Version: Atlas v3.10

RedHat Enterprise Linux 8 Puppet Module (rhel8stig)

ReadMe
Reference
Changelog

Description
Setup - Getting started with rhel8stig
- What rhel8stig affects
- Beginning with rhel8stig
Usage - Configuration options and additional functionality
Limitations - OS compatibility, etc.
Support - Getting module updates

Description

This Puppet module applies security hardening to Red Hat Enterprise Linux (RHEL) 8 as documented in the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). See the CHANGELOG for the history of the module to include the current supported STIG release.

The module implements each STIG finding as a separate puppet class, enabling them to be enabled or disabled individually. Puppet classes for STIG findings are named after the vulnerability ID, beginning with a lower-case "v" followed by the ID number. All findings are enforced by default but can be disabled in hiera by using the 'exclude' parameter with an array of class names.

Setup

Required modules

This modules requires 'secfacts' and 'stdlib' in order to function correctly.

What rhel8stig affects

The STIG checklist addresses MANY system components that can impact operational functionality. It is also likely that you are already using Puppet modules to maintain the system configuration. This module attempts to balance strict enforcement of the STIG while avoiding negative operational impacts and potential conflicts with other puppet resources.

Major system components that will be modified:

Packages that are required by the STIG will be installed
Packages forbidden by the STIG will be removed
Kernel parameters and modules will be updated
PAM files will be updated
SSH files will be updated
The system audit configuration will be updated
AIDE will be installed and configured
SELinux will be set to "enforcing" mode with "targeted" policy
FIPS mode will be enabled
If FIPS or SELinux changes require a reboot, the host will be rebooted at the end of the Puppet run

Beginning with rhel8stig

Add the module to an environment and assign it to nodes. It is recommended to target a few non-production systems at first to assess the impact to the systems and identify any conflicts with other puppet resources. If there are specific STIG findings that are known to cause issues, disable them in hiera. Note that disabling classes in hiera only prevents puppet from enforcing a change, but the custom facts are still collected to enable accurate reporting. See the REFERENCE for a complete list of classes to include descriptions and any optional parameters.

rhel8stig::exclude:
  - v230522  # Mount /var/tmp with 'noexec'
  - v230523  # fapolicy module must be configured to employ a deny-all, permit-by-exception policy

There are a few classes with required parameters, so the module will fail unless values are supplied. Ensure you set values for these:

# GRUB password hash (create with 'grub2-mkpasswd-pbkdf2') - This value is referenced by v230234 and v2302345
rhel8stig::v230234::grub_passwd_hash: grub.pbkdf2.sha512...<EXAMPLE_TRUNCATED>
rhel8stig::v230235::grub_passwd_hash: grub.pbkdf2.sha512...<EXAMPLE_TRUNCATED>

# Central syslog server
rhel8stig::v230479::syslog_host: <FQDN/IP>[:PORT]

By default, the v230234 and v230235 classes will use a lookup of 'rhel8stig::grub_passwd_hash' as the GRUB password hash, so you can put a single GRUB password entry in hiera as follows:

# This GRUB password hash is referenced by v230234 and v230235
rhel8stig::grub_passwd_hash: grub.pbkdf2.sha512...<EXAMPLE_TRUNCATED>

You can also use hiera interpolation to refer to other values that may be set anywhere in hiera. For example, make a single hiera key/value entry for the grub password and reference it from the STIG module:

# Site GRUB password
grub_password: <SUPER_GOOD_PASSWORD>

# Refer to the existing 'grub_password' value for the STIG classes:
rhel8stig::v230234::grub_passwd_hash "%{lookup('grub_password')}"
rhel8stig::v230235::grub_passwd_hash "%{lookup('grub_password')}"

Usage

Many of the STIG classes do not attempt to force a configuration chae. Instead, they use facts to report on the compliance status. For example, if the '/home' path is not on a separate filesystem it makes no attempt to re-partition the system. Instead the discrepancy is noted with the logged event:

SECURITY WARNING! "/home" should be on a separate file system

Review the puppet output or reports and address the 'SECURITY WARNING' messages as needed by following this general process:

Modify the build/deployment process to create separate file systems as required
Define new or update existing puppet resources for security settings like mount options, DNS, and NTP servers, etc.
Observe results of previous steps against remaining security warnings from later puppet runs
Verify reported security warnings against collected facts and resources defined in the environment, correcting as needed.
Finally, when unable to resolve findings due to operational requirements, disable the class in hiera to quiet the security warnings.

note

Many of the STIG puppet classes require data from custom facts produced by the "kgi-secfacts" module. Ensure this module is assigned to nodes to manage collection of the basic facts that support this STIG. See the Security Facts (secfacts) documentation for details.

Also, when running the Puppet agent on a node, there may be some warning message indicating that soft limits were exceeded. These can be remediated by adjusting those soft limits in the 'puppet.conf' file on each node. Example:

top_level_facts_soft_limit = 1024
number_of_facts_soft_limit = 6144

Limitations

This module works with RedHat and CentOS 8 only.

Classes

rhel8stig: Red Hat Enterprise Linux 8 Security Technical Implementation Guide :: Version 1, Release: 6 Benchmark Date: 27 Apr 2022
rhel8stig::v230221: The OS version must be currently supported
rhel8stig::v230222: Security patches and updates must be installed and up to date.
rhel8stig::v230223: The system must implement NIST FIPS-validated cryptography
rhel8stig::v230224: Require at-rest protection by using disk encryption
rhel8stig::v230225: DoD Notice and Consent Banner for local or remote access to the system via a ssh logon.
rhel8stig::v230226: DoD Notice and Consent Banner before graphical user logon.
rhel8stig::v230227: DoD Notice and Consent Banner before command line user logon
rhel8stig::v230228: Remote access methods must be monitored
rhel8stig::v230229: Validate certificates by constructing a certification path to an accepted trust anchor.
rhel8stig::v230230: Protect access to private keys that may be used for authentication.
rhel8stig::v230231: Store passwords with FIPS 140-2 cryptography
rhel8stig::v230232: All passwords must be stored using SHA-512
rhel8stig::v230233: Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
rhel8stig::v230234: Require authentication upon booting into single-user mode and maintenance (EFI)
rhel8stig::v230235: Require authentication upon booting into single-user mode and maintenance (BIOS)
rhel8stig::v230236: Require authentication upon booting into emergency or rescue modes.
rhel8stig::v230237: FIPS 140-2 approved cryptographic hashing algorithm for system authentication
rhel8stig::v230238: Do not use Kerberos authentication unless the unless the 'krb5-workstation' package is version 1.17-18 or later
rhel8stig::v230239: The system must not have the 'krb5-workstation' package unless it is version 1.17-18 or later
rhel8stig::v230240: SELinux must be active and Enforcing
rhel8stig::v230241: The policycoreutils package must be installed.
rhel8stig::v230243: The sticky bit must be set on all public directories.
rhel8stig::v230244: Set 'ClientAliveCountMax' to 0 in '/etc/ssh/sshd_config'
rhel8stig::v230245: The '/var/log/messages' file must have mode 0640 or less.
rhel8stig::v230246: The '/var/log/messages' file must be owned by root.
rhel8stig::v230247: The '/var/log/messages' file must be group-owned by root.
rhel8stig::v230248: The /var/log directory must have mode 0755 or less permissive.
rhel8stig::v230249: The /var/log directory must be owned by root.
rhel8stig::v230250: The /var/log directory must be group-owned by root.
rhel8stig::v230251: The SSH daemon must only use MACs that are FIPS 140-2 compliant.
rhel8stig::v230252: Implement DoD-approved encryption to protect the confidentiality of SSH connections.
rhel8stig::v230253: The SSH server must use strong entropy.
rhel8stig::v230254: Implement DoD-approved encryption in the OpenSSL package.
rhel8stig::v230255: The system must implement DoD-approved TLS encryption in the OpenSSL package.
rhel8stig::v230256: Implement DoD-approved TLS encryption in the GnuTLS package.
rhel8stig::v230257: System commands must have mode 0755 or less permissive.
rhel8stig::v230258: System commands must be owned by root.
rhel8stig::v230259: System commands must be group-owned by root or a system account.
rhel8stig::v230260: Library files must have mode 0755 or less permissive.
rhel8stig::v230261: Library files must be owned by root.
rhel8stig::v230262: Library files must be group-owned by root or a system account.
rhel8stig::v230263: Verify file integrity at least weekly and notify the administrator of detected change.
rhel8stig::v230264: Package repositories must use gpgcheck
rhel8stig::v230265: dnf.conf 'localpkg_gpgcheck'
rhel8stig::v230266: Prevent the loading of a new kernel for later execution.
rhel8stig::v230267: Enable kernel parameters to enforce discretionary access control on symlinks.
rhel8stig::v230268: Enable kernel parameters to enforce discretionary access control on hardlinks.
rhel8stig::v230269: Restrict access to the kernel message buffer.
rhel8stig::v230270: Prevent kernel profiling by unprivileged users.
rhel8stig::v230271: Require users to provide a password for privilege escalation.
rhel8stig::v230272: Require users to reauthenticate for privilege escalation.
rhel8stig::v230273: The system must have the multifactor authentication packages installed.
rhel8stig::v230274: Implement certificate status checking for multifactor authentication.
rhel8stig::v230275: Accept Personal Identity Verification (PIV) credentials.
rhel8stig::v230276: Implement non-executable data to protect its memory from unauthorized code execution.
rhel8stig::v230277: Clear the page allocator to prevent use-after-free attacks.
rhel8stig::v230278: Disable virtual syscalls.
rhel8stig::v230279: Clear SLUB/SLAB objects to prevent use-after-free attacks.
rhel8stig::v230280: Implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
rhel8stig::v230281: YUM must remove all software components after updated versions have been installed.
rhel8stig::v230282: Enable the SELinux targeted policy.
rhel8stig::v230283: There must be no shosts.equiv files on the RHEL 8 operating system.
rhel8stig::v230284: There must be no .shosts files on the RHEL 8 operating system.
rhel8stig::v230285: Enable the hardware random number generator entropy gatherer service.
rhel8stig::v230286: SSH public host key files must have mode 0644 or less permissive.
rhel8stig::v230287: SSH private host key files must have mode 0640 or less permissive.
rhel8stig::v230288: The SSH daemon must perform strict mode checking of home directory configuration files.
rhel8stig::v230289: The SSH daemon must not allow compression or must only allow compression after successful authentication.
rhel8stig::v230290: The SSH daemon must not allow authentication using known host’s authentication.
rhel8stig::v230291: The SSH daemon must not allow unused methods of authentication.
rhel8stig::v230292: The system must use a separate file system for /var.
rhel8stig::v230293: The system must use a separate file system for /var/log.
rhel8stig::v230294: The system must use a separate file system for the system audit data path.
rhel8stig::v230295: A separate RHEL 8 filesystem must be used for the /tmp directory.
rhel8stig::v230296: Do not permit direct logons to the root account using remote access via SSH.
rhel8stig::v230298: The rsyslog service must be running.
rhel8stig::v230299: File systems that contain user home directories but be mounted with the "nosuid" option.
rhel8stig::v230300: Prevent files with the setuid and setgid bit set from being executed on the /boot directory.
rhel8stig::v230301: Prevent special devices on non-root local partitions.
rhel8stig::v230302: File systems that contain user home directories must be mounted with the "noexec" option.
rhel8stig::v230303: Prevent special devices on file systems that are used with removable media.
rhel8stig::v230304: Prevent code from being executed on file systems that are used with removable media.
rhel8stig::v230305: File systems on removable media must be mounted with the "nosuid" option.
rhel8stig::v230306: File systems being imported via NFS must be mounted with the "noexec" option.
rhel8stig::v230307: File systems that are NFS-imported must be mounted with the "nodev" option.
rhel8stig::v230308: File systems being imported via NFS must be mounted with the "nosuid" option.
rhel8stig::v230309: Initialization files must not execute world-writable programs.
rhel8stig::v230310: Kernel core dumps are disabled unless needed.
rhel8stig::v230311: Disable storing core dumps.
rhel8stig::v230312: Disable acquiring, saving, and processing core dumps.
rhel8stig::v230313: Disable core dumps for all users.
rhel8stig::v230314: Disables storing core dumps for all users from systemd.
rhel8stig::v230315: Disable core dump backtraces.
rhel8stig::v230316: Systems using DNS require at least two name servers.
rhel8stig::v230317: User initialization file executable search paths must be confined to the user home directory
rhel8stig::v230318: World-writable directories must be owned by root, sys, bin, or an application account.
rhel8stig::v230319: World-writable directories must be group-owned by root, sys, bin, or an application group.
rhel8stig::v230320: Local interactive users must have a home directory assigned in the /etc/passwd file.
rhel8stig::v230321: Local interactive user home directories must have mode 0750 or less permissive.
rhel8stig::v230322: Local interactive user home directories must be group-owned by the home directory owner’s primary group.
rhel8stig::v230323: Local interactive user home directories defined in the /etc/passwd file must exist.
rhel8stig::v230324: Local interactive user accounts must be assigned a home directory upon creation.
rhel8stig::v230325: Local initialization files must have mode 0740 or less permissive.
rhel8stig::v230326: All local files and directories must have a valid owner.
rhel8stig::v230327: All local files and directories must have a valid group owner.
rhel8stig::v230328: A separate filesystem must be used for user home directories (such as /home or an equivalent).
rhel8stig::v230329: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
rhel8stig::v230330: Do not allow users to override SSH environment variables.
rhel8stig::v230331: Temporary user accounts must be provisioned with an expiration time of 72 hours or less.
rhel8stig::v230332: Automatically lock an account when three unsuccessful logon attempts occur.
rhel8stig::v230333: Lock an account when three unsuccessful logon attempts occur.
rhel8stig::v230334: Automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
rhel8stig::v230335: Automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
rhel8stig::v230336: Locked accounts must be manually reviewed and released by an administrator.
rhel8stig::v230337: Locked accounts must be manually reviewed and released by an administrator.
rhel8stig::v230338: Ensure account lockouts persist.
rhel8stig::v230339: Ensure account lockouts persist.
rhel8stig::v230340: Prevent system messages from being presented when three unsuccessful logon attempts occur.
rhel8stig::v230341: Prevent system messages from being presented when three unsuccessful logon attempts occur.
rhel8stig::v230342: Log user name information when unsuccessful logon attempts occur.
rhel8stig::v230343: Log user name information when unsuccessful logon attempts occur.
rhel8stig::v230344: Account lockout policy must include the root user.
rhel8stig::v230345: Account lockout policy must include the root user.
rhel8stig::v230346: Limit the number of concurrent sessions to ten for all accounts and/or account types.
rhel8stig::v230347: Require a session lock with authentication for graphical user sessions.
rhel8stig::v230348: Require a session lock with authentication for terminal sessions.
rhel8stig::v230349: Ensure session control is automatically started at shell initialization.
rhel8stig::v230350: Prevent users from disabling session control mechanisms.
rhel8stig::v230351: Initiate a session lock for all connection types using smartcard when the smartcard is removed.
rhel8stig::v230352: Automatically lock graphical user sessions after 15 minutes of inactivity.
rhel8stig::v230353: Automatically lock command line user sessions after 15 minutes of inactivity.
rhel8stig::v230354: Prevent users from overriding graphical user interface settings.
rhel8stig::v230355: Map the authenticated identity to the user or group account for PKI-based authentication.
rhel8stig::v230356: A a password complexity module must be enabled.
rhel8stig::v230357: Enforce password complexity by requiring that at least one uppercase character be used.
rhel8stig::v230358: Enforce password complexity by requiring that at least one lower-case character be used.
rhel8stig::v230359: Enforce password complexity by requiring that at least one numeric character be used.
rhel8stig::v230360: Limit the maximum number of repeating characters of the same class when passwords are changed.
rhel8stig::v230361: Require the maximum number of repeating characters be limited to three when passwords are changed.
rhel8stig::v230362: Require the change of at least four character classes when passwords are changed.
rhel8stig::v230363: Require the change of at least 8 characters when passwords are changed.
rhel8stig::v230364: Passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
rhel8stig::v230365: New accounts must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def.
rhel8stig::v230366: Account passwords must have a 60-day maximum password lifetime restriction.
rhel8stig::v230367: Account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
rhel8stig::v230368: Passwords must be prohibited from reuse for a minimum of five generations.
rhel8stig::v230369: A short summary of the purpose of this class
rhel8stig::v230370: Passwords for new users must have a minimum of 15 characters.
rhel8stig::v230371: Duplicate User IDs (UIDs) must not exist for interactive users.
rhel8stig::v230372: Implement smart card logon for multifactor authentication for access to interactive accounts.
rhel8stig::v230373: Accounts must be disabled after 35 days of inactivity.
rhel8stig::v230374: Emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.
rhel8stig::v230375: Passwords must contain at least one special character.
rhel8stig::v230376: Prohibit the use of cached authentications after one day.
rhel8stig::v230377: Prevent the use of dictionary words for passwords.
rhel8stig::v230378: Enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
rhel8stig::v230379: The system must not have unnecessary accounts.
rhel8stig::v230380: Accounts must not have blank or null passwords.
rhel8stig::v230381: Display the date and time of the last successful account logon upon logon.
rhel8stig::v230382: Display the date and time of the last successful account logon upon an SSH logon.
rhel8stig::v230383: Default permissions should limit users to only read and modify their own files.
rhel8stig::v230384: Set the umask value to 077 for all local interactive user accounts.
rhel8stig::v230385: Define default permissions for logon and non-logon shells.
rhel8stig::v230386: Audit the execution of privileged functions
rhel8stig::v230387: Cron logging must be implemented.
rhel8stig::v230388: Alert critical personnel in the event of an audit processing failure.
rhel8stig::v230389: Critical personnel must have mail aliases to be notified of an audit processing failure.
rhel8stig::v230390: Take appropriate action when an audit processing failure occurs.
rhel8stig::v230392: The audit system must take appropriate action when the audit storage volume is full.
rhel8stig::v230393: The audit system must audit local events.
rhel8stig::v230394: Label all off-loaded audit logs before sending them to the central log server.
rhel8stig::v230395: Resolve audit information before writing to disk.
rhel8stig::v230396: Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
rhel8stig::v230397: Audit logs must be owned by root to prevent unauthorized read access.
rhel8stig::v230398: Audit logs must be group-owned by root to prevent unauthorized read access.
rhel8stig::v230399: The audit log directory must be owned by root to prevent unauthorized read access.
rhel8stig::v230400: The audit log directory must be group-owned by root to prevent unauthorized read access.
rhel8stig::v230401: The audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
rhel8stig::v230402: The audit system must protect auditing rules from unauthorized change.
rhel8stig::v230403: The audit system must protect logon UIDs from unauthorized change.
