DISA Red Hat Enterprise Linux 8 STIG v1r5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Red Hat Enterprise Linux 8 STIG v1r5

Updated: 6/10/2022

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.4

Estimated Item Count: 514

Audit Items

DescriptionCategories
DISA_STIG_Red_Hat_Enterprise_Linux_8_v1r5.audit from DISA Red Hat Enterprise Linux 8 v1r5 STIG
RHEL-08-010000 - RHEL 8 must be a vendor-supported release.
RHEL-08-010001 - The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
RHEL-08-010010 - RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - fips-mode-setup
RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - grub2-editenv
RHEL-08-010020 - RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. - proc
RHEL-08-010030 - All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
RHEL-08-010040 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon - /etc/issue
RHEL-08-010040 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon - /etc/ssh/sshd_config
RHEL-08-010049 - RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
RHEL-08-010050 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
RHEL-08-010060 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - auth
RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - authpriv
RHEL-08-010070 - All RHEL 8 remote access methods must be monitored - daemon
RHEL-08-010090 - RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
RHEL-08-010100 - RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
RHEL-08-010110 - RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
RHEL-08-010120 - RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
RHEL-08-010121 - The RHEL 8 operating system must not have accounts configured with blank or null passwords.
RHEL-08-010130 - The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
RHEL-08-010140 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance - UEFI must require authentication upon booting into single-user mode and maintenance
RHEL-08-010141 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.
RHEL-08-010149 - RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.
RHEL-08-010150 - RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes - superusers
RHEL-08-010151 - RHEL 8 operating systems must require authentication upon booting into rescue mode.
RHEL-08-010152 - RHEL 8 operating systems must require authentication upon booting into emergency mode.
RHEL-08-010159 - The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
RHEL-08-010160 - The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
RHEL-08-010161 - RHEL 8 must prevent system daemons from using Kerberos for authentication.
RHEL-08-010162 - The krb5-workstation package must not be installed on RHEL 8.
RHEL-08-010163 - The krb5-server package must not be installed on RHEL 8.
RHEL-08-010170 - RHEL 8 must use a Linux Security Module configured to enforce limits on system services.
RHEL-08-010171 - RHEL 8 must have policycoreutils package installed.
RHEL-08-010190 - A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
RHEL-08-010200 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
RHEL-08-010201 - The RHEL 8 SSH daemon must be configured with a timeout interval.
RHEL-08-010210 - The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
RHEL-08-010220 - The RHEL 8 /var/log/messages file must be owned by root.
RHEL-08-010230 - The RHEL 8 /var/log/messages file must be group-owned by root.
RHEL-08-010240 - The RHEL 8 /var/log directory must have mode 0755 or less permissive.
RHEL-08-010250 - The RHEL 8 /var/log directory must be owned by root.
RHEL-08-010260 - The RHEL 8 /var/log directory must be group-owned by root.
RHEL-08-010287 - The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
RHEL-08-010290 - The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms - MACs employing FIPS 140-2 validated cryptographic hash algorithms
RHEL-08-010291 - The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.
RHEL-08-010292 - RHEL 8 must ensure the SSH server uses strong entropy.
RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package - /etc/pki/tls/openssl.cnf
RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package - update-crypto-policies