STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← MA-4 (6) — Nonlocal Maintenance

CCI-002890

Definition

Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Parent Control

MA-4 (6)Nonlocal MaintenanceMaintenance

Linked STIG Checks (122)

V-255615CAT IIOperators of the A10 Networks ADC must not use the Telnet client built into the device.A10 Networks ADC NDM Security Technical Implementation Guide V-255622CAT IIThe A10 Networks ADC must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.A10 Networks ADC NDM Security Technical Implementation Guide V-274040CAT IAmazon Linux 2023 must have the crypto-policies package installed.Amazon Linux 2023 Security Technical Implementation Guide V-274058CAT IAmazon Linux 2023 crypto policy must not be overridden.Amazon Linux 2023 Security Technical Implementation Guide V-283452CAT IAmazon Linux 2023 must implement a FIPS 140-2/140-3 compliant systemwide cryptographic policy.Amazon Linux 2023 Security Technical Implementation Guide V-268157CAT INixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.Anduril NixOS Security Technical Implementation Guide V-252459CAT IThe macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252460CAT IThe macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-252461CAT IThe macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257773CAT IThe macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257774CAT IThe macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257775CAT IThe macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257165CAT IThe macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257166CAT IThe macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257167CAT IThe macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257293CAT IThe macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257294CAT IThe macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-257295CAT IThe macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-268438CAT IThe macOS system must limit SSHD to FIPS-compliant connections.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277046CAT IThe macOS system must limit SSHD to FIPS-compliant connections.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-222562CAT IIApplications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications.Application Security and Development Security Technical Implementation Guide V-217369CAT IIArista Multilayer Switches used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide V-255960CAT IThe Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Arista MLS EOS 4.X NDM Security Technical Implementation Guide V-219312CAT IIThe Ubuntu operating system must configure the SSH daemon to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms to protect the integrity of nonlocal maintenance and diagnostic communications.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238216CAT IIThe Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260532CAT IIUbuntu 22.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3-approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270668CAT IIUbuntu 24.04 LTS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-3 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-271966CAT IThe Cisco ACI must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.Cisco ACI NDM Security Technical Implementation Guide V-239930CAT IThe Cisco ASA must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of non-local maintenance and diagnostic communications.Cisco ASA NDM Security Technical Implementation Guide V-215699CAT IThe Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS Router NDM Security Technical Implementation Guide V-220607CAT IThe Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS Switch NDM Security Technical Implementation Guide V-215844CAT IThe Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS XE Router NDM Security Technical Implementation Guide V-220555CAT IThe Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS XE Switch NDM Security Technical Implementation Guide V-216541CAT IThe Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS XR Router NDM Security Technical Implementation Guide V-242654CAT IIThe Cisco ISE must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Cisco ISE NDM Security Technical Implementation Guide V-242655CAT IThe Cisco ISE must verify the checksum value of any software download, including install files (ISO or OVA), patch files, and upgrade bundles.Cisco ISE NDM Security Technical Implementation Guide V-220503CAT IThe Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco NX OS Switch NDM Security Technical Implementation Guide V-283454CAT IAlmaLinux OS 9 must have the crypto-policies package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233207CAT IIContainer platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Container Platform Security Requirements Guide V-255573CAT IIApplications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.DBN-6300 NDM Security Technical Implementation Guide V-269796CAT IThe Dell OS10 Switch must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Dell OS10 Switch NDM Security Technical Implementation Guide V-235777CAT IFIPS mode must be enabled on all Docker Engine - Enterprise nodes.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-234211CAT IThe FortiGate devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Fortinet FortiGate Firewall NDM Security Technical Implementation Guide V-203736CAT IThe operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.General Purpose Operating System Security Requirements Guide V-217468CAT IIApplications used for nonlocal maintenance sessions must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.HP FlexFabric Switch NDM Security Technical Implementation Guide V-237818CAT IDoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide V-255272CAT IThe HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide V-283387CAT IThe HPE Alletra Storage ArcusOS device must use FIPS 140-approved algorithms for authentication to a cryptographic module.HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide V-266940CAT IAOS must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.HPE Aruba Networking AOS NDM Security Technical Implementation Guide V-268270CAT IThe HYCU virtual appliance must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.HYCU Protege Security Technical Implementation Guide V-215284CAT IIAIX must protect the confidentiality and integrity of transmitted information during preparation for transmission and maintain the confidentiality and integrity of information during reception and disable all non-encryption network access methods.IBM AIX 7.x Security Technical Implementation Guide V-65169CAT IIThe IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.IBM DataPower Network Device Management Security Technical Implementation Guide V-255765CAT IIApplications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide V-223610CAT IIIBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.IBM z/OS ACF2 Security Technical Implementation Guide V-223831CAT IIIBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.IBM z/OS RACF Security Technical Implementation Guide V-224067CAT IIIBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.IBM z/OS TSS Security Technical Implementation Guide V-258601CAT IIThe ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.Ivanti Connect Secure NDM Security Technical Implementation Guide V-253928CAT IThe Juniper EX switches must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Juniper EX Series Switches Network Device Management Security Technical Implementation Guide V-217340CAT IThe Juniper router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Juniper Router NDM Security Technical Implementation Guide V-66453CAT IFor nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA to protect the integrity of maintenance and diagnostic communications.Juniper SRX SG NDM Security Technical Implementation Guide V-66529CAT IIFor nonlocal maintenance sessions using SSH, the Juniper SRX Services Gateway must securely configure SSHv2 Message Authentication Code (MAC) algorithms to protect the integrity of maintenance and diagnostic communications.Juniper SRX SG NDM Security Technical Implementation Guide V-223224CAT IFor nonlocal maintenance sessions using SNMP, the Juniper SRX Services Gateway must use and securely configure SNMPv3 with SHA256 or higher to protect the integrity of maintenance and diagnostic communications.Juniper SRX Services Gateway NDM Security Technical Implementation Guide V-223225CAT IThe Juniper SRX Services Gateway must securely configure SSHv2 FIPS 140-2/140-3 validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.Juniper SRX Services Gateway NDM Security Technical Implementation Guide V-205579CAT IIMainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.Mainframe Product Security Requirements Guide V-220852CAT IIRemote Desktop Services must be configured with the client connection encryption set to the required level.Microsoft Windows 10 Security Technical Implementation Guide V-220863CAT IIThe Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows 10 Security Technical Implementation Guide V-220866CAT IIThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.Microsoft Windows 10 Security Technical Implementation Guide V-253417CAT IIThe Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows 11 Security Technical Implementation Guide V-224959CAT IIThe Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224962CAT IIThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205816CAT IIWindows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205817CAT IIWindows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254379CAT IIWindows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254382CAT IIWindows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278126CAT IIWindows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278129CAT IIWindows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260908CAT IFIPS mode must be enabled.Mirantis Kubernetes Engine Security Technical Implementation Guide V-246958CAT IONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2.NetApp ONTAP DSC 9.x Security Technical Implementation Guide V-202117CAT IThe network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Network Device Management Security Requirements Guide V-254125CAT INutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279534CAT INutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279535CAT INutanix OS must implement cryptography to protect the integrity of remote access session by setting the systemwide policy to use FIPS mode.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279538CAT INutanix OS must implement cryptography to protect the integrity and confidentiality of remote access and nonlocal maintenance and diagnostic sessions.Nutanix Acropolis GPOS Security Technical Implementation Guide V-279619CAT INutanix OS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221840CAT IIThe Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.Oracle Linux 7 Security Technical Implementation Guide V-248524CAT IOL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.Oracle Linux 8 Security Technical Implementation Guide V-283447CAT IOL 8 cryptographic policy must not be overridden.Oracle Linux 8 Security Technical Implementation Guide V-271477CAT IOL 9 must have the crypto-policies package installed.Oracle Linux 9 Security Technical Implementation Guide V-271478CAT IOL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.Oracle Linux 9 Security Technical Implementation Guide V-271479CAT IOL 9 must not allow the cryptographic policy to be overridden.Oracle Linux 9 Security Technical Implementation Guide V-228669CAT IIThe Palo Alto Networks security platform must only allow the use of secure protocols that implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications for nonlocal maintenance sessions.Palo Alto Networks NDM Security Technical Implementation Guide V-273808CAT IThe RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.RUCKUS ICX NDM Security Technical Implementation Guide V-281007CAT IRHEL 10 must have the "crypto-policies" package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281008CAT IRHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281009CAT IRHEL 10 must enable FIPS mode.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281010CAT IRHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281016CAT IRHEL 10 cryptographic policy must not be overridden.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-258234CAT IRHEL 9 must have the crypto-policies package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258236CAT IRHEL 9 cryptographic policy must not be overridden.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258241CAT IRHEL 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257546CAT IOpenShift must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 validated cryptography.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275625CAT IUbuntu OS must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 -approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.Riverbed NetIM OS Security Technical Implementation Guide V-256090CAT IThe Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.Riverbed NetProfiler Security Technical Implementation Guide V-261334CAT ISLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217270CAT IIThe SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-216387CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 SPARC Security Technical Implementation Guide V-216150CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 X86 Security Technical Implementation Guide V-279248CAT IThe Edge SWG must be configured to use FIPS mode.Symantec Edge SWG NDM Security Technical Implementation Guide V-94711CAT IThe Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.Symantec ProxySG NDM Security Technical Implementation Guide V-242251CAT IThe TippingPoint TPS must have FIPS mode enforced.Trend Micro TippingPoint NDM Security Technical Implementation Guide V-253091CAT IITOSS must implement DoD-approved encryption in the OpenSSL package.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-240514CAT IIThe SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239609CAT IIThe SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256486CAT IIIThe Photon operating system must configure sshd to use approved encryption algorithms.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-258806CAT IThe Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-73595CAT IIThe Windows Remote Management (WinRM) client must not allow unencrypted traffic.Windows Server 2016 Security Technical Implementation Guide V-73595CAT IIThe Windows Remote Management (WinRM) client must not allow unencrypted traffic.Windows Server 2016 Security Technical Implementation Guide V-73601CAT IIThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.Windows Server 2016 Security Technical Implementation Guide V-73601CAT IIThe Windows Remote Management (WinRM) service must not allow unencrypted traffic.Windows Server 2016 Security Technical Implementation Guide V-93499CAT IIWindows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.Windows Server 2019 Security Technical Implementation Guide V-93501CAT IIWindows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.Windows Server 2019 Security Technical Implementation Guide V-269573CAT IXylok Security Suite must prevent access except through HTTPS.Xylok Security Suite 20.x Security Technical Implementation Guide