rhel8stig::v230404: Audit all account actions that affect /etc/shadow.
rhel8stig::v230405: Audit all account actions that affect /etc/security/opasswd.
rhel8stig::v230406: Audit all account actions that affect /etc/passwd.
rhel8stig::v230407: Audit all account actions that affect /etc/gshadow.
rhel8stig::v230408: Audit all account actions that affect /etc/group.
rhel8stig::v230409: Audit all account actions that affect /etc/sudoers.
rhel8stig::v230410: Audit all account actions that affect /etc/sudoers.d/
rhel8stig::v230411: The audit package must be installed
rhel8stig::v230412: Audit all use of the 'su' command
rhel8stig::v230413: Audit any usage of the lremovexattr system call.
rhel8stig::v230414: Audit any usage of the removexattr system call.
rhel8stig::v230415: Audit any usage of the lsetxattr system call.
rhel8stig::v230416: Audit any usage of the fsetxattr system call.
rhel8stig::v230417: Audit any usage of the fremovexattr system call.
rhel8stig::v230418: Audit all use of the 'chage' command.
rhel8stig::v230419: Audit all use of the 'chcon' command.
rhel8stig::v230420: Audit any usage of the setxattr system call.
rhel8stig::v230421: Audit all use of the 'ssh-agent' command.
rhel8stig::v230422: Audit all use of the 'passwd' command.
rhel8stig::v230423: Audit all use of the 'mount' command.
rhel8stig::v230424: Audit all use of the 'umount' command.
rhel8stig::v230425: Audit any usage of the mount system call.
rhel8stig::v230426: Audit all use of the 'unix_update' command.
rhel8stig::v230427: Audit all use of the 'postdrop' command.
rhel8stig::v230428: Audit all use of the 'postqueue' command.
rhel8stig::v230429: Audit all use of the 'semanage' command.
rhel8stig::v230430: Audit all use of the 'setfiles' command.
rhel8stig::v230431: Audit all use of the 'userhelper' command.
rhel8stig::v230432: Audit all use of the 'setsebool' command.
rhel8stig::v230433: Audit all use of the 'unix_chkpwd' command.
rhel8stig::v230434: Audit all use of the 'ssh-keysign' command.
rhel8stig::v230435: Audit all use of the 'setfacl' command.
rhel8stig::v230436: Audit all use of the 'pam_timestamp_check' command.
rhel8stig::v230437: Audit all use of the 'newgrp' command.
rhel8stig::v230438: Audit all use of the 'init_module' command.
rhel8stig::v230439: Audit all use of the 'rename' command.
rhel8stig::v230440: Audit all use of the 'renameat' command.
rhel8stig::v230441: Audit all use of the 'rmdir' command.
rhel8stig::v230442: Audit all use of the 'unlink' command.
rhel8stig::v230443: Audit all use of the 'unlinkat' command.
rhel8stig::v230444: Audit all use of the 'gpasswd' command.
rhel8stig::v230445: Audit all use of the 'finit_module' command.
rhel8stig::v230446: Audit all use of the 'delete_module' command.
rhel8stig::v230447: Audit all use of the 'crontab' command.
rhel8stig::v230448: Audit all use of the 'chsh' command.
rhel8stig::v230449: Audit all use of the 'truncate' command.
rhel8stig::v230450: Audit all use of the 'openat' command.
rhel8stig::v230451: Audit all use of the 'open' command.
rhel8stig::v230452: Audit all use of the 'open_by_handle_at' command.
rhel8stig::v230453: Audit all use of the 'ftruncate' command.
rhel8stig::v230454: Audit all use of the 'creat' command.
rhel8stig::v230455: Audit all use of the 'chown' command.
rhel8stig::v230456: Audit all use of the 'chmod' command.
rhel8stig::v230457: Audit all use of the 'lchown' command.
rhel8stig::v230458: Audit all use of the 'fchownat' command.
rhel8stig::v230459: Audit all use of the 'fchown' command.
rhel8stig::v230460: Audit all use of the 'fchmodat' command.
rhel8stig::v230461: Audit all use of the 'fchmod' command.
rhel8stig::v230462: Audit all use of the 'sudo' command.
rhel8stig::v230463: Audit all use of the 'usermod' command.
rhel8stig::v230464: Audit all use of the 'chacl' command.
rhel8stig::v230465: Audit all use of the 'kmod' command.
rhel8stig::v230466: Audit activity of the PAM faillock module.
rhel8stig::v230467: Audit activity on the lastlog file.
rhel8stig::v230468: Enable auditing of processes that start prior to the audit daemon.
rhel8stig::v230469: Allocate an audit_backlog_limit large enough to capture processes that start prior to the audit daemon.
rhel8stig::v230470: Enable Linux audit logging for the USBGuard daemon.
rhel8stig::v230471: Permissions on audit configuration files must be 0640 or less.
rhel8stig::v230472: Audit tools must have a mode of 0755 or less permissive.
rhel8stig::v230473: Audit tools must be owned by root.
rhel8stig::v230474: Audit tools must be group-owned by root.
rhel8stig::v230475: Use cryptographic mechanisms to protect the integrity of audit tools.
rhel8stig::v230476: Allocate storage capacity for at least one week of audit records.
rhel8stig::v230477: The packages for offloading audit logs must be installed.
rhel8stig::v230478: The packages for offloading audit logs must be installed.
rhel8stig::v230479: Audit records must be off-loaded from the local system.
rhel8stig::v230480: The system should take appropriate action when the remote logging buffer is full.
rhel8stig::v230481: Encrypt the transfer of audit records off-loaded from the local system.
rhel8stig::v230482: Authenticate the remote logging server for off-loading audit logs.
rhel8stig::v230483: The system must notify the administrator when audit storage reached 75% of capacity.
rhel8stig::v230484: The system must securely synchronize the clock with an authoritative source.
rhel8stig::v230485: Disable the chrony daemon from acting as a server.
rhel8stig::v230486: Disable network management of the chrony daemon.
rhel8stig::v230487: The telnet-server package must not be installed.
rhel8stig::v230488: Automated bug reporting tools must not be installed.
rhel8stig::v230489: The system must not have the sendmail package installed.
rhel8stig::v230491: Enable mitigations against processor-based vulnerabilities.
rhel8stig::v230492: The rsh-server package must not be installed.
rhel8stig::v230493: Cover or disable the built-in or attached camera when not in use.
rhel8stig::v230494: Disable the asynchronous transfer mode (ATM) protocol.
rhel8stig::v230495: Disable the controller area network (CAN) protocol.
rhel8stig::v230496: Disable the stream control transmission (SCTP) protocol.
rhel8stig::v230497: Disable the transparent inter-process communication (TIPC) protocol.
rhel8stig::v230498: Disable mounting of cramfs.
rhel8stig::v230499: Disable IEEE 1394 (FireWire) Support.
rhel8stig::v230500: A short summary of the purpose of this class
rhel8stig::v230502: Disable the autofs service unless required.
rhel8stig::v230503: Disable USB mass storage
rhel8stig::v230504: The firewall must deny-all, allow-by-exception for allowing connections to other systems.
rhel8stig::v230505: A firewall must be installed.
rhel8stig::v230506: Wireless network adapters must be disabled.
rhel8stig::v230507: Bluetooth must be disabled.
rhel8stig::v230508: Mount /dev/shm with the nodev option.
rhel8stig::v230509: Mount /dev/shm with the nosuid option.
rhel8stig::v230510: Mount /dev/shm with the noexec option.
rhel8stig::v230511: Mount /tmp with the nodev option.
rhel8stig::v230512: Mount /tmp with the nosuid option.
rhel8stig::v230513: Mount /tmp with the noexec option.
rhel8stig::v230514: Mount /var/log with the nodev option.
rhel8stig::v230515: Mount /var/log with the nosuid option.
rhel8stig::v230516: Mount /var/log with the noexec option.
rhel8stig::v230517: Mount /var/log/audit with the nodev option.
rhel8stig::v230518: Mount /var/log/audit with the nosuid option.
rhel8stig::v230519: Mount /var/log/audit with the noexec option.
rhel8stig::v230520: Mount /var/tmp with the nodev option.
rhel8stig::v230521: Mount /var/tmp with the nosuid option.
rhel8stig::v230522: Mount /var/tmp with the noexec option.
rhel8stig::v230523: The fapolicy package must be installed.
rhel8stig::v230524: Block unauthorized peripherals before establishing a connection.
rhel8stig::v230525: Implement rate-limiting measures on network interfaces.
rhel8stig::v230526: The 'sshd' service must be enabled and active.
rhel8stig::v230527: Force a frequent session key renegotiation for SSH connections to the server.
rhel8stig::v230529: Disable the x86 Ctrl-Alt-Delete key sequence.
rhel8stig::v230530: The x86 Ctrl-Alt-Delete key sequence must be disabled if a graphical user interface is installed.
rhel8stig::v230531: The systemd Ctrl-Alt-Delete burst key sequence must be disabled.
rhel8stig::v230532: The debug-shell systemd service must be disabled.
rhel8stig::v230533: The tftp-server must not be installed.
rhel8stig::v230534: The root account must be the only account with UID 0
rhel8stig::v230535: Prevent IPv6 ICMP redirect messages from being accepted.
rhel8stig::v230536: Do not send Internet Control Message Protocol (ICMP) redirects.
rhel8stig::v230537: Do not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
rhel8stig::v230538: Do not accept IPv6 source-routed packets.
rhel8stig::v230539: Do not forward IPv6 source-routed packets by default.
rhel8stig::v230540: Do not perform packet forwarding unless the system is a router.
rhel8stig::v230541: Do not accept router advertisements on all IPv6 interfaces.
rhel8stig::v230542: Do not accept router advertisements on all IPv6 interfaces by default.
rhel8stig::v230543: Do not allow interfaces to perform ICMP redirects by default.
rhel8stig::v230544: Ignore IPv6 ICMP redirect messages.
rhel8stig::v230545: Disable access to network bpf syscall from unprivileged processes.
rhel8stig::v230546: Restrict usage of ptrace to descendant processes.
rhel8stig::v230547: Restrict exposed kernel pointer addresses access.
rhel8stig::v230548: Disable the use of user namespaces.
rhel8stig::v230549: Use reverse path filtering on all IPv4 interfaces.
rhel8stig::v230550: Prevent unrestricted mail relaying.
rhel8stig::v230551: A file integrity tool must be configured to verify extended attributes.
rhel8stig::v230552: A file integrity tool must be configured to verify Access Control Lists (ACLs).
rhel8stig::v230553: The graphical display manager must not be installed on RHEL 8 unless approved.
rhel8stig::v230554: A short summary of the purpose of this class
rhel8stig::v230555: Remote X connections for interactive users must be disabled unless documented as a mission requirement.
rhel8stig::v230556: The SSH daemon must prevent remote hosts from connecting to the proxy display.
rhel8stig::v230557: If the TFTP server is required it must be configured to operate in secure mode.
rhel8stig::v230558: The vsftpd package must not be installed.
rhel8stig::v230559: The gssproxy package must not be installed unless documented as mission essential.
rhel8stig::v230560: The iprutils package must not be installed unless documented as mission essential.
rhel8stig::v230561: The tuned package must not be installed unless documented as mission essential.
rhel8stig::v237640: The krb5-server package must not be installed.
rhel8stig::v237641: Restrict privilege elevation to authorized personnel.
rhel8stig::v237642: Privilege escalation with sudo should require the user's own password
rhel8stig::v237643: Require re-authentication when using the "sudo" command.
rhel8stig::v244519: Configure the operating system to display a banner before granting access to the system.
rhel8stig::v244521: Configure the system to have a unique name for the grub superusers account. (UEFI)
rhel8stig::v244522: Configure the system to have a unique name for the grub superusers account. (BIOS)
rhel8stig::v244523: Require authentication upon booting into emergency mode.
rhel8stig::v244524: Use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
rhel8stig::v244525: Set 'ClientAliveInterval' in '/etc/ssh/sshd_config'
rhel8stig::v244526: Configure the SSH daemon to use system-wide crypto policies
rhel8stig::v244527: Install the packages required to enabled the hardware random number generator entropy gatherer service.
rhel8stig::v244528: Configure the SSH daemon to not allow GSSAPI authentication.
rhel8stig::v244529: Use a separate file system for /var/tmp.
rhel8stig::v244530: Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.
rhel8stig::v244531: Files in user home directories must have permission mode 0750 or less
rhel8stig::v244532: Contents of user home directories must be group-owned by a group where the home directory owner is a member
rhel8stig::v244533: Include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
rhel8stig::v244534: Include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
rhel8stig::v244535: Initiate a session lock for graphical user interfaces when the screensaver is activated.
rhel8stig::v244536: Disable the user list at logon for graphical user interfaces.
rhel8stig::v244537: The tmux package must be installed
rhel8stig::v244538: Prevent users from overriding settings for graphical user interfaces.
rhel8stig::v244539: Prevent a user from overriding screensaver/lock-enabled for graphical user interfaces.
rhel8stig::v244540: Do not allow the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords.
rhel8stig::v244541: Do not allow the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords.
rhel8stig::v244542: The auditd service must be enabled and active.
rhel8stig::v244543: Notify the SA and ISSO (at a minimum) when allocated audit storage reaches 75 percent
rhel8stig::v244544: The firewalld service must be active
rhel8stig::v244545: The fapolicyd service must be enabled and active
rhel8stig::v244546: The file access policy (fapolicyd) must use a deny-all, permit-by-exception application whitelisting policy.
rhel8stig::v244547: Tthe USBGuard installed.
rhel8stig::v244548: The usbguard service must be enabled and active.
rhel8stig::v244549: Networked systems must have SSH installed.
rhel8stig::v244550: Prevent IPv4 ICMP redirect messages from being accepted.
rhel8stig::v244551: Do not forward IPv4 source-routed packets.
rhel8stig::v244552: Do not forward IPv4 source-routed packets by default.
rhel8stig::v244553: Ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
rhel8stig::v244554: enable hardening for the Berkeley Packet Filter Just-in-time compiler.
rhel8stig::v245540: Install and enable the latest McAfee ENSLTP package.
rhel8stig::v250315: Configure SELinux context type to allow the use of a non-default faillock tally directory
rhel8stig::v250316: Configure SELinux context type to allow the use of a non-default faillock tally directory
rhel8stig::v250317: Must not enable IPv4 packet forwarding unless the system is a router.
rhel8stig::v251706: operating system must not have accounts configured with blank or null passwords.
rhel8stig::v251707: Don't allow any user to make changes to software libraries
rhel8stig::v251708: library directories must be owned by root.
rhel8stig::v251709: library directories must be group-owned by root or a system account.
rhel8stig::v251710: operating system must use a file integrity tool to verify correct operation of all security functions.
rhel8stig::v251711: RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
rhel8stig::v251712: The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
rhel8stig::v251713: RHEL 8 must ensure the password complexity module is enabled in the system-auth file.
rhel8stig::v251714: RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
rhel8stig::v251715: RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
rhel8stig::v251716: RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.
rhel8stig::v251717: RHEL 8 must specify the default "include" directory for the /etc/sudoers file.
rhel8stig::v251718: The graphical display manager must not be the default target on RHEL 8 unless approved.

Defined types

rhel8stig::audit_rule: Defined type for adding RedHat STIG audit rules
rhel8stig::auditd_setting: Manage individual settings in '/etc/audit/auditd.conf'
rhel8stig::dconf_lock: Manage system wide gnome behavior through dconf setting locks
rhel8stig::dconf_setting: Manage system wide gnome behavior through dconf keyfile settings
rhel8stig::resolv_conf: A defined type to manage DNS client configuration in '/etc/resolv.conf'
rhel8stig::rsyslog_setting: Defined type for adding RedHat STIG rsyslog settings
rhel8stig::sshd_rule: Defined type for managing RedHat STIG sshd configuration
rhel8stig::sysctl_rule: Defined type for managing RedHat STIG sysctl configuration

Classes

`rhel8stig`

Red Hat Enterprise Linux 8 Security Technical Implementation Guide :: Version 1, Release: 6 Benchmark Date: 27 Apr 2022

Examples

Assigning the module will enable all controls by default.

include rhel8stig

Disable specified controls from hiera:

rhel8stig::exclude:
  - v230221
  - v230222

Parameters

The following parameters are available in the rhel8stig class:

vul_id
exclude
enforce

`vul_id`

Data type: Array

The array of STIG puppet classes to be applied. This is defined in the module hiera data and should not be changed.

`exclude`

Data type: Array

An optional array of STIG puppet classes to exclude.

Default value: []

`enforce`

Data type: Array

STIG puppet classes that are excluded can be overriden and enforced here for targeting flexibility.

Default value: []

`rhel8stig::v230221`

The OS version must be currently supported

Note Vul ID: V-230221 Rule ID: SV-230221r627750_rule STIG ID: RHEL-08-010000 Severity: CAT I Classification: Unclass

`rhel8stig::v230222`

Security patches and updates must be installed and up to date.

Note Vul ID: V-230222 Rule ID: SV-230222r627750_rule STIG ID: RHEL-08-010010 Severity: CAT II Classification: Unclass

`rhel8stig::v230223`

The system must implement NIST FIPS-validated cryptography

Note Vul ID: V-230223 Rule ID: SV-230223r627750_rule STIG ID: RHEL-08-010020 Severity: CAT I Classification: Unclass

`rhel8stig::v230224`

Require at-rest protection by using disk encryption

Note Vul ID: V-230224 Rule ID: SV-230224r627750_rule STIG ID: RHEL-08-010030 Severity: CAT II Classification: Unclass Legacy IDs:

`rhel8stig::v230225`

DoD Notice and Consent Banner for local or remote access to the system via a ssh logon.

Note Vul ID: V-230225 Rule ID: SV-230225r627750_rule STIG ID: RHEL-08-010040 Severity: CAT II Classification: Unclass Legacy IDs:

`rhel8stig::v230226`

DoD Notice and Consent Banner before graphical user logon.

Note Vul ID: V-230226 Rule ID: SV-230226r627750_rule STIG ID: RHEL-08-010050 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230227`

DoD Notice and Consent Banner before command line user logon

Note Vul ID: V-230227 Rule ID: SV-230227r627750_rule STIG ID: RHEL-08-010060 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230228`

Remote access methods must be monitored

Note Vul ID: V-230228 Rule ID: SV-230228r627750_rule STIG ID: RHEL-08-010070 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230229`

Validate certificates by constructing a certification path to an accepted trust anchor.

Note Vul ID: V-230229 Rule ID: SV-230229r627750_rule STIG ID: RHEL-08-010090 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230229 class:

cert
cert_source

`cert`

Data type: Optional[String]

The full text of the pem encoded CA certificate to deploy. Takes precedent over @cert_source

Default value: undef

`cert_source`

Data type: Optional[String]

Any valid path supported by the 'source' parameter of the puppet 'file' resource.

Default value: undef

`rhel8stig::v230230`

Protect access to private keys that may be used for authentication.

Note Vul ID: V-230230 Rule ID: SV-230230r627750_rule STIG ID: RHEL-08-010100 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230231`

Store passwords with FIPS 140-2 cryptography

Note Vul ID: V-230231 Rule ID: SV-230231r627750_rule STIG ID: RHEL-08-010110 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230232`

All passwords must be stored using SHA-512

Note Vul ID: V-230232 Rule ID: SV-230232r627750_rule STIG ID: RHEL-08-010120 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230233`

Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.

Note Vul ID: V-230233 Rule ID: SV-230233r627750_rule STIG ID: RHEL-08-010130 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230234`

Require authentication upon booting into single-user mode and maintenance (EFI)

Note Vul ID: V-230234 Rule ID: SV-230234r627750_rule STIG ID: RHEL-08-010140 Severity: CAT I Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230234 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

A GRUB password hash generated using the 'grub2-mkpasswd-pbkdf2' command.

Default value: lookup('rhel8stig::grub_passwd_hash', String, first, '')

`rhel8stig::v230235`

Require authentication upon booting into single-user mode and maintenance (BIOS)

Note Vul ID: V-230235 Rule ID: SV-230235r627750_rule STIG ID: RHEL-08-010150 Severity: CAT I Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230235 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

A GRUB password hash, created using 'grub2-mkpasswd-pbkdf2'

Default value: lookup('rhel8stig::grub_passwd_hash', String, first, '')

`rhel8stig::v230236`

Require authentication upon booting into emergency or rescue modes.

Note Vul ID: V-230236 Rule ID: SV-230236r627750_rule STIG ID: RHEL-08-010151 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230237`

FIPS 140-2 approved cryptographic hashing algorithm for system authentication

Note Vul ID: V-230237 Rule ID: SV-230237r627750_rule STIG ID: RHEL-08-010160 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230238`

Do not use Kerberos authentication unless the unless the 'krb5-workstation' package is version 1.17-18 or later

Note Vul ID: V-230238 Rule ID: SV-230238r646862_rule STIG ID: RHEL-08-010161 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230239`

The system must not have the 'krb5-workstation' package unless it is version 1.17-18 or later

Note Vul ID: V-230239 Rule ID: SV-230239r646864_rule STIG ID: RHEL-08-010162 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230240`

SELinux must be active and Enforcing

Note Vul ID: V-230240 Rule ID: SV-230240r627750_rule STIG ID: RHEL-08-010170 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230241`

The policycoreutils package must be installed.

Note Vul ID: V-230241 Rule ID: SV-230241r627750_rule STIG ID: RHEL-08-010171 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230243`

The sticky bit must be set on all public directories.

Note Vul ID: V-230243 Rule ID: SV-230243r627750_rule STIG ID: RHEL-08-010190 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230244`

Set 'ClientAliveCountMax' to 0 in '/etc/ssh/sshd_config'

Note Vul ID: V-230244 Rule ID: SV-230244r627750_rule STIG ID: RHEL-08-010200 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230245`

The '/var/log/messages' file must have mode 0640 or less.

Note Vul ID: V-230245 Rule ID: SV-230245r627750_rule STIG ID: RHEL-08-010210 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230246`

The '/var/log/messages' file must be owned by root.

Note Vul ID: V-230246 Rule ID: SV-230246r627750_rule STIG ID: RHEL-08-010220 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230247`

The '/var/log/messages' file must be group-owned by root.

Note Vul ID: V-230247 Rule ID: SV-230247r627750_rule STIG ID: RHEL-08-010230 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230248`

The /var/log directory must have mode 0755 or less permissive.

Note Vul ID: V-230248 Rule ID: SV-230248r627750_rule STIG ID: RHEL-08-010240 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230249`

#note Vul ID: V-230249 Rule ID: SV-230249r627750_rule STIG ID: RHEL-08-010250 Severity: CAT II Classification: Unclass Legacy IDs: ;

Note Rule Title: The RHEL 8 /var/log directory must be owned by root.

`rhel8stig::v230250`

The /var/log directory must be group-owned by root.

Note Vul ID: V-230250 Rule ID: SV-230250r627750_rule STIG ID: RHEL-08-010260 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230251`

The SSH daemon must only use MACs that are FIPS 140-2 compliant.

Note Vul ID: V-230251 Rule ID: SV-230251r646866_rule STIG ID: RHEL-08-010290 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230252`

Implement DoD-approved encryption to protect the confidentiality of SSH connections.

Note Vul ID: V-230252 Rule ID: SV-230252r646869_rule STIG ID: RHEL-08-010291 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230253`

The SSH server must use strong entropy.

Note Vul ID: V-230253 Rule ID: SV-230253r627750_rule STIG ID: RHEL-08-010292 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230254`

Implement DoD-approved encryption in the OpenSSL package.

Note Vul ID: V-230254 Rule ID: SV-230254r627750_rule STIG ID: RHEL-08-010293 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230255`

The system must implement DoD-approved TLS encryption in the OpenSSL package.

Note Vul ID: V-230255 Rule ID: SV-230255r627750_rule STIG ID: RHEL-08-010294 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230256`

Implement DoD-approved TLS encryption in the GnuTLS package.

Note Vul ID: V-230256 Rule ID: SV-230256r627750_rule STIG ID: RHEL-08-010295 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230257`

System commands must have mode 0755 or less permissive.

Note Vul ID: V-230257 Rule ID: SV-230257r627750_rule STIG ID: RHEL-08-010300 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230258`

System commands must be owned by root.

Note Vul ID: V-230258 Rule ID: SV-230258r627750_rule STIG ID: RHEL-08-010310 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230259`

System commands must be group-owned by root or a system account.

Note Vul ID: V-230259 Rule ID: SV-230259r627750_rule STIG ID: RHEL-08-010320 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230260`

Library files must have mode 0755 or less permissive.

Note Vul ID: V-230260 Rule ID: SV-230260r627750_rule STIG ID: RHEL-08-010330 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230261`

Library files must be owned by root.

Note Vul ID: V-230261 Rule ID: SV-230261r627750_rule STIG ID: RHEL-08-010340 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230262`

Library files must be group-owned by root or a system account.

Note Vul ID: V-230262 Rule ID: SV-230262r627750_rule STIG ID: RHEL-08-010350 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230263`

Verify file integrity at least weekly and notify the administrator of detected change.

Note Vul ID: V-230263 Rule ID: SV-230263r627750_rule STIG ID: RHEL-08-010360 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230263 class:

frequency
email

`frequency`

Data type: Enum['daily', 'weekly']

Should the AIDE cron job be run daily or weekly? (weekly)

Default value: 'weekly'

`email`

Data type: String

Email address as the notification destination

Default value: "root@${facts['fqdn']}"

`rhel8stig::v230264`

Package repositories must use gpgcheck

Note Vul ID: V-230264 Rule ID: SV-230264r627750_rule STIG ID: RHEL-08-010370 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230265`

dnf.conf 'localpkg_gpgcheck'

Note Vul ID: V-230265 Rule ID: SV-230265r627750_rule STIG ID: RHEL-08-010371 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230266`

Prevent the loading of a new kernel for later execution.

Note Vul ID: V-230266 Rule ID: SV-230266r627750_rule STIG ID: RHEL-08-010372 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230267`

Enable kernel parameters to enforce discretionary access control on symlinks.

Note Vul ID: V-230267 Rule ID: SV-230267r627750_rule STIG ID: RHEL-08-010373 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230268`

Enable kernel parameters to enforce discretionary access control on hardlinks.

Note Vul ID: V-230268 Rule ID: SV-230268r627750_rule STIG ID: RHEL-08-010374 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230269`

Restrict access to the kernel message buffer.

Note Vul ID: V-230269 Rule ID: SV-230269r627750_rule STIG ID: RHEL-08-010375 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230270`

Prevent kernel profiling by unprivileged users.

Note Vul ID: V-230270 Rule ID: SV-230270r627750_rule STIG ID: RHEL-08-010376 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230271`

Require users to provide a password for privilege escalation.

Note Vul ID: V-230271 Rule ID: SV-230271r627750_rule STIG ID: RHEL-08-010380 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230272`

Require users to reauthenticate for privilege escalation.

Note Vul ID: V-230272 Rule ID: SV-230272r627750_rule STIG ID: RHEL-08-010381 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230273`

The system must have the multifactor authentication packages installed.

Note Vul ID: V-230273 Rule ID: SV-230273r627750_rule STIG ID: RHEL-08-010390 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230274`

Implement certificate status checking for multifactor authentication.

Note Vul ID: V-230274 Rule ID: SV-230274r627750_rule STIG ID: RHEL-08-010400 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230274 class:

ocsp_dgst

`ocsp_dgst`

Data type: Enum['sha1', 'sha256', 'sha384', 'sha512']

The digest (hash function) used to create the certificate ID for sssd OCSP requests.

Default value: 'sha1'

`rhel8stig::v230275`

Accept Personal Identity Verification (PIV) credentials.

Note Vul ID: V-230275 Rule ID: SV-230275r627750_rule STIG ID: RHEL-08-010410 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230276`

Implement non-executable data to protect its memory from unauthorized code execution.

Note Vul ID: V-230276 Rule ID: SV-230276r627750_rule STIG ID: RHEL-08-010420 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230277`

Clear the page allocator to prevent use-after-free attacks.

Note Vul ID: V-230277 Rule ID: SV-230277r627750_rule STIG ID: RHEL-08-010421 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230278`

Disable virtual syscalls.

Note Vul ID: V-230278 Rule ID: SV-230278r627750_rule STIG ID: RHEL-08-010422 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230279`

Clear SLUB/SLAB objects to prevent use-after-free attacks.

Note Vul ID: V-230279 Rule ID: SV-230279r627750_rule STIG ID: RHEL-08-010423 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230280`

Implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.

Note Vul ID: V-230280 Rule ID: SV-230280r627750_rule STIG ID: RHEL-08-010430 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230281`

YUM must remove all software components after updated versions have been installed.

Note Vul ID: V-230281 Rule ID: SV-230281r627750_rule STIG ID: RHEL-08-010440 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230282`

Enable the SELinux targeted policy.

Note Vul ID: V-230282 Rule ID: SV-230282r627750_rule STIG ID: RHEL-08-010450 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230283`

There must be no shosts.equiv files on the RHEL 8 operating system.

Note Vul ID: V-230283 Rule ID: SV-230283r627750_rule STIG ID: RHEL-08-010460 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230284`

There must be no .shosts files on the RHEL 8 operating system.

Note Vul ID: V-230284 Rule ID: SV-230284r627750_rule STIG ID: RHEL-08-010470 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230285`

Enable the hardware random number generator entropy gatherer service.

Note Vul ID: V-230285 Rule ID: SV-230285r627750_rule STIG ID: RHEL-08-010471 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230286`

SSH public host key files must have mode 0644 or less permissive.

Note Vul ID: V-230286 Rule ID: SV-230286r627750_rule STIG ID: RHEL-08-010480 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230287`

SSH private host key files must have mode 0640 or less permissive.

Note Vul ID: V-230287 Rule ID: SV-230287r627750_rule STIG ID: RHEL-08-010490 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230288`

The SSH daemon must perform strict mode checking of home directory configuration files.

Note Vul ID: V-230288 Rule ID: SV-230288r627750_rule STIG ID: RHEL-08-010500 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230289`

The SSH daemon must not allow compression or must only allow compression after successful authentication.

Note Vul ID: V-230289 Rule ID: SV-230289r627750_rule STIG ID: RHEL-08-010510 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230290`

The SSH daemon must not allow authentication using known host’s authentication.

Note Vul ID: V-230290 Rule ID: SV-230290r627750_rule STIG ID: RHEL-08-010520 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230291`

The SSH daemon must not allow unused methods of authentication.

Note Vul ID: V-230291 Rule ID: SV-230291r627750_rule STIG ID: RHEL-08-010521 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230292`

The system must use a separate file system for /var.

Note Vul ID: V-230292 Rule ID: SV-230292r627750_rule STIG ID: RHEL-08-010540 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230293`

The system must use a separate file system for /var/log.

Note Vul ID: V-230293 Rule ID: SV-230293r627750_rule STIG ID: RHEL-08-010541 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230294`

The system must use a separate file system for the system audit data path.

Note Vul ID: V-230294 Rule ID: SV-230294r627750_rule STIG ID: RHEL-08-010542 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230295`

A separate RHEL 8 filesystem must be used for the /tmp directory.

Note Vul ID: V-230295 Rule ID: SV-230295r627750_rule STIG ID: RHEL-08-010543 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230296`

Do not permit direct logons to the root account using remote access via SSH.

Note Vul ID: V-230296 Rule ID: SV-230296r627750_rule STIG ID: RHEL-08-010550 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230298`

The rsyslog service must be running.

Note Vul ID: V-230298 Rule ID: SV-230298r627750_rule STIG ID: RHEL-08-010561 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230299`

File systems that contain user home directories but be mounted with the "nosuid" option.

Note Vul ID: V-230299 Rule ID: SV-230299r627750_rule STIG ID: RHEL-08-010570 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230300`

Prevent files with the setuid and setgid bit set from being executed on the /boot directory.

Note Vul ID: V-230300 Rule ID: SV-230300r627750_rule STIG ID: RHEL-08-010571 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230301`

Prevent special devices on non-root local partitions.

Note Vul ID: V-230301 Rule ID: SV-230301r627750_rule STIG ID: RHEL-08-010580 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230302`

File systems that contain user home directories must be mounted with the "noexec" option.

Note Vul ID: V-230302 Rule ID: SV-230302r627750_rule STIG ID: RHEL-08-010590 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230303`

Prevent special devices on file systems that are used with removable media.

Note Vul ID: V-230303 Rule ID: SV-230303r627750_rule STIG ID: RHEL-08-010600 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230304`

Prevent code from being executed on file systems that are used with removable media.

Note Vul ID: V-230304 Rule ID: SV-230304r627750_rule STIG ID: RHEL-08-010610 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230305`

File systems on removable media must be mounted with the "nosuid" option.

Note Vul ID: V-230305 Rule ID: SV-230305r627750_rule STIG ID: RHEL-08-010620 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230306`

File systems being imported via NFS must be mounted with the "noexec" option.

Note Vul ID: V-230306 Rule ID: SV-230306r627750_rule STIG ID: RHEL-08-010630 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230307`

File systems that are NFS-imported must be mounted with the "nodev" option.

Note Vul ID: V-230307 Rule ID: SV-230307r627750_rule STIG ID: RHEL-08-010640 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230308`

File systems being imported via NFS must be mounted with the "nosuid" option.

Note Vul ID: V-230308 Rule ID: SV-230308r627750_rule STIG ID: RHEL-08-010650 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230309`

Initialization files must not execute world-writable programs.

Note Vul ID: V-230309 Rule ID: SV-230309r627750_rule STIG ID: RHEL-08-010660 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230310`

Kernel core dumps are disabled unless needed.

Note Vul ID: V-230310 Rule ID: SV-230310r627750_rule STIG ID: RHEL-08-010670 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230311`

Disable storing core dumps.

Note Vul ID: V-230311 Rule ID: SV-230311r627750_rule STIG ID: RHEL-08-010671 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230312`

Disable acquiring, saving, and processing core dumps.

Note Vul ID: V-230312 Rule ID: SV-230312r627750_rule STIG ID: RHEL-08-010672 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230313`

Disable core dumps for all users.

Note Vul ID: V-230313 Rule ID: SV-230313r627750_rule STIG ID: RHEL-08-010673 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230314`

Disables storing core dumps for all users from systemd.

Note Vul ID: V-230314 Rule ID: SV-230314r627750_rule STIG ID: RHEL-08-010674 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230315`

Disable core dump backtraces.

Note Vul ID: V-230315 Rule ID: SV-230315r627750_rule STIG ID: RHEL-08-010675 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230316`

Systems using DNS require at least two name servers.

Note Vul ID: V-230316 Rule ID: SV-230316r627750_rule STIG ID: RHEL-08-010680 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230316 class:

nameserver
purge_nameserver

`nameserver`

Data type: Optional[Array]

An optional array of nameservers to configure in '/etc/resolv.conf'

Default value: []

`purge_nameserver`

Data type: Optional[Array]

An optional array of nameservers to be removed. Entries are ignored if they are also present in 'nameserver'

Default value: []

`rhel8stig::v230317`

User initialization file executable search paths must be confined to the user home directory

Note Vul ID: V-230317 Rule ID: SV-230317r627750_rule STIG ID: RHEL-08-010690 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230318`

World-writable directories must be owned by root, sys, bin, or an application account.

Note Vul ID: V-230318 Rule ID: SV-230318r627750_rule STIG ID: RHEL-08-010700 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230319`

World-writable directories must be group-owned by root, sys, bin, or an application group.

Note Vul ID: V-230319 Rule ID: SV-230319r627750_rule STIG ID: RHEL-08-010710 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230320`

Local interactive users must have a home directory assigned in the /etc/passwd file.

Note Vul ID: V-230320 Rule ID: SV-230320r627750_rule STIG ID: RHEL-08-010720 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230321`

Local interactive user home directories must have mode 0750 or less permissive.

Note Vul ID: V-230321 Rule ID: SV-230321r627750_rule STIG ID: RHEL-08-010730 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230322`

Local interactive user home directories must be group-owned by the home directory owner’s primary group.

Note Vul ID: V-230322 Rule ID: SV-230322r627750_rule STIG ID: RHEL-08-010740 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230323`

Local interactive user home directories defined in the /etc/passwd file must exist.

Note Vul ID: V-230323 Rule ID: SV-230323r627750_rule STIG ID: RHEL-08-010750 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230324`

Local interactive user accounts must be assigned a home directory upon creation.

Note Vul ID: V-230324 Rule ID: SV-230324r627750_rule STIG ID: RHEL-08-010760 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230325`

Local initialization files must have mode 0740 or less permissive.

Note Vul ID: V-230325 Rule ID: SV-230325r627750_rule STIG ID: RHEL-08-010770 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230326`

All local files and directories must have a valid owner.

Note Vul ID: V-230326 Rule ID: SV-230326r627750_rule STIG ID: RHEL-08-010780 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230327`

All local files and directories must have a valid group owner.

Note Vul ID: V-230327 Rule ID: SV-230327r627750_rule STIG ID: RHEL-08-010790 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230328`

A separate filesystem must be used for user home directories (such as /home or an equivalent).

Note Vul ID: V-230328 Rule ID: SV-230328r627750_rule STIG ID: RHEL-08-010800 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230329`

Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.

Note Vul ID: V-230329 Rule ID: SV-230329r627750_rule STIG ID: RHEL-08-010820 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230330`

Do not allow users to override SSH environment variables.

Note Vul ID: V-230330 Rule ID: SV-230330r646870_rule STIG ID: RHEL-08-010830 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230331`

Temporary user accounts must be provisioned with an expiration time of 72 hours or less.

Note Vul ID: V-230331 Rule ID: SV-230331r627750_rule STIG ID: RHEL-08-020000 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230331 class:

temp_accounts
days_to_expiry

`temp_accounts`

Data type: Array

An array of temporary accounts to define expiration at 3 days

Default value: []

`days_to_expiry`

Data type: Integer[1, 3]

The number of days until temporary accounts will expire

Default value: 3

`rhel8stig::v230332`

Automatically lock an account when three unsuccessful logon attempts occur.

Note Vul ID: V-230332 Rule ID: SV-230332r627750_rule STIG ID: RHEL-08-020010 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230333`

Lock an account when three unsuccessful logon attempts occur.

Note Vul ID: V-230333 Rule ID: SV-230333r627750_rule STIG ID: RHEL-08-020011 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230334`

Automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Note Vul ID: V-230334 Rule ID: SV-230334r627750_rule STIG ID: RHEL-08-020012 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230335`

Automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Note Vul ID: V-230335 Rule ID: SV-230335r627750_rule STIG ID: RHEL-08-020013 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230335 class:

fail_interval

`fail_interval`

Data type: Integer[10, 900]

Number of seconds before the timer on failed logons will reset.

Default value: 900

`rhel8stig::v230336`

Locked accounts must be manually reviewed and released by an administrator.

Note Vul ID: V-230336 Rule ID: SV-230336r627750_rule STIG ID: RHEL-08-020014 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230337`

Locked accounts must be manually reviewed and released by an administrator.

Note Vul ID: V-230337 Rule ID: SV-230337r627750_rule STIG ID: RHEL-08-020015 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230338`

Ensure account lockouts persist.

Note Vul ID: V-230338 Rule ID: SV-230338r627750_rule STIG ID: RHEL-08-020016 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230339`

fileline resource relates to v250315

Note Vul ID: V-230339 Rule ID: SV-230389r627750_rule STIG ID: RHEL-08-030030 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230340`

Prevent system messages from being presented when three unsuccessful logon attempts occur.

Note Vul ID: V-230340 Rule ID: SV-230340r627750_rule STIG ID: RHEL-08-020018 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230341`

Prevent system messages from being presented when three unsuccessful logon attempts occur.

Note Vul ID: V-230341 Rule ID: SV-230341r627750_rule STIG ID: RHEL-08-020019 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230342`

Log user name information when unsuccessful logon attempts occur.

Note Vul ID: V-230342 Rule ID: SV-230342r646872_rule STIG ID: RHEL-08-020020 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230343`

Log user name information when unsuccessful logon attempts occur.

Note Vul ID: V-230343 Rule ID: SV-230343r627750_rule STIG ID: RHEL-08-020021 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230344`

Account lockout policy must include the root user.

Note Vul ID: V-230344 Rule ID: SV-230344r646874_rule STIG ID: RHEL-08-020022 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230345`

Account lockout policy must include the root user.

Note Vul ID: V-230345 Rule ID: SV-230345r627750_rule STIG ID: RHEL-08-020023 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230346`

Limit the number of concurrent sessions to ten for all accounts and/or account types.

Note Vul ID: V-230346 Rule ID: SV-230346r627750_rule STIG ID: RHEL-08-020024 Severity: CAT III Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230346 class:

maxlogins

`maxlogins`

Data type: Integer[1, 10]

Maximum number of permitted concurrent login sessions. Will be set in '/etc/security/limits.d/99-puppet.conf'

Default value: 10

`rhel8stig::v230347`

Require a session lock with authentication for graphical user sessions.

Note Vul ID: V-230347 Rule ID: SV-230347r627750_rule STIG ID: RHEL-08-020030 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230348`

Require a session lock with authentication for terminal sessions.

Note Vul ID: V-230348 Rule ID: SV-230348r627750_rule STIG ID: RHEL-08-020040 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230349`

Ensure session control is automatically started at shell initialization.

Note Vul ID: V-230349 Rule ID: SV-230349r627750_rule STIG ID: RHEL-08-020041 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230350`

Prevent users from disabling session control mechanisms.

Note Vul ID: V-230350 Rule ID: SV-230350r627750_rule STIG ID: RHEL-08-020042 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230351`

Initiate a session lock for all connection types using smartcard when the smartcard is removed.

Note Vul ID: V-230351 Rule ID: SV-230351r627750_rule STIG ID: RHEL-08-020050 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230352`

Automatically lock graphical user sessions after 15 minutes of inactivity.

Note Vul ID: V-230352 Rule ID: SV-230352r646876_rule STIG ID: RHEL-08-020060 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230352 class:

delay

`delay`

Data type: Integer[1, 900]

Seconds of idle time until the screensaver will activate.

Default value: 900

`rhel8stig::v230353`

Automatically lock command line user sessions after 15 minutes of inactivity.

Note Vul ID: V-230353 Rule ID: SV-230353r627750_rule STIG ID: RHEL-08-020070 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230353 class:

delay

`delay`

Data type: Integer[1, 900]

Seconds of idle time until the screensaver will activate.

Default value: 900

`rhel8stig::v230354`

Prevent users from overriding graphical user interface settings.

Note Vul ID: V-230354 Rule ID: SV-230354r627750_rule STIG ID: RHEL-08-020080 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230355`

Map the authenticated identity to the user or group account for PKI-based authentication.

Note Vul ID: V-230355 Rule ID: SV-230355r627750_rule STIG ID: RHEL-08-020090 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230355 class:

domain
domain_settings

`domain`

Data type: Optional[String]

The SSSD domain name that should be configured for LDAP and smart card ID mapping

Default value: undef

`domain_settings`

Data type: Hash

Values

Default value: {}

`rhel8stig::v230356`

A a password complexity module must be enabled.

Note Vul ID: V-230356 Rule ID: SV-230356r627750_rule STIG ID: RHEL-08-020100 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230357`

Enforce password complexity by requiring that at least one uppercase character be used.

Note Vul ID: V-230357 Rule ID: SV-230357r627750_rule STIG ID: RHEL-08-020110 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230358`

Enforce password complexity by requiring that at least one lower-case character be used.

Note Vul ID: V-230358 Rule ID: SV-230358r627750_rule STIG ID: RHEL-08-020120 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230359`

Enforce password complexity by requiring that at least one numeric character be used.

Note Vul ID: V-230359 Rule ID: SV-230359r627750_rule STIG ID: RHEL-08-020130 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230360`

Limit the maximum number of repeating characters of the same class when passwords are changed.

Note Vul ID: V-230360 Rule ID: SV-230360r627750_rule STIG ID: RHEL-08-020140 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230361`

Require the maximum number of repeating characters be limited to three when passwords are changed.

Note Vul ID: V-230361 Rule ID: SV-230361r627750_rule STIG ID: RHEL-08-020150 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230362`

Require the change of at least four character classes when passwords are changed.

Note Vul ID: V-230362 Rule ID: SV-230362r627750_rule STIG ID: RHEL-08-020160 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230363`

Require the change of at least 8 characters when passwords are changed.

Note Vul ID: V-230363 Rule ID: SV-230363r627750_rule STIG ID: RHEL-08-020170 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230364`

Passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.

Note Vul ID: V-230364 Rule ID: SV-230364r627750_rule STIG ID: RHEL-08-020180 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230365`

New accounts must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def.

Note Vul ID: V-230365 Rule ID: SV-230365r627750_rule STIG ID: RHEL-08-020190 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230366`

Account passwords must have a 60-day maximum password lifetime restriction.

Note Vul ID: V-230366 Rule ID: SV-230366r646878_rule STIG ID: RHEL-08-020200 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230367`

Account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.

