STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← CM-7 (2) — Least Functionality

CCI-001764

Definition

Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.

Parent Control

CM-7 (2)Least FunctionalityConfiguration Management

Linked STIG Checks (200)

V-274178CAT IIAmazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.Amazon Linux 2023 Security Technical Implementation Guide V-274179CAT IIAmazon Linux 2023 must mount /dev/shm with the nodev option.Amazon Linux 2023 Security Technical Implementation Guide V-274180CAT IIAmazon Linux 2023 must mount /dev/shm with the nosuid option.Amazon Linux 2023 Security Technical Implementation Guide V-268173CAT IINixOS must be configured to use AppArmor.Anduril NixOS Security Technical Implementation Guide V-222516CAT IIThe application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.Application Security and Development Security Technical Implementation Guide V-219323CAT IIThe Ubuntu operating system must be configured to use AppArmor.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238360CAT IIThe Ubuntu operating system must be configured to use AppArmor.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260556CAT IIUbuntu 22.04 LTS must have the "apparmor" package installed.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260557CAT IIUbuntu 22.04 LTS must be configured to use AppArmor.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270659CAT IIUbuntu 24.04 LTS must have AppArmor installed.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270660CAT IIUbuntu 24.04 LTS must be configured to use AppArmor.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-259877CAT IIFor Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.Cloud Computing Mission Owner Operating System Security Requirements Guide V-259878CAT IIFor Impact Level 6, the Mission Owner must process connection approval to the SIPRNet through the DISA classified connection approval process.Cloud Computing Mission Owner Operating System Security Requirements Guide V-259879CAT IIThe Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must remove orphaned or unused virtual machine (VM) instances.Cloud Computing Mission Owner Operating System Security Requirements Guide V-269309CAT IIAlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269310CAT IIAlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269311CAT IIAlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269312CAT IIAlmaLinux OS 9 must mount /boot with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269313CAT IIAlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269314CAT IIAlmaLinux OS 9 must mount /dev/shm with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269315CAT IIAlmaLinux OS 9 must mount /dev/shm with the noexec option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269316CAT IIAlmaLinux OS 9 must mount /dev/shm with the nosuid option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269317CAT IIAlmaLinux OS 9 must mount /tmp with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269318CAT IIAlmaLinux OS 9 must mount /tmp with the noexec option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269319CAT IIAlmaLinux OS 9 must mount /tmp with the nosuid option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269320CAT IIAlmaLinux OS 9 must mount /var/log/audit with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269321CAT IIAlmaLinux OS 9 must mount /var/log/audit with the noexec option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269322CAT IIAlmaLinux OS 9 must mount /var/log/audit with the nosuid option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269323CAT IIAlmaLinux OS 9 must mount /var/log with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269324CAT IIAlmaLinux OS 9 must mount /var/log with the noexec option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269325CAT IIAlmaLinux OS 9 must mount /var/log with the nosuid option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269326CAT IIAlmaLinux OS 9 must mount /var with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269327CAT IIAlmaLinux OS 9 must mount /var/tmp with the nodev option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269328CAT IIAlmaLinux OS 9 must mount /var/tmp with the noexec option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269329CAT IIAlmaLinux OS 9 must mount /var/tmp with the nosuid option.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233191CAT IIThe container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.Container Platform Security Requirements Guide V-235781CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-235782CAT IIA policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-270947CAT IDragos Platforms must limit privileges and not allow the ability to run shell.Dragos Platform 2.x Security Technical Implementation Guide V-278398CAT IINGINX must be configured with a deny-all, permit-by-exception policy to allow the execution of authorized software programs.F5 NGINX Security Technical Implementation Guide V-203721CAT IIThe operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.General Purpose Operating System Security Requirements Guide V-258481CAT IIGoogle Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 13 BYOAD Security Technical Implementation Guide V-254771CAT IIGoogle Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 13 COPE Security Technical Implementation Guide V-258384CAT IIGoogle Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 14 COBO Security Technical Implementation Guide V-258415CAT IIGoogle Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 14 COPE Security Technical Implementation Guide V-260131CAT IIGoogle Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide V-267436CAT IIGoogle Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 15 COBO Security Technical Implementation Guide V-267531CAT IIGoogle Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 