DISA STIG for Oracle Linux 8
Rules and Groups employed by this XCCDF Profile
-
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password during a password change. <br> <br> Modify...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will rej...Rule Medium Severity -
Set Password Maximum Consecutive Repeating Characters
The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more th...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is consider...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_val...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be requ...Rule Medium Severity -
Ensure PAM password complexity module is enabled in password-auth
To enable PAM password complexity in password-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/password-auth</code> to show <code>password requisite ...Rule Medium Severity -
Ensure PAM password complexity module is enabled in system-auth
To enable PAM password complexity in system-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/system-auth</code> to show <code>password requisite ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>/etc/security/pwquality.conf</code> to include <code>retry=<xccdf-1.2:sub idref="xccdf_org.ssgproject.conte...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contai...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadowis SHA-512. This can be configured in several locations.Group -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or update the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" use="legacy"...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>password</code> section of the file controls which...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</code> section of the file controls which PAM modules ...Rule Medium Severity -
Set Password Hashing Rounds in /etc/login.defs
In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000</code>. For example: <pre>SHA_CRYPT_MIN_ROUNDS 50...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be considered a necessary step. However, there are some...Group -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root she...Rule Medium Severity -
Disable Ctrl-Alt-Del Burst Action
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds. <br> <br> To configure the s...Rule High Severity -
Disable Ctrl-Alt-Del Reboot Activation
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br> <br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> k...Rule High Severity -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> <br> By default, Emergency mode is protected by...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for s...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...Group -
Install the tmux Package
To enable console screen locking, install the <code>tmux</code> package. The <code>tmux</code> package can be installed with the following command: <pre> $ sudo yum install tmux</pre> A session loc...Rule Medium Severity -
Support session locking with tmux (not enforcing)
Thetmuxterminal multiplexer is used to implement automatic session locking. It should be started from/etc/bashrcor drop-in files within/etc/profile.d/.Rule Medium Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option has to be set to a value greater than 0 and less tha...Rule Medium Severity -
Configure the tmux Lock Command
To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locking mechanism. Add the following line to <code>/etc...Rule Medium Severity -
Configure the tmux lock session key binding
To set a key binding for the screen locking in <code>tmux</code> terminal multiplexer, the <code>session-lock</code> command must be bound to a key. Add the following line to <code>/etc/tmux.conf</...Rule Low Severity -
Prevent user from disabling the screen lock
Thetmuxterminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells.Rule Low Severity -
Check that vlock is installed to allow session locking
The Oracle Linux 8 operating system must have vlock installed to allow for session locking. The <code>kbd</code> package can be installed with the following command: <pre> $ sudo yum install kbd<...Rule Medium Severity -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. In Oracle Linux 8 servers, hardware token login is...Group -
Install the opensc Package For Multifactor Authentication
Theopenscpackage can be installed with the following command:$ sudo yum install opensc
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>openssl-pkcs11</code> package can be installed with ...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Only Authorized Local User Accounts Exist on Operating System
Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softw...Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity in password-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_inactivity" use="legacy"></x...Rule Medium Severity -
Set Account Expiration Following Inactivity in system-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_inactivity" use="legacy"></x...Rule Medium Severity -
Set Account Expiration Following Inactivity
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in <code>/etc/default/useradd</code>:...Rule Medium Severity -
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary accounts are required, configure the system t...Rule Medium Severity -
Set Password Expiration Parameters
The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>login</code> consult <code>/etc/login.defs</code> ...Group -
Set Password Maximum Age
To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Age
To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.con...Rule Medium Severity -
Set Password Minimum Length in login.defs
To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproj...Rule Medium Severity -
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"></xccdf-1.2:sub>-day maximum password lifeti...Rule Medium Severity -
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:$ sudo chage -m 1 USERRule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be readable only by processes running with root credent...Group -
Verify All Account Password Hashes are Shadowed with SHA512
Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.