Red Hat Enterprise Linux 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
RHEL 9 must prevent code from being executed on file systems that contain user home directories.
<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 9 must mount /tmp with the noexec option.
<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 9 must prevent code from being executed on file systems that are used with removable media.
<VulnDiscussion>The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file syste...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 9 must prevent special devices on file systems that are used with removable media.
<VulnDiscussion>The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or blocki...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
RHEL 9 must mount /boot with the nodev option.
<VulnDiscussion>The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to th...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
<VulnDiscussion>The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file ...Rule Medium Severity -
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option mus...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.