DISA Red Hat Enterprise Linux 8 STIG v1r7

Audit Details

Name: DISA Red Hat Enterprise Linux 8 STIG v1r7

Updated: 11/14/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.4

Estimated Item Count: 512

File Details

Filename: DISA_STIG_Red_Hat_Enterprise_Linux_8_v1r7.audit

Size: 1.29 MB

MD5: 6f2aec1192f4da0abd4fbc3e36f0e8e3
SHA256: fe8750ed5da07c5cdbe4a23b4f27001f50162ac83ee45a924b2c6f6e230fe3de

Audit Items

Description | Categories
DISA_STIG_Red_Hat_Enterprise_Linux_8_v1r7.audit from DISA Red Hat Enterprise Linux 8 v1r7 STIG
RHEL-08-010000 - RHEL 8 must be a vendor-supported release.

CONFIGURATION MANAGEMENT

RHEL-08-010001 - The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010010 - RHEL 8 vendor packaged system security patches and updates must be installed and up to date.

CONFIGURATION MANAGEMENT

RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - fips-mode-setup

ACCESS CONTROL

RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - grub2-editenv

ACCESS CONTROL

RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards - proc

ACCESS CONTROL

RHEL-08-010030 - All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010040 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon - /etc/issue

ACCESS CONTROL

RHEL-08-010040 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon - /etc/ssh/sshd_config

ACCESS CONTROL

RHEL-08-010049 - RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

RHEL-08-010050 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.

ACCESS CONTROL

RHEL-08-010060 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.

ACCESS CONTROL

RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - auth

ACCESS CONTROL

RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - authpriv

ACCESS CONTROL

RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - daemon

ACCESS CONTROL

RHEL-08-010090 - RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010100 - RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010110 - RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010120 - RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010121 - The RHEL 8 operating system must not have accounts configured with blank or null passwords.

CONFIGURATION MANAGEMENT

RHEL-08-010130 - The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010140 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance - UEFI must require authentication upon booting into single-user mode and maintenance

ACCESS CONTROL

RHEL-08-010141 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.

ACCESS CONTROL

RHEL-08-010149 - RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.

ACCESS CONTROL

RHEL-08-010150 - RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes - superusers

ACCESS CONTROL

RHEL-08-010151 - RHEL 8 operating systems must require authentication upon booting into rescue mode.

ACCESS CONTROL

RHEL-08-010152 - RHEL 8 operating systems must require authentication upon booting into emergency mode.

ACCESS CONTROL

RHEL-08-010159 - The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010160 - The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010161 - RHEL 8 must prevent system daemons from using Kerberos for authentication.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010162 - The krb5-workstation package must not be installed on RHEL 8.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010163 - The krb5-server package must not be installed on RHEL 8.

IDENTIFICATION AND AUTHENTICATION

RHEL-08-010170 - RHEL 8 must use a Linux Security Module configured to enforce limits on system services.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010171 - RHEL 8 must have policycoreutils package installed.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010190 - A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010201 - The RHEL 8 SSH daemon must be configured with a timeout interval.

SYSTEM AND COMMUNICATIONS PROTECTION

RHEL-08-010210 - The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010220 - The RHEL 8 /var/log/messages file must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010230 - The RHEL 8 /var/log/messages file must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010240 - The RHEL 8 /var/log directory must have mode 0755 or less permissive.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010250 - The RHEL 8 /var/log directory must be owned by root.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010260 - The RHEL 8 /var/log directory must be group-owned by root.

SYSTEM AND INFORMATION INTEGRITY

RHEL-08-010287 - The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.

ACCESS CONTROL

RHEL-08-010290 - The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms - MACs employing FIPS 140-2 validated cryptographic hash algorithms

ACCESS CONTROL

RHEL-08-010291 - The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.

ACCESS CONTROL

RHEL-08-010292 - RHEL 8 must ensure the SSH server uses strong entropy.

CONFIGURATION MANAGEMENT

RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf

ACCESS CONTROL

RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package - update-crypto-policies

ACCESS CONTROL