Detections
Analytics

Revision 1.2

Jun 23, 2021
Functional Update
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - auth
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - authpriv
  • RHEL-08-010070 - All RHEL 8 remote access methods must be monitored. - daemon
  • RHEL-08-020011 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. - deny
  • RHEL-08-020011 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020013 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - fail_interval
  • RHEL-08-020013 - RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020015 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020015 - RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - unlock_time
  • RHEL-08-020017 - RHEL 8 must ensure account lockouts persist. - dir
  • RHEL-08-020017 - RHEL 8 must ensure account lockouts persist. - pam_faillock.so
  • RHEL-08-020019 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020019 - RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. - silent
  • RHEL-08-020021 - RHEL 8 must log user name information when unsuccessful logon attempts occur. - audit
  • RHEL-08-020021 - RHEL 8 must log user name information when unsuccessful logon attempts occur. - pam_faillock.so
  • RHEL-08-020023 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - even_deny_root
  • RHEL-08-020023 - RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. - pam_faillock.so
  • RHEL-08-020024 - RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
  • RHEL-08-020353 - RHEL 8 must define default permissions for logon and non-logon shells. - /etc/bashrc
  • RHEL-08-020353 - RHEL 8 must define default permissions for logon and non-logon shells. - /etc/csh.cshrc
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b32 gid
  • RHEL-08-030000 - The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software. - b64 gid
  • RHEL-08-030130 - RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
  • RHEL-08-030180 - RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. - installed
  • RHEL-08-030190 - Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
  • RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call. - b32 auid=0
  • RHEL-08-030200 - The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call. - b64 auid=0
  • RHEL-08-030210 - The RHEL 8 audit system must be configured to audit any usage of the removexattr system call. - b32 auid=0
  • RHEL-08-030210 - The RHEL 8 audit system must be configured to audit any usage of the removexattr system call. - b64 auid=0
  • RHEL-08-030220 - The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call. - b32 auid=0
  • RHEL-08-030220 - The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call. - b64 auid=0
  • RHEL-08-030230 - The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call. - b32 auid=0
  • RHEL-08-030230 - The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call. - b64 auid=0
  • RHEL-08-030240 - The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call. - b32 auid=0
  • RHEL-08-030240 - The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call. - b64 auid=0
  • RHEL-08-030250 - Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
  • RHEL-08-030260 - Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b32 auid=0
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b32 auid>=1000
  • RHEL-08-030270 - The RHEL 8 audit system must be configured to audit any usage of the setxattr system call. - b64 auid=0
  • RHEL-08-030600 - Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
  • RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - blacklist
  • RHEL-08-040021 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol. - install
  • RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. - blacklist
  • RHEL-08-040022 - RHEL 8 must disable the controller area network (CAN) protocol. - install
  • RHEL-08-040023 - RHEL 8 must disable the stream control transmission (SCTP) protocol. - blacklist
  • RHEL-08-040023 - RHEL 8 must disable the stream control transmission (SCTP) protocol. - install
  • RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - blacklist
  • RHEL-08-040024 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol. - install
  • RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. - blacklist
  • RHEL-08-040025 - RHEL 8 must disable mounting of cramfs. - install
  • RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. - blacklist
  • RHEL-08-040026 - RHEL 8 must disable IEEE 1394 (FireWire) Support. - install
  • RHEL-08-040080 - RHEL 8 must be configured to disable USB mass storage. - blacklist
  • RHEL-08-040080 - RHEL 8 must be configured to disable USB mass storage. - install
Miscellaneous
  • Platform check updated.
  • References updated.
Added
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements - ClientAliveCountMax
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements - ClientAliveInterval
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.
Removed
  • RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
  • RHEL-08-030590 - Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record.