Skip to content

DRAFT - DISA STIG for Red Hat Enterprise Linux 10

Rules and Groups employed by this XCCDF Profile

  • Set PAM''s Password Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</code> section of the file controls which PAM modules ...
    Rule Medium Severity
  • Set Password Hashing Rounds in /etc/login.defs

    In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000</code>. For example: <pre>SHA_CRYPT_MIN_ROUNDS 50...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...
    Group
  • Disable debug-shell SystemD Service

    SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root she...
    Rule Medium Severity
  • Disable Ctrl-Alt-Del Burst Action

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. <br> <br> To configure the s...
    Rule High Severity
  • Disable Ctrl-Alt-Del Reboot Activation

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> k...
    Rule High Severity
  • Verify that Interactive Boot is Disabled

    Red Hat Enterprise Linux 10 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 10 system, interactive boot can be en...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...
    Rule Medium Severity
  • Configure Screen Locking

    When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for s...
    Group
  • Configure Console Screen Locking

    A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules