Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • RHEL 9 must be configured to disable the FireWire kernel module.

    Disabling FireWire protects the system against exploitation of any flaws in its implementation.
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000433-GPOS-00193

    Group
  • SRG-OS-000132-GPOS-00067

    Group
  • RHEL 9 must disable access to network bpf system call from nonprivileged processes.

    Loading and accessing packet filter programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. Satisfies: SRG-OS-000132-GPOS-00...
    Rule Medium Severity
  • SRG-OS-000132-GPOS-00067

    Group
  • RHEL 9 must restrict usage of ptrace to descendant processes.

    Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, the attacker can steal sensitive information from the target processes (e.g., SSH s...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must disable storing core dumps.

    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or sy...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must disable core dumps for all users.

    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers tryin...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must disable the use of user namespaces.

    User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.
    Rule Medium Severity
  • SRG-OS-000433-GPOS-00192

    Group
  • RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.

    ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000366-GPOS-00153

    Group
  • RHEL 9 must ensure cryptographic verification of vendor software packages.

    Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware o...
    Rule Medium Severity
  • SRG-OS-000366-GPOS-00153

    Group
  • SRG-OS-000366-GPOS-00153

    Group
  • RHEL 9 must check the GPG signature of locally installed software packages before installation.

    Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has bee...
    Rule High Severity
  • SRG-OS-000366-GPOS-00153

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.

    The hashes of important files such as system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
    Rule Medium Severity
  • SRG-OS-000437-GPOS-00194

    Group
  • SRG-OS-000366-GPOS-00153

    Group
  • RHEL 9 subscription-manager package must be installed.

    The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It communicates with backend servers, such...
    Rule Medium Severity
  • SRG-OS-000074-GPOS-00042

    Group
  • RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

    The FTP service provides unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using ...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must not have the sendmail package installed.

    The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. Satisfies: SRG-OS-000480-GPOS-0...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • RHEL 9 must not have the nfs-utils package installed.

    "nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • RHEL 9 must not have the ypserv package installed.

    The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the "ypserv" package ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • RHEL 9 must not have the gssproxy package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    Group
  • SRG-OS-000095-GPOS-00049

    Group
  • RHEL 9 must not have the tuned package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must not have the quagga package installed.

    Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platfor...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
