
CCI-000368

Definition

Document any deviations from the established configuration settings for organization-defined system components based on organization-defined operational requirements.

Parent Control

CM-6: Configuration Settings (Configuration Management)

Linked STIG Checks (13)

  • V-223475 (CAT II): CA-ACF2 RULEOPTS GSO record values must be set to the values specified. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223488 (CAT III): ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223512 (CAT II): ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-223513 (CAT II): ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change. [IBM z/OS ACF2 Security Technical Implementation Guide]
  • V-204479 (CAT II): The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204488 (CAT II): The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204501 (CAT II): The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204575 (CAT II): The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204598 (CAT II): The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204599 (CAT II): The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-204621 (CAT I): The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. [Red Hat Enterprise Linux 7 Security Technical Implementation Guide]
  • V-801 (CAT II): The owner, group-owner, mode, ACL, and location of files with the setuid bit set must be documented using site-defined procedures. [SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide]
  • V-802 (CAT II): The owner, group-owner, mode, ACL and location of files with the setgid bit set must be documented using site-defined procedures. [SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide]