
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

Benchmark ID

RHEL_10_STIG

Total Checks

434

Tags

linux
CAT I: 30, CAT II: 399, CAT III: 5

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (434)

  • V-280094 (MEDIUM): RHEL 10 must disable the debug-shell systemd service.
  • V-280931 (MEDIUM): RHEL 10 must ensure cryptographic verification of vendor software packages.
  • V-280932 (HIGH): RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating from external software repositories before installation.
  • V-280933 (HIGH): RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages before installation.
  • V-280934 (HIGH): RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software repositories.
  • V-280935 (HIGH): RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information on local disk partitions that requires at-rest protection.
  • V-280936 (LOW): RHEL 10 must use a separate file system for the system audit data path.
  • V-280937 (MEDIUM): RHEL 10 must use a separate file system for user home directories (such as "/home" or an equivalent).
  • V-280938 (MEDIUM): RHEL 10 must use a separate file system for "/tmp".
  • V-280939 (MEDIUM): RHEL 10 must use a separate file system for "/var".
  • V-280940 (MEDIUM): RHEL 10 must use a separate file system for "/var/log".
  • V-280941 (MEDIUM): RHEL 10 must use a separate file system for "/var/tmp".
  • V-280942 (MEDIUM): RHEL 10 must remove all software components after updated versions have been installed.
  • V-280943 (MEDIUM): RHEL 10 must not have the "nfs-utils" package installed.
  • V-280944 (HIGH): RHEL 10 must not have the "telnet-server" package installed.
  • V-280945 (MEDIUM): RHEL 10 must not have the "gssproxy" package installed.
  • V-280946 (MEDIUM): RHEL 10 must not have the tuned package installed.
  • V-280947 (MEDIUM): RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode.
  • V-280948 (MEDIUM): RHEL 10 must not have the unbound package installed.
  • V-280949 (HIGH): RHEL 10 must not have the "tftp" package installed.
  • V-280950 (MEDIUM): RHEL 10 must not have the "gdm" package installed.
  • V-280951 (HIGH): RHEL 10 must not have a File Transfer Protocol (FTP) server package installed.
  • V-280952 (MEDIUM): RHEL 10 must have the "subscription-manager" package installed.
  • V-280953 (MEDIUM): RHEL 10 must have the "nss-tools" package installed.
  • V-280954 (MEDIUM): RHEL 10 must have the "s-nail" package installed.
  • V-280955 (MEDIUM): RHEL 10 must have the "firewalld" package installed.
  • V-280956 (MEDIUM): RHEL 10 must have the "firewalld" service set to active.
  • V-280957 (MEDIUM): RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
  • V-280958 (MEDIUM): RHEL 10 must have the "chrony" package installed.
  • V-280959 (MEDIUM): RHEL 10 must enable the chronyd service.
  • V-280960 (MEDIUM): RHEL 10 must disable the chrony daemon from acting as a server.
  • V-280961 (MEDIUM): RHEL 10 must disable network management of the chrony daemon.
  • V-280962 (MEDIUM): RHEL 10 must have the USBGuard package installed.
  • V-280963 (MEDIUM): RHEL 10 must have the USBGuard package enabled.
  • V-280964 (MEDIUM): RHEL 10 must block unauthorized peripherals before establishing a connection.
  • V-280965 (MEDIUM): RHEL 10 must enable audit logging for the USBGuard daemon.
  • V-280966 (MEDIUM): RHEL 10 must have the "policycoreutils" package installed.
  • V-280967 (MEDIUM): RHEL 10 must have the "policycoreutils-python-utils" package installed.
  • V-280968 (MEDIUM): RHEL 10 must have the "sudo" package installed.
  • V-280969 (MEDIUM): RHEL 10 must have the "fapolicy" module installed.
  • V-280970 (MEDIUM): RHEL 10 must enable the "fapolicy" module.
  • V-280971 (MEDIUM): RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-280972 (MEDIUM): RHEL 10 must have the "pcsc-lite" package installed.
  • V-280973 (MEDIUM): RHEL 10 must have the "pcscd" service set to active.
  • V-280974 (MEDIUM): RHEL 10 must have the "pcsc-lite-ccid" package installed.
  • V-280975 (MEDIUM): RHEL 10 must have the "opensc" package installed.
  • V-280976 (MEDIUM): RHEL 10 must use the common access card (CAC) smart card driver.
  • V-280977 (MEDIUM): RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed.
  • V-280978 (HIGH): RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-280979 (MEDIUM): RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
  • V-280980 (MEDIUM): RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
  • V-280981 (MEDIUM): RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
  • V-280982 (MEDIUM): RHEL 10 must be configured so that the file integrity tool verifies extended attributes.
  • V-280983 (MEDIUM): RHEL 10 must have the "rsyslog" package installed.
  • V-280984 (MEDIUM): RHEL 10 must have the rsyslog service set to active.
  • V-280985 (MEDIUM): RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) to a different system or media from the system being audited via rsyslog.
  • V-280986 (MEDIUM): RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
  • V-280987 (MEDIUM): RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog".
  • V-280988 (MEDIUM): RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
  • V-280989 (MEDIUM): RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog.
  • V-280990 (MEDIUM): RHEL 10 must monitor all remote access methods.
  • V-280991 (MEDIUM): RHEL 10 must use cron logging.
  • V-280992 (MEDIUM): RHEL 10 must have the packages required for encrypting off-loaded audit logs installed.
  • V-280993 (MEDIUM): RHEL 10 must have the "audit" package installed.
  • V-280994 (MEDIUM): RHEL 10 must enable the audit service.
  • V-280995 (LOW): RHEL 10 must have the "audispd-plugins" package installed.
  • V-280996 (MEDIUM): RHEL 10 must have the "libreswan" package installed.
  • V-280997 (MEDIUM): RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized manner.
  • V-280998 (MEDIUM): RHEL 10 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) of an audit processing failure.
  • V-280999 (MEDIUM): RHEL 10 must be configured to prevent unrestricted mail relaying.
  • V-281000 (MEDIUM): RHEL 10 must have the "cronie" package installed.
  • V-281001 (MEDIUM): RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems.
  • V-281002 (MEDIUM): RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect the confidentiality and integrity of transmitted and received information.
  • V-281003 (MEDIUM): RHEL 10 must have the "openssh-clients" package installed.
  • V-281005 (MEDIUM): RHEL 10 must have the "pkcs11-provider" package installed.
  • V-281006 (MEDIUM): RHEL 10 must have the "gnutls-utils" package installed.
  • V-281007 (HIGH): RHEL 10 must have the "crypto-policies" package installed.
  • V-281008 (HIGH): RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy.
  • V-281009 (HIGH): RHEL 10 must enable FIPS mode.
  • V-281010 (HIGH): RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
  • V-281011 (HIGH): RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-281012 (HIGH): RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
  • V-281013 (HIGH): RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-281014 (HIGH): RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels.
  • V-281015 (HIGH): RHEL 10 must implement DOD-approved encryption in the bind package.
  • V-281016 (HIGH): RHEL 10 cryptographic policy must not be overridden.
  • V-281017 (MEDIUM): RHEL 10 must be configured so that the "/etc/group" file is owned by "root".
  • V-281018 (MEDIUM): RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root".
  • V-281019 (MEDIUM): RHEL 10 must be configured so that the "/etc/group-" file is owned by "root".
  • V-281020 (MEDIUM): RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root".
  • V-281021 (MEDIUM): RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root".
  • V-281022 (MEDIUM): RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root".
  • V-281023 (MEDIUM): RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root".
  • V-281024 (MEDIUM): RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root".
  • V-281025 (MEDIUM): RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root".
  • V-281026 (MEDIUM): RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root".
  • V-281027 (MEDIUM): RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root".
  • V-281028 (MEDIUM): RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root".
  • V-281029 (MEDIUM): RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root".
  • V-281030 (MEDIUM): RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root".
  • V-281031 (MEDIUM): RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root".
  • V-281032 (MEDIUM): RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root".
  • V-281033 (MEDIUM): RHEL 10 must be configured so that the "/var/log" directory is owned by "root".
  • V-281034 (MEDIUM): RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root".
  • V-281035 (MEDIUM): RHEL 10 must be configured so that the "/var/log/messages" file is owned by "root".
  • V-281036 (MEDIUM): RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root".
  • V-281037 (MEDIUM): RHEL 10 must be configured so that system commands are owned by "root".
  • V-281038 (MEDIUM): RHEL 10 must be configured so that system commands are group-owned by "root" or a system account.
  • V-281039 (MEDIUM): RHEL 10 must be configured so that library files are owned by "root".
  • V-281040 (MEDIUM): RHEL 10 must be configured so that library files are group-owned by "root" or a system account.
  • V-281041 (MEDIUM): RHEL 10 must be configured so that library directories are owned by "root".
  • V-281042 (MEDIUM): RHEL 10 must be configured so that library directories are group-owned by "root" or a system account.
  • V-281043 (MEDIUM): RHEL 10 must be configured so that cron configuration file directories are owned by "root".
  • V-281044 (MEDIUM): RHEL 10 must be configured so that cron configuration file directories are group-owned by "root".
  • V-281045 (MEDIUM): RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, or an application user.
  • V-281046 (MEDIUM): RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
  • V-281047 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root".
  • V-281048 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root".
  • V-281049 (MEDIUM): RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group.
  • V-281050 (MEDIUM): RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging group to prevent unauthorized read access.
  • V-281051 (MEDIUM): RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized read access.
  • V-281052 (MEDIUM): RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access.
  • V-281053 (MEDIUM): RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log files to prevent unauthorized access.
  • V-281054 (MEDIUM): RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized access to the audit log.
  • V-281055 (MEDIUM): RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive to prevent unauthorized read access.
  • V-281056 (MEDIUM): RHEL 10 must enforce root ownership of the "/etc/audit/" directory.
  • V-281057 (MEDIUM): RHEL 10 must enforce root group ownership of the "/etc/audit/" directory.
  • V-281058 (MEDIUM): RHEL 10 must enforce mode "755" or less permissive for system commands.
  • V-281059 (MEDIUM): RHEL 10 must enforce mode "755" or less permissive on library directories.
  • V-281060 (MEDIUM): RHEL 10 must enforce mode "755" or less permissive for library files.
  • V-281061 (MEDIUM): RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory.
  • V-281062 (MEDIUM): RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file.
  • V-281063 (MEDIUM): RHEL 10 must be configured to prohibit modification of permissions for cron configuration files and directories from the operating system defaults.
  • V-281064 (MEDIUM): RHEL 10 must enforce mode "0740" or less permissive for local initialization files.
  • V-281065 (MEDIUM): RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories.
  • V-281066 (MEDIUM): RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access.
  • V-281067 (MEDIUM): RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access.
  • V-281068 (MEDIUM): RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access.
  • V-281069 (MEDIUM): RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access.
  • V-281070 (MEDIUM): RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access.
  • V-281071 (MEDIUM): RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd-" file to prevent unauthorized access.
  • V-281072 (MEDIUM): RHEL 10 must enforce mode "0000" or less permissive for the "/etc/shadow-" file to prevent unauthorized access.
  • V-281073 (MEDIUM): RHEL 10 must be configured so that a sticky bit is set on all public directories.
  • V-281074 (MEDIUM): RHEL 10 must be configured so that all local files and directories have a valid group owner.
  • V-281075 (MEDIUM): RHEL 10 must be configured so that all local files and directories have a valid owner.
  • V-281076 (MEDIUM): RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access.
  • V-281077 (MEDIUM): RHEL 10 must be configured so that audit tools are owned by "root".
  • V-281078 (MEDIUM): RHEL 10 must be configured so that audit tools are group-owned by "root".
  • V-281079 (MEDIUM): RHEL 10 must set the umask value to "077" for all local interactive user accounts.
  • V-281080 (MEDIUM): RHEL 10 must define default permissions for the bash shell.
  • V-281081 (MEDIUM): RHEL 10 must define default permissions for the c shell.
  • V-281082 (MEDIUM): RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files.
  • V-281083 (MEDIUM): RHEL 10 must define default permissions for the system default profile.
  • V-281084 (MEDIUM): RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive.
  • V-281085 (MEDIUM): RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files.
  • V-281086 (MEDIUM): RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file.
  • V-281087 (MEDIUM): RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file.
  • V-281088 (MEDIUM): RHEL 10 must prevent device files from being interpreted on file systems that contain user home directories.
  • V-281089 (MEDIUM): RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that contain user home directories.
  • V-281090 (MEDIUM): RHEL 10 must prevent code from being executed on file systems that contain user home directories.
  • V-281091 (MEDIUM): RHEL 10 must mount "/var/log/audit" with the "nodev" option.
  • V-281092 (MEDIUM): RHEL 10 must mount "/var/log/audit" with the "noexec" option.
  • V-281093 (MEDIUM): RHEL 10 must mount "/var/log/audit" with the "nosuid" option.
  • V-281094 (MEDIUM): RHEL 10 must enforce a mode of "0755" or less permissive for audit tools.
  • V-281095 (MEDIUM): RHEL 10 must prohibit local initialization files from executing world-writable programs.
  • V-281096 (MEDIUM): RHEL 10 must enable the systemd-journald service.
  • V-281097 (MEDIUM): RHEL 10 must enable auditing of processes that start prior to the audit daemon.
  • V-281098 (MEDIUM): RHEL 10 must audit local events.
  • V-281099 (MEDIUM): RHEL 10 must write audit records to disk.
  • V-281100 (MEDIUM): RHEL 10 must log username information when unsuccessful login attempts occur.
  • V-281101 (MEDIUM): RHEL 10 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-281102 (MEDIUM): RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that start prior to the audit daemon.
  • V-281103 (MEDIUM): RHEL 10 must take appropriate action when a critical audit processing failure occurs.
  • V-281104 (MEDIUM): RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of the audit record storage capacity.
  • V-281105 (MEDIUM): RHEL 10 must label all off-loaded audit logs before sending them to the central log server.
  • V-281106 (LOW): RHEL 10 must allocate audit record storage capacity to store at least one week's worth of audit records.
  • V-281107 (MEDIUM): RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
  • V-281108 (MEDIUM): RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
  • V-281109 (MEDIUM): RHEL 10 must take appropriate action when the internal event queue is full.
  • V-281110 (MEDIUM): RHEL 10 must produce audit records containing information to establish the identity of any individual or process associated with the event.
  • V-281111 (MEDIUM): RHEL 10 must periodically flush audit records to disk to ensure that audit records are not lost.
  • V-281113 (MEDIUM): RHEL 10 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
  • V-281114 (MEDIUM): RHEL 10 must notify the system administrator (SA) and/or information system security officer (ISSO) (at a minimum) of an audit processing failure.
  • V-281115 (MEDIUM): RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server.
  • V-281116 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve" system call.
  • V-281117 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
  • V-281118 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system calls.
  • V-281119 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl" command.
  • V-281120 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl" command.
  • V-281121 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon" command.
  • V-281122 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage" command.
  • V-281123 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles" command.
  • V-281124 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool" command.
  • V-281125 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.
  • V-281126 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module" system call.
  • V-281127 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module" and "finit_module" system calls.
  • V-281128 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage" command.
  • V-281129 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command.
  • V-281130 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab" command.
  • V-281131 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd" command.
  • V-281132 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command.
  • V-281133 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp" command.
  • V-281134 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check" command.
  • V-281135 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd" command.
  • V-281136 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop" command.
  • V-281137 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue" command.
  • V-281138 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-agent" command.
  • V-281139 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign" command.
  • V-281140 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command.
  • V-281141 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command.
  • V-281142 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit" command.
  • V-281143 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd" command.
  • V-281144 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update" command.
  • V-281145 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper" command.
  • V-281146 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod" command.
  • V-281147 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount" command.
  • V-281148 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command.
  • V-281149 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff" command.
  • V-281150 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot" command.
  • V-281151 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "shutdown" command.
  • V-281152 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount" system call.
  • V-281153 (MEDIUM): RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2" system call.
  • V-281154 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".
  • V-281155 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect the "/etc/sudoers.d/" directory.
  • V-281156 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
  • V-281157 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
  • V-281158 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/opasswd".
  • V-281159 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
  • V-281160 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".
  • V-281161 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".
  • V-281162 (MEDIUM): RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog".
  • V-281163 (MEDIUM): RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and "fchmodat2" syscalls.
  • V-281164 (MEDIUM): RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" syscalls.
  • V-281165 (MEDIUM): RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat", "renameat2", and "unlinkat" system calls.
  • V-281166 (MEDIUM): RHEL 10 must require a boot loader superuser password.
  • V-281167 (MEDIUM): RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes.
  • V-281168 (MEDIUM): RHEL 10 must not assign an interactive login shell for system accounts.
  • V-281169 (MEDIUM): RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime restriction for user account passwords in "/etc/login.defs".
  • V-281170 (MEDIUM): RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction.
  • V-281171 (MEDIUM): RHEL 10 must assign a home directory for local interactive user accounts upon creation.
  • V-281172 (MEDIUM): RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users.
  • V-281173 (MEDIUM): RHEL 10 must automatically expire temporary accounts within 72 hours.
  • V-281174 (MEDIUM): RHEL 10 must assign a primary group to all interactive users.
  • V-281175 (MEDIUM): RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-281176 (MEDIUM): RHEL 10 must be configured so that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories.
  • V-281177 (MEDIUM): RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd" file.
  • V-281178 (MEDIUM): RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd" file exist.
  • V-281179 (MEDIUM): RHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt.
  • V-281180 (MEDIUM): RHEL 10 must enforce a 24-hour minimum password lifetime restriction for passwords for new users or password changes in "/etc/login.defs".
  • V-281181 (MEDIUM): RHEL 10 must enforce that passwords be created with a minimum of 15 characters.
  • V-281182 (MEDIUM): RHEL 10 must enforce password complexity by requiring at least one special character to be used.
  • V-281183 (MEDIUM): RHEL 10 must enforce password complexity by requiring that at least one lowercase character be used.
  • V-281184 (MEDIUM): RHEL 10 must enforce password complexity by requiring that at least one uppercase character be used.
  • V-281185 (MEDIUM): RHEL 10 must require the change of at least eight characters when passwords are changed.
  • V-281186 (MEDIUM): RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in "/etc/shadow".
  • V-281187 (MEDIUM): RHEL 10 must require the maximum number of repeating characters of the same character class to be limited to four when passwords are changed.
  • V-281188 (MEDIUM): RHEL 10 must require that the maximum number of repeating characters be limited to three when passwords are changed.
  • V-281189 (MEDIUM): RHEL 10 must require the change of at least four character classes when passwords are changed.
  • V-281190 (MEDIUM): RHEL 10 must enforce password complexity by requiring that at least one numeric character be used.
  • V-281191 (MEDIUM): RHEL 10 must prevent the use of dictionary words for passwords.
  • V-281192 (MEDIUM): RHEL 10 must allow only the root account to have unrestricted access to the system.
  • V-281193 (MEDIUM): RHEL 10 must enforce password complexity rules for the "root" account.
  • V-281194 (MEDIUM): RHEL 10 must automatically lock an account when three unsuccessful login attempts occur.
  • V-281195 (MEDIUM): RHEL 10 must automatically lock the root account until the root account is released by an administrator when three unsuccessful login attempts occur during a 15-minute time period.
  • V-281196 (MEDIUM): RHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period.
  • V-281197 (MEDIUM): RHEL 10 must maintain an account lock until the locked account is released by an administrator.
  • V-281198 (MEDIUM): RHEL 10 must ensure account lockouts persist.
  • V-281199 (MEDIUM): RHEL 10 must not have unauthorized accounts.
  • V-281200 (MEDIUM): RHEL 10 must not allow blank or null passwords.
  • V-281201 (MEDIUM): RHEL 10 must not have accounts configured with blank or null passwords.
  • V-281202 (MEDIUM): RHEL 10 must have a unique group ID (GID) for each group in "/etc/group".
  • V-281203 (LOW): RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
  • V-281204 (MEDIUM): RHEL 10 must ensure the password complexity module in the system-auth file is configured for three or fewer retries.
  • V-281205 (MEDIUM): RHEL 10 must restrict the use of the "su" command.
  • V-281206 (MEDIUM): RHEL 10 must be configured to not bypass password requirements for privilege escalation.
  • V-281207 (MEDIUM): RHEL 10 must restrict privilege elevation to authorized personnel.
  • V-281208 (MEDIUM): RHEL 10 must require users to reauthenticate for privilege escalation.
  • V-281209 (MEDIUM): RHEL 10 must require reauthentication when using the "sudo" command.
  • V-281210 (MEDIUM): RHEL 10 must use the invoking user's password for privilege escalation when using "sudo".
  • V-281211 (HIGH): RHEL 10 must require users to provide a password for privilege escalation.
  • V-281212 (MEDIUM): RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth" file.
  • V-281213 (MEDIUM): RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth" file.
  • V-281214 (MEDIUM): RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file.
  • V-281215 (MEDIUM): RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file.
  • V-281216 (HIGH): RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
  • V-281217 (MEDIUM): RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.
  • V-281218 (MEDIUM): RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password suite.
  • V-281219 (MEDIUM): RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth" file.
  • V-281220 (MEDIUM): RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds.
  • V-281221 (HIGH): RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored passwords.
  • V-281222 (HIGH): RHEL 10 must be configured to use the shadow file to store only encrypted representations of passwords.
  • V-281223 (HIGH): RHEL 10 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
  • V-281224 (MEDIUM): RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a Secure Shell (SSH) login.
  • V-281225 (MEDIUM): RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login.
  • V-281226 (MEDIUM): RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.
  • V-281227 (MEDIUM): RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login.
  • V-281228 (MEDIUM): RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS).
  • V-281229 (MEDIUM): RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS).
  • V-281230 (MEDIUM): RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS).
  • V-281231 (MEDIUM): RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
  • V-281232 (MEDIUM): RHEL 10 must mount "/boot" with the "nodev" option.
  • V-281233 (MEDIUM): RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot" directory.
  • V-281234 (MEDIUM): RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory.
  • V-281235 (MEDIUM): RHEL 10 must mount "/dev/shm" with the "nodev" option.
  • V-281236 (MEDIUM): RHEL 10 must mount "/dev/shm" with the "noexec" option.
  • V-281237 (MEDIUM): RHEL 10 must mount "/dev/shm" with the "nosuid" option.
  • V-281238 (MEDIUM): RHEL 10 must mount "/tmp" with the "nodev" option.
  • V-281239 (MEDIUM): RHEL 10 must mount "/tmp" with the "noexec" option.
  • V-281240 (MEDIUM): RHEL 10 must mount "/tmp" with the "nosuid" option.
  • V-281241 (MEDIUM): RHEL 10 must mount "/var" with the "nodev" option.
  • V-281242 (MEDIUM): RHEL 10 must mount "/var/log" with the "nodev" option.
  • V-281243 (MEDIUM): RHEL 10 must mount "/var/log" with the "noexec" option.
  • V-281244 (MEDIUM): RHEL 10 must mount "/var/log" with the "nosuid" option.
  • V-281245 (MEDIUM): RHEL 10 must mount "/var/tmp" with the "nodev" option.
  • V-281246 (MEDIUM): RHEL 10 must mount "/var/tmp" with the "noexec" option.
  • V-281247 (MEDIUM): RHEL 10 must mount "/var/tmp" with the "nosuid" option.
  • V-281248 (MEDIUM): RHEL 10 must prevent special devices on nonroot local partitions.
  • V-281249 (MEDIUM): RHEL 10 must enable the SELinux targeted policy.
  • V-281250 (MEDIUM): RHEL 10 must elevate the SELinux context when an administrator calls the sudo command.
  • V-281251 (MEDIUM): RHEL 10 must use a Linux Security Module configured to enforce limits on system services.
  • V-281252 (MEDIUM): RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
  • V-281253 (MEDIUM): RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644" or less permissive.
  • V-281254 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication.
  • V-281255 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication.
  • V-281256 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication.
  • V-281257 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts authentication.
  • V-281258 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections for interactive users.
  • V-281259 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking of home directory configuration files.
  • V-281260 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time of the last successful account login upon an SSH login.
  • V-281261 (MEDIUM): RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from connecting to the proxy display.
  • V-281262 (MEDIUM): RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified.
  • V-281263 (MEDIUM): RHEL 10 must be configured so that SSHD accepts public key authentication.
  • V-281264 (MEDIUM): RHEL 10 must be configured so that SSHD does not allow blank
passwords.V-281265MEDIUMRHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH).V-281266MEDIUMRHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system.V-281267HIGHRHEL 10 must not allow users to override Secure Shell (SSH) environment variables.V-281268HIGHRHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections to the server.V-281269MEDIUMRHEL 10 must be configured so that all network connections associated with Secure Shell (SSH) traffic terminate after becoming unresponsive.V-281270MEDIUMRHEL 10 must forward mail from postmaster to the root account using a postfix alias.V-281271MEDIUMRHEL 10 must not have a "shosts.equiv" file on the system.V-281272MEDIUMRHEL 10 must not have any ".shosts" files on the system.V-281273MEDIUMRHEL 10 must prevent a user from overriding the disabling of the graphical user interface automount function.V-281274MEDIUMRHEL 10 must prevent a user from overriding the disabling of the graphical user interface autorun function.V-281275HIGHRHEL 10 must not allow unattended or automatic login via the graphical user interface.V-281276MEDIUMRHEL 10 must prevent a user from overriding the disabling of the graphical user smart card removal action.V-281277MEDIUMRHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.V-281278MEDIUMRHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity.V-281279MEDIUMRHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical user interface.V-281280MEDIUMRHEL 10 must initiate a session lock for graphical user interfaces when the screensaver is activated.V-281281MEDIUMRHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical user interface.V-281282MEDIUMRHEL 10 must conceal, via the session lock, information previously visible on the display with a 
publicly viewable image.V-281283MEDIUMRHEL 10 must ensure effective dconf policy matches the policy keyfiles.V-281284MEDIUMRHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.V-281285MEDIUMRHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.V-281286MEDIUMRHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.V-281287MEDIUMRHEL 10 must disable the user list at login for graphical user interfaces.V-281288MEDIUMRHEL 10 must be configured to disable USB mass storage.V-281289MEDIUMRHEL 10 must disable Bluetooth.V-281290MEDIUMRHEL 10 must disable wireless network adapters.V-281291MEDIUMRHEL 10 must disable the graphical user interface automounter unless required.V-281292LOWRHEL 10 must disable the graphical user interface autorunner unless required.V-281293MEDIUMRHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.V-281295MEDIUMRHEL 10 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.V-281296MEDIUMRHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon.V-281297MEDIUMRHEL 10 must not default to the graphical display manager unless approved.V-281298HIGHRHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence.V-281299HIGHRHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence.V-281300MEDIUMRHEL 10 must disable the ability of systemd to spawn an interactive boot process.V-281301MEDIUMRHEL 10 must disable virtual system calls.V-281302MEDIUMRHEL 10 must clear the page allocator to prevent use-after-free attacks.V-281303MEDIUMRHEL 10 must clear memory when it is freed to prevent use-after-free attacks.V-281304MEDIUMRHEL 10 must enable mitigations against processor-based vulnerabilities.V-281305MEDIUMRHEL 10 must restrict access to the kernel message 
buffer.V-281306MEDIUMRHEL 10 must prevent kernel profiling by nonprivileged users.V-281307HIGHRHEL 10 must prevent the loading of a new kernel for later execution.V-281308MEDIUMRHEL 10 must restrict exposed kernel pointer address access.V-281309MEDIUMRHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.V-281310MEDIUMRHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.V-281311MEDIUMRHEL 10 must disable the "kernel.core_pattern".V-281312MEDIUMRHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module.V-281313MEDIUMRHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module.V-281314MEDIUMRHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module.V-281315MEDIUMRHEL 10 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.V-281316MEDIUMRHEL 10 must restrict usage of ptrace to descendant processes.V-281317MEDIUMRHEL 10 must disable core dump backtraces.V-281318MEDIUMRHEL 10 must disable storing core dumps.V-281319MEDIUMRHEL 10 must disable core dumps for all users.V-281320MEDIUMRHEL 10 must disable acquiring, saving, and processing core dumps.V-281321MEDIUMRHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.V-281322MEDIUMRHEL 10 must disable the kdump service.V-281323MEDIUMRHEL 10 must disable file system automount function unless required.V-281324MEDIUMRHEL 10 must enable certificate-based smart card authentication.V-281325MEDIUMRHEL 10 must implement certificate status checking for multifactor authentication.V-281326MEDIUMRHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding private key.V-281327MEDIUMRHEL 10 must require authentication to access emergency mode.V-281328MEDIUMRHEL 10 must require authentication to access single-user mode.V-281329MEDIUMRHEL 10 must, for 
PKI-based authentication, validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.V-281330MEDIUMRHEL 10 must map the authenticated identity to the user or group account for public key infrastructure (PKI)-based authentication.V-281331MEDIUMRHEL 10 must prohibit the use of cached authenticators after one day.V-281332MEDIUMRHEL 10 must control remote access methods.V-281333MEDIUMRHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.V-281334MEDIUMRHEL 10 must enforce that network interfaces not be in promiscuous mode.V-281335MEDIUMRHEL 10 must disable access to the network bpf system call from nonprivileged processes.V-281336MEDIUMRHEL 10 must securely compare internal information system clocks at least every 24 hours.V-281337MEDIUMRHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.V-281338MEDIUMRHEL 10 must have at least two name servers configured for systems using Domain Name Server (DNS) resolution.V-281339MEDIUMRHEL 10 must not have unauthorized IP tunnels configured.V-281340MEDIUMRHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.V-281341MEDIUMRHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.V-281342MEDIUMRHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets.V-281343MEDIUMRHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses.V-281344MEDIUMRHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by default.V-281345MEDIUMRHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces.V-281346MEDIUMRHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control 
Message Protocol (ICMP) redirect messages from being accepted.V-281347MEDIUMRHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.V-281348MEDIUMRHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default.V-281349MEDIUMRHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.V-281350MEDIUMRHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.V-281351MEDIUMRHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.V-281352MEDIUMRHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.V-281353MEDIUMRHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.V-281354MEDIUMRHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces.V-281355MEDIUMRHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.V-281356MEDIUMRHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets.V-281357MEDIUMRHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.V-281358MEDIUMRHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6) interfaces by default.V-281359MEDIUMRHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.V-281360MEDIUMRHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.V-281361MEDIUMRHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring that rate-limiting measures on impacted network interfaces are implemented.V-281362MEDIUMRHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with other Domain Name Server (DNS) managers 
and to not leak DNS queries to untrusted networks.V-281363MEDIUMRHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol (TFTP) server service is required.V-281364MEDIUMRHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent unauthorized access.V-281365MEDIUMRHEL 10 must prevent unauthorized changes to the audit system.V-282965HIGHRHEL 10 must be a vendor-supported release.
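Two groups in the list above translate directly into machine-checkable state: the mount-option requirements for "/boot", "/boot/efi", "/dev/shm", "/tmp", "/var", "/var/log" and "/var/tmp" (V-281232 through V-281247), and the kernel and network sysctl requirements (kernel message buffer, kernel profiling, kexec, kptr_restrict, protected hardlinks/symlinks, core_pattern, ASLR, ptrace scope, unprivileged BPF, BPF JIT hardening, syncookies, ICMP redirects, source routing, martian logging, reverse-path filtering, forwarding and IPv6 router advertisements, V-281305 through V-281360). The script below is an added example, not STIGhub's or DISA's code and not a substitute for the official check text: the sysctl key names are the real kernel keys, but the expected values are this example's reading of the requirement titles and should be treated as assumptions until compared with the STIG's own check and fix content. Boot-time parameters (vsyscall, page-allocator and free-memory clearing, CPU mitigations) are kernel command-line settings and are not covered. Each helper can read a snapshot file instead of the live host, which is what lets the logic run offline; it also handles the cases the titles leave implicit, such as a mount point that is not mounted at all and stacked mounts where the last entry in the mount table is the effective one.

```bash
#!/usr/bin/env bash
# Added example, not STIGhub's or DISA's code: audits the mount-option and sysctl
# checks listed above. Expected values are assumptions read from the titles.
# Required mount options per mount point (V-281232 through V-281247).
EXPECTED_MOUNTS='
/boot nodev,nosuid
/boot/efi nosuid
/dev/shm nodev,noexec,nosuid
/tmp nodev,noexec,nosuid
/var nodev
/var/log nodev,noexec,nosuid
/var/tmp nodev,noexec,nosuid
'
# Real sysctl keys; expected values assumed from the kernel/network titles (V-281305 to V-281360).
EXPECTED_SYSCTLS='
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 2
kernel.kexec_load_disabled 1
kernel.kptr_restrict 1
fs.protected_hardlinks 1
fs.protected_symlinks 1
kernel.core_pattern |/bin/false
kernel.randomize_va_space 2
kernel.yama.ptrace_scope 1
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.ip_forward 0
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv6.conf.all.forwarding 0
'

# sysctl_current KEY [SNAPSHOT]: value from SNAPSHOT ("key value" lines) or from /proc/sys.
sysctl_current() {
  local key=$1 snap=${2:-}
  if [ -n "$snap" ]; then
    awk -v k="$key" '$1 == k { v = $2; f = 1 } END { print (f ? v : "MISSING") }' "$snap"
  else
    cat "/proc/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null || echo MISSING
  fi
}

# audit_sysctls [SNAPSHOT]: one FAIL line per mismatch; returns the mismatch count.
audit_sysctls() {
  local snap=${1:-} fails=0 key want have
  while read -r key want; do
    [ -z "$key" ] && continue
    have=$(sysctl_current "$key" "$snap")
    [ "$have" = "$want" ] ||
      { printf 'FAIL %s expected=%s current=%s\n' "$key" "$want" "$have"; fails=$((fails + 1)); }
  done <<EOF
$EXPECTED_SYSCTLS
EOF
  return "$fails"
}

# mount_missing_opts MOUNTPOINT OPTS [SOURCE]: prints the required options that are absent
# (empty = compliant) or NOT_MOUNTED; SOURCE is in /proc/self/mounts format.
mount_missing_opts() {
  local mp=$1 want=$2 src=${3:-/proc/self/mounts} opts missing= o
  opts=$(awk -v m="$mp" '$2 == m { o = $4 } END { print o }' "$src")  # last entry wins
  if [ -z "$opts" ]; then echo NOT_MOUNTED; return 1; fi
  for o in $(printf '%s' "$want" | tr ',' ' '); do
    case ",$opts," in *,"$o",*) ;; *) missing="$missing${missing:+,}$o" ;; esac
  done
  echo "$missing"
  [ -z "$missing" ]   # exit 0 only when every required option is present
}

# audit_mounts [SOURCE]: one FAIL line per noncompliant mount point; returns the count.
audit_mounts() {
  local src=${1:-/proc/self/mounts} fails=0 mp want missing
  while read -r mp want; do
    [ -z "$mp" ] && continue
    missing=$(mount_missing_opts "$mp" "$want" "$src") ||
      { printf 'FAIL %s missing=%s\n' "$mp" "$missing"; fails=$((fails + 1)); }
  done <<EOF
$EXPECTED_MOUNTS
EOF
  return "$fails"
}
```

Source the file and call `audit_mounts` and `audit_sysctls` with no arguments to read the live host (/proc/self/mounts and /proc/sys); the return value is the number of findings, so the functions drop straight into a CI gate. For offline review, feed a copy of a target's /proc/self/mounts and a "key value" dump produced by `sysctl -a | sed 's/ = / /'` as the snapshot arguments. Note that /proc/sys reflects the running kernel, so a value set only in /etc/sysctl.d but not yet applied with `sysctl --system` still shows as a finding, which is the state an assessor cares about.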