DISA Red Hat Enterprise Linux 8 STIG v1r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA Red Hat Enterprise Linux 8 STIG v1r1

Updated: 9/28/2021

Authority: DISA STIG

Plugin: Unix

Revision: 1.7

Estimated Item Count: 524

Audit Changelog

Revision 1.7

Sep 28, 2021

Functional Update
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.6

Sep 1, 2021

Functional Update
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - auditctl
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - auditd
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - augenrules
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - aureport
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - ausearch
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - autrace
  • RHEL-08-030650 - RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools. - rsyslogd
  • RHEL-08-040350 - If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
Miscellaneous
  • References updated.
Added
  • RHEL-08-010600 - RHEL 8 must prevent special devices on file systems that are used with removable media.
  • RHEL-08-010610 - RHEL 8 must prevent code from being executed on file systems that are used with removable media.
  • RHEL-08-010620 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • RHEL-08-010630 - RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
  • RHEL-08-010640 - RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
  • RHEL-08-010650 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
Removed
  • RHEL-08-010600 - RHEL 8 must prevent special devices on file systems that are used with removable media.
  • RHEL-08-010610 - RHEL 8 must prevent code from being executed on file systems that are used with removable media.
  • RHEL-08-010620 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • RHEL-08-010630 - RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
  • RHEL-08-010640 - RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
  • RHEL-08-010650 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
Revision 1.5

Aug 11, 2021

Functional Update
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b32 gid
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b32 uid
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b64 gid
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b64 uid
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Miscellaneous
  • References updated.
Revision 1.4

Jul 30, 2021

Functional Update
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Miscellaneous
  • Metadata updated.
  • References updated.
Revision 1.3

Jul 12, 2021

Functional Update
  • RHEL-08-030301 - Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
  • RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - install
  • RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. - install
  • RHEL-08-040023 - RHEL 8 must disable the stream control transmission (SCTP) protocol. - install
  • RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - install
  • RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. - install
  • RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. - install
Miscellaneous
  • References updated.
Revision 1.2

Jun 23, 2021

Functional Update
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - auth
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - authpriv
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - daemon
  • RHEL-08-020011 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. - deny
  • RHEL-08-020011 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020013 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - fail_interval
  • RHEL-08-020013 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020015 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020015 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - unlock_time
  • RHEL-08-020017 - RHEL 8 must ensure account lockouts persist. - dir
  • RHEL-08-020017 - RHEL 8 must ensure account lockouts persist. - pam_faillock.so
  • RHEL-08-020019 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020019 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. - silent
  • RHEL-08-020021 - RHEL 8 must log user name information when unsuccessful logon attempts occur. - audit
  • RHEL-08-020021 - RHEL 8 must log user name information when unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020023 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - even_deny_root
  • RHEL-08-020023 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020024 - RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • RHEL-08-020353 - RHEL 8 must define default permissions for logon and non-logon shells. - /etc/bashrc
  • RHEL-08-020353 - RHEL 8 must define default permissions for logon and non-logon shells. - /etc/csh.cshrc
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b32 gid
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b64 gid
  • RHEL-08-030130 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • RHEL-08-030180 - RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. - installed
  • RHEL-08-030190 - Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
  • RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call. - b32 auid=0
  • RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call. - b64 auid=0
  • RHEL-08-030210 - The RHEL 8 audit system must be configured to audit any usage of the removexattr system call. - b32 auid=0
  • RHEL-08-030210 - The RHEL 8 audit system must be configured to audit any usage of the removexattr system call. - b64 auid=0
  • RHEL-08-030220 - The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call. - b32 auid=0
  • RHEL-08-030220 - The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call. - b64 auid=0
  • RHEL-08-030230 - The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call. - b32 auid=0
  • RHEL-08-030230 - The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call. - b64 auid=0
  • RHEL-08-030240 - The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call. - b32 auid=0
  • RHEL-08-030240 - The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call. - b64 auid=0
  • RHEL-08-030250 - Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
  • RHEL-08-030260 - Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b32 auid=0
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b32 auid>=1000
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b64 auid=0
  • RHEL-08-030600 - Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
  • RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - blacklist
  • RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - install
  • RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. - blacklist
  • RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. - install
  • RHEL-08-040023 - RHEL 8 must disable the stream control transmission (SCTP) protocol. - blacklist
  • RHEL-08-040023 - RHEL 8 must disable the stream control transmission (SCTP) protocol. - install
  • RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - blacklist
  • RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - install
  • RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. - blacklist
  • RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. - install
  • RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. - blacklist
  • RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. - install
  • RHEL-08-040080 - RHEL 8 must be configured to disable USB mass storage. - blacklist
  • RHEL-08-040080 - RHEL 8 must be configured to disable USB mass storage. - install
Miscellaneous
  • Platform check updated.
  • References updated.
Added
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements - ClientAliveCountMax
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements - ClientAliveInterval
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Removed
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Revision 1.1

Jun 17, 2021

Miscellaneous
  • Metadata updated.
  • References updated.