ComplianceAsCode · mrkanon · Apr 24, 2026 · May 4, 2026 · May 6, 2026
diff --git a/...ts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/...ts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -42,7 +42,6 @@ references:
     nist: IA-5(f),IA-5(1)(a),CM-6(a)
     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
     srg: SRG-OS-000078-GPOS-00046
-    stigid@ol8: OL08-00-020231
 
 ocil_clause: 'it is not set to the required value'
 

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml
@@ -30,7 +30,7 @@ references:
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
     nist: SC-13,SC-12(2),SC-12(3)
     srg: SRG-OS-000423-GPOS-00187,SRG-OS-000426-GPOS-00190
-    stigid@ol8: OL08-00-010020
+    stigid@ol8: OL08-00-010020,OL08-00-010187
 
 ocil_clause: |-
     BIND is installed and the BIND config file doesn't contain the

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -68,7 +68,7 @@ references:
     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
     ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
-    stigid@ol8: OL08-00-010020
+    stigid@ol8: OL08-00-010020,OL08-00-010183,OL08-00-010181
 
 ocil_clause: 'cryptographic policy is not configured or is configured incorrectly'
 

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml
@@ -29,7 +29,6 @@ identifiers:
 references:
     nist: AC-17(2)
     srg: SRG-OS-000250-GPOS-00093,SRG-OS-000423-GPOS-00187
-    stigid@ol8: OL08-00-010295
 
 ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly'
 

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml
@@ -34,7 +34,7 @@ references:
     nist: CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
     pcidss: Req-2.2
     srg: SRG-OS-000033-GPOS-00014
-    stigid@ol8: OL08-00-010020
+    stigid@ol8: OL08-00-010020,OL08-00-010186
 
 ocil_clause: |-
     the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
@@ -43,7 +43,6 @@ identifiers:
 references:
     nist: AC-17(2)
     srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
-    stigid@ol8: OL08-00-010294
 
 ocil_clause: 'cryptographic policy for openssl is not configured or is configured incorrectly'
 

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml
@@ -33,7 +33,6 @@ references:
     ospp: FCS_SSH_EXT.1,FCS_SSHS_EXT.1,FCS_SSHC_EXT.1
     pcidss: Req-2.2
     srg: SRG-OS-000250-GPOS-00093
-    stigid@ol8: OL08-00-010287
 
 ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in {{{ sshd_sysconfig }}}'
 

diff --git a/...ide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/...ide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -29,6 +29,7 @@ identifiers:
 references:
     nist: AC-17(2)
     srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093
+    stigid@ol8: OL08-00-010185
 
 ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
 

diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 references:
     ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1
     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+    stigid@ol8: OL08-00-010180
 
 {{{ complete_ocil_entry_package_installed("crypto-policies") }}}
 

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -56,7 +56,7 @@ references:
     nist: CM-3(6),SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
     ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1
     srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176
-    stigid@ol8: OL08-00-010020,OL08-00-010293
+    stigid@ol8: OL08-00-010020,OL08-00-010182
 
 ocil_clause: 'FIPS mode is not enabled'
 

diff --git a/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_crypto_subpolicy/rule.yml
@@ -19,6 +19,7 @@ identifiers:
 
 references:
     srg: SRG-OS-000033-GPOS-00014
+    stigid@ol8: OL08-00-010184,OL08-00-010182,OL08-00-010181
 
 severity: medium
 

diff --git a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml
@@ -16,6 +16,7 @@ identifiers:
 
 references:
     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+    stigid@ol8: OL08-00-010181
 
 ocil_clause: 'the STIG subpolicy does not exist'
 

@@ -1,15 +1,15 @@
 documentation_complete: true
 
 metadata:
-    version: V2R7
+    version: V2R8
 
 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 
 title: 'DISA STIG for Oracle Linux 8'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Oracle Linux 8 V2R7.
+    DISA STIG for Oracle Linux 8 V2R8.
 
