diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 0845bd49d442..47fb7a0810d9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -42,7 +42,6 @@ references:
nist: IA-5(f),IA-5(1)(a),CM-6(a)
nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
srg: SRG-OS-000078-GPOS-00046
- stigid@ol8: OL08-00-020231
ocil_clause: 'it is not set to the required value'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
index 104c9a9ac28f..25d2d0206bba 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -30,7 +30,7 @@ references:
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-13,SC-12(2),SC-12(3)
srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
- stigid@ol8: OL08-00-010020
+ stigid@ol8: OL08-00-010020,OL08-00-010187
ocil_clause: |-
BIND is installed and the BIND config file doesn't contain the
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index 0a37f3de46de..11bbd91c8b83 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -68,7 +68,7 @@ references:
nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
- stigid@ol8: OL08-00-010020
+ stigid@ol8: OL08-00-010020,OL08-00-010183,OL08-00-010181
ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
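Review bot: The STIG ID list on the added `stigid@ol8` line is not in ascending order (`OL08-00-010020,OL08-00-010183,OL08-00-010181`), and the same holds for the list added in the fips_crypto_subpolicy rule.yml hunk (`OL08-00-010184,OL08-00-010182,OL08-00-010181`), whereas the other lists in this commit, such as `OL08-00-010020,OL08-00-010187`, are sorted. These comma-separated values are what reviewers and tooling grep for when reconciling a benchmark release, so a stable order keeps later diffs small. Suggested lines: `stigid@ol8: OL08-00-010020,OL08-00-010181,OL08-00-010183` here and `stigid@ol8: OL08-00-010181,OL08-00-010182,OL08-00-010184` in fips_crypto_subpolicy.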
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
index 2305601e885b..849d62a869ed 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
@@ -29,7 +29,6 @@ identifiers:
references:
nist: AC-17(2)
srg: SRG-OS-000250-GPOS-00093,SRG-OS-000423-GPOS-00187
- stigid@ol8: OL08-00-010295
ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
index 33b23289bda7..6329b0864f0d 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -34,7 +34,7 @@ references:
nist: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
pcidss: Req-2.2
srg: SRG-OS-000033-GPOS-00014
- stigid@ol8: OL08-00-010020
+ stigid@ol8: OL08-00-010020,OL08-00-010186
ocil_clause: |-
the "IPsec" service is active and the ipsec configuration file does not contain does not contain include /etc/crypto-policies/back-ends/libreswan.config
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
index 01899322dda3..af136814fa7a 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
@@ -43,7 +43,6 @@ identifiers:
references:
nist: AC-17(2)
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
- stigid@ol8: OL08-00-010294
ocil_clause: 'cryptographic policy for openssl is not configured or is configured incorrectly'
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
index ccd2d2b2b5e5..a9c819fde913 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -33,7 +33,6 @@ references:
ospp: FCS_SSH_EXT.1,FCS_SSHS_EXT.1,FCS_SSHC_EXT.1
pcidss: Req-2.2
srg: SRG-OS-000250-GPOS-00093
- stigid@ol8: OL08-00-010287
ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in {{{ sshd_sysconfig }}}'
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
index d31c210b09a3..eead135e343f 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -29,6 +29,7 @@ identifiers:
references:
nist: AC-17(2)
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093
+ stigid@ol8: OL08-00-010185
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
index c3ed2b166ca3..90a04202b1ab 100644
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
references:
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@ol8: OL08-00-010180
{{{ complete_ocil_entry_package_installed("crypto-policies") }}}
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
index ea08f8e52b0a..8648f0127783 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -56,7 +56,7 @@ references:
nist: CM-3(6),SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1
srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176
- stigid@ol8: OL08-00-010020,OL08-00-010293
+ stigid@ol8: OL08-00-010020,OL08-00-010182
ocil_clause: 'FIPS mode is not enabled'
diff --git a/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml
index b6f4415705c6..90ee25c43814 100644
--- a/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml
@@ -19,6 +19,7 @@ identifiers:
references:
srg: SRG-OS-000033-GPOS-00014
+ stigid@ol8: OL08-00-010184,OL08-00-010182,OL08-00-010181
severity: medium
diff --git a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml
index d812375e6e5a..42583a3260cb 100644
--- a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml
@@ -16,6 +16,7 @@ identifiers:
references:
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+ stigid@ol8: OL08-00-010181
ocil_clause: 'the STIG subpolicy does not exist'
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 4c8cd06f5fc0..1fffb98a55db 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -1,7 +1,7 @@
documentation_complete: true
metadata:
- version: V2R7
+ version: V2R8
reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
@@ -9,7 +9,7 @@ title: 'DISA STIG for Oracle Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG for Oracle Linux 8 V2R7.
+ DISA STIG for Oracle Linux 8 V2R8.
selections:
### Variables
@@ -28,7 +28,6 @@ selections:
- var_password_pam_remember_control_flag=ol8
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - var_accounts_password_minlen_login_defs=15
- var_password_pam_unix_rounds=5000
- var_password_pam_minlen=15
- var_password_pam_ocredit=1
@@ -68,11 +67,22 @@ selections:
- var_multiple_time_servers=stig
### Enable / Configure FIPS
- # OL08-00-010293, OL08-00-010020
+ # OL08-00-010020, OL08-00-010182
- enable_fips_mode
- - var_system_crypto_policy=fips
+ - var_system_crypto_policy=fips_stig
+ # OL08-00-010180
+ - package_crypto-policies_installed
+ - package_crypto-policies_installed.severity=high
+ # OL08-00-010183
- configure_crypto_policy
+ # OL08-00-010181, OL08-00-010184, OL08-00-010182
+ - fips_crypto_subpolicy
+ - fips_crypto_subpolicy.severity=high
+ - fips_custom_stig_sub_policy
+ - fips_custom_stig_sub_policy.severity=high
+ # OL08-00-010187
- configure_bind_crypto_policy
+ # OL08-00-010186
- configure_libreswan_crypto_policy
- configure_kerberos_crypto_policy
- enable_dracut_fips_module
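Review bot: The comment added above `configure_crypto_policy` lists only `# OL08-00-010183`, while the same commit gives that rule `stigid@ol8: OL08-00-010020,OL08-00-010183,OL08-00-010181`, so a search of the profile for OL08-00-010181 no longer finds every selection that satisfies it; the comment should carry the rule's full list, `# OL08-00-010020, OL08-00-010181, OL08-00-010183`, as is done for `enable_fips_mode`. Separately, `var_system_crypto_policy=fips_stig` replaces the previous `fips` value; whether `fips_stig` is a declared option of that variable cannot be confirmed from this diff, and because the FIPS selections below rely on it, a build failure or an unset policy at scan time is the failure mode to test for. The selections list continues past the end of this hunk.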
@@ -165,6 +175,10 @@ selections:
# OL08-00-010171
- package_policycoreutils_installed
+ # OL08-00-010185
+ - harden_sshd_macs_openssh_conf_crypto_policy
+ - harden_sshd_macs_openssh_conf_crypto_policy.severity=high
+
# OL08-00-010190
- dir_perms_world_writable_sticky_bits
@@ -193,24 +207,17 @@ selections:
# OL08-00-010260
- file_groupowner_var_log
- # OL08-00-010287
- - configure_ssh_crypto_policy
-
# OL08-00-010290
- harden_sshd_macs_opensshserver_conf_crypto_policy
+ - harden_sshd_macs_opensshserver_conf_crypto_policy.severity=high
# OL08-00-010291
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy.severity=high
# OL08-00-010292
- sshd_use_strong_rng
- # OL08-00-010294
- - configure_openssl_tls_crypto_policy
-
- # OL08-00-010295
- - configure_gnutls_tls_crypto_policy
-
# OL08-00-010300
- file_permissions_binary_dirs
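Review bot: Dropping `configure_ssh_crypto_policy` removes the only selected rule that checked `CRYPTO_POLICY` in /etc/sysconfig/sshd is commented out, yet the retained `harden_sshd_macs_opensshserver_conf_crypto_policy` and `harden_sshd_ciphers_opensshserver_conf_crypto_policy` (now raised to severity=high) inspect the crypto-policies back-end file that sshd only honors when that override is absent, per the benchmark text removed from the XML in this same commit. A host with an uncommented `CRYPTO_POLICY=` line would therefore pass both retained checks while sshd ignores the policy. The removal tracks V2R8 dropping OL08-00-010287, so it is consistent with the benchmark, but consider keeping the rule selected without an ID comment, as `configure_kerberos_crypto_policy` already is in the FIPS block, or recording the coverage gap in a comment such as `# OL08-00-010287 was removed in V2R8; sshd override of the system policy is no longer checked`. The selections list continues outside this hunk.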
@@ -608,9 +615,6 @@ selections:
# OL08-00-020230
- accounts_password_pam_minlen
- # OL08-00-020231
- - accounts_password_minlen_login_defs
-
# OL08-00-020240
- account_unique_id
@@ -1193,9 +1197,6 @@ selections:
# OL08-00-040341
- sshd_x11_use_localhost
- # OL08-00-040342
- - sshd_use_approved_kex_ordered_stig
-
# OL08-00-040350
- tftp_uses_secure_mode_systemd
diff --git a/products/ol8/profiles/stig_gui.profile b/products/ol8/profiles/stig_gui.profile
index 109fd4d08f8c..1c53fa35fdd0 100644
--- a/products/ol8/profiles/stig_gui.profile
+++ b/products/ol8/profiles/stig_gui.profile
@@ -1,13 +1,13 @@
documentation_complete: true
metadata:
- version: V2R7
+ version: V2R8
title: 'DISA STIG with GUI for Oracle Linux 8'
description: |-
This profile contains configuration checks that align to the
- DISA STIG with GUI for Oracle Linux V2R7.
+ DISA STIG with GUI for Oracle Linux V2R8.
Warning: The installation and use of a Graphical User Interface (GUI)
increases your attack vector and decreases your overall security posture. If
diff --git a/shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r8-xccdf-manual.xml
similarity index 87%
rename from shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml
rename to shared/references/disa-stig-ol8-v2r8-xccdf-manual.xml
index b0668a886a3d..0c51b379d13f 100644
--- a/shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml
+++ b/shared/references/disa-stig-ol8-v2r8-xccdf-manual.xml
@@ -1,4 +1,4 @@
-acceptedOracle Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 05 Jan 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL08-00-030180The OL 8 audit package must be installed.<VulnDiscussion>Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+acceptedOracle Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 8 Benchmark Date: 01 Apr 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL08-00-030180The OL 8 audit package must be installed.<VulnDiscussion>Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
@@ -47,9 +47,11 @@ Check the version of the operating system with the following command:
$ sudo cat /etc/oracle-release
Oracle Linux Server release 8.10
-If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010010OL 8 vendor-packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals.
+If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010010OL 8 vendor-packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals.
-New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Install the operating system patches or updated packages available from Oracle within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
+New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Install the operating system patches or updated packages available from Oracle within 30 days or sooner as local policy dictates.Note: If the system is not an internet connected system, this requirement is not applicable.
+
+Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).
Obtain the list of available package security updates from Oracle. The URL for updates is https://linux.oracle.com/errata/. It is important to note that updates provided by Oracle may not be present on the system if the underlying packages are not installed.
@@ -741,74 +743,7 @@ $ sudo stat -c "%G" /var/log
root
-If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010287The OL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the OL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd:
-
-# CRYPTO_POLICY=
-
-A reboot is required for the changes to take effect.Verify that system-wide crypto policies are in effect:
-
-$ sudo grep -i CRYPTO_POLICY /etc/sysconfig/sshd
-
-# CRYPTO_POLICY=
-
-If the "CRYPTO_POLICY" is uncommented, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010290The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only MACs employing FIPS 140-3-approved algorithms.
-
-Reinstall crypto-policies with the following command:
-
-$ sudo dnf -y reinstall crypto-policies
-
-Set the crypto-policy to FIPS with the following command:
-
-$ sudo update-crypto-policies --set FIPS
-
-Setting system policy to FIPS
-
-Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only MACs employing FIPS 140-3-approved algorithms.
-
-To verify the MACs in the systemwide SSH configuration file, use the following command:
-
-$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config
-
--oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
-
-If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", or they are missing or commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>OL08-00-010291The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877Configure the OL 8 SSH server to use only ciphers employing FIPS 140-3-approved algorithms.
-
-Reinstall crypto-policies with the following command:
-
-$ sudo dnf -y reinstall crypto-policies
-
-Set the crypto-policy to FIPS with the following command:
-
-$ sudo update-crypto-policies --set FIPS
-
-Setting system policy to FIPS
-
-Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-3-approved algorithms.
-
-To verify the ciphers in the systemwide SSH configuration file, use the following command:
-
-$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config
-CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
-
-If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>OL08-00-010292The OL 8 SSH server must be configured to use strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
+If "root" is not returned as a result, this is a finding.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>OL08-00-010292The OL 8 SSH server must be configured to use strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.
The SSH implementation in OL 8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable, the OPENSSL random generator is reseeded from "/dev/random". This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the operating system SSH server to use strong entropy.
@@ -822,80 +757,7 @@ $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd
SSH_USE_STRONG_RNG=32
-If the "SSH_USE_STRONG_RNG" line does not equal "32" or is commented out or missing, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010293The OL 8 operating system must implement DOD-approved encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the OL 8 OpenSSL library to use only ciphers employing FIPS 140-2/140-3 approved algorithms with the following command:
-
-$ sudo fips-mode-setup --enable
-
-A reboot is required for the changes to take effect.Verify that OL 8 is in FIPS mode with the following command:
-
-$ sudo fips-mode-setup --check
-FIPS mode is enabled.
-
-If FIPS mode is not enabled, this is a finding.
-
-If any other lines are returned by the above command, run the following command to view the currently applied crypto-policy:
-
-$ update-crypto-policies --show
-FIPS
-
-If the policy is not "FIPS" or a FIPS policy authorized by and documented with the ISSO, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010294The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
-
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the OL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file:
-
-For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
-
-MinProtocol = TLSv1.2
-
-For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
-TLS.MinProtocol = TLSv1.2
-DTLS.MinProtocol = DTLSv1.2
-
-A reboot is required for the changes to take effect.Verify the OpenSSL library is configured to use only DoD-approved TLS encryption:
-
-For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
-
-$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
-
-MinProtocol = TLSv1.2
-
-If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding.
-
-For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
-
-$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
-
-TLS.MinProtocol = TLSv1.2
-DTLS.MinProtocol = DTLSv1.2
-
-If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than "DTLSv1.2", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010295The OL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2 approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-The GnuTLS library offers an API to access secure communications protocols. SSLv2 is not available in the GnuTLS library. The OL 8 system-wide crypto policy defines employed algorithms in the "/etc/crypto-policies/back-ends/gnutls.config" file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the OL 8 GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
-
-+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
-
-A reboot is required for the changes to take effect.Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS versions:
-
-$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config
-
-+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM
-
-If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL08-00-010300OL 8 system commands must have mode 755 or less permissive.<VulnDiscussion>If OL 8 were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
+If the "SSH_USE_STRONG_RNG" line does not equal "32" or is commented out or missing, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>OL08-00-010300OL 8 system commands must have mode 755 or less permissive.<VulnDiscussion>If OL 8 were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.
This requirement applies to OL 8 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001499Configure the system commands to be protected from unauthorized access.
@@ -1692,7 +1554,7 @@ $ sudo mount | grep '\s/boot\s'
/dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)
-If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010572OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.Note: For vfat file systems and for systems that use BIOS, this is Not Applicable.
+If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010572OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.Note: For systems that use BIOS, this is not applicable.
Verify the /boot/efi directory is mounted with the "nosuid" option with the following command:
@@ -1700,9 +1562,7 @@ $ sudo mount | grep '\s/boot/efi\s'
/dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
-If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010580OL 8 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.Note: This control is not applicable to vfat file systems.
-
-Verify all nonroot local partitions are mounted with the "nodev" option with the following command:
+If the /boot/efi file system does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-010580OL 8 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.Verify all nonroot local partitions are mounted with the "nodev" option with the following command:
$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
@@ -2136,7 +1996,7 @@ $ sudo chage -l system_account_name
Verify each of these accounts has an expiration date set within 72 hours.
-If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020010OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020010OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2150,9 +2010,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2192,7 +2050,7 @@ $ sudo grep 'deny =' /etc/security/faillock.conf
deny = 3
-If the "deny" option is not set to "3" or less (but not "0") or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020012OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "deny" option is not set to "3" or less (but not "0") or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020012OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2208,9 +2066,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2246,7 +2102,7 @@ $ sudo grep 'fail_interval =' /etc/security/faillock.conf
fail_interval = 900
-If the "fail_interval" option is not set to "900" or more or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020014OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "fail_interval" option is not set to "900" or more or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020014OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2262,9 +2118,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2300,7 +2154,7 @@ $ sudo grep 'unlock_time =' /etc/security/faillock.conf
unlock_time = 0
-If the "unlock_time" option is not set to "0" or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020016OL 8 systems below version 8.2 must ensure account lockouts persist.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "unlock_time" option is not set to "0" or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020016OL 8 systems below version 8.2 must ensure account lockouts persist.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2318,9 +2172,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the faillock directory contents persist after a reboot with the following commands:
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the faillock directory contents persist after a reboot with the following commands:
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2356,7 +2208,7 @@ $ sudo grep 'dir =' /etc/security/faillock.conf
dir = /var/log/faillock
-If the "dir" option is not set to a non-default documented tally log directory or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020018OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "dir" option is not set to a non-default documented tally log directory or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020018OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2372,9 +2224,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system prevents informative messages from being presented to the user pertaining to logon information with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system prevents informative messages from being presented to the user pertaining to logon information with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2410,7 +2260,7 @@ $ sudo grep silent /etc/security/faillock.conf
silent
-If the "silent" option is not set or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020020OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "silent" option is not set or is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020020OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2426,9 +2276,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system logs user name information when unsuccessful logon attempts occur with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system logs user name information when unsuccessful logon attempts occur with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -2464,7 +2312,7 @@ $ sudo grep audit /etc/security/faillock.conf
audit
-If the "audit" option is not set, is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020022OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+If the "audit" option is not set, is missing or commented out, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>OL08-00-020022OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
OL 8 can use the "pam_faillock.so" for this purpose. Note that manual changes to the listed files may be overwritten by the "authselect" program.
@@ -2480,9 +2328,7 @@ account required pam_faillock.so
The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
-$ sudo systemctl restart sssd.serviceVerify the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands.
-
-Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.
+$ sudo systemctl restart sssd.serviceVerify the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands.
Note: This check applies to OL versions 8.0 and 8.1. If the system is OL version 8.2 or newer, this check is not applicable.
@@ -3118,21 +2964,7 @@ $ sudo grep -r minlen /etc/security/pwquality.conf*
/etc/security/pwquality.conf:minlen = 15
If the command does not return a "minlen" value of 15 or greater or is commented out, this is a finding.
-If conflicting results are returned, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>OL08-00-020231OL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
-
-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
-
-The DOD minimum password requirement is 15 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-004066CCI-000205Configure operating system to enforce a minimum 15-character password length for new user accounts.
-
-Add or modify the following line in the "/etc/login.defs" file:
-
-PASS_MIN_LEN 15Verify that OL 8 enforces a minimum 15-character password length for new user accounts by running the following command:
-
-$ sudo grep -i pass_min_len /etc/login.defs
-
-PASS_MIN_LEN 15
-
-If the "PASS_MIN_LEN" parameter value is less than "15" or is commented out, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>OL08-00-020240OL 8 duplicate User IDs (UIDs) must not exist for interactive users.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
+If conflicting results are returned, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>OL08-00-020240OL 8 duplicate User IDs (UIDs) must not exist for interactive users.<VulnDiscussion>To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system.
Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
@@ -3219,15 +3051,7 @@ If the pam_lastlog.so module is listed below the pam_unix.so module in the "pass
If the value of "inactive" is set to zero, a negative number, or is greater than 35, this is a finding.
-If the line is commented out or missing, ask the administrator to indicate how the system disables access for account identifiers. If there is no evidence that the system is disabling access for account identifiers after 35 days of inactivity, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>OL08-00-020262The OL 8 lastlog command must have a mode of "0750" or less permissive.<VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001314Configure the mode of the "lastlog" command for OL 8 to "0750" with the following command:
-
-$ sudo chmod 0750 /usr/bin/lastlogVerify the "lastlog" command has a mode of "0750" or less permissive with the following command:
-
-$ sudo stat -c "%a %n" /usr/bin/lastlog
-
-750 /usr/bin/lastlog
-
-If the "lastlog" command has a mode more permissive than "0750", this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>OL08-00-020263The OL 8 lastlog command must be owned by root.<VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001314Configure the "lastlog" command for OL 8 to be owned by root with the following command:
+If the line is commented out or missing, ask the administrator to indicate how the system disables access for account identifiers. If there is no evidence that the system is disabling access for account identifiers after 35 days of inactivity, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>OL08-00-020263The OL 8 lastlog command must be owned by root.<VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001314Configure the "lastlog" command for OL 8 to be owned by root with the following command:
$ sudo chown root /usr/bin/lastlogVerify the "lastlog" command is owned by root with the following command:
@@ -6551,7 +6375,7 @@ Check the value of the "accept_redirects" variables with the following command:
$ sysctl net.ipv6.conf.all.accept_redirects
net.ipv6.conf.all.accept_redirects = 0
-If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040281OL 8 must disable access to the network "bpf" syscall from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040281OL 8 must disable access to the network "bpf" syscall from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
@@ -6565,12 +6389,12 @@ kernel.nonprivileged_bpf_disabled = 1
The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
-$ sudo sysctl --systemVerify OL 8 prevents privilege escalation thru the kernel by disabling access to the bpf system call with the following commands:
+$ sudo sysctl --systemVerify OL 8 prevents privilege escalation thru the kernel by disabling access to the bpf system call with the following commands:
-$ sysctl kernel.nonprivileged_bpf_disabled
-kernel.nonprivileged_bpf_disabled = 1
+$ sysctl kernel.unprivileged_bpf_disabled
+kernel.unprivileged_bpf_disabled = 1
-If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040282OL 8 must restrict the use of "ptrace" to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the returned line does not have a value of "1" or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040282OL 8 must restrict the use of "ptrace" to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
/etc/sysctl.d/*.conf
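Review bot: The corrected check on the new side (`$ sysctl kernel.unprivileged_bpf_disabled`, `kernel.unprivileged_bpf_disabled = 1`) now disagrees with the fix text just above this hunk, whose nearest preceding line the hunk header still shows as `kernel.nonprivileged_bpf_disabled = 1` and which this commit leaves unchanged. `kernel.nonprivileged_bpf_disabled` is not a Linux sysctl key, so an administrator who follows the fix literally sets nothing while the corrected check keeps reporting a finding. If this file is a verbatim copy of the DISA XCCDF, that inconsistency belongs upstream and should not be patched in the copy, but any rule this project maps to OL08-00-040281 should be confirmed to key on `kernel.unprivileged_bpf_disabled` rather than on the fix text's spelling. The OL08-00-040281 rule text begins before this hunk and its check-text line ends outside it.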
@@ -6815,11 +6639,13 @@ $ sudo yum list installed | grep ftpd
vsftpd-3.0.3.el8.x86_64.rpm
-If an FTP server is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040370OL 8 must not have the "gssproxy" package installed if not required for operational support.<VulnDiscussion>Verify the operating system is configured to disable nonessential capabilities. The most secure way of ensuring a nonessential capability is disabled is to not have the capability installed.
+If an FTP server is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>OL08-00-040370OL 8 must not have the "gssproxy" package installed if not required for operational support.<VulnDiscussion>Verify the operating system is configured to disable nonessential capabilities. The most secure way of ensuring a nonessential capability is disabled is to not have the capability installed.
When an application uses Generic Security Services API (GSSAPI), typically it will have direct access to its security credentials, and all cryptographic operations are performed in the application's process. This is undesirable, but "gssproxy" can help in almost all use cases. It provides privilege separation to applications using the GSSAPI: The gssproxy daemon runs on the system, holds the application's credentials, and performs operations on behalf of the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000366Configure OL 8 to disable nonessential capabilities by removing the "gssproxy" package from the system with the following command:
-$ sudo yum remove gssproxyNote: For Oracle Linux systems, if there is an operational need for gssproxy to be installed, this requirement is Not Applicable.
+$ sudo yum remove gssproxyNote: For Oracle Linux systems, if there is an operational need for gssproxy to be installed, this is not applicable.
+
+Note: If NFS mounts are authorized and in use on the system, this control is not applicable.
Determine if the "gssproxy" package is installed with the following command:
@@ -7132,21 +6958,7 @@ A reboot is required for the changes to take effect.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-040342OL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection.
-
-OL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.
-
-The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/crypto-policies/back-ends/opensshserver.config":
-
--oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
-
-A reboot is required for the changes to take effect.Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms:
-
- $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config
-
- CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'
-
-If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in a different order than shown, or are missing or commented out, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL08-00-010019OL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Oracle cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-003992CCI-001749Install Oracle package-signing key on the system and verify its fingerprint matches vendor value.
+If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>OL08-00-010019OL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Oracle cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-003992CCI-001749Install Oracle package-signing key on the system and verify its fingerprint matches vendor value.
Insert OL 8 installation disc or attach OL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system.
@@ -7250,4 +7062,244 @@ $ sudo grep -i tmout /etc/profile /etc/profile.d/*.sh
/etc/profile.d/tmout.sh:declare -xr TMOUT=600
-If "TMOUT" is not set to "600" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding.
\ No newline at end of file
+If "TMOUT" is not set to "600" or less in a script located in the "/etc/'profile.d/ directory, is missing or is commented out, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>OL08-00-010180OL 8 must have the crypto-policies package installed.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002450Install the crypto-policies package with the following command:
+
+$ sudo dnf -y install crypto-policiesVerify the OL 8 crypto-policies package is installed with the following command:
+
+$ dnf list --installed crypto-policies
+Installed Packages
+crypto-policies.noarch 20230731-1.git3177e06.el8 @ol8_baseos_latest
+
+If the crypto-policies package is not installed, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>OL08-00-010181OL 8 must implement a FIPS 140-3-compliant systemwide cryptographic policy.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002450Configure OL 8 to use a FIPS 140-3-compliant systemwide cryptographic policy.
+
+Create a subpolicy for enhancements to the base systemwide crypto-policy by creating the file /etc/crypto-policies/policies/modules/STIG.pmod with the following content:
+
+# Define ciphers and MACs for OpenSSH and libssh
+cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR
+mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256
+
+Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:
+
+$ sudo update-crypto-policies --set FIPS:STIG
+
+Note: If additional subpolicies are being employed, they must be added to the update-crypto-policies command.
+
+To make the cryptographic settings effective for already running services and applications, restart the system:
+
+$ sudo rebootVerify OL 8 is set to use a FIPS 140-3-compliant systemwide cryptographic policy with the following command:
+
+$ update-crypto-policies --show
+
+FIPS
+
+If the systemwide crypto policy is not set to "FIPS", this is a finding.
+
+Note: If subpolicies have been configured, they could be listed in a colon-separated list starting with "FIPS" as follows FIPS:<SUBPOLICY-NAME>. This is not a finding.
+
+Note: Subpolicies like AD-SUPPORT must be configured according to the latest guidance from the operating system vendor.
+
+Verify the current minimum crypto-policy configuration with the following commands:
+
+$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol
+
+hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
+min_rsa_size = 2048
+
+If the "hash" values do not include at least the following FIPS 140-3-compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256", this is a finding.
+
+If there are algorithms that include "SHA1" or a hash value less than "224" this is a finding.
+
+If the "min_rsa_size" is not set to a value of at least "2048", this is a finding.
+
+If these commands do not return any output, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL08-00-010182OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+
+OL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries.
+
+The fips=1 kernel option must be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.
+
+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000068CCI-000877CCI-002418CCI-002450Configure OL 8 to implement DOD-approved encryption by following the steps below:
+
+To enable strict FIPS compliance, the fips=1 kernel option must be added to the kernel boot parameters during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
+
+Enable FIPS mode after installation (not strict FIPS-compliant) with the following command:
+
+$ sudo fips-mode-setup --enable
+
+Reboot the system for the changes to take effect.Verify OL 8 implements DOD-approved encryption to protect the confidentiality of remote access sessions.
+
+Show the configured systemwide cryptographic policy by running the following command:
+
+$ sudo update-crypto-policies --show
+FIPS
+
+If the main policy name is not "FIPS", this is a finding.
+
+If the AD-SUPPORT subpolicy module is included (e.g., "FIPS:AD-SUPPORT"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.
+
+If the NO-ENFORCE-EMS subpolicy module is included (e.g., "FIPS:NO-ENFORCE-EMS"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding.
+
+If any other subpolicy module is included, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>OL08-00-010183OL 8 cryptographic policy must not be overridden.<VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002450CCI-002890CCI-003123Configure OL 8 to correctly implement the systemwide cryptographic policies by reinstalling the crypto-policies package contents.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. Restart the system for the changs to take place.Verify OL 8 cryptographic policies are not overridden.
+
+Verify the configured policy matches the generated policy with the following command:
+
+$ sudo update-crypto-policies --is-applied
+
+The configured policy is applied
+
+If the returned message does not match the above, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010184The OL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the SSH client to use only ciphers employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. Restart the system for the changes to take place.Verify the SSH client is configured to use only ciphers employing FIPS 140-3-approved algorithms.
+
+Verify the ciphers in the systemwide SSH configuration file using the following command:
+
+$ grep -i Ciphers /etc/crypto-policies/back-ends/openssh.config
+
+Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+If the cipher entries in the "openssh.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010185The OL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-001453Configure the SSH client to use only MACs employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. Restart the system for the changes to take place.Verify the SSH client is configured to use only MACs employing FIPS 140-3-approved algorithms.
+
+To verify the MACs in the systemwide SSH configuration file, use the following command:
+
+$ grep -i MACs /etc/crypto-policies/back-ends/openssh.config
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+
+If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", or they are missing or commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>OL08-00-010186OL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.<VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000068Configure Libreswan to use the system cryptographic policy.
+
+Add the following line to "/etc/ipsec.conf":
+
+include /etc/crypto-policies/back-ends/libreswan.configVerify the IPsec service uses the system crypto policy with the following command:
+
+Note: If the IPsec service is not installed, this is not applicable.
+
+$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf
+/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
+
+If the IPsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>OL08-00-010187OL 8 must implement DOD-approved encryption in the bind package.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-002418CCI-002422Configure BIND to use the system crypto policy.
+
+Add the following line to the "options" section in "/etc/named.conf":
+
+include "/etc/crypto-policies/back-ends/bind.config";Verify BIND uses the system crypto policy with the following command:
+
+Note: If the "bind" package is not installed, this is not applicable.
+
+$ sudo grep include /etc/named.conf
+
+include "/etc/crypto-policies/back-ends/bind.config";'
+
+If BIND is installed and the BIND config file does not include "/etc/crypto-policies/back-ends/bind.config" directive or the line is commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010290The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877CCI-001453Configure the OL 8 SSH server to use only MACs employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only MACs employing FIPS 140-3-approved algorithms.
+
+To verify the MACs in the systemwide SSH configuration file, use the following command:
+
+$ sudo grep -i MACs /etc/crypto-policies/back-ends/opensshserver.config
+
+-oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256", or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>OL08-00-010291The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000877CCI-001453Configure the OL 8 SSH server to use only ciphers employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.Verify the OL 8 SSH server is configured to use only ciphers employing FIPS 140-3-approved algorithms.
+
+To verify the ciphers in the systemwide SSH configuration file, use the following command:
+
+$ sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config
+CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>OL08-00-020262The OL 8 lastlog command must have a mode of "0750" or less permissive.<VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Oracle Linux 8DISADPMS TargetOracle Linux 85416CCI-000213Configure the mode of the "lastlog" command for OL 8 to "0750" with the following command:
+
+$ sudo chmod 0750 /usr/bin/lastlogVerify the "lastlog" command has a mode of "0750" or less permissive with the following command:
+
+$ sudo stat -c "%a %n" /usr/bin/lastlog
+
+750 /usr/bin/lastlog
+
+If the "lastlog" command has a mode more permissive than "0750", this is a finding.
\ No newline at end of file
diff --git a/shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml b/shared/references/disa-stig-ol8-v2r8-xccdf-scap.xml
similarity index 96%
rename from shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml
rename to shared/references/disa-stig-ol8-v2r8-xccdf-scap.xml
index 830a6defd592..4d29d433c02d 100644
--- a/shared/references/disa-stig-ol8-v2r7-xccdf-scap.xml
+++ b/shared/references/disa-stig-ol8-v2r8-xccdf-scap.xml
@@ -1,36 +1,36 @@
-
-
+
+
-
+
-
+
-
+
-
+
-
-
+
+
-
+ Oracle Linux 8
- oval:mil.disa.stig.ol8os:def:1
+ oval:mil.disa.stig.ol8os:def:1
-
+
- accepted
+ acceptedOracle Linux 8 STIG SCAP BenchmarkThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
@@ -40,109 +40,115 @@
DISASTIG.DOD.MIL
- Benchmark Date: 05 Jan 2026
+ Benchmark Date: 01 Apr 20263.5.21.10.0Linux krb5 workstation 1.17 or higher is not installed
-
+ Oracle Linux 8.3 or Lower
-
+
+
+
+
+ Linux with BIND installed
+
+ Linux krb5 server 1.17 or higher is not installed
-
+ Oracle Linux 8.2 or Higher
-
+ Linux with NFS mounts configured
-
+ Linux IPv6 Enabled
-
+
+
+
+
+ Linux with Libreswan installed
+
+ Linux BIOS Boot
-
+ Gnome-shell Package
-
+ Linux with no NFS mounts configured
-
+ Linux UEFI Boot
-
+ Linux with TFTP installed
-
+ Oracle Linux 8.1 or Lower
-
-
-
-
- Linux UEFI system with boot partition file type other than VFAT
-
-
+ Kernel dumps are enabled
-
+ Linux with postfix installed
-
+ Linux with autofs installed
-
+
- 002.007
+ 002.008DISADISA
@@ -181,7 +187,6 @@
-
@@ -190,6 +195,7 @@
+
@@ -252,6 +258,7 @@
+
@@ -269,9 +276,7 @@
-
-
@@ -436,6 +441,13 @@
+
+
+
+
+
+
+ I - Mission Critical Public
@@ -469,7 +481,6 @@
-
@@ -478,6 +489,7 @@
+
@@ -540,6 +552,7 @@
+
@@ -557,9 +570,7 @@
-
-
@@ -724,6 +735,13 @@
+
+
+
+
+
+
+ I - Mission Critical Sensitive
@@ -757,7 +775,6 @@
-
@@ -766,6 +783,7 @@
+
@@ -828,6 +846,7 @@
+
@@ -845,9 +864,7 @@
-
-
@@ -1012,6 +1029,13 @@
+
+
+
+
+
+
+ II - Mission Support Classified
@@ -1045,7 +1069,6 @@
-
@@ -1054,6 +1077,7 @@
+
@@ -1116,6 +1140,7 @@
+
@@ -1133,9 +1158,7 @@
-
-
@@ -1300,6 +1323,13 @@
+
+
+
+
+
+
+ II - Mission Support Public
@@ -1333,7 +1363,6 @@
-
@@ -1342,6 +1371,7 @@
+
@@ -1404,6 +1434,7 @@
+
@@ -1421,9 +1452,7 @@
-
-
@@ -1588,6 +1617,13 @@
+
+
+
+
+
+
+ II - Mission Support Sensitive
@@ -1621,7 +1657,6 @@
-
@@ -1630,6 +1665,7 @@
+
@@ -1692,6 +1728,7 @@
+
@@ -1709,9 +1746,7 @@
-
-
@@ -1876,6 +1911,13 @@
+
+
+
+
+
+
+ III - Administrative Classified
@@ -1909,7 +1951,6 @@
-
@@ -1918,6 +1959,7 @@
+
@@ -1980,6 +2022,7 @@
+
@@ -1997,9 +2040,7 @@
-
-
@@ -2164,6 +2205,13 @@
+
+
+
+
+
+
+ III - Administrative Public
@@ -2197,7 +2245,6 @@
-
@@ -2206,6 +2253,7 @@
+
@@ -2268,6 +2316,7 @@
+
@@ -2285,9 +2334,7 @@
-
-
@@ -2452,6 +2499,13 @@
+
+
+
+
+
+
+ III - Administrative Sensitive
@@ -2485,7 +2539,6 @@
-
@@ -2494,6 +2547,7 @@
+
@@ -2556,6 +2610,7 @@
+
@@ -2573,9 +2628,7 @@
-
-
@@ -2740,6 +2793,13 @@
+
+
+
+
+
+
+ Disable Slow Rules
@@ -2762,7 +2822,6 @@
-
@@ -2794,6 +2853,7 @@
+
@@ -2807,6 +2867,7 @@
+
@@ -2818,10 +2879,8 @@
-
-
@@ -2843,13 +2902,13 @@
-
-
+
+
@@ -2858,19 +2917,15 @@
-
-
-
-
@@ -2883,11 +2938,14 @@
+
+
+
@@ -2913,7 +2971,9 @@
+
+
@@ -2921,12 +2981,12 @@
+
-
@@ -2939,7 +2999,6 @@
-
@@ -2975,13 +3034,14 @@
+
-
+
@@ -3009,12 +3069,13 @@
-
+
+
@@ -3072,7 +3133,7 @@ Install the audit service (if the audit service is not already installed) with t
$ sudo yum install audit
-
+
@@ -3129,7 +3190,7 @@ $ sudo systemctl enable auditd.service
$ sudo systemctl start auditd.service
-
+
@@ -3159,7 +3220,7 @@ Each minor version reaches end of life when the new version is released.</Vul
Upgrade to a supported version of the operating system.
-
+
@@ -3200,7 +3261,7 @@ Enable FIPS mode after installation (not strict FIPS-compliant) with the followi
Reboot the system for the changes to take effect.
-
+
@@ -3248,7 +3309,7 @@ Run the following command to update the database:
$ sudo dconf update
-
+
@@ -3284,7 +3345,7 @@ The "rsyslog" service must be restarted for the changes to take effect. To resta
$ sudo systemctl restart rsyslog.service
-
+
@@ -3315,7 +3376,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M
ENCRYPT_METHOD SHA512
-
+
@@ -3340,7 +3401,7 @@ Passwords need to be protected at all times, and encryption is the standard meth
Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.
-
+
@@ -3369,7 +3430,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_
SHA_CRYPT_MIN_ROUNDS 100000
-
+
@@ -3398,7 +3459,7 @@ Enter password:
Confirm password:
-
+
@@ -3427,7 +3488,7 @@ Enter password:
Confirm password:
-
+
@@ -3451,7 +3512,7 @@ Confirm password:
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
-
+
@@ -3475,7 +3536,7 @@ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
-
+
@@ -3505,7 +3566,7 @@ Edit/modify the following line in the "/etc/pam.d/system-auth" file to include t
password sufficient pam_unix.so sha512
-
+
@@ -3535,7 +3596,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include
password sufficient pam_unix.so sha512
-
+
@@ -3567,7 +3628,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
Remove any files with the .keytab extension from the operating system.
-
+
@@ -3598,7 +3659,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
$ sudo yum remove krb5-workstation
-
+
@@ -3629,7 +3690,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access
$ sudo yum remove krb5-server
-
+
@@ -3661,7 +3722,7 @@ SELINUX=enforcing
A reboot is required for the changes to take effect.
-
+
@@ -3685,7 +3746,7 @@ A reboot is required for the changes to take effect.
$ sudo yum install policycoreutils
-
+
@@ -3724,7 +3785,7 @@ For the changes to take effect, the SSH daemon must be restarted.
$ sudo systemctl restart sshd.service
-
+
@@ -3763,7 +3824,7 @@ The SSH daemon must be restarted for changes to take effect.
$ sudo systemctl restart sshd.service
-
+
@@ -3789,7 +3850,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chmod 0640 /var/log/messages
-
+
@@ -3815,7 +3876,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chown root /var/log/messages
-
+
@@ -3841,7 +3902,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chgrp root /var/log/messages
-
+
@@ -3867,7 +3928,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chmod 0755 /var/log
-
+
@@ -3893,7 +3954,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chown root /var/log
-
+
@@ -3919,7 +3980,7 @@ The structure and content of error messages must be carefully considered by the
$ sudo chgrp root /var/log
-
+
@@ -3949,47 +4010,7 @@ SSH_USE_STRONG_RNG=32
The SSH service must be restarted for changes to take effect.
-
-
-
-
-
- SRG-OS-000250-GPOS-00093
- <GroupDescription></GroupDescription>
-
- OL08-00-010294
- The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
- <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
-
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
-
- DPMS Target Oracle Linux 8
- DISA
- DPMS Target
- Oracle Linux 8
- 5416
-
- CCI-001453
- Configure the OL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file:
-
-For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch:
-
-MinProtocol = TLSv1.2
-
-For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer:
-TLS.MinProtocol = TLSv1.2
-DTLS.MinProtocol = DTLSv1.2
-
-A reboot is required for the changes to take effect.
-
-
-
+
@@ -4017,7 +4038,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod
$ sudo chmod 755 [FILE]
-
+
@@ -4045,7 +4066,7 @@ Run the following command, replacing "[FILE]" with any system command file not o
$ sudo chown root [FILE]
-
+
@@ -4073,7 +4094,7 @@ Run the following command, replacing "[FILE]" with any system command file not g
$ sudo chgrp root [FILE]
-
+
@@ -4099,7 +4120,7 @@ This requirement applies to OL 8 with software libraries that are accessible and
$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +
-
+
@@ -4125,7 +4146,7 @@ This requirement applies to OL 8 with software libraries that are accessible and
$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +
-
+
@@ -4151,7 +4172,7 @@ This requirement applies to OL 8 with software libraries that are accessible and
$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} +
-
+
@@ -4180,7 +4201,7 @@ Verifying the authenticity of the software prior to installation validates the i
gpgcheck=1
-
+
@@ -4211,7 +4232,48 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file:
localpkg_gpgcheck=True
-
+
+
+
+
+
+ SRG-OS-000366-GPOS-00153
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010372
+ OL 8 must prevent the loading of a new kernel for later execution.
+ <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+
+Disabling "kexec_load" prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used to subvert the entire secureboot process and should be avoided at all costs, especially since it can load unsigned kernel images.
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-003992
+ CCI-001749
+ Configure OL 8 to prevent the loading of a new kernel for later execution.
+
+Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory:
+
+kernel.kexec_load_disabled = 1
+
+Load settings from all system configuration files with the following command:
+
+$ sudo sysctl --system
+
+
+
@@ -4253,7 +4315,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -4295,7 +4357,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -4339,7 +4401,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -4383,7 +4445,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -4420,7 +4482,7 @@ $ sudo grep -ir nopasswd /etc/sudoers.d
Remove any occurrences of "NOPASSWD" tags in the file.
-
+
@@ -4447,7 +4509,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO
Remove any occurrence of "!authenticate" found in the "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
-
+
@@ -4471,7 +4533,7 @@ ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL
-
+
@@ -4501,7 +4563,7 @@ Remove any configurations that conflict with the above from the following locati
/etc/sudoers.d/
-
+
@@ -4540,7 +4602,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0".
Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.
-
+
@@ -4574,7 +4636,7 @@ This requirement only applies to components where this is specific to the functi
$ sudo yum install openssl-pkcs11
-
+
@@ -4614,7 +4676,7 @@ Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -4640,7 +4702,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/yum.conf" f
clean_requirements_on_remove=True
-
+
@@ -4670,7 +4732,7 @@ SELINUXTYPE=targeted
A reboot is required for the changes to take effect.
-
+
@@ -4694,7 +4756,7 @@ A reboot is required for the changes to take effect.
$ sudo rm /etc/ssh/shosts.equiv
-
+
@@ -4718,7 +4780,7 @@ $ sudo rm /etc/ssh/shosts.equiv
$ sudo rm /[path]/[to]/[file]/.shosts
-
+
@@ -4744,7 +4806,7 @@ The rngd service feeds random data from hardware device to kernel random device.
$ sudo yum install rng-tools
-
+
@@ -4772,7 +4834,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4800,7 +4862,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4830,7 +4892,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4860,7 +4922,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4890,7 +4952,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4920,7 +4982,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -4942,7 +5004,7 @@ $ sudo systemctl restart sshd.service
Migrate the "/var" path onto a separate file system.
-
+
@@ -4964,7 +5026,7 @@ $ sudo systemctl restart sshd.service
Migrate the "/var/log" path onto a separate file system.
-
+
@@ -4986,7 +5048,7 @@ $ sudo systemctl restart sshd.service
Migrate the system audit data path onto a separate file system.
-
+
@@ -5008,7 +5070,7 @@ $ sudo systemctl restart sshd.service
Migrate the "/tmp" directory onto a separate file system/partition.
-
+
@@ -5030,7 +5092,7 @@ $ sudo systemctl restart sshd.service
Migrate the "/var/tmp" path onto a separate file system.
-
+
@@ -5061,7 +5123,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -5089,7 +5151,7 @@ $ sudo systemctl start rsyslog.service
$ sudo systemctl enable rsyslog.service
-
+
@@ -5111,7 +5173,7 @@ $ sudo systemctl enable rsyslog.service
Configure "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.
-
+
@@ -5134,14 +5196,14 @@ $ sudo systemctl enable rsyslog.service
Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.
-
+ SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ OL08-00-010572OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -5152,19 +5214,19 @@ $ sudo systemctl enable rsyslog.service
Oracle Linux 85416
-
+ CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.
-
+ SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ OL08-00-010580OL 8 must prevent special devices on nonroot local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
@@ -5179,7 +5241,7 @@ $ sudo systemctl enable rsyslog.service
Configure the "/etc/fstab" to use the "nodev" option on all nonroot local partitions.
-
+
@@ -5202,7 +5264,7 @@ $ sudo systemctl enable rsyslog.service
Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.
-
+
@@ -5225,7 +5287,7 @@ $ sudo systemctl enable rsyslog.service
Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.
-
+
@@ -5248,7 +5310,7 @@ $ sudo systemctl enable rsyslog.service
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.
-
+
@@ -5286,7 +5348,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -5319,7 +5381,7 @@ $ sudo systemctl mask systemd-coredump.socket
Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null
-
+
@@ -5350,7 +5412,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a singl
Remove or comment out any entries for users or groups with a value set to anything other than "0".
-
+
@@ -5379,7 +5441,7 @@ Add or modify the following line in "/etc/systemd/coredump.conf":
Storage=none
-
+
@@ -5408,7 +5470,7 @@ Add or modify the following line in "/etc/systemd/coredump.conf":
ProcessSizeMax=0
-
+
@@ -5438,7 +5500,7 @@ If local host resolution is being performed, the "/etc/resolv.conf" file must be
$ sudo echo -n > /etc/resolv.conf
-
+
@@ -5460,7 +5522,7 @@ $ sudo echo -n > /etc/resolv.conf
Assign home directories to all local interactive users on OL 8 that currently do not have a home directory assigned.
-
+
@@ -5486,7 +5548,7 @@ Note: The example will be for the user "smithj".
$ sudo chmod 0750 /home/smithj
-
+
@@ -5510,7 +5572,7 @@ $ sudo chmod 0750 /home/smithj
CREATE_HOME yes
-
+
@@ -5536,7 +5598,7 @@ Note: The example will be for the smithj user, who has a home directory of "/hom
$ sudo chmod 0740 /home/smithj/.<INIT_FILE>
-
+
@@ -5558,7 +5620,7 @@ $ sudo chmod 0740 /home/smithj/.<INIT_FILE>
Migrate the "/home" directory onto a separate file system.
-
+
@@ -5586,7 +5648,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se
AutomaticLoginEnable=false
-
+
@@ -5616,14 +5678,14 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020010OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -5654,7 +5716,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -5688,14 +5750,14 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
deny = 3
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020012OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -5728,7 +5790,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -5762,14 +5824,14 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
fail_interval = 900
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020014OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -5802,7 +5864,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -5836,14 +5898,14 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
unlock_time = 0
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020018OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -5876,7 +5938,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -5910,14 +5972,14 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
silent
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020020OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -5950,7 +6012,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -5984,14 +6046,14 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
audit
-
+ SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>
-
+ OL08-00-020022OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
@@ -6024,7 +6086,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart
$ sudo systemctl restart sssd.service
-
+
@@ -6058,7 +6120,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line:
even_deny_root
-
+
@@ -6086,7 +6148,49 @@ Add the following line to the top of "/etc/security/limits.conf" or in a ".conf"
* hard maxlogins 10
-
+
+
+
+
+
+ SRG-OS-000021-GPOS-00005
+ <GroupDescription></GroupDescription>
+
+ OL08-00-020027
+ OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+ <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+
+ CCI-000044
+ CCI-002238
+ Configure OL 8 to allow the use of a non-default faillock tally directory while SELinux enforces a targeted policy.
+
+Create a non-default faillock tally directory (if it does not already exist) with the following example:
+
+$ sudo mkdir /var/log/faillock
+
+Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the non-default faillock tally directory with the following command:
+
+$ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?"
+
+Next, update the context type of the non-default faillock directory/subdirectories and files with the following command:
+
+$ sudo restorecon -R -v /var/log/faillock
+
+
+
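Review bot: The new benchmark entry OL08-00-020027 (faillog_t context on a non-default faillock tally directory) has no counterpart visible in this diff: none of the rule.yml hunks shown add `stigid@ol8: OL08-00-020027`, so unless another part of the commit does, the OL8 STIG profile will carry a requirement the content does not map to. If the project has no rule that checks the SELinux file context of the directory named by faillock's `dir` option, that gap is worth tracking before the reference is bumped, since the reference alone does not produce a check or remediation. The hunk's check/fix text references `semanage fcontext -a -t faillog_t` and `restorecon -R`; a mapped rule would need to cover the persistent `file_contexts.local` entry, not just the live label. This is inferred from the visible hunks only; the rest of the commit may already handle it.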
@@ -6120,7 +6224,7 @@ Update the system databases:
$ sudo dconf update
-
+
@@ -6167,7 +6271,7 @@ Update the system databases:
$ sudo dconf update
-
+
@@ -6209,7 +6313,7 @@ Add the following setting to prevent non-privileged users from modifying it:
/org/gnome/desktop/screensaver/lock-delay
-
+
@@ -6251,7 +6355,7 @@ Add the following setting to prevent non-privileged users from modifying it:
/org/gnome/desktop/screensaver/lock-enabled
-
+
@@ -6283,7 +6387,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin
password requisite pam_pwquality.so
-
+
@@ -6319,7 +6423,7 @@ ucredit = -1
Remove any configurations that conflict with the above value.
-
+
@@ -6352,7 +6456,7 @@ lcredit = -1
Remove any configurations that conflict with the above value.
-
+
@@ -6385,7 +6489,7 @@ dcredit = -1
Remove any configurations that conflict with the above value.
-
+
@@ -6418,7 +6522,7 @@ maxclassrepeat = 4
Remove any configurations that conflict with the above value.
-
+
@@ -6451,7 +6555,7 @@ maxrepeat = 3
Remove any configurations that conflict with the above value.
-
+
@@ -6484,7 +6588,7 @@ minclass = 4
Remove any configurations that conflict with the above value.
-
+
@@ -6517,7 +6621,7 @@ difok = 8
Remove any configurations that conflict with the above value.
-
+
@@ -6542,7 +6646,7 @@ Remove any configurations that conflict with the above value.
$ sudo chage -m 1 [user]
-
+
@@ -6569,7 +6673,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ
PASS_MIN_DAYS 1
-
+
@@ -6596,7 +6700,7 @@ Add or modify the following line in the "/etc/login.defs" file:
PASS_MAX_DAYS 60
-
+
@@ -6621,7 +6725,7 @@ PASS_MAX_DAYS 60
$ sudo chage -M 60 [user]
-
+
@@ -6654,38 +6758,7 @@ minlen = 15
Remove any configurations that conflict with the above value.
-
-
-
-
-
- SRG-OS-000078-GPOS-00046
- <GroupDescription></GroupDescription>
-
- OL08-00-020231
- OL 8 passwords for new users must have a minimum of 15 characters.
- <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
-
-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
-
-The DOD minimum password requirement is 15 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
-
- DPMS Target Oracle Linux 8
- DISA
- DPMS Target
- Oracle Linux 8
- 5416
-
- CCI-004066
- CCI-000205
- Configure operating system to enforce a minimum 15-character password length for new user accounts.
-
-Add or modify the following line in the "/etc/login.defs" file:
-
-PASS_MIN_LEN 15
-
-
-
+
@@ -6717,31 +6790,7 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPO
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
-
-
-
-
-
- SRG-OS-000206-GPOS-00084
- <GroupDescription></GroupDescription>
-
- OL08-00-020262
- The OL 8 lastlog command must have a mode of "0750" or less permissive.
- <VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
-
- DPMS Target Oracle Linux 8
- DISA
- DPMS Target
- Oracle Linux 8
- 5416
-
- CCI-001314
- Configure the mode of the "lastlog" command for OL 8 to "0750" with the following command:
-
-$ sudo chmod 0750 /usr/bin/lastlog
-
-
-
+
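Review bot: OL08-00-020262 (lastlog mode 0750) is dropped from the benchmark here, but the visible rule.yml edits in this commit only remove `stigid@ol8: OL08-00-020231`; whether the rule that references `stigid@ol8: OL08-00-020262` (the `/usr/bin/lastlog` permissions check) is updated cannot be confirmed from this view. A `stigid@ol8` value that no longer exists in the reference would leave a stale mapping in the OL8 STIG profile and its generated tables. The same check applies to any rule referencing OL08-00-020231 beyond the one shown in the diff header.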
@@ -6765,7 +6814,7 @@ $ sudo chmod 0750 /usr/bin/lastlog
$ sudo chown root /usr/bin/lastlog
-
+
@@ -6789,7 +6838,7 @@ $ sudo chown root /usr/bin/lastlog
$ sudo chgrp root /usr/bin/lastlog
-
+
@@ -6822,7 +6871,7 @@ ocredit = -1
Remove any configurations that conflict with the above value.
-
+
@@ -6850,7 +6899,7 @@ Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[
offline_credentials_expiration = 1
-
+
@@ -6878,7 +6927,7 @@ dictcheck=1
Remove any configurations that conflict with the above value.
-
+
@@ -6906,7 +6955,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr
FAIL_DELAY 4
-
+
@@ -6934,7 +6983,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the
$ sudo systemctl restart sshd.service
-
+
@@ -6958,7 +7007,7 @@ $ sudo systemctl restart sshd.service
Note: Manual changes to the listed file may be overwritten by the "authselect" program.
-
+
@@ -6982,7 +7031,7 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p
Note: Manual changes to the listed file may be overwritten by the "authselect" program.
-
+
@@ -7010,7 +7059,7 @@ PrintLastLog yes
The SSH service must be restarted for changes to "sshd_config" to take effect.
-
+
@@ -7036,7 +7085,7 @@ Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example be
UMASK 077
-
+
@@ -7073,7 +7122,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7103,7 +7152,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator
action_mail_acct = root
-
+
@@ -7133,7 +7182,7 @@ Add/update the following line in "/etc/aliases":
postmaster: root
-
+
@@ -7165,7 +7214,7 @@ disk_error_action = HALT
If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".
-
+
@@ -7199,7 +7248,7 @@ disk_full_action = HALT
If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".
-
+
@@ -7227,7 +7276,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file:
local_events = yes
-
+
@@ -7259,7 +7308,7 @@ name_format = hostname
The audit daemon must be restarted for changes to take effect.
-
+
@@ -7289,7 +7338,7 @@ log_format = ENRICHED
The audit daemon must be restarted for changes to take effect.
-
+
@@ -7321,7 +7370,7 @@ $ sudo chmod 0600 [audit_log_file]
Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".
-
+
@@ -7353,7 +7402,7 @@ $ sudo chown root [audit_log_file]
Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".
-
+
@@ -7385,7 +7434,7 @@ $ sudo chgrp root [audit_log_file]
Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".
-
+
@@ -7417,7 +7466,7 @@ $ sudo chown root [audit_log_directory]
Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit".
-
+
@@ -7449,7 +7498,7 @@ $ sudo chgrp root [audit_log_directory]
Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit".
-
+
@@ -7481,7 +7530,7 @@ $ sudo chmod 0700 [audit_log_directory]
Replace "[audit_log_directory]" to the correct audit log directory path. By default, this location is "/var/log/audit".
-
+
@@ -7515,7 +7564,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.
-
+
@@ -7547,7 +7596,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO
--loginuid-immutable
-
+
@@ -7591,7 +7640,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7635,7 +7684,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7679,7 +7728,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7724,7 +7773,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7768,7 +7817,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7812,7 +7861,7 @@ The audit daemon must be restarted for the changes to take effect.
$ sudo service auditd restart
-
+
@@ -7856,7 +7905,7 @@ The audit daemon must be restarted for the changes to take effect.
$ sudo service auditd restart
-
+
@@ -7894,7 +7943,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7944,7 +7993,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -7982,7 +8031,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8020,7 +8069,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8058,7 +8107,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8096,7 +8145,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8134,7 +8183,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8172,7 +8221,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8211,7 +8260,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8249,7 +8298,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8287,7 +8336,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8325,7 +8374,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8357,7 +8406,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8389,7 +8438,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8421,7 +8470,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8459,7 +8508,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8497,7 +8546,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8535,7 +8584,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8573,7 +8622,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8611,7 +8660,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8649,7 +8698,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8690,7 +8739,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8736,7 +8785,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8774,7 +8823,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8813,7 +8862,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8851,7 +8900,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8889,7 +8938,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8937,7 +8986,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -8982,7 +9031,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9025,7 +9074,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9063,7 +9112,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9101,7 +9150,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9139,7 +9188,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9187,7 +9236,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9235,7 +9284,7 @@ The audit daemon must be restarted for the changes to take effect. To restart th
$ sudo service auditd restart
-
+
@@ -9260,7 +9309,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/*.rules
$ sudo chmod 0640 /etc/audit/auditd.conf
-
+
@@ -9290,7 +9339,7 @@ $ sudo chmod 0755 [audit_tool]
Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.
-
+
@@ -9324,7 +9373,7 @@ $ sudo chown root [audit_tool]
Replace "[audit_tool]" with each audit tool not owned by "root".
-
+
@@ -9358,7 +9407,7 @@ $ sudo chgrp root [audit_tool]
Replace "[audit_tool]" with each audit tool not group-owned by "root".
-
+
@@ -9395,7 +9444,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
$ sudo yum install rsyslog
-
+
@@ -9432,7 +9481,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul
$ sudo yum install rsyslog-gnutls
-
+
@@ -9464,7 +9513,7 @@ overflow_action = syslog
The audit daemon must be restarted for changes to take effect.
-
+
@@ -9500,7 +9549,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion
$ActionSendStreamDriverAuthMode x509/name
-
+
@@ -9524,7 +9573,7 @@ $ActionSendStreamDriverAuthMode x509/name
space_left = 25%
-
+
@@ -9550,7 +9599,7 @@ space_left_action = email
Note: Option names and values in the auditd.conf file are case insensitive.
-
+
@@ -9578,7 +9627,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc
port 0
-
+
@@ -9606,7 +9655,7 @@ Note that USNO offers authenticated NTP service to DOD and U.S. Government agenc
cmdport 0
-
+
@@ -9640,7 +9689,7 @@ If a privileged user were to log on using this service, the privileged user pass
$ sudo yum remove telnet-server
-
+
@@ -9670,7 +9719,7 @@ Verify the operating system is configured to disable non-essential capabilities.
$ sudo yum remove abrt*
-
+
@@ -9700,7 +9749,7 @@ Verify the operating system is configured to disable non-essential capabilities.
$ sudo yum remove sendmail
-
+
@@ -9739,7 +9788,7 @@ Add or update the line:
blacklist atm
-
+
@@ -9777,7 +9826,7 @@ Add or update the line:
blacklist can
-
+
@@ -9815,7 +9864,7 @@ Add or update the line:
blacklist sctp
-
+
@@ -9848,7 +9897,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
Reboot the system for the settings to take effect.
-
+
@@ -9881,7 +9930,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
Reboot the system for the settings to take effect.
-
+
@@ -9912,7 +9961,7 @@ Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
Reboot the system for the settings to take effect.
-
+
@@ -9950,7 +9999,7 @@ $ sudo systemctl stop autofs
$ sudo systemctl disable autofs
-
+
@@ -9982,7 +10031,7 @@ Add or update the lines:
Reboot the system for the settings to take effect.
-
+
@@ -10012,7 +10061,7 @@ OL 8 functionality (e.g., RDP) must be capable of taking enforcement action if t
$ sudo yum install firewalld.noarch
-
+
@@ -10044,7 +10093,7 @@ $ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
-
+
@@ -10086,7 +10135,7 @@ Add or update the line:
Reboot the system for the settings to take effect.
-
+
@@ -10116,7 +10165,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10146,7 +10195,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10176,7 +10225,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10206,7 +10255,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10236,7 +10285,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10266,7 +10315,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10296,7 +10345,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10326,7 +10375,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10356,7 +10405,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10386,7 +10435,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10416,7 +10465,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10446,7 +10495,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10476,7 +10525,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10506,7 +10555,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10536,7 +10585,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid"
/dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
-
+
@@ -10571,7 +10620,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155</VulnDiscussion
$ sudo yum install fapolicyd.x86_64
-
+
@@ -10606,7 +10655,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155</VulnDiscussion
$ sudo systemctl enable --now fapolicyd
-
+
@@ -10637,7 +10686,7 @@ The system administrator (SA) must work with the site information system securit
$ sudo yum install usbguard.x86_64
-
+
@@ -10672,7 +10721,7 @@ $ sudo systemctl start usbguard.service
Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse.
-
+
@@ -10706,7 +10755,7 @@ FirewallBackend=nftables
Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.
-
+
@@ -10739,7 +10788,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO
$ sudo yum install openssh-server.x86_64
-
+
@@ -10772,7 +10821,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO
$ sudo systemctl enable sshd.service
-
+
@@ -10802,7 +10851,7 @@ The SSH daemon must be restarted for the settings to take effect.
$ sudo systemctl restart sshd.service
-
+
@@ -10834,7 +10883,7 @@ Reload the daemon to take effect:
$ sudo systemctl daemon-reload
-
+
@@ -10866,7 +10915,7 @@ Update the dconf settings:
$ sudo dconf update
-
+
@@ -10900,7 +10949,7 @@ Reload the daemon for this change to take effect.
$ sudo systemctl daemon-reload
-
+
@@ -10930,7 +10979,7 @@ Reload the daemon to take effect:
$ sudo systemctl daemon-reload
-
+
@@ -10954,7 +11003,7 @@ $ sudo systemctl daemon-reload
$ sudo yum remove tftp-server
-
+
@@ -10978,7 +11027,7 @@ $ sudo yum remove tftp-server
If the account is associated with system commands or applications, change the UID to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
-
+
@@ -11016,7 +11065,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11055,7 +11104,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11095,7 +11144,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11135,7 +11184,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11173,7 +11222,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11212,7 +11261,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11250,7 +11299,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11289,7 +11338,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11328,7 +11377,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11369,7 +11418,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11410,7 +11459,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11450,7 +11499,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11488,7 +11537,7 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11527,14 +11576,14 @@ Load settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+ SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ OL08-00-040281OL 8 must disable access to the network "bpf" syscall from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
@@ -11563,7 +11612,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -11599,7 +11648,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -11637,7 +11686,7 @@ Reload settings from all system configuration files with the following command:
$ sudo sysctl --system
-
+
@@ -11677,7 +11726,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -11716,7 +11765,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -11754,7 +11803,7 @@ The system configuration files must be reloaded for the changes to take effect.
$ sudo sysctl --system
-
+
@@ -11779,7 +11828,7 @@ $ sudo sysctl --system
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
-
+
@@ -11803,7 +11852,7 @@ $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
-
+
@@ -11831,7 +11880,7 @@ Set the promiscuous mode of an interface to "off" with the following command:
$ sudo ip link set dev <devicename> multicast off promisc off
-
+
@@ -11863,7 +11912,7 @@ The SSH service must be restarted for changes to take effect:
$ sudo systemctl restart sshd
-
+
@@ -11889,7 +11938,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us
X11UseLocalhost yes
-
+
@@ -11921,7 +11970,7 @@ $ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service
-
+
@@ -11945,14 +11994,14 @@ $ sudo systemctl restart tftp.service
$ sudo yum remove vsftpd
-
+ SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>
-
+ OL08-00-040370OL 8 must not have the "gssproxy" package installed if not required for operational support.<VulnDiscussion>Verify the operating system is configured to disable nonessential capabilities. The most secure way of ensuring a nonessential capability is disabled is to not have the capability installed.
@@ -11972,7 +12021,7 @@ When an application uses Generic Security Services API (GSSAPI), typically it wi
$ sudo yum remove gssproxy
-
+
@@ -11996,7 +12045,7 @@ $ sudo yum remove gssproxy
$ sudo yum remove iprutils
-
+
@@ -12020,7 +12069,7 @@ $ sudo yum remove iprutils
$ sudo yum remove tuned
-
+
@@ -12047,7 +12096,7 @@ Lock an account:
$ sudo passwd -l [username]
-
+
@@ -12073,7 +12122,7 @@ This requirement applies to OL 8 with software libraries that are accessible and
$ sudo chmod 755 [DIRECTORY]
-
+
@@ -12101,7 +12150,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no
$ sudo chown root [DIRECTORY]
-
+
@@ -12129,7 +12178,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no
$ sudo chgrp root [DIRECTORY]
-
+
@@ -12161,7 +12210,7 @@ $ sudo vi /etc/pam.d/sudo
Remove any occurrences of " pam_succeed_if " in the file.
-
+
@@ -12191,7 +12240,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line
password requisite pam_pwquality.so
-
+
@@ -12223,7 +12272,7 @@ Add the following line to the "/etc/pam.d/system-auth" file (or modify the line
password requisite pam_pwquality.so retry=3
-
+
@@ -12255,7 +12304,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin
password requisite pam_pwquality.so retry=3
-
+
@@ -12283,7 +12332,7 @@ $ sudo systemctl set-default multi-user.target
A reboot is required for the changes to take effect.
-
+
@@ -12319,138 +12368,358 @@ Restart systemd-logind:
$ systemctl restart systemd-logind
-
+
-
-
-
-
-
- Security Content Tool 1.7.0
- 5.11
- 2026-01-05T02:25:45
-
-
-
-
- The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
-
-
-
-
-
-
-
-
-
- All the operating system remote access methods must be monitored.
-
-
-
-
-
-
-
-
-
-
- The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
-
-
-
-
-
-
-
-
- The operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
-
-
-
-
-
-
-
-
- The operating system shadow password suite must be configured to use a sufficient number of hashing rounds.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
-
-
-
-
-
-
-
-
-
- The operating system operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
-
-
-
-
-
-
-
-
-
- The operating system operating systems must require authentication upon booting into rescue mode.
-
-
-
-
-
-
-
-
- The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
-
-
-
-
-
-
-
-
- The operating system must prevent system daemons from using Kerberos for authentication.
-
-
-
-
-
-
-
-
- The krb5-workstation package must not be installed on the operating system.
-
-
-
-
-
-
-
-
- The operating system must use a Linux Security Module configured to enforce limits on system services.
-
-
-
-
-
-
+
+ SRG-OS-000163-GPOS-00072
+ <GroupDescription></GroupDescription>
+
+ OL08-00-020040
+ OL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
+ <VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console.
+
+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-001133
+ Configure OL 8 to exit interactive command shell user sessions after 10 minutes of inactivity.
+
+Add or edit the following line in "/etc/profile.d/tmout.sh":
+
+#!/bin/bash
+
+declare -xr TMOUT=600
+
+
+
+
+
+
+
+ SRG-OS-000396-GPOS-00176
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010180
+ OL 8 must have the crypto-policies package installed.
+ <VulnDiscussion>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-002450
+ Install the crypto-policies package with the following command:
+
+$ sudo dnf -y install crypto-policies
+
+
+
+
+
+
+
+ SRG-OS-000250-GPOS-00093
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010184
+ The OL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+ <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-001453
+ Configure the SSH client to use only ciphers employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. Restart the system for the changes to take place.
+
+
+
+
+
+
+
+ SRG-OS-000250-GPOS-00093
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010185
+ The OL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+ <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-001453
+ Configure the SSH client to use only MACs employing FIPS 140-3-approved algorithms.
+
+Reinstall crypto-policies with the following command:
+
+$ sudo dnf -y reinstall crypto-policies
+
+Set the crypto-policy to FIPS with the following command:
+
+$ sudo update-crypto-policies --set FIPS
+Setting system policy to FIPS
+
+Note: Systemwide crypto policies are applied on application startup. Restart the system for the changes to take place.
+
+
+
+
+
+
+
+ SRG-OS-000033-GPOS-00014
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010186
+ OL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.
+ <VulnDiscussion>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+
+ CCI-000068
+ Configure Libreswan to use the system cryptographic policy.
+
+Add the following line to "/etc/ipsec.conf":
+
+include /etc/crypto-policies/back-ends/libreswan.config
+
+
+
+
+
+
+
+ SRG-OS-000423-GPOS-00187
+ <GroupDescription></GroupDescription>
+
+ OL08-00-010187
+ OL 8 must implement DOD-approved encryption in the bind package.
+ <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+OL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
+
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+
+ CCI-002418
+ CCI-002422
+ Configure BIND to use the system crypto policy.
+
+Add the following line to the "options" section in "/etc/named.conf":
+
+include "/etc/crypto-policies/back-ends/bind.config";
+
+
+
+
+
+
+
+ SRG-OS-000080-GPOS-00048
+ <GroupDescription></GroupDescription>
+
+ OL08-00-020262
+ The OL 8 lastlog command must have a mode of "0750" or less permissive.
+ <VulnDiscussion>Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
+
+ DPMS Target Oracle Linux 8
+ DISA
+ DPMS Target
+ Oracle Linux 8
+ 5416
+
+ CCI-000213
+ Configure the mode of the "lastlog" command for OL 8 to "0750" with the following command:
+
+$ sudo chmod 0750 /usr/bin/lastlog
+
+
+
+
+
+
+
+
+
+
+
+ Security Content Tool 1.8.0
+ 5.11
+ 2026-03-24T05:54:02
+
+
+
+
+ The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
+
+
+
+
+
+
+
+
+
+ All the operating system remote access methods must be monitored.
+
+
+
+
+
+
+
+
+
+
+ The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
+
+
+
+
+
+
+
+
+ The operating system must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
+
+
+
+
+
+
+
+
+ The operating system shadow password suite must be configured to use a sufficient number of hashing rounds.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
+
+
+
+
+
+
+
+
+
+ The operating system operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
+
+
+
+
+
+
+
+
+
+ The operating system operating systems must require authentication upon booting into rescue mode.
+
+
+
+
+
+
+
+
+ The operating system pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
+
+
+
+
+
+
+
+
+ The operating system must prevent system daemons from using Kerberos for authentication.
+
+
+
+
+
+
+
+
+ The krb5-workstation package must not be installed on the operating system.
+
+
+
+
+
+
+
+
+ The operating system must use a Linux Security Module configured to enforce limits on system services.
+
+
+
+
+
+
@@ -12534,23 +12803,6 @@ $ systemctl restart systemd-logind
-
-
- The operating system operating system must implement DoD-approved TLS encryption in the OpenSSL package.
-
-
-
-
-
-
-
-
-
-
-
-
-
- The operating system system commands must have mode 755 or less permissive.
@@ -12804,14 +13056,13 @@ $ systemctl restart systemd-logind
-
+ The operating system must prevent code from being executed on file systems that are imported via Network File System (NFS).
-
@@ -13166,15 +13417,6 @@ $ systemctl restart systemd-logind
-
-
- The operating system passwords for new users must have a minimum of 15 characters.
-
-
-
-
-
- All the operating system passwords must contain at least one special character.
@@ -14481,14 +14723,13 @@ $ systemctl restart systemd-logind
-
+ The operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
-
@@ -14928,6 +15169,25 @@ $ systemctl restart systemd-logind
+
+
+ The operating system must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
+
+
+
+
+
+
+
+
+ Systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+
+
+
+
+
+
+ The operating system must require users to reauthenticate for privilege escalation.
@@ -14989,6 +15249,37 @@ $ systemctl restart systemd-logind
+
+
+ The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.
+
+
+
+
+
+
+
+
+
+
+
+
+ The operating system must have the crypto-policies package installed.
+
+
+
+
+
+
+
+
+ The operating system must implement DOD-approved encryption in the bind package.
+
+
+
+
+
+ The operating system library directories must have mode 0755 or less permissive.
@@ -15002,6 +15293,24 @@ $ systemctl restart systemd-logind
+
+
+ The operating system SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+
+
+
+
+
+
+
+
+ The operating system SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+
+
+
+
+
+ The operating system must not allow users to override SSH environment variables.
@@ -15038,6 +15347,15 @@ $ systemctl restart systemd-logind
+
+
+ The operating system must prevent the loading of a new kernel for later execution.
+
+
+
+
+
+ The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
@@ -15209,6 +15527,24 @@ $ systemctl restart systemd-logind
+
+
+ The libreswan package is installed.
+
+
+
+
+
+
+
+
+ The system has BIND installed.
+
+
+
+
+
+ The system is Oracle Linux 8.1 or lower
@@ -15334,22 +15670,6 @@ $ systemctl restart systemd-logind
-
-
- Linux UEFI Boot Partition Not VFAT File Type
-
- Linux Systems
-
-
-
-
-
-
-
-
-
-
- OL08-00-030180 - The OL 8 audit package must be installed.
@@ -15790,26 +16110,6 @@ The SSH implementation in OL 8 uses the OPENSSL library, which does not use high
-
-
- OL08-00-010294 - The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
-
- Oracle Linux 8
-
- Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-
-Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
-
-OL 8 incorporates system-wide crypto policies by default. The employed algorithms can be viewed in the "/etc/crypto-policies/back-ends/openssl.config" file.
-
-Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065
-
-
-
-
- OL08-00-010300 - OL 8 system commands must have mode 755 or less permissive.
@@ -15926,6 +16226,28 @@ Verifying the authenticity of the software prior to installation validates the i
+
+
+ OL08-00-010372 - OL 8 must prevent the loading of a new kernel for later execution.
+
+ Oracle Linux 8
+
+ Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+
+Disabling "kexec_load" prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used to subvert the entire secureboot process and should be avoided at all costs, especially since it can load unsigned kernel images.
+
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.
+/etc/sysctl.d/*.conf
+/run/sysctl.d/*.conf
+/usr/local/lib/sysctl.d/*.conf
+/usr/lib/sysctl.d/*.conf
+/lib/sysctl.d/*.conf
+/etc/sysctl.conf
+
+
+
+
+ OL08-00-010373 - OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.
@@ -16853,6 +17175,24 @@ This requirement addresses concurrent sessions for information system accounts a
+
+
+ OL08-00-020027 - OL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
+
+ Oracle Linux 8
+
+ By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be re-enabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.
+
+SELinux, enforcing a targeted policy, will require any non-default tally directory's security context type to match the default directory's security context type. Without updating the security context type, the pam_faillock module will not write failed login attempts to the non-default tally directory.
+
+Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
+
+
+
+
+ OL08-00-020032 - OL 8 must disable the user list at logon for graphical user interfaces.
@@ -17121,22 +17461,6 @@ The "minlen", sometimes noted as minimum length, acts as a "score" of complexity
-
-
- OL08-00-020231 - OL 8 passwords for new users must have a minimum of 15 characters.
-
- Oracle Linux 8
-
- The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
-
-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
-
-The DoD minimum password requirement is 15 characters.
-
-
-
-
- OL08-00-020240 - OL 8 duplicate User IDs (UIDs) must not exist for interactive users.
@@ -17157,18 +17481,6 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPO
-
-
- OL08-00-020262 - The OL 8 lastlog command must have a mode of "0750" or less permissive.
-
- Oracle Linux 8
-
- Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.
-
-
-
-
- OL08-00-020263 - The OL 8 lastlog command must be owned by root.
@@ -19976,6 +20288,112 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+ OL08-00-020040 - OL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.
+
+ Oracle Linux 8
+
+ Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console.
+
+ Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010
+
+
+
+
+
+
+
+ OL08-00-010180 - OL 8 must have the crypto-policies package installed.
+
+ Oracle Linux 8
+
+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
+
+ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
+
+
+
+
+
+
+
+ OL08-00-010184 - The OL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+
+ Oracle Linux 8
+
+ Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+ Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+ Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+ OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.
+
+
+
+
+
+
+
+ OL08-00-010185 - The OL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+
+ Oracle Linux 8
+
+ Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+ Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+ Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography, enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+ OL 8 incorporates systemwide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssh.config file.
+
+
+
+
+
+
+
+ OL08-00-010186 - OL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.
+
+ Oracle Linux 8
+
+ Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
+
+
+
+
+
+
+
+ OL08-00-010187 - OL 8 must implement DOD-approved encryption in the bind package.
+
+ Oracle Linux 8
+
+ Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+ Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
+
+ OL 8 incorporates systemwide crypto policies by default. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/ directory.
+
+ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190
+
+
+
+
+
+
+
+ OL08-00-020262 - The OL 8 lastlog command must have a mode of "0750" or less permissive.
+
+ Oracle Linux 8
+
+ Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to attackers, thus compromising its confidentiality.
+
+
+
+
+
@@ -19988,10 +20406,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
@@ -20067,18 +20481,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
-
-
-
-
-
-
-
-
@@ -20136,7 +20538,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
+
@@ -20144,10 +20546,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
@@ -20318,10 +20716,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
@@ -20856,13 +21250,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
+
-
-
-
-
-
+
@@ -21045,6 +21435,13 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+
+
+
+
@@ -21073,6 +21470,32 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -21109,10 +21532,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
@@ -21123,10 +21542,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
-
-
-
@@ -21150,7 +21565,7 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
+
@@ -21315,6 +21730,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+
@@ -21330,6 +21749,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+
+
+
+
+
+
@@ -21385,6 +21813,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
+
@@ -21407,11 +21839,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
+
-
+
@@ -21671,11 +22103,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
\bipv6\.disable=1\b1
-
- /etc/fstab
- ^\s*[^#\s]+\s+/boot/efi\s+(\S+)\s+\S+\s+\S+\s+\S+\s*$
- 1
- /etc/audit/auditd.conf^\s*log_file\s*=\s*(\S+)\s*(?:#.*)?$
@@ -21859,21 +22286,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
^[ \t]*SSH_USE_STRONG_RNG[ \t]*=[ \t]*32[ \t]*$1
-
- /etc/crypto-policies/back-ends/opensslcnf.config
- ^\s*MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$
- 1
-
-
- /etc/crypto-policies/back-ends/opensslcnf.config
- ^\s*TLS\.MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$
- 1
-
-
- /etc/crypto-policies/back-ends/opensslcnf.config
- ^\s*DTLS\.MinProtocol\s*=\s*([\.\w]+)\s*(?:#.*)?$
- 1
- /etc/yum.repos.d\.repo$
@@ -21983,19 +22395,19 @@ By limiting the number of attempts to meet the pwquality module complexity requi
^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$1
-
+ /etc/fstab
- ^\s*/dev\S*\s+/\S+\s+(?!vfat\s+)\S+\s+(\S+)\s+\S+\s+\S+\s*$
+ ^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$1
-
+ /etc/fstab
- ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$
+ ^\s*[^#\s][^\s]*\s+[^\s]+\s+nfs[^\s]*\s+([^\s]+)0
-
+ /etc/mtab
- ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$
+ ^\s*[^#\s][^\s]*\s+[^\s]+\s+nfs[^\s]*\s+([^\s]+)0
@@ -22374,11 +22786,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
^\s*minlen\s*=\s*(-?\d*)\s*(?:#.*)?$1
-
- /etc/login.defs
- ^\s*PASS_MIN_LEN\s+(\d+)\s*$
- 1
- oval:mil.disa.stig.ind:obj:23037501
@@ -23555,6 +23962,29 @@ By limiting the number of attempts to meet the pwquality module complexity requi
oval:mil.disa.stig.defs:var:25804500
+
+
+ oval:mil.disa.stig.ind:obj:25806801
+ oval:mil.disa.stig.ind:obj:25806802
+
+
+
+ /etc/profile
+ ^[^#]*\s*TMOUT=(\d+)\s*$
+ 1
+
+
+
+ /etc/profile.d
+ ^.+\.sh$
+ ^[^#]*\s*TMOUT=(\d+)\s*$
+ 1
+
+
+ /etc/security/faillock.conf
+ ^\s*dir\s*=\s*(.*)\s*$
+ 1
+ /etc/sudoers
@@ -23605,6 +24035,32 @@ By limiting the number of attempts to meet the pwquality module complexity requi
^\$ActionSendStreamDriverAuthMode\s+(\S+)\s*$1
+
+ /etc/ipsec.conf
+ ^\s*include\s+(.*)\s*$
+ 1
+
+
+ /etc/ipsec.d
+ ^.*\.conf$
+ ^\s*include\s+(.*)\s*$
+ 1
+
+
+ /etc/named.conf
+ ^\s*include\s+"(.*)"\s*;\s*$
+ 1
+
+
+ /etc/crypto-policies/back-ends/openssh.config
+ ^\s*(?i)Ciphers(?-i)[ \t]+(\S+)[\s]*(?:|(?:#.*))?$
+ 1
+
+
+ /etc/crypto-policies/back-ends/openssh.config
+ ^\s*MACs\s+(\S+)\s*$
+ 1
+ oval:mil.disa.stig.ind:obj:27172001
@@ -23638,18 +24094,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi
krb5-workstation
-
- /boot/efi
- /sys/fs/selinuxpolicycoreutils
-
- crypto-policies
- openssl-pkcs11
@@ -23668,9 +24118,8 @@ By limiting the number of attempts to meet the pwquality module complexity requi
/boot
-
+ ^/\S+$
- oval:mil.disa.stig.linux:ste:23030103oval:mil.disa.stig.linux:ste:23030102
@@ -23788,6 +24237,10 @@ By limiting the number of attempts to meet the pwquality module complexity requi
usbguard.serviceActiveState
+
+
+
+ fapolicyd
@@ -23803,6 +24256,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi
auditd.serviceSubState
+
+ crypto-policies
+
+
+ bind
+
+
+ libreswan
+ /sys/firmware/efi
@@ -23887,6 +24349,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi
oval:mil.disa.stig.unix:ste:20000015oval:mil.disa.stig.unix:ste:20000006
+
+ kernel.kexec_load_disabled
+ kernel.randomize_va_space
@@ -23912,15 +24377,17 @@ By limiting the number of attempts to meet the pwquality module complexity requi
kernel.core_pattern
-
+ ^\.[^\s\.]+
+ oval:mil.disa.stig.unix:ste:20000021
-
+ ^\.[^\s\.]+
+ oval:mil.disa.stig.unix:ste:20000021
@@ -24143,9 +24610,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
(?:^nosuid$|^nosuid,|,nosuid$|,nosuid,)
-
- vfat
- false
@@ -24188,6 +24652,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi
0
+
+ 600
+ (?i)(?:^|\n)[^#]*\btype\s*=\s*"omfwd"
@@ -24215,12 +24682,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
enforcing
-
- TLSv1\.[2|3]
-
-
- DTLSv1\.[2|3]
- \n\s*gpgcheck\s*=\s*(True|1|yes)\s*(\n|$)
@@ -24233,8 +24694,11 @@ By limiting the number of attempts to meet the pwquality module complexity requi
(?:^nodev$|^nodev,|,nodev$|,nodev,)
-
- ^.*noexec.*$
+
+ (^|,)noexec(,|$)
+
+
+ (^|,)nosuid(,|$)0
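Review bot: The replacement mount-option patterns `(^|,)noexec(,|$)` and `(^|,)nosuid(,|$)` use capturing groups where the neighbouring, pre-existing states use the explicit four-alternative form `(?:^nodev$|^nodev,|,nodev$|,nodev,)`, so two idioms for the same comma-delimited option test now coexist in the file. The new form is the clearer of the two and correctly fixes the old `^.*noexec.*$` substring match, but writing it as `(?:^|,)noexec(?:,|$)` avoids unneeded capture groups and matches the non-capturing style used elsewhere. The trailing `0` on the nosuid line looks like an adjacent element's value fused by tag stripping rather than part of the pattern.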
@@ -24368,6 +24832,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi
/etc/ssh/sshd_config.d/*.conf
+
+ aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+
+ "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr"
+
+
+ hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+
+
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512"
+ 600
@@ -24386,6 +24862,15 @@ By limiting the number of attempts to meet the pwquality module complexity requi
(?i)(?:^|\n)[^#]*\bStreamDriver\.?AuthMode\b
+
+ /etc/crypto-policies/back-ends/libreswan.config
+
+
+ /etc/ipsec.d/*.conf
+
+
+ /etc/crypto-policies/back-ends/bind.config
+ 8\.[0-1]$
@@ -24405,9 +24890,6 @@ By limiting the number of attempts to meet the pwquality module complexity requi
1.17
-
- vfat
- noexec
@@ -24435,21 +24917,18 @@ By limiting the number of attempts to meet the pwquality module complexity requi
selinuxfs
-
- 20210617
- ^/dev\S*$
-
- vfat
- nosuidactive
+
+ faillog_t
+ falsefalse
@@ -24867,6 +25346,9 @@ By limiting the number of attempts to meet the pwquality module complexity requi
+
+
+
@@ -24877,12 +25359,12 @@ By limiting the number of attempts to meet the pwquality module complexity requi
-
+
- Security Content Tool 1.7.0
+ Security Content Tool 1.8.05.11
- 2026-01-05T02:25:57
+ 2026-03-24T05:54:02