Skip to content

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the nfs-utils package installed.

    &lt;VulnDiscussion&gt;"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the ypserv package installed.

    &lt;VulnDiscussion&gt;The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the rsh-server package installed.

    &lt;VulnDiscussion&gt;The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integ...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the telnet-server package installed.

    &lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the gssproxy package installed.

    &lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the iprutils package installed.

    &lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...
    Rule Medium Severity
  • SRG-OS-000095-GPOS-00049

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the tuned package installed.

    &lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission ob...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.

    &lt;VulnDiscussion&gt;Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. If TFT...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must not have the quagga package installed.

    &lt;VulnDiscussion&gt;Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • A graphical display manager must not be installed on RHEL 9 unless approved.

    &lt;VulnDiscussion&gt;Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers h...
    Rule Medium Severity
  • SRG-OS-000105-GPOS-00052

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must have the openssl-pkcs11 package installed.

    &lt;VulnDiscussion&gt;Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor a...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must have the gnutls-utils package installed.

    &lt;VulnDiscussion&gt;GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provi...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must have the nss-tools package installed.

    &lt;VulnDiscussion&gt;Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled clie...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must have the rng-tools package installed.

    &lt;VulnDiscussion&gt;"rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.&lt...
    Rule Medium Severity
  • SRG-OS-000363-GPOS-00150

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must have the s-nail package installed.

    &lt;VulnDiscussion&gt;The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration ch...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).

    &lt;VulnDiscussion&gt;Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps e...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must use a separate file system for /tmp.

    &lt;VulnDiscussion&gt;The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting o...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must use a separate file system for /var.

    &lt;VulnDiscussion&gt;Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protec...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must use a separate file system for /var/log.

    &lt;VulnDiscussion&gt;Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".&lt;/VulnDiscu...
    Rule Low Severity
  • SRG-OS-000341-GPOS-00132

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must use a separate file system for the system audit data path.

    &lt;VulnDiscussion&gt;Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps...
    Rule Low Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must use a separate file system for /var/tmp.

    &lt;VulnDiscussion&gt;The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the s...
    Rule Medium Severity
  • SRG-OS-000114-GPOS-00059

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 file system automount function must be disabled unless required.

    &lt;VulnDiscussion&gt;An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.

    &lt;VulnDiscussion&gt;The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block ...
    Rule Medium Severity
  • SRG-OS-000368-GPOS-00154

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.

    &lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option mus...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • RHEL 9 must prevent code from being executed on file systems that contain user home directories.

    &lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file syste...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules