CCI-002696

Definition

Verify correct operation of organization-defined security functions.

Parent Control

SI-6: Security and Privacy Function Verification (System and Information Integrity)

Linked STIG Checks (81)

Vuln ID | Severity | Requirement | Guide
V-274024 | CAT II | Amazon Linux 2023 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Amazon Linux 2023 Security Technical Implementation Guide
V-274152 | CAT II | Amazon Linux 2023 must enable the SELinux targeted policy. | Amazon Linux 2023 Security Technical Implementation Guide
V-274153 | CAT I | Amazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services. | Amazon Linux 2023 Security Technical Implementation Guide
V-268153 | CAT II | NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner. | Anduril NixOS Security Technical Implementation Guide
V-259573 | CAT II | The macOS system must ensure secure boot level set to full. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268568 | CAT II | The macOS system must ensure Secure Boot level is set to "full". | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277178 | CAT II | The macOS system must ensure Secure Boot level is set to "full". | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-222615 | CAT II | The application performing organization-defined security functions must verify correct operation of security functions. | Application Security and Development Security Technical Implementation Guide
V-276005 | CAT II | Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-219343 | CAT II | The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238371 | CAT II | The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260582 | CAT II | Ubuntu 22.04 LTS must use a file integrity tool to verify correct operation of all security functions. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-260583 | CAT II | Ubuntu 22.04 LTS must configure Advanced Intrusion Detection Environment (AIDE) to perform file integrity checking on the file system. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270649 | CAT II | Ubuntu 24.04 LTS must use a file integrity tool to verify correct operation of all security functions. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-270650 | CAT II | Ubuntu 24.04 LTS must configure AIDE to perform file integrity checking on the file system if installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-269455 | CAT II | AlmaLinux OS 9 must enable the SELinux targeted policy. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269456 | CAT II | AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233242 | CAT II | The organization-defined role must verify correct operation of security functions in the container platform. | Container Platform Security Requirements Guide
V-203756 | CAT II | The operating system must verify correct operation of all security functions. | General Purpose Operating System Security Requirements Guide
V-252631 | CAT II | The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell". | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-251419 | CAT II | The Ivanti EPMM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device. | Ivanti EPMM Server Security Technical Implementation Guide
V-251419 | CAT II | The Ivanti MobileIron Core server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
V-205591 | CAT II | The Mainframe Product performing organization-defined security functions must verify correct operation of security functions. | Mainframe Product Security Requirements Guide
V-91815 | CAT II | The MobileIron Core v10 server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of the hardware model of the device; - query the current version of installed mobile applications; - read audit logs kept by the MD. | MobileIron Core v10.x MDM Security Technical Implementation Guide
V-254237 | CAT II | Nutanix AOS must be configured to use SELinux Enforcing mode. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279623 | CAT II | Nutanix OS must isolate security functions from nonsecurity functions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-221716 | CAT II | The Oracle Linux operating system must enable SELinux. | Oracle Linux 7 Security Technical Implementation Guide
V-228570 | CAT II | The Oracle Linux operating system must enable the SELinux targeted policy. | Oracle Linux 7 Security Technical Implementation Guide
V-251701 | CAT II | The Oracle Linux operating system must use a file integrity tool to verify correct operation of all security functions. | Oracle Linux 7 Security Technical Implementation Guide
V-248596 | CAT II | OL 8 must enable the SELinux targeted policy. | Oracle Linux 8 Security Technical Implementation Guide
V-252654 | CAT II | The OL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | Oracle Linux 8 Security Technical Implementation Guide
V-271452 | CAT I | OL 9 must use a Linux Security Module configured to enforce limits on system services. | Oracle Linux 9 Security Technical Implementation Guide
V-271453 | CAT II | OL 9 must enable the SELinux targeted policy. | Oracle Linux 9 Security Technical Implementation Guide
V-271496 | CAT II | OL 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Oracle Linux 9 Security Technical Implementation Guide
