forked from ComplianceAsCode/content
stig_rhel8.yml
policy: Red Hat Enterprise Linux 8 Security Technical Implementation Guide
title: Red Hat Enterprise Linux 8 Security Technical Implementation Guide
id: stig_rhel8
source: https://public.cyber.mil/stigs/downloads/
levels:
- id: high
- id: medium
- id: low
controls:
- id: RHEL-08-010000
  levels:
  - high
  title: RHEL 8 must be a vendor-supported release.
  rules:
  - installed_OS_is_vendor_supported
  status: automated
- id: RHEL-08-010010
  levels:
  - medium
  title: RHEL 8 vendor packaged system security patches and updates must be installed
    and up to date.
  rules:
  - security_patches_up_to_date
  status: automated
- id: RHEL-08-010020
  levels:
  - high
  title: 'RHEL 8 must implement NIST FIPS-validated cryptography for the following:
    to provision digital signatures, to generate cryptographic hashes, and to protect
    data requiring data-at-rest protections in accordance with applicable federal
    laws, Executive Orders, directives, policies, regulations, and standards.'
  rules:
  - configure_bind_crypto_policy
  - configure_crypto_policy
  - configure_kerberos_crypto_policy
  - configure_libreswan_crypto_policy
  - enable_dracut_fips_module
  - enable_fips_mode
  - sysctl_crypto_fips_enabled
  status: automated
- id: RHEL-08-010030
  levels:
  - medium
  title: All RHEL 8 local disk partitions must implement cryptographic mechanisms
    to prevent unauthorized disclosure or modification of all information that requires
    at rest protection.
  rules:
  - encrypt_partitions
  status: automated
- id: RHEL-08-010040
  levels:
  - medium
  title: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner
    before granting local or remote access to the system via an ssh logon.
  rules:
  - sshd_enable_warning_banner
  status: automated
- id: RHEL-08-010050
  levels:
  - medium
  title: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner
    before granting local or remote access to the system via a graphical user logon.
  rules:
  - dconf_gnome_login_banner_text
  status: automated
- id: RHEL-08-010060
  levels:
  - medium
  title: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner
    before granting local or remote access to the system via a command line user logon.
  rules:
  - banner_etc_issue
  - login_banner_text=dod_banners
  status: automated
- id: RHEL-08-010070
  levels:
  - medium
  title: All RHEL 8 remote access methods must be monitored.
  rules:
  - rsyslog_remote_access_monitoring
  status: automated
- id: RHEL-08-010090
  levels:
  - medium
  title: RHEL 8, for PKI-based authentication, must validate certificates by constructing
    a certification path (which includes status information) to an accepted trust
    anchor.
  status: pending
- id: RHEL-08-010100
  levels:
  - medium
  title: RHEL 8, for certificate-based authentication, must enforce authorized access
    to the corresponding private key.
  status: pending
- id: RHEL-08-010110
  levels:
  - medium
  title: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic
    hashing algorithm.
  rules:
  - set_password_hashing_algorithm_logindefs
  status: automated
- id: RHEL-08-010120
  levels:
  - medium
  title: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for
    all stored passwords.
  rules:
  - accounts_password_all_shadowed_sha512
  status: automated
- id: RHEL-08-010130
  levels:
  - medium
  title: The RHEL 8 password-auth file must be configured to use a sufficient number
    of hashing rounds.
  rules:
  - accounts_password_pam_unix_rounds_password_auth
  status: automated
- id: RHEL-08-010140
  levels:
  - high
  title: RHEL 8 operating systems booted with Unified Extensible Firmware Interface
    (UEFI) must require authentication upon booting into single-user mode and maintenance.
  rules:
  - grub2_uefi_password
  status: automated
- id: RHEL-08-010150
  levels:
  - high
  title: RHEL 8 operating systems booted with a BIOS must require authentication upon
    booting into single-user and maintenance modes.
  rules:
  - grub2_password
  status: automated
- id: RHEL-08-010151
  levels:
  - medium
  title: RHEL 8 operating systems must require authentication upon booting into rescue
    mode.
  rules:
  - require_singleuser_auth
  status: automated
- id: RHEL-08-010160
  levels:
  - medium
  title: The RHEL 8 pam_unix.so module must be configured in the password-auth file
    to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
  rules:
  - set_password_hashing_algorithm_systemauth
  status: automated
- id: RHEL-08-010161
  levels:
  - medium
  title: RHEL 8 must prevent system daemons from using Kerberos for authentication.
  rules:
  - kerberos_disable_no_keytab
  status: automated
- id: RHEL-08-010162
  levels:
  - medium
  title: The krb5-workstation package must not be installed on RHEL 8.
  rules:
  - package_krb5-workstation_removed
  status: automated
- id: RHEL-08-010170
  levels:
  - medium
  title: RHEL 8 must use a Linux Security Module configured to enforce limits on system
    services.
  rules:
  - selinux_state
  status: automated
- id: RHEL-08-010171
  levels:
  - low
  title: RHEL 8 must have policycoreutils package installed.
  rules:
  - package_policycoreutils_installed
  status: automated
- id: RHEL-08-010190
  levels:
  - medium
  title: A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized
    and unintended information transferred via shared system resources.
  rules:
  - dir_perms_world_writable_sticky_bits
  status: automated
- id: RHEL-08-010200
  levels:
  - medium
  title: RHEL 8 must be configured so that all network connections associated with
    SSH traffic are terminated at the end of the session or after 10 minutes of inactivity,
    except to fulfill documented and validated mission requirements.
  rules:
  - sshd_set_keepalive_0
  status: automated
- id: RHEL-08-010210
  levels:
  - medium
  title: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
  rules:
  - file_permissions_var_log_messages
  status: automated
- id: RHEL-08-010220
  levels:
  - medium
  title: The RHEL 8 /var/log/messages file must be owned by root.
  rules:
  - file_owner_var_log_messages
  status: automated
- id: RHEL-08-010230
  levels:
  - medium
  title: The RHEL 8 /var/log/messages file must be group-owned by root.
  rules:
  - file_groupowner_var_log_messages
  status: automated
- id: RHEL-08-010240
  levels:
  - medium
  title: The RHEL 8 /var/log directory must have mode 0755 or less permissive.
  rules:
  - file_permissions_var_log
  status: automated
- id: RHEL-08-010250
  levels:
  - medium
  title: The RHEL 8 /var/log directory must be owned by root.
  rules:
  - file_owner_var_log
  status: automated
- id: RHEL-08-010260
  levels:
  - medium
  title: The RHEL 8 /var/log directory must be group-owned by root.
  rules:
  - file_groupowner_var_log
  status: automated
- id: RHEL-08-010290
  levels:
  - medium
  title: The RHEL 8 SSH server must be configured to use only Message Authentication
    Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
  rules:
  - harden_sshd_macs_opensshserver_conf_crypto_policy
  status: automated
- id: RHEL-08-010291
  levels:
  - medium
  title: The RHEL 8 operating system must implement DoD-approved encryption to protect
    the confidentiality of SSH server connections.
  rules:
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  status: automated
- id: RHEL-08-010292
  levels:
  - low
  title: RHEL 8 must ensure the SSH server uses strong entropy.
  rules:
  - sshd_use_strong_rng
  status: automated
- id: RHEL-08-010293
  levels:
  - medium
  title: The RHEL 8 operating system must implement DoD-approved encryption in the
    OpenSSL package.
  rules:
  - configure_openssl_crypto_policy
  status: automated
- id: RHEL-08-010294
  levels:
  - medium
  title: The RHEL 8 operating system must implement DoD-approved TLS encryption in
    the OpenSSL package.
  rules:
  - configure_openssl_tls_crypto_policy
  status: automated
- id: RHEL-08-010295
  levels:
  - medium
  title: The RHEL 8 operating system must implement DoD-approved TLS encryption in
    the GnuTLS package.
  rules:
  - configure_gnutls_tls_crypto_policy
  status: automated
- id: RHEL-08-010300
  levels:
  - medium
  title: RHEL 8 system commands must have mode 0755 or less permissive.
  rules:
  - file_permissions_binary_dirs
  status: automated
- id: RHEL-08-010310
  levels:
  - medium
  title: RHEL 8 system commands must be owned by root.
  rules:
  - file_ownership_binary_dirs
  status: automated
- id: RHEL-08-010320
  levels:
  - medium
  title: RHEL 8 system commands must be group-owned by root or a system account.
  rules:
  - file_groupownership_system_commands_dirs
  status: automated
- id: RHEL-08-010330
  levels:
  - medium
  title: RHEL 8 library files must have mode 0755 or less permissive.
  rules:
  - file_permissions_library_dirs
  status: automated
- id: RHEL-08-010340
  levels:
  - medium
  title: RHEL 8 library files must be owned by root.
  rules:
  - file_ownership_library_dirs
  status: automated
- id: RHEL-08-010350
  levels:
  - medium
  title: RHEL 8 library files must be group-owned by root or a system account.
  rules:
  - dir_group_ownership_library_dirs
  - root_permissions_syslibrary_files
  status: automated
- id: RHEL-08-010360
  levels:
  - medium
  title: The RHEL 8 file integrity tool must notify the system administrator when
    changes to the baseline configuration or anomalies in the operation of any security
    functions are discovered within an organizationally defined frequency.
  rules:
  - aide_scan_notification
  - package_aide_installed
  status: automated
- id: RHEL-08-010370
  levels:
  - high
  title: RHEL 8 must prevent the installation of software, patches, service packs,
    device drivers, or operating system components from a repository without verification
    they have been digitally signed using a certificate that is issued by a Certificate
    Authority (CA) that is recognized and approved by the organization.
  rules:
  - ensure_gpgcheck_globally_activated
  status: automated
- id: RHEL-08-010371
  levels:
  - high
  title: RHEL 8 must prevent the installation of software, patches, service packs,
    device drivers, or operating system components of local packages without verification
    they have been digitally signed using a certificate that is issued by a Certificate
    Authority (CA) that is recognized and approved by the organization.
  rules:
  - ensure_gpgcheck_local_packages
  status: automated
- id: RHEL-08-010372
  levels:
  - medium
  title: RHEL 8 must prevent the loading of a new kernel for later execution.
  rules:
  - sysctl_kernel_kexec_load_disabled
  status: automated
- id: RHEL-08-010373
  levels:
  - medium
  title: RHEL 8 must enable kernel parameters to enforce discretionary access control
    on symlinks.
  rules:
  - sysctl_fs_protected_symlinks
  status: automated
- id: RHEL-08-010374
  levels:
  - medium
  title: RHEL 8 must enable kernel parameters to enforce discretionary access control
    on hardlinks.
  rules:
  - sysctl_fs_protected_hardlinks
  status: automated
- id: RHEL-08-010375
  levels:
  - low
  title: RHEL 8 must restrict access to the kernel message buffer.
  rules:
  - sysctl_kernel_dmesg_restrict
  status: automated
- id: RHEL-08-010376
  levels:
  - low
  title: RHEL 8 must prevent kernel profiling by unprivileged users.
  rules:
  - sysctl_kernel_perf_event_paranoid
  status: automated
- id: RHEL-08-010380
  levels:
  - medium
  title: RHEL 8 must require users to provide a password for privilege escalation.
  rules:
  - sudo_remove_nopasswd
  status: automated
- id: RHEL-08-010381
  levels:
  - medium
  title: RHEL 8 must require users to reauthenticate for privilege escalation.
  rules:
  - sudo_remove_no_authenticate
  status: automated
- id: RHEL-08-010390
  levels:
  - medium
  title: RHEL 8 must have the packages required for multifactor authentication installed.
  rules:
  - install_smartcard_packages
  status: automated
- id: RHEL-08-010400
  levels:
  - medium
  title: RHEL 8 must implement certificate status checking for multifactor authentication.
  rules:
  - sssd_certificate_verification
  status: automated
- id: RHEL-08-010410
  levels:
  - medium
  title: RHEL 8 must accept Personal Identity Verification (PIV) credentials.
  rules:
  - package_opensc_installed
  status: automated
- id: RHEL-08-010420
  levels:
  - medium
  title: RHEL 8 must implement non-executable data to protect its memory from unauthorized
    code execution.
  rules:
  - bios_enable_execution_restrictions
  status: automated
- id: RHEL-08-010421
  levels:
  - medium
  title: RHEL 8 must clear the page allocator to prevent use-after-free attacks.
  rules:
  - grub2_page_poison_argument
  status: automated
- id: RHEL-08-010422
  levels:
  - medium
  title: RHEL 8 must disable virtual syscalls.
  rules:
  - grub2_vsyscall_argument
  status: automated
- id: RHEL-08-010423
  levels:
  - medium
  title: RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks.
  rules:
  - grub2_slub_debug_argument
  status: automated
- id: RHEL-08-010430
  levels:
  - medium
  title: RHEL 8 must implement address space layout randomization (ASLR) to protect
    its memory from unauthorized code execution.
  rules:
  - sysctl_kernel_randomize_va_space
  status: automated
- id: RHEL-08-010440
  levels:
  - low
  title: YUM must remove all software components after updated versions have been
    installed on RHEL 8.
  rules:
  - clean_components_post_updating
  status: automated
- id: RHEL-08-010450
  levels:
  - medium
  title: RHEL 8 must enable the SELinux targeted policy.
  rules:
  - selinux_policytype
  status: automated
- id: RHEL-08-010460
  levels:
  - high
  title: There must be no shosts.equiv files on the RHEL 8 operating system.
  rules:
  - no_host_based_files
  status: automated
- id: RHEL-08-010470
  levels:
  - high
  title: There must be no .shosts files on the RHEL 8 operating system.
  rules:
  - no_user_host_based_files
  status: automated
- id: RHEL-08-010471
  levels:
  - low
  title: RHEL 8 must enable the hardware random number generator entropy gatherer
    service.
  rules:
  - service_rngd_enabled
  status: automated
- id: RHEL-08-010480
  levels:
  - medium
  title: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
  rules:
  - file_permissions_sshd_pub_key
  status: automated
- id: RHEL-08-010490
  levels:
  - medium
  title: The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
  rules:
  - file_permissions_sshd_private_key
  status: automated
- id: RHEL-08-010500
  levels:
  - medium
  title: The RHEL 8 SSH daemon must perform strict mode checking of home directory
    configuration files.
  rules:
  - sshd_enable_strictmodes
  status: automated
- id: RHEL-08-010510
  levels:
  - medium
  title: The RHEL 8 SSH daemon must not allow compression or must only allow compression
    after successful authentication.
  rules:
  - sshd_disable_compression
  status: automated
- id: RHEL-08-010520
  levels:
  - medium
  title: The RHEL 8 SSH daemon must not allow authentication using known host's
    authentication.
  rules:
  - sshd_disable_user_known_hosts
  status: automated
- id: RHEL-08-010521
  levels:
  - medium
  title: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill
    documented and validated mission requirements.
  rules:
  - sshd_disable_kerb_auth
  status: automated
- id: RHEL-08-010540
  levels:
  - low
  title: RHEL 8 must use a separate file system for /var.
  rules:
  - partition_for_var
  status: automated
- id: RHEL-08-010541
  levels:
  - low
  title: RHEL 8 must use a separate file system for /var/log.
  rules:
  - partition_for_var_log
  status: automated
- id: RHEL-08-010542
  levels:
  - low
  title: RHEL 8 must use a separate file system for the system audit data path.
  rules:
  - partition_for_var_log_audit
  status: automated
- id: RHEL-08-010543
  levels:
  - medium
  title: A separate RHEL 8 filesystem must be used for the /tmp directory.
  rules:
  - partition_for_tmp
  status: automated
- id: RHEL-08-010550
  levels:
  - medium
  title: RHEL 8 must not permit direct logons to the root account using remote access
    via SSH.
  rules:
  - sshd_disable_root_login
  status: automated
- id: RHEL-08-010561
  levels:
  - medium
  title: The rsyslog service must be running in RHEL 8.
  rules:
  - service_rsyslog_enabled
  status: automated
- id: RHEL-08-010570
  levels:
  - medium
  title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed
    on file systems that contain user home directories.
  rules:
  - mount_option_home_nosuid
  status: automated
- id: RHEL-08-010571
  levels:
  - medium
  title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed
    on the /boot directory.
  rules:
  - mount_option_boot_nosuid
  status: automated
- id: RHEL-08-010580
  levels:
  - medium
  title: RHEL 8 must prevent special devices on non-root local partitions.
  rules:
  - mount_option_nodev_nonroot_local_partitions
  status: automated
- id: RHEL-08-010590
  levels:
  - medium
  title: RHEL 8 must prevent code from being executed on file systems that contain
    user home directories.
  rules:
  - mount_option_home_noexec
  status: automated
- id: RHEL-08-010600
  levels:
  - medium
  title: RHEL 8 must prevent special devices on file systems that are used with removable
    media.
  rules:
  - mount_option_nodev_removable_partitions
  status: automated
- id: RHEL-08-010610
  levels:
  - medium
  title: RHEL 8 must prevent code from being executed on file systems that are used
    with removable media.
  rules:
  - mount_option_noexec_removable_partitions
  status: automated
- id: RHEL-08-010620
  levels:
  - medium
  title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed
    on file systems that are used with removable media.
  rules:
  - mount_option_nosuid_removable_partitions
  status: automated
- id: RHEL-08-010630
  levels:
  - medium
  title: RHEL 8 must prevent code from being executed on file systems that are imported
    via Network File System (NFS).
  rules:
  - mount_option_noexec_remote_filesystems
  status: automated
- id: RHEL-08-010640
  levels:
  - medium
  title: RHEL 8 must prevent special devices on file systems that are imported via
    Network File System (NFS).
  rules:
  - mount_option_nodev_remote_filesystems
  status: automated
- id: RHEL-08-010650
  levels:
  - medium
  title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed
    on file systems that are imported via Network File System (NFS).
  rules:
  - mount_option_nosuid_remote_filesystems
  status: automated
- id: RHEL-08-010660
  levels:
  - medium
  title: Local RHEL 8 initialization files must not execute world-writable programs.
  rules:
  - accounts_user_dot_no_world_writable_programs
  status: automated
- id: RHEL-08-010670
  levels:
  - medium
  title: RHEL 8 must disable kernel dumps unless needed.
  rules:
  - service_kdump_disabled
  status: automated
- id: RHEL-08-010671
  levels:
  - medium
  title: RHEL 8 must disable the kernel.core_pattern.
  rules:
  - sysctl_kernel_core_pattern
  status: automated
- id: RHEL-08-010672
  levels:
  - medium
  title: RHEL 8 must disable acquiring, saving, and processing core dumps.
  rules:
  - service_systemd-coredump_disabled
  status: automated
- id: RHEL-08-010673
  levels:
  - medium
  title: RHEL 8 must disable core dumps for all users.
  rules:
  - disable_users_coredumps
  status: automated
- id: RHEL-08-010674
  levels:
  - medium
  title: RHEL 8 must disable storing core dumps.
  rules:
  - coredump_disable_storage
  status: automated
- id: RHEL-08-010675
  levels:
  - medium
  title: RHEL 8 must disable core dump backtraces.
  rules:
  - coredump_disable_backtraces
  status: automated
- id: RHEL-08-010680
  levels:
  - medium
  title: For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two
    name servers must be configured.
  rules:
  - network_configure_name_resolution
  status: automated
- id: RHEL-08-010690
  levels:
  - medium
  title: Executable search paths within the initialization files of all local interactive
    RHEL 8 users must only contain paths that resolve to the system default or the
    user's home directory.
  rules:
  - accounts_user_home_paths_only
  status: automated
- id: RHEL-08-010700
  levels:
  - medium
  title: All RHEL 8 world-writable directories must be owned by root, sys, bin, or
    an application user.
  rules:
  - dir_perms_world_writable_root_owned
  status: automated
- id: RHEL-08-010710
  levels:
  - medium
  title: All RHEL 8 world-writable directories must be group-owned by root, sys, bin,
    or an application group.
  status: pending
- id: RHEL-08-010720
  levels:
  - medium
  title: All RHEL 8 local interactive users must have a home directory assigned in
    the /etc/passwd file.
  rules:
  - accounts_user_interactive_home_directory_defined
  status: automated
- id: RHEL-08-010730
  levels:
  - medium
  title: All RHEL 8 local interactive user home directories must have mode 0750 or
    less permissive.
  rules:
  - file_permissions_home_directories
  status: automated
- id: RHEL-08-010740
  levels:
  - medium
  title: All RHEL 8 local interactive user home directories must be group-owned by
    the home directory owner's primary group.
  rules:
  - file_groupownership_home_directories
  status: automated
- id: RHEL-08-010750
  levels:
  - medium
  title: All RHEL 8 local interactive user home directories defined in the /etc/passwd
    file must exist.
  rules:
  - accounts_user_interactive_home_directory_exists
  status: automated
- id: RHEL-08-010760
  levels:
  - medium
  title: All RHEL 8 local interactive user accounts must be assigned a home directory
    upon creation.
  rules:
  - accounts_have_homedir_login_defs
  status: automated
- id: RHEL-08-010770
  levels:
  - medium
  title: All RHEL 8 local initialization files must have mode 0740 or less permissive.
  rules:
  - file_permission_user_init_files
  status: automated
- id: RHEL-08-010780
  levels:
  - medium
  title: All RHEL 8 local files and directories must have a valid owner.
  rules:
  - no_files_unowned_by_user
  status: automated
- id: RHEL-08-010790
  levels:
  - medium
  title: All RHEL 8 local files and directories must have a valid group owner.
  rules:
  - file_permissions_ungroupowned
  status: automated
- id: RHEL-08-010800
  levels:
  - medium
  title: A separate RHEL 8 filesystem must be used for user home directories (such
    as /home or an equivalent).
  rules:
  - partition_for_home
  status: automated
- id: RHEL-08-010820
  levels:
  - high
  title: Unattended or automatic logon via the RHEL 8 graphical user interface must
    not be allowed.
  rules:
  - gnome_gdm_disable_automatic_login
  status: automated
- id: RHEL-08-010830
  levels:
  - medium
  title: RHEL 8 must not allow users to override SSH environment variables.
  rules:
  - sshd_do_not_permit_user_env
  status: automated
- id: RHEL-08-020000
  levels:
  - medium
  title: RHEL 8 temporary user accounts must be provisioned with an expiration time
    of 72 hours or less.
  rules:
  - account_temp_expire_date
  status: automated
- id: RHEL-08-020010
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
    occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
- id: RHEL-08-020011
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
    occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
- id: RHEL-08-020012
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
    occur during a 15-minute time period.
  rules:
  - accounts_passwords_pam_faillock_interval
  status: automated
- id: RHEL-08-020013
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
    occur during a 15-minute time period.
  rules:
  - accounts_passwords_pam_faillock_interval
  status: automated
- id: RHEL-08-020014
  levels:
  - medium
  title: RHEL 8 must automatically lock an account until the locked account is released
    by an administrator when three unsuccessful logon attempts occur during a 15-minute
    time period.
  rules:
  - accounts_passwords_pam_faillock_unlock_time
  status: automated
- id: RHEL-08-020015
  levels:
  - medium
  title: RHEL 8 must automatically lock an account until the locked account is released
    by an administrator when three unsuccessful logon attempts occur during a 15-minute
    time period.
  status: pending
- id: RHEL-08-020016
  levels:
  - medium
  title: RHEL 8 must ensure account lockouts persist.
  rules:
  - accounts_passwords_pam_faillock_unlock_time
  status: automated
- id: RHEL-08-020017
  levels:
  - medium
  title: RHEL 8 must ensure account lockouts persist.
  rules:
  - accounts_passwords_pam_faillock_unlock_time
  status: automated
- id: RHEL-08-020018
  levels:
  - medium
  title: RHEL 8 must prevent system messages from being presented when three unsuccessful
    logon attempts occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
- id: RHEL-08-020019
  levels:
  - medium
  title: RHEL 8 must prevent system messages from being presented when three unsuccessful
    logon attempts occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
- id: RHEL-08-020020
  levels:
  - medium
  title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
  status: pending
- id: RHEL-08-020021
  levels:
  - medium
  title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
  status: pending
- id: RHEL-08-020022
  levels:
  - medium
  title: RHEL 8 must include root when automatically locking an account until the
    locked account is released by an administrator when three unsuccessful logon attempts
    occur during a 15-minute time period.
  rules:
  - accounts_passwords_pam_faillock_deny_root
  status: automated
- id: RHEL-08-020023
  levels:
  - medium
  title: RHEL 8 must include root when automatically locking an account until the
    locked account is released by an administrator when three unsuccessful logon attempts
    occur during a 15-minute time period.
  rules:
  - accounts_passwords_pam_faillock_deny_root
  status: automated
- id: RHEL-08-020024
  levels:
  - low
  title: RHEL 8 must limit the number of concurrent sessions to ten for all accounts
    and/or account types.
  rules:
  - accounts_max_concurrent_login_sessions
  status: automated
- id: RHEL-08-020030
  levels:
  - medium
  title: RHEL 8 must enable a user session lock until that user re-establishes access
    using established identification and authentication procedures for graphical user
    sessions.
  rules:
  - dconf_gnome_screensaver_lock_enabled
  status: automated
- id: RHEL-08-020040
  levels:
  - medium
  title: RHEL 8 must enable a user session lock until that user re-establishes access
    using established identification and authentication procedures for command line
    sessions.
  rules:
  - configure_tmux_lock_command
  status: automated
- id: RHEL-08-020041
  levels:
  - medium
  title: RHEL 8 must ensure session control is automatically started at shell initialization.
  rules:
  - configure_bashrc_exec_tmux
  status: automated
- id: RHEL-08-020042
  levels:
  - low
  title: RHEL 8 must prevent users from disabling session control mechanisms.
  rules:
  - no_tmux_in_shells
  status: automated
- id: RHEL-08-020050
  levels:
  - medium
  title: RHEL 8 must be able to initiate directly a session lock for all connection
    types using smartcard when the smartcard is removed.
  rules:
  - dconf_gnome_lock_screen_on_smartcard_removal
  status: automated
- id: RHEL-08-020060
  levels:
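The control file above is the glue between the DISA STIG and ComplianceAsCode: each entry maps a STIG vulnerability ID to the project's rule IDs, tags it with a severity level, and marks it `automated` or `pending` when no rule covers it yet; an entry of the form `name=value` under `rules` selects a variable value (here `login_banner_text=dod_banners`) rather than naming a rule. Before trusting a profile built from such a file, the first thing to check is what it does not cover. The script below is an added example, not ComplianceAsCode's own loader: it reads the YAML subset these files use with a small purpose-built reader (so it runs without PyYAML, and it rejects lines it does not understand rather than guessing), then reports pending controls, counts per level and status, rule IDs shared by several controls, and the variables the file sets. The embedded `SAMPLE` is a constructed excerpt of real control IDs from this page.

```python
"""Report STIG coverage from a ComplianceAsCode-style control file.

Added example, not the project's loader: it parses only the YAML subset used by
stig_rhel8.yml (top-level scalars, a levels list, controls carrying
id/levels/title/rules/status), so it needs no PyYAML and raises on anything else.
"""
from collections import Counter, defaultdict

# Constructed excerpt: real control IDs from the file above, indented as the project does.
SAMPLE = """\
id: stig_rhel8
levels:
- id: medium
controls:
- id: RHEL-08-010060
  levels:
  - medium
  title: RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner
    before granting local or remote access to the system via a command line user logon.
  rules:
  - banner_etc_issue
  - login_banner_text=dod_banners
  status: automated
- id: RHEL-08-010090
  levels:
  - medium
  title: RHEL 8, for PKI-based authentication, must validate certificates by constructing
    a certification path (which includes status information) to an accepted trust anchor.
  status: pending
- id: RHEL-08-020010
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
- id: RHEL-08-020011
  levels:
  - medium
  title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
  rules:
  - accounts_passwords_pam_faillock_deny
  status: automated
"""


def parse_controls(text):
    """Return (header, controls); header holds the top-level scalars and levels."""
    header, controls = {}, []
    current, in_controls = None, False
    list_key = scalar_key = None  # open list / last scalar key (for folded titles)
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "controls:":
            in_controls, list_key, scalar_key = True, None, None
            continue
        if in_controls and line.startswith("- id: "):
            current = {"id": line[6:], "levels": [], "rules": []}
            controls.append(current)
            list_key = scalar_key = None
            continue
        target = header if current is None else current
        if line.startswith("- "):
            if list_key is None:
                raise ValueError(f"list item outside a list: {line!r}")
            item = line[2:]  # top-level levels are written "- id: high"
            target[list_key].append(item[4:] if item.startswith("id: ") else item)
            continue
        key, sep, value = line.partition(": ")
        if not sep and line.endswith(":"):
            key, sep, value = line[:-1], ":", ""
        if sep and key.isidentifier():
            if key in ("levels", "rules"):
                target.setdefault(key, [])
                list_key, scalar_key = key, None
            else:
                target[key] = value
                list_key, scalar_key = None, key
            continue
        if scalar_key is None:
            raise ValueError(f"unrecognised line: {line!r}")
        target[scalar_key] = f"{target[scalar_key]} {line}"  # folded continuation
    return header, controls


def coverage_report(text):
    """Summarise what the file automates, leaves pending, and which rules it reuses."""
    _, controls = parse_controls(text)
    rule_users, variables = defaultdict(list), {}
    for c in controls:
        for entry in c["rules"]:
            if "=" in entry:  # name=value selects a variable value, not a rule
                variables.update([entry.split("=", 1)])
            else:
                rule_users[entry].append(c["id"])
    return {
        "by_status": dict(Counter(c.get("status", "unknown") for c in controls)),
        "by_level": dict(Counter(lvl for c in controls for lvl in c["levels"])),
        "pending": [c["id"] for c in controls if c.get("status") == "pending"],
        "shared_rules": {r: ids for r, ids in rule_users.items() if len(ids) > 1},
        "variables": variables,
    }
```

Call `coverage_report(open("stig_rhel8.yml").read())` against the real file to list every `pending` control (each one is a STIG finding the generated profile will not check) and the rules several controls lean on, such as `accounts_passwords_pam_faillock_deny`, where one mis-set variable silently fails many findings at once. The reader is deliberately strict: a control file with a key it does not know, or a stray list item, raises rather than producing a partial report.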