DISA Oracle Linux 8 STIG v1r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Oracle Linux 8 STIG v1r2

Updated: 4/12/2023

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.11

Estimated Item Count: 547

Audit Changelog

Revision 1.11

Apr 12, 2023

Functional Update
  • OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
  • OL08-00-020110 - OL 8 must enforce password complexity by requiring that at least one uppercase character be used.
  • OL08-00-020120 - OL 8 must enforce password complexity by requiring that at least one lowercase character be used.
  • OL08-00-020130 - OL 8 must enforce password complexity by requiring that at least one numeric character be used.
  • OL08-00-020140 - OL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
  • OL08-00-020150 - OL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
  • OL08-00-020160 - OL 8 must require the change of at least four character classes when passwords are changed.
  • OL08-00-020170 - OL 8 must require the change of at least 8 characters when passwords are changed.
  • OL08-00-020230 - OL 8 passwords must have a minimum of 15 characters.
  • OL08-00-020280 - All OL 8 passwords must contain at least one special character.
  • OL08-00-020310 - OL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
  • OL08-00-020351 - OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.
Miscellaneous
  • Variables updated.

Revision 1.10

Apr 3, 2023

Functional Update
  • OL08-00-010730 - All OL 8 local interactive user home directories must have mode '0750' or less permissive - 0750 or less permissive.

Revision 1.9

Mar 27, 2023

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.

Revision 1.8

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.

Revision 1.7

Jan 4, 2023

Functional Update
  • OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
  • OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
  • OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.
  • OL08-00-010163 - The krb5-server package must not be installed on OL 8.
  • OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.
  • OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf
  • OL08-00-010360 - The OL 8 file integrity tool must notify the System Administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency - grep aide /etc/crontab /var/spool/cron/root
  • OL08-00-010370 - YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
  • OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed.
  • OL08-00-010400 - OL 8 must implement certificate status checking for multifactor authentication.
  • OL08-00-010410 - OL 8 must accept Personal Identity Verification (PIV) credentials - opensc
  • OL08-00-010471 - OL 8 must enable the hardware random number generator entropy gatherer service - is-active
  • OL08-00-010471 - OL 8 must enable the hardware random number generator entropy gatherer service - is-enabled
  • OL08-00-010472 - OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
  • OL08-00-010500 - The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
  • OL08-00-010510 - The OL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
  • OL08-00-010520 - The OL 8 SSH daemon must not allow authentication using known host's authentication.
  • OL08-00-010521 - The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
  • OL08-00-010522 - The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
  • OL08-00-010540 - OL 8 must use a separate file system for '/var' - /var.
  • OL08-00-010541 - OL 8 must use a separate file system for '/var/log' - /var/log.
  • OL08-00-010542 - OL 8 must use a separate file system for the system audit data path.
  • OL08-00-010543 - OL 8 must use a separate file system for '/tmp' - /tmp.
  • OL08-00-010544 - OL 8 must use a separate file system for /var/tmp.
  • OL08-00-010550 - OL 8 must not permit direct logons to the root account using remote access via SSH.
  • OL08-00-010570 - OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
  • OL08-00-010571 - OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • OL08-00-010572 - OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
  • OL08-00-010590 - OL 8 file systems that contain user home directories must not execute binary files.
  • OL08-00-010600 - OL 8 file systems must not interpret character or block special devices from untrusted file systems.
  • OL08-00-010610 - OL 8 file systems must not execute binary files on removable media.
  • OL08-00-010620 - OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • OL08-00-010660 - Local OL 8 initialization files must not execute world-writable programs.
  • OL08-00-010680 - For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured - nameserver 1
  • OL08-00-010680 - For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured - nameserver 2
  • OL08-00-010690 - Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
  • OL08-00-010700 - All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
  • OL08-00-010710 - All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
  • OL08-00-020024 - OL 8 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
  • OL08-00-020031 - OL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • OL08-00-020032 - OL 8 must disable the user list at logon for graphical user interfaces.
  • OL08-00-020080 - OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
  • OL08-00-020081 - OL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • OL08-00-020082 - OL 8 must prevent a user from overriding the session lock-enabled setting for the graphical user interface.
  • OL08-00-020250 - OL 8 must implement multifactor authentication for access to interactive accounts - pam_sss.so
  • OL08-00-030180 - The OL 8 audit package must be installed.
  • OL08-00-030603 - OL 8 must enable Linux audit logging for the USBGuard daemon.
  • OL08-00-030700 - OL 8 must take appropriate action when the internal event queue is full.
  • OL08-00-040001 - OL 8 must not have any automated bug reporting tools installed.
  • OL08-00-040111 - OL 8 Bluetooth must be disabled.
  • OL08-00-040161 - OL 8 must force a frequent session key renegotiation for SSH connections to the server.
  • OL08-00-040170 - The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.
  • OL08-00-040171 - The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
Informational Update
  • OL08-00-010660 - Local OL 8 initialization files must not execute world-writable programs.
Miscellaneous
  • Metadata updated.

Revision 1.6

Dec 7, 2022

Miscellaneous
  • Variables updated.

Revision 1.5

Nov 4, 2022

Functional Update
  • OL08-00-010420 - OL 8 must implement non-executable data to protect its memory from unauthorized code execution - /proc/cpuinfo
  • OL08-00-040070 - The OL 8 file system automounter must be disabled unless required.

Revision 1.4

Oct 26, 2022

Removed
  • OL08-00-040150 - A firewall must be able to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring OL 8 can implement rate-limiting measures on impacted network interfaces - nftables status

Revision 1.3

Oct 18, 2022

Functional Update
  • OL08-00-010382 - OL 8 must restrict privilege elevation to authorized personnel - sudoers.d
  • OL08-00-040300 - The OL 8 file integrity tool must be configured to verify extended attributes.
  • OL08-00-040310 - The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).
Informational Update
  • OL08-00-040300 - The OL 8 file integrity tool must be configured to verify extended attributes.
  • OL08-00-040310 - The OL 8 file integrity tool must be configured to verify Access Control Lists (ACLs).

Revision 1.2

Oct 4, 2022

Functional Update
  • OL08-00-020352 - OL 8 must set the umask value to 077 for all local interactive user accounts.