Skip to content

DISA STIG for Oracle Linux 8

Rules and Groups employed by this XCCDF Profile

  • Do Not Show System Messages When Unsuccessful Logon Attempts Occur

    This rule ensures the system prevents informative messages from being presented to the user pertaining to logon information after a number of incor...
    Rule Medium Severity
  • Set Lockout Time for Failed Password Attempts

    This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...
    Rule Medium Severity
  • Set Password Quality Requirements

    The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...
    Group
  • Set Password Quality Requirements with pam_pwquality

    The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...
    Group
  • Ensure PAM Enforces Password Requirements - Minimum Digit Characters

    The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words

    The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Different Characters

    The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters

    The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class

    The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character...
    Rule Medium Severity
  • Set Password Maximum Consecutive Repeating Characters

    The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive numb...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Different Categories

    The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Length

    The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Special Characters

    The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...
    Rule Medium Severity
  • Ensure PAM password complexity module is enabled in password-auth

    To enable PAM password complexity in password-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/password-auth</code> to show <c...
    Rule Medium Severity
  • Ensure PAM password complexity module is enabled in system-auth

    To enable PAM password complexity in system-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/system-auth</code> to show <code>...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

    To configure the number of retry prompts that are permitted per-session: Edit the <code>/etc/security/pwquality.conf</code> to include <code>retr...
    Rule Medium Severity
  • Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters

    The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...
    Rule Medium Severity
  • Set Password Hashing Algorithm

    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.
    Group
  • Set Password Hashing Algorithm in /etc/login.defs

    In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...
    Rule Medium Severity
  • Set PAM''s Password Hashing Algorithm - password-auth

    The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...
    Rule Medium Severity
  • Set PAM''s Password Hashing Algorithm

    The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the <code>password</cod...
    Rule Medium Severity
  • Set Password Hashing Rounds in /etc/login.defs

    In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000...
    Rule Medium Severity
  • Protect Physical Console Access

    It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...
    Group
  • Disable debug-shell SystemD Service

    SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...
    Rule Medium Severity
  • Disable Ctrl-Alt-Del Burst Action

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...
    Rule High Severity
  • Disable Ctrl-Alt-Del Reboot Activation

    By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system ...
    Rule High Severity
  • Require Authentication for Emergency Systemd Target

    Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br><br> B...
    Rule Medium Severity
  • Require Authentication for Single User Mode

    Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...
    Rule Medium Severity
  • Configure Screen Locking

    When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...
    Group
  • Configure Console Screen Locking

    A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the in...
    Group
  • Install the tmux Package

    To enable console screen locking, install the <code>tmux</code> package. A session lock is a temporary action taken when a user stops work and move...
    Rule Medium Severity
  • Support session locking with tmux (not enforcing)

    The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. It should be started from <code>/etc/bashrc</code> or dr...
    Rule Medium Severity
  • Configure tmux to lock session after inactivity

    To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option ha...
    Rule Medium Severity
  • Configure the tmux Lock Command

    To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locki...
    Rule Medium Severity
  • Configure the tmux lock session key binding

    To set a key binding for the screen locking in <code>tmux</code> terminal multiplexer, the <code>session-lock</code> command must be bound to a key...
    Rule Low Severity
  • Prevent user from disabling the screen lock

    The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
    Rule Low Severity
  • Check that vlock is installed to allow session locking

    The Oracle Linux 8 operating system must have vlock installed to allow for session locking. The <code>kbd</code> package can be installed with th...
    Rule Medium Severity
  • Hardware Tokens for Authentication

    The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. I...
    Group
  • Install the opensc Package For Multifactor Authentication

    The opensc package can be installed with the following command:
    $ sudo yum install opensc
    Rule Medium Severity
  • Install Smart Card Packages For Multifactor Authentication

    Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>op...
    Rule Medium Severity
  • Protect Accounts by Restricting Password-Based Login

    Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...
    Group
  • Ensure All Accounts on the System Have Unique User IDs

    Change user IDs (UIDs), or delete accounts, so each has a unique name.
    Rule Medium Severity
  • Only Authorized Local User Accounts Exist on Operating System

    Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only auth...
    Rule Medium Severity
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity in password-auth

    Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...
    Rule Medium Severity
  • Set Account Expiration Following Inactivity in system-auth

    Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_valu...
    Rule Medium Severity
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Assign Expiration Date to Emergency Accounts

    Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. In...
    Rule Medium Severity
  • Assign Expiration Date to Temporary Accounts

    Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event tempo...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules