DISA Oracle Linux 8 STIG v1r2

Audit Details

Name: DISA Oracle Linux 8 STIG v1r2

Updated: 7/27/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 548

File Details

Filename: DISA_STIG_Oracle_Linux_8_v1r2.audit

Size: 1.36 MB

MD5: 7cf1aec6b71e0c4a904c98f9e10816e3
SHA256: 3d8c701e131dd7a0b143e0cd9f453a61eae121c9ce8cfb752c7eedcf9682bca9

Audit Items

DescriptionCategories
DISA_STIG_Oracle_Linux_8_v1r2.audit from DISA Oracle Linux 8 v1r2 STIG
OL08-00-010000 - OL 8 must be a vendor-supported release.

CONFIGURATION MANAGEMENT

OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010010 - OL 8 vendor-packaged system security patches and updates must be installed and up to date.

CONFIGURATION MANAGEMENT

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010030 - All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/issue

ACCESS CONTROL

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/ssh/sshd_config

ACCESS CONTROL

OL08-00-010049 - OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

OL08-00-010050 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

OL08-00-010060 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - auth

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - authpriv

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - daemon

ACCESS CONTROL

OL08-00-010090 - OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010100 - OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010121 - The OL 8 operating system must not have accounts configured with blank or null passwords.

CONFIGURATION MANAGEMENT

OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010140 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.

ACCESS CONTROL

OL08-00-010141 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.

ACCESS CONTROL

OL08-00-010149 - OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.

ACCESS CONTROL

OL08-00-010150 - OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.

ACCESS CONTROL

OL08-00-010151 - OL 8 operating systems must require authentication upon booting into rescue mode.

ACCESS CONTROL

OL08-00-010152 - OL 8 operating systems must require authentication upon booting into emergency mode.

ACCESS CONTROL

OL08-00-010159 - The OL 8 'pam_unix.so' module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010160 - The OL 8 'pam_unix.so' module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010161 - OL 8 must prevent system daemons from using Kerberos for authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010163 - The krb5-server package must not be installed on OL 8.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010170 - OL 8 must use a Linux Security Module configured to enforce limits on system services.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010171 - OL 8 must have the 'policycoreutils' package installed - policycoreutils package installed.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010190 - A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010200 - OL 8 must be configured so that all network connections associated with SSH traffic are terminate after a period of inactivity.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010201 - OL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010210 - The OL 8 '/var/log/messages' file must have mode 0640 or less permissive - /var/log/messages file must have mode 0640 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010220 - The OL 8 '/var/log/messages' file must be owned by root - /var/log/messages file must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010230 - The OL 8 '/var/log/messages' file must be group-owned by root - /var/log/messages file must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010240 - The OL 8 '/var/log' directory must have mode 0755 or less permissive - /var/log directory must have mode 0755 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010250 - The OL 8 '/var/log' directory must be owned by root - /var/log directory must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010260 - The OL 8 '/var/log' directory must be group-owned by root - /var/log directory must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.

ACCESS CONTROL

OL08-00-010290 - The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

MAINTENANCE

OL08-00-010291 - The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.

MAINTENANCE

OL08-00-010292 - The OL 8 SSH server must be configured to use strong entropy.

CONFIGURATION MANAGEMENT

OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf

ACCESS CONTROL

OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - update-crypto-policies

ACCESS CONTROL

OL08-00-010294 - The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.

ACCESS CONTROL

OL08-00-010295 - The OL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.

ACCESS CONTROL