SRG-OS-000480-GPOS-00227 Rules

SRG-OS-000480-GPOS-00227 Controls

STIG ID	Version	Title
RHEL-08-010000	V1R6	RHEL 8 must be a vendor-supported release.
RHEL-08-010010	V1R6	RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
RHEL-08-010292	V1R6	RHEL 8 must ensure the SSH server uses strong entropy.
RHEL-08-010460	V1R6	There must be no shosts.equiv files on the RHEL 8 operating system.
RHEL-08-010470	V1R6	There must be no .shosts files on the RHEL 8 operating system.
RHEL-08-010471	V1R6	RHEL 8 must enable the hardware random number generator entropy gatherer service.
RHEL-08-010480	V1R6	The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
RHEL-08-010490	V1R6	The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
RHEL-08-010500	V1R6	The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-08-010510	V1R6	The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-08-010520	V1R6	The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
RHEL-08-010521	V1R6	The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
RHEL-08-010540	V1R6	RHEL 8 must use a separate file system for /var.
RHEL-08-010541	V1R6	RHEL 8 must use a separate file system for /var/log.
RHEL-08-010542	V1R6	RHEL 8 must use a separate file system for the system audit data path.
RHEL-08-010543	V1R6	A separate RHEL 8 filesystem must be used for the /tmp directory.
RHEL-08-010561	V1R6	The rsyslog service must be running in RHEL 8.
RHEL-08-010570	V1R6	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
RHEL-08-010571	V1R6	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
RHEL-08-010580	V1R6	RHEL 8 must prevent special devices on non-root local partitions.
RHEL-08-010590	V1R6	RHEL 8 must prevent code from being executed on file systems that contain user home directories.
RHEL-08-010600	V1R6	RHEL 8 must prevent special devices on file systems that are used with removable media.
RHEL-08-010610	V1R6	RHEL 8 must prevent code from being executed on file systems that are used with removable media.
RHEL-08-010620	V1R6	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-08-010630	V1R6	RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010640	V1R6	RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-08-010650	V1R6	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-08-010660	V1R6	Local RHEL 8 initialization files must not execute world-writable programs.
RHEL-08-010670	V1R6	RHEL 8 must disable kernel dumps unless needed.
RHEL-08-010671	V1R6	RHEL 8 must disable the kernel.core_pattern.
RHEL-08-010672	V1R6	RHEL 8 must disable acquiring, saving, and processing core dumps.
RHEL-08-010673	V1R6	RHEL 8 must disable core dumps for all users.
RHEL-08-010674	V1R6	RHEL 8 must disable storing core dumps.
RHEL-08-010675	V1R6	RHEL 8 must disable core dump backtraces.
RHEL-08-010680	V1R6	For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
RHEL-08-010690	V1R6	Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory.
RHEL-08-010700	V1R6	All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-08-010710	V1R6	All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
RHEL-08-010720	V1R6	All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-08-010730	V1R6	All RHEL 8 local interactive user home directories must have mode 0750 or less permissive.
RHEL-08-010740	V1R6	All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group.
RHEL-08-010750	V1R6	All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-08-010760	V1R6	All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
RHEL-08-010770	V1R6	All RHEL 8 local initialization files must have mode 0740 or less permissive.
RHEL-08-010780	V1R6	All RHEL 8 local files and directories must have a valid owner.
RHEL-08-010790	V1R6	All RHEL 8 local files and directories must have a valid group owner.
RHEL-08-010800	V1R6	A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent).
RHEL-08-020320	V1R6	RHEL 8 must not have unnecessary accounts.
RHEL-08-020330	V1R6	RHEL 8 must not allow accounts configured with blank or null passwords.
RHEL-08-020340	V1R6	RHEL 8 must display the date and time of the last successful account logon upon logon.
RHEL-08-020350	V1R6	RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
RHEL-08-020353	V1R6	RHEL 8 must define default permissions for logon and non-logon shells.
RHEL-08-030010	V1R6	Cron logging must be implemented in RHEL 8.
RHEL-08-030061	V1R6	The RHEL 8 audit system must audit local events.
RHEL-08-030063	V1R6	RHEL 8 must resolve audit information before writing to disk.
RHEL-08-030670	V1R6	RHEL 8 must have the packages required for offloading audit logs installed.
RHEL-08-030680	V1R6	RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
RHEL-08-040170	V1R6	The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.
RHEL-08-040171	V1R6	The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
RHEL-08-040172	V1R6	The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
RHEL-08-040180	V1R6	The debug-shell systemd service must be disabled on RHEL 8.
RHEL-08-040190	V1R6	The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
RHEL-08-040200	V1R6	The root account must be the only account having unrestricted access to the RHEL 8 system.
RHEL-08-040210	V1R6	RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-08-040220	V1R6	RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-08-040230	V1R6	RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-08-040240	V1R6	RHEL 8 must not forward IPv6 source-routed packets.
RHEL-08-040250	V1R6	RHEL 8 must not forward IPv6 source-routed packets by default.
RHEL-08-040260	V1R6	RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-08-040261	V1R6	RHEL 8 must not accept router advertisements on all IPv6 interfaces.
RHEL-08-040262	V1R6	RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-08-040270	V1R6	RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-08-040280	V1R6	RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-08-040281	V1R6	RHEL 8 must disable access to network bpf syscall from unprivileged processes.
RHEL-08-040282	V1R6	RHEL 8 must restrict usage of ptrace to descendant processes.
RHEL-08-040283	V1R6	RHEL 8 must restrict exposed kernel pointer addresses access.
RHEL-08-040284	V1R6	RHEL 8 must disable the use of user namespaces.
RHEL-08-040285	V1R6	RHEL 8 must use reverse path filtering on all IPv4 interfaces.
RHEL-08-040290	V1R6	RHEL 8 must be configured to prevent unrestricted mail relaying.
RHEL-08-040300	V1R6	The RHEL 8 file integrity tool must be configured to verify extended attributes.
RHEL-08-040310	V1R6	The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
RHEL-08-040320	V1R6	The graphical display manager must not be installed on RHEL 8 unless approved.
RHEL-08-040330	V1R6	RHEL 8 network interfaces must not be in promiscuous mode.
RHEL-08-040340	V1R6	RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
RHEL-08-040341	V1R6	The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-08-040350	V1R6	If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
RHEL-08-040360	V1R6	A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
RHEL-08-040370	V1R6	The gssproxy package must not be installed unless mission essential on RHEL 8.
RHEL-08-040380	V1R6	The iprutils package must not be installed unless mission essential on RHEL 8.
RHEL-08-040390	V1R6	The tuned package must not be installed unless mission essential on RHEL 8.
RHEL-08-010382	V1R6	RHEL 8 must restrict privilege elevation to authorized personnel.
RHEL-08-010383	V1R6	RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-08-010472	V1R6	RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
RHEL-08-010522	V1R6	The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
RHEL-08-010544	V1R6	RHEL 8 must use a separate file system for /var/tmp.
RHEL-08-010572	V1R6	RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
RHEL-08-010731	V1R6	All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
RHEL-08-010741	V1R6	RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
RHEL-08-020032	V1R6	RHEL 8 must disable the user list at logon for graphical user interfaces.
RHEL-08-020331	V1R6	RHEL 8 must not allow blank or null passwords in the system-auth file.
RHEL-08-020332	V1R6	RHEL 8 must not allow blank or null passwords in the password-auth file.
RHEL-08-040209	V1R6	RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-08-040239	V1R6	RHEL 8 must not forward IPv4 source-routed packets.
RHEL-08-040249	V1R6	RHEL 8 must not forward IPv4 source-routed packets by default.
RHEL-08-040279	V1R6	RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-08-040286	V1R6	RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
RHEL-08-040259	V1R6	RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-08-010121	V1R6	The RHEL 8 operating system must not have accounts configured with blank or null passwords.
RHEL-08-010379	V1R6	RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
RHEL-08-020101	V1R6	RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
RHEL-08-020102	V1R6	RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
RHEL-08-020103	V1R6	RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
RHEL-08-020104	V1R6	RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
RHEL-08-040321	V1R6	The graphical display manager must not be the default target on RHEL 8 unless approved.
SLES-15-010000	V1R4	The SUSE operating system must be a vendor-supported release.
SLES-15-010010	V1R4	Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-15-020080	V1R4	The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-15-020090	V1R4	The SUSE operating system must not have unnecessary accounts.
SLES-15-020091	V1R4	The SUSE operating system must not have unnecessary account capabilities.
SLES-15-020100	V1R4	The SUSE operating system root account must be the only account with unrestricted access to the system.
SLES-15-020101	V1R4	The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-15-020103	V1R4	The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-15-020110	V1R4	All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-15-020120	V1R4	The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-15-020300	V1R4	The SUSE operating system must not be configured to allow blank or null passwords.
SLES-15-030810	V1R4	The SUSE operating system must use a separate file system for the system audit data path.
SLES-15-030820	V1R4	The SUSE operating system must not disable syscall auditing.
SLES-15-040020	V1R4	There must be no .shosts files on the SUSE operating system.
SLES-15-040030	V1R4	There must be no shosts.equiv files on the SUSE operating system.
SLES-15-040040	V1R4	The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-15-040050	V1R4	The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-15-040060	V1R4	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-15-040061	V1R4	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-15-040062	V1R4	The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
SLES-15-040070	V1R4	All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-15-040080	V1R4	All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-15-040090	V1R4	All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-15-040100	V1R4	All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
SLES-15-040110	V1R4	All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-15-040120	V1R4	All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
SLES-15-040130	V1R4	All SUSE operating system local initialization files must not execute world-writable programs.
SLES-15-040140	V1R4	SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040150	V1R4	SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040160	V1R4	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-15-040170	V1R4	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-15-040180	V1R4	All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-15-040190	V1R4	SUSE operating system kernel core dumps must be disabled unless needed.
SLES-15-040200	V1R4	A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-15-040210	V1R4	The SUSE operating system must use a separate file system for /var.
SLES-15-040220	V1R4	The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-15-040230	V1R4	The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-15-040240	V1R4	The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-15-040250	V1R4	The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
SLES-15-040260	V1R4	The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-15-040280	V1R4	The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SLES-15-040290	V1R4	The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-15-040300	V1R4	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-15-040310	V1R4	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-15-040320	V1R4	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-15-040321	V1R4	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-15-040330	V1R4	The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040340	V1R4	The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040341	V1R4	The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-15-040350	V1R4	The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040360	V1R4	The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-15-040370	V1R4	The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-15-040380	V1R4	The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-15-040381	V1R4	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-15-040382	V1R4	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-15-040390	V1R4	The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-15-040400	V1R4	All SUSE operating system files and directories must have a valid owner.
SLES-15-040410	V1R4	All SUSE operating system files and directories must have a valid group owner.
WN19-00-000010	V3R1	Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN19-00-000030	V3R1	Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN19-00-000040	V3R1	Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN19-00-000060	V3R1	Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN19-00-000090	V3R1	Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN19-00-000100	V3R1	Windows Server 2019 must be maintained at a supported servicing level.
WN19-00-000110	V3R1	Windows Server 2019 must use an anti-virus program.
WN19-00-000120	V3R1	Windows Server 2019 must have a host-based intrusion detection or prevention system.
WN19-00-000240	V3R1	Windows Server 2019 must have software certificate installation files removed.
WN19-00-000420	V3R1	Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
WN19-00-000430	V3R1	Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
WN19-00-000450	V3R1	Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
WN19-00-000460	V3R1	Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN19-00-000470	V3R1	Windows Server 2019 must have Secure Boot enabled.
WN19-CC-000030	V3R1	Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN19-CC-000040	V3R1	Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN19-CC-000050	V3R1	Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN19-CC-000070	V3R1	Windows Server 2019 insecure logons to an SMB server must be disabled.
WN19-CC-000080	V3R1	Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\\SYSVOL and \\\NETLOGON shares.
WN19-CC-000100	V3R1	Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN19-CC-000110	V3R1	Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN19-CC-000130	V3R1	Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN19-CC-000140	V3R1	Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
WN19-CC-000180	V3R1	Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN19-CC-000190	V3R1	Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN19-CC-000250	V3R1	Windows Server 2019 Telemetry must be configured to Security or Basic.
WN19-CC-000260	V3R1	Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
WN19-CC-000320	V3R1	Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
WN19-CC-000330	V3R1	Windows Server 2019 File Explorer shell protocol must run in protected mode.
WN19-CC-000390	V3R1	Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
WN19-CC-000440	V3R1	Windows Server 2019 users must be notified if a web-based program attempts to install software.
WN19-DC-000150	V3R1	Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN19-DC-000330	V3R1	Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
WN19-DC-000430	V3R1	The password for the krbtgt account on a domain must be reset at least every 180 days.
WN19-MS-000050	V3R1	Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN19-MS-000140	V3R1	Windows Server 2019 must be running Credential Guard on domain-joined member servers.
WN19-SO-000020	V3R1	Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
WN19-SO-000030	V3R1	Windows Server 2019 built-in administrator account must be renamed.
WN19-SO-000040	V3R1	Windows Server 2019 built-in guest account must be renamed.
WN19-SO-000100	V3R1	Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
WN19-SO-000150	V3R1	Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN19-SO-000210	V3R1	Windows Server 2019 must not allow anonymous SID/Name translation.
WN19-SO-000220	V3R1	Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN19-SO-000240	V3R1	Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN19-SO-000260	V3R1	Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN19-SO-000270	V3R1	Windows Server 2019 must prevent NTLM from falling back to a Null session.
WN19-SO-000280	V3R1	Windows Server 2019 must prevent PKU2U authentication using online identities.
WN19-SO-000310	V3R1	Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN19-SO-000320	V3R1	Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
WN19-SO-000330	V3R1	Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000340	V3R1	Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN19-SO-000370	V3R1	Windows Server 2019 default permissions of global system objects must be strengthened.
WN19-UC-000010	V3R1	Windows Server 2019 must preserve zone information when saving attachments.
WN19-00-000280	V3R1	Windows Server 2019 must have a host-based firewall installed and enabled.
UBTU-18-010032	V2R12	The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-18-010150	V2R12	The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-18-010151	V2R12	The Ubuntu Operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-18-010418	V2R12	The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-18-010419	V2R12	The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-18-010450	V2R12	All local interactive user home directories defined in the /etc/passwd file must exist.
UBTU-18-010451	V2R12	All local interactive user home directories must have mode 0750 or less permissive.
UBTU-18-010452	V2R12	All local interactive user home directories must be group-owned by the home directory owners primary group.
UBTU-18-010522	V2R12	The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-18-010523	V2R12	The Ubuntu operating system must not allow accounts configured with blank or null passwords.
UBTU-20-010048	V1R6	The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-20-010049	V1R6	The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-20-010453	V1R6	The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
UBTU-20-010459	V1R6	The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-20-010460	V1R6	The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-20-010462	V1R6	The Ubuntu operating system must not have accounts configured with blank or null passwords.
UBTU-20-010463	V1R6	The Ubuntu operating system must not allow accounts configured with blank or null passwords.
APPL-14-000016	V1R1	The macOS system must be integrated into a directory services infrastructure.
APPL-14-003013	V1R1	The macOS system must enable firmware password.
APPL-14-005110	V1R1	The macOS system must enforce enrollment in mobile device management.
APPL-14-005120	V1R1	The macOS system must enable recovery lock.
APPL-14-005130	V1R1	The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
APPL-13-000016	V1R5	The macOS system must be integrated into a directory services infrastructure.
APPL-13-000032	V1R5	The macOS system must be configured with dedicated user accounts to decrypt the hard disk upon startup.
APPL-13-000033	V1R5	The macOS system must be configured to disable password forwarding for FileVault.
APPL-13-002050	V1R5	The macOS system must disable the Screen Sharing feature.
APPL-13-002060	V1R5	The macOS system must only allow applications with a valid digital signature to run.
APPL-13-002070	V1R5	The macOS system must use an approved antivirus program.
APPL-13-003012	V1R5	The macOS system must be configured to prevent displaying password hints.
APPL-13-003013	V1R5	The macOS system must be configured with a firmware password to prevent access to single user mode and booting from alternative media.
APPL-13-003050	V1R5	The macOS system must be configured so that the login command requires smart card authentication.
APPL-13-003051	V1R5	The macOS system must be configured so that the su command requires smart card authentication.
APPL-13-003052	V1R5	The macOS system must be configured so that the sudo command requires smart card authentication.
APPL-13-005051	V1R5	The macOS system must restrict the ability of individuals to use USB storage devices.
APPL-13-005053	V1R5	The macOS system must restrict the ability of individuals to write to external optical media.
OL07-00-010020	V3R1	The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
OL07-00-010290	V3R1	The Oracle Linux operating system must not allow accounts configured with blank or null passwords.
OL07-00-020230	V3R1	The Oracle Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
OL07-00-020250	V3R1	The Oracle Linux operating system must be a vendor supported release.
OL07-00-020260	V3R1	The Oracle Linux operating system security patches and updates must be installed and up to date.
OL07-00-020270	V3R1	The Oracle Linux operating system must not have unnecessary accounts.
OL07-00-020310	V3R1	The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
OL07-00-020320	V3R1	The Oracle Linux operating system must be configured so that all files and directories have a valid owner.
OL07-00-020330	V3R1	The Oracle Linux operating system must be configured so that all files and directories have a valid group owner.
OL07-00-020610	V3R1	The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
OL07-00-020620	V3R1	The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
OL07-00-020630	V3R1	The Oracle Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
OL07-00-020640	V3R1	The Oracle Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
OL07-00-020650	V3R1	The Oracle Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.
OL07-00-020660	V3R1	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
OL07-00-020670	V3R1	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
OL07-00-020680	V3R1	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
OL07-00-020690	V3R1	The Oracle Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
OL07-00-020700	V3R1	The Oracle Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.
OL07-00-020710	V3R1	The Oracle Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
OL07-00-020720	V3R1	The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.
OL07-00-020730	V3R1	The Oracle Linux operating system must be configured so that local initialization files do not execute world-writable programs.
OL07-00-020900	V3R1	The Oracle Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
OL07-00-021000	V3R1	The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
OL07-00-021010	V3R1	The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL07-00-021020	V3R1	The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
OL07-00-021021	V3R1	The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
OL07-00-021030	V3R1	The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
OL07-00-021040	V3R1	The Oracle Linux operating system must set the umask value to 077 for all local interactive user accounts.
OL07-00-021100	V3R1	The Oracle Linux operating system must have cron logging implemented.
OL07-00-021110	V3R1	The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
OL07-00-021120	V3R1	The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
OL07-00-021300	V3R1	The Oracle Linux operating system must disable Kernel core dumps unless needed.
OL07-00-021310	V3R1	The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
OL07-00-021320	V3R1	The Oracle Linux operating system must use a separate file system for /var.
OL07-00-021340	V3R1	The Oracle Linux operating system must use a separate file system for /tmp (or equivalent).
OL07-00-021600	V3R1	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
OL07-00-021610	V3R1	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
OL07-00-021620	V3R1	The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
OL07-00-031000	V3R1	The Oracle Linux operating system must send rsyslog output to a log aggregation server.
OL07-00-031010	V3R1	The Oracle Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
OL07-00-032000	V3R1	The Oracle Linux operating system must use a virus scan program.
OL07-00-040330	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
OL07-00-040350	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
OL07-00-040360	V3R1	The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
OL07-00-040370	V3R1	The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH.
OL07-00-040380	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
OL07-00-040410	V3R1	The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
OL07-00-040420	V3R1	The Oracle Linux operating system must be configured so the SSH private host key files have mode 0640 or less permissive.
OL07-00-040450	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
OL07-00-040460	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.
OL07-00-040470	V3R1	The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
OL07-00-040520	V3R1	The Oracle Linux operating system must enable an application firewall, if available.
OL07-00-040530	V3R1	The Oracle Linux operating system must display the date and time of the last successful account logon upon logon.
OL07-00-040540	V3R1	The Oracle Linux operating system must not contain .shosts files.
OL07-00-040550	V3R1	The Oracle Linux operating system must not contain shosts.equiv files.
OL07-00-040600	V3R1	For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured.
OL07-00-040610	V3R1	The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
OL07-00-040611	V3R1	The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
OL07-00-040612	V3R1	The Oracle Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
OL07-00-040620	V3R1	The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
OL07-00-040630	V3R1	The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL07-00-040640	V3R1	The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL07-00-040641	V3R1	The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
OL07-00-040650	V3R1	The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
OL07-00-040660	V3R1	The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
OL07-00-040670	V3R1	Network interfaces configured on The Oracle Linux operating system must not be in promiscuous mode.
OL07-00-040680	V3R1	The Oracle Linux operating system must be configured to prevent unrestricted mail relaying.
OL07-00-040690	V3R1	The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
OL07-00-040700	V3R1	The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
OL07-00-040710	V3R1	The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
OL07-00-040720	V3R1	The Oracle Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
OL07-00-040730	V3R1	The Oracle Linux operating system must not have a graphical display manager installed unless approved.
OL07-00-040740	V3R1	The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.
OL07-00-040750	V3R1	The Oracle Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
OL07-00-040800	V3R1	SNMP community strings on the Oracle Linux operating system must be changed from the default.
OL07-00-040810	V3R1	The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
OL07-00-040820	V3R1	The Oracle Linux operating system must not have unauthorized IP tunnels configured.
OL07-00-040830	V3R1	The Oracle Linux operating system must not forward IPv6 source-routed packets.
OL07-00-020231	V3R1	The Oracle Linux operating system must be configured so the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
OL07-00-021031	V3R1	The Oracle Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
OL07-00-040711	V3R1	The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
OL07-00-010341	V3R1	The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
OL07-00-010342	V3R1	The Oracle Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
OL07-00-010291	V3R1	The Oracle Linux operating system must not have accounts configured with blank or null passwords.
OL07-00-010339	V3R1	The Oracle Linux operating system must specify the default "include" directory for the /etc/sudoers file.
OL07-00-010063	V3R1	The Oracle Linux operating system must disable the login screen user list for graphical user interfaces.
RHEL-07-010290	V3R6	The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
RHEL-07-020230	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.
RHEL-07-020231	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
RHEL-07-020250	V3R6	The Red Hat Enterprise Linux operating system must be a vendor supported release.
RHEL-07-020260	V3R6	The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.
RHEL-07-020270	V3R6	The Red Hat Enterprise Linux operating system must not have unnecessary accounts.
RHEL-07-020310	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
RHEL-07-020320	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.
RHEL-07-020330	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.
RHEL-07-020610	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
RHEL-07-020620	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
RHEL-07-020630	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
RHEL-07-020640	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.
RHEL-07-020650	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.
RHEL-07-020660	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
RHEL-07-020670	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
RHEL-07-020680	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.
RHEL-07-020690	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.
RHEL-07-020700	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.
RHEL-07-020710	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.
RHEL-07-020720	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.
RHEL-07-020730	V3R6	The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.
RHEL-07-020900	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-07-021000	V3R6	The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
RHEL-07-021010	V3R6	The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-07-021020	V3R6	The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021021	V3R6	The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
RHEL-07-021030	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
RHEL-07-021040	V3R6	The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
RHEL-07-021100	V3R6	The Red Hat Enterprise Linux operating system must have cron logging implemented.
RHEL-07-021110	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
RHEL-07-021120	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
RHEL-07-021300	V3R6	The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.
RHEL-07-021310	V3R6	The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
RHEL-07-021320	V3R6	The Red Hat Enterprise Linux operating system must use a separate file system for /var.
RHEL-07-021330	V3R6	The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
RHEL-07-021340	V3R6	The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
RHEL-07-021600	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
RHEL-07-021610	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
RHEL-07-021620	V3R6	The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
RHEL-07-031000	V3R6	The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.
RHEL-07-031010	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-07-040201	V3R6	The Red Hat Enterprise Linux operating system must implement virtual address space randomization.
RHEL-07-040330	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
RHEL-07-040350	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
RHEL-07-040360	V3R6	The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
RHEL-07-040370	V3R6	The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
RHEL-07-040380	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
RHEL-07-040410	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
RHEL-07-040420	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.
RHEL-07-040450	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
RHEL-07-040460	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
RHEL-07-040470	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
RHEL-07-040520	V3R6	The Red Hat Enterprise Linux operating system must enable an application firewall, if available.
RHEL-07-040530	V3R6	The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.
RHEL-07-040540	V3R6	The Red Hat Enterprise Linux operating system must not contain .shosts files.
RHEL-07-040550	V3R6	The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.
RHEL-07-040600	V3R6	For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.
RHEL-07-040610	V3R6	The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-07-040611	V3R6	The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
RHEL-07-040612	V3R6	The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-07-040620	V3R6	The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RHEL-07-040630	V3R6	The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-07-040640	V3R6	The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-07-040641	V3R6	The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-07-040650	V3R6	The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
RHEL-07-040660	V3R6	The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RHEL-07-040670	V3R6	Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.
RHEL-07-040680	V3R6	The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.
RHEL-07-040690	V3R6	The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
RHEL-07-040700	V3R6	The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
RHEL-07-040710	V3R6	The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
RHEL-07-040720	V3R6	The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
RHEL-07-040730	V3R6	The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
RHEL-07-040740	V3R6	The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
RHEL-07-040750	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
RHEL-07-040800	V3R6	SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
RHEL-07-040810	V3R6	The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
RHEL-07-040820	V3R6	The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.
RHEL-07-040830	V3R6	The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.
RHEL-07-010020	V3R6	The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
RHEL-07-020019	V3R6	The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
RHEL-07-032000	V3R6	The Red Hat Enterprise Linux operating system must use a virus scan program.
RHEL-07-021031	V3R6	The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.
RHEL-07-040711	V3R6	The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-07-010341	V3R6	The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
RHEL-07-010342	V3R6	The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".
RHEL-07-010291	V3R6	The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
RHEL-07-010339	V3R6	The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-12-010000	V3R1	The SUSE operating system must be a vendor-supported release.
SLES-12-010010	V3R1	Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SLES-12-010231	V3R1	The SUSE operating system must not be configured to allow blank or null passwords.
SLES-12-010390	V3R1	The SUSE operating system must display the date and time of the last successful account logon upon logon.
SLES-12-010400	V3R1	There must be no .shosts files on the SUSE operating system.
SLES-12-010410	V3R1	There must be no shosts.equiv files on the SUSE operating system.
SLES-12-010520	V3R1	The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
SLES-12-010530	V3R1	The SUSE operating system file integrity tool must be configured to verify extended attributes.
SLES-12-010610	V3R1	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
SLES-12-010611	V3R1	The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
SLES-12-010630	V3R1	The SUSE operating system must not have unnecessary accounts.
SLES-12-010650	V3R1	The SUSE operating system root account must be the only account having unrestricted access to the system.
SLES-12-010690	V3R1	All SUSE operating system files and directories must have a valid owner.
SLES-12-010700	V3R1	All SUSE operating system files and directories must have a valid group owner.
SLES-12-010710	V3R1	All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
SLES-12-010720	V3R1	All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
SLES-12-010730	V3R1	All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
SLES-12-010740	V3R1	All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
SLES-12-010750	V3R1	All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group.
SLES-12-010760	V3R1	All SUSE operating system local initialization files must have mode 0740 or less permissive.
SLES-12-010770	V3R1	All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
SLES-12-010780	V3R1	All SUSE operating system local initialization files must not execute world-writable programs.
SLES-12-010790	V3R1	SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010800	V3R1	SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010810	V3R1	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
SLES-12-010820	V3R1	SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
SLES-12-010830	V3R1	All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.
SLES-12-010840	V3R1	SUSE operating system kernel core dumps must be disabled unless needed.
SLES-12-010850	V3R1	A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).
SLES-12-010860	V3R1	The SUSE operating system must use a separate file system for /var.
SLES-12-010870	V3R1	The SUSE operating system must use a separate file system for the system audit data path.
SLES-12-010910	V3R1	The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
SLES-12-020199	V3R1	The SUSE operating system must not disable syscall auditing.
SLES-12-030130	V3R1	The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
SLES-12-030200	V3R1	The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
SLES-12-030210	V3R1	The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
SLES-12-030220	V3R1	The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
SLES-12-030230	V3R1	The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
SLES-12-030240	V3R1	The SUSE operating system SSH daemon must use privilege separation.
SLES-12-030250	V3R1	The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.
SLES-12-030260	V3R1	The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
SLES-12-030360	V3R1	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
SLES-12-030361	V3R1	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
SLES-12-030370	V3R1	The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
SLES-12-030380	V3R1	The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
SLES-12-030390	V3R1	The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030400	V3R1	The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030401	V3R1	The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030410	V3R1	The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
SLES-12-030420	V3R1	The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
SLES-12-030430	V3R1	The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
SLES-12-030440	V3R1	The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.
SLES-12-030611	V3R1	The SUSE operating system must use a virus scan program.
SLES-12-030261	V3R1	The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
SLES-12-010111	V3R1	The SUSE operating system must restrict privilege elevation to authorized personnel.
SLES-12-010112	V3R1	The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
SLES-12-010631	V3R1	The SUSE operating system must not have unnecessary account capabilities.
SLES-12-030362	V3R1	The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
SLES-12-030363	V3R1	The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
SLES-12-030364	V3R1	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
SLES-12-030365	V3R1	The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
SLES-12-010109	V3R1	The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.
SLES-12-010221	V3R1	The SUSE operating system must not have accounts configured with blank or null passwords.
APPL-15-003013	V1R1	The macOS system must enable firmware password.
APPL-15-005110	V1R1	The macOS system must enforce enrollment in Mobile Device Management (MDM).
APPL-15-005120	V1R1	The macOS system must enable Recovery Lock.
APPL-15-005130	V1R1	The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically.
ALMA-09-011240	V1R1	AlmaLinux OS 9 must disable core dumps for all users.
ALMA-09-011350	V1R1	AlmaLinux OS 9 must disable acquiring, saving, and processing core dumps.
ALMA-09-011460	V1R1	AlmaLinux OS 9 must disable storing core dumps.
ALMA-09-011570	V1R1	AlmaLinux OS 9 must disable core dump backtraces.
ALMA-09-011680	V1R1	AlmaLinux OS 9 must disable the kernel.core_pattern.
ALMA-09-011790	V1R1	AlmaLinux OS 9 cron configuration files directory must be group-owned by root.
ALMA-09-011900	V1R1	AlmaLinux OS 9 cron configuration files directory must be owned by root.
ALMA-09-012010	V1R1	AlmaLinux OS 9 cron configuration directories must have a mode of 0700 or less permissive.
ALMA-09-012120	V1R1	AlmaLinux OS 9 /etc/crontab file must have mode 0600.
ALMA-09-012230	V1R1	AlmaLinux OS 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
ALMA-09-012340	V1R1	AlmaLinux OS 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
ALMA-09-012450	V1R1	All AlmaLinux OS 9 local files and directories must have a valid group owner.
ALMA-09-012560	V1R1	All AlmaLinux OS 9 local files and directories must have a valid owner.
ALMA-09-012670	V1R1	AlmaLinux OS 9 /etc/group- file must be group owned by root.
ALMA-09-012780	V1R1	AlmaLinux OS 9 /etc/group- file must be owned by root.
ALMA-09-012890	V1R1	AlmaLinux OS 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-013000	V1R1	AlmaLinux OS 9 /etc/group file must be group owned by root.
ALMA-09-013110	V1R1	AlmaLinux OS 9 /etc/group file must be owned by root.
ALMA-09-013220	V1R1	AlmaLinux OS 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-013330	V1R1	The /boot/grub2/grub.cfg file must be group-owned by root.
ALMA-09-013440	V1R1	The /boot/grub2/grub.cfg file must be owned by root.
ALMA-09-013550	V1R1	AlmaLinux OS 9 must disable the ability of systemd to spawn an interactive boot process.
ALMA-09-013660	V1R1	AlmaLinux OS 9 /etc/gshadow- file must be group-owned by root.
ALMA-09-013770	V1R1	AlmaLinux OS 9 /etc/gshadow- file must be owned by root.
ALMA-09-013880	V1R1	AlmaLinux OS 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-013990	V1R1	AlmaLinux OS 9 /etc/gshadow file must be group-owned by root.
ALMA-09-014100	V1R1	AlmaLinux OS 9 /etc/gshadow file must be owned by root.
ALMA-09-014210	V1R1	AlmaLinux OS 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-014320	V1R1	The graphical display manager must not be the default target on AlmaLinux OS 9 unless approved.
ALMA-09-014430	V1R1	AlmaLinux OS 9 must disable the user list at logon for graphical user interfaces.
ALMA-09-015640	V1R1	AlmaLinux OS 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
ALMA-09-015750	V1R1	AlmaLinux OS 9 must not allow blank or null passwords.
ALMA-09-015860	V1R1	AlmaLinux OS 9 must not have accounts configured with blank or null passwords.
ALMA-09-015970	V1R1	AlmaLinux OS 9 /etc/passwd- file must be group-owned by root.
ALMA-09-016080	V1R1	AlmaLinux OS 9 /etc/passwd- file must be owned by root.
ALMA-09-016190	V1R1	AlmaLinux OS 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-016300	V1R1	AlmaLinux OS 9 /etc/passwd file must be group-owned by root.
ALMA-09-016410	V1R1	AlmaLinux OS 9 /etc/passwd file must be owned by root.
ALMA-09-016520	V1R1	AlmaLinux OS 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
ALMA-09-016630	V1R1	AlmaLinux OS 9 /etc/shadow- file must be group-owned by root.
ALMA-09-016740	V1R1	AlmaLinux OS 9 /etc/shadow- file must be owned by root.
ALMA-09-016850	V1R1	AlmaLinux OS 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
ALMA-09-016960	V1R1	AlmaLinux OS 9 /etc/shadow file must be group-owned by root.
ALMA-09-017070	V1R1	AlmaLinux OS 9 /etc/shadow file must be owned by root.
ALMA-09-017180	V1R1	AlmaLinux OS 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
ALMA-09-017290	V1R1	AlmaLinux OS 9 must restrict privilege elevation to authorized personnel.
ALMA-09-017400	V1R1	AlmaLinux OS 9 must use the invoking user's password for privilege escalation when using "sudo".
ALMA-09-017950	V1R1	AlmaLinux OS 9 must not have unauthorized accounts.
ALMA-09-018060	V1R1	AlmaLinux OS 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
ALMA-09-018170	V1R1	AlmaLinux OS 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
ALMA-09-018280	V1R1	AlmaLinux OS 9 must be configured so that the file integrity tool verifies extended attributes.
ALMA-09-018500	V1R1	AlmaLinux OS 9 must not accept router advertisements on all IPv6 interfaces.
ALMA-09-018610	V1R1	AlmaLinux OS 9 must ignore Internet Control Message Protocol (ICMP) redirect messages.
ALMA-09-018830	V1R1	AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
ALMA-09-018940	V1R1	AlmaLinux OS 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
ALMA-09-019050	V1R1	AlmaLinux OS 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
ALMA-09-019160	V1R1	AlmaLinux OS 9 must not enable IP packet forwarding unless the system is a router.
ALMA-09-019270	V1R1	AlmaLinux OS 9 must not have unauthorized IP tunnels configured.
ALMA-09-019380	V1R1	AlmaLinux OS 9 must log packets with impossible addresses.
ALMA-09-019490	V1R1	AlmaLinux OS 9 must be configured to prevent unrestricted mail relaying.
ALMA-09-019600	V1R1	AlmaLinux OS 9 must have the nss-tools package installed.
ALMA-09-019710	V1R1	AlmaLinux OS 9 network interfaces must not be in promiscuous mode.
ALMA-09-019820	V1R1	AlmaLinux OS 9 must use reverse path filtering on all IP interfaces.
ALMA-09-019930	V1R1	AlmaLinux OS 9 must not send Internet Control Message Protocol (ICMP) redirects.
ALMA-09-020040	V1R1	There must be no .shosts files on AlmaLinux OS 9.
ALMA-09-020150	V1R1	There must be no shosts.equiv files on AlmaLinux OS 9.
ALMA-09-020260	V1R1	AlmaLinux OS 9 must not forward source-routed packets.
ALMA-09-020370	V1R1	AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
ALMA-09-020480	V1R1	The AlmaLinux OS 9 SSH server configuration file must be group-owned by root.
ALMA-09-020590	V1R1	The AlmaLinux OS 9 SSH server configuration file must be owned by root.
ALMA-09-020700	V1R1	AlmaLinux OS 9 SSH server configuration files must have mode 0600 or less permissive.
ALMA-09-020810	V1R1	AlmaLinux OS 9 must not allow a noncertificate trusted host SSH logon to the system.
ALMA-09-020920	V1R1	AlmaLinux OS 9 SSH private host key files must have mode 0640 or less permissive.
ALMA-09-021030	V1R1	AlmaLinux OS 9 SSH public host key files must have mode 0644 or less permissive.
ALMA-09-021140	V1R1	AlmaLinux OS 9 SSH daemon must not allow known hosts authentication.
ALMA-09-021250	V1R1	AlmaLinux OS 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
ALMA-09-021360	V1R1	AlmaLinux OS 9 SSH daemon must not allow rhosts authentication.
ALMA-09-021470	V1R1	AlmaLinux OS 9 SSH daemon must disable remote X connections for interactive users.
ALMA-09-021580	V1R1	AlmaLinux OS 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
ALMA-09-021690	V1R1	If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
ALMA-09-021800	V1R1	AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.
ALMA-09-021910	V1R1	AlmaLinux OS 9 effective dconf policy must match the policy keyfiles.
ALMA-09-022020	V1R1	AlmaLinux OS 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
ALMA-09-022130	V1R1	All AlmaLinux OS 9 local initialization files must have mode 0740 or less permissive.
ALMA-09-022240	V1R1	AlmaLinux OS 9 must have the gnutls-utils package installed.
ALMA-09-022350	V1R1	The kdump service on AlmaLinux OS 9 must be disabled.
ALMA-09-022460	V1R1	AlmaLinux OS 9 must disable the ability of a user to restart the system from the login screen.
ALMA-09-022570	V1R1	AlmaLinux OS 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
ALMA-09-022680	V1R1	AlmaLinux OS 9 must prevent special devices on file systems that are used with removable media.
ALMA-09-022790	V1R1	AlmaLinux OS 9 must prevent code from being executed on file systems that are used with removable media.
ALMA-09-022900	V1R1	AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
ALMA-09-023010	V1R1	AlmaLinux OS 9 must disable the use of user namespaces.
ALMA-09-023120	V1R1	AlmaLinux OS 9 must prevent special devices on file systems that are imported via Network File System (NFS).
ALMA-09-023230	V1R1	AlmaLinux OS 9 must prevent code execution on file systems that are imported via Network File System (NFS).
ALMA-09-023450	V1R1	AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
ALMA-09-023560	V1R1	AlmaLinux OS 9 must configure a DNS processing mode set be Network Manager.
ALMA-09-023670	V1R1	AlmaLinux OS 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
ALMA-09-023780	V1R1	AlmaLinux OS 9 must prevent special devices on nonroot local partitions.
ALMA-09-023890	V1R1	The root account must be the only account having unrestricted access to an AlmaLinux OS 9 system.
ALMA-09-024000	V1R1	AlmaLinux OS 9 must be configured so that the cryptographic hashes of system files match vendor values.
ALMA-09-024110	V1R1	AlmaLinux OS 9 must clear the page allocator to prevent use-after-free attacks.
ALMA-09-024220	V1R1	AlmaLinux OS 9 must display the date and time of the last successful account logon upon logon.
ALMA-09-024330	V1R1	AlmaLinux OS 9 security patches and updates must be installed and up to date.
ALMA-09-024440	V1R1	AlmaLinux OS 9 policycoreutils-python-utils package must be installed.
ALMA-09-024550	V1R1	AlmaLinux OS 9 must enable the hardware random number generator entropy gatherer service.
ALMA-09-024660	V1R1	AlmaLinux OS 9 must have the rng-tools package installed.
ALMA-09-024990	V1R1	AlmaLinux OS 9 system accounts must not have an interactive login shell.
ALMA-09-025100	V1R1	AlmaLinux OS 9 must use a separate file system for /tmp.
ALMA-09-025210	V1R1	Local AlmaLinux OS 9 initialization files must not execute world-writable programs.
ALMA-09-025320	V1R1	AlmaLinux OS 9 must use a separate file system for /var/log.
ALMA-09-025430	V1R1	AlmaLinux OS 9 must use a separate file system for /var.
ALMA-09-025540	V1R1	AlmaLinux OS 9 must use a separate file system for /var/tmp.
ALMA-09-025650	V1R1	AlmaLinux OS 9 must disable virtual system calls.
ALMA-09-025760	V1R1	AlmaLinux OS 9 must use cron logging.
ALMA-09-025870	V1R1	AlmaLinux OS 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
OL08-00-010000	V1R6	OL 8 must be a vendor-supported release.
OL08-00-010010	V1R6	OL 8 vendor-packaged system security patches and updates must be installed and up to date.
OL08-00-010382	V1R6	OL 8 must restrict privilege elevation to authorized personnel.
OL08-00-010383	V1R6	OL 8 must use the invoking user's password for privilege escalation when using "sudo".
OL08-00-010424	V1R6	OL 8 must not let Meltdown and Spectre exploit critical vulnerabilities in modern processors.
OL08-00-010460	V1R6	There must be no "shosts.equiv" files on the OL 8 operating system.
OL08-00-010470	V1R6	There must be no ".shosts" files on the OL 8 operating system.
OL08-00-010471	V1R6	OL 8 must enable the hardware random number generator entropy gatherer service.
OL08-00-010472	V1R6	OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
OL08-00-010480	V1R6	The OL 8 SSH public host key files must have mode "0644" or less permissive.
OL08-00-010490	V1R6	The OL 8 SSH private host key files must have mode "0640" or less permissive.
OL08-00-010500	V1R6	The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
OL08-00-010520	V1R6	The OL 8 SSH daemon must not allow authentication using known host's authentication.
OL08-00-010521	V1R6	The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
OL08-00-010522	V1R6	The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
OL08-00-010540	V1R6	OL 8 must use a separate file system for "/var".
OL08-00-010541	V1R6	OL 8 must use a separate file system for "/var/log".
OL08-00-010542	V1R6	OL 8 must use a separate file system for the system audit data path.
OL08-00-010543	V1R6	OL 8 must use a separate file system for "/tmp".
OL08-00-010544	V1R6	OL 8 must use a separate file system for /var/tmp.
OL08-00-010561	V1R6	OL 8 must have the rsyslog service enabled and active.
OL08-00-010570	V1R6	OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
OL08-00-010571	V1R6	OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
OL08-00-010572	V1R6	OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
OL08-00-010580	V1R6	OL 8 must prevent special devices on non-root local partitions.
OL08-00-010590	V1R6	OL 8 file systems that contain user home directories must not execute binary files.
OL08-00-010600	V1R6	OL 8 file systems must not interpret character or block special devices from untrusted file systems.
OL08-00-010610	V1R6	OL 8 file systems must not execute binary files on removable media.
OL08-00-010620	V1R6	OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL08-00-010630	V1R6	OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
OL08-00-010640	V1R6	OL 8 file systems must not interpret character or block special devices that are imported via NFS.
OL08-00-010650	V1R6	OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
OL08-00-010660	V1R6	Local OL 8 initialization files must not execute world-writable programs.
OL08-00-010671	V1R6	OL 8 must disable the "kernel.core_pattern".
OL08-00-010672	V1R6	OL 8 must disable acquiring, saving, and processing core dumps.
OL08-00-010673	V1R6	OL 8 must disable core dumps for all users.
OL08-00-010674	V1R6	OL 8 must disable storing core dumps.
OL08-00-010675	V1R6	OL 8 must disable core dump backtraces.
OL08-00-010680	V1R6	For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
OL08-00-010690	V1R6	Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
OL08-00-010700	V1R6	All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
OL08-00-010710	V1R6	All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
OL08-00-010720	V1R6	All OL 8 local interactive users must have a home directory assigned in the "/etc/passwd" file.
OL08-00-010730	V1R6	All OL 8 local interactive user home directories must have mode "0750" or less permissive.
OL08-00-010731	V1R6	All OL 8 local interactive user home directory files must have mode "0750" or less permissive.
OL08-00-010740	V1R6	All OL 8 local interactive user home directories must be group-owned by the home directory owner's primary group.
OL08-00-010741	V1R6	OL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
OL08-00-010750	V1R6	All OL 8 local interactive user home directories defined in the "/etc/passwd" file must exist.
OL08-00-010760	V1R6	All OL 8 local interactive user accounts must be assigned a home directory upon creation.
OL08-00-010770	V1R6	All OL 8 local initialization files must have mode "0740" or less permissive.
OL08-00-010780	V1R6	All OL 8 files and directories must have a valid owner.
OL08-00-010790	V1R6	All OL 8 files and directories must have a valid group owner.
OL08-00-010800	V1R6	A separate OL 8 filesystem must be used for user home directories (such as "/home" or an equivalent).
OL08-00-020032	V1R6	OL 8 must disable the user list at logon for graphical user interfaces.
OL08-00-020320	V1R6	OL 8 must not have unnecessary accounts.
OL08-00-020330	V1R6	OL 8 must not allow accounts configured with blank or null passwords.
OL08-00-020331	V1R6	OL 8 must not allow blank or null passwords in the system-auth file.
OL08-00-020332	V1R6	OL 8 must not allow blank or null passwords in the password-auth file.
OL08-00-020340	V1R6	OL 8 must display the date and time of the last successful account logon upon logon.
OL08-00-020350	V1R6	OL 8 must display the date and time of the last successful account logon upon an SSH logon.
OL08-00-030010	V1R6	Cron logging must be implemented in OL 8.
OL08-00-030061	V1R6	The OL 8 audit system must audit local events.
OL08-00-030063	V1R6	OL 8 must resolve audit information before writing to disk.
OL08-00-030670	V1R6	OL 8 must have the packages required for offloading audit logs installed.
OL08-00-030680	V1R6	OL 8 must have the packages required for encrypting offloaded audit logs installed.
OL08-00-040021	V1R6	OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
OL08-00-040022	V1R6	OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
OL08-00-040023	V1R6	OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
OL08-00-040170	V1R6	The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.
OL08-00-040171	V1R6	The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
OL08-00-040172	V1R6	OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.
OL08-00-040180	V1R6	OL 8 must disable the debug-shell systemd service.
OL08-00-040190	V1R6	The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
OL08-00-040200	V1R6	The root account must be the only account having unrestricted access to the OL 8 system.
OL08-00-040209	V1R6	OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL08-00-040210	V1R6	OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL08-00-040220	V1R6	OL 8 must not send Internet Control Message Protocol (ICMP) redirects.
OL08-00-040230	V1R6	OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL08-00-040239	V1R6	OL 8 must not forward IPv4 source-routed packets.
OL08-00-040240	V1R6	OL 8 must not forward IPv6 source-routed packets.
OL08-00-040249	V1R6	OL 8 must not forward IPv4 source-routed packets by default.
OL08-00-040250	V1R6	OL 8 must not forward IPv6 source-routed packets by default.
OL08-00-040260	V1R6	OL 8 must not enable IPv6 packet forwarding unless the system is a router.
OL08-00-040261	V1R6	OL 8 must not accept router advertisements on all IPv6 interfaces.
OL08-00-040262	V1R6	OL 8 must not accept router advertisements on all IPv6 interfaces by default.
OL08-00-040270	V1R6	OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
OL08-00-040279	V1R6	OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
OL08-00-040280	V1R6	OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
OL08-00-040281	V1R6	OL 8 must disable access to the network "bpf" syscall from unprivileged processes.
OL08-00-040282	V1R6	OL 8 must restrict the use of "ptrace" to descendant processes.
OL08-00-040283	V1R6	OL 8 must restrict exposed kernel pointer addresses access.
OL08-00-040284	V1R6	OL 8 must disable the use of user namespaces.
OL08-00-040285	V1R6	OL 8 must use reverse path filtering on all IPv4 interfaces.
OL08-00-040286	V1R6	OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
OL08-00-040290	V1R6	OL 8 must be configured to prevent unrestricted mail relaying.
OL08-00-040300	V1R6	The OL 8 file integrity tool must be configured to verify extended attributes.
OL08-00-040310	V1R6	The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
OL08-00-040320	V1R6	The graphical display manager must not be installed on OL 8 unless approved.
OL08-00-040330	V1R6	OL 8 network interfaces must not be in promiscuous mode.
OL08-00-040340	V1R6	OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
OL08-00-040341	V1R6	The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
OL08-00-040350	V1R6	If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
OL08-00-040360	V1R6	A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
OL08-00-040370	V1R6	OL 8 must not have the "gssproxy" package installed if not required for operational support.
OL08-00-040380	V1R6	OL 8 must not have the "iprutils" package installed if not required for operational support.
OL08-00-040390	V1R6	OL 8 must not have the "tuned" package installed if not required for operational support.
OL08-00-010121	V1R6	The OL 8 operating system must not have accounts configured with blank or null passwords.
OL08-00-010379	V1R6	OL 8 must specify the default "include" directory for the /etc/sudoers file.
OL08-00-020101	V1R6	OL 8 must ensure the password complexity module is enabled in the system-auth file.
OL08-00-020102	V1R6	OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
OL08-00-020103	V1R6	OL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
OL08-00-020104	V1R6	OL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
OL08-00-040259	V1R6	OL 8 must not enable IPv4 packet forwarding unless the system is a router.
OL08-00-040321	V1R6	The graphical display manager must not be the default target on OL 8 unless approved.
OL09-00-000003	V1R1	OL 9 must be configured so that a separate file system must be used for user home directories (such as /home or an equivalent).
OL09-00-000004	V1R1	OL 9 must use a separate file system for /tmp.
OL09-00-000005	V1R1	OL 9 must use a separate file system for /var.
OL09-00-000006	V1R1	OL 9 must use a separate file system for /var/log.
OL09-00-000007	V1R1	OL 9 must use a separate file system for /var/tmp.
OL09-00-000015	V1R1	OL 9 vendor packaged system security patches and updates must be installed and up to date.
OL09-00-000020	V1R1	OL 9 must be configured so that the graphical display manager is not the default target unless approved.
OL09-00-000135	V1R1	OL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
OL09-00-000140	V1R1	OL 9 must not have the quagga package installed.
OL09-00-000145	V1R1	OL 9 must not have a graphical display manager installed unless approved.
OL09-00-000210	V1R1	OL 9 policycoreutils-python-utils package must be installed.
OL09-00-000224	V1R1	OL 9 must be configured so that the firewall employs a deny-all, allow-by-exception policy for allowing connections to other systems.
OL09-00-000231	V1R1	OL 9 must use the invoking user's password for privilege escalation when using sudo.
OL09-00-000232	V1R1	OL 9 must restrict privilege elevation to authorized personnel.
OL09-00-000243	V1R1	OL 9 must be configured so that the cryptographic hashes of system files match vendor values.
OL09-00-000260	V1R1	OL 9 must have the openssh-clients package installed.
OL09-00-000302	V1R1	OL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
OL09-00-000303	V1R1	OL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
OL09-00-000304	V1R1	OL 9 must be configured so that the file integrity tool verifies extended attributes.
OL09-00-000351	V1R1	OL 9 must be configured so that the rsyslog service is active.
OL09-00-000360	V1R1	OL 9 must enable the hardware random number generator entropy gatherer service.
OL09-00-000370	V1R1	OL 9 must have the rng-tools package installed.
OL09-00-000380	V1R1	OL 9 must have the nss-tools package installed.
OL09-00-000430	V1R1	OL 9 must have the gnutls-utils package installed.
OL09-00-000880	V1R1	OL 9 must write audit records to disk.
OL09-00-001000	V1R1	OL 9 must ensure the password complexity module is enabled in the system-auth file.
OL09-00-001110	V1R1	OL 9 must not allow blank or null passwords.
OL09-00-001130	V1R1	OL 9 must not have accounts configured with blank or null passwords.
OL09-00-002010	V1R1	OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
OL09-00-002011	V1R1	OL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
OL09-00-002012	V1R1	OL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
OL09-00-002013	V1R1	OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
OL09-00-002020	V1R1	OL 9 must prevent code from being executed on file systems that are used with removable media.
OL09-00-002021	V1R1	OL 9 must prevent special devices on file systems that are used with removable media.
OL09-00-002022	V1R1	OL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL09-00-002072	V1R1	OL 9 must prevent code from being executed on file systems that contain user home directories.
OL09-00-002080	V1R1	OL 9 must prevent special devices on nonroot local partitions.
OL09-00-002102	V1R1	OL 9 must disable the user list at logon for graphical user interfaces.
OL09-00-002107	V1R1	OL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
OL09-00-002127	V1R1	OL 9 must disable the ability of a user to restart the system from the login screen.
OL09-00-002128	V1R1	OL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
OL09-00-002129	V1R1	OL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
OL09-00-002162	V1R1	OL 9 effective dconf policy must match the policy keyfiles.
OL09-00-002301	V1R1	OL 9 must define default permissions for the bash shell.
OL09-00-002302	V1R1	OL 9 must define default permissions for the c shell.
OL09-00-002303	V1R1	OL 9 must define default permissions for the system default profile.
OL09-00-002348	V1R1	OL 9 SSH daemon must not allow rhosts authentication.
OL09-00-002349	V1R1	OL 9 SSH daemon must not allow known hosts authentication.
OL09-00-002350	V1R1	OL 9 SSH daemon must disable remote X connections for interactive users.
OL09-00-002351	V1R1	OL 9 SSH daemon must perform strict mode checking of home directory configuration files.
OL09-00-002352	V1R1	OL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
OL09-00-002354	V1R1	OL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
OL09-00-002355	V1R1	OL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
OL09-00-002360	V1R1	OL 9 must require reauthentication when using the "sudo" command.
OL09-00-002370	V1R1	OL 9 must disable the use of user namespaces.
OL09-00-002380	V1R1	OL 9 must disable the kernel.core_pattern.
OL09-00-002381	V1R1	OL 9 must disable core dump backtraces.
OL09-00-002382	V1R1	OL 9 must disable storing core dumps.
OL09-00-002383	V1R1	OL 9 must disable core dumps for all users.
OL09-00-002384	V1R1	OL 9 must disable acquiring, saving, and processing core dumps.
OL09-00-002385	V1R1	OL 9 must be configured so that the kdump service is disabled.
OL09-00-002392	V1R1	OL 9 must disable the ability of systemd to spawn an interactive boot process.
OL09-00-002419	V1R1	OL 9 file systems must not contain shosts.equiv files.
OL09-00-002420	V1R1	OL 9 file systems must not contain .shosts files.
OL09-00-002425	V1R1	OL 9 must be configured to prevent unrestricted mail relaying.
OL09-00-002426	V1R1	OL 9 Trivial File Transfer Protocol (TFTP) daemon must be configured to operate in secure mode if the TFTP server is required.
OL09-00-002427	V1R1	OL 9 must be configured so that local initialization files do not execute world-writable programs.
OL09-00-002430	V1R1	OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
OL09-00-002500	V1R1	OL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
OL09-00-002501	V1R1	OL 9 must not have unauthorized accounts.
OL09-00-002502	V1R1	OL 9 SSH private host key files must have mode 0640 or less permissive.
OL09-00-002503	V1R1	OL 9 SSH public host key files must have mode 0644 or less permissive.
OL09-00-002507	V1R1	OL 9 SSH server configuration file must be group-owned by root.
OL09-00-002508	V1R1	OL 9 SSH server configuration file must be owned by root.
OL09-00-002509	V1R1	OL 9 SSH server configuration file must have mode 0600 or less permissive.
OL09-00-002511	V1R1	OL 9 local files and directories must have a valid group owner.
OL09-00-002512	V1R1	OL 9 local files and directories must have a valid owner.
OL09-00-002513	V1R1	OL 9 local initialization files must have mode 0740 or less permissive.
OL09-00-002514	V1R1	OL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
OL09-00-002515	V1R1	OL 9 local interactive user home directories must have mode 0750 or less permissive.
OL09-00-002530	V1R1	OL 9 /boot/grub2/grub.cfg file must be group-owned by root.
OL09-00-002531	V1R1	OL 9 /boot/grub2/grub.cfg file must be owned by root.
OL09-00-002532	V1R1	OL 9 /etc/group file must be group-owned by root.
OL09-00-002533	V1R1	OL 9 /etc/group- file must be group-owned by root.
OL09-00-002534	V1R1	OL 9 /etc/group file must be owned by root.
OL09-00-002535	V1R1	OL 9 /etc/group- file must be owned by root.
OL09-00-002536	V1R1	OL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002537	V1R1	OL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002538	V1R1	OL 9 /etc/gshadow file must be group-owned by root.
OL09-00-002539	V1R1	OL 9 /etc/gshadow- file must be group-owned by root.
OL09-00-002540	V1R1	OL 9 /etc/gshadow file must be owned by root.
OL09-00-002541	V1R1	OL 9 /etc/gshadow- file must be owned by root.
OL09-00-002542	V1R1	OL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002543	V1R1	OL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002544	V1R1	OL 9 /etc/passwd file must be group-owned by root.
OL09-00-002545	V1R1	OL 9 /etc/passwd- file must be group-owned by root.
OL09-00-002546	V1R1	OL 9 /etc/passwd file must be owned by root.
OL09-00-002547	V1R1	OL 9 /etc/passwd- file must be owned by root.
OL09-00-002548	V1R1	OL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002549	V1R1	OL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
OL09-00-002550	V1R1	OL 9 /etc/shadow file must be group-owned by root.
OL09-00-002551	V1R1	OL 9 /etc/shadow- file must be group-owned by root.
OL09-00-002552	V1R1	OL 9 /etc/shadow file must be owned by root.
OL09-00-002553	V1R1	OL 9 /etc/shadow- file must be owned by root.
OL09-00-002554	V1R1	OL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
OL09-00-002555	V1R1	OL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
OL09-00-002580	V1R1	OL 9 cron configuration directories must have a mode of 0700 or less permissive.
OL09-00-002581	V1R1	OL 9 cron configuration files directory must be group-owned by root.
OL09-00-002582	V1R1	OL 9 cron configuration files directory must be owned by root.
OL09-00-002583	V1R1	OL 9 /etc/crontab file must have mode 0600.
OL09-00-003000	V1R1	OL 9 must be configured so that the root account is the only account having unrestricted access to the system.
OL09-00-003002	V1R1	OL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
OL09-00-003050	V1R1	OL 9 local interactive user home directories defined in the /etc/passwd file must exist.
OL09-00-003051	V1R1	OL 9 system accounts must not have an interactive login shell.
OL09-00-003052	V1R1	OL 9 local interactive user accounts must be assigned a home directory upon creation.
OL09-00-003053	V1R1	OL 9 must be configured so that executable search paths within the initialization files of all local interactive users must only contain paths that resolve to the system default or the users home directory.
OL09-00-003060	V1R1	OL 9 must set the umask value to 077 for all local interactive user accounts.
OL09-00-005010	V1R1	OL 9 must use cron logging.
OL09-00-005030	V1R1	OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
OL09-00-006002	V1R1	OL 9 must configure a DNS processing mode set be Network Manager.
OL09-00-006003	V1R1	OL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
OL09-00-006004	V1R1	OL 9 network interfaces must not be in promiscuous mode.
OL09-00-006010	V1R1	OL 9 must not have unauthorized IP tunnels configured.
OL09-00-006020	V1R1	OL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
OL09-00-006021	V1R1	OL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
OL09-00-006022	V1R1	OL 9 must log IPv4 packets with impossible addresses.
OL09-00-006023	V1R1	OL 9 must log IPv4 packets with impossible addresses by default.
OL09-00-006024	V1R1	OL 9 must use reverse path filtering on all IPv4 interfaces.
OL09-00-006025	V1R1	OL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL09-00-006026	V1R1	OL 9 must not forward IPv4 source-routed packets by default.
OL09-00-006027	V1R1	OL 9 must use a reverse-path filter for IPv4 network traffic, when possible, by default.
OL09-00-006028	V1R1	OL 9 must not enable IPv4 packet forwarding unless the system is a router.
OL09-00-006030	V1R1	OL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
OL09-00-006031	V1R1	OL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
OL09-00-006032	V1R1	OL 9 must not send Internet Control Message Protocol (ICMP) redirects.
OL09-00-006033	V1R1	OL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
OL09-00-006040	V1R1	OL 9 must not accept router advertisements on all IPv6 interfaces.
OL09-00-006041	V1R1	OL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
OL09-00-006042	V1R1	OL 9 must not forward IPv6 source-routed packets.
OL09-00-006043	V1R1	OL 9 must not enable IPv6 packet forwarding unless the system is a router.
OL09-00-006044	V1R1	OL 9 must not accept router advertisements on all IPv6 interfaces by default.
OL09-00-006045	V1R1	OL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
OL09-00-006046	V1R1	OL 9 must not forward IPv6 source-routed packets by default.
UBTU-24-100010	V1R1	Ubuntu 24.04 LTS must not have the "systemd-timesyncd" package installed.
UBTU-24-100020	V1R1	Ubuntu 24.04 LTS must not have the "ntp" package installed.
UBTU-24-100700	V1R1	Ubuntu 24.04 LTS must have the "chrony" package installed.
UBTU-24-300021	V1R1	Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
UBTU-24-300022	V1R1	Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-24-300023	V1R1	Ubuntu 24.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-24-300024	V1R1	Ubuntu 24.04 LTS must display the date and time of the last successful account logon upon logon.
UBTU-24-300025	V1R1	Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-24-300026	V1R1	Ubuntu 24.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-24-300027	V1R1	Ubuntu 24.04 LTS must not have accounts configured with blank or null passwords.
UBTU-24-300028	V1R1	Ubuntu 24.04 LTS must not allow accounts configured in Pluggable Authentication Modules (PAM) with blank or null passwords.
UBTU-24-300029	V1R1	Ubuntu 24.04 LTS must generate audit records for all events that affect the systemd journal files.
UBTU-22-211015	V1R1	Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence.
UBTU-22-215015	V1R1	Ubuntu 22.04 LTS must have the "chrony" package installed.
UBTU-22-215020	V1R1	Ubuntu 22.04 LTS must not have the "systemd-timesyncd" package installed.
UBTU-22-215025	V1R1	Ubuntu 22.04 LTS must not have the "ntp" package installed.
UBTU-22-255040	V1R1	Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
UBTU-22-255045	V1R1	Ubuntu 22.04 LTS SSH daemon must prevent remote hosts from connecting to the proxy display.
UBTU-22-271030	V1R1	Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
UBTU-22-412015	V1R1	Ubuntu 22.04 LTS must display the date and time of the last successful account logon upon logon.
UBTU-22-611060	V1R1	Ubuntu 22.04 LTS must not allow accounts configured with blank or null passwords.
UBTU-22-611065	V1R1	Ubuntu 22.04 LTS must not have accounts configured with blank or null passwords.
UBTU-22-654190	V1R1	Ubuntu 22.04 LTS must generate audit records for all events that affect the systemd journal files.
WN11-00-000005	V1R6	Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
WN11-00-000040	V1R6	Windows 11 systems must be maintained at a supported servicing level.
WN11-00-000045	V1R6	The Windows 11 system must use an antivirus program.
WN11-00-000055	V1R6	Alternate operating systems must not be permitted on the same system.
WN11-00-000075	V1R6	Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN11-00-000085	V1R6	Standard local user accounts must not exist on a system in a domain.
WN11-00-000130	V1R6	Software certificate installation files must be removed from Windows 11.
WN11-00-000135	V1R6	A host-based firewall must be installed and enabled on the system.
WN11-00-000190	V1R6	Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
WN11-00-000230	V1R6	The system must notify the user when a Bluetooth device attempts to connect.
WN11-00-000240	V1R6	Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN11-CC-000020	V1R6	IPv6 source routing must be configured to highest protection.
WN11-CC-000025	V1R6	The system must be configured to prevent IP source routing.
WN11-CC-000030	V1R6	The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN11-CC-000040	V1R6	Insecure logons to an SMB server must be disabled.
WN11-CC-000050	V1R6	Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\\SYSVOL and \\\NETLOGON shares.
WN11-CC-000060	V1R6	Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN11-CC-000065	V1R6	Wi-Fi Sense must be disabled.
WN11-CC-000068	V1R6	Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN11-CC-000070	V1R6	Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN11-CC-000075	V1R6	Credential Guard must be running on Windows 11 domain-joined systems.
WN11-CC-000080	V1R6	Virtualization-based protection of code integrity must be enabled.
WN11-CC-000085	V1R6	Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN11-CC-000090	V1R6	Group Policy objects must be reprocessed even if they have not changed.
WN11-CC-000115	V1R6	Systems must at least attempt device authentication using certificates.
WN11-CC-000170	V1R6	The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN11-CC-000195	V1R6	Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
WN11-CC-000204	V1R6	Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
WN11-CC-000206	V1R6	Windows Update must not obtain updates from other PCs on the internet.
WN11-CC-000225	V1R6	File Explorer shell protocol must run in protected mode.
WN11-CC-000255	V1R6	The use of a hardware security device with Windows Hello for Business must be enabled.
WN11-CC-000260	V1R6	Windows 11 must be configured to require a minimum pin length of six characters or greater.
WN11-CC-000295	V1R6	Attachments must be prevented from being downloaded from RSS feeds.
WN11-CC-000320	V1R6	Users must be notified if a web-based program attempts to install software.
WN11-SO-000015	V1R6	Local accounts with blank passwords must be restricted to prevent access from the network.
WN11-SO-000020	V1R6	The built-in administrator account must be renamed.
WN11-SO-000025	V1R6	The built-in guest account must be renamed.
WN11-SO-000050	V1R6	The computer account password must not be prevented from being reset.
WN11-SO-000055	V1R6	The maximum age for machine account passwords must be configured to 30 days or less.
WN11-SO-000085	V1R6	Caching of logon credentials must be limited.
WN11-SO-000095	V1R6	The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN11-SO-000140	V1R6	Anonymous SID/Name translation must not be allowed.
WN11-SO-000145	V1R6	Anonymous enumeration of SAM accounts must not be allowed.
WN11-SO-000160	V1R6	The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN11-SO-000180	V1R6	NTLM must be prevented from falling back to a Null session.
WN11-SO-000185	V1R6	PKU2U authentication using online identities must be prevented.
WN11-SO-000205	V1R6	The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN11-SO-000210	V1R6	The system must be configured to the required LDAP client signing level.
WN11-SO-000215	V1R6	The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN11-SO-000220	V1R6	The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN11-SO-000240	V1R6	The default permissions of global system objects must be increased.
WN11-UC-000020	V1R6	Zone information must be preserved when saving attachments.
WN11-00-000395	V1R6	Windows 11 must not have portproxy enabled or in use.
RHEL-09-211010	V2R5	RHEL 9 must be a vendor-supported release.
RHEL-09-211015	V2R5	RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
RHEL-09-211030	V2R5	The graphical display manager must not be the default target on RHEL 9 unless approved.
RHEL-09-211035	V2R5	RHEL 9 must enable the hardware random number generator entropy gatherer service.
RHEL-09-212015	V2R5	RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
RHEL-09-212025	V2R5	RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
RHEL-09-212030	V2R5	RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
RHEL-09-212035	V2R5	RHEL 9 must disable virtual system calls.
RHEL-09-212040	V2R5	RHEL 9 must clear the page allocator to prevent use-after-free attacks.
RHEL-09-213020	V2R5	RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL-09-213040	V2R5	RHEL 9 must disable the kernel.core_pattern.
RHEL-09-213085	V2R5	RHEL 9 must disable core dump backtraces.
RHEL-09-213090	V2R5	RHEL 9 must disable storing core dumps.
RHEL-09-213095	V2R5	RHEL 9 must disable core dumps for all users.
RHEL-09-213100	V2R5	RHEL 9 must disable acquiring, saving, and processing core dumps.
RHEL-09-213105	V2R5	RHEL 9 must disable the use of user namespaces.
RHEL-09-213115	V2R5	The kdump service on RHEL 9 must be disabled.
RHEL-09-214030	V2R5	RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
RHEL-09-215020	V2R5	RHEL 9 must not have the sendmail package installed.
RHEL-09-215060	V2R5	RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
RHEL-09-215065	V2R5	RHEL 9 must not have the quagga package installed.
RHEL-09-215070	V2R5	A graphical display manager must not be installed on RHEL 9 unless approved.
RHEL-09-215080	V2R5	RHEL 9 must have the gnutls-utils package installed.
RHEL-09-215085	V2R5	RHEL 9 must have the nss-tools package installed.
RHEL-09-215090	V2R5	RHEL 9 must have the rng-tools package installed.
RHEL-09-231010	V2R5	A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
RHEL-09-231015	V2R5	RHEL 9 must use a separate file system for /tmp.
RHEL-09-231020	V2R5	RHEL 9 must use a separate file system for /var.
RHEL-09-231025	V2R5	RHEL 9 must use a separate file system for /var/log.
RHEL-09-231035	V2R5	RHEL 9 must use a separate file system for /var/tmp.
RHEL-09-231055	V2R5	RHEL 9 must prevent code from being executed on file systems that contain user home directories.
RHEL-09-231065	V2R5	RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
RHEL-09-231070	V2R5	RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231075	V2R5	RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
RHEL-09-231080	V2R5	RHEL 9 must prevent code from being executed on file systems that are used with removable media.
RHEL-09-231085	V2R5	RHEL 9 must prevent special devices on file systems that are used with removable media.
RHEL-09-231090	V2R5	RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
RHEL-09-231200	V2R5	RHEL 9 must prevent special devices on non-root local partitions.
RHEL-09-232040	V2R5	RHEL 9 permissions of cron configuration files and directories must not be modified from the operating system defaults.
RHEL-09-232045	V2R5	All RHEL 9 local initialization files must have mode 0740 or less permissive.
RHEL-09-232050	V2R5	All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
RHEL-09-232055	V2R5	RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232060	V2R5	RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232065	V2R5	RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232070	V2R5	RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232075	V2R5	RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232080	V2R5	RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
RHEL-09-232085	V2R5	RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
RHEL-09-232090	V2R5	RHEL 9 /etc/group file must be owned by root.
RHEL-09-232095	V2R5	RHEL 9 /etc/group file must be group-owned by root.
RHEL-09-232100	V2R5	RHEL 9 /etc/group- file must be owned by root.
RHEL-09-232105	V2R5	RHEL 9 /etc/group- file must be group-owned by root.
RHEL-09-232110	V2R5	RHEL 9 /etc/gshadow file must be owned by root.
RHEL-09-232115	V2R5	RHEL 9 /etc/gshadow file must be group-owned by root.
RHEL-09-232120	V2R5	RHEL 9 /etc/gshadow- file must be owned by root.
RHEL-09-232125	V2R5	RHEL 9 /etc/gshadow- file must be group-owned by root.
RHEL-09-232130	V2R5	RHEL 9 /etc/passwd file must be owned by root.
RHEL-09-232135	V2R5	RHEL 9 /etc/passwd file must be group-owned by root.
RHEL-09-232140	V2R5	RHEL 9 /etc/passwd- file must be owned by root.
RHEL-09-232145	V2R5	RHEL 9 /etc/passwd- file must be group-owned by root.
RHEL-09-232150	V2R5	RHEL 9 /etc/shadow file must be owned by root.
RHEL-09-232155	V2R5	RHEL 9 /etc/shadow file must be group-owned by root.
RHEL-09-232160	V2R5	RHEL 9 /etc/shadow- file must be owned by root.
RHEL-09-232165	V2R5	RHEL 9 /etc/shadow- file must be group-owned by root.
RHEL-09-232230	V2R5	RHEL 9 cron configuration files directory must be owned by root.
RHEL-09-232235	V2R5	RHEL 9 cron configuration files directory must be group-owned by root.
RHEL-09-232240	V2R5	All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
RHEL-09-232250	V2R5	All RHEL 9 local files and directories must have a valid group owner.
RHEL-09-232255	V2R5	All RHEL 9 local files and directories must have a valid owner.
RHEL-09-232260	V2R5	RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
RHEL-09-232270	V2R5	RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
RHEL-09-251020	V2R5	The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
RHEL-09-251040	V2R5	RHEL 9 network interfaces must not be in promiscuous mode.
RHEL-09-251045	V2R5	RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
RHEL-09-252035	V2R5	RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
RHEL-09-252040	V2R5	RHEL 9 must configure a DNS processing mode in Network Manager.
RHEL-09-252045	V2R5	RHEL 9 must not have unauthorized IP tunnels configured.
RHEL-09-252050	V2R5	RHEL 9 must be configured to prevent unrestricted mail relaying.
RHEL-09-252065	V2R5	RHEL 9 libreswan package must be installed.
RHEL-09-252070	V2R5	There must be no shosts.equiv files on RHEL 9.
RHEL-09-252075	V2R5	There must be no .shosts files on RHEL 9.
RHEL-09-253010	V2R5	RHEL 9 must be configured to use TCP syncookies.
RHEL-09-253015	V2R5	RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-253020	V2R5	RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RHEL-09-253025	V2R5	RHEL 9 must log IPv4 packets with impossible addresses.
RHEL-09-253030	V2R5	RHEL 9 must log IPv4 packets with impossible addresses by default.
RHEL-09-253035	V2R5	RHEL 9 must use reverse path filtering on all IPv4 interfaces.
RHEL-09-253040	V2R5	RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-253045	V2R5	RHEL 9 must not forward IPv4 source-routed packets by default.
RHEL-09-253050	V2R5	RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
RHEL-09-253055	V2R5	RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RHEL-09-253060	V2R5	RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
RHEL-09-253065	V2R5	RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
RHEL-09-253070	V2R5	RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
RHEL-09-253075	V2R5	RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
RHEL-09-254010	V2R5	RHEL 9 must not accept router advertisements on all IPv6 interfaces.
RHEL-09-254015	V2R5	RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
RHEL-09-254020	V2R5	RHEL 9 must not forward IPv6 source-routed packets.
RHEL-09-254025	V2R5	RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
RHEL-09-254030	V2R5	RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
RHEL-09-254035	V2R5	RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RHEL-09-254040	V2R5	RHEL 9 must not forward IPv6 source-routed packets by default.
RHEL-09-255020	V2R5	RHEL 9 must have the openssh-clients package installed.
RHEL-09-255105	V2R5	RHEL 9 SSH server configuration file must be group-owned by root.
RHEL-09-255110	V2R5	The RHEL 9 SSH server configuration file must be owned by root.
RHEL-09-255115	V2R5	RHEL 9 SSH server configuration files' permissions must not be modified.
RHEL-09-255120	V2R5	RHEL 9 SSH private host key files must have mode 0640 or less permissive.
RHEL-09-255125	V2R5	RHEL 9 SSH public host key files must have mode 0644 or less permissive.
RHEL-09-255130	V2R5	RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
RHEL-09-255145	V2R5	RHEL 9 SSH daemon must not allow rhosts authentication.
RHEL-09-255150	V2R5	RHEL 9 SSH daemon must not allow known hosts authentication.
RHEL-09-255155	V2R5	RHEL 9 SSH daemon must disable remote X connections for interactive users.
RHEL-09-255160	V2R5	RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
RHEL-09-255165	V2R5	RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
RHEL-09-255175	V2R5	RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
RHEL-09-271090	V2R5	RHEL 9 effective dconf policy must match the policy keyfiles.
RHEL-09-271095	V2R5	RHEL 9 must disable the ability of a user to restart the system from the login screen.
RHEL-09-271100	V2R5	RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
RHEL-09-271105	V2R5	RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot.
RHEL-09-271110	V2R5	RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
RHEL-09-271115	V2R5	RHEL 9 must disable the user list at logon for graphical user interfaces.
RHEL-09-411020	V2R5	All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
RHEL-09-411025	V2R5	RHEL 9 must set the umask value to 077 for all local interactive user accounts.
RHEL-09-411035	V2R5	RHEL 9 system accounts must not have an interactive login shell.
RHEL-09-411055	V2R5	Executable search paths within the initialization files of all local interactive RHEL 9 users must only contain paths that resolve to the system default or the users home directory.
RHEL-09-411060	V2R5	All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
RHEL-09-411065	V2R5	All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.
RHEL-09-411070	V2R5	All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.
RHEL-09-411095	V2R5	RHEL 9 must not have unauthorized accounts.
RHEL-09-411100	V2R5	The root account must be the only account having unrestricted access to RHEL 9 system.
RHEL-09-411115	V2R5	Local RHEL 9 initialization files must not execute world-writable programs.
RHEL-09-412075	V2R5	RHEL 9 must display the date and time of the last successful account logon upon logon.
RHEL-09-431025	V2R5	RHEL 9 must have policycoreutils package installed.
RHEL-09-431030	V2R5	RHEL 9 policycoreutils-python-utils package must be installed.
RHEL-09-432020	V2R5	RHEL 9 must use the invoking user's password for privilege escalation when using "sudo".
RHEL-09-432030	V2R5	RHEL 9 must restrict privilege elevation to authorized personnel.
RHEL-09-611025	V2R5	RHEL 9 must not allow blank or null passwords.
RHEL-09-611045	V2R5	RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
RHEL-09-611155	V2R5	RHEL 9 must not have accounts configured with blank or null passwords.
RHEL-09-651020	V2R5	RHEL 9 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.
RHEL-09-651030	V2R5	RHEL 9 must be configured so that the file integrity tool verifies Access Control Lists (ACLs).
RHEL-09-651035	V2R5	RHEL 9 must be configured so that the file integrity tool verifies extended attributes.
RHEL-09-652015	V2R5	RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
RHEL-09-652020	V2R5	The rsyslog service on RHEL 9 must be active.
RHEL-09-652025	V2R5	RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
RHEL-09-652060	V2R5	RHEL 9 must use cron logging.
RHEL-09-653105	V2R5	RHEL 9 must write audit records to disk.
WN10-00-000005	V3R1	Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
WN10-00-000010	V3R1	Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN10-00-000015	V3R1	Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN10-00-000020	V3R1	Secure Boot must be enabled on Windows 10 systems.
WN10-00-000040	V3R1	Windows 10 systems must be maintained at a supported servicing level.
