V-257837 | RHEL-09-215070 | CAT II | A graphical display manager must not be installed on RHEL 9 unless approved. | — |
| V-257838 | RHEL-09-215075 | CAT II | RHEL 9 must have the openssl-pkcs11 package installed. | — |
| V-257839 | RHEL-09-215080 | CAT II | RHEL 9 must have the gnutls-utils package installed. | — |
| V-257840 | RHEL-09-215085 | CAT II | RHEL 9 must have the nss-tools package installed. | — |
| V-257841 | RHEL-09-215090 | CAT II | RHEL 9 must have the rng-tools package installed. | — |
| V-257842 | RHEL-09-215095 | CAT II | RHEL 9 must have the s-nail package installed. | — |
| V-258234 | RHEL-09-215100 | CAT II | RHEL 9 must have the crypto-policies package installed. | — |
| V-272488 | RHEL-09-215101 | CAT II | RHEL 9 must have the Postfix package installed. | — |
| V-258241 | RHEL-09-215105 | CAT II | RHEL 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy. | — |
| V-257843 | RHEL-09-231010 | CAT II | A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent). | — |
| V-257844 | RHEL-09-231015 | CAT II | RHEL 9 must use a separate file system for /tmp. | — |
| V-257848 | RHEL-09-231035 | CAT II | RHEL 9 must use a separate file system for /var/tmp. | — |
| V-257849 | RHEL-09-231040 | CAT II | RHEL 9 file system automount function must be disabled unless required. | — |
| V-257850 | RHEL-09-231045 | CAT II | RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories. | — |
| V-257851 | RHEL-09-231050 | CAT II | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories. | — |
| V-257852 | RHEL-09-231055 | CAT II | RHEL 9 must prevent code from being executed on file systems that contain user home directories. | — |
| V-257854 | RHEL-09-231065 | CAT II | RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS). | — |
| V-257855 | RHEL-09-231070 | CAT II | RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS). | — |
| V-257856 | RHEL-09-231075 | CAT II | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS). | — |
| V-257857 | RHEL-09-231080 | CAT II | RHEL 9 must prevent code from being executed on file systems that are used with removable media. | — |
| V-257858 | RHEL-09-231085 | CAT II | RHEL 9 must prevent special devices on file systems that are used with removable media. | — |
| V-257859 | RHEL-09-231090 | CAT II | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | — |
| V-257860 | RHEL-09-231095 | CAT II | RHEL 9 must mount /boot with the nodev option. | — |
| V-257861 | RHEL-09-231100 | CAT II | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory. | — |
| V-257862 | RHEL-09-231105 | CAT II | RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. | — |
| V-257863 | RHEL-09-231110 | CAT II | RHEL 9 must mount /dev/shm with the nodev option. | — |
| V-257864 | RHEL-09-231115 | CAT II | RHEL 9 must mount /dev/shm with the noexec option. | — |
| V-257865 | RHEL-09-231120 | CAT II | RHEL 9 must mount /dev/shm with the nosuid option. | — |
| V-257866 | RHEL-09-231125 | CAT II | RHEL 9 must mount /tmp with the nodev option. | — |
| V-257867 | RHEL-09-231130 | CAT II | RHEL 9 must mount /tmp with the noexec option. | — |
| V-257868 | RHEL-09-231135 | CAT II | RHEL 9 must mount /tmp with the nosuid option. | — |
| V-257869 | RHEL-09-231140 | CAT II | RHEL 9 must mount /var with the nodev option. | — |
| V-257870 | RHEL-09-231145 | CAT II | RHEL 9 must mount /var/log with the nodev option. | — |
| V-257871 | RHEL-09-231150 | CAT II | RHEL 9 must mount /var/log with the noexec option. | — |
| V-257872 | RHEL-09-231155 | CAT II | RHEL 9 must mount /var/log with the nosuid option. | — |
| V-257873 | RHEL-09-231160 | CAT II | RHEL 9 must mount /var/log/audit with the nodev option. | — |
| V-257874 | RHEL-09-231165 | CAT II | RHEL 9 must mount /var/log/audit with the noexec option. | — |
| V-257875 | RHEL-09-231170 | CAT II | RHEL 9 must mount /var/log/audit with the nosuid option. | — |
| V-257876 | RHEL-09-231175 | CAT II | RHEL 9 must mount /var/tmp with the nodev option. | — |
| V-257877 | RHEL-09-231180 | CAT II | RHEL 9 must mount /var/tmp with the noexec option. | — |
| V-257878 | RHEL-09-231185 | CAT II | RHEL 9 must mount /var/tmp with the nosuid option. | — |
| V-257881 | RHEL-09-231200 | CAT II | RHEL 9 must prevent special devices on non-root local partitions. | — |
| V-257882 | RHEL-09-232010 | CAT II | RHEL 9 system commands must have mode 755 or less permissive. | — |
| V-257883 | RHEL-09-232015 | CAT II | RHEL 9 library directories must have mode 755 or less permissive. | — |
| V-257884 | RHEL-09-232020 | CAT II | RHEL 9 library files must have mode 755 or less permissive. | — |
| V-257885 | RHEL-09-232025 | CAT II | RHEL 9 /var/log directory must have mode 0755 or less permissive. | — |
| V-257886 | RHEL-09-232030 | CAT II | RHEL 9 /var/log/messages file must have mode 0640 or less permissive. | — |
| V-257887 | RHEL-09-232035 | CAT II | RHEL 9 audit tools must have a mode of 0755 or less permissive. | — |
| V-257888 | RHEL-09-232040 | CAT II | RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults. | — |
| V-257889 | RHEL-09-232045 | CAT II | All RHEL 9 local initialization files must have mode 0740 or less permissive. | — |
| V-257890 | RHEL-09-232050 | CAT II | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | — |
| V-257891 | RHEL-09-232055 | CAT II | RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access. | — |
| V-257892 | RHEL-09-232060 | CAT II | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access. | — |
| V-257893 | RHEL-09-232065 | CAT II | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access. | — |
| V-257894 | RHEL-09-232070 | CAT II | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access. | — |
| V-257895 | RHEL-09-232075 | CAT II | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access. | — |
| V-257896 | RHEL-09-232080 | CAT II | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access. | — |
| V-257897 | RHEL-09-232085 | CAT II | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access. | — |
| V-257898 | RHEL-09-232090 | CAT II | RHEL 9 /etc/group file must be owned by root. | — |
| V-257899 | RHEL-09-232095 | CAT II | RHEL 9 /etc/group file must be group-owned by root. | — |
| V-257900 | RHEL-09-232100 | CAT II | RHEL 9 /etc/group- file must be owned by root. | — |
| V-270175 | RHEL-09-232103 | CAT II | RHEL 9 "/etc/audit/" must be owned by root. | — |
| V-270176 | RHEL-09-232104 | CAT II | RHEL 9 "/etc/audit/" must be group-owned by root. | — |
| V-257901 | RHEL-09-232105 | CAT II | RHEL 9 /etc/group- file must be group-owned by root. | — |
| V-257902 | RHEL-09-232110 | CAT II | RHEL 9 /etc/gshadow file must be owned by root. | — |
| V-257903 | RHEL-09-232115 | CAT II | RHEL 9 /etc/gshadow file must be group-owned by root. | — |
| V-257904 | RHEL-09-232120 | CAT II | RHEL 9 /etc/gshadow- file must be owned by root. | — |
| V-257905 | RHEL-09-232125 | CAT II | RHEL 9 /etc/gshadow- file must be group-owned by root. | — |
| V-257906 | RHEL-09-232130 | CAT II | RHEL 9 /etc/passwd file must be owned by root. | — |
| V-257907 | RHEL-09-232135 | CAT II | RHEL 9 /etc/passwd file must be group-owned by root. | — |
| V-257908 | RHEL-09-232140 | CAT II | RHEL 9 /etc/passwd- file must be owned by root. | — |
| V-257909 | RHEL-09-232145 | CAT II | RHEL 9 /etc/passwd- file must be group-owned by root. | — |
| V-257910 | RHEL-09-232150 | CAT II | RHEL 9 /etc/shadow file must be owned by root. | — |
| V-257911 | RHEL-09-232155 | CAT II | RHEL 9 /etc/shadow file must be group-owned by root. | — |
| V-257912 | RHEL-09-232160 | CAT II | RHEL 9 /etc/shadow- file must be owned by root. | — |
| V-257913 | RHEL-09-232165 | CAT II | RHEL 9 /etc/shadow- file must be group-owned by root. | — |
| V-257914 | RHEL-09-232170 | CAT II | RHEL 9 /var/log directory must be owned by root. | — |
| V-257915 | RHEL-09-232175 | CAT II | RHEL 9 /var/log directory must be group-owned by root. | — |
| V-257916 | RHEL-09-232180 | CAT II | RHEL 9 /var/log/messages file must be owned by root. | — |
| V-257917 | RHEL-09-232185 | CAT II | RHEL 9 /var/log/messages file must be group-owned by root. | — |
| V-257918 | RHEL-09-232190 | CAT II | RHEL 9 system commands must be owned by root. | — |
| V-257919 | RHEL-09-232195 | CAT II | RHEL 9 system commands must be group-owned by root or a system account. | — |
| V-257920 | RHEL-09-232200 | CAT II | RHEL 9 library files must be owned by root. | — |
| V-257921 | RHEL-09-232205 | CAT II | RHEL 9 library files must be group-owned by root or a system account. | — |
| V-257922 | RHEL-09-232210 | CAT II | RHEL 9 library directories must be owned by root. | — |
| V-257923 | RHEL-09-232215 | CAT II | RHEL 9 library directories must be group-owned by root or a system account. | — |
| V-257924 | RHEL-09-232220 | CAT II | RHEL 9 audit tools must be owned by root. | — |
| V-257925 | RHEL-09-232225 | CAT II | RHEL 9 audit tools must be group-owned by root. | — |
| V-257926 | RHEL-09-232230 | CAT II | RHEL 9 cron configuration files directory must be owned by root. | — |
| V-257927 | RHEL-09-232235 | CAT II | RHEL 9 cron configuration files directory must be group-owned by root. | — |
| V-257928 | RHEL-09-232240 | CAT II | All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. | — |
| V-257929 | RHEL-09-232245 | CAT II | A sticky bit must be set on all RHEL 9 public directories. | — |
| V-257930 | RHEL-09-232250 | CAT II | All RHEL 9 local files and directories must have a valid group owner. | — |
| V-257931 | RHEL-09-232255 | CAT II | All RHEL 9 local files and directories must have a valid owner. | — |
| V-257932 | RHEL-09-232260 | CAT II | RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | — |
| V-257934 | RHEL-09-232270 | CAT II | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access. | — |
| V-257935 | RHEL-09-251010 | CAT II | RHEL 9 must have the firewalld package installed. | — |
| V-257936 | RHEL-09-251015 | CAT II | The firewalld service on RHEL 9 must be active. | — |
| V-257937 | RHEL-09-251020 | CAT II | The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | — |
| V-257939 | RHEL-09-251030 | CAT II | RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented. | — |
| V-257940 | RHEL-09-251035 | CAT II | RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | — |
| V-257941 | RHEL-09-251040 | CAT II | RHEL 9 network interfaces must not be in promiscuous mode. | — |
| V-257942 | RHEL-09-251045 | CAT II | RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. | — |
| V-257943 | RHEL-09-252010 | CAT II | RHEL 9 must have the chrony package installed. | — |
| V-257944 | RHEL-09-252015 | CAT II | RHEL 9 chronyd service must be enabled. | — |
| V-257945 | RHEL-09-252020 | CAT II | RHEL 9 must securely compare internal information system clocks at least every 24 hours. | — |
| V-257948 | RHEL-09-252035 | CAT II | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured. | — |
| V-257949 | RHEL-09-252040 | CAT II | RHEL 9 must configure a DNS processing mode in Network Manager. | — |
| V-257950 | RHEL-09-252045 | CAT II | RHEL 9 must not have unauthorized IP tunnels configured. | — |
| V-257951 | RHEL-09-252050 | CAT II | RHEL 9 must be configured to prevent unrestricted mail relaying. | — |
| V-257953 | RHEL-09-252060 | CAT II | RHEL 9 must forward mail from postmaster to the root account using a postfix alias. | — |
| V-257954 | RHEL-09-252065 | CAT II | RHEL 9 libreswan package must be installed. | — |
| V-257957 | RHEL-09-253010 | CAT II | RHEL 9 must be configured to use TCP syncookies. | — |
| V-257958 | RHEL-09-253015 | CAT II | RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | — |
| V-257959 | RHEL-09-253020 | CAT II | RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. | — |
| V-257960 | RHEL-09-253025 | CAT II | RHEL 9 must log IPv4 packets with impossible addresses. | — |
| V-257961 | RHEL-09-253030 | CAT II | RHEL 9 must log IPv4 packets with impossible addresses by default. | — |
| V-257962 | RHEL-09-253035 | CAT II | RHEL 9 must use reverse path filtering on all IPv4 interfaces. | — |
| V-257963 | RHEL-09-253040 | CAT II | RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | — |
| V-257964 | RHEL-09-253045 | CAT II | RHEL 9 must not forward IPv4 source-routed packets by default. | — |
| V-257965 | RHEL-09-253050 | CAT II | RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. | — |
| V-257966 | RHEL-09-253055 | CAT II | RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | — |
| V-257967 | RHEL-09-253060 | CAT II | RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. | — |
| V-257968 | RHEL-09-253065 | CAT II | RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. | — |
| V-257969 | RHEL-09-253070 | CAT II | RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | — |
| V-257970 | RHEL-09-253075 | CAT II | RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. | — |
| V-257971 | RHEL-09-254010 | CAT II | RHEL 9 must not accept router advertisements on all IPv6 interfaces. | — |
| V-257972 | RHEL-09-254015 | CAT II | RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | — |
| V-257973 | RHEL-09-254020 | CAT II | RHEL 9 must not forward IPv6 source-routed packets. | — |
| V-257974 | RHEL-09-254025 | CAT II | RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. | — |
| V-257975 | RHEL-09-254030 | CAT II | RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. | — |
| V-257976 | RHEL-09-254035 | CAT II | RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | — |
| V-257977 | RHEL-09-254040 | CAT II | RHEL 9 must not forward IPv6 source-routed packets by default. | — |
| V-257978 | RHEL-09-255010 | CAT II | All RHEL 9 networked systems must have SSH installed. | — |
| V-257979 | RHEL-09-255015 | CAT II | All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | — |
| V-257980 | RHEL-09-255020 | CAT II | RHEL 9 must have the openssh-clients package installed. | — |
| V-257981 | RHEL-09-255025 | CAT II | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH logon. | — |
| V-257982 | RHEL-09-255030 | CAT II | RHEL 9 must log SSH connection attempts and failures to the server. | — |
| V-257983 | RHEL-09-255035 | CAT II | RHEL 9 SSHD must accept public key authentication. | — |
| V-257985 | RHEL-09-255045 | CAT II | RHEL 9 must not permit direct logons to the root account using remote access via SSH. | — |
| V-270177 | RHEL-09-255064 | CAT II | The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | — |
| V-257989 | RHEL-09-255065 | CAT II | The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | — |
| V-270178 | RHEL-09-255070 | CAT II | The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | — |
| V-257991 | RHEL-09-255075 | CAT II | The RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | — |
| V-257992 | RHEL-09-255080 | CAT II | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system. | — |
| V-257993 | RHEL-09-255085 | CAT II | RHEL 9 must not allow users to override SSH environment variables. | — |
| V-257994 | RHEL-09-255090 | CAT II | RHEL 9 must force a frequent session key renegotiation for SSH connections to the server. | — |
| V-257995 | RHEL-09-255095 | CAT II | RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. | — |
| V-257996 | RHEL-09-255100 | CAT II | RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive. | — |
| V-257997 | RHEL-09-255105 | CAT II | RHEL 9 SSH server configuration file must be group-owned by root. | — |
| V-257998 | RHEL-09-255110 | CAT II | The RHEL 9 SSH server configuration file must be owned by root. | — |
| V-257999 | RHEL-09-255115 | CAT II | RHEL 9 SSH server configuration files' permissions must not be modified. | — |
| V-258000 | RHEL-09-255120 | CAT II | RHEL 9 SSH private host key files must have mode 0640 or less permissive. | — |
| V-258001 | RHEL-09-255125 | CAT II | RHEL 9 SSH public host key files must have mode 0644 or less permissive. | — |
| V-258002 | RHEL-09-255130 | CAT II | RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. | — |
| V-258003 | RHEL-09-255135 | CAT II | RHEL 9 SSH daemon must not allow GSSAPI authentication. | — |
| V-258004 | RHEL-09-255140 | CAT II | RHEL 9 SSH daemon must not allow Kerberos authentication. | — |
| V-258005 | RHEL-09-255145 | CAT II | RHEL 9 SSH daemon must not allow rhosts authentication. | — |
| V-258006 | RHEL-09-255150 | CAT II | RHEL 9 SSH daemon must not allow known hosts authentication. | — |
| V-258007 | RHEL-09-255155 | CAT II | RHEL 9 SSH daemon must disable remote X connections for interactive users. | — |
| V-258008 | RHEL-09-255160 | CAT II | RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files. | — |
| V-258009 | RHEL-09-255165 | CAT II | RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon. | — |
| V-258011 | RHEL-09-255175 | CAT II | RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display. | — |
| V-258012 | RHEL-09-271010 | CAT II | RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | — |
| V-258013 | RHEL-09-271015 | CAT II | RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface. | — |
| V-258014 | RHEL-09-271020 | CAT II | RHEL 9 must disable the graphical user interface automount function unless required. | — |
| V-258015 | RHEL-09-271025 | CAT II | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function. | — |
| V-258016 | RHEL-09-271030 | CAT II | RHEL 9 must disable the graphical user interface autorun function unless required. | — |
| V-258017 | RHEL-09-271035 | CAT II | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. | — |
| V-258019 | RHEL-09-271045 | CAT II | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed. | — |
| V-258020 | RHEL-09-271050 | CAT II | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action. | — |
| V-258021 | RHEL-09-271055 | CAT II | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | — |
| V-258022 | RHEL-09-271060 | CAT II | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | — |
| V-258023 | RHEL-09-271065 | CAT II | RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. | — |
| V-258024 | RHEL-09-271070 | CAT II | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. | — |
| V-258025 | RHEL-09-271075 | CAT II | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated. | — |
| V-258026 | RHEL-09-271080 | CAT II | RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface. | — |
| V-258027 | RHEL-09-271085 | CAT II | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image. | — |
| V-258028 | RHEL-09-271090 | CAT II | RHEL 9 effective dconf policy must match the policy keyfiles. | — |
| V-258029 | RHEL-09-271095 | CAT II | RHEL 9 must disable the ability of a user to restart the system from the login screen. | — |
| V-258030 | RHEL-09-271100 | CAT II | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | — |
| V-258031 | RHEL-09-271105 | CAT II | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot. | — |
| V-258032 | RHEL-09-271110 | CAT II | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface. | — |
| V-258033 | RHEL-09-271115 | CAT II | RHEL 9 must disable the user list at logon for graphical user interfaces. | — |
| V-258034 | RHEL-09-291010 | CAT II | RHEL 9 must be configured to disable USB mass storage. | — |
| V-258035 | RHEL-09-291015 | CAT II | RHEL 9 must have the USBGuard package installed. | — |
| V-258036 | RHEL-09-291020 | CAT II | RHEL 9 must have the USBGuard package enabled. | — |
| V-258038 | RHEL-09-291030 | CAT II | RHEL 9 must block unauthorized peripherals before establishing a connection. | — |
| V-258039 | RHEL-09-291035 | CAT II | RHEL 9 Bluetooth must be disabled. | — |
| V-258040 | RHEL-09-291040 | CAT II | RHEL 9 wireless network adapters must be disabled. | — |
| V-258041 | RHEL-09-411010 | CAT II | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs. | — |
| V-258042 | RHEL-09-411015 | CAT II | RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction. | — |
| V-258043 | RHEL-09-411020 | CAT II | All RHEL 9 local interactive user accounts must be assigned a home directory upon creation. | — |
| V-258044 | RHEL-09-411025 | CAT II | RHEL 9 must set the umask value to 077 for all local interactive user accounts. | — |
| V-258045 | RHEL-09-411030 | CAT II | RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users. | — |
| V-258046 | RHEL-09-411035 | CAT II | RHEL 9 system accounts must not have an interactive login shell. | — |
| V-258047 | RHEL-09-411040 | CAT II | RHEL 9 must automatically expire temporary accounts within 72 hours. | — |
| V-258048 | RHEL-09-411045 | CAT II | All RHEL 9 interactive users must have a primary group that exists. | — |
| V-258049 | RHEL-09-411050 | CAT II | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | — |
| V-258050 | RHEL-09-411055 | CAT II | Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory. | — |
| V-258051 | RHEL-09-411060 | CAT II | All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file. | — |
| V-258052 | RHEL-09-411065 | CAT II | All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist. | — |
| V-258053 | RHEL-09-411070 | CAT II | All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group. | — |
| V-258054 | RHEL-09-411075 | CAT II | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur. | — |
| V-258055 | RHEL-09-411080 | CAT II | RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | — |
| V-258056 | RHEL-09-411085 | CAT II | RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | — |
| V-258057 | RHEL-09-411090 | CAT II | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | — |
| V-258058 | RHEL-09-411095 | CAT II | RHEL 9 must not have unauthorized accounts. | — |
| V-258060 | RHEL-09-411105 | CAT II | RHEL 9 must ensure account lockouts persist. | — |
| V-258061 | RHEL-09-411110 | CAT II | RHEL 9 groups must have unique Group ID (GID). | — |
| V-258068 | RHEL-09-412035 | CAT II | RHEL 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. | — |
| V-258070 | RHEL-09-412045 | CAT II | RHEL 9 must log username information when unsuccessful logon attempts occur. | — |
| V-258071 | RHEL-09-412050 | CAT II | RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt. | — |
| V-258072 | RHEL-09-412055 | CAT II | RHEL 9 must define default permissions for the bash shell. | — |
| V-258073 | RHEL-09-412060 | CAT II | RHEL 9 must define default permissions for the c shell. | — |
| V-258074 | RHEL-09-412065 | CAT II | RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | — |
| V-258075 | RHEL-09-412070 | CAT II | RHEL 9 must define default permissions for the system default profile. | — |
| V-258077 | RHEL-09-412080 | CAT II | RHEL 9 must terminate idle user sessions. | — |
| V-258079 | RHEL-09-431015 | CAT II | RHEL 9 must enable the SELinux targeted policy. | — |
| V-272496 | RHEL-09-431016 | CAT II | RHEL 9 must elevate the SELinux context when an administrator calls the sudo command. | — |
| V-258080 | RHEL-09-431020 | CAT II | RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory. | — |
| V-258081 | RHEL-09-431025 | CAT II | RHEL 9 must have policycoreutils package installed. | — |
| V-258082 | RHEL-09-431030 | CAT II | RHEL 9 policycoreutils-python-utils package must be installed. | — |
| V-258083 | RHEL-09-432010 | CAT II | RHEL 9 must have the sudo package installed. | — |
| V-258084 | RHEL-09-432015 | CAT II | RHEL 9 must require reauthentication when using the "sudo" command. | — |
| V-258085 | RHEL-09-432020 | CAT II | RHEL 9 must use the invoking user's password for privilege escalation when using "sudo". | — |
| V-258086 | RHEL-09-432025 | CAT II | RHEL 9 must require users to reauthenticate for privilege escalation. | — |
| V-258087 | RHEL-09-432030 | CAT II | RHEL 9 must restrict privilege elevation to authorized personnel. | — |
| V-258088 | RHEL-09-432035 | CAT II | RHEL 9 must restrict the use of the "su" command. | — |
| V-258089 | RHEL-09-433010 | CAT II | RHEL 9 fapolicy module must be installed. | — |
| V-258090 | RHEL-09-433015 | CAT II | RHEL 9 fapolicy module must be enabled. | — |
| V-270180 | RHEL-09-433016 | CAT II | The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | — |
| V-258091 | RHEL-09-611010 | CAT II | RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. | — |
| V-258095 | RHEL-09-611030 | CAT II | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | — |
| V-258096 | RHEL-09-611035 | CAT II | RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | — |
| V-258097 | RHEL-09-611040 | CAT II | RHEL 9 must ensure the password complexity module is enabled in the password-auth file. | — |
| V-258098 | RHEL-09-611045 | CAT II | RHEL 9 must ensure the password complexity module is enabled in the system-auth file. | — |
| V-258099 | RHEL-09-611050 | CAT II | RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds. | — |
| V-258100 | RHEL-09-611055 | CAT II | RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds. | — |
| V-258101 | RHEL-09-611060 | CAT II | RHEL 9 must enforce password complexity rules for the root account. | — |
| V-258102 | RHEL-09-611065 | CAT II | RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used. | — |
| V-258103 | RHEL-09-611070 | CAT II | RHEL 9 must enforce password complexity by requiring that at least one numeric character be used. | — |
| V-258104 | RHEL-09-611075 | CAT II | RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs. | — |
| V-258105 | RHEL-09-611080 | CAT II | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow. | — |
| V-258106 | RHEL-09-611085 | CAT II | RHEL 9 must require users to provide a password for privilege escalation. | — |
| V-258107 | RHEL-09-611090 | CAT II | RHEL 9 passwords must be created with a minimum of 15 characters. | — |
| V-258109 | RHEL-09-611100 | CAT II | RHEL 9 must enforce password complexity by requiring that at least one special character be used. | — |
| V-258110 | RHEL-09-611105 | CAT II | RHEL 9 must prevent the use of dictionary words for passwords. | — |
| V-258111 | RHEL-09-611110 | CAT II | RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used. | — |
| V-258112 | RHEL-09-611115 | CAT II | RHEL 9 must require the change of at least eight characters when passwords are changed. | — |
| V-258113 | RHEL-09-611120 | CAT II | RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. | — |
| V-258114 | RHEL-09-611125 | CAT II | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed. | — |
| V-258115 | RHEL-09-611130 | CAT II | RHEL 9 must require the change of at least four character classes when passwords are changed. | — |
| V-258116 | RHEL-09-611135 | CAT II | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. | — |
| V-258117 | RHEL-09-611140 | CAT II | RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords. | — |
| V-258118 | RHEL-09-611145 | CAT II | RHEL 9 must not be configured to bypass password requirements for privilege escalation. | — |
| V-258120 | RHEL-09-611155 | CAT II | RHEL 9 must not have accounts configured with blank or null passwords. | — |
| V-258121 | RHEL-09-611160 | CAT II | RHEL 9 must use the common access card (CAC) smart card driver. | — |
| V-258122 | RHEL-09-611165 | CAT II | RHEL 9 must enable certificate based smart card authentication. | — |
| V-258123 | RHEL-09-611170 | CAT II | RHEL 9 must implement certificate status checking for multifactor authentication. | — |
| V-258124 | RHEL-09-611175 | CAT II | RHEL 9 must have the pcsc-lite package installed. | — |
| V-258125 | RHEL-09-611180 | CAT II | The pcscd service on RHEL 9 must be active. | — |
| V-258126 | RHEL-09-611185 | CAT II | RHEL 9 must have the opensc package installed. | — |
| V-258127 | RHEL-09-611190 | CAT II | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key. | — |
| V-258128 | RHEL-09-611195 | CAT II | RHEL 9 must require authentication to access emergency mode. | — |
| V-258129 | RHEL-09-611200 | CAT II | RHEL 9 must require authentication to access single-user mode. | — |
| V-258131 | RHEL-09-631010 | CAT II | RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | — |
| V-258132 | RHEL-09-631015 | CAT II | RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication. | — |
| V-258133 | RHEL-09-631020 | CAT II | RHEL 9 must prohibit the use of cached authenticators after one day. | — |
| V-258134 | RHEL-09-651010 | CAT II | RHEL 9 must have the AIDE package installed. | — |
| V-258135 | RHEL-09-651015 | CAT II | RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered. | — |
| V-258136 | RHEL-09-651020 | CAT II | RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories. | — |
| V-258137 | RHEL-09-651025 | CAT II | RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools. | — |
| V-258140 | RHEL-09-652010 | CAT II | RHEL 9 must have the rsyslog package installed. | — |
| V-258141 | RHEL-09-652015 | CAT II | RHEL 9 must have the packages required for encrypting offloaded audit logs installed. | — |
| V-258142 | RHEL-09-652020 | CAT II | The rsyslog service on RHEL 9 must be active. | — |
| V-258143 | RHEL-09-652025 | CAT II | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | — |
| V-258144 | RHEL-09-652030 | CAT II | All RHEL 9 remote access methods must be monitored. | — |
| V-258146 | RHEL-09-652040 | CAT II | RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog. | — |
| V-258147 | RHEL-09-652045 | CAT II | RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | — |
| V-258148 | RHEL-09-652050 | CAT II | RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | — |
| V-258149 | RHEL-09-652055 | CAT II | RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. | — |
| V-258150 | RHEL-09-652060 | CAT II | RHEL 9 must use cron logging. | — |
| V-258151 | RHEL-09-653010 | CAT II | RHEL 9 audit package must be installed. | — |
| V-258152 | RHEL-09-653015 | CAT II | RHEL 9 audit service must be enabled. | — |
| V-258153 | RHEL-09-653020 | CAT II | RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs. | — |
| V-258154 | RHEL-09-653025 | CAT II | RHEL 9 audit system must take appropriate action when the audit storage volume is full. | — |
| V-258155 | RHEL-09-653030 | CAT II | RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records. | — |
| V-258156 | RHEL-09-653035 | CAT II | RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | — |
| V-258157 | RHEL-09-653040 | CAT II | RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | — |
| V-258158 | RHEL-09-653045 | CAT II | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | — |
| V-258159 | RHEL-09-653050 | CAT II | RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | — |
| V-258160 | RHEL-09-653055 | CAT II | RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. | — |
| V-258161 | RHEL-09-653060 | CAT II | RHEL 9 must label all offloaded audit logs before sending them to the central log server. | — |
| V-258162 | RHEL-09-653065 | CAT II | RHEL 9 must take appropriate action when the internal event queue is full. | — |
| V-258163 | RHEL-09-653070 | CAT II | RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. | — |
| V-258164 | RHEL-09-653075 | CAT II | RHEL 9 audit system must audit local events. | — |
| V-258165 | RHEL-09-653080 | CAT II | RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access. | — |
| V-258166 | RHEL-09-653085 | CAT II | RHEL 9 audit log directory must be owned by root to prevent unauthorized read access. | — |
| V-258167 | RHEL-09-653090 | CAT II | RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. | — |
| V-258168 | RHEL-09-653095 | CAT II | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. | — |
| V-258169 | RHEL-09-653100 | CAT II | RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event. | — |
| V-258170 | RHEL-09-653105 | CAT II | RHEL 9 must write audit records to disk. | — |
| V-258171 | RHEL-09-653110 | CAT II | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. | — |
| V-258174 | RHEL-09-653125 | CAT II | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure. | — |
| V-258175 | RHEL-09-653130 | CAT II | RHEL 9 audispd-plugins package must be installed. | — |
| V-258176 | RHEL-09-654010 | CAT II | RHEL 9 must audit uses of the "execve" system call. | — |
| V-258177 | RHEL-09-654015 | CAT II | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. | — |
| V-258178 | RHEL-09-654020 | CAT II | RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. | — |
| V-258179 | RHEL-09-654025 | CAT II | RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | — |
| V-258180 | RHEL-09-654030 | CAT II | RHEL 9 must audit all uses of umount system calls. | — |
| V-258181 | RHEL-09-654035 | CAT II | RHEL 9 must audit all uses of the chacl command. | — |
| V-258182 | RHEL-09-654040 | CAT II | RHEL 9 must audit all uses of the setfacl command. | — |
| V-258183 | RHEL-09-654045 | CAT II | RHEL 9 must audit all uses of the chcon command. | — |
| V-258184 | RHEL-09-654050 | CAT II | RHEL 9 must audit all uses of the semanage command. | — |
| V-258185 | RHEL-09-654055 | CAT II | RHEL 9 must audit all uses of the setfiles command. | — |
| V-258186 | RHEL-09-654060 | CAT II | RHEL 9 must audit all uses of the setsebool command. | — |
| V-258187 | RHEL-09-654065 | CAT II | RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. | — |
| V-258188 | RHEL-09-654070 | CAT II | RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | — |
| V-258189 | RHEL-09-654075 | CAT II | RHEL 9 must audit all uses of the delete_module system call. | — |
| V-258190 | RHEL-09-654080 | CAT II | RHEL 9 must audit all uses of the init_module and finit_module system calls. | — |
| V-258191 | RHEL-09-654085 | CAT II | RHEL 9 must audit all uses of the chage command. | — |
| V-258192 | RHEL-09-654090 | CAT II | RHEL 9 must audit all uses of the chsh command. | — |
| V-258193 | RHEL-09-654095 | CAT II | RHEL 9 must audit all uses of the crontab command. | — |
| V-279936 | RHEL-09-654097 | CAT II | RHEL 9 must audit any script or executable called by cron as root or by any privileged user. | — |
| V-258194 | RHEL-09-654100 | CAT II | RHEL 9 must audit all uses of the gpasswd command. | — |
| V-258195 | RHEL-09-654105 | CAT II | RHEL 9 must audit all uses of the kmod command. | — |
| V-258196 | RHEL-09-654110 | CAT II | RHEL 9 must audit all uses of the newgrp command. | — |
| V-258197 | RHEL-09-654115 | CAT II | RHEL 9 must audit all uses of the pam_timestamp_check command. | — |
| V-258198 | RHEL-09-654120 | CAT II | RHEL 9 must audit all uses of the passwd command. | — |
| V-258199 | RHEL-09-654125 | CAT II | RHEL 9 must audit all uses of the postdrop command. | — |
| V-258200 | RHEL-09-654130 | CAT II | RHEL 9 must audit all uses of the postqueue command. | — |
| V-258201 | RHEL-09-654135 | CAT II | RHEL 9 must audit all uses of the ssh-agent command. | — |
| V-258202 | RHEL-09-654140 | CAT II | RHEL 9 must audit all uses of the ssh-keysign command. | — |
| V-258203 | RHEL-09-654145 | CAT II | RHEL 9 must audit all uses of the su command. | — |
| V-258204 | RHEL-09-654150 | CAT II | RHEL 9 must audit all uses of the sudo command. | — |
| V-258205 | RHEL-09-654155 | CAT II | RHEL 9 must audit all uses of the sudoedit command. | — |
| V-258206 | RHEL-09-654160 | CAT II | RHEL 9 must audit all uses of the unix_chkpwd command. | — |
| V-258207 | RHEL-09-654165 | CAT II | RHEL 9 must audit all uses of the unix_update command. | — |
| V-258208 | RHEL-09-654170 | CAT II | RHEL 9 must audit all uses of the userhelper command. | — |
| V-258209 | RHEL-09-654175 | CAT II | RHEL 9 must audit all uses of the usermod command. | — |
| V-258210 | RHEL-09-654180 | CAT II | RHEL 9 must audit all uses of the mount command. | — |
| V-258211 | RHEL-09-654185 | CAT II | Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. | — |
| V-258212 | RHEL-09-654190 | CAT II | Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record. | — |
| V-258213 | RHEL-09-654195 | CAT II | Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record. | — |
| V-258214 | RHEL-09-654200 | CAT II | Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record. | — |
| V-258215 | RHEL-09-654205 | CAT II | Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. | — |
| V-258216 | RHEL-09-654210 | CAT II | Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. | — |
| V-258217 | RHEL-09-654215 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | — |
| V-258218 | RHEL-09-654220 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory. | — |
| V-258219 | RHEL-09-654225 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | — |
| V-258220 | RHEL-09-654230 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | — |
| V-258221 | RHEL-09-654235 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | — |
| V-258222 | RHEL-09-654240 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | — |
| V-258223 | RHEL-09-654245 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | — |
| V-258224 | RHEL-09-654250 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. | — |
| V-258225 | RHEL-09-654255 | CAT II | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | — |
| V-258227 | RHEL-09-654265 | CAT II | RHEL 9 must take appropriate action when a critical audit processing failure occurs. | — |
| V-258228 | RHEL-09-654270 | CAT II | RHEL 9 audit system must protect logon UIDs from unauthorized change. | — |
| V-258229 | RHEL-09-654275 | CAT II | RHEL 9 audit system must protect auditing rules from unauthorized change. | — |
| V-258231 | RHEL-09-671015 | CAT II | RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. | — |
| V-258232 | RHEL-09-671020 | CAT II | RHEL 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms. | — |
| V-258233 | RHEL-09-671025 | CAT II | RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | — |
| V-258242 | RHEL-09-672050 | CAT II | RHEL 9 must implement DOD-approved encryption in the bind package. | — |
| V-257782 | RHEL-09-211035 | CAT III | RHEL 9 must enable the hardware random number generator entropy gatherer service. | — |
| V-257795 | RHEL-09-212050 | CAT III | RHEL 9 must enable mitigations against processor-based vulnerabilities. | — |
| V-257796 | RHEL-09-212055 | CAT III | RHEL 9 must enable auditing of processes that start prior to the audit daemon. | — |
| V-257824 | RHEL-09-214035 | CAT III | RHEL 9 must remove all software components after updated versions have been installed. | — |
| V-257845 | RHEL-09-231020 | CAT III | RHEL 9 must use a separate file system for /var. | — |
| V-257846 | RHEL-09-231025 | CAT III | RHEL 9 must use a separate file system for /var/log. | — |
| V-257847 | RHEL-09-231030 | CAT III | RHEL 9 must use a separate file system for the system audit data path. | — |
| V-257880 | RHEL-09-231195 | CAT III | RHEL 9 must disable mounting of cramfs. | — |
| V-257946 | RHEL-09-252025 | CAT III | RHEL 9 must disable the chrony daemon from acting as a server. | — |
| V-257947 | RHEL-09-252030 | CAT III | RHEL 9 must disable network management of the chrony daemon. | — |
| V-258037 | RHEL-09-291025 | CAT III | RHEL 9 must enable Linux audit logging for the USBGuard daemon. | — |
| V-258069 | RHEL-09-412040 | CAT III | RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types. | — |
| V-258138 | RHEL-09-651030 | CAT III | RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs). | — |
| V-258139 | RHEL-09-651035 | CAT III | RHEL 9 must be configured so that the file integrity tool verifies extended attributes. | — |
| V-258173 | RHEL-09-653120 | CAT III | RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | — |