DISA_STIG_Oracle_Linux_8_v1r6.audit from DISA Oracle Linux 8 v1r6 STIG

OL08-00-010000 - OL 8 must be a vendor-supported release.

CAT|I

CCI|CCI-000366

Rule-ID|SV-248521r779129_rule

STIG-ID|OL08-00-010000

Vuln-ID|V-248521

OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.

CAT|II

CCI|CCI-001233

Rule-ID|SV-248522r779132_rule

STIG-ID|OL08-00-010001

Vuln-ID|V-248522

OL08-00-010010 - OL 8 vendor-packaged system security patches and updates must be installed and up to date.

Rule-ID|SV-248523r779135_rule

STIG-ID|OL08-00-010010

Vuln-ID|V-248523

OL08-00-010019 - OL 8 must ensure cryptographic verification of vendor software packages.

CCI|CCI-001749

Rule-ID|SV-256978r902784_rule

STIG-ID|OL08-00-010019

Vuln-ID|V-256978

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - fips-mode-setup

CCI|CCI-000068

CCI|CCI-000877

CCI|CCI-001453

CCI|CCI-002418

CCI|CCI-002890

CCI|CCI-003123

Rule-ID|SV-248524r877398_rule

STIG-ID|OL08-00-010020

Vuln-ID|V-248524

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - grub2-editenv

OL08-00-010020 - OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - proc

OL08-00-010030 - All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

CCI|CCI-001199

CCI|CCI-002475

CCI|CCI-002476

Rule-ID|SV-248525r853748_rule

STIG-ID|OL08-00-010030

Vuln-ID|V-248525

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - /etc/ssh/sshd_config

CCI|CCI-000048

CCI|CCI-001384

CCI|CCI-001385

CCI|CCI-001386

CCI|CCI-001387

CCI|CCI-001388

Rule-ID|SV-248526r858561_rule

STIG-ID|OL08-00-010040

Vuln-ID|V-248526

OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon - banner file

OL08-00-010049 - OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.

Rule-ID|SV-248527r779147_rule

STIG-ID|OL08-00-010049

Vuln-ID|V-248527

OL08-00-010050 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

Rule-ID|SV-248528r779150_rule

STIG-ID|OL08-00-010050

Vuln-ID|V-248528

OL08-00-010060 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

Rule-ID|SV-248529r779153_rule

STIG-ID|OL08-00-010060

Vuln-ID|V-248529

OL08-00-010070 - All OL 8 remote access methods must be monitored - auth

CCI|CCI-000067

Rule-ID|SV-248530r779156_rule

STIG-ID|OL08-00-010070

Vuln-ID|V-248530

OL08-00-010070 - All OL 8 remote access methods must be monitored - authpriv

OL08-00-010070 - All OL 8 remote access methods must be monitored - daemon

OL08-00-010090 - OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor - which includes status information to an accepted trust anchor.

CCI|CCI-000185

CCI|CCI-001991

Rule-ID|SV-248531r860907_rule

STIG-ID|OL08-00-010090

Vuln-ID|V-248531

OL08-00-010100 - OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

CCI|CCI-000186

Rule-ID|SV-248532r779162_rule

STIG-ID|OL08-00-010100

Vuln-ID|V-248532

OL08-00-010110 - OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

CCI|CCI-000196

Rule-ID|SV-248533r877397_rule

STIG-ID|OL08-00-010110

Vuln-ID|V-248533

OL08-00-010120 - OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

Rule-ID|SV-248534r877397_rule

STIG-ID|OL08-00-010120

Vuln-ID|V-248534

OL08-00-010121 - The OL 8 operating system must not have accounts configured with blank or null passwords.

Rule-ID|SV-252650r818746_rule

STIG-ID|OL08-00-010121

Vuln-ID|V-252650

OL08-00-010130 - The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

Rule-ID|SV-248535r880546_rule

STIG-ID|OL08-00-010130

Vuln-ID|V-248535

OL08-00-010140 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance - UEFI must require authentication upon booting into single-user mode and maintenance

CCI|CCI-000213

Rule-ID|SV-248537r779177_rule

STIG-ID|OL08-00-010140

Vuln-ID|V-248537

OL08-00-010141 - OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance - UEFI must require a unique superusers name upon booting into single-user mode and maintenance.

Rule-ID|SV-248538r818603_rule

STIG-ID|OL08-00-010141

Vuln-ID|V-248538

OL08-00-010149 - OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.

Rule-ID|SV-248539r818605_rule

STIG-ID|OL08-00-010149

Vuln-ID|V-248539

OL08-00-010150 - OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes - superusers

Rule-ID|SV-248540r779186_rule

STIG-ID|OL08-00-010150

Vuln-ID|V-248540

OL08-00-010151 - OL 8 operating systems must require authentication upon booting into rescue mode.

