BigFix Compliance Updated DISA STIG Checklist for RHEL 8 with bug fixes, published 2023-01-31 - Updated

Product:
BigFix Compliance

Title:
Updated DISA STIG Checklist for RHEL 8 with bug fixes

Security Benchmark:
DISA STIG Checklist for RHEL 8 Benchmark, V1,R7

Published Sites:
DISA STIG Checklist for RHEL 8, site version 9
(The site version is provided for air-gap customers.)

Details:

  • Added more remediation support for the following checks:
    • RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
    • The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
    • The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline
      configuration or anomalies in the operation of any security functions are discovered within an
      organizationally defined frequency.
    • RHEL 8 must enable the hardware random number generator entropy gatherer service.
    • RHEL 8 must ensure account lockouts persist.
    • RHEL 8 must cover or disable the built-in or attached camera when not in use.
    • The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2
      approved cryptographic hashing algorithm for system authentication.
    • The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
    • RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
    • RHEL 8 must disable the user list at logon for graphical user interfaces.
    • RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
    • RHEL 8 audit records must contain information to establish what type of events occurred, the source of
      events, where events occurred, and the outcome of events.
    • A firewall must be active on RHEL 8.
    • The RHEL 8 fapolicy module must be enabled.
    • RHEL 8 must enable the USBGuard.
    • RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
    • RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
    • RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for
      three retries or less.
    • RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
    • RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
    • The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
    • The rsyslog service must be running in RHEL 8.
    • RHEL 8 must disable core dumps for all users.
    • RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
    • RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
    • RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
    • RHEL 8 must automatically lock an account until the locked account is released by an administrator when three
      unsuccessful logon attempts occur during a 15-minute time period.
    • RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
    • RHEL 8 must log user name information when unsuccessful logon attempts occur.
    • RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
    • RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
    • RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
    • RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
    • RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
    • RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
    • RHEL 8 must require the change of at least four character classes when passwords are changed.
    • RHEL 8 must require the change of at least 8 characters when passwords are changed.
    • RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
    • RHEL 8 passwords must have a minimum of 15 characters.
    • RHEL 8 passwords for new users must have a minimum of 15 characters.
    • All RHEL 8 passwords must contain at least one special character.
    • RHEL 8 must prevent the use of dictionary words for passwords.
    • RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
    • The RHEL 8 System must take appropriate action when an audit processing failure occurs.
    • The RHEL 8 audit system must audit local events.
    • RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
    • RHEL 8 must resolve audit information before writing to disk.
    • RHEL 8 audit system must protect auditing rules from unauthorized change.
    • RHEL 8 audit system must protect logon UIDs from unauthorized change.
    • RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
    • RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/
    • The RHEL 8 audit package must be installed.
    • Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
    • Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
    • RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
    • RHEL 8 must have the packages required for offloading audit logs installed.
    • RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
    • RHEL 8 must take appropriate action when the internal event queue is full.
    • RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
    • RHEL 8 must not have any automated bug reporting tools installed.
    • RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
    • RHEL 8 must disable the controller area network (CAN) protocol.
    • RHEL 8 must disable the stream control transmission protocol (SCTP).
    • RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
    • RHEL 8 must disable mounting of cramfs.
    • RHEL 8 must disable IEEE 1394 (FireWire) Support.
    • RHEL 8 must be configured to disable USB mass storage.
    • RHEL 8 Bluetooth must be disabled.
    • All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
    • RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
    • RHEL 8 must not forward IPv6 source-routed packets.
    • RHEL 8 must not forward IPv6 source-routed packets by default.
    • RHEL 8 must not accept router advertisements on all IPv6 interfaces.
    • RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
    • RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
    • The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
    • If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
    • The krb5-server package must not be installed on RHEL 8.

Actions to take:

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team
