DISA Oracle Linux 8 STIG v1r4

Audit Details

Name: DISA Oracle Linux 8 STIG v1r4

Updated: 1/5/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 491

File Details

Filename: DISA_STIG_Oracle_Linux_8_v1r4.audit

Size: 1.28 MB

MD5: bab55b7464c2ebea6a505d7c96dc5e07
SHA256: 0597e8554d6030750a8855b1278e783940b5f5e6cea38aaee6aeb484352ca56e

Audit Items

Description / Categories
DISA_STIG_Oracle_Linux_8_v1r4.audit from DISA Oracle Linux 8 v1r4 STIG
OL08-00-010000 - OL 8 must be a vendor-supported release.

CONFIGURATION MANAGEMENT

OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010010 - OL 8 vendor-packaged system security patches and updates must be installed and up to date.

CONFIGURATION MANAGEMENT

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - fips-mode-setup

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - grub2-editenv

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - proc

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010030 - All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/ssh/sshd_config

ACCESS CONTROL

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - banner file

ACCESS CONTROL

OL08-00-010049 - OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

OL08-00-010050 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

OL08-00-010060 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - auth

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - authpriv

ACCESS CONTROL

OL08-00-010070 - All OL 8 remote access methods must be monitored - daemon

ACCESS CONTROL

OL08-00-010090 - OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor - which includes status information to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010100 - OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010121 - The OL 8 operating system must not have accounts configured with blank or null passwords.

CONFIGURATION MANAGEMENT

OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010140 - OL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance - UEFI must require authentication upon booting into single-user mode and maintenance

ACCESS CONTROL

OL08-00-010141 - OL 8 operating systems booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance - UEFI must require a unique superusers name upon booting into single-user mode and maintenance.

ACCESS CONTROL

OL08-00-010149 - OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.

ACCESS CONTROL

OL08-00-010150 - OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes - superusers

ACCESS CONTROL

OL08-00-010151 - OL 8 operating systems must require authentication upon booting into rescue mode.

ACCESS CONTROL

OL08-00-010152 - OL 8 operating systems must require authentication upon booting into emergency mode.

ACCESS CONTROL

OL08-00-010159 - The OL 8 'pam_unix.so' module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010160 - The OL 8 'pam_unix.so' module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010161 - OL 8 must prevent system daemons from using Kerberos for authentication.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010163 - The krb5-server package must not be installed on OL 8.

IDENTIFICATION AND AUTHENTICATION

OL08-00-010170 - OL 8 must use a Linux Security Module configured to enforce limits on system services.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010171 - OL 8 must have the 'policycoreutils' package installed.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010190 - A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010200 - OL 8 must be configured so that all network connections associated with SSH traffic are terminated after a period of inactivity.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010201 - OL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity.

ACCESS CONTROL, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

OL08-00-010210 - The OL 8 '/var/log/messages' file must have mode 0640 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010220 - The OL 8 '/var/log/messages' file must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010230 - The OL 8 '/var/log/messages' file must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010240 - The OL 8 '/var/log' directory must have mode 0755 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010250 - The OL 8 '/var/log' directory must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010260 - The OL 8 '/var/log' directory must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.

ACCESS CONTROL

OL08-00-010290 - The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms - MACs employing FIPS 140-2 validated cryptographic hash algorithms

MAINTENANCE

OL08-00-010291 - The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.

MAINTENANCE

OL08-00-010292 - The OL 8 SSH server must be configured to use strong entropy.

CONFIGURATION MANAGEMENT

OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf

ACCESS CONTROL

OL08-00-010293 - The OL 8 operating system must implement DoD-approved encryption in the OpenSSL package - update-crypto-policies

ACCESS CONTROL