Skip to content
Log In

General Purpose Operating System Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000001

    Group
    Show

  • SRG-OS-000002

    Group
    Show

  • The operating system must automatically remove or disable temporary user accounts after 72 hours.

    If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al...
    Rule Medium Severity
    Show

  • SRG-OS-000004

    Group
    Show

  • SRG-OS-000021

    Group
    Show

  • The operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...
    Rule Medium Severity
    Show

  • SRG-OS-000023

    Group
    Show

  • SRG-OS-000024

    Group
    Show

  • The operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.

    The banner must be acknowledged by the user prior to allowing the user access to the operating system. This provides assurance that the user has seen the message and accepted the conditions for acc...
    Rule Medium Severity
    Show

  • SRG-OS-000027

    Group
    Show

  • SRG-OS-000028

    Group
    Show

  • SRG-OS-000029

    Group
    Show

  • The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types.

    A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporar...
    Rule Medium Severity
    Show

  • SRG-OS-000030

    Group
    Show

  • The operating system must provide the capability for users to directly initiate a session lock for all connection types.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...
    Rule Medium Severity
    Show

  • SRG-OS-000031

    Group
    Show

  • The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...
    Rule Medium Severity
    Show

  • SRG-OS-000032

    Group
    Show

  • SRG-OS-000033

    Group
    Show

  • The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

    Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information s...
    Rule High Severity
    Show

  • SRG-OS-000037

    Group
    Show

  • SRG-OS-000038

    Group
    Show

  • The operating system must produce audit records containing information to establish when (date and time) the events occurred.

    Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment a...
    Rule Medium Severity
    Show

  • SRG-OS-000039

    Group
    Show

  • SRG-OS-000040

    Group
    Show

  • The operating system must produce audit records containing information to establish the source of the events.

    Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur with...
    Rule Medium Severity
    Show

  • SRG-OS-000041

    Group
    Show

  • SRG-OS-000042

    Group
    Show

  • The operating system must generate audit records containing the full-text recording of privileged commands.

    Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...
    Rule Medium Severity
    Show

  • SRG-OS-000042

    Group
    Show

  • SRG-OS-000046

    Group
    Show

  • The operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
    Show

  • SRG-OS-000051

    Group
    Show

  • SRG-OS-000054

    Group
    Show

  • SRG-OS-000055

    Group
    Show

  • The operating system must use internal system clocks to generate time stamps for audit records.

    Without an internal clock used as the reference for the time stored on each event to provide a trusted common reference for the time, forensic analysis would be impeded. Determining the correct tim...
    Rule Medium Severity
    Show

  • SRG-OS-000057

    Group
    Show

  • SRG-OS-000058

    Group
    Show

  • The operating system must protect audit information from unauthorized modification.

    If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity o...
    Rule Medium Severity
    Show

  • SRG-OS-000059

    Group
    Show

  • The operating system must protect audit information from unauthorized deletion.

    If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity o...
    Rule Medium Severity
    Show

  • SRG-OS-000062

    Group
    Show

  • SRG-OS-000063

    Group
    Show

  • The operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

    Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audi...
    Rule Medium Severity
    Show

  • SRG-OS-000064

    Group
    Show

  • The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
    Show

  • SRG-OS-000066

    Group
    Show

  • The operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule Medium Severity
    Show

  • SRG-OS-000067

    Group
    Show

  • SRG-OS-000068

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules