DISA Oracle Linux 8 STIG v1r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Oracle Linux 8 STIG v1r2

Updated: 4/12/2023

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.11

Estimated Item Count: 547

Audit Items

DescriptionCategories
DISA_STIG_Oracle_Linux_8_v1r2.audit from DISA Oracle Linux 8 v1r2 STIG
OL08-00-010000 - OL 8 must be a vendor-supported release.
OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
OL08-00-010010 - OL 8 vendor-packaged system security patches and updates must be installed and up to date.
OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
OL08-00-010030 - All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/issue
OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/ssh/sshd_config
OL08-00-010049 - OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
OL08-00-010050 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
OL08-00-010060 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
OL08-00-010070 - All OL 8 remote access methods must be monitored - auth
OL08-00-010070 - All OL 8 remote access methods must be monitored - authpriv
OL08-00-010070 - All OL 8 remote access methods must be monitored - daemon
OL08-00-010090 - OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
OL08-00-010100 - OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
OL08-00-010121 - The OL 8 operating system must not have accounts configured with blank or null passwords.
OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
OL08-00-010140 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
OL08-00-010141 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
OL08-00-010149 - OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.
OL08-00-010150 - OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
OL08-00-010151 - OL 8 operating systems must require authentication upon booting into rescue mode.
OL08-00-010152 - OL 8 operating systems must require authentication upon booting into emergency mode.
OL08-00-010159 - The OL 8 'pam_unix.so' module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
OL08-00-010160 - The OL 8 'pam_unix.so' module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
OL08-00-010161 - OL 8 must prevent system daemons from using Kerberos for authentication.
OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.
OL08-00-010163 - The krb5-server package must not be installed on OL 8.
OL08-00-010170 - OL 8 must use a Linux Security Module configured to enforce limits on system services.
OL08-00-010171 - OL 8 must have the 'policycoreutils' package installed - policycoreutils package installed.
OL08-00-010190 - A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
OL08-00-010200 - OL 8 must be configured so that all network connections associated with SSH traffic are terminate after a period of inactivity.
OL08-00-010201 - OL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity.
OL08-00-010210 - The OL 8 '/var/log/messages' file must have mode 0640 or less permissive - /var/log/messages file must have mode 0640 or less permissive.
OL08-00-010220 - The OL 8 '/var/log/messages' file must be owned by root - /var/log/messages file must be owned by root.
OL08-00-010230 - The OL 8 '/var/log/messages' file must be group-owned by root - /var/log/messages file must be group-owned by root.
OL08-00-010240 - The OL 8 '/var/log' directory must have mode 0755 or less permissive - /var/log directory must have mode 0755 or less permissive.
OL08-00-010250 - The OL 8 '/var/log' directory must be owned by root - /var/log directory must be owned by root.
OL08-00-010260 - The OL 8 '/var/log' directory must be group-owned by root - /var/log directory must be group-owned by root.
OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.
OL08-00-010290 - The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
OL08-00-010291 - The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.
OL08-00-010292 - The OL 8 SSH server must be configured to use strong entropy.
OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf
OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - update-crypto-policies
OL08-00-010294 - The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
OL08-00-010295 - The OL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.