Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Release: 1 Benchmark Date: 27 Feb 2017
Cat I (High Severity)
- V-71849 - The file permissions, ownership, and group membership of system files and commands must match the vendor values. - RHEL-07-010010
- V-71855 - The cryptographic hash of system files and commands must match vendor values. - RHEL-07-010020
- V-71937 - The system must not have accounts configured with blank or null passwords. - RHEL-07-010290
- V-71939 - The SSH daemon must not allow authentication using an empty password. - RHEL-07-010300
- V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface. - RHEL-07-010440
- V-71955 - The operating system must not allow an unrestricted logon to the system. - RHEL-07-010450
- V-71961 - Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. - RHEL-07-010480
- V-71963 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. - RHEL-07-010490
- V-71967 - The rsh-server package must not be installed. - RHEL-07-020000
- V-71969 - The ypserv package must not be installed. - RHEL-07-020010
- V-71977 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - RHEL-07-020050
- V-71979 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. - RHEL-07-020060
- V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. - RHEL-07-020070
- V-71989 - The operating system must enable SELinux. - RHEL-07-020210
- V-71991 - The operating system must enable the SELinux targeted policy. - RHEL-07-020220
- V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled. - RHEL-07-020230
- V-71997 - The operating system must be a vendor supported release. - RHEL-07-020250
- V-72005 - The root account must be the only account having unrestricted access to the system. - RHEL-07-020310
- V-72067 - The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - RHEL-07-021350
- V-72077 - The telnet-server package must not be installed. - RHEL-07-021710
- These audit records must also identify individual identities of group account users. - RHEL-07-030000
- V-72213 - The system must use a DoD-approved virus scan program. - RHEL-07-032000
- V-72251 - The SSH daemon must be configured to only use the SSHv2 protocol. - RHEL-07-040390
- V-72277 - There must be no .shosts files on the system. - RHEL-07-040540
- V-72279 - There must be no shosts.equiv files on the system. - RHEL-07-040550
- V-72299 - A File Transfer Protocol (FTP) server package must not be installed unless needed. - RHEL-07-040690
- V-72301 - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support. - RHEL-07-040700
- V-72303 - Remote X connections for interactive users must be encrypted. - RHEL-07-040710
- V-72313 - SNMP community strings must be changed from the default. - RHEL-07-040800
Cat II (Medium Severity)
- V-71859 - The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - RHEL-07-010030
- V-71861 - The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. - RHEL-07-010040
- V-71863 - The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. - RHEL-07-010050
- V-71891 - The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. - RHEL-07-010060
- V-71893 - The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - RHEL-07-010070
- V-71895 - The operating system must set the idle delay setting for all connection types. - RHEL-07-010080
- V-71897 - The operating system must have the screen package installed. - RHEL-07-010090
- V-71899 - The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. - RHEL-07-010100
- V-71901 - The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. - RHEL-07-010110
- V-71903 - When passwords are changed or new passwords are established, the new password must contain at least one upper-case character. - RHEL-07-010120
- V-71905 - When passwords are changed or new passwords are established, the new password must contain at least one lower-case character. - RHEL-07-010130
- V-71907 - When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. - RHEL-07-010140
- V-71909 - When passwords are changed or new passwords are assigned, the new password must contain at least one special character. - RHEL-07-010150
- V-71911 - When passwords are changed a minimum of eight of the total number of characters must be changed. - RHEL-07-010160
- V-71913 - When passwords are changed a minimum of four character classes must be changed. - RHEL-07-010170
- V-71915 - When passwords are changed the number of repeating consecutive characters must not be more than four characters. - RHEL-07-010180
- V-71917 - When passwords are changed the number of repeating characters of the same character class must not be more than four characters. - RHEL-07-010190
- V-71919 - The PAM system service must be configured to store only encrypted representations of passwords. - RHEL-07-010200
- V-71921 - The shadow file must be configured to store only encrypted representations of passwords. - RHEL-07-010210
- V-71923 - User and group account administration utilities must be configured to store only encrypted representations of passwords. - RHEL-07-010220
- V-71925 - Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime. - RHEL-07-010230
- V-71927 - Passwords must be restricted to a 24 hours/1 day minimum lifetime. - RHEL-07-010240
- V-71929 - Passwords for new users must be restricted to a 60-day maximum lifetime. - RHEL-07-010250
- V-71931 - Existing passwords must be restricted to a 60-day maximum lifetime. - RHEL-07-010260
- V-71933 - Passwords must be prohibited from reuse for a minimum of five generations. - RHEL-07-010270
- V-71935 - Passwords must be a minimum of 15 characters in length. - RHEL-07-010280
- V-71941 - The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. - RHEL-07-010310
- V-71943 - Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. - RHEL-07-010320
- V-71945 - If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. - RHEL-07-010330
- V-71947 - Users must provide a password for privilege escalation. - RHEL-07-010340
- V-71949 - Users must re-authenticate for privilege escalation. - RHEL-07-010350
- V-71951 - The delay between logon prompts following a failed console logon attempt must be at least four seconds. - RHEL-07-010430
- V-71957 - The operating system must not allow users to override SSH environment variables. - RHEL-07-010460
- V-71959 - The operating system must not allow a non-certificate trusted host SSH logon to the system. - RHEL-07-010470
- V-71965 - The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - RHEL-07-010500
- V-71971 - The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - RHEL-07-020020
- V-71973 - A file integrity tool must verify the baseline operating system configuration at least weekly. - RHEL-07-020030
- V-71975 - Designated personnel must be notified if baseline configurations are changed in an unauthorized manner. - RHEL-07-020040
- V-71983 - USB mass storage must be disabled. - RHEL-07-020100
- V-71985 - File system automounter must be disabled unless required. - RHEL-07-020110
- V-71995 - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - RHEL-07-020240
- V-71999 - Vendor packaged system security patches and updates must be installed and up to date. - RHEL-07-020260
- V-72001 - The system must not have unnecessary accounts. - RHEL-07-020270
- V-72007 - All files and directories must have a valid owner. - RHEL-07-020320
- V-72009 - All files and directories must have a valid group owner. - RHEL-07-020330
- V-72011 - All local interactive users must have a home directory assigned in the /etc/passwd file. - RHEL-07-020600
- V-72013 - All local interactive user accounts, upon creation, must be assigned a home directory. - RHEL-07-020610
- V-72015 - All local interactive user home directories defined in the /etc/passwd file must exist. - RHEL-07-020620
- V-72017 - All local interactive user home directories must have mode 0750 or less permissive. - RHEL-07-020630
- V-72019 - All local interactive user home directories must be owned by their respective users. - RHEL-07-020640
- V-72021 - All local interactive user home directories must be group-owned by the home directory owner's primary group. - RHEL-07-020650
- V-72023 - All files and directories contained in local interactive user home directories must be owned by the owner of the home directory. - RHEL-07-020660
- V-72025 - All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member. - RHEL-07-020670
- V-72027 - All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. - RHEL-07-020680
- V-72029 - All local initialization files for interactive users must be owned by the home directory user or root. - RHEL-07-020690
- V-72031 - Local initialization files for local interactive users must be group-owned by the user's primary group or root. - RHEL-07-020700
- V-72033 - All local initialization files must have mode 0740 or less permissive. - RHEL-07-020710
- V-72035 - All local interactive user initialization files executable search paths must contain only paths that resolve to the user's home directory. - RHEL-07-020720
- V-72037 - Local initialization files must not execute world-writable programs. - RHEL-07-020730
- V-72039 - All system device files must be correctly labeled to prevent unauthorized modification. - RHEL-07-020900
- V-72041 - File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. - RHEL-07-021000
- V-72043 - File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. - RHEL-07-021010
- V-72045 - File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. - RHEL-07-021020
- V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group. - RHEL-07-021030
- V-72049 - The umask must be set to 077 for all local interactive user accounts. - RHEL-07-021040
- V-72051 - Cron logging must be implemented. - RHEL-07-021100
- V-72053 - If the cron.allow file exists it must be owned by root. - RHEL-07-021110
- V-72055 - If the cron.allow file exists it must be group-owned by root. - RHEL-07-021120
- V-72057 - Kernel core dumps must be disabled unless needed. - RHEL-07-021300
- V-72073 - The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. - RHEL-07-021620
- V-72075 - The system must not allow removable media to be used as the boot loader unless approved. - RHEL-07-021700
- V-72081 - The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. - RHEL-07-030010
- V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited. - RHEL-07-030300
- V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. - RHEL-07-030310
- V-72087 - The audit system must take appropriate action when the audit storage volume is full. - RHEL-07-030320
- V-72089 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. - RHEL-07-030330
- V-72091 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. - RHEL-07-030340
- V-72093 - The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. - RHEL-07-030350
- V-72095 - All privileged function executions must be audited. - RHEL-07-030360
- V-72097 - All uses of the chown command must be audited. - RHEL-07-030370
- V-72099 - All uses of the fchown command must be audited. - RHEL-07-030380
- V-72101 - All uses of the lchown command must be audited. - RHEL-07-030390
- V-72103 - All uses of the fchownat command must be audited. - RHEL-07-030400
