STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 5 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide

Version

V2R5

Release Date

Feb 19, 2026

SCAP Benchmark ID

TOSS_4_STIG

Total Checks

226

Tags

other

CAT I: 15CAT II: 202CAT III: 9

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON Download STIG ZIP

Checks (226)

V-252911MEDIUMTOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system.V-252912MEDIUMTOSS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.V-252913MEDIUMTOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.V-252914MEDIUMTOSS must require authentication upon booting into emergency or rescue modes.V-252915MEDIUMTOSS must not permit direct logons to the root account using remote access from outside of the system via SSH.V-252916MEDIUMThe TOSS file system automounter must be disabled unless required.V-252917MEDIUMThe TOSS pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.V-252918MEDIUMThe TOSS pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2-approved cryptographic hashing algorithm for system authentication.V-252919HIGHThe TOSS operating system must implement DOD-approved encryption in the OpenSSL package.V-252920MEDIUMTOSS must use a Linux Security Module configured to enforce limits on system services.V-252921MEDIUMTOSS must prevent unauthorized and unintended information transfer via shared system resources.V-252922MEDIUMThe TOSS operating system must be configured to use TCP syncookies.V-252923LOWTOSS must display the Standard Mandatory DoD Notice and Consent Banner or equivalent US Government Agency Notice and Consent Banner before granting local or remote access to the system via a ssh logon.V-252924HIGHThe TOSS operating system must implement DOD-approved encryption to protect the confidentiality of SSH connections.V-252925HIGHThe TOSS operating system must implement DOD-approved TLS encryption in the GnuTLS package.V-252926MEDIUMThe TOSS SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.V-252927MEDIUMThe TOSS operating system must be configured to preserve log records from failure events.V-252928MEDIUMTOSS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).V-252929MEDIUMThe TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.V-252930HIGHTOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.V-252931MEDIUMTOSS must require reauthentication when using the "sudo" command.V-252932MEDIUMTOSS must have the packages required for multifactor authentication installed.V-252933MEDIUMTOSS must prohibit the use of cached authentications after one day.V-252934MEDIUMAll TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.V-252935MEDIUMFor TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.V-252936MEDIUMThe debug-shell systemd service must be disabled on TOSS.V-252937HIGHThe root account must be the only account having unrestricted access to the TOSS system.V-252938HIGHThe systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled.V-252939MEDIUMThere must be no ".shosts" files on The TOSS operating system.V-252940HIGHTOSS must not allow blank or null passwords in the system-auth file.V-252941MEDIUMTOSS must not be performing packet forwarding unless the system is a router.V-252942MEDIUMThe TOSS SSH daemon must not allow authentication using known host's authentication.V-252943MEDIUMThe TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.V-252944MEDIUMThe TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.V-252945HIGHTOSS must not allow an unattended or automatic logon to the system.V-252946MEDIUMTOSS must enforce the limit of five consecutive invalid logon attempts by a user during a 15-minute time period.V-252947LOWTOSS must limit the number of concurrent sessions to 256 for all accounts and/or account types.V-252948MEDIUMTOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.V-252949MEDIUMTOSS must automatically lock graphical user sessions after 10 minutes of inactivity.V-252950MEDIUMTOSS must map the authenticated identity to the user or group account for PKI-based authentication.V-252951MEDIUMTOSS duplicate User IDs (UIDs) must not exist for interactive users.V-252952MEDIUMTOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.V-252953MEDIUMTOSS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.V-252954MEDIUMTOSS must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.V-252955MEDIUMTOSS must reveal error messages only to authorized users.V-252956MEDIUMTOSS must protect wireless access to the system using authentication of users and/or devices.V-252957MEDIUMTOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.V-252958MEDIUMTOSS must require users to reauthenticate for privilege escalation.V-252959MEDIUMTOSS must require users to provide a password for privilege escalation.V-252960MEDIUMAll TOSS local interactive user accounts must be assigned a home directory upon creation.V-252961MEDIUMAll TOSS local interactive user home directories must be group-owned by the home directory owner's primary group.V-252962MEDIUMAll TOSS local interactive users must have a home directory assigned in the /etc/passwd file.V-252963HIGHThe x86 Ctrl-Alt-Delete key