Skip to content

DISA STIG for Red Hat Enterprise Linux 8

Rules and Groups employed by this XCCDF Profile

  • Only Authorized Local User Accounts Exist on Operating System

    Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only auth...
    Rule Medium Severity
  • Set Account Expiration Parameters

    Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to be...
    Group
  • Set Account Expiration Following Inactivity

    To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the fo...
    Rule Medium Severity
  • Assign Expiration Date to Temporary Accounts

    Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event tempo...
    Rule Medium Severity
  • Set Password Expiration Parameters

    The file <code>/etc/login.defs</code> controls several password-related settings. Programs such as <code>passwd</code>, <code>su</code>, and <code>...
    Group
  • Set Password Maximum Age

    To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_D...
    Rule Medium Severity
  • Set Password Minimum Age

    To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_D...
    Rule Medium Severity
  • Set Password Minimum Length in login.defs

    To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PA...
    Rule Medium Severity
  • Set Existing Passwords Maximum Age

    Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...
    Rule Medium Severity
  • Set Existing Passwords Minimum Age

    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>...
    Rule Medium Severity
  • Verify Proper Storage and Existence of Password Hashes

    By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...
    Group
  • Verify All Account Password Hashes are Shadowed with SHA512

    Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptograp...
    Rule Medium Severity
  • Prevent Login to Accounts With Empty Password

    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...
    Rule High Severity
  • Ensure There Are No Accounts With Blank or Null Passwords

    Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...
    Rule High Severity
  • Restrict Root Logins

    Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...
    Group
  • Verify Only Root Has UID 0

    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...
    Rule High Severity
  • Secure Session Configuration Files for Login Accounts

    When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...
    Group
  • Ensure Home Directories are Created for New Users

    All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home dir...
    Rule Medium Severity
  • Ensure the Logon Failure Delay is Set Correctly in login.defs

    To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in...
    Rule Medium Severity
  • Limit the Number of Concurrent Login Sessions Allowed Per User

    Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...
    Rule Low Severity
  • User Initialization Files Must Not Run World-Writable Programs

    Set the mode on files being executed by the user initialization files with the following command:
    $ sudo chmod o-w FILE
    Rule Medium Severity
  • Ensure that Users Path Contains Only Local Directories

    Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working dir...
    Rule Medium Severity
  • All Interactive Users Must Have A Home Directory Defined

    Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is p...
    Rule Medium Severity
  • All Interactive Users Home Directories Must Exist

    Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group

    Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner ...
    Rule Medium Severity
  • All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive

    Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...
    Rule Medium Severity
  • All Interactive User Home Directories Must Be Group-Owned By The Primary Group

    Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive...
    Rule Medium Severity
  • Ensure All User Initialization Files Have Mode 0740 Or Less Permissive

    Set the mode of the user initialization files to <code>0740</code> with the following command: <pre>$ sudo chmod 0740 /home/<i>USER</i>/.<i>INIT_FI...
    Rule Medium Severity
  • All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

    Change the mode of interactive users home directories to <code>0750</code>. To change the mode of interactive users home directory, use the followi...
    Rule Medium Severity
  • Ensure that Users Have Sensible Umask Values

    The umask setting controls the default permissions for the creation of new files. With a default <code>umask</code> setting of 077, files and direc...
    Group
  • Ensure the Default Bash Umask is Set Correctly

    To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> ...
    Rule Medium Severity
  • Ensure the Default C Shell Umask is Set Correctly

    To ensure the default umask for users of the C shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> ...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in login.defs

    To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>UMASK</code> setting in <code>/etc...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly in /etc/profile

    To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/pr...
    Rule Medium Severity
  • Ensure the Default Umask is Set Correctly For Interactive Users

    Remove the UMASK environment variable from all interactive users initialization files.
    Rule Medium Severity
  • System Accounting with auditd

    The audit service provides substantial capabilities for recording system activities. By default, the service audits about SELinux AVC denials and c...
    Group
  • Ensure the audit Subsystem is Installed

    The audit package should be installed.
    Rule Medium Severity
  • Enable auditd Service

    The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to...
    Rule Medium Severity
  • Enable Auditing for Processes Which Start Prior to the Audit Daemon

    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB...
    Rule Low Severity
  • Extend Audit Backlog Limit for the Audit Daemon

    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_l...
    Rule Low Severity
  • Configure auditd Rules for Comprehensive Auditing

    The <code>auditd</code> program can perform comprehensive monitoring of system activity. This section describes recommended configuration settings ...
    Group
  • Make the auditd Configuration Immutable

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Configure immutable Audit login UIDs

    Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special...
    Rule Medium Severity
  • Ensure auditd Collects Information on Exporting to Media (successful)

    At a minimum, the audit system should collect media exportation events for all users and root. If the <code>auditd</code> daemon is configured to u...
    Rule Medium Severity
  • Ensure auditd Collects System Administrator Actions - /etc/sudoers

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/

    At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use ...
    Rule Medium Severity
  • Record Events When Privileged Executables Are Run

    Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run t...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/group

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/gshadow

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity
  • Record Events that Modify User/Group Information - /etc/security/opasswd

    If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default),...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules