BigFix Compliance Updated DISA STIG Checklist for RHEL 8 with bug fixes, published 2023-01-31 - Updated

SJPutman 2023-02-01 21:07:52 UTC #1

Product:
BigFix Compliance

Title:
Updated DISA STIG Checklist for RHEL 8 with bug fixes

Security Benchmark:
DISA STIG Checklist for RHEL 8 Benchmark, V1,R7

Published Sites:
DISA STIG Checklist for RHEL 8, site version 9
(The site version is provided for air-gap customers.)

Details:

Added more remediation support for the following check:
- RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
- The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
- The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline
  configuration or anomalies in the operation of any security functions are discovered within an
  organizationally defined frequency.
- RHEL 8 must enable the hardware random number generator entropy gatherer service.
- RHEL 8 must ensure account lockouts persist.
- RHEL 8 must cover or disable the built-in or attached camera when not in use.
- The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2
  approved cryptographic hashing algorithm for system authentication.
- The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
- RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
- RHEL 8 must disable the user list at logon for graphical user interfaces.
- RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
- RHEL 8 audit records must contain information to establish what type of events occurred, the source of
  events, where events occurred, and the outcome of events.
- A firewall must be active on RHEL 8.
- The RHEL 8 fapolicy module must be enabled.
- RHEL 8 must enable the USBGuard.
- RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
- RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less.
- RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for
  three retries or less.
- RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
- RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- The rsyslog service must be running in RHEL 8.
- RHEL 8 must disable core dumps for all users.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must automatically lock an account until the locked account is released by an administrator when three
  unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
- RHEL 8 must log user name information when unsuccessful logon attempts occur.
- RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
- RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
- RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
- RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
- RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
- RHEL 8 must require the change of at least four character classes when passwords are changed.
- RHEL 8 must require the change of at least 8 characters when passwords are changed.
- RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
- RHEL 8 passwords must have a minimum of 15 characters.
- RHEL 8 passwords for new users must have a minimum of 15 characters.
- All RHEL 8 passwords must contain at least one special character.
- RHEL 8 must prevent the use of dictionary words for passwords.
- RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
- The RHEL 8 System must take appropriate action when an audit processing failure occurs.
- The RHEL 8 audit system must audit local events.
- RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
- RHEL 8 must resolve audit information before writing to disk.
- RHEL 8 audit system must protect auditing rules from unauthorized change.
- RHEL 8 audit system must protect logon UIDs from unauthorized change.
- RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
- RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/
- The RHEL 8 audit package must be installed.
- Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
- Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
- RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
- RHEL 8 must have the packages required for offloading audit logs installed.
- RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
- RHEL 8 must take appropriate action when the internal event queue is full.
- RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- RHEL 8 must not have any automated bug reporting tools installed.
- RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
- RHEL 8 must disable the controller area network (CAN) protocol.
- RHEL 8 must disable the stream control transmission protocol (SCTP).
- RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
- RHEL 8 must disable mounting of cramfs.
- RHEL 8 must disable IEEE 1394 (FireWire) Support.
- RHEL 8 must be configured to disable USB mass storage.
- RHEL 8 Bluetooth must be disabled.
- All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
- RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- RHEL 8 must not forward IPv6 source-routed packets.
- RHEL 8 must not forward IPv6 source-routed packets by default.
- RHEL 8 must not accept router advertisements on all IPv6 interfaces.
- RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
- RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
- The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
- If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
- The krb5-server package must not be installed on RHEL 8.

Actions to take:

To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 9.2 and later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:

BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklists

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team