Sep 19, 2023 Functional Update- RHEL-08-010190 - A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
- RHEL-08-010300 - RHEL 8 system commands must have mode 755 or less permissive.
- RHEL-08-010310 - RHEL 8 system commands must be owned by root.
- RHEL-08-010320 - RHEL 8 system commands must be group-owned by root or a system account.
- RHEL-08-010330 - RHEL 8 library files must have mode 755 or less permissive.
- RHEL-08-010331 - RHEL 8 library directories must have mode 755 or less permissive.
- RHEL-08-010340 - RHEL 8 library files must be owned by root.
- RHEL-08-010341 - RHEL 8 library directories must be owned by root.
- RHEL-08-010350 - RHEL 8 library files must be group-owned by root or a system account.
- RHEL-08-010351 - RHEL 8 library directories must be group-owned by root or a system account.
- RHEL-08-010460 - There must be no shosts.equiv files on the RHEL 8 operating system.
- RHEL-08-010470 - There must be no .shosts files on the RHEL 8 operating system.
- RHEL-08-010660 - Local RHEL 8 initialization files must not execute world-writable programs.
- RHEL-08-010700 - All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application user.
- RHEL-08-010710 - All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
- RHEL-08-010780 - All RHEL 8 local files and directories must have a valid owner.
- RHEL-08-010790 - All RHEL 8 local files and directories must have a valid group owner.
|
Sep 6, 2023 Miscellaneous- Audit deprecated.
- Metadata updated.
- References updated.
|
Aug 15, 2023 Functional Update- RHEL-08-020220 - RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
- RHEL-08-020221 - RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
- RHEL-08-020352 - RHEL 8 must set the umask value to 077 for all local interactive user accounts.
|
Jun 27, 2023 Miscellaneous- Metadata updated.
- Platform check updated.
|
May 24, 2023 Functional Update- RHEL-08-010161 - RHEL 8 must prevent system daemons from using Kerberos for authentication.
- RHEL-08-010600 - RHEL 8 must prevent special devices on file systems that are used with removable media.
- RHEL-08-010610 - RHEL 8 must prevent code from being executed on file systems that are used with removable media.
- RHEL-08-010620 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
- RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
- RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
- RHEL-08-030361 - Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
- RHEL-08-030420 - Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
- RHEL-08-030480 - Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
- RHEL-08-040001 - RHEL 8 must not have any automated bug reporting tools installed.
- RHEL-08-040342 - RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.
Informational Update- RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization - tmux running
- RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization - tmux shell
- RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
Added- RHEL-08-010360 - The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
Removed- RHEL-08-010360 - The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency - /usr/sbin/aide --check
- RHEL-08-010360 - The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency - grep aide /etc/crontab /var/spool/cron/root
- RHEL-08-010360 - The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency - ls -la /etc/cron.* | grep aide
|
May 19, 2023 Functional Update- RHEL-08-020220 - RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
- RHEL-08-020221 - RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations.
|
May 16, 2023 |
Apr 12, 2023 Functional Update- RHEL-08-010110 - RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
- RHEL-08-010130 - The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
- RHEL-08-010291 - The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
- RHEL-08-010571 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
- RHEL-08-010760 - All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
- RHEL-08-020190 - RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
- RHEL-08-020200 - RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
- RHEL-08-020231 - RHEL 8 passwords for new users must have a minimum of 15 characters.
- RHEL-08-020310 - RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
- RHEL-08-020351 - RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Miscellaneous- Metadata updated.
- Variables updated.
|
Mar 27, 2023 Functional Update- RHEL-08-010400 - RHEL 8 must implement certificate status checking for multifactor authentication.
- RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution - conf files
- RHEL-08-020025 - RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
- RHEL-08-020026 - RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
- RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes - conf files
- RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes - conf files
- RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access - conf files
- RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces - conf files
|
Mar 21, 2023 Functional Update- RHEL-08-040284 - RHEL 8 must disable the use of user namespaces - conf files
|