 selections:
     ### Variables
@@ -28,7 +28,6 @@ selections:
     - var_password_pam_remember_control_flag=ol8
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
-    - var_accounts_password_minlen_login_defs=15
     - var_password_pam_unix_rounds=5000
     - var_password_pam_minlen=15
     - var_password_pam_ocredit=1
@@ -68,11 +67,22 @@ selections:
     - var_multiple_time_servers=stig
 
     ### Enable / Configure FIPS
-    # OL08-00-010293, OL08-00-010020
+    # OL08-00-010020, OL08-00-010182
     - enable_fips_mode
-    - var_system_crypto_policy=fips
+    - var_system_crypto_policy=fips_stig
+    # OL08-00-010180
+    - package_crypto-policies_installed
+    - package_crypto-policies_installed.severity=high
+    # OL08-00-010183
     - configure_crypto_policy
+    # OL08-00-010181, OL08-00-010184, OL08-00-010182
+    - fips_crypto_subpolicy
+    - fips_crypto_subpolicy.severity=high
+    - fips_custom_stig_sub_policy
+    - fips_custom_stig_sub_policy.severity=high
+    # OL08-00-010187
     - configure_bind_crypto_policy
+    # OL08-00-010186
     - configure_libreswan_crypto_policy
     - configure_kerberos_crypto_policy
     - enable_dracut_fips_module
@@ -165,6 +175,10 @@ selections:
     # OL08-00-010171
     - package_policycoreutils_installed
 
+    # OL08-00-010185
+    - harden_sshd_macs_openssh_conf_crypto_policy
+    - harden_sshd_macs_openssh_conf_crypto_policy.severity=high
+
     # OL08-00-010190
     - dir_perms_world_writable_sticky_bits
 
@@ -193,24 +207,17 @@ selections:
     # OL08-00-010260
     - file_groupowner_var_log
 
-    # OL08-00-010287
-    - configure_ssh_crypto_policy
-
     # OL08-00-010290
     - harden_sshd_macs_opensshserver_conf_crypto_policy
+    - harden_sshd_macs_opensshserver_conf_crypto_policy.severity=high
 
     # OL08-00-010291
     - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+    - harden_sshd_ciphers_opensshserver_conf_crypto_policy.severity=high
 
     # OL08-00-010292
     - sshd_use_strong_rng
 
-    # OL08-00-010294
-    - configure_openssl_tls_crypto_policy
-
-    # OL08-00-010295
-    - configure_gnutls_tls_crypto_policy
-
     # OL08-00-010300
     - file_permissions_binary_dirs
 
@@ -608,9 +615,6 @@ selections:
     # OL08-00-020230
     - accounts_password_pam_minlen
 
-    # OL08-00-020231
-    - accounts_password_minlen_login_defs
-
     # OL08-00-020240
     - account_unique_id
 
@@ -1193,9 +1197,6 @@ selections:
     # OL08-00-040341
     - sshd_x11_use_localhost
 
-    # OL08-00-040342
-    - sshd_use_approved_kex_ordered_stig
-
     # OL08-00-040350
     - tftp_uses_secure_mode_systemd
 

@@ -1,13 +1,13 @@
 documentation_complete: true
 
 metadata:
-    version: V2R7
+    version: V2R8
 
 title: 'DISA STIG with GUI for Oracle Linux 8'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG with GUI for Oracle Linux V2R7.
+    DISA STIG with GUI for Oracle Linux V2R8.
 
     Warning: The installation and use of a Graphical User Interface (GUI)
     increases your attack vector and decreases your overall security posture. If

diff --git a/...ences/disa-stig-ol8-v2r7-xccdf-manual.xml → ...ences/disa-stig-ol8-v2r8-xccdf-manual.xml b/...ences/disa-stig-ol8-v2r7-xccdf-manual.xml → ...ences/disa-stig-ol8-v2r8-xccdf-manual.xml