WN10-00-000045	V3R1	The Windows 10 system must use an anti-virus program.
WN10-00-000055	V3R1	Alternate operating systems must not be permitted on the same system.
WN10-00-000075	V3R1	Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN10-00-000085	V3R1	Standard local user accounts must not exist on a system in a domain.
WN10-00-000130	V3R1	Software certificate installation files must be removed from Windows 10.
WN10-00-000135	V3R1	A host-based firewall must be installed and enabled on the system.
WN10-00-000140	V3R1	Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
WN10-00-000190	V3R1	Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
WN10-00-000230	V3R1	The system must notify the user when a Bluetooth device attempts to connect.
WN10-00-000240	V3R1	Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN10-CC-000020	V3R1	IPv6 source routing must be configured to highest protection.
WN10-CC-000025	V3R1	The system must be configured to prevent IP source routing.
WN10-CC-000030	V3R1	The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN10-CC-000040	V3R1	Insecure logons to an SMB server must be disabled.
WN10-CC-000055	V3R1	Simultaneous connections to the internet or a Windows domain must be limited.
WN10-CC-000060	V3R1	Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN10-CC-000065	V3R1	Wi-Fi Sense must be disabled.
WN10-CC-000068	V3R1	Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN10-CC-000070	V3R1	Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN10-CC-000075	V3R1	Credential Guard must be running on Windows 10 domain-joined systems.
WN10-CC-000085	V3R1	Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN10-CC-000090	V3R1	Group Policy objects must be reprocessed even if they have not changed.
WN10-CC-000115	V3R1	Systems must at least attempt device authentication using certificates.
WN10-CC-000170	V3R1	The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN10-CC-000195	V3R1	Enhanced anti-spoofing for facial recognition must be enabled on Window 10.
WN10-CC-000204	V3R1	If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
WN10-CC-000205	V3R1	Windows Telemetry must not be configured to Full.
WN10-CC-000206	V3R1	Windows Update must not obtain updates from other PCs on the internet.
WN10-CC-000225	V3R1	File Explorer shell protocol must run in protected mode.
WN10-CC-000230	V3R1	Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
WN10-CC-000235	V3R1	Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
WN10-CC-000238	V3R1	Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
WN10-CC-000245	V3R1	The password manager function in the Edge browser must be disabled.
WN10-CC-000250	V3R1	The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
WN10-CC-000255	V3R1	The use of a hardware security device with Windows Hello for Business must be enabled.
WN10-CC-000260	V3R1	Windows 10 must be configured to require a minimum pin length of six characters or greater.
WN10-CC-000295	V3R1	Attachments must be prevented from being downloaded from RSS feeds.
WN10-CC-000320	V3R1	Users must be notified if a web-based program attempts to install software.
WN10-SO-000015	V3R1	Local accounts with blank passwords must be restricted to prevent access from the network.
WN10-SO-000020	V3R1	The built-in administrator account must be renamed.
WN10-SO-000025	V3R1	The built-in guest account must be renamed.
WN10-SO-000050	V3R1	The computer account password must not be prevented from being reset.
WN10-SO-000055	V3R1	The maximum age for machine account passwords must be configured to 30 days or less.
WN10-SO-000085	V3R1	Caching of logon credentials must be limited.
WN10-SO-000095	V3R1	The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN10-SO-000140	V3R1	Anonymous SID/Name translation must not be allowed.
WN10-SO-000145	V3R1	Anonymous enumeration of SAM accounts must not be allowed.
WN10-SO-000160	V3R1	The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN10-SO-000180	V3R1	NTLM must be prevented from falling back to a Null session.
WN10-SO-000185	V3R1	PKU2U authentication using online identities must be prevented.
WN10-SO-000205	V3R1	The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN10-SO-000210	V3R1	The system must be configured to the required LDAP client signing level.
WN10-SO-000215	V3R1	The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN10-SO-000220	V3R1	The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN10-SO-000240	V3R1	The default permissions of global system objects must be increased.
WN10-UC-000020	V3R1	Zone information must be preserved when saving attachments.
WN10-CC-000050	V3R1	Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\\SYSVOL and \\\NETLOGON shares.
WN10-CC-000080	V3R1	Virtualization-based protection of code integrity must be enabled.
WN10-00-000395	V3R1	Windows 10 must not have portproxy enabled or in use.
WN16-00-000010	V2R9	Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN16-00-000040	V2R9	Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN16-00-000050	V2R9	Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN16-00-000070	V2R9	Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN16-00-000100	V2R9	Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN16-00-000110	V2R9	Systems must be maintained at a supported servicing level.
WN16-00-000120	V2R9	The Windows Server 2016 system must use an anti-virus program.
WN16-00-000140	V2R9	Servers must have a host-based intrusion detection or prevention system.
WN16-00-000270	V2R9	Software certificate installation files must be removed from Windows Server 2016.
WN16-00-000310	V2R9	A host-based firewall must be installed and enabled on the system.
WN16-00-000430	V2R9	FTP servers must be configured to prevent anonymous logons.
WN16-00-000440	V2R9	FTP servers must be configured to prevent access to the system drive.
WN16-00-000460	V2R9	Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
WN16-00-000470	V2R9	Secure Boot must be enabled on Windows Server 2016 systems.
WN16-00-000480	V2R9	Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN16-CC-000040	V2R9	Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN16-CC-000050	V2R9	Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN16-CC-000060	V2R9	Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN16-CC-000080	V2R9	Insecure logons to an SMB server must be disabled.
WN16-CC-000090	V2R9	Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\\SYSVOL and \\\NETLOGON shares.
WN16-CC-000110	V2R9	Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN16-CC-000140	V2R9	Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN16-CC-000150	V2R9	Group Policy objects must be reprocessed even if they have not changed.
WN16-CC-000210	V2R9	Users must be prompted to authenticate when the system wakes from sleep (on battery).
WN16-CC-000220	V2R9	Users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN16-CC-000290	V2R9	Windows Telemetry must be configured to Security or Basic.
WN16-CC-000350	V2R9	Turning off File Explorer heap termination on corruption must be disabled.
WN16-CC-000360	V2R9	File Explorer shell protocol must run in protected mode.
WN16-CC-000420	V2R9	Attachments must be prevented from being downloaded from RSS feeds.
WN16-CC-000470	V2R9	Users must be notified if a web-based program attempts to install software.
WN16-DC-000150	V2R9	Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN16-DC-000330	V2R9	Domain controllers must be configured to allow reset of machine account passwords.
WN16-DC-000430	V2R9	The password for the krbtgt account on a domain must be reset at least every 180 days.
WN16-MS-000050	V2R9	Caching of logon credentials must be limited.
WN16-MS-000120	V2R9	Windows Server 2016 must be running Credential Guard on domain-joined member servers.
WN16-SO-000020	V2R9	Local accounts with blank passwords must be restricted to prevent access from the network.
WN16-SO-000030	V2R9	Windows Server 2016 built-in administrator account must be renamed.
WN16-SO-000040	V2R9	Windows Server 2016 built-in guest account must be renamed.
WN16-SO-000120	V2R9	The maximum age for machine account passwords must be configured to 30 days or less.
WN16-SO-000180	V2R9	The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN16-SO-000250	V2R9	Anonymous SID/Name translation must not be allowed.
WN16-SO-000260	V2R9	Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
WN16-SO-000290	V2R9	Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN16-SO-000320	V2R9	Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN16-SO-000330	V2R9	NTLM must be prevented from falling back to a Null session.
WN16-SO-000340	V2R9	PKU2U authentication using online identities must be prevented.
WN16-SO-000380	V2R9	The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
WN16-SO-000390	V2R9	Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
WN16-SO-000400	V2R9	Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000410	V2R9	Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000450	V2R9	The default permissions of global system objects must be strengthened.
WN16-UC-000030	V2R9	Zone information must be preserved when saving attachments.
WN22-00-000010	V2R5	Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN22-00-000030	V2R5	Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN22-00-000040	V2R5	Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN22-00-000060	V2R5	Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN22-00-000090	V2R5	Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN22-00-000100	V2R5	Windows Server 2022 must be maintained at a supported servicing level.
WN22-00-000110	V2R5	Windows Server 2022 must use an antivirus program.
WN22-00-000120	V2R5	Windows Server 2022 must have a host-based intrusion detection or prevention system.
WN22-00-000240	V2R5	Windows Server 2022 must have software certificate installation files removed.
WN22-00-000280	V2R5	Windows Server 2022 must have a host-based firewall installed and enabled.
WN22-00-000420	V2R5	Windows Server 2022 FTP servers must be configured to prevent anonymous logons.
WN22-00-000430	V2R5	Windows Server 2022 FTP servers must be configured to prevent access to the system drive.
WN22-00-000450	V2R5	Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.
WN22-00-000460	V2R5	Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN22-00-000470	V2R5	Windows Server 2022 must have Secure Boot enabled.
WN22-CC-000030	V2R5	Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN22-CC-000040	V2R5	Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN22-CC-000050	V2R5	Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN22-CC-000070	V2R5	Windows Server 2022 insecure logons to an SMB server must be disabled.
WN22-CC-000080	V2R5	Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\\SYSVOL and \\\NETLOGON shares.
WN22-CC-000100	V2R5	Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials.
WN22-CC-000110	V2R5	Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN22-CC-000130	V2R5	Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN22-CC-000140	V2R5	Windows Server 2022 group policy objects must be reprocessed even if they have not changed.
WN22-CC-000180	V2R5	Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN22-CC-000190	V2R5	Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN22-CC-000250	V2R5	Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data".
WN22-CC-000260	V2R5	Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet.
WN22-CC-000320	V2R5	Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled.
WN22-CC-000330	V2R5	Windows Server 2022 File Explorer shell protocol must run in protected mode.
WN22-CC-000390	V2R5	Windows Server 2022 must prevent attachments from being downloaded from RSS feeds.
WN22-CC-000440	V2R5	Windows Server 2022 users must be notified if a web-based program attempts to install software.
WN22-DC-000150	V2R5	Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
WN22-DC-000330	V2R5	Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords.
WN22-DC-000430	V2R5	The password for the krbtgt account on a domain must be reset at least every 180 days.
WN22-MS-000050	V2R5	Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN22-MS-000140	V2R5	Windows Server 2022 must be running Credential Guard on domain-joined member servers.
WN22-SO-000020	V2R5	Windows Server 2022 must prevent local accounts with blank passwords from being used from the network.
WN22-SO-000030	V2R5	Windows Server 2022 built-in administrator account must be renamed.
WN22-SO-000040	V2R5	Windows Server 2022 built-in guest account must be renamed.
WN22-SO-000100	V2R5	Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less.
WN22-SO-000150	V2R5	Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN22-SO-000210	V2R5	Windows Server 2022 must not allow anonymous SID/Name translation.
WN22-SO-000220	V2R5	Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN22-SO-000240	V2R5	Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN22-SO-000260	V2R5	Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN22-SO-000270	V2R5	Windows Server 2022 must prevent NTLM from falling back to a Null session.
WN22-SO-000280	V2R5	Windows Server 2022 must prevent PKU2U authentication using online identities.
WN22-SO-000310	V2R5	Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN22-SO-000320	V2R5	Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing.
WN22-SO-000330	V2R5	Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000340	V2R5	Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN22-SO-000370	V2R5	Windows Server 2022 default permissions of global system objects must be strengthened.
WN22-UC-000010	V2R5	Windows Server 2022 must preserve zone information when saving attachments.