STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Version

V2R8

Benchmark ID

RHEL_9_STIG

Total Checks

446

Tags

linux
CAT I: 28
CAT II: 403
CAT III: 15

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (446)

  • V-257777 (HIGH) RHEL 9 must be a vendor-supported release.
  • V-257778 (MEDIUM) RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
  • V-257779 (MEDIUM) RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
  • V-257781 (MEDIUM) The graphical display manager must not be the default target on RHEL 9 unless approved.
  • V-257782 (LOW) RHEL 9 must enable the hardware random number generator entropy gatherer service.
  • V-257783 (MEDIUM) RHEL 9 systemd-journald service must be enabled.
  • V-257784 (HIGH) The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
  • V-257785 (HIGH) The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
  • V-257786 (MEDIUM) RHEL 9 debug-shell systemd service must be disabled.
  • V-257787 (MEDIUM) RHEL 9 must require a boot loader superuser password.
  • V-257788 (MEDIUM) RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
  • V-257789 (HIGH) RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
  • V-257790 (MEDIUM) RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
  • V-257791 (MEDIUM) RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
  • V-257792 (MEDIUM) RHEL 9 must disable virtual system calls.
  • V-257793 (MEDIUM) RHEL 9 must clear the page allocator to prevent use-after-free attacks.
  • V-257794 (MEDIUM) RHEL 9 must clear memory when it is freed to prevent use-after-free attacks.
  • V-257795 (LOW) RHEL 9 must enable mitigations against processor-based vulnerabilities.
  • V-257796 (LOW) RHEL 9 must enable auditing of processes that start prior to the audit daemon.
  • V-257797 (MEDIUM) RHEL 9 must restrict access to the kernel message buffer.
  • V-257798 (MEDIUM) RHEL 9 must prevent kernel profiling by nonprivileged users.
  • V-257799 (MEDIUM) RHEL 9 must prevent the loading of a new kernel for later execution.
  • V-257800 (MEDIUM) RHEL 9 must restrict exposed kernel pointer addresses access.
  • V-257801 (MEDIUM) RHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.
  • V-257802 (MEDIUM) RHEL 9 must enable kernel parameters to enforce discretionary access (DAC) control on symlinks.
  • V-257803 (MEDIUM) RHEL 9 must disable the kernel.core_pattern.
  • V-257804 (MEDIUM) RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
  • V-257805 (MEDIUM) RHEL 9 must be configured to disable the Controller Area Network kernel module.
  • V-257806 (MEDIUM) RHEL 9 must be configured to disable the FireWire kernel module.
  • V-257807 (MEDIUM) RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
  • V-257808 (MEDIUM) RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
  • V-257809 (MEDIUM) RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
  • V-257810 (MEDIUM) RHEL 9 must disable access to network bpf system call from nonprivileged processes.
  • V-257811 (MEDIUM) RHEL 9 must restrict usage of ptrace to descendant processes.
  • V-257812 (MEDIUM) RHEL 9 must disable core dump backtraces.
  • V-257813 (MEDIUM) RHEL 9 must disable storing core dumps.
  • V-257814 (MEDIUM) RHEL 9 must disable core dumps for all users.
  • V-257815 (MEDIUM) RHEL 9 must disable acquiring, saving, and processing core dumps.
  • V-257816 (MEDIUM) RHEL 9 must disable the use of user namespaces.
  • V-257817 (MEDIUM) RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
  • V-257818 (MEDIUM) The kdump service on RHEL 9 must be disabled.
  • V-257819 (MEDIUM) RHEL 9 must ensure cryptographic verification of vendor software packages.
  • V-257820 (HIGH) RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
  • V-257821 (HIGH) RHEL 9 must check the GPG signature of locally installed software packages before installation.
  • V-257822 (HIGH) RHEL 9 must have GPG signature verification enabled for all software repositories.
  • V-257823 (MEDIUM) RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
  • V-257824 (LOW) RHEL 9 must remove all software components after updated versions have been installed.
  • V-257825 (MEDIUM) RHEL 9 subscription-manager package must be installed.
  • V-257826 (HIGH) RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
  • V-257827 (MEDIUM) RHEL 9 must not have the sendmail package installed.
  • V-257828 (MEDIUM) RHEL 9 must not have the nfs-utils package installed.
  • V-257829 (MEDIUM) RHEL 9 must not have the ypserv package installed.
  • V-257830 (MEDIUM) RHEL 9 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository.
  • V-257831 (MEDIUM) RHEL 9 must not have the telnet-server package installed.
  • V-257832 (MEDIUM) RHEL 9 must not have the gssproxy package installed.
  • V-257833 (MEDIUM) RHEL 9 must not have the iprutils package installed.
  • V-257834 (MEDIUM) RHEL 9 must not have the tuned package installed.
  • V-257835 (HIGH) The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode.
  • V-257836 (MEDIUM) RHEL 9 must not have the quagga package installed.
  • V-257837 (MEDIUM) A graphical display manager must not be installed on RHEL 9 unless approved.
  • V-257838 (MEDIUM) RHEL 9 must have the openssl-pkcs11 package installed.
  • V-257839 (MEDIUM) RHEL 9 must have the gnutls-utils package installed.
  • V-257840 (MEDIUM) RHEL 9 must have the nss-tools package installed.
  • V-257841 (MEDIUM) RHEL 9 must have the rng-tools package installed.
  • V-257842 (MEDIUM) RHEL 9 must have the s-nail package installed.
  • V-257843 (MEDIUM) A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
  • V-257844 (MEDIUM) RHEL 9 must use a separate file system for /tmp.
  • V-257845 (LOW) RHEL 9 must use a separate file system for /var.
  • V-257846 (LOW) RHEL 9 must use a separate file system for /var/log.
  • V-257847 (LOW) RHEL 9 must use a separate file system for the system audit data path.
  • V-257848 (MEDIUM) RHEL 9 must use a separate file system for /var/tmp.
  • V-257849 (MEDIUM) RHEL 9 file system automount function must be disabled unless required.
  • V-257850 (MEDIUM) RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
  • V-257851 (MEDIUM) RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
  • V-257852 (MEDIUM) RHEL 9 must prevent code from being executed on file systems that contain user home directories.
  • V-257854 (MEDIUM) RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
  • V-257855 (MEDIUM) RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
  • V-257856 (MEDIUM) RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
  • V-257857 (MEDIUM) RHEL 9 must prevent code from being executed on file systems that are used with removable media.
  • V-257858 (MEDIUM) RHEL 9 must prevent special devices on file systems that are used with removable media.
  • V-257859 (MEDIUM) RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • V-257860 (MEDIUM) RHEL 9 must mount /boot with the nodev option.
  • V-257861 (MEDIUM) RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • V-257862 (MEDIUM) RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
  • V-257863 (MEDIUM) RHEL 9 must mount /dev/shm with the nodev option.
  • V-257864 (MEDIUM) RHEL 9 must mount /dev/shm with the noexec option.
  • V-257865 (MEDIUM) RHEL 9 must mount /dev/shm with the nosuid option.
  • V-257866 (MEDIUM) RHEL 9 must mount /tmp with the nodev option.
  • V-257867 (MEDIUM) RHEL 9 must mount /tmp with the noexec option.
  • V-257868 (MEDIUM) RHEL 9 must mount /tmp with the nosuid option.
  • V-257869 (MEDIUM) RHEL 9 must mount /var with the nodev option.
  • V-257870 (MEDIUM) RHEL 9 must mount /var/log with the nodev option.
  • V-257871 (MEDIUM) RHEL 9 must mount /var/log with the noexec option.
  • V-257872 (MEDIUM) RHEL 9 must mount /var/log with the nosuid option.
  • V-257873 (MEDIUM) RHEL 9 must mount /var/log/audit with the nodev option.
  • V-257874 (MEDIUM) RHEL 9 must mount /var/log/audit with the noexec option.
  • V-257875 (MEDIUM) RHEL 9 must mount /var/log/audit with the nosuid option.
  • V-257876 (MEDIUM) RHEL 9 must mount /var/tmp with the nodev option.
  • V-257877 (MEDIUM) RHEL 9 must mount /var/tmp with the noexec option.
  • V-257878 (MEDIUM) RHEL 9 must mount /var/tmp with the nosuid option.
  • V-257879 (HIGH) RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
  • V-257880 (LOW) RHEL 9 must disable mounting of cramfs.
  • V-257881 (MEDIUM) RHEL 9 must prevent special devices on non-root local partitions.
  • V-257882 (MEDIUM) RHEL 9 system commands must have mode 755 or less permissive.
  • V-257883 (MEDIUM) RHEL 9 library directories must have mode 755 or less permissive.
  • V-257884 (MEDIUM) RHEL 9 library files must have mode 755 or less permissive.
  • V-257885 (MEDIUM) RHEL 9 /var/log directory must have mode 0755 or less permissive.
  • V-257886 (MEDIUM) RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
  • V-257887 (MEDIUM) RHEL 9 audit tools must have a mode of 0755 or less permissive.
  • V-257888 (MEDIUM) RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults.
  • V-257889 (MEDIUM) All RHEL 9 local initialization files must have mode 0740 or less permissive.
  • V-257890 (MEDIUM) All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
  • V-257891 (MEDIUM) RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-257892 (MEDIUM) RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-257893 (MEDIUM) RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-257894 (MEDIUM) RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-257895 (MEDIUM) RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-257896 (MEDIUM) RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
  • V-257897 (MEDIUM) RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
  • V-257898 (MEDIUM) RHEL 9 /etc/group file must be owned by root.
  • V-257899 (MEDIUM) RHEL 9 /etc/group file must be group-owned by root.
  • V-257900 (MEDIUM) RHEL 9 /etc/group- file must be owned by root.
  • V-257901 (MEDIUM) RHEL 9 /etc/group- file must be group-owned by root.
  • V-257902 (MEDIUM) RHEL 9 /etc/gshadow file must be owned by root.
  • V-257903 (MEDIUM) RHEL 9 /etc/gshadow file must be group-owned by root.
  • V-257904 (MEDIUM) RHEL 9 /etc/gshadow- file must be owned by root.
  • V-257905 (MEDIUM) RHEL 9 /etc/gshadow- file must be group-owned by root.
  • V-257906 (MEDIUM) RHEL 9 /etc/passwd file must be owned by root.
  • V-257907 (MEDIUM) RHEL 9 /etc/passwd file must be group-owned by root.
  • V-257908 (MEDIUM) RHEL 9 /etc/passwd- file must be owned by root.
  • V-257909 (MEDIUM) RHEL 9 /etc/passwd- file must be group-owned by root.
  • V-257910 (MEDIUM) RHEL 9 /etc/shadow file must be owned by root.
  • V-257911 (MEDIUM) RHEL 9 /etc/shadow file must be group-owned by root.
  • V-257912 (MEDIUM) RHEL 9 /etc/shadow- file must be owned by root.
  • V-257913 (MEDIUM) RHEL 9 /etc/shadow- file must be group-owned by root.
  • V-257914 (MEDIUM) RHEL 9 /var/log directory must be owned by root.
  • V-257915 (MEDIUM) RHEL 9 /var/log directory must be group-owned by root.
  • V-257916 (MEDIUM) RHEL 9 /var/log/messages file must be owned by root.
  • V-257917 (MEDIUM) RHEL 9 /var/log/messages file must be group-owned by root.
  • V-257918 (MEDIUM) RHEL 9 system commands must be owned by root.
  • V-257919 (MEDIUM) RHEL 9 system commands must be group-owned by root or a system account.
  • V-257920 (MEDIUM) RHEL 9 library files must be owned by root.
  • V-257921 (MEDIUM) RHEL 9 library files must be group-owned by root or a system account.
  • V-257922 (MEDIUM) RHEL 9 library directories must be owned by root.
  • V-257923 (MEDIUM) RHEL 9 library directories must be group-owned by root or a system account.
  • V-257924 (MEDIUM) RHEL 9 audit tools must be owned by root.
  • V-257925 (MEDIUM) RHEL 9 audit tools must be group-owned by root.
  • V-257926 (MEDIUM) RHEL 9 cron configuration files directory must be owned by root.
  • V-257927 (MEDIUM) RHEL 9 cron configuration files directory must be group-owned by root.
  • V-257928 (MEDIUM) All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
  • V-257929 (MEDIUM) A sticky bit must be set on all RHEL 9 public directories.
  • V-257930 (MEDIUM) All RHEL 9 local files and directories must have a valid group owner.
  • V-257931 (MEDIUM) All RHEL 9 local files and directories must have a valid owner.
  • V-257932 (MEDIUM) RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
  • V-257934 (MEDIUM) RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
  • V-257935 (MEDIUM) RHEL 9 must have the firewalld package installed.
  • V-257936 (MEDIUM) The firewalld service on RHEL 9 must be active.
  • V-257937 (MEDIUM) The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
  • V-257939 (MEDIUM) RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
  • V-257940 (MEDIUM) RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
  • V-257941 (MEDIUM) RHEL 9 network interfaces must not be in promiscuous mode.
  • V-257942 (MEDIUM) RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
  • V-257943 (MEDIUM) RHEL 9 must have the chrony package installed.
  • V-257944 (MEDIUM) RHEL 9 chronyd service must be enabled.
  • V-257945 (MEDIUM) RHEL 9 must securely compare internal information system clocks at least every 24 hours.
  • V-257946 (LOW) RHEL 9 must disable the chrony daemon from acting as a server.
  • V-257947 (LOW) RHEL 9 must disable network management of the chrony daemon.
  • V-257948 (MEDIUM) RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
  • V-257949 (MEDIUM) RHEL 9 must configure a DNS processing mode in Network Manager.
  • V-257950 (MEDIUM) RHEL 9 must not have unauthorized IP tunnels configured.
  • V-257951 (MEDIUM) RHEL 9 must be configured to prevent unrestricted mail relaying.
  • V-257953 (MEDIUM) RHEL 9 must forward mail from postmaster to the root account using a postfix alias.
  • V-257954 (MEDIUM) RHEL 9 libreswan package must be installed.
  • V-257955 (HIGH) There must be no shosts.equiv files on RHEL 9.
  • V-257956 (HIGH) There must be no .shosts files on RHEL 9.
  • V-257957 (MEDIUM) RHEL 9 must be configured to use TCP syncookies.
  • V-257958 (MEDIUM) RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
  • V-257959 (MEDIUM) RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
  • V-257960 (MEDIUM) RHEL 9 must log IPv4 packets with impossible addresses.
  • V-257961 (MEDIUM) RHEL 9 must log IPv4 packets with impossible addresses by default.
  • V-257962 (MEDIUM) RHEL 9 must use reverse path filtering on all IPv4 interfaces.
  • V-257963 (MEDIUM) RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-257964 (MEDIUM) RHEL 9 must not forward IPv4 source-routed packets by default.
  • V-257965 (MEDIUM) RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
  • V-257966 (MEDIUM) RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
  • V-257967 (MEDIUM) RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
  • V-257968 (MEDIUM) RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
  • V-257969 (MEDIUM) RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
  • V-257970 (MEDIUM) RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
  • V-257971 (MEDIUM) RHEL 9 must not accept router advertisements on all IPv6 interfaces.
  • V-257972 (MEDIUM) RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
  • V-257973 (MEDIUM) RHEL 9 must not forward IPv6 source-routed packets.
  • V-257974 (MEDIUM) RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
  • V-257975 (MEDIUM) RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
  • V-257976 (MEDIUM) RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
  • V-257977 (MEDIUM) RHEL 9 must not forward IPv6 source-routed packets by default.
  • V-257978 (MEDIUM) All RHEL 9 networked systems must have SSH installed.
  • V-257979 (MEDIUM) All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
  • V-257980 (MEDIUM) RHEL 9 must have the openssh-clients package installed.
  • V-257981 (MEDIUM) RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.
  • V-257982 (MEDIUM) RHEL 9 must log SSH connection attempts and failures to the server.
  • V-257983 (MEDIUM) RHEL 9 SSHD must accept public key authentication.
  • V-257984 (HIGH) RHEL 9 SSHD must not allow blank passwords.
  • V-257985 (MEDIUM) RHEL 9 must not permit direct logons to the root account using remote access via SSH.
  • V-257986 (HIGH) RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
  • V-257989 (HIGH) The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-257991 (HIGH) The RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
  • V-257992 (MEDIUM) RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.
  • V-257993 (MEDIUM) RHEL 9 must not allow users to override SSH environment variables.
  • V-257994 (MEDIUM) RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
  • V-257995 (MEDIUM) RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
  • V-257996 (MEDIUM) RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
  • V-257997 (MEDIUM) RHEL 9 SSH server configuration file must be group-owned by root.
  • V-257998 (MEDIUM) The RHEL 9 SSH server configuration file must be owned by root.
  • V-257999 (MEDIUM) RHEL 9 SSH server configuration files' permissions must not be modified.
  • V-258000 (MEDIUM) RHEL 9 SSH private host key files must have mode 0640 or less permissive.
  • V-258001 (MEDIUM) RHEL 9 SSH public host key files must have mode 0644 or less permissive.
  • V-258002 (MEDIUM) RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
  • V-258003 (MEDIUM) RHEL 9 SSH daemon must not allow GSSAPI authentication.
  • V-258004 (MEDIUM) RHEL 9 SSH daemon must not allow Kerberos authentication.
  • V-258005 (MEDIUM) RHEL 9 SSH daemon must not allow rhosts authentication.
  • V-258006 (MEDIUM) RHEL 9 SSH daemon must not allow known hosts authentication.
  • V-258007 (MEDIUM) RHEL 9 SSH daemon must disable remote X connections for interactive users.
  • V-258008 (MEDIUM) RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
  • V-258009 (MEDIUM) RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
  • V-258011 (MEDIUM) RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
  • V-258012 (MEDIUM) RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • V-258013 (MEDIUM) RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.
  • V-258014 (MEDIUM) RHEL 9 must disable the graphical user interface automount function unless required.
  • V-258015 (MEDIUM) RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
  • V-258016 (MEDIUM) RHEL 9 must disable the graphical user interface autorun function unless required.
  • V-258017 (MEDIUM) RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
  • V-258018 (HIGH) RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
  • V-258019 (MEDIUM) RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.
  • V-258020 (MEDIUM) RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.
  • V-258021 (MEDIUM) RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
  • V-258022 (MEDIUM) RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
  • V-258023 (MEDIUM) RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity.
  • V-258024 (MEDIUM) RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • V-258025 (MEDIUM) RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • V-258026 (MEDIUM) RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
  • V-258027 (MEDIUM) RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
  • V-258028 (MEDIUM) RHEL 9 effective dconf policy must match the policy keyfiles.
  • V-258029 (MEDIUM) RHEL 9 must disable the ability of a user to restart the system from the login screen.
  • V-258030 (MEDIUM) RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
  • V-258031 (MEDIUM) RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
  • V-258032 (MEDIUM) RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
  • V-258033 (MEDIUM) RHEL 9 must disable the user list at logon for graphical user interfaces.
  • V-258034 (MEDIUM) RHEL 9 must be configured to disable USB mass storage.
  • V-258035 (MEDIUM) RHEL 9 must have the USBGuard package installed.
  • V-258036 (MEDIUM) RHEL 9 must have the USBGuard package enabled.
  • V-258037 (LOW) RHEL 9 must enable Linux audit logging for the USBGuard daemon.
  • V-258038 (MEDIUM) RHEL 9 must block unauthorized peripherals before establishing a connection.
  • V-258039 (MEDIUM) RHEL 9 Bluetooth must be disabled.
  • V-258040 (MEDIUM) RHEL 9 wireless network adapters must be disabled.
  • V-258041 (MEDIUM) RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.
  • V-258042 (MEDIUM) RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction.
  • V-258043 (MEDIUM) All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
  • V-258044 (MEDIUM) RHEL 9 must set the umask value to 077 for all local interactive user accounts.
  • V-258045 (MEDIUM) RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
  • V-258046 (MEDIUM) RHEL 9 system accounts must not have an interactive login shell.
  • V-258047 (MEDIUM) RHEL 9 must automatically expire temporary accounts within 72 hours.
  • V-258048 (MEDIUM) All RHEL 9 interactive users must have a primary group that exists.
  • V-258049 (MEDIUM) RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-258050 (MEDIUM) Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
  • V-258051 (MEDIUM) All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
  • V-258052 (MEDIUM) All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
  • V-258053 (MEDIUM) All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
  • V-258054 (MEDIUM) RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
  • V-258055 (MEDIUM) RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-258056 (MEDIUM) RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
  • V-258057 (MEDIUM) RHEL 9 must maintain an account lock until the locked account is released by an administrator.
  • V-258058 (MEDIUM) RHEL 9 must not have unauthorized accounts.
  • V-258059 (HIGH) The root account must be the only account having unrestricted access to RHEL 9 system.
  • V-258060 (MEDIUM) RHEL 9 must ensure account lockouts persist.
  • V-258061 (MEDIUM) RHEL 9 groups must have unique Group ID (GID).
  • V-258068 (MEDIUM) RHEL 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
  • V-258069 (LOW) RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • V-258070 (MEDIUM) RHEL 9 must log username information when unsuccessful logon attempts occur.
  • V-258071 (MEDIUM) RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • V-258072 (MEDIUM) RHEL 9 must define default permissions for the bash shell.
  • V-258073 (MEDIUM) RHEL 9 must define default permissions for the c shell.
  • V-258074 (MEDIUM) RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
  • V-258075 (MEDIUM) RHEL 9 must define default permissions for the system default profile.
  • V-258077 (MEDIUM) RHEL 9 must terminate idle user sessions.
  • V-258078 (HIGH) RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
  • V-258079 (MEDIUM) RHEL 9 must enable the SELinux targeted policy.
  • V-258080 (MEDIUM) RHEL 9 must configure SELinux context type to allow the use of a nondefault faillock tally directory.
  • V-258081 (MEDIUM) RHEL 9 must have policycoreutils package installed.
  • V-258082 (MEDIUM) RHEL 9 policycoreutils-python-utils package must be installed.
  • V-258083 (MEDIUM) RHEL 9 must have the sudo package installed.
  • V-258084 (MEDIUM) RHEL 9 must require reauthentication when using the "sudo" command.
  • V-258085 (MEDIUM) RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
  • V-258086 (MEDIUM) RHEL 9 must require users to reauthenticate for privilege escalation.
  • V-258087 (MEDIUM) RHEL 9 must restrict privilege elevation to authorized personnel.
  • V-258088 (MEDIUM) RHEL 9 must restrict the use of the "su" command.
  • V-258089 (MEDIUM) RHEL 9 fapolicy module must be installed.
  • V-258090 (MEDIUM) RHEL 9 fapolicy module must be enabled.
  • V-258091 (MEDIUM) RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
  • V-258094 (HIGH) RHEL 9 must not allow blank or null passwords.
  • V-258095 (MEDIUM) RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
  • V-258096 (MEDIUM) RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
  • V-258097 (MEDIUM) RHEL 9 must ensure the password complexity module is enabled in the password-auth file.
  • V-258098 (MEDIUM) RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
  • V-258099 (MEDIUM) RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
  • V-258100 (MEDIUM) RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
  • V-258101 (MEDIUM) RHEL 9 must enforce password complexity rules for the root account.
  • V-258102 (MEDIUM) RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used.
  • V-258103 (MEDIUM) RHEL 9 must enforce password complexity by requiring that at least one numeric character be used.
  • V-258104 (MEDIUM) RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.
  • V-258105 (MEDIUM) RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.
  • V-258106 (MEDIUM) RHEL 9 must require users to provide a password for privilege escalation.
  • V-258107 (MEDIUM) RHEL 9 passwords must be created with a minimum of 15 characters.
  • V-258109 (MEDIUM) RHEL 9 must enforce password complexity by requiring that at least one special character be used.
  • V-258110 (MEDIUM) RHEL 9 must prevent the use of dictionary words for passwords.
  • V-258111 (MEDIUM) RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used.
  • V-258112 (MEDIUM) RHEL 9 must require the change of at least eight characters when passwords are changed.
  • V-258113 (MEDIUM) RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
  • V-258114 (MEDIUM) RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.
  • V-258115 (MEDIUM) RHEL 9 must require the change of at least four character classes when passwords are changed.
  • V-258116 (MEDIUM) RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
  • V-258117 (MEDIUM) RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
  • V-258118 (MEDIUM) RHEL 9 must not be configured to bypass password requirements for privilege escalation.
  • V-258120 (MEDIUM) RHEL 9 must not have accounts configured with blank or null passwords.
  • V-258121 (MEDIUM) RHEL 9 must use the common access card (CAC) smart card driver.
  • V-258122 (MEDIUM) RHEL 9 must enable certificate based smart card authentication.
  • V-258123 (MEDIUM) RHEL 9 must implement certificate status checking for multifactor authentication.
  • V-258124 (MEDIUM) RHEL 9 must have the pcsc-lite package installed.
  • V-258125 (MEDIUM) The pcscd service on RHEL 9 must be active.
  • V-258126 (MEDIUM) RHEL 9 must have the opensc package installed.
  • V-258127 (MEDIUM) RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-258128 (MEDIUM) RHEL 9 must require authentication to access emergency mode.
  • V-258129 (MEDIUM) RHEL 9 must require authentication to access single-user mode.
  • V-258131 (MEDIUM) RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-258132 (MEDIUM) RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.
  • V-258133 (MEDIUM) RHEL 9 must prohibit the use of cached authenticators after one day.
  • V-258134 (MEDIUM) RHEL 9 must have the AIDE package installed.
  • V-258135 (MEDIUM) RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.
  • V-258136 (MEDIUM) RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
  • V-258137 (MEDIUM) RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.
  • V-258138 (LOW) RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
  • V-258139 (LOW) RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
  • V-258140 (MEDIUM) RHEL 9 must have the rsyslog package installed.
  • V-258141 (MEDIUM) RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
  • V-258142 (MEDIUM) The rsyslog service on RHEL 9 must be active.
  • V-258143 (MEDIUM) RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
  • V-258144 (MEDIUM) All RHEL 9 remote access methods must be monitored.
  • V-258146 (MEDIUM) RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.
  • V-258147 (MEDIUM) RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
  • V-258148 (MEDIUM) RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
  • V-258149 (MEDIUM) RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
  • V-258150 (MEDIUM) RHEL 9 must use cron logging.
  • V-258151 (MEDIUM) RHEL 9 audit package must be installed.
  • V-258152 (MEDIUM) RHEL 9 audit service must be enabled.
  • V-258153 (MEDIUM) RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.
  • V-258154 (MEDIUM) RHEL 9 audit system must take appropriate action when the audit storage volume is full.
  • V-258155 (MEDIUM) RHEL 9 must allocate audit record storage capacity to store at least one week's worth of audit records.
  • V-258156 (MEDIUM) RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
  • V-258157 (MEDIUM) RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
  • V-258158 (MEDIUM) RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
  • V-258159 (MEDIUM) RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
  • V-258160 (MEDIUM) RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.
  • V-258161 (MEDIUM) RHEL 9 must label all offloaded audit logs before sending them to
the central log server.V-258162MEDIUMRHEL 9 must take appropriate action when the internal event queue is full.V-258163MEDIUMRHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.V-258164MEDIUMRHEL 9 audit system must audit local events.V-258165MEDIUMRHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.V-258166MEDIUMRHEL 9 audit log directory must be owned by root to prevent unauthorized read access.V-258167MEDIUMRHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.V-258168MEDIUMRHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.V-258169MEDIUMRHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.V-258170MEDIUMRHEL 9 must write audit records to disk.V-258171MEDIUMRHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.V-258173LOWRHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.V-258174MEDIUMRHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.V-258175MEDIUMRHEL 9 audispd-plugins package must be installed.V-258176MEDIUMRHEL 9 must audit uses of the "execve" system call.V-258177MEDIUMRHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.V-258178MEDIUMRHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.V-258179MEDIUMRHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.V-258180MEDIUMRHEL 9 must audit all uses of 
umount system calls.V-258181MEDIUMRHEL 9 must audit all uses of the chacl command.V-258182MEDIUMRHEL 9 must audit all uses of the setfacl command.V-258183MEDIUMRHEL 9 must audit all uses of the chcon command.V-258184MEDIUMRHEL 9 must audit all uses of the semanage command.V-258185MEDIUMRHEL 9 must audit all uses of the setfiles command.V-258186MEDIUMRHEL 9 must audit all uses of the setsebool command.V-258187MEDIUMRHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.V-258188MEDIUMRHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.V-258189MEDIUMRHEL 9 must audit all uses of the delete_module system call.V-258190MEDIUMRHEL 9 must audit all uses of the init_module and finit_module system calls.V-258191MEDIUMRHEL 9 must audit all uses of the chage command.V-258192MEDIUMRHEL 9 must audit all uses of the chsh command.V-258193MEDIUMRHEL 9 must audit all uses of the crontab command.V-258194MEDIUMRHEL 9 must audit all uses of the gpasswd command.V-258195MEDIUMRHEL 9 must audit all uses of the kmod command.V-258196MEDIUMRHEL 9 must audit all uses of the newgrp command.V-258197MEDIUMRHEL 9 must audit all uses of the pam_timestamp_check command.V-258198MEDIUMRHEL 9 must audit all uses of the passwd command.V-258199MEDIUMRHEL 9 must audit all uses of the postdrop command.V-258200MEDIUMRHEL 9 must audit all uses of the postqueue command.V-258201MEDIUMRHEL 9 must audit all uses of the ssh-agent command.V-258202MEDIUMRHEL 9 must audit all uses of the ssh-keysign command.V-258203MEDIUMRHEL 9 must audit all uses of the su command.V-258204MEDIUMRHEL 9 must audit all uses of the sudo command.V-258205MEDIUMRHEL 9 must audit all uses of the sudoedit command.V-258206MEDIUMRHEL 9 must audit all uses of the unix_chkpwd command.V-258207MEDIUMRHEL 9 must audit all uses of the unix_update command.V-258208MEDIUMRHEL 9 must audit all uses of the userhelper command.V-258209MEDIUMRHEL 9 must audit 
all uses of the usermod command.V-258210MEDIUMRHEL 9 must audit all uses of the mount command.V-258211MEDIUMSuccessful/unsuccessful uses of the init command in RHEL 9 must generate an audit record.V-258212MEDIUMSuccessful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record.V-258213MEDIUMSuccessful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.V-258214MEDIUMSuccessful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record.V-258215MEDIUMSuccessful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.V-258216MEDIUMSuccessful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.V-258217MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.V-258218MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.V-258219MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.V-258220MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.V-258221MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.V-258222MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.V-258223MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.V-258224MEDIUMRHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.V-258225MEDIUMRHEL 9 must generate audit records 
for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.V-258227MEDIUMRHEL 9 must take appropriate action when a critical audit processing failure occurs.V-258228MEDIUMRHEL 9 audit system must protect logon UIDs from unauthorized change.V-258229MEDIUMRHEL 9 audit system must protect auditing rules from unauthorized change.V-258230HIGHRHEL 9 must enable FIPS mode.V-258231MEDIUMRHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.V-258232HIGHRHEL 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.V-258233MEDIUMRHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.V-258234HIGHRHEL 9 must have the crypto-policies package installed.V-258236HIGHRHEL 9 cryptographic policy must not be overridden.V-258241HIGHRHEL 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy.V-258242HIGHRHEL 9 must implement DOD-approved encryption in the bind package.V-270174MEDIUMRHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.V-270175MEDIUMRHEL 9 "/etc/audit/" must be owned by root.V-270176MEDIUMRHEL 9 "/etc/audit/" must be group-owned by root.V-270177HIGHThe RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.V-270178HIGHThe RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.V-270180MEDIUMThe RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.V-272488MEDIUMRHEL 9 
must have the Postfix package installed.V-272496MEDIUMRHEL 9 must elevate the SELinux context when an administrator calls the sudo command.V-279936MEDIUMRHEL 9 must audit any script or executable called by cron as root or by any privileged user.