sequence in TOSS must be disabled if a graphical user interface is installed.V-252964MEDIUMTOSS must disable the user list at logon for graphical user interfaces.V-252965MEDIUMTOSS must display the date and time of the last successful account logon upon an SSH logon.V-252966HIGHTOSS must not allow accounts configured with blank or null passwords.V-252967MEDIUMTOSS must not have unnecessary accounts.V-252968MEDIUMTOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.V-252969MEDIUMAll TOSS local interactive user home directories must have mode 0750 or less permissive.V-252970MEDIUMAll TOSS local interactive user home directories must be owned by root.V-252971MEDIUMAll TOSS local interactive user home directories must be owned by the user's primary group.V-252972MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.V-252973MEDIUMTOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.V-252974MEDIUMTOSS must generate audit records containing the full-text recording of privileged commands.V-252975MEDIUMTOSS must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.V-252976MEDIUMTOSS must take appropriate action when an audit processing failure occurs.V-252977MEDIUMTOSS audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.V-252978MEDIUMTOSS audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.V-252979MEDIUMTOSS audit logs must be owned by user root to prevent unauthorized read access.V-252980MEDIUMTOSS audit logs must be owned by group root to prevent unauthorized read access.V-252981MEDIUMTOSS audit log directory must be owned by user root to prevent unauthorized read access.V-252982MEDIUMTOSS audit log directory must be owned by group root to prevent unauthorized read access.V-252983MEDIUMThe TOSS audit system must protect auditing rules from unauthorized change.V-252984MEDIUMThe TOSS audit system must protect logon UIDs from unauthorized change.V-252985MEDIUMSuccessful/unsuccessful uses of the "chage" command in TOSS must generate an audit record.V-252986MEDIUMSuccessful/unsuccessful uses of the "chcon" command in TOSS must generate an audit record.V-252987MEDIUMSuccessful/unsuccessful uses of the ssh-agent in TOSS must generate an audit record.V-252988MEDIUMSuccessful/unsuccessful uses of the "passwd" command in TOSS must generate an audit record.V-252989MEDIUMSuccessful/unsuccessful uses of postdrop in TOSS must generate an audit record.V-252990MEDIUMSuccessful/unsuccessful uses of postqueue in TOSS must generate an audit record.V-252991MEDIUMSuccessful/unsuccessful uses of setsebool in TOSS must generate an audit record.V-252992MEDIUMSuccessful/unsuccessful uses of the ssh-keysign in TOSS must generate an audit record.V-252993MEDIUMSuccessful/unsuccessful uses of the "setfacl" command in RTOSS must generate an audit record.V-252994MEDIUMSuccessful/unsuccessful uses of the "pam_timestamp_check" command in TOSS must generate an audit record.V-252995MEDIUMSuccessful/unsuccessful uses of the "newgrp" command in TOSS must generate an audit record.V-252996MEDIUMSuccessful/unsuccessful uses of the "init_module" command in TOSS must generate an audit record.V-252997MEDIUMSuccessful/unsuccessful uses of the "rename" command in TOSS must generate an audit record.V-252998MEDIUMSuccessful/unsuccessful uses of the "renameat" command in TOSS must generate an audit record.V-252999MEDIUMSuccessful/unsuccessful uses of the "rmdir" command in TOSS must generate an audit record.V-253000MEDIUMSuccessful/unsuccessful uses of the "unlink" command in TOSS must generate an audit record.V-253001MEDIUMSuccessful/unsuccessful uses of the "unlinkat" command in TOSS must generate an audit record.V-253002MEDIUMSuccessful/unsuccessful uses of the "finit_module" command in TOSS must generate an audit record.V-253003MEDIUMSuccessful/unsuccessful uses of the "delete_module" command in TOSS must generate an audit record.V-253004MEDIUMSuccessful/unsuccessful uses of the "crontab" command in TOSS must generate an audit record.V-253005MEDIUMSuccessful/unsuccessful uses of the "chsh" command in TOSS must generate an audit record.V-253006MEDIUMSuccessful/unsuccessful uses of setfiles in TOSS must generate an audit record.V-253007MEDIUMSuccessful/unsuccessful uses of the "chacl" command in TOSS must generate an audit record.V-253008MEDIUMTOSS must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.V-253009MEDIUMSuccessful/unsuccessful uses of the chmod system call in TOSS must generate an audit record.V-253010MEDIUMSuccessful/unsuccessful uses of the chown system call in TOSS must generate an audit record.V-253011MEDIUMSuccessful/unsuccessful uses of the creat system call in TOSS must generate an audit record.V-253012MEDIUMSuccessful/unsuccessful uses of the fchmod system call in TOSS must generate an audit record.V-253013MEDIUMSuccessful/unsuccessful uses of the fchmodat system call in TOSS must generate an audit record.V-253014MEDIUMSuccessful/unsuccessful uses of the fchown system call in TOSS must generate an audit record.V-253015MEDIUMSuccessful/unsuccessful uses of the fchownat system call in TOSS must generate an audit record.V-253016MEDIUMSuccessful/unsuccessful uses of the ftruncate system call system call in TOSS must generate an audit record.V-253017MEDIUMSuccessful/unsuccessful uses of the lchown system call in TOSS must generate an audit record.V-253018MEDIUMSuccessful/unsuccessful uses of the open system call in TOSS must generate an audit record.V-253019MEDIUMSuccessful/unsuccessful uses of the open_by_handle_at system call system call in TOSS must generate an audit record.V-253020MEDIUMSuccessful/unsuccessful uses of the openat system call in TOSS must generate an audit record.V-253021MEDIUMSuccessful/unsuccessful uses of the truncate system call in TOSS must generate an audit record.V-253022MEDIUMTOSS audit tools must be owned by "root".V-253023MEDIUMTOSS must use cryptographic mechanisms to protect the integrity of audit tools.V-253024MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".V-253025MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".V-253026MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".V-253027MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd".V-253028MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers".V-253029MEDIUMTOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/".V-253030MEDIUMThe TOSS audit system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.V-253031MEDIUMTOSS must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility.V-253032MEDIUMThe TOSS audit records must be offloaded onto a different system or storage media from the system being audited.V-253033MEDIUMTOSS must label all off-loaded audit logs before sending them to the central log server.V-253034MEDIUMThe TOSS audit system must be configured to audit any usage of the "fsetxattr" system call.V-253035MEDIUMThe TOSS audit system must be configured to audit any usage of the "lsetxattr" system call.V-253036MEDIUMSuccessful/unsuccessful uses of the fremovexattr system call in TOSS must generate an audit record.V-253037MEDIUMSuccessful/unsuccessful uses of the "lremovexattr" system call in TOSS must generate an audit record.V-253038MEDIUMSuccessful/unsuccessful uses of the "removexattr" system call in TOSS must generate an audit record.V-253039MEDIUMSuccessful/unsuccessful modifications to the "lastlog" file in TOSS must generate an audit record.V-253040MEDIUMSuccessful/unsuccessful uses of "semanage" in TOSS must generate an audit record.V-253041MEDIUMSuccessful/unsuccessful uses of the "gpasswd" command in TOSS must generate an audit record.V-253042MEDIUMSuccessful/unsuccessful uses of the "mount" command in TOSS must generate an audit record.V-253043MEDIUMSuccessful/unsuccessful uses of the "mount" syscall in TOSS must generate an audit record.V-253044MEDIUMSuccessful/unsuccessful uses of the "su" command in TOSS must generate an audit record.V-253045MEDIUMSuccessful/unsuccessful uses of the "umount" command in TOSS must generate an audit record.V-253046MEDIUMSuccessful/unsuccessful uses of the "unix_update" in TOSS must generate an audit record.V-253047MEDIUMSuccessful/unsuccessful uses of the "usermod" command in TOSS must generate an audit record.V-253048MEDIUMSuccessful/unsuccessful uses of "unix_chkpwd" in TOSS must generate an audit record.V-253049MEDIUMSuccessful/unsuccessful uses of "userhelper" in TOSS must generate an audit record.V-253050MEDIUMSuccessful/unsuccessful uses of the "kmod" command in TOSS must generate an audit record.V-253051MEDIUMThe auditd service must be running in TOSS.V-253052MEDIUMThe TOSS audit system must audit local events.V-253053LOWTOSS must resolve audit information before writing to disk.V-253054MEDIUMTOSS must have the packages required for offloading audit logs installed.V-253055MEDIUMTOSS must have the packages required for encrypting offloaded audit logs installed.V-253056MEDIUMTOSS must monitor remote access methods.V-253057MEDIUMTOSS must force a frequent session key renegotiation for SSH connections by the client.V-253058MEDIUMTOSS must force a frequent session key renegotiation for SSH connections to the server.V-253059HIGHTOSS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.V-253060MEDIUMTOSS must enforce password complexity by requiring that at least one uppercase character be used.V-253061MEDIUMTOSS must enforce password complexity by requiring that at least one lowercase character be used.V-253062MEDIUMTOSS must enforce password complexity by requiring that at least one numeric character be used.V-253063MEDIUMTOSS must require the change of at least eight characters when passwords are changed.V-253064MEDIUMTOSS must store only encrypted representations of passwords.V-253065MEDIUMTOSS must not have the rsh-server package installed.V-253066MEDIUMTOSS must enforce 24 hours/one day as the minimum password lifetime.V-253067MEDIUMTOSS must enforce a 60-day maximum password lifetime restriction.V-253069MEDIUMTOSS must enforce a minimum 15-character password length.V-253070MEDIUMTOSS must cover or disable the built-in or attached camera when not in use.V-253071MEDIUMTOSS must disable IEEE 1394 (FireWire) Support.V-253072MEDIUMTOSS must disable mounting of cramfs.V-253073MEDIUMTOSS must disable network management of the chrony daemon.V-253074MEDIUMTOSS must disable the asynchronous transfer mode (ATM) protocol.V-253075MEDIUMTOSS must disable the controller area network (CAN) protocol.V-253076MEDIUMTOSS must disable the stream control transmission (SCTP) protocol.V-253077MEDIUMTOSS must disable the transparent inter-process communication (TIPC) protocol.V-253078MEDIUMTOSS must not have any automated bug reporting tools installed.V-253079MEDIUMTOSS must not have the sendmail package installed.V-253080MEDIUMTOSS must not have the telnet-server package installed.V-253081MEDIUMTOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.V-253082MEDIUMTOSS must be configured to disable USB mass storage.V-253083MEDIUMTOSS must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.V-253084LOWTOSS must have policycoreutils package installed.V-253085MEDIUMAll TOSS local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.V-253086MEDIUMTOSS must limit privileges to change software resident within software libraries.V-253087MEDIUMTOSS must enforce password complexity by requiring that at least one special character be used.V-253088MEDIUMA firewall must be installed on TOSS.V-253089MEDIUMTOSS must take appropriate action when the internal event queue is full.V-253090MEDIUMTOSS must accept Personal Identity Verification (PIV) credentials.V-253091MEDIUMTOSS must implement DoD-approved encryption in the OpenSSL package.V-253092MEDIUMA firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.V-253093MEDIUMTOSS must implement non-executable data to protect its memory from unauthorized code execution.V-253094LOWYUM must remove all software components after updated versions have been installed on TOSS.V-253095MEDIUMTOSS must enable the "SELinux" targeted policy.V-253096MEDIUMTOSS must prevent the use of dictionary words for passwords.V-253097MEDIUMTOSS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.V-253098HIGHA File Transfer Protocol (FTP) server package must not be installed unless mission essential on TOSS.V-253099MEDIUMAll TOSS local files and directories must have a valid group owner.V-253100MEDIUMAll TOSS local files and directories must have a valid owner.V-253101MEDIUMCron logging must be implemented in TOSS.V-253102MEDIUMIf the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.V-253103MEDIUMThe graphical display manager must not be installed on TOSS unless approved.V-253104LOWThe TOSS file integrity tool must be configured to verify Access Control Lists (ACLs).V-253105LOWThe TOSS file integrity tool must be configured to verify extended attributes.V-253106MEDIUMThe TOSS SSH daemon must perform strict mode checking of home directory configuration files.V-253107MEDIUMThe TOSS SSH private host key files must have mode 0600 or less permissive.V-253108MEDIUMThe TOSS SSH public host key files must have mode 0644 or less permissive.V-253109HIGHThe x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.V-253110HIGHTOSS must be a vendor-supported release.V-253111MEDIUMTOSS must be configured to prevent unrestricted mail relaying.V-253112MEDIUMTOSS must define default permissions for logon and non-logon shells.V-253113MEDIUMTOSS must disable access to network bpf syscall from unprivileged processes.V-253114MEDIUMTOSS must enable hardening for the Berkeley Packet Filter Just-in-time compiler.V-253115MEDIUMTOSS must enable the hardware random number generator entropy gatherer service.V-253116LOWTOSS must ensure the SSH server uses strong entropy.V-253117LOWTOSS must have the packages required to use the hardware random number generator entropy gatherer service.V-253118MEDIUMTOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.V-253119MEDIUMTOSS must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.V-253120MEDIUMTOSS must not accept router advertisements on all IPv6 interfaces by default.V-253121MEDIUMTOSS must not accept router advertisements on all IPv6 interfaces.V-253122HIGHTOSS must not allow blank or null passwords in the password-auth file.V-253123MEDIUMTOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.V-253124MEDIUMTOSS must not forward IPv4 source-routed packets by default.V-253125MEDIUMTOSS must not forward IPv4 source-routed packets.V-253126MEDIUMTOSS must not forward IPv6 source-routed packets by default.V-253127MEDIUMTOSS must not forward IPv6 source-routed packets.V-253128MEDIUMTOSS must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.V-253129MEDIUMTOSS must not send Internet Control Message Protocol (ICMP) redirects.V-253130MEDIUMTOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.V-253131MEDIUMTOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.V-253132MEDIUMTOSS must restrict exposed kernel pointer addresses access.V-253133MEDIUMTOSS must restrict privilege elevation to authorized personnel.V-253134MEDIUMTOSS must use reverse path filtering on all IPv4 interfaces.V-253135MEDIUMTOSS network interfaces must not be in promiscuous mode.V-253136MEDIUMTOSS must enable kernel parameters to enforce discretionary access control on symlinks.V-253137MEDIUMTOSS must enable kernel parameters to enforce discretionary access control on hardlinks.