UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Red Hat Enterprise Linux 8 Security Technical Implementation Guide


Overview

Date Finding Count (375)
2023-06-02 CAT I (High): 21 CAT II (Med): 326 CAT III (Low): 28
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-230235 High RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
V-230234 High RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
V-244540 High RHEL 8 must not allow blank or null passwords in the system-auth file.
V-244541 High RHEL 8 must not allow blank or null passwords in the password-auth file.
V-230380 High RHEL 8 must not allow accounts configured with blank or null passwords.
V-230329 High Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
V-230558 High A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
V-230529 High The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
V-251706 High The RHEL 8 operating system must not have accounts configured with blank or null passwords.
V-230284 High There must be no .shosts files on the RHEL 8 operating system.
V-230283 High There must be no shosts.equiv files on the RHEL 8 operating system.
V-230487 High RHEL 8 must not have the telnet-server package installed.
V-230264 High RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-230265 High RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
V-230223 High RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-230221 High RHEL 8 must be a vendor-supported release.
V-230534 High The root account must be the only account having unrestricted access to the RHEL 8 system.
V-230533 High The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
V-230530 High The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
V-230531 High The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
V-230492 High RHEL 8 must not have the rsh-server package installed.
V-230239 Medium The krb5-workstation package must not be installed on RHEL 8.
V-230238 Medium RHEL 8 must prevent system daemons from using Kerberos for authentication.
V-230237 Medium The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-230236 Medium RHEL 8 operating systems must require authentication upon booting into rescue mode.
V-230231 Medium RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
V-230230 Medium RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
V-230233 Medium The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
V-230232 Medium RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
V-230334 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
V-230335 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
V-230336 Medium RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230337 Medium RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230330 Medium RHEL 8 must not allow users to override SSH environment variables.
V-230331 Medium RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less.
V-230332 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
V-230333 Medium RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
V-230338 Medium RHEL 8 must ensure account lockouts persist.
V-230339 Medium RHEL 8 must ensure account lockouts persist.
V-245540 Medium The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
V-244548 Medium RHEL 8 must enable the USBGuard.
V-244549 Medium All RHEL 8 networked systems must have SSH installed.
V-244544 Medium A firewall must be active on RHEL 8.
V-230257 Medium RHEL 8 system commands must have mode 755 or less permissive.
V-244546 Medium The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-244547 Medium RHEL 8 must have the USBGuard installed.
V-244542 Medium RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
V-244543 Medium RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
V-230248 Medium The RHEL 8 /var/log directory must have mode 0755 or less permissive.
V-230520 Medium RHEL 8 must mount /var/tmp with the nodev option.
V-230523 Medium The RHEL 8 fapolicy module must be installed.
V-230522 Medium RHEL 8 must mount /var/tmp with the noexec option.
V-230525 Medium A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.
V-230524 Medium RHEL 8 must block unauthorized peripherals before establishing a connection.
V-230527 Medium RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
V-230526 Medium All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
V-230240 Medium RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
V-230243 Medium A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
V-230244 Medium RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
V-230245 Medium The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
V-230246 Medium The RHEL 8 /var/log/messages file must be owned by root.
V-230247 Medium The RHEL 8 /var/log/messages file must be group-owned by root.
V-230385 Medium RHEL 8 must define default permissions for logon and non-logon shells.
V-230384 Medium RHEL 8 must set the umask value to 077 for all local interactive user accounts.
V-230387 Medium Cron logging must be implemented in RHEL 8.
V-230386 Medium The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
V-230383 Medium RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
V-230382 Medium RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
V-230389 Medium The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure.
V-230388 Medium The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
V-230411 Medium The RHEL 8 audit package must be installed.
V-230410 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
V-230413 Medium The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
V-230412 Medium Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
V-230419 Medium Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
V-230418 Medium Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
V-230462 Medium Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
V-230463 Medium Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
V-230464 Medium Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
V-230465 Medium Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
V-230466 Medium Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
V-230467 Medium Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
V-230561 Medium The tuned package must not be installed unless mission essential on RHEL 8.
V-230560 Medium The iprutils package must not be installed unless mission essential on RHEL 8.
V-230369 Medium RHEL 8 passwords must have a minimum of 15 characters.
V-230368 Medium RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
V-230363 Medium RHEL 8 must require the change of at least 8 characters when passwords are changed.
V-230362 Medium RHEL 8 must require the change of at least four character classes when passwords are changed.
V-230361 Medium RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
V-230360 Medium RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
V-230367 Medium RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
V-230366 Medium RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
V-230365 Medium RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
V-230364 Medium RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
V-230518 Medium RHEL 8 must mount /var/log/audit with the nosuid option.
V-230519 Medium RHEL 8 must mount /var/log/audit with the noexec option.
V-230510 Medium RHEL 8 must mount /dev/shm with the noexec option.
V-230511 Medium RHEL 8 must mount /tmp with the nodev option.
V-244519 Medium RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
V-230513 Medium RHEL 8 must mount /tmp with the noexec option.
V-230514 Medium RHEL 8 must mount /var/log with the nodev option.
V-230515 Medium RHEL 8 must mount /var/log with the nosuid option.
V-230516 Medium RHEL 8 must mount /var/log with the noexec option.
V-230517 Medium RHEL 8 must mount /var/log/audit with the nodev option.
V-230428 Medium Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
V-230429 Medium Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
V-230424 Medium Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
V-230425 Medium Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
V-230426 Medium Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
V-230427 Medium Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
V-230421 Medium Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
V-230422 Medium Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
V-230423 Medium Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
V-237641 Medium RHEL 8 must restrict privilege elevation to authorized personnel.
V-237640 Medium The krb5-server package must not be installed on RHEL 8.
V-237643 Medium RHEL 8 must require re-authentication when using the "sudo" command.
V-237642 Medium RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
V-230512 Medium RHEL 8 must mount /tmp with the nosuid option.
V-230327 Medium All RHEL 8 local files and directories must have a valid group owner.
V-230326 Medium All RHEL 8 local files and directories must have a valid owner.
V-230325 Medium All RHEL 8 local initialization files must have mode 0740 or less permissive.
V-230324 Medium All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
V-230323 Medium All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
V-230322 Medium All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
V-230321 Medium All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
V-230320 Medium All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
V-230328 Medium A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
V-230521 Medium RHEL 8 must mount /var/tmp with the nosuid option.
V-230249 Medium The RHEL 8 /var/log directory must be owned by root.
V-244554 Medium RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
V-244553 Medium RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
V-244552 Medium RHEL 8 must not forward IPv4 source-routed packets by default.
V-244551 Medium RHEL 8 must not forward IPv4 source-routed packets.
V-244550 Medium RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-230554 Medium RHEL 8 network interfaces must not be in promiscuous mode.
V-230555 Medium RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
V-230259 Medium RHEL 8 system commands must be group-owned by root or a system account.
V-230557 Medium If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
V-230550 Medium RHEL 8 must be configured to prevent unrestricted mail relaying.
V-230553 Medium The graphical display manager must not be installed on RHEL 8 unless approved.
V-230252 Medium The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
V-230251 Medium The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
V-230250 Medium The RHEL 8 /var/log directory must be group-owned by root.
V-230559 Medium The gssproxy package must not be installed unless mission essential on RHEL 8.
V-230255 Medium The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
V-230254 Medium The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
V-254520 Medium RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-251707 Medium RHEL 8 library directories must have mode 755 or less permissive.
V-251708 Medium RHEL 8 library directories must be owned by root.
V-251709 Medium RHEL 8 library directories must be group-owned by root or a system account.
V-230378 Medium RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-230379 Medium RHEL 8 must not have unnecessary accounts.
V-230279 Medium RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.
V-230288 Medium The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
V-244545 Medium The RHEL 8 fapolicy module must be enabled.
V-230286 Medium The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
V-230287 Medium The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
V-230280 Medium RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
V-230282 Medium RHEL 8 must enable the SELinux targeted policy.
V-230473 Medium RHEL 8 audit tools must be owned by root.
V-230472 Medium RHEL 8 audit tools must have a mode of 0755 or less permissive.
V-230471 Medium RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-230477 Medium RHEL 8 must have the packages required for offloading audit logs installed.
V-230476 Medium RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
V-230475 Medium RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.
V-230474 Medium RHEL 8 audit tools must be group-owned by root.
V-230479 Medium The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.
V-230478 Medium RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
V-230358 Medium RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
V-230359 Medium RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
V-230356 Medium RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
V-230357 Medium RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
V-230354 Medium RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
V-230355 Medium RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.
V-230352 Medium RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
V-230353 Medium RHEL 8 must automatically lock command line user sessions after 15 minutes of inactivity.
V-230344 Medium RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-244526 Medium The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
V-244524 Medium The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
V-244525 Medium RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
V-244522 Medium RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
V-244523 Medium RHEL 8 operating systems must require authentication upon booting into emergency mode.
V-230556 Medium The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
V-230503 Medium RHEL 8 must be configured to disable USB mass storage.
V-230502 Medium The RHEL 8 file system automounter must be disabled unless required.
V-230500 Medium RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
V-230507 Medium RHEL 8 Bluetooth must be disabled.
V-230506 Medium RHEL 8 wireless network adapters must be disabled.
V-244528 Medium The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
V-244529 Medium RHEL 8 must use a separate file system for /var/tmp.
V-230439 Medium Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
V-230438 Medium Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
V-230437 Medium Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
V-230436 Medium Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
V-230435 Medium Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
V-230434 Medium Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
V-230433 Medium Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
V-230432 Medium Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
V-230431 Medium Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
V-230430 Medium Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
V-230258 Medium RHEL 8 system commands must be owned by root.
V-230318 Medium All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
V-230319 Medium All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
V-230312 Medium RHEL 8 must disable acquiring, saving, and processing core dumps.
V-230313 Medium RHEL 8 must disable core dumps for all users.
V-230310 Medium RHEL 8 must disable kernel dumps unless needed.
V-230311 Medium RHEL 8 must disable the kernel.core_pattern.
V-230316 Medium For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
V-230317 Medium Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
V-230314 Medium RHEL 8 must disable storing core dumps.
V-230315 Medium RHEL 8 must disable core dump backtraces.
V-230488 Medium RHEL 8 must not have any automated bug reporting tools installed.
V-230489 Medium RHEL 8 must not have the sendmail package installed.
V-230482 Medium RHEL 8 must authenticate the remote logging server for off-loading audit logs.
V-230483 Medium RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
V-230480 Medium RHEL 8 must take appropriate action when the internal event queue is full.
V-230481 Medium RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
V-230484 Medium RHEL 8 must securely compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-230547 Medium RHEL 8 must restrict exposed kernel pointer addresses access.
V-230546 Medium RHEL 8 must restrict usage of ptrace to descendant processes.
V-230545 Medium RHEL 8 must disable access to network bpf syscall from unprivileged processes.
V-230544 Medium RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
V-230543 Medium RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
V-230542 Medium RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
V-230541 Medium RHEL 8 must not accept router advertisements on all IPv6 interfaces.
V-230540 Medium RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
V-230266 Medium RHEL 8 must prevent the loading of a new kernel for later execution.
V-230267 Medium RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
V-230262 Medium RHEL 8 library files must be group-owned by root or a system account.
V-230263 Medium The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
V-230260 Medium RHEL 8 library files must have mode 755 or less permissive.
V-230548 Medium RHEL 8 must disable the use of user namespaces.
V-251717 Medium RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
V-251716 Medium RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
V-251715 Medium RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
V-251714 Medium RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
V-251713 Medium RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
V-251712 Medium The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
V-251711 Medium RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
V-251710 Medium The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions.
V-251718 Medium The graphical display manager must not be the default target on RHEL 8 unless approved.
V-230278 Medium RHEL 8 must disable virtual syscalls.
V-230299 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
V-230298 Medium The rsyslog service must be running in RHEL 8.
V-230296 Medium RHEL 8 must not permit direct logons to the root account using remote access via SSH.
V-230295 Medium A separate RHEL 8 filesystem must be used for the /tmp directory.
V-230291 Medium The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
V-230290 Medium The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
V-257258 Medium RHEL 8 must terminate idle user sessions.
V-230446 Medium Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
V-230447 Medium Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
V-230444 Medium Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
V-230448 Medium Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
V-230449 Medium Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
V-230256 Medium The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
V-230268 Medium RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
V-230228 Medium All RHEL 8 remote access methods must be monitored.
V-230229 Medium RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-230222 Medium RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
V-230226 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-230227 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-230224 Medium All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-230225 Medium RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
V-230341 Medium RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
V-230340 Medium RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
V-230343 Medium RHEL 8 must log user name information when unsuccessful logon attempts occur.
V-230342 Medium RHEL 8 must log user name information when unsuccessful logon attempts occur.
V-230345 Medium RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
V-230549 Medium RHEL 8 must use reverse path filtering on all IPv4 interfaces.
V-230347 Medium RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
V-230349 Medium RHEL 8 must ensure session control is automatically started at shell initialization.
V-230348 Medium RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
V-230261 Medium RHEL 8 library files must be owned by root.
V-244539 Medium RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
V-244538 Medium RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
V-244531 Medium All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
V-244530 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
V-244533 Medium RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
V-244532 Medium RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
V-244535 Medium RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
V-244534 Medium RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
V-244537 Medium RHEL 8 must have the tmux package installed.
V-244536 Medium RHEL 8 must disable the user list at logon for graphical user interfaces.
V-230538 Medium RHEL 8 must not forward IPv6 source-routed packets.
V-230539 Medium RHEL 8 must not forward IPv6 source-routed packets by default.
V-230536 Medium RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
V-230537 Medium RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
V-230535 Medium RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
V-230532 Medium The debug-shell systemd service must be disabled on RHEL 8.
V-255924 Medium RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.
V-256973 Medium RHEL 8 must ensure cryptographic verification of vendor software packages.
V-256974 Medium RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.
