STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

General Purpose Operating System Security Requirements Guide

Version

V3R3

Release Date

Sep 22, 2025

SCAP Benchmark ID

General_Purpose_Operating_System

Total Checks

203

Tags

other

CAT I: 20, CAT II: 173, CAT III: 10

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (203)

  • V-203591 (MEDIUM): The operating system must provide automated mechanisms for supporting account management functions.
  • V-203592 (MEDIUM): The operating system must automatically remove or disable temporary user accounts after 72 hours.
  • V-203593 (MEDIUM): The operating system must audit all account creations.
  • V-203594 (MEDIUM): The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-203595 (MEDIUM): The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.
  • V-203596 (MEDIUM): The operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-203597 (LOW): The operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-203598 (MEDIUM): The operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
  • V-203599 (MEDIUM): The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types.
  • V-203600 (MEDIUM): The operating system must provide the capability for users to directly initiate a session lock for all connection types.
  • V-203601 (MEDIUM): The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
  • V-203602 (MEDIUM): The operating system must monitor remote access methods.
  • V-203603 (HIGH): The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  • V-203604 (MEDIUM): The operating system must produce audit records containing information to establish what type of events occurred.
  • V-203605 (MEDIUM): The operating system must produce audit records containing information to establish when (date and time) the events occurred.
  • V-203606 (MEDIUM): The operating system must produce audit records containing information to establish where the events occurred.
  • V-203607 (MEDIUM): The operating system must produce audit records containing information to establish the source of the events.
  • V-203608 (MEDIUM): The operating system must produce audit records containing information to establish the outcome of the events.
  • V-203609 (MEDIUM): The operating system must generate audit records containing the full-text recording of privileged commands.
  • V-203610 (MEDIUM): The operating system must produce audit records containing the individual identities of group account users.
  • V-203611 (MEDIUM): The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-203613 (MEDIUM): The operating system must provide the capability to centrally review and analyze audit records from multiple components within the system.
  • V-203614 (MEDIUM): The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.
  • V-203615 (MEDIUM): The operating system must use internal system clocks to generate time stamps for audit records.
  • V-203616 (MEDIUM): The operating system must protect audit information from unauthorized read access.
  • V-203617 (MEDIUM): The operating system must protect audit information from unauthorized modification.
  • V-203618 (MEDIUM): The operating system must protect audit information from unauthorized deletion.
  • V-203619 (MEDIUM): The operating system must provide audit record generation capability for DoD-defined auditable events for all operating system components.
  • V-203620 (MEDIUM): The operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-203621 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-203622 (MEDIUM): The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-203623 (MEDIUM): The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-203624 (MEDIUM): The operating system must map the authenticated identity to the user or group account for PKI-based authentication.
  • V-203625 (MEDIUM): The operating system must enforce password complexity by requiring that at least one uppercase character be used.
  • V-203626 (MEDIUM): The operating system must enforce password complexity by requiring that at least one lowercase character be used.
  • V-203627 (MEDIUM): The operating system must enforce password complexity by requiring that at least one numeric character be used.
  • V-203628 (MEDIUM): The operating system must require the change of at least 50 percent of the total number of characters when passwords are changed.
  • V-203629 (HIGH): The operating system must store only encrypted representations of passwords.
  • V-203630 (HIGH): The operating system must transmit only encrypted representations of passwords.
  • V-203631 (MEDIUM): Operating systems must enforce 24 hours/1 day as the minimum password lifetime.
  • V-203632 (MEDIUM): Operating systems must enforce a 60-day maximum password lifetime restriction.
  • V-203634 (MEDIUM): The operating system must enforce a minimum 15-character password length.
  • V-203635 (MEDIUM): The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
  • V-203636 (MEDIUM): The operating system must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • V-203637 (MEDIUM): The operating system must be configured to disable non-essential capabilities.
  • V-203638 (MEDIUM): The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-203639 (MEDIUM): The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
  • V-203640 (MEDIUM): The operating system must use multifactor authentication for network access to privileged accounts.
  • V-203641 (MEDIUM): The operating system must use multifactor authentication for network access to non-privileged accounts.
  • V-203642 (MEDIUM): The operating system must use multifactor authentication for local access to privileged accounts.
  • V-203643 (MEDIUM): The operating system must use multifactor authentication for local access to nonprivileged accounts.
  • V-203644 (MEDIUM): The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
  • V-203645 (MEDIUM): The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-203646 (MEDIUM): The operating system must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
  • V-203647 (MEDIUM): The operating system must uniquely identify peripherals before establishing a connection.
  • V-203648 (MEDIUM): The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-203649 (MEDIUM): The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
  • V-203650 (MEDIUM): The operating system must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
  • V-203651 (MEDIUM): The operating system must provide an audit reduction capability that supports on-demand reporting requirements.
  • V-203652 (MEDIUM): The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
  • V-203653 (HIGH): The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
  • V-203655 (MEDIUM): The operating system must separate user functionality (including user interface services) from operating system management functionality.
  • V-203656 (MEDIUM): The operating system must isolate security functions from nonsecurity functions.
  • V-203657 (MEDIUM): Operating systems must prevent unauthorized and unintended information transfer via shared system resources.
  • V-203658 (MEDIUM): The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
  • V-203659 (MEDIUM): The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
  • V-203660 (MEDIUM): The operating system must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
  • V-203661 (MEDIUM): The operating system must protect the confidentiality and integrity of all information at rest.
  • V-203663 (MEDIUM): The operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-203664 (MEDIUM): The operating system must reveal error messages only to authorized users.
  • V-203665 (MEDIUM): Any publicly accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
  • V-203666 (MEDIUM): The operating system must audit all account modifications.
  • V-203667 (MEDIUM): The operating system must audit all account disabling actions.
  • V-203668 (MEDIUM): The operating system must audit all account removal actions.
  • V-203669 (HIGH): The operating system must implement cryptography to protect the integrity of remote access sessions.
  • V-203670 (MEDIUM): The operating system must initiate session audits at system start-up.
  • V-203671 (MEDIUM): The operating system must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-203672 (MEDIUM): The operating system must protect audit tools from unauthorized access.
  • V-203673 (MEDIUM): The operating system must protect audit tools from unauthorized modification.
  • V-203674 (MEDIUM): The operating system must protect audit tools from unauthorized deletion.
  • V-203675 (MEDIUM): The operating system must limit privileges to change software resident within software libraries.
  • V-203676 (MEDIUM): The operating system must enforce password complexity by requiring that at least one special character be used.
  • V-203677 (MEDIUM): In the event of a system failure, the operating system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
  • V-203678 (MEDIUM): The operating system must notify system administrators and ISSOs when accounts are created.
  • V-203679 (MEDIUM): The operating system must notify system administrators and ISSOs when accounts are modified.
  • V-203680 (MEDIUM): The operating system must notify system administrators and ISSOs when accounts are disabled.
  • V-203681 (MEDIUM): The operating system must notify system administrators and ISSOs when accounts are removed.
  • V-203682 (HIGH): The operating system must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-203683 (MEDIUM): The operating system must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
  • V-203684 (MEDIUM): The operating system must provide a logoff capability for user-initiated communications sessions when requiring user access authentication.
  • V-203685 (MEDIUM): The operating system must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
  • V-203686 (MEDIUM): The operating system must control remote access methods.
  • V-203687 (MEDIUM): The operating system must provide the capability to immediately disconnect or disable remote access to the operating system.
  • V-203688 (MEDIUM): The operating system must protect wireless access to and from the system using encryption.
  • V-203689 (MEDIUM): The operating system must protect wireless access to the system using authentication of users and/or devices.
  • V-203690 (MEDIUM): The operating system must audit all account enabling actions.
  • V-203691 (MEDIUM): The operating system must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.
  • V-203692 (MEDIUM): The operating system must allow operating system admins to pass information to any other operating system admin or user.
  • V-203693 (MEDIUM): The operating system must allow operating system admins to grant their privileges to other operating system admins.
  • V-203694 (MEDIUM): The operating system must allow operating system admins to change security attributes on users, the operating system, or the operating system's components.
  • V-203695 (HIGH): The operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-203696 (MEDIUM): The operating system must prevent all software from executing at higher privilege levels than users executing the software.
  • V-203697 (MEDIUM): The operating system must audit the execution of privileged functions.
  • V-203698 (MEDIUM): The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
  • V-203699 (MEDIUM): The operating system must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.
  • V-203700 (LOW): The operating system must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
  • V-203701 (LOW): The operating system must offload audit records onto a different system or media from the system being audited.
  • V-203702 (LOW): The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
  • V-203703 (MEDIUM): The operating system must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
  • V-203704 (LOW): The operating system must provide an audit reduction capability that supports on-demand audit review and analysis.
  • V-203705 (LOW): The operating system must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
  • V-203706 (LOW): The operating system must provide a report generation capability that supports on-demand audit review and analysis.
  • V-203707 (LOW): The operating system must provide a report generation capability that supports on-demand reporting requirements.
  • V-203708 (LOW): The operating system must provide a report generation capability that supports after-the-fact investigations of security incidents.
  • V-203709 (MEDIUM): The operating system must not alter original content or time ordering of audit records when it provides an audit reduction capability.
  • V-203710 (MEDIUM): The operating system must not alter original content or time ordering of audit records when it provides a report generation capability.
  • V-203711 (MEDIUM): The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with an authoritative time source.
  • V-203712 (MEDIUM): The operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • V-203713 (MEDIUM): The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.
  • V-203714 (LOW): The operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-203715 (MEDIUM): The operating system must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.
  • V-203716 (MEDIUM): The operating system must prohibit user installation of system software without explicit privileged status.
  • V-203717 (MEDIUM): The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner.
  • V-203718 (MEDIUM): The operating system must enforce access restrictions.
  • V-203719 (MEDIUM): The operating system must audit the enforcement actions used to restrict access associated with changes to the system.
  • V-203720 (HIGH): The operating system must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
  • V-203721 (MEDIUM): The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.
  • V-203722 (MEDIUM): The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-203723 (MEDIUM): The operating system must require users to reauthenticate for privilege escalation.
  • V-203724 (MEDIUM): The operating system must require users to reauthenticate when changing roles.
  • V-203725 (MEDIUM): The operating system must require users to reauthenticate when changing authenticators.
  • V-203727 (MEDIUM): The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
  • V-203728 (MEDIUM): The operating system must accept Personal Identity Verification (PIV) credentials.
  • V-203729 (MEDIUM): The operating system must electronically verify Personal Identity Verification (PIV) credentials.
  • V-203730 (MEDIUM): The operating system must authenticate peripherals before establishing a connection.
  • V-203731 (MEDIUM): The operating system must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
  • V-203733 (MEDIUM): The operating system must prohibit the use of cached authenticators after one day.
  • V-203734 (MEDIUM): The operating system, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-203735 (MEDIUM): The operating system must audit all activities performed during nonlocal maintenance and diagnostic sessions.
  • V-203736 (HIGH): The operating system must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
  • V-203737 (HIGH): The operating system must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
  • V-203738 (MEDIUM): The operating system must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions.
  • V-203739 (HIGH): The operating system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-203744 (MEDIUM): The operating system must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.
  • V-203745 (HIGH): The operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.
  • V-203746 (HIGH): The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.
  • V-203747 (MEDIUM): The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
  • V-203748 (HIGH): The operating system must protect the confidentiality and integrity of transmitted information.
  • V-203749 (HIGH): The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
  • V-203750 (MEDIUM): The operating system must maintain the confidentiality and integrity of information during preparation for transmission.
  • V-203751 (MEDIUM): The operating system must maintain the confidentiality and integrity of information during reception.
  • V-203752 (MEDIUM): The operating system must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
  • V-203753 (MEDIUM): The operating system must implement non-executable data to protect its memory from unauthorized code execution.
  • V-203754 (MEDIUM): The operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
  • V-203755 (MEDIUM): The operating system must remove all software components after updated versions have been installed.
  • V-203756 (MEDIUM): The operating system must verify correct operation of all security functions.
  • V-203757 (MEDIUM): The operating system must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.
  • V-203758 (MEDIUM): The operating system must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
  • V-203759 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to access security objects occur.
  • V-203760 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
  • V-203761 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to modify privileges occur.
  • V-203762 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to modify security objects occur.
  • V-203763 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
  • V-203764 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to delete privileges occur.
  • V-203765 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to delete security levels occur.
  • V-203766 (MEDIUM): The operating system must generate audit records when successful/unsuccessful attempts to delete security objects occur.
  • V-203767 (MEDIUM): The operating system must generate audit records when successful/unsuccessful logon attempts occur.
  • V-203768 (MEDIUM): The operating system must generate audit records for privileged activities or other system-level access.
  • V-203769 (MEDIUM): The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
  • V-203770 (MEDIUM): The operating system must generate audit records showing starting and ending time for user access to the system.
  • V-203771 (MEDIUM): The operating system must generate audit records when concurrent logons to the same account occur from different sources.
  • V-203772 (MEDIUM): The operating system must generate audit records when successful/unsuccessful accesses to objects occur.
  • V-203773 (MEDIUM): The operating system must generate audit records for all direct access to the information system.
  • V-203774 (MEDIUM): The operating system must generate audit records for all account creations, modifications, disabling, and termination events.
  • V-203775 (MEDIUM): The operating system must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
  • V-203776 (HIGH): The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • V-203777 (MEDIUM): The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly.
  • V-203778 (MEDIUM): The operating system must prevent the use of dictionary words for passwords.
  • V-203779 (MEDIUM): The operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.
  • V-203780 (MEDIUM): The operating system must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-203781 (MEDIUM): The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-203782 (HIGH): The operating system must not allow an unattended or automatic logon to the system.
  • V-203783 (MEDIUM): The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
  • V-203784 (MEDIUM): The operating system must enable an application firewall, if available.
  • V-252688 (HIGH): The operating system must protect the confidentiality and integrity of communications with wireless peripherals.
  • V-259333 (HIGH): The operating system must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-263650 (MEDIUM): The operating system must disable accounts when the accounts are no longer associated to a user.
  • V-263651 (MEDIUM): The operating system must prohibit the use or connection of unauthorized hardware components.
  • V-263652 (MEDIUM): The operating system must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
  • V-263653 (MEDIUM): The operating system must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
  • V-263654 (MEDIUM): The operating system must, for password-based authentication, require immediate selection of a new password upon account recovery.
  • V-263655 (MEDIUM): The operating system must, for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
  • V-263656 (MEDIUM): The operating system must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
  • V-263657 (MEDIUM): The operating system must accept only external credentials that are NIST-compliant.
  • V-263658 (MEDIUM): The operating system must monitor the use of maintenance tools that execute with increased privilege.
  • V-263659 (MEDIUM): The operating system must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  • V-263660 (MEDIUM): The operating system must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
  • V-263661 (MEDIUM): The operating system must synchronize system clocks within and between systems or system components.
  • V-278973 (MEDIUM): The operating system must separate user functionality (including user interface services) from operating system management functionality.
  • V-278974 (MEDIUM): The operating system must enforce a role-based access control (RBAC) policy over defined subjects and objects.
  • V-278975 (MEDIUM): The operating system must use a FIPS-validated cryptographic module to provision digital signatures.
  • V-278976 (MEDIUM): The operating system must enforce attribute-based access control policy over defined subjects and objects based upon organization-defined attributes to assume access permissions.
  • V-278977 (HIGH): The operating system must be a version supported by the vendor.