Rule-ID|SV-248541r779189_rule

STIG-ID|OL08-00-010151

Vuln-ID|V-248541

OL08-00-010152 - OL 8 operating systems must require authentication upon booting into emergency mode.

Rule-ID|SV-248542r779192_rule

STIG-ID|OL08-00-010152

Vuln-ID|V-248542

OL08-00-010159 - The OL 8 'pam_unix.so' module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

CCI|CCI-000803

Rule-ID|SV-248543r818608_rule

STIG-ID|OL08-00-010159

Vuln-ID|V-248543

OL08-00-010160 - The OL 8 'pam_unix.so' module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication - pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

Rule-ID|SV-248544r818611_rule

STIG-ID|OL08-00-010160

Vuln-ID|V-248544

OL08-00-010161 - OL 8 must prevent system daemons from using Kerberos for authentication.

Rule-ID|SV-248545r779201_rule

STIG-ID|OL08-00-010161

Vuln-ID|V-248545

OL08-00-010162 - The krb5-workstation package must not be installed on OL 8.

Rule-ID|SV-248546r779204_rule

STIG-ID|OL08-00-010162

Vuln-ID|V-248546

OL08-00-010163 - The krb5-server package must not be installed on OL 8.

Rule-ID|SV-248547r779207_rule

STIG-ID|OL08-00-010163

Vuln-ID|V-248547

OL08-00-010170 - OL 8 must use a Linux Security Module configured to enforce limits on system services.

CCI|CCI-001084

Rule-ID|SV-248548r779210_rule

STIG-ID|OL08-00-010170

Vuln-ID|V-248548

OL08-00-010171 - OL 8 must have the 'policycoreutils' package installed - policycoreutils package installed.

CAT|III

Rule-ID|SV-248549r779213_rule

STIG-ID|OL08-00-010171

Vuln-ID|V-248549

OL08-00-010190 - A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

CCI|CCI-001090

Rule-ID|SV-248551r779219_rule

STIG-ID|OL08-00-010190

Vuln-ID|V-248551

OL08-00-010200 - OL 8 must be configured so that all network connections associated with SSH traffic are terminate after a period of inactivity.

CCI|CCI-000879

CCI|CCI-001133

CCI|CCI-002361

Rule-ID|SV-248552r860908_rule

STIG-ID|OL08-00-010200

Vuln-ID|V-248552

OL08-00-010201 - OL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity.

Rule-ID|SV-248553r860909_rule

STIG-ID|OL08-00-010201

Vuln-ID|V-248553

OL08-00-010210 - The OL 8 '/var/log/messages' file must have mode 0640 or less permissive - /var/log/messages file must have mode 0640 or less permissive.

CCI|CCI-001314

Rule-ID|SV-248554r779228_rule

STIG-ID|OL08-00-010210

Vuln-ID|V-248554

OL08-00-010220 - The OL 8 '/var/log/messages' file must be owned by root - /var/log/messages file must be owned by root.

Rule-ID|SV-248555r779231_rule

STIG-ID|OL08-00-010220

Vuln-ID|V-248555

OL08-00-010230 - The OL 8 '/var/log/messages' file must be group-owned by root - /var/log/messages file must be group-owned by root.

Rule-ID|SV-248556r779234_rule

STIG-ID|OL08-00-010230

Vuln-ID|V-248556

OL08-00-010240 - The OL 8 '/var/log' directory must have mode 0755 or less permissive - /var/log directory must have mode 0755 or less permissive.

Rule-ID|SV-248557r779237_rule

STIG-ID|OL08-00-010240

Vuln-ID|V-248557

OL08-00-010250 - The OL 8 '/var/log' directory must be owned by root - /var/log directory must be owned by root.

Rule-ID|SV-248558r779240_rule

STIG-ID|OL08-00-010250

Vuln-ID|V-248558

OL08-00-010260 - The OL 8 '/var/log' directory must be group-owned by root - /var/log directory must be group-owned by root.

Rule-ID|SV-248559r779243_rule

STIG-ID|OL08-00-010260

Vuln-ID|V-248559

OL08-00-010287 - The OL 8 SSH daemon must be configured to use system-wide crypto policies.

Rule-ID|SV-248560r877394_rule

STIG-ID|OL08-00-010287

Vuln-ID|V-248560

OL08-00-010290 - The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms - MACs employing FIPS 140-2 validated cryptographic hash algorithms

Detections

Analytics

Revision 1.2

May 24, 2023

Functional Update