DISA Red Hat Enterprise Linux 9 STIG v2r1

Audit Details

Name: DISA Red Hat Enterprise Linux 9 STIG v2r1

Updated: 9/17/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 463

File Details

Filename: DISA_STIG_Red_Hat_Enterprise_Linux_9_v2r1.audit

Size: 1.04 MB

MD5: eb87b9c2bb82f83c2044ffbf0ad71632
SHA256: 93b12650950db87fbde2a2a7aa04b88e96eeb7f46c02d3ae955fc558fa61dea8

Audit Items

Description

Categories

DISA_STIG_Red_Hat_Enterprise_Linux_9_v2r1.audit from DISA Red Hat Enterprise Linux 9 v2r1 STIG

RHEL-09-211010 - RHEL 9 must be a vendor-supported release.

CONFIGURATION MANAGEMENT

RHEL-09-211015 - RHEL 9 vendor packaged system security patches and updates must be installed and up to date.

CONFIGURATION MANAGEMENT

RHEL-09-211020 - RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

RHEL-09-211030 - The graphical display manager must not be the default target on RHEL 9 unless approved.

CONFIGURATION MANAGEMENT

RHEL-09-211035 - RHEL 9 must enable the hardware random number generator entropy gatherer service.

CONFIGURATION MANAGEMENT

RHEL-09-211040 - RHEL 9 systemd-journald service must be enabled.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-211045 - The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

RHEL-09-211050 - The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

RHEL-09-211055 - RHEL 9 debug-shell systemd service must be disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

RHEL-09-212010 - RHEL 9 must require a boot loader superuser password.

ACCESS CONTROL

RHEL-09-212015 - RHEL 9 must disable the ability of systemd to spawn an interactive boot process.

CONFIGURATION MANAGEMENT

RHEL-09-212020 - RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.

ACCESS CONTROL

RHEL-09-212025 - RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.

CONFIGURATION MANAGEMENT

RHEL-09-212030 - RHEL 9 /boot/grub2/grub.cfg file must be owned by root.

CONFIGURATION MANAGEMENT

RHEL-09-212035 - RHEL 9 must disable virtual system calls.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-212040 - RHEL 9 must clear the page allocator to prevent use-after-free attacks.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-212045 - RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.

SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

RHEL-09-212050 - RHEL 9 must enable mitigations against processor-based vulnerabilities.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

RHEL-09-212055 - RHEL 9 must enable auditing of processes that start prior to the audit daemon.

AUDIT AND ACCOUNTABILITY, MAINTENANCE

RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-213020 - RHEL 9 must prevent the loading of a new kernel for later execution.

CONFIGURATION MANAGEMENT

RHEL-09-213025 - RHEL 9 must restrict exposed kernel pointer addresses access.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

RHEL-09-213030 - RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.

ACCESS CONTROL

RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.

ACCESS CONTROL

RHEL-09-213040 - RHEL 9 must disable the kernel.core_pattern.

CONFIGURATION MANAGEMENT

RHEL-09-213045 - RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.

CONFIGURATION MANAGEMENT

RHEL-09-213050 - RHEL 9 must be configured to disable the Controller Area Network kernel module.

CONFIGURATION MANAGEMENT

RHEL-09-213055 - RHEL 9 must be configured to disable the FireWire kernel module.

CONFIGURATION MANAGEMENT

RHEL-09-213060 - RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

CONFIGURATION MANAGEMENT

RHEL-09-213065 - RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

CONFIGURATION MANAGEMENT

RHEL-09-213070 - RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-213080 - RHEL 9 must restrict usage of ptrace to descendant processes.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-09-213085 - RHEL 9 must disable core dump backtraces.

CONFIGURATION MANAGEMENT

RHEL-09-213090 - RHEL 9 must disable storing core dumps.

CONFIGURATION MANAGEMENT

RHEL-09-213095 - RHEL 9 must disable core dumps for all users.

CONFIGURATION MANAGEMENT

RHEL-09-213100 - RHEL 9 must disable acquiring, saving, and processing core dumps.

CONFIGURATION MANAGEMENT

RHEL-09-213105 - RHEL 9 must disable the use of user namespaces.

CONFIGURATION MANAGEMENT

RHEL-09-213110 - RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

SYSTEM AND INFORMATION INTEGRITY

RHEL-09-213115 - The kdump service on RHEL 9 must be disabled.

CONFIGURATION MANAGEMENT

RHEL-09-214010 - RHEL 9 must ensure cryptographic verification of vendor software packages.

CONFIGURATION MANAGEMENT

RHEL-09-214015 - RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.

CONFIGURATION MANAGEMENT

RHEL-09-214020 - RHEL 9 must check the GPG signature of locally installed software packages before installation.

CONFIGURATION MANAGEMENT

RHEL-09-214025 - RHEL 9 must have GPG signature verification enabled for all software repositories.

CONFIGURATION MANAGEMENT

RHEL-09-214030 - RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.

CONFIGURATION MANAGEMENT

RHEL-09-214035 - RHEL 9 must remove all software components after updated versions have been installed.

SYSTEM AND INFORMATION INTEGRITY

RHEL-09-215010 - RHEL 9 subscription-manager package must be installed.

CONFIGURATION MANAGEMENT

RHEL-09-215015 - RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION