UCF STIG Viewer Logo

Red Hat Enterprise Linux 8 Security Technical Implementation Guide


Overview

Date Finding Count (371)
2022-06-15 CAT I (High): 21 CAT II (Med): 322 CAT III (Low): 28
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-230235 High RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
V-230234 High RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
V-244540 High RHEL 8 must not allow blank or null passwords in the system-auth file.
V-244541 High RHEL 8 must not allow blank or null passwords in the password-auth file.
V-230380 High RHEL 8 must not allow accounts configured with blank or null passwords.
V-230329 High Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
V-230558 High A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
V-230529 High The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
V-251706 High The RHEL 8 operating system must not have accounts configured with blank or null passwords.
V-230284 High There must be no .shosts files on the RHEL 8 operating system.
V-230283 High There must be no shosts.equiv files on the RHEL 8 operating system.
V-230487 High RHEL 8 must not have the telnet-server package installed.
V-230264 High RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-230265 High RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-230223 High RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-230221 High RHEL 8 must be a vendor-supported release.
V-230534 High The root account must be the only account having unrestricted access to the RHEL 8 system.
V-230533 High The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
V-230530 High The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
V-230531 High The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
V-230492 High RHEL 8 must not have the rsh-server package installed.
V-230239 Medium The krb5-workstation package must not be installed on RHEL 8.
V-230238 Medium RHEL 8 must prevent system daemons from using Kerberos for authentication.
V-230237 Medium The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-230236 Medium RHEL 8 operating systems must require authentication upon booting into rescue mode.
V-230231 Medium RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
V-230230 Medium RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
V-230233 Medium The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
V-230232 Medium RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
V-230334 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
V-230335 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
V-230336 Medium RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230337 Medium RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230330 Medium RHEL 8 must not allow users to override SSH environment variables.
V-230331 Medium RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
V-230332 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
V-230333 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
V-230338 Medium RHEL 8 must ensure account lockouts persist.
V-230339 Medium RHEL 8 must ensure account lockouts persist.
V-245540 Medium The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
V-244548 Medium RHEL 8 must enable the USBGuard.
V-244549 Medium All RHEL 8 networked systems must have SSH installed.
V-244544 Medium A firewall must be active on RHEL 8.
V-230257 Medium RHEL 8 system commands must have mode 755 or less permissive.
V-244546 Medium The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-244547 Medium RHEL 8 must have the USBGuard installed.
V-244542 Medium RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
V-244543 Medium RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
V-230248 Medium The RHEL 8 /var/log directory must have mode 0755 or less permissive.
V-230520 Medium RHEL 8 must mount /var/tmp with the nodev option.
V-230523 Medium The RHEL 8 fapolicy module must be installed.
V-230522 Medium RHEL 8 must mount /var/tmp with the noexec option.
V-230525 Medium A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
V-230524 Medium RHEL 8 must block unauthorized peripherals before establishing a connection.
V-230527 Medium RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
V-230526 Medium All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-230240 Medium RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
V-230243 Medium A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
V-230244 Medium RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
V-230245 Medium The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
V-230246 Medium The RHEL 8 /var/log/messages file must be owned by root.
V-230247 Medium The RHEL 8 /var/log/messages file must be group-owned by root.
V-230385 Medium RHEL 8 must define default permissions for logon and non-logon shells.
V-230384 Medium RHEL 8 must set the umask value to 077 for all local interactive user accounts.
V-230387 Medium Cron logging must be implemented in RHEL 8.
V-230386 Medium The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
V-230383 Medium RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-230382 Medium RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
V-230389 Medium The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
V-230388 Medium The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
V-230411 Medium The RHEL 8 audit package must be installed.
V-230410 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
V-230413 Medium The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
V-230412 Medium Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
V-230419 Medium Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
V-230418 Medium Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
V-230462 Medium Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
V-230463 Medium Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
V-230464 Medium Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
V-230465 Medium Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
V-230466 Medium Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
V-230467 Medium Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
V-230561 Medium The tuned package must not be installed unless mission essential on RHEL 8.
V-230560 Medium The iprutils package must not be installed unless mission essential on RHEL 8.
V-230369 Medium RHEL 8 passwords must have a minimum of 15 characters.
V-230368 Medium RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
V-230363 Medium RHEL 8 must require the change of at least 8 characters when passwords are changed.
V-230362 Medium RHEL 8 must require the change of at least four character classes when passwords are changed.
V-230361 Medium RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
V-230360 Medium RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
V-230367 Medium RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
V-230366 Medium RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
V-230365 Medium RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def.
V-230364 Medium RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
V-230518 Medium RHEL 8 must mount /var/log/audit with the nosuid option.
