Product:
BigFix Compliance
Title:
Updated DISA STIG Checklist for Oracle Linux 9**.**
Security Benchmark:
Oracle Linux 9 STIG V1R4
Published Sites:
DISA STIG Checklist for Oracle Linux 9, site version 2
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 2
Total Updated Fixlets: 11
Total Deleted Fixlets: 5
Total Fixlets in Site: 442
New Fixlets:
● OL 9 must audit any script or executable called by cron as root or by any privileged user.
● OL 9 must terminate idle user sessions.
Updated Fixlets:
● OL 9 must be a vendor supported release.
● OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
● OL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
● OL 9 must be configured so that the systemd Ctrl-Alt-Delete burst key sequence is disabled.
● OL 9 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository.
● OL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
● OL 9 library files must be group owned by root or a system account.
● OL 9 library files must be owned by root.
● OL 9 library files must have mode 0755 or less permissive.
● OL 9 groups must have unique Group ID (GID)
● OL 9 duplicate User IDs (UIDs) must not exist for interactive users.
Deleted Fixlets:
● OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
● OL 9 must be configured so that local initialization files do not execute world-writable programs.
● OL 9 must prevent system daemons from using Kerberos for authentication.
● OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
● OL 9 must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.
Additional details:
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site..
● Improved a few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for those checks which requires OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint the action results will show as “Fixed”, and the check will be compliant.
Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 10.0.8 and later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see
https://help.hcl-software.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team