V-253532 | CAT I | The configuration integrity of the container platform must be ensured and compliance policies must be configured. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-280977 | CAT II | RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281043 | CAT II | RHEL 10 must be configured so that cron configuration file directories are owned by root. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281168 | CAT II | RHEL 10 must not assign an interactive login shell for system accounts. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281207 | CAT II | RHEL 10 must restrict privilege elevation to authorized personnel. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281249 | CAT II | RHEL 10 must enable the SELinux targeted policy. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281251 | CAT II | RHEL 10 must use a Linux Security Module configured to enforce limits on system services. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281253 | CAT II | RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281256 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281257 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281258 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281259 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281260 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281261 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281284 | CAT II | RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-204453 | CAT II | The Red Hat Enterprise Linux operating system must enable SELinux. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204454 | CAT II | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-251705 | CAT II | The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-230282 | CAT II | RHEL 8 must enable the SELinux targeted policy. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-251710 | CAT II | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V-258078 | CAT I | RHEL 9 must use a Linux Security Module configured to enforce limits on system services. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258079 | CAT II | RHEL 9 must enable the SELinux targeted policy. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258134 | CAT II | RHEL 9 must have the AIDE package installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257573 | CAT II | The Compliance Operator must be configured. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
V-257573 | CAT II | The Compliance Operator must be configured. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-275669 | CAT II | Ubuntu OS must use a file integrity tool to verify correct operation of all security functions. | Riverbed NetIM OS Security Technical Implementation Guide
V-275670 | CAT II | Ubuntu OS must configure AIDE to perform file integrity checking on the file system. | Riverbed NetIM OS Security Technical Implementation Guide
V-255916 | CAT II | The SUSE operating system must use a file integrity tool to verify correct operation of all security functions. | SLES 12 Security Technical Implementation Guide
V-261370 | CAT II | SLEM 5 must enable the SELinux targeted policy. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-261407 | CAT II | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217148 | CAT II | Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-255916 | CAT II | The SUSE operating system must use a file integrity tool to verify correct operation of all security functions. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-225645 | CAT II | The Samsung SDS EMM must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the MD. | Samsung SDS EMM Security Technical Implementation Guide
V-219987 | CAT II | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). | Solaris 11 SPARC Security Technical Implementation Guide
V-224671 | CAT II | The operating system must identify potentially security-relevant error conditions. | Solaris 11 SPARC Security Technical Implementation Guide
V-220015 | CAT II | The operating system must verify the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification). | Solaris 11 X86 Security Technical Implementation Guide
V-224673 | CAT II | The operating system must identify potentially security-relevant error conditions. | Solaris 11 X86 Security Technical Implementation Guide
V-253095 | CAT II | TOSS must enable the "SELinux" targeted policy. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282579 | CAT II | TOSS 5 must have the Advanced Intrusion Detection Environment (AIDE) package installed. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-282580 | CAT II | TOSS 5 must routinely check the baseline configuration for unauthorized changes and notify the system administrator (SA) when anomalies in the operation of any security functions are discovered. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-282613 | CAT II | TOSS 5 must enable the "SELinux" targeted policy. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-234622 | CAT II | The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device. | Unified Endpoint Management Server Security Requirements Guide
V-221642 | CAT II | The Workspace ONE UEM server must be configured with a periodicity for reachable events of six hours or less for the following commands to the agent: - query connectivity status; - query the current version of the MD firmware/software; - query the current version of installed mobile applications; - read audit logs kept by the MD. | VMware Workspace ONE UEM Security Technical Implementation Guide
V-240522 | CAT II | The SLES for vRealize must verify correct operation of all security functions. | VMware vRealize Automation 7.x SLES Security Technical Implementation Guide
V-256490 | CAT II | The Photon operating system must have the auditd service running. | VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
V-258740 | CAT II | The ESXi host must implement Secure Boot enforcement. | VMware vSphere 8.0 ESXi Security Technical Implementation Guide
V-207506 | CAT II | The VMM must verify correct operation of all security functions. | Virtual Machine Manager Security Requirements Guide