OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.
OL08-00-010163 - The krb5-server package must not be installed on OL 8.
OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.
OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf
OL08-00-010360 - The OL 8 file integrity tool must notify the System Administrator (SA) when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency - grep aide /etc/crontab /var/spool/cron/root
OL08-00-010370 - YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed.
OL08-00-010400 - OL 8 must implement certificate status checking for multifactor authentication.
OL08-00-010410 - OL 8 must accept Personal Identity Verification (PIV) credentials - opensc
OL08-00-010471 - OL 8 must enable the hardware random number generator entropy gatherer service - is-active
OL08-00-010471 - OL 8 must enable the hardware random number generator entropy gatherer service - is-enabled
OL08-00-010472 - OL 8 must have the packages required to use the hardware random number generator entropy gatherer service.
OL08-00-010500 - The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
OL08-00-010510 - The OL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
OL08-00-010520 - The OL 8 SSH daemon must not allow authentication using known host's authentication.
OL08-00-010521 - The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
OL08-00-010522 - The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
OL08-00-010540 - OL 8 must use a separate file system for '/var' - /var.
OL08-00-010541 - OL 8 must use a separate file system for '/var/log' - /var/log.
OL08-00-010542 - OL 8 must use a separate file system for the system audit data path.
OL08-00-010543 - OL 8 must use a separate file system for '/tmp' - /tmp.
OL08-00-010544 - OL 8 must use a separate file system for /var/tmp.
OL08-00-010550 - OL 8 must not permit direct logons to the root account using remote access via SSH.
OL08-00-010570 - OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
OL08-00-010571 - OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
OL08-00-010572 - OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
OL08-00-010590 - OL 8 file systems that contain user home directories must not execute binary files.
OL08-00-010600 - OL 8 file systems must not interpret character or block special devices from untrusted file systems.
OL08-00-010610 - OL 8 file systems must not execute binary files on removable media.
OL08-00-010620 - OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
OL08-00-010660 - Local OL 8 initialization files must not execute world-writable programs.
OL08-00-010680 - For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured - nameserver 1
OL08-00-010680 - For OL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured - nameserver 2
OL08-00-010690 - Executable search paths within the initialization files of all local interactive OL 8 users must only contain paths that resolve to the system default or the user's home directory.
OL08-00-010700 - All OL 8 world-writable directories must be owned by root, sys, bin, or an application user.
OL08-00-010710 - All OL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
OL08-00-020024 - OL 8 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
OL08-00-020031 - OL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
OL08-00-020032 - OL 8 must disable the user list at logon for graphical user interfaces.
OL08-00-020080 - OL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
OL08-00-020081 - OL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
OL08-00-020082 - OL 8 must prevent a user from overriding the session lock-enabled setting for the graphical user interface.
OL08-00-020250 - OL 8 must implement multifactor authentication for access to interactive accounts - pam_sss.so
OL08-00-030180 - The OL 8 audit package must be installed.
OL08-00-030603 - OL 8 must enable Linux audit logging for the USBGuard daemon.
OL08-00-030700 - OL 8 must take appropriate action when the internal event queue is full.
OL08-00-040001 - OL 8 must not have any automated bug reporting tools installed.
OL08-00-040111 - OL 8 Bluetooth must be disabled.
OL08-00-040161 - OL 8 must force a frequent session key renegotiation for SSH connections to the server.
OL08-00-040170 - The x86 Ctrl-Alt-Delete key sequence must be disabled on OL 8.
OL08-00-040171 - The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
Informational Update
OL08-00-010660 - Local OL 8 initialization files must not execute world-writable programs.
