Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • A graphical display manager must not be installed on RHEL 9 unless approved.

    Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unl...
    Rule Medium Severity
  • SRG-OS-000105-GPOS-00052

    Group
  • RHEL 9 must have the openssl-pkcs11 package installed.

    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticati...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must have the gnutls-utils package installed.

    GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to acces...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must have the nss-tools package installed.

    Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install c...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000363-GPOS-00150

    Group
  • RHEL 9 must have the s-nail package installed.

    The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).

    Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must use a separate file system for /tmp.

    The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that u...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must use a separate file system for /var.

    Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is ...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must use a separate file system for /var/log.

    Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
    Rule Low Severity
  • SRG-OS-000341-GPOS-00132

    Group
  • RHEL 9 must use a separate file system for the system audit data path.

    Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out ...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000114-GPOS-00059

    Group
  • RHEL 9 file system automount function must be disabled unless required.

    An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Satisfies: SRG-OS-000114-...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.

    The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

    The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent code from being executed on file systems that contain user home directories.

    The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Exe...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).

    The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).

    The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent code from being executed on file systems that are used with removable media.

    The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Exe...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent special devices on file systems that are used with removable media.

    The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

    The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" ...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must mount /dev/shm with the nodev option.

    The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity fo...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    Group
  • RHEL 9 must mount /dev/shm with the noexec option.

    The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Exe...
    Rule Medium Severity
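
The separate-file-system rules (/home, /tmp, /var, /var/log, /var/log/audit) and the mount-option rules (nodev/nosuid/noexec on home directories, NFS imports, /boot, /boot/efi and /dev/shm) all reduce to checks against /etc/fstab. The script below is an added example, not part of the STIG or of Red Hat's tooling: it audits an fstab listing against those rules. It runs against a constructed sample fstab embedded in the script; the UUIDs, the NFS server name and the mount points are invented, and the decision to report a missing /boot/efi entry as not applicable (rather than a failure) is an assumption based on the rule only applying to UEFI systems. Removable-media mounts are not checked because they rarely appear in fstab.

```shell
#!/bin/sh
# Added example (not part of the STIG or the RHEL 9 project): audit an fstab
# listing against the separate-file-system and mount-option rules above.
# Runs offline against the constructed sample below; on a host, pass "$(cat /etc/fstab)".

# Constructed sample fstab: deliberately non-compliant in several places.
SAMPLE_FSTAB='# constructed sample, not taken from a real host
UUID=0000-root   /               xfs   defaults                       0 0
UUID=0000-boot   /boot           xfs   defaults,nosuid                0 0
UUID=0000-home   /home           xfs   defaults,nodev,nosuid          0 0
UUID=0000-var    /var            xfs   defaults                       0 0
UUID=0000-audit  /var/log/audit  xfs   defaults                       0 0
tmpfs            /dev/shm        tmpfs defaults,nodev,noexec,nosuid   0 0
nfs01:/export    /mnt/share      nfs   defaults,nodev                 0 0'

# fstab_opts FSTAB MOUNTPOINT: print the option field of the entry for MOUNTPOINT
# (nothing when there is no entry). Comment lines and short lines are skipped.
fstab_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# has_separate_fs FSTAB MOUNTPOINT: succeed when MOUNTPOINT has its own entry.
has_separate_fs() {
  [ -n "$(fstab_opts "$1" "$2")" ]
}

# missing_opts FSTAB MOUNTPOINT OPT...: print the OPTs absent from the entry's
# option list (all of them when the entry does not exist). Empty output = compliant.
missing_opts() {
  mo_opts=$(fstab_opts "$1" "$2"); shift 2
  mo_missing=""
  for mo_want in "$@"; do
    case ",$mo_opts," in
      *",$mo_want,"*) ;;
      *) mo_missing="$mo_missing $mo_want" ;;
    esac
  done
  printf '%s\n' "${mo_missing# }"
}

# nfs_mountpoints FSTAB: list mount points whose file system type is nfs or nfs4.
nfs_mountpoints() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 && ($3 == "nfs" || $3 == "nfs4") { print $2 }'
}

# audit_fstab FSTAB: print one PASS/FAIL/N/A line per rule; return the FAIL count.
# Removable-media rules are not checked here: such media rarely have fstab
# entries, so their options must be verified at mount time instead.
audit_fstab() {
  af_fail=0
  for af_mp in /home /tmp /var /var/log /var/log/audit; do
    if has_separate_fs "$1" "$af_mp"; then
      echo "PASS separate file system for $af_mp"
    else
      echo "FAIL no separate file system for $af_mp"; af_fail=$((af_fail + 1))
    fi
  done
  # mountpoint:required options, taken from the rules above
  for af_rule in /home:nodev,nosuid,noexec /boot:nosuid /boot/efi:nosuid /dev/shm:nodev,noexec; do
    af_mp=${af_rule%%:*}
    # Assumption: a missing /boot/efi entry means a non-UEFI host, so the rule does not apply.
    if [ "$af_mp" = /boot/efi ] && ! has_separate_fs "$1" "$af_mp"; then
      echo "N/A  $af_mp has no entry (rule applies only to UEFI systems; confirm firmware type)"
      continue
    fi
    # the inner substitution is left unquoted so the comma list splits into arguments
    af_miss=$(missing_opts "$1" "$af_mp" $(printf '%s' "${af_rule#*:}" | tr ',' ' '))
    if [ -z "$af_miss" ]; then
      echo "PASS $af_mp has required options"
    else
      echo "FAIL $af_mp missing: $af_miss"; af_fail=$((af_fail + 1))
    fi
  done
  for af_mp in $(nfs_mountpoints "$1"); do
    af_miss=$(missing_opts "$1" "$af_mp" nodev noexec nosuid)
    if [ -z "$af_miss" ]; then
      echo "PASS NFS mount $af_mp has nodev,noexec,nosuid"
    else
      echo "FAIL NFS mount $af_mp missing: $af_miss"; af_fail=$((af_fail + 1))
    fi
  done
  return "$af_fail"
}

audit_fstab "$SAMPLE_FSTAB" || echo "$? rule(s) failed"
```

Against the sample the script reports four failures: no separate file system for /tmp or /var/log, /home lacking noexec, and the NFS import lacking noexec and nosuid. fstab only describes the intended configuration; compare with the live state using `findmnt -o TARGET,FSTYPE,OPTIONS` before treating a PASS as evidence, since a mount remounted by hand can differ from its fstab line.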