V-230519 Medium RHEL 8 must mount /var/log/audit with the noexec option.
V-230510 Medium RHEL 8 must mount /dev/shm with the noexec option.
V-230511 Medium RHEL 8 must mount /tmp with the nodev option.
V-244519 Medium RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
V-230513 Medium RHEL 8 must mount /tmp with the noexec option.
V-230514 Medium RHEL 8 must mount /var/log with the nodev option.
V-230515 Medium RHEL 8 must mount /var/log with the nosuid option.
V-230516 Medium RHEL 8 must mount /var/log with the noexec option.
V-230517 Medium RHEL 8 must mount /var/log/audit with the nodev option.
V-230428 Medium Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
V-230429 Medium Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
V-230424 Medium Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
V-230425 Medium Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
V-230426 Medium Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
V-230427 Medium Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
V-230421 Medium Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
V-230422 Medium Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
V-230423 Medium Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
V-237641 Medium RHEL 8 must restrict privilege elevation to authorized personnel.
V-237640 Medium The krb5-server package must not be installed on RHEL 8.
V-237643 Medium RHEL 8 must require re-authentication when using the "sudo" command.
V-237642 Medium RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
V-230512 Medium RHEL 8 must mount /tmp with the nosuid option.
V-230327 Medium All RHEL 8 local files and directories must have a valid group owner.
V-230326 Medium All RHEL 8 local files and directories must have a valid owner.
V-230325 Medium All RHEL 8 local initialization files must have mode 0740 or less permissive.
V-230324 Medium All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
V-230323 Medium All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
V-230322 Medium All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
V-230321 Medium All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
V-230320 Medium All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
V-230328 Medium A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
V-230521 Medium RHEL 8 must mount /var/tmp with the nosuid option.
V-230249 Medium The RHEL 8 /var/log directory must be owned by root.
V-244554 Medium RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
V-244553 Medium RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
V-244552 Medium RHEL 8 must not forward IPv4 source-routed packets by default.
V-244551 Medium RHEL 8 must not forward IPv4 source-routed packets.
V-244550 Medium RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-230554 Medium RHEL 8 network interfaces must not be in promiscuous mode.
V-230555 Medium RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
V-230259 Medium RHEL 8 system commands must be group-owned by root or a system account.
V-230557 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
V-230550 Medium RHEL 8 must be configured to prevent unrestricted mail relaying.
V-230553 Medium The graphical display manager must not be installed on RHEL 8 unless approved.
V-230252 Medium The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
V-230251 Medium The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
V-230250 Medium The RHEL 8 /var/log directory must be group-owned by root.
V-230256 Medium The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
V-230255 Medium The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
V-230254 Medium The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
V-251707 Medium RHEL 8 library directories must have mode 755 or less permissive.
V-251708 Medium RHEL 8 library directories must be owned by root.
V-251709 Medium RHEL 8 library directories must be group-owned by root or a system account.
V-230378 Medium RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-230379 Medium RHEL 8 must not have unnecessary accounts.
V-230279 Medium RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.
V-230288 Medium The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
V-230289 Medium The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
V-244545 Medium The RHEL 8 fapolicy module must be enabled.
V-230286 Medium The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
V-230287 Medium The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
V-230280 Medium RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
V-230282 Medium RHEL 8 must enable the SELinux targeted policy.
V-230473 Medium RHEL 8 audit tools must be owned by root.
V-230472 Medium RHEL 8 audit tools must have a mode of 0755 or less permissive.
V-230471 Medium RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-230477 Medium RHEL 8 must have the packages required for offloading audit logs installed.
V-230476 Medium RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-230475 Medium RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
V-230474 Medium RHEL 8 audit tools must be group-owned by root.
V-230479 Medium The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
V-230478 Medium RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
V-230358 Medium RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
V-230359 Medium RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
V-230356 Medium RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
V-230357 Medium RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
V-230354 Medium RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
V-230355 Medium RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
V-230352 Medium RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
V-230353 Medium RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity.
V-230344 Medium RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-244526 Medium The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
V-244524 Medium The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-244525 Medium The RHEL 8 SSH daemon must be configured with a timeout interval.
V-244522 Medium RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
V-244523 Medium RHEL 8 operating systems must require authentication upon booting into emergency mode.
V-230556 Medium The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
V-230503 Medium RHEL 8 must be configured to disable USB mass storage.
V-230502 Medium The RHEL 8 file system automounter must be disabled unless required.
V-230500 Medium RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
V-230507 Medium RHEL 8 Bluetooth must be disabled.
V-230506 Medium RHEL 8 wireless network adapters must be disabled.
V-244528 Medium The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
V-244529 Medium RHEL 8 must use a separate file system for /var/tmp.
V-230439 Medium Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
V-230438 Medium Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
V-230437 Medium Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
V-230436 Medium Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
V-230435 Medium Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
V-230434 Medium Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
V-230433 Medium Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
V-230432 Medium Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
V-230431 Medium Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
V-230430 Medium Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
V-230258 Medium RHEL 8 system commands must be owned by root.
V-230318 Medium All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
V-230319 Medium All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
V-230312 Medium RHEL 8 must disable acquiring, saving, and processing core dumps.
V-230313 Medium RHEL 8 must disable core dumps for all users.
V-230310 Medium RHEL 8 must disable kernel dumps unless needed.
V-230311 Medium RHEL 8 must disable the kernel.core_pattern.
V-230316 Medium For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
V-230317 Medium Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
V-230314 Medium RHEL 8 must disable storing core dumps.
V-230315 Medium RHEL 8 must disable core dump backtraces.
V-230488 Medium RHEL 8 must not have any automated bug reporting tools installed.
V-230489 Medium RHEL 8 must not have the sendmail package installed.
V-230482 Medium RHEL 8 must authenticate the remote logging server for off-loading audit logs.
V-230483 Medium RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
V-230480 Medium RHEL 8 must take appropriate action when the internal event queue is full.
V-230481 Medium RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
V-230484 Medium RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-230547 Medium RHEL 8 must restrict exposed kernel pointer addresses access.
V-230546 Medium RHEL 8 must restrict usage of ptrace to descendant processes.
V-230545 Medium RHEL 8 must disable access to network bpf syscall from unprivileged processes.
V-230544 Medium RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
V-230543 Medium RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
V-230542 Medium RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
V-230541 Medium RHEL 8 must not accept router advertisements on all IPv6 interfaces.
V-230540 Medium RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
V-230266 Medium RHEL 8 must prevent the loading of a new kernel for later execution.
V-230267 Medium RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
V-230262 Medium RHEL 8 library files must be group-owned by root or a system account.
V-230263 Medium The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
V-230260 Medium RHEL 8 library files must have mode 755 or less permissive.
V-230548 Medium RHEL 8 must disable the use of user namespaces.
V-251717 Medium RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
V-230559 Medium The gssproxy package must not be installed unless mission essential on RHEL 8.
V-251715 Medium RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
V-251714 Medium RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
V-251713 Medium RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
V-251712 Medium The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
V-251711 Medium RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
V-251710 Medium The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.
V-251718 Medium The graphical display manager must not be the default target on RHEL 8 unless approved.
V-230278 Medium RHEL 8 must disable virtual syscalls.
V-230299 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
V-230298 Medium The rsyslog service must be running in RHEL 8.
V-230296 Medium RHEL 8 must not permit direct logons to the root account using remote access via SSH.
V-230295 Medium A separate RHEL 8 filesystem must be used for the /tmp directory.
V-230291 Medium The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
V-230290 Medium The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
V-230446 Medium Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
V-230447 Medium Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
V-230444 Medium Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
V-230448 Medium Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
V-230449 Medium Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
V-230268 Medium RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
V-230228 Medium All RHEL 8 remote access methods must be monitored.
V-230229 Medium RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-230222 Medium RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
V-230226 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-230227 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-230224 Medium All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-230225 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
V-230341 Medium RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
V-230340 Medium RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
V-230343 Medium RHEL 8 must log user name information when unsuccessful logon attempts occur.
V-230342 Medium RHEL 8 must log user name information when unsuccessful logon attempts occur.
V-230345 Medium RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230549 Medium RHEL 8 must use reverse path filtering on all IPv4 interfaces.
V-230347 Medium RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
V-230349 Medium RHEL 8 must ensure session control is automatically started at shell initialization.
V-230348 Medium RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
V-230261 Medium RHEL 8 library files must be owned by root.
V-244539 Medium RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
V-244538 Medium RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
V-244531 Medium All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
V-244530 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
V-244533 Medium RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
V-244532 Medium RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
V-244535 Medium RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
V-244534 Medium RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
V-244537 Medium RHEL 8 must have the tmux package installed.
V-244536 Medium RHEL 8 must disable the user list at logon for graphical user interfaces.
V-230538 Medium RHEL 8 must not forward IPv6 source-routed packets.
V-230539 Medium RHEL 8 must not forward IPv6 source-routed packets by default.
V-230536 Medium RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
V-230537 Medium RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-230535 Medium RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-230532 Medium The debug-shell systemd service must be disabled on RHEL 8.
V-230351 Medium RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
V-230392 Medium The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
V-230393 Medium The RHEL 8 audit system must audit local events.
V-230390 Medium The RHEL 8 System must take appropriate action when an audit processing failure occurs.
V-230396 Medium RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-230397 Medium RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
V-230394 Medium RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
V-230398 Medium RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
V-230399 Medium RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
V-230402 Medium RHEL 8 audit system must protect auditing rules from unauthorized change.
V-230403 Medium RHEL 8 audit system must protect logon UIDs from unauthorized change.
V-230400 Medium RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
V-230401 Medium RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
V-230406 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-230407 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-230404 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-230405 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
V-230408 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-230409 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
V-230309 Medium Local RHEL 8 initialization files must not execute world-writable programs.
V-230308 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
V-230305 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
V-230304 Medium RHEL 8 must prevent code from being executed on file systems that are used with removable media.
V-230307 Medium RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
V-230306 Medium RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
V-230301 Medium RHEL 8 must prevent special devices on non-root local partitions.
V-230300 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
V-230303 Medium RHEL 8 must prevent special devices on file systems that are used with removable media.
V-230302 Medium RHEL 8 must prevent code from being executed on file systems that contain user home directories.
V-230493 Medium RHEL 8 must cover or disable the built-in or attached camera when not in use.
V-250315 Medium RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
V-250316 Medium RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
V-250317 Medium RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
V-230271 Medium RHEL 8 must require users to provide a password for privilege escalation.
V-230273 Medium RHEL 8 must have the packages required for multifactor authentication installed.
V-230272 Medium RHEL 8 must require users to reauthenticate for privilege escalation.
V-230275 Medium RHEL 8 must accept Personal Identity Verification (PIV) credentials.
V-230274 Medium RHEL 8 must implement certificate status checking for multifactor authentication.
V-230277 Medium RHEL 8 must clear the page allocator to prevent use-after-free attacks.
V-230276 Medium RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
V-230370 Medium RHEL 8 passwords for new users must have a minimum of 15 characters.
V-230371 Medium RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.
V-230372 Medium RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
V-230373 Medium RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
V-230374 Medium RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.
V-230375 Medium All RHEL 8 passwords must contain at least one special character.
V-230376 Medium RHEL 8 must prohibit the use of cached authentications after one day.
V-230377 Medium RHEL 8 must prevent the use of dictionary words for passwords.
V-251716 Medium RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
V-230509 Medium RHEL 8 must mount /dev/shm with the nosuid option.
V-230508 Medium RHEL 8 must mount /dev/shm with the nodev option.
V-244521 Medium RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
V-230455 Medium Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
V-230456 Medium Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
V-230505 Medium A firewall must be installed on RHEL 8.
V-230504 Medium A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
V-230241 Low RHEL 8 must have policycoreutils package installed.
V-230381 Low RHEL 8 must display the date and time of the last successful account logon upon logon.
V-230468 Low RHEL 8 must enable auditing of processes that start prior to the audit daemon.
V-230469 Low RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
V-230551 Low The RHEL 8 file integrity tool must be configured to verify extended attributes.
V-230552 Low The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
V-230253 Low RHEL 8 must ensure the SSH server uses strong entropy.
V-230285 Low RHEL 8 must enable the hardware random number generator entropy gatherer service.
V-230281 Low YUM must remove all software components after updated versions have been installed on RHEL 8.
V-230470 Low RHEL 8 must enable Linux audit logging for the USBGuard daemon.
V-230350 Low RHEL 8 must prevent users from disabling session control mechanisms.
V-244527 Low RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
V-230486 Low RHEL 8 must disable network management of the chrony daemon.
V-230485 Low RHEL 8 must disable the chrony daemon from acting as a server.
V-230294 Low RHEL 8 must use a separate file system for the system audit data path.
V-230293 Low RHEL 8 must use a separate file system for /var/log.
V-230292 Low RHEL 8 must use a separate file system for /var.
V-230269 Low RHEL 8 must restrict access to the kernel message buffer.
V-230346 Low RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-230395 Low RHEL 8 must resolve audit information before writing to disk.
V-230499 Low RHEL 8 must disable IEEE 1394 (FireWire) Support.
V-230498 Low RHEL 8 must disable mounting of cramfs.
V-230495 Low RHEL 8 must disable the controller area network (CAN) protocol.
V-230494 Low RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
V-230497 Low RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
V-230496 Low RHEL 8 must disable the stream control transmission protocol (SCTP).
V-230491 Low RHEL 8 must enable mitigations against processor-based vulnerabilities.
V-230270 Low RHEL 8 must prevent kernel profiling by unprivileged users.