Product:
BigFix Compliance
Title:
Updated DISA STIG Checklist for Red Hat Enterprise Linux 9
Security Benchmark:
Red Hat Enterprise Linux 9 STIG SCAP Benchmark V2R7
Published Sites:
DISA STIG Checklist for RHEL 9, site version 8
(The site version is provided for air-gap customers.)
Details:
● Total New Fixlets: 0
● Total Updated Fixlets: 9
● Total Deleted Fixlets: 3
● Total Fixlets in Site: 439
Updated Fixlets:
● The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
● RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
● RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity.
● RHEL 9 must terminate idle user sessions.
● RHEL 9 must require authentication to access emergency mode.
● RHEL 9 must enable FIPS mode.
● The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode.
● RHEL 9 must not install packages from the Extra Packages for Enterprise Linux (EPEL) repository.
● RHEL 9 SSH server configuration files' permissions must not be modified.
Deleted Checks:
● Local RHEL 9 initialization files must not execute world-writable programs.
● RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
● RHEL 9 must display the date and time of the last successful account logon upon logon.
Additional details:
● Both analysis and remediation checks are included.
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
● Improved a few checks by adding the pending restart feature to them. The pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for those checks which require OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
● Post reboot of the endpoint the action results will show as “Fixed” and the check will be compliant.
Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product and you must be using BigFix version 10.0 and later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
Welcome to Wikis
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team