- V-72105 - All uses of the chmod command must be audited. - RHEL-07-030410
- V-72107 - All uses of the fchmod command must be audited. - RHEL-07-030420
- V-72109 - All uses of the fchmodat command must be audited. - RHEL-07-030430
- V-72111 - All uses of the setxattr command must be audited. - RHEL-07-030440
- V-72113 - All uses of the fsetxattr command must be audited. - RHEL-07-030450
- V-72115 - All uses of the lsetxattr command must be audited. - RHEL-07-030460
- V-72117 - All uses of the removexattr command must be audited. - RHEL-07-030470
- V-72119 - All uses of the fremovexattr command must be audited. - RHEL-07-030480
- V-72121 - All uses of the lremovexattr command must be audited. - RHEL-07-030490
- V-72123 - All uses of the creat command must be audited. - RHEL-07-030500
- V-72125 - All uses of the open command must be audited. - RHEL-07-030510
- V-72127 - All uses of the openat command must be audited. - RHEL-07-030520
- V-72129 - All uses of the open_by_handle_at command must be audited. - RHEL-07-030530
- V-72131 - All uses of the truncate command must be audited. - RHEL-07-030540
- V-72133 - All uses of the ftruncate command must be audited. - RHEL-07-030550
- V-72135 - All uses of the semanage command must be audited. - RHEL-07-030560
- V-72137 - All uses of the setsebool command must be audited. - RHEL-07-030570
- V-72139 - All uses of the chcon command must be audited. - RHEL-07-030580
- V-72141 - All uses of the restorecon command must be audited. - RHEL-07-030590
- V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events. - RHEL-07-030600
- V-72145 - The operating system must generate audit records for all unsuccessful account access events. - RHEL-07-030610
- V-72147 - The operating system must generate audit records for all successful account access events. - RHEL-07-030620
- V-72149 - All uses of the passwd command must be audited. - RHEL-07-030630
- V-72151 - All uses of the unix_chkpwd command must be audited. - RHEL-07-030640
- V-72153 - All uses of the gpasswd command must be audited. - RHEL-07-030650
- V-72155 - All uses of the chage command must be audited. - RHEL-07-030660
- V-72157 - All uses of the userhelper command must be audited. - RHEL-07-030670
- V-72159 - All uses of the su command must be audited. - RHEL-07-030680
- V-72161 - All uses of the sudo command must be audited. - RHEL-07-030690
- V-72163 - All uses of the sudoers command must be audited. - RHEL-07-030700
- V-72165 - All uses of the newgrp command must be audited. - RHEL-07-030710
- V-72167 - All uses of the chsh command must be audited. - RHEL-07-030720
- V-72169 - All uses of the sudoedit command must be audited. - RHEL-07-030730
- V-72171 - All uses of the mount command must be audited. - RHEL-07-030740
- V-72173 - All uses of the umount command must be audited. - RHEL-07-030750
- V-72175 - All uses of the postdrop command must be audited. - RHEL-07-030760
- V-72177 - All uses of the postqueue command must be audited. - RHEL-07-030770
- V-72179 - All uses of the ssh-keysign command must be audited. - RHEL-07-030780
- V-72181 - All uses of the pt_chown command must be audited. - RHEL-07-030790
- V-72183 - All uses of the crontab command must be audited. - RHEL-07-030800
- V-72185 - All uses of the pam_timestamp_check command must be audited. - RHEL-07-030810
- V-72187 - All uses of the init_module command must be audited. - RHEL-07-030820
- V-72189 - All uses of the delete_module command must be audited. - RHEL-07-030830
- V-72191 - All uses of the insmod command must be audited. - RHEL-07-030840
- V-72193 - All uses of the rmmod command must be audited. - RHEL-07-030850
- V-72195 - All uses of the modprobe command must be audited. - RHEL-07-030860
- V-72197 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. - RHEL-07-030870
- V-72199 - All uses of the rename command must be audited. - RHEL-07-030880
- V-72201 - All uses of the renameat command must be audited. - RHEL-07-030890
- V-72203 - All uses of the rmdir command must be audited. - RHEL-07-030900
- V-72205 - All uses of the unlink command must be audited. - RHEL-07-030910
- V-72207 - All uses of the unlinkat command must be audited. - RHEL-07-030920
- V-72209 - The system must send rsyslog output to a log aggregation server. - RHEL-07-031000
- V-72211 - The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation. - RHEL-07-031010
- V-72215 - The system must update the DoD-approved virus scan program every seven days or more frequently. - RHEL-07-032010
- V-72219 - The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. - RHEL-07-040100
- V-72221 - A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications. - RHEL-07-040110
- V-72223 - All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. - RHEL-07-040160
- V-72225 - The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts. - RHEL-07-040170
- V-72227 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. - RHEL-07-040180
- V-72229 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. - RHEL-07-040190
- V-72231 - The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. - RHEL-07-040200
- V-72233 - All networked systems must have SSH installed. - RHEL-07-040300
- V-72235 - All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. - RHEL-07-040310
- V-72237 - All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - RHEL-07-040320
- V-72239 - The SSH daemon must not allow authentication using RSA rhosts authentication. - RHEL-07-040330
- V-72241 - All network connections associated with SSH traffic must terminate after a period of inactivity. - RHEL-07-040340
- V-72243 - The SSH daemon must not allow authentication using rhosts authentication. - RHEL-07-040350
- V-72245 - The system must display the date and time of the last successful account logon upon an SSH logon. - RHEL-07-040360
- V-72247 - The system must not permit direct logons to the root account using remote access via SSH. - RHEL-07-040370
- V-72249 - The SSH daemon must not allow authentication using known hosts authentication. - RHEL-07-040380
- V-72253 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - RHEL-07-040400
- V-72255 - The SSH public host key files must have mode 0644 or less permissive. - RHEL-07-040410
- V-72257 - The SSH private host key files must have mode 0600 or less permissive. - RHEL-07-040420
- V-72259 - The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. - RHEL-07-040430
- V-72261 - The SSH daemon must not permit Kerberos authentication unless needed. - RHEL-07-040440
- V-72263 - The SSH daemon must perform strict mode checking of home directory configuration files. - RHEL-07-040450
- V-72265 - The SSH daemon must use privilege separation. - RHEL-07-040460
- V-72267 - The SSH daemon must not allow compression or must only allow compression after successful authentication. - RHEL-07-040470
- V-72269 - The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). - RHEL-07-040500
- V-72271 - The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces. - RHEL-07-040510
- V-72273 - The operating system must enable an application firewall, if available. - RHEL-07-040520
- V-72283 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets. - RHEL-07-040610
- V-72285 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. - RHEL-07-040620
- V-72287 - The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - RHEL-07-040630
- V-72289 - The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. - RHEL-07-040640
- V-72291 - The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. - RHEL-07-040650
- V-72293 - The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. - RHEL-07-040660
- V-72295 - Network interfaces must not be in promiscuous mode. - RHEL-07-040670
- V-72297 - The system must be configured to prevent unrestricted mail relaying. - RHEL-07-040680
- V-72305 - If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. - RHEL-07-040720
- V-72307 - An X Windows display manager must not be installed unless approved. - RHEL-07-040730
- V-72309 - The system must not be performing packet forwarding unless the system is a router. - RHEL-07-040740
- V-72311 - The Network File System (NFS) must be configured to use RPCSEC_GSS. - RHEL-07-040750
- V-72315 - The system access control program must be configured to grant or deny system access to specific hosts and services. - RHEL-07-040810
- V-72317 - The system must not have unauthorized IP tunnels configured. - RHEL-07-040820
- V-72319 - The system must not forward IPv6 source-routed packets. - RHEL-07-040830
- V-72417 - The operating system must have the required packages for multifactor authentication installed. - RHEL-07-041001
- V-72427 - The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). - RHEL-07-041002
- V-72433 - The operating system must implement certificate status checking for PKI authentication. - RHEL-07-041003
- V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. - RHEL-07-041004
- V-73155 - The operating system must set the lock delay setting for all connection types. - RHEL-07-010081
- V-73157 - The operating system must set the session idle delay setting for all connection types. - RHEL-07-010082
- V-73159 - When passwords are changed or new passwords are established, pwquality must be used. - RHEL-07-010119
- V-73161 - File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. - RHEL-07-021021
- V-73163 - The audit system must take appropriate action when there is an error sending audit records to a remote system. - RHEL-07-030321
- V-73165 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. - RHEL-07-030871
- V-73167 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. - RHEL-07-030872
- V-73171 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. - RHEL-07-030873
- V-73173 - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. - RHEL-07-030874
- V-73175 - The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - RHEL-07-040641
- V-73177 - Wireless network adapters must be disabled. - RHEL-07-041010
Cat III (Low Severity)
- V-71987 - The operating system must remove all software components after updated versions have been installed. - RHEL-07-020200
- V-72003 - All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. - RHEL-07-020300
- V-72059 - A separate file system must be used for user home directories (such as /home or an equivalent). - RHEL-07-021310
- V-72061 - The system must use a separate file system for /var. - RHEL-07-021320
- V-72063 - The system must use a separate file system for the system audit data path. - RHEL-07-021330
- V-72065 - The system must use a separate file system for /tmp (or equivalent). - RHEL-07-021340
- V-72069 - The file integrity tool must be configured to verify Access Control Lists (ACLs). - RHEL-07-021600
- V-72071 - The file integrity tool must be configured to verify extended attributes. - RHEL-07-021610
- V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. - RHEL-07-040000
- V-72275 - The system must display the date and time of the last successful account logon upon logon. - RHEL-07-040530
- V-72281 - For systems using DNS resolution, at least two name servers must be configured. - RHEL-07-040600