DISA STIG with GUI for Oracle Linux 8
Rules and Groups employed by this XCCDF Profile
-
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br> <br> By default, Emergency mode is protected by...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br> <br> By default, single-user mode is ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User education and training is particularly important for s...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of th...Group -
Install the tmux Package
To enable console screen locking, install the <code>tmux</code> package. The <code>tmux</code> package can be installed with the following command: <pre> $ sudo yum install tmux</pre> A session loc...Rule Medium Severity -
Support session locking with tmux (not enforcing)
Thetmuxterminal multiplexer is used to implement automatic session locking. It should be started from/etc/bashrcor drop-in files within/etc/profile.d/.Rule Medium Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option has to be set to a value greater than 0 and less tha...Rule Medium Severity -
Configure the tmux Lock Command
To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locking mechanism. Add the following line to <code>/etc...Rule Medium Severity -
Configure the tmux lock session key binding
To set a key binding for the screen locking in <code>tmux</code> terminal multiplexer, the <code>session-lock</code> command must be bound to a key. Add the following line to <code>/etc/tmux.conf</...Rule Low Severity -
Prevent user from disabling the screen lock
Thetmuxterminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells.Rule Low Severity -
Check that vlock is installed to allow session locking
The Oracle Linux 8 operating system must have vlock installed to allow for session locking. The <code>kbd</code> package can be installed with the following command: <pre> $ sudo yum install kbd<...Rule Medium Severity -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. In Oracle Linux 8 servers, hardware token login is...Group -
Install the opensc Package For Multifactor Authentication
Theopenscpackage can be installed with the following command:$ sudo yum install opensc
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>openssl-pkcs11</code> package can be installed with ...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the <code>/etc/passwd</code> and <code>/etc/...Group -
Ensure All Accounts on the System Have Unique User IDs
Change user IDs (UIDs), or delete accounts, so each has a unique name.Rule Medium Severity -
Only Authorized Local User Accounts Exist on Operating System
Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed softw...Rule Medium Severity -
Set Account Expiration Parameters
Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after in...Group -
Set Account Expiration Following Inactivity in password-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_inactivity" use="legacy"></x...Rule Medium Severity -
Set Account Expiration Following Inactivity in system-auth
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_inactivity" use="legacy"></x...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.