Product:
BigFix Compliance
Title:
Updated DISA STIG Checklist for RHEL 8 with bug fixes
Security Benchmark:
DISA STIG Checklist for RHEL 8 Benchmark, V1,R7
Published Sites:
DISA STIG Checklist for RHEL 8, site version 9
(The site version is provided for air-gap customers.)
Details:
- Added more remediation support for the following checks:
- RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
- The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
- The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
- RHEL 8 must enable the hardware random number generator entropy gatherer service.
- RHEL 8 must ensure account lockouts persist.
- RHEL 8 must cover or disable the built-in or attached camera when not in use.
- The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
- RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
- RHEL 8 must disable the user list at logon for graphical user interfaces.
- RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
- RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
- A firewall must be active on RHEL 8.
- The RHEL 8 fapolicy module must be enabled.
- RHEL 8 must enable the USBGuard.
- RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
- RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
- RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
- RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
- RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- The rsyslog service must be running in RHEL 8.
- RHEL 8 must disable core dumps for all users.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
- RHEL 8 must log user name information when unsuccessful logon attempts occur.
- RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
- RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
- RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
- RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
- RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
- RHEL 8 must require the change of at least four character classes when passwords are changed.
- RHEL 8 must require the change of at least 8 characters when passwords are changed.
- RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
- RHEL 8 passwords must have a minimum of 15 characters.
- RHEL 8 passwords for new users must have a minimum of 15 characters.
- All RHEL 8 passwords must contain at least one special character.
- RHEL 8 must prevent the use of dictionary words for passwords.
- RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
- The RHEL 8 System must take appropriate action when an audit processing failure occurs.
- The RHEL 8 audit system must audit local events.
- RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
- RHEL 8 must resolve audit information before writing to disk.
- RHEL 8 audit system must protect auditing rules from unauthorized change.
- RHEL 8 audit system must protect logon UIDs from unauthorized change.
- RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
- RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/
- The RHEL 8 audit package must be installed.
- Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
- Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
- RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
- RHEL 8 must have the packages required for offloading audit logs installed.
- RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
- RHEL 8 must take appropriate action when the internal event queue is full.
- RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- RHEL 8 must not have any automated bug reporting tools installed.
- RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
- RHEL 8 must disable the controller area network (CAN) protocol.
- RHEL 8 must disable the stream control transmission protocol (SCTP).
- RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
- RHEL 8 must disable mounting of cramfs.
- RHEL 8 must disable IEEE 1394 (FireWire) Support.
- RHEL 8 must be configured to disable USB mass storage.
- RHEL 8 Bluetooth must be disabled.
- All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
- RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- RHEL 8 must not forward IPv6 source-routed packets.
- RHEL 8 must not forward IPv6 source-routed packets by default.
- RHEL 8 must not accept router advertisements on all IPv6 interfaces.
- RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
- RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
- The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
- If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
- The krb5-server package must not be installed on RHEL 8.
Actions to take:
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team