V-230351 Medium RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
V-230392 Medium The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
V-230393 Medium The RHEL 8 audit system must audit local events.
V-230390 Medium The RHEL 8 System must take appropriate action when an audit processing failure occurs.
V-230396 Medium RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-230397 Medium RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
V-230394 Medium RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
V-230398 Medium RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
V-230399 Medium RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
V-230402 Medium RHEL 8 audit system must protect auditing rules from unauthorized change.
V-230403 Medium RHEL 8 audit system must protect logon UIDs from unauthorized change.
V-230400 Medium RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
V-230401 Medium RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
V-230406 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
V-230407 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
V-230404 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
V-230405 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
V-230408 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
V-230409 Medium RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
V-230309 Medium Local RHEL 8 initialization files must not execute world-writable programs.
V-230308 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
V-230305 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
V-230304 Medium RHEL 8 must prevent code from being executed on file systems that are used with removable media.
V-230307 Medium RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
V-230306 Medium RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
V-230301 Medium RHEL 8 must prevent special devices on non-root local partitions.
V-230300 Medium RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
V-230303 Medium RHEL 8 must prevent special devices on file systems that are used with removable media.
V-230302 Medium RHEL 8 must prevent code from being executed on file systems that contain user home directories.
V-230493 Medium RHEL 8 must cover or disable the built-in or attached camera when not in use.
V-250315 Medium RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
V-250316 Medium RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.
V-250317 Medium RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
V-230271 Medium RHEL 8 must require users to provide a password for privilege escalation.
V-230273 Medium RHEL 8 must have the packages required for multifactor authentication installed.
V-230272 Medium RHEL 8 must require users to reauthenticate for privilege escalation.
V-230275 Medium RHEL 8 must accept Personal Identity Verification (PIV) credentials.
V-230274 Medium RHEL 8 must implement certificate status checking for multifactor authentication.
V-230277 Medium RHEL 8 must clear the page allocator to prevent use-after-free attacks.
V-230276 Medium RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution.
V-230370 Medium RHEL 8 passwords for new users must have a minimum of 15 characters.
V-230371 Medium RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.
V-230372 Medium RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
V-230373 Medium RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
V-230374 Medium RHEL 8 must automatically expire temporary accounts within 72 hours.
V-230375 Medium All RHEL 8 passwords must contain at least one special character.
V-230376 Medium RHEL 8 must prohibit the use of cached authentications after one day.
V-230377 Medium RHEL 8 must prevent the use of dictionary words for passwords.
V-230509 Medium RHEL 8 must mount /dev/shm with the nosuid option.
V-230508 Medium RHEL 8 must mount /dev/shm with the nodev option.
V-244521 Medium RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
V-230455 Medium Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
V-230456 Medium Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
V-230505 Medium A firewall must be installed on RHEL 8.
V-230504 Medium A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
V-230241 Low RHEL 8 must have policycoreutils package installed.
V-230381 Low RHEL 8 must display the date and time of the last successful account logon upon logon.
V-230468 Low RHEL 8 must enable auditing of processes that start prior to the audit daemon.
V-230469 Low RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
V-230551 Low The RHEL 8 file integrity tool must be configured to verify extended attributes.
V-230552 Low The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
V-230253 Low RHEL 8 must ensure the SSH server uses strong entropy.
V-230285 Low RHEL 8 must enable the hardware random number generator entropy gatherer service.
V-230281 Low YUM must remove all software components after updated versions have been installed on RHEL 8.
V-230470 Low RHEL 8 must enable Linux audit logging for the USBGuard daemon.
V-230350 Low RHEL 8 must prevent users from disabling session control mechanisms.
V-244527 Low RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
V-230486 Low RHEL 8 must disable network management of the chrony daemon.
V-230485 Low RHEL 8 must disable the chrony daemon from acting as a server.
V-230294 Low RHEL 8 must use a separate file system for the system audit data path.
V-230293 Low RHEL 8 must use a separate file system for /var/log.
V-230292 Low RHEL 8 must use a separate file system for /var.
V-230269 Low RHEL 8 must restrict access to the kernel message buffer.
V-230346 Low RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
V-230395 Low RHEL 8 must resolve audit information before writing to disk.
V-230499 Low RHEL 8 must disable IEEE 1394 (FireWire) Support.
V-230498 Low RHEL 8 must disable mounting of cramfs.
V-230495 Low RHEL 8 must disable the controller area network (CAN) protocol.
V-230494 Low RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
V-230497 Low RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
V-230496 Low RHEL 8 must disable the stream control transmission protocol (SCTP).
V-230491 Low RHEL 8 must enable mitigations against processor-based vulnerabilities.
V-230270 Low RHEL 8 must prevent kernel profiling by unprivileged users.