15 COPE Security Technical Implementation Guide V-276754CAT IIGoogle Android 16 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 16 COBO Security Technical Implementation Guide V-276856CAT IIGoogle Android 16 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Google Android 16 COPE Security Technical Implementation Guide V-274288CAT IIHoneywell Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Honeywell Android 13 COBO Security Technical Implementation Guide V-274383CAT IIHoneywell Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Honeywell Android 13 COPE Security Technical Implementation Guide V-215335CAT IIAIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.IBM AIX 7.x Security Technical Implementation Guide V-223489CAT IIACF2 MAINT GSO record value if specified must be restricted to production storage management user.IBM z/OS ACF2 Security Technical Implementation Guide V-223490CAT IIACF2 LINKLST GSO record if specified must only contains trusted system data sets.IBM z/OS ACF2 Security Technical Implementation Guide V-223561CAT IUnsupported IBM z/OS system software must not be installed and/or active on the system.IBM z/OS ACF2 Security Technical Implementation Guide V-223562CAT IIIBM z/OS must not allow non-existent or inaccessible LINKLIST libraries.IBM z/OS ACF2 Security Technical Implementation Guide V-223563CAT IIIBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries.IBM z/OS ACF2 Security Technical Implementation Guide V-223781CAT IUnsupported system software must not be installed and/ or active on the system.IBM z/OS RACF Security Technical Implementation Guide V-223782CAT IIIBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.IBM z/OS RACF Security Technical Implementation Guide V-223783CAT IIIBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.IBM z/OS RACF Security Technical Implementation Guide V-224001CAT IIIBM z/OS must specify SMF data options to ensure appropriate activation.IBM z/OS TSS Security Technical Implementation Guide V-224017CAT IUnsupported IBM z/OS system software must not be installed and/or active on the system.IBM z/OS TSS Security Technical Implementation Guide V-224018CAT IIIBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.IBM z/OS TSS Security Technical Implementation Guide V-224019CAT IIIBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.IBM z/OS TSS Security Technical Implementation Guide V-220827CAT IAutoplay must be turned off for non-volume devices.Microsoft Windows 10 Security Technical Implementation Guide V-220828CAT IThe default autorun behavior must be configured to prevent autorun commands.Microsoft Windows 10 Security Technical Implementation Guide V-220829CAT IAutoplay must be disabled for all drives.Microsoft Windows 10 Security Technical Implementation Guide V-253386CAT IAutoplay must be turned off for non-volume devices.Microsoft Windows 11 Security Technical Implementation Guide V-253387CAT IThe default autorun behavior must be configured to prevent autorun commands.Microsoft Windows 11 Security Technical Implementation Guide V-253388CAT IAutoplay must be disabled for all drives.Microsoft Windows 11 Security Technical Implementation Guide V-224932CAT IAutoPlay must be turned off for non-volume devices.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224933CAT IThe default AutoRun behavior must be configured to prevent AutoRun commands.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224934CAT IAutoPlay must be disabled for all drives.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205804CAT IWindows Server 2019 Autoplay must be turned off for non-volume devices.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205805CAT IWindows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205806CAT IWindows Server 2019 AutoPlay must be disabled for all drives.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254352CAT IWindows Server 2022 Autoplay must be turned off for nonvolume devices.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254353CAT IWindows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254354CAT IWindows Server 2022 AutoPlay must be disabled for all drives.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278099CAT IWindows Server 2025 AutoPlay must be turned off for nonvolume devices.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278100CAT IWindows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278101CAT IWindows Server 2025 AutoPlay must be disabled for all drives.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260906CAT ILeast privilege access and need to know must be required to access MKE runtime and instantiate container images.Mirantis Kubernetes Engine Security Technical Implementation Guide V-272178CAT IIMotorola Solutions Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Motorola Solutions Android 13 COBO Security Technical Implementation Guide V-272315CAT IIMotorola Solutions Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].Motorola Solutions Android 13 COPE Security Technical Implementation Guide V-254199CAT IINutanix AOS must be configured with nodev, nosuid, and noexec options for /dev/shm.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279582CAT IINutanix OS must set the SCMA framework to check the baseline daily.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279586CAT IINutanix OS must enable an application firewall.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279587CAT IINutanix OS must mount /dev/shm with secure options.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279588CAT IINutanix OS must mount /tmp with secure options.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279589CAT IINutanix OS must mount /var/log/audit with secure options.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279590CAT IINutanix OS must mount /var/tmp with secure options.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279591CAT IINutanix OS must mount /var/log with secure options.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279592CAT IINutanix OS must have the fapolicyd.service installed and active.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221747CAT IIIThe Oracle Linux operating system must mount /dev/shm with secure options.Oracle Linux 7 Security Technical Implementation Guide V-248844CAT IIOL 8 must mount "/dev/shm" with the "nodev" option.Oracle Linux 8 Security Technical Implementation Guide V-248845CAT IIOL 8 must mount "/dev/shm" with the "nosuid" option.Oracle Linux 8 Security Technical Implementation Guide V-248846CAT IIOL 8 must mount "/dev/shm" with the "noexec" option.Oracle Linux 8 Security Technical Implementation Guide V-248847CAT IIOL 8 must mount "/tmp" with the "nodev" option.Oracle Linux 8 Security Technical Implementation Guide V-248848CAT IIOL 8 must mount "/tmp" with the "nosuid" option.Oracle Linux 8 Security Technical Implementation Guide V-248849CAT IIOL 8 must mount "/tmp" with the "noexec" option.Oracle Linux 8 Security Technical Implementation Guide V-248850CAT IIOL 8 must mount "/var/log" with the "nodev" option.Oracle Linux 8 Security Technical Implementation Guide V-248851CAT IIOL 8 must mount "/var/log" with the "nosuid" option.Oracle Linux 8 Security Technical Implementation Guide V-248852CAT IIOL 8 must mount "/var/log" with the "noexec" option.Oracle Linux 8 Security Technical Implementation Guide V-248853CAT IIOL 8 must mount "/var/log/audit" with the "nodev" option.Oracle Linux 8 Security Technical Implementation Guide V-248854CAT IIOL 8 must mount "/var/log/audit" with the "nosuid" option.Oracle Linux 8 Security Technical Implementation Guide V-248855CAT IIOL 8 must mount "/var/log/audit" with the "noexec" option.Oracle Linux 8 Security Technical Implementation Guide V-248856CAT IIOL 8 must mount "/var/tmp" with the "nodev" option.Oracle Linux 8 Security Technical Implementation Guide V-248857CAT IIOL 8 must mount "/var/tmp" with the "nosuid" option.Oracle Linux 8 Security Technical Implementation Guide V-248858CAT IIOL 8 must mount "/var/tmp" with the "noexec" option.Oracle Linux 8 Security Technical Implementation Guide V-248859CAT IIThe OL 8 "fapolicy" module must be installed.Oracle Linux 8 Security Technical Implementation Guide V-248860CAT IIThe OL 8 "fapolicy" module must be enabled.Oracle Linux 8 Security Technical Implementation Guide V-248861CAT IIThe OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Oracle Linux 8 Security Technical Implementation Guide V-271506CAT IIOL 9 must have the fapolicy module installed.Oracle Linux 9 Security Technical Implementation Guide V-271507CAT IIOL 9 must enable the fapolicy module.Oracle Linux 9 Security Technical Implementation Guide V-271647CAT IIOL 9 must mount /boot with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271648CAT IIOL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.Oracle Linux 9 Security Technical Implementation Guide V-271649CAT IIOL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.Oracle Linux 9 Security Technical Implementation Guide V-271650CAT IIOL 9 must mount /dev/shm with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271651CAT IIOL 9 must mount /dev/shm with the noexec option.Oracle Linux 9 Security Technical Implementation Guide V-271652CAT IIOL 9 must mount /dev/shm with the nosuid option.Oracle Linux 9 Security Technical Implementation Guide V-271653CAT IIOL 9 must mount /tmp with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271654CAT IIOL 9 must mount /tmp with the noexec option.Oracle Linux 9 Security Technical Implementation Guide V-271655CAT IIOL 9 must mount /tmp with the nosuid option.Oracle Linux 9 Security Technical Implementation Guide V-271656CAT IIOL 9 must mount /var with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271657CAT IIOL 9 must mount /var/log with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271658CAT IIOL 9 must mount /var/log with the noexec option.Oracle Linux 9 Security Technical Implementation Guide V-271659CAT IIOL 9 must mount /var/log with the nosuid option.Oracle Linux 9 Security Technical Implementation Guide V-271660CAT IIOL 9 must mount /var/log/audit with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271661CAT IIOL 9 must mount /var/log/audit with the noexec option.Oracle Linux 9 Security Technical Implementation Guide V-271662CAT IIOL 9 must mount /var/log/audit with the nosuid option.Oracle Linux 9 Security Technical Implementation Guide V-271663CAT IIOL 9 must mount /var/tmp with the nodev option.Oracle Linux 9 Security Technical Implementation Guide V-271664CAT IIOL 9 must mount /var/tmp with the noexec option.Oracle Linux 9 Security Technical Implementation Guide V-271665CAT IIOL 9 must mount /var/tmp with the nosuid option.Oracle Linux 9 Security Technical Implementation Guide V-271666CAT IIOL 9 must prevent device files from being interpreted on file systems that contain user home directories.Oracle Linux 9 Security Technical Implementation Guide V-271667CAT IIOL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.Oracle Linux 9 Security Technical Implementation Guide V-271671CAT IIOL 9 must disable the graphical user interface autorun function unless required.Oracle Linux 9 Security Technical Implementation Guide V-253529CAT IThe configuration integrity of the container platform must be ensured and runtime policies must be configured.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-253531CAT IPrisma Cloud Compute host compliance baseline policies must be set.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-253532CAT IThe configuration integrity of the container platform must be ensured and compliance policies must be configured.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-253543CAT IThe configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-254565CAT IIRancher RKE2 must be configured with only essential configurations.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-280969CAT IIRHEL 10 must have the "fapolicy" module installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280970CAT IIRHEL 10 must enable the "fapolicy" module.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280971CAT IIRHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281088CAT IIRHEL 10 must prevent device files from being interpreted on file systems that contain user home directories.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281089CAT IIRHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281091CAT IIRHEL 10 must mount "/var/log/audit" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281092CAT IIRHEL 10 must mount "/var/log/audit" with the "noexec" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281093CAT IIRHEL 10 must mount "/var/log/audit" with the "nosuid" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281232CAT IIRHEL 10 must mount "/boot" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281233CAT IIRHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281235CAT IIRHEL 10 must mount "/dev/shm" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281236CAT IIRHEL 10 must mount "/dev/shm" with the "noexec" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281237CAT IIRHEL 10 must mount "/dev/shm" with the "nosuid" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281238CAT IIRHEL 10 must mount "/tmp" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281239CAT IIRHEL 10 must mount "/tmp" with the "noexec" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281240CAT IIRHEL 10 must mount "/tmp" with the "nosuid" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281241CAT IIRHEL 10 must mount "/var" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281242CAT IIRHEL 10 must mount "/var/log" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281243CAT IIRHEL 10 must mount "/var/log" with the "noexec" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281244CAT IIRHEL 10 must mount "/var/log" with the "nosuid" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281245CAT IIRHEL 10 must mount "/var/tmp" with the "nodev" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281246CAT IIRHEL 10 must mount "/var/tmp" with the "noexec" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281247CAT IIRHEL 10 must mount "/var/tmp" with the "nosuid" option.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281248CAT IIRHEL 10 must prevent special devices on nonroot local partitions.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204486CAT IIIThe Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230508CAT IIRHEL 8 must mount /dev/shm with the nodev option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230509CAT IIRHEL 8 must mount /dev/shm with the nosuid option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230510CAT IIRHEL 8 must mount /dev/shm with the noexec option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230511CAT IIRHEL 8 must mount /tmp with the nodev option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230512CAT IIRHEL 8 must mount /tmp with the nosuid option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230513CAT IIRHEL 8 must mount /tmp with the noexec option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230514CAT IIRHEL 8 must mount /var/log with the nodev option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230515CAT IIRHEL 8 must mount /var/log with the nosuid option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230516CAT IIRHEL 8 must mount /var/log with the noexec option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230517CAT IIRHEL 8 must mount /var/log/audit with the nodev option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230518CAT IIRHEL 8 must mount /var/log/audit with the nosuid option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230519CAT IIRHEL 8 must mount /var/log/audit with the noexec option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230520CAT IIRHEL 8 must mount /var/tmp with the nodev option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230521CAT IIRHEL 8 must mount /var/tmp with the nosuid option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230522CAT IIRHEL 8 must mount /var/tmp with the noexec option.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230523CAT IIThe RHEL 8 fapolicy module must be installed.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-244545CAT IIThe RHEL 8 fapolicy module must be enabled.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-244546CAT IIThe RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257850CAT IIRHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257851CAT IIRHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257860CAT IIRHEL 9 must mount /boot with the nodev option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257861CAT IIRHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257862CAT IIRHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257863CAT IIRHEL 9 must mount /dev/shm with the nodev option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257864CAT IIRHEL 9 must mount /dev/shm with the noexec option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257865CAT IIRHEL 9 must mount /dev/shm with the nosuid option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257866CAT IIRHEL 9 must mount /tmp with the nodev option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257867CAT IIRHEL 9 must mount /tmp with the noexec option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257868CAT IIRHEL 9 must mount /tmp with the nosuid option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257869CAT IIRHEL 9 must mount /var with the nodev option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257870CAT IIRHEL 9 must mount /var/log with the nodev option.Red Hat Enterprise Linux 9 Security Technical Implementation Guide