
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Red Hat Enterprise Linux 8 Security Technical Implementation Guide

Version: V2R7
Benchmark ID: RHEL_8_STIG
Total Checks: 366
Tags: linux
Severity breakdown: CAT I: 29, CAT II: 311, CAT III: 26

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (366)

  • V-230221 (HIGH): RHEL 8 must be a vendor-supported release.
  • V-230222 (MEDIUM): RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
  • V-230223 (HIGH): RHEL 8 must implement a FIPS 140-3-compliant systemwide cryptographic policy.
  • V-230224 (HIGH): All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
  • V-230225 (MEDIUM): RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
  • V-230226 (MEDIUM): RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • V-230227 (MEDIUM): RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
  • V-230228 (MEDIUM): All RHEL 8 remote access methods must be monitored.
  • V-230229 (MEDIUM): RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-230230 (MEDIUM): RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
  • V-230231 (MEDIUM): RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
  • V-230232 (MEDIUM): RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
  • V-230233 (MEDIUM): The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
  • V-230234 (HIGH): RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
  • V-230235 (HIGH): RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
  • V-230236 (MEDIUM): RHEL 8 operating systems must require authentication upon booting into rescue mode.
  • V-230237 (MEDIUM): The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
  • V-230238 (MEDIUM): RHEL 8 must prevent system daemons from using Kerberos for authentication.
  • V-230239 (MEDIUM): The krb5-workstation package must not be installed on RHEL 8.
  • V-230240 (MEDIUM): RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
  • V-230241 (LOW): RHEL 8 must have policycoreutils package installed.
  • V-230243 (MEDIUM): A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
  • V-230244 (MEDIUM): RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
  • V-230245 (MEDIUM): The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
  • V-230246 (MEDIUM): The RHEL 8 /var/log/messages file must be owned by root.
  • V-230247 (MEDIUM): The RHEL 8 /var/log/messages file must be group-owned by root.
  • V-230248 (MEDIUM): The RHEL 8 /var/log directory must have mode 0755 or less permissive.
  • V-230249 (MEDIUM): The RHEL 8 /var/log directory must be owned by root.
  • V-230250 (MEDIUM): The RHEL 8 /var/log directory must be group-owned by root.
  • V-230251 (HIGH): The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-230252 (HIGH): The RHEL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-230253 (LOW): RHEL 8 must ensure the SSH server uses strong entropy.
  • V-230257 (MEDIUM): RHEL 8 system commands must have mode 755 or less permissive.
  • V-230258 (MEDIUM): RHEL 8 system commands must be owned by root.
  • V-230259 (MEDIUM): RHEL 8 system commands must be group-owned by root or a system account.
  • V-230260 (MEDIUM): RHEL 8 library files must have mode 755 or less permissive.
  • V-230261 (MEDIUM): RHEL 8 library files must be owned by root.
  • V-230262 (MEDIUM): RHEL 8 library files must be group-owned by root.
  • V-230263 (MEDIUM): The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
  • V-230264 (HIGH): RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • V-230265 (HIGH): RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • V-230266 (MEDIUM): RHEL 8 must prevent the loading of a new kernel for later execution.
  • V-230267 (MEDIUM): RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
  • V-230268 (MEDIUM): RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
  • V-230269 (LOW): RHEL 8 must restrict access to the kernel message buffer.
  • V-230270 (LOW): RHEL 8 must prevent kernel profiling by unprivileged users.
  • V-230271 (MEDIUM): RHEL 8 must require users to provide a password for privilege escalation.
  • V-230272 (MEDIUM): RHEL 8 must require users to reauthenticate for privilege escalation.
  • V-230273 (MEDIUM): RHEL 8 must have the packages required for multifactor authentication installed.
  • V-230274 (MEDIUM): RHEL 8 must implement certificate status checking for multifactor authentication.
  • V-230275 (MEDIUM): RHEL 8 must accept Personal Identity Verification (PIV) credentials.
  • V-230276 (MEDIUM): RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
  • V-230277 (MEDIUM): RHEL 8 must clear the page allocator to prevent use-after-free attacks.
  • V-230278 (MEDIUM): RHEL 8 must disable virtual syscalls.
  • V-230279 (MEDIUM): RHEL 8 must clear memory when it is freed to prevent use-after-free attacks.
  • V-230280 (MEDIUM): RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
  • V-230281 (LOW): YUM must remove all software components after updated versions have been installed on RHEL 8.
  • V-230282 (MEDIUM): RHEL 8 must enable the SELinux targeted policy.
  • V-230283 (HIGH): There must be no shosts.equiv files on the RHEL 8 operating system.
  • V-230284 (HIGH): There must be no .shosts files on the RHEL 8 operating system.
  • V-230285 (LOW): RHEL 8 must enable the hardware random number generator entropy gatherer service.
  • V-230286 (MEDIUM): The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
  • V-230287 (MEDIUM): The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
  • V-230288 (MEDIUM): The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
  • V-230290 (MEDIUM): The RHEL 8 SSH daemon must not allow authentication using known host's authentication.
  • V-230291 (MEDIUM): The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
  • V-230292 (LOW): RHEL 8 must use a separate file system for /var.
  • V-230293 (LOW): RHEL 8 must use a separate file system for /var/log.
  • V-230294 (LOW): RHEL 8 must use a separate file system for the system audit data path.
  • V-230295 (MEDIUM): A separate RHEL 8 filesystem must be used for the /tmp directory.
  • V-230296 (MEDIUM): RHEL 8 must not permit direct logons to the root account using remote access via SSH.
  • V-230298 (MEDIUM): The rsyslog service must be running in RHEL 8.
  • V-230299 (MEDIUM): RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
  • V-230300 (MEDIUM): RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • V-230301 (MEDIUM): RHEL 8 must prevent special devices on non-root local partitions.
  • V-230302 (MEDIUM): RHEL 8 must prevent code from being executed on file systems that contain user home directories.
  • V-230303 (MEDIUM): RHEL 8 must prevent special devices on file systems that are used with removable media.
  • V-230304 (MEDIUM): RHEL 8 must prevent code from being executed on file systems that are used with removable media.
  • V-230305 (MEDIUM): RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • V-230306 (MEDIUM): RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
  • V-230307 (MEDIUM): RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
  • V-230308 (MEDIUM): RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
  • V-230310 (MEDIUM): RHEL 8 must disable kernel dumps unless needed.
  • V-230311 (MEDIUM): RHEL 8 must disable the kernel.core_pattern.
  • V-230312 (MEDIUM): RHEL 8 must disable acquiring, saving, and processing core dumps.
  • V-230313 (MEDIUM): RHEL 8 must disable core dumps for all users.
  • V-230314 (MEDIUM): RHEL 8 must disable storing core dumps.
  • V-230315 (MEDIUM): RHEL 8 must disable core dump backtraces.
  • V-230316 (MEDIUM): For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
  • V-230317 (MEDIUM): Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
  • V-230318 (MEDIUM): All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
  • V-230319 (MEDIUM): All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
  • V-230320 (MEDIUM): All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
  • V-230321 (MEDIUM): All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
  • V-230322 (MEDIUM): All RHEL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
  • V-230323 (MEDIUM): All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
  • V-230324 (MEDIUM): All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
  • V-230325 (MEDIUM): All RHEL 8 local initialization files must have mode 0740 or less permissive.
  • V-230326 (MEDIUM): All RHEL 8 local files and directories must have a valid owner.
  • V-230327 (MEDIUM): All RHEL 8 local files and directories must have a valid group owner.
  • V-230328 (MEDIUM): A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
  • V-230329 (HIGH): Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
  • V-230330 (MEDIUM): RHEL 8 must not allow users to override SSH environment variables.
  • V-230332 (MEDIUM): RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-230333 (MEDIUM): RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-230334 (MEDIUM): RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230335 (MEDIUM): RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230336 (MEDIUM): RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230337 (MEDIUM): RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230338 (MEDIUM): RHEL 8 must ensure account lockouts persist.
  • V-230339 (MEDIUM): RHEL 8 must ensure account lockouts persist.
  • V-230340 (MEDIUM): RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
  • V-230341 (MEDIUM): RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
  • V-230342 (MEDIUM): RHEL 8 must log user name information when unsuccessful logon attempts occur.
  • V-230343 (MEDIUM): RHEL 8 must log user name information when unsuccessful logon attempts occur.
  • V-230344 (MEDIUM): RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230345 (MEDIUM): RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-230346 (LOW): RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-230347 (MEDIUM): RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
  • V-230351 (MEDIUM): RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
  • V-230352 (MEDIUM): RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
  • V-230354 (MEDIUM): RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
  • V-230355 (MEDIUM): RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
  • V-230356 (MEDIUM): RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
  • V-230357 (MEDIUM): RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
  • V-230358 (MEDIUM): RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
  • V-230359 (MEDIUM): RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
  • V-230360 (MEDIUM): RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
  • V-230361 (MEDIUM): RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
  • V-230362 (MEDIUM): RHEL 8 must require the change of at least four character classes when passwords are changed.
  • V-230363 (MEDIUM): RHEL 8 must require the change of at least 8 characters when passwords are changed.
  • V-230364 (MEDIUM): RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
  • V-230365 (MEDIUM): RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
  • V-230366 (MEDIUM): RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
  • V-230367 (MEDIUM): RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  • V-230369 (MEDIUM): RHEL 8 passwords must have a minimum of 15 characters.
  • V-230370 (MEDIUM): RHEL 8 passwords for new users must have a minimum of 15 characters.
  • V-230371 (MEDIUM): RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.
  • V-230372 (MEDIUM): RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
  • V-230373 (MEDIUM): RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
  • V-230374 (MEDIUM): RHEL 8 must automatically expire temporary accounts within 72 hours.
  • V-230375 (MEDIUM): All RHEL 8 passwords must contain at least one special character.
  • V-230376 (MEDIUM): RHEL 8 must prohibit the use of cached authentications after one day.
  • V-230377 (MEDIUM): RHEL 8 must prevent the use of dictionary words for passwords.
  • V-230378 (MEDIUM): RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-230379 (MEDIUM): RHEL 8 must not have unnecessary accounts.
  • V-230380 (HIGH): RHEL 8 must not allow accounts configured with blank or null passwords.
  • V-230382 (MEDIUM): RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
  • V-230383 (MEDIUM): RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-230384 (MEDIUM): RHEL 8 must set the umask value to 077 for all local interactive user accounts.
  • V-230385 (MEDIUM): RHEL 8 must define default permissions for logon and non-logon shells.
  • V-230386 (MEDIUM): The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
  • V-230387 (MEDIUM): Cron logging must be implemented in RHEL 8.
  • V-230388 (MEDIUM): The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
  • V-230389 (MEDIUM): The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
  • V-230390 (MEDIUM): The RHEL 8 System must take appropriate action when an audit processing failure occurs.
  • V-230392 (MEDIUM): The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
  • V-230393 (MEDIUM): The RHEL 8 audit system must audit local events.
  • V-230394 (MEDIUM): RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
  • V-230395 (LOW): RHEL 8 must resolve audit information before writing to disk.
  • V-230396 (MEDIUM): RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
  • V-230397 (MEDIUM): RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
  • V-230398 (MEDIUM): RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
  • V-230399 (MEDIUM): RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
  • V-230400 (MEDIUM): RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
  • V-230401 (MEDIUM): RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
  • V-230402 (MEDIUM): RHEL 8 audit system must protect auditing rules from unauthorized change.
  • V-230403 (MEDIUM): RHEL 8 audit system must protect logon UIDs from unauthorized change.
  • V-230404 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • V-230405 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
  • V-230406 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
  • V-230407 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
  • V-230408 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
  • V-230409 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
  • V-230410 (MEDIUM): RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
  • V-230411 (MEDIUM): The RHEL 8 audit package must be installed.
  • V-230412 (MEDIUM): Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
  • V-230413 (MEDIUM): The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
  • V-230418 (MEDIUM): Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
  • V-230419 (MEDIUM): Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
  • V-230421 (MEDIUM): Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
  • V-230422 (MEDIUM): Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
  • V-230423 (MEDIUM): Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
  • V-230424 (MEDIUM): Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
  • V-230425 (MEDIUM): Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
  • V-230426 (MEDIUM): Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
  • V-230427 (MEDIUM): Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
  • V-230428 (MEDIUM): Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
  • V-230429 (MEDIUM): Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
  • V-230430 (MEDIUM): Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
  • V-230431 (MEDIUM): Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
  • V-230432 (MEDIUM): Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
  • V-230433 (MEDIUM): Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
  • V-230434 (MEDIUM): Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
  • V-230435 (MEDIUM): Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
  • V-230436 (MEDIUM): Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
  • V-230437 (MEDIUM): Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
  • V-230438 (MEDIUM): Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
  • V-230439 (MEDIUM): Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
  • V-230444 (MEDIUM): Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
  • V-230446 (MEDIUM): Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
  • V-230447 (MEDIUM): Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
  • V-230448 (MEDIUM): Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
  • V-230449 (MEDIUM): Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
  • V-230455 (MEDIUM): Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
  • V-230456 (MEDIUM): Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
  • V-230462 (MEDIUM): Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
  • V-230463 (MEDIUM): Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
  • V-230464 (MEDIUM): Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
  • V-230465 (MEDIUM): Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
  • V-230466 (MEDIUM): Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
  • V-230467 (MEDIUM): Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
  • V-230468 (LOW): RHEL 8 must enable auditing of processes that start prior to the audit daemon.
  • V-230469 (LOW): RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
  • V-230470 (LOW): RHEL 8 must enable Linux audit logging for the USBGuard daemon.
  • V-230471 (MEDIUM): RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-230472 (MEDIUM): RHEL 8 audit tools must have a mode of 0755 or less permissive.
  • V-230473 (MEDIUM): RHEL 8 audit tools must be owned by root.
  • V-230474 (MEDIUM): RHEL 8 audit tools must be group-owned by root.
  • V-230475 (MEDIUM): RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-230476 (MEDIUM): RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
  • V-230477 (MEDIUM): RHEL 8 must have the packages required for offloading audit logs installed.
  • V-230478 (MEDIUM): RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
  • V-230479 (MEDIUM): The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
  • V-230480 (MEDIUM): RHEL 8 must take appropriate action when the internal event queue is full.
  • V-230481 (MEDIUM): RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
  • V-230482 (MEDIUM): RHEL 8 must authenticate the remote logging server for off-loading audit logs.
  • V-230483 (MEDIUM): RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
  • V-230484 (MEDIUM): RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
  • V-230485 (LOW): RHEL 8 must disable the chrony daemon from acting as a server.
  • V-230486 (LOW): RHEL 8 must disable network management of the chrony daemon.
  • V-230487 (HIGH): RHEL 8 must not have the telnet-server package installed.
  • V-230488 (MEDIUM): RHEL 8 must not have any automated bug reporting tools installed.
  • V-230489 (MEDIUM): RHEL 8 must not have the sendmail package installed.
  • V-230491 (LOW): RHEL 8 must enable mitigations against processor-based vulnerabilities.
  • V-230492 (MEDIUM): RHEL 8 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository.
  • V-230493 (MEDIUM): RHEL 8 must cover or disable the built-in or attached camera when not in use.
  • V-230494 (LOW): RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
  • V-230495 (LOW): RHEL 8 must disable the controller area network (CAN) protocol.
  • V-230496 (LOW): RHEL 8 must disable the stream control transmission protocol (SCTP).
  • V-230497 (LOW): RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
  • V-230498 (LOW): RHEL 8 must disable mounting of cramfs.
  • V-230499 (LOW): RHEL 8 must disable IEEE 1394 (FireWire) Support.
  • V-230500 (MEDIUM): RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
  • V-230502 (MEDIUM): The RHEL 8 file system automounter must be disabled.
  • V-230503 (MEDIUM): RHEL 8 must be configured to disable USB mass storage.
  • V-230504 (MEDIUM): A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
  • V-230505 (MEDIUM): A firewall must be installed on RHEL 8.
  • V-230506 (MEDIUM): RHEL 8 wireless network adapters must be disabled.
  • V-230507 (MEDIUM): RHEL 8 Bluetooth must be disabled.
  • V-230508 (MEDIUM): RHEL 8 must mount /dev/shm with the nodev option.
  • V-230509 (MEDIUM): RHEL 8 must mount /dev/shm with the nosuid option.
  • V-230510 (MEDIUM): RHEL 8 must mount /dev/shm with the noexec option.
  • V-230511 (MEDIUM): RHEL 8 must mount /tmp with the nodev option.
  • V-230512 (MEDIUM): RHEL 8 must mount /tmp with the nosuid option.
  • V-230513 (MEDIUM): RHEL 8 must mount /tmp with the noexec option.
  • V-230514 (MEDIUM): RHEL 8 must mount /var/log with the nodev option.
  • V-230515 (MEDIUM): RHEL 8 must mount /var/log with the nosuid option.
  • V-230516 (MEDIUM): RHEL 8 must mount /var/log with the noexec option.
  • V-230517 (MEDIUM): RHEL 8 must mount /var/log/audit with the nodev option.
  • V-230518 (MEDIUM): RHEL 8 must mount /var/log/audit with the nosuid option.
  • V-230519 (MEDIUM): RHEL 8 must mount /var/log/audit with the noexec option.
  • V-230520 (MEDIUM): RHEL 8 must mount /var/tmp with the nodev option.
  • V-230521 (MEDIUM): RHEL 8 must mount /var/tmp with the nosuid option.
  • V-230522 (MEDIUM): RHEL 8 must mount /var/tmp with the noexec option.
  • V-230523 (MEDIUM): The RHEL 8 fapolicy module must be installed.
  • V-230524 (MEDIUM): RHEL 8 must block unauthorized peripherals before establishing a connection.
  • V-230525 (MEDIUM): A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
  • V-230526 (MEDIUM): All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
  • V-230527 (MEDIUM): RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
  • V-230529 (HIGH): The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
  • V-230530 (HIGH): The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
  • V-230531 (HIGH): The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
  • V-230532 (MEDIUM): The debug-shell systemd service must be disabled on RHEL 8.
  • V-230533 (HIGH): The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
  • V-230534 (HIGH): The root account must be the only account having unrestricted access to the RHEL 8 system.
  • V-230535 (MEDIUM): RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-230536 (MEDIUM): RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
  • V-230537 (MEDIUM): RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
  • V-230538 (MEDIUM): RHEL 8 must not forward IPv6 source-routed packets.
  • V-230539 (MEDIUM): RHEL 8 must not forward IPv6 source-routed packets by default.
  • V-230540 (MEDIUM): RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
  • V-230541 (MEDIUM): RHEL 8 must not accept router advertisements on all IPv6 interfaces.
  • V-230542 (MEDIUM): RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
  • V-230543 (MEDIUM): RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
  • V-230544 (MEDIUM): RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
  • V-230545 (MEDIUM): RHEL 8 must disable access to network bpf syscall from unprivileged processes.
  • V-230546 (MEDIUM): RHEL 8 must restrict usage of ptrace to descendant processes.
  • V-230547 (MEDIUM): RHEL 8 must restrict exposed kernel pointer addresses access.
  • V-230548 (MEDIUM): RHEL 8 must disable the use of user namespaces.
  • V-230549 (MEDIUM): RHEL 8 must use reverse path filtering on all IPv4 interfaces.
  • V-230550 (MEDIUM): RHEL 8 must be configured to prevent unrestricted mail relaying.
  • V-230551 (LOW): The RHEL 8 file integrity tool must be configured to verify extended attributes.
  • V-230552 (LOW): The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
  • V-230553 (MEDIUM): The graphical display manager must not be installed on RHEL 8 unless approved.
  • V-230554 (MEDIUM): RHEL 8 network interfaces must not be in promiscuous mode.
  • V-230555 (MEDIUM): RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
  • V-230556 (MEDIUM): The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
  • V-230557 (MEDIUM): If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
  • V-230558 (HIGH): A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
  • V-230559 (MEDIUM): The gssproxy package must not be installed unless mission essential on RHEL 8.
  • V-230560 (MEDIUM): The iprutils package must not be installed unless mission essential on RHEL 8.
  • V-230561 (MEDIUM): The tuned package must not be installed unless mission essential on RHEL 8.
  • V-237640 (MEDIUM): The krb5-server package must not be installed on RHEL 8.
  • V-237641 (MEDIUM): RHEL 8 must restrict privilege elevation to authorized personnel.
  • V-237642 (MEDIUM): RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
  • V-237643 (MEDIUM): RHEL 8 must require re-authentication when using the "sudo" command.
  • V-244519 (MEDIUM): RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
  • V-244521 (MEDIUM): RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
  • V-244522 (MEDIUM): RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
  • V-244523 (MEDIUM): RHEL 8 operating systems must require authentication upon booting into emergency mode.
  • V-244524 (MEDIUM): The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
  • V-244525 (MEDIUM): RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
  • V-244527 (LOW): RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
  • V-244528 (MEDIUM): The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
  • V-244529 (MEDIUM): RHEL 8 must use a separate file system for /var/tmp.
  • V-244530 (MEDIUM): RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
  • V-244531 (MEDIUM): All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
  • V-244532 (MEDIUM): RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
  • V-244533 (MEDIUM): RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
  • V-244534 (MEDIUM): RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
  • V-244535 (MEDIUM): RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • V-244536 (MEDIUM): RHEL 8 must disable the user list at logon for graphical user interfaces.
  • V-244538 (MEDIUM): RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • V-244539 (MEDIUM): RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
  • V-244541 (HIGH): RHEL 8 must not allow blank or null passwords in the password-auth file.
  • V-244542 (MEDIUM): RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
  • V-244543 (MEDIUM): RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
  • V-244544 (MEDIUM): A firewall must be active on RHEL 8.
  • V-244545 (MEDIUM): The RHEL 8 fapolicy module must be enabled.
  • V-244546 (MEDIUM): The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-244547 (MEDIUM): RHEL 8 must have the USBGuard installed.
  • V-244548 (MEDIUM): RHEL 8 must enable the USBGuard.
  • V-244549 (MEDIUM): All RHEL 8 networked systems must have SSH installed.
  • V-244550 (MEDIUM): RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-244551 (MEDIUM): RHEL 8 must not forward IPv4 source-routed packets.
  • V-244552 (MEDIUM): RHEL 8 must not forward IPv4 source-routed packets by default.
  • V-244553 (MEDIUM): RHEL 8 must
ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.V-244554MEDIUMRHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.V-250315MEDIUMRHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.V-250316MEDIUMRHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.V-250317MEDIUMRHEL 8 must not enable IPv4 packet forwarding unless the system is a router.V-251706HIGHThe RHEL 8 operating system must not have accounts configured with blank or null passwords.V-251707MEDIUMRHEL 8 library directories must have mode 755 or less permissive.V-251708MEDIUMRHEL 8 library directories must be owned by root.V-251709MEDIUMRHEL 8 library directories must be group-owned by root or a system account.V-251710MEDIUMThe RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.V-251711MEDIUMRHEL 8 must specify the default "include" directory for the /etc/sudoers file.V-251712MEDIUMThe RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.V-251713MEDIUMRHEL 8 must ensure the password complexity module is enabled in the system-auth file.V-251716MEDIUMRHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.V-251718MEDIUMThe graphical display manager must not be the default target on RHEL 8 unless approved.V-254520MEDIUMRHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.V-256973MEDIUMRHEL 8 must ensure cryptographic verification of vendor software packages.V-256974MEDIUMRHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.V-257258MEDIUMRHEL 8.7 and 
higher must terminate idle user sessions.V-268322HIGHRHEL 8 must not allow blank or null passwords in the system-auth file.V-272482HIGHThe RHEL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.V-272483HIGHThe RHEL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.V-272484MEDIUMRHEL 8 must elevate the SELinux context when an administrator calls the sudo command.V-274877MEDIUMRHEL 8 must audit any script or executable called by cron as root or by any privileged user.V-279929MEDIUMRHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.V-279930HIGHRHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.V-279931HIGHRHEL 8 must implement DOD-approved encryption in the bind package.V-279932HIGHRHEL 8 cryptographic policy must not be overridden.V-279933HIGHRHEL 8 must have the crypto-policies package installed.