Note Vul ID: V-230367 Rule ID: SV-230367r627750_rule STIG ID: RHEL-08-020210 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230367 class:

password_max_age

`password_max_age`

Data type: Integer[1, 60]

Maximum number of days for password lifetime.

Default value: 60

`rhel8stig::v230368`

Passwords must be prohibited from reuse for a minimum of five generations.

Note Vul ID: V-230368 Rule ID: SV-230368r627750_rule STIG ID: RHEL-08-020220 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230368 class:

remember

`remember`

Data type: Integer[5]

The minimum number of password changes before a password may be re-used

Default value: 5

`rhel8stig::v230369`

A short summary of the purpose of this class

Note Vul ID: V-230369 Rule ID: SV-230369r627750_rule STIG ID: RHEL-08-020230 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230369 class:

minlen

`minlen`

Data type: Integer[15]

Minimum number of required characters in a password.

Default value: 15

`rhel8stig::v230370`

Passwords for new users must have a minimum of 15 characters.

Note Vul ID: V-230370 Rule ID: SV-230370r627750_rule STIG ID: RHEL-08-020231 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230370 class:

pass_min_len

`pass_min_len`

Data type: Integer[15]

The minimum number of characters required for new user passwords.

Default value: 15

`rhel8stig::v230371`

Duplicate User IDs (UIDs) must not exist for interactive users.

Note Vul ID: V-230371 Rule ID: SV-230371r627750_rule STIG ID: RHEL-08-020240 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230372`

Implement smart card logon for multifactor authentication for access to interactive accounts.

Note Vul ID: V-230372 Rule ID: SV-230372r627750_rule STIG ID: RHEL-08-020250 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230373`

Accounts must be disabled after 35 days of inactivity.

Note Vul ID: V-230373 Rule ID: SV-230373r627750_rule STIG ID: RHEL-08-020260 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230373 class:

inactive

`inactive`

Data type: Integer[0, 35]

Number of inactive days before accounts will be disabled. A value of 0 disables the account when the password expires.

Default value: 35

`rhel8stig::v230374`

Emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours.

Note Vul ID: V-230374 Rule ID: SV-230374r627750_rule STIG ID: RHEL-08-020270 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230374 class:

emergency_accounts
days_to_expiry

`emergency_accounts`

Data type: Array

An array of emergency accounts to define expiration at 3 days

Default value: []

`days_to_expiry`

Data type: Integer[1, 3]

The number of days before emergency accounts will expire

Default value: 3

`rhel8stig::v230375`

Passwords must contain at least one special character.

Note Vul ID: V-230375 Rule ID: SV-230375r627750_rule STIG ID: RHEL-08-020280 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230376`

Prohibit the use of cached authentications after one day.

Note Vul ID: V-230376 Rule ID: SV-230376r627750_rule STIG ID: RHEL-08-020290 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230377`

Prevent the use of dictionary words for passwords.

Note Vul ID: V-230377 Rule ID: SV-230377r627750_rule STIG ID: RHEL-08-020300 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230378`

Enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

Note Vul ID: V-230378 Rule ID: SV-230378r627750_rule STIG ID: RHEL-08-020310 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230378 class:

fail_delay

`fail_delay`

Data type: Integer[4]

The number of seconds to delay after a failed logon attempt.

Default value: 4

`rhel8stig::v230379`

The system must not have unnecessary accounts.

Note Vul ID: V-230379 Rule ID: SV-230379r627750_rule STIG ID: RHEL-08-020320 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230379 class:

unauthorized

`unauthorized`

Data type: Array

An array of user names known to be unauthorized.

Default value: []

`rhel8stig::v230380`

Accounts must not have blank or null passwords.

Note Vul ID: V-230380 Rule ID: SV-230380r627750_rule STIG ID: RHEL-08-020330 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230381`

Display the date and time of the last successful account logon upon logon.

Note Vul ID: V-230381 Rule ID: SV-230381r627750_rule STIG ID: RHEL-08-020340 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230382`

Display the date and time of the last successful account logon upon an SSH logon.

Note Vul ID: V-230382 Rule ID: SV-230382r627750_rule STIG ID: RHEL-08-020350 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230383`

Default permissions should limit users to only read and modify their own files.

Note Vul ID: V-230383 Rule ID: SV-230383r627750_rule STIG ID: RHEL-08-020351 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230384`

Set the umask value to 077 for all local interactive user accounts.

Note Vul ID: V-230384 Rule ID: SV-230384r627750_rule STIG ID: RHEL-08-020352 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230385`

Define default permissions for logon and non-logon shells.

Note Vul ID: V-230385 Rule ID: SV-230385r627750_rule STIG ID: RHEL-08-020353 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230386`

Audit the execution of privileged functions

Note Vul ID: V-230386 Rule ID: SV-230386r627750_rule STIG ID: RHEL-08-030000 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230387`

Cron logging must be implemented.

Note Vul ID: V-230387 Rule ID: SV-230387r627750_rule STIG ID: RHEL-08-030010 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230388`

Alert critical personnel in the event of an audit processing failure.

Note Vul ID: V-230388 Rule ID: SV-230388r627750_rule STIG ID: RHEL-08-030020 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230388 class:

action_mail_acct

`action_mail_acct`

Data type: String

Account to notify when the audit storage threshold is reached

Default value: 'root'

`rhel8stig::v230389`

Critical personnel must have mail aliases to be notified of an audit processing failure.

Note Vul ID: V-230389 Rule ID: SV-230389r627750_rule STIG ID: RHEL-08-030030 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230389 class:

address

`address`

Data type: Array

An array of email addresses who should receive email addressed to the root user.

Default value: []

`rhel8stig::v230390`

Take appropriate action when an audit processing failure occurs.

Note Vul ID: V-230390 Rule ID: SV-230390r627750_rule STIG ID: RHEL-08-030040 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230390 class:

disk_error_action

`disk_error_action`

Data type: Enum['syslog', 'single', 'halt']

System response when unable to store audit logs due to a storage issue.

Default value: 'syslog'

`rhel8stig::v230392`

The audit system must take appropriate action when the audit storage volume is full.

Note Vul ID: V-230392 Rule ID: SV-230392r627750_rule STIG ID: RHEL-08-030060 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230392 class:

disk_full_action

`disk_full_action`

Data type: Enum['syslog', 'single', 'halt']

The action to take when the audit storage volume is full

Default value: 'syslog'

`rhel8stig::v230393`

The audit system must audit local events.

Note Vul ID: V-230393 Rule ID: SV-230393r627750_rule STIG ID: RHEL-08-030061 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230394`

Label all off-loaded audit logs before sending them to the central log server.

Note Vul ID: V-230394 Rule ID: SV-230394r627750_rule STIG ID: RHEL-08-030062 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230394 class:

name_format

`name_format`

Data type: Enum['hostname', 'fqd', 'numeric']

The format to label off-loaded autdit logs

Default value: 'hostname'

`rhel8stig::v230395`

Resolve audit information before writing to disk.

Note Vul ID: V-230395 Rule ID: SV-230395r627750_rule STIG ID: RHEL-08-030063 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230396`

Audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.

Note Vul ID: V-230396 Rule ID: SV-230396r627750_rule STIG ID: RHEL-08-030070 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230397`

Audit logs must be owned by root to prevent unauthorized read access.

Note Vul ID: V-230397 Rule ID: SV-230397r627750_rule STIG ID: RHEL-08-030080 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230398`

Audit logs must be group-owned by root to prevent unauthorized read access.

Note Vul ID: V-230398 Rule ID: SV-230398r627750_rule STIG ID: RHEL-08-030090 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230399`

The audit log directory must be owned by root to prevent unauthorized read access.

Note Vul ID: V-230399 Rule ID: SV-230399r627750_rule STIG ID: RHEL-08-030100 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230400`

The audit log directory must be group-owned by root to prevent unauthorized read access.

Note Vul ID: V-230400 Rule ID: SV-230400r627750_rule STIG ID: RHEL-08-030110 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230401`

The audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.

Note Vul ID: V-230401 Rule ID: SV-230401r627750_rule STIG ID: RHEL-08-030120 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230402`

The audit system must protect auditing rules from unauthorized change.

Note Vul ID: V-230402 Rule ID: SV-230402r627750_rule STIG ID: RHEL-08-030121 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230403`

The audit system must protect logon UIDs from unauthorized change.

Note Vul ID: V-230403 Rule ID: SV-230403r627750_rule STIG ID: RHEL-08-030122 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230404`

Audit all account actions that affect /etc/shadow.

Note Vul ID: V-230404 Rule ID: SV-230404r627750_rule STIG ID: RHEL-08-030130 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230405`

Audit all account actions that affect /etc/security/opasswd.

Note Vul ID: V-230405 Rule ID: SV-230405r627750_rule STIG ID: RHEL-08-030140 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230406`

Audit all account actions that affect /etc/passwd.

Note Vul ID: V-230406 Rule ID: SV-230406r627750_rule STIG ID: RHEL-08-030150 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230407`

Audit all account actions that affect /etc/gshadow.

Note Vul ID: V-230407 Rule ID: SV-230407r627750_rule STIG ID: RHEL-08-030160 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230408`

Audit all account actions that affect /etc/group.

Note Vul ID: V-230408 Rule ID: SV-230408r627750_rule STIG ID: RHEL-08-030170 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230409`

Audit all account actions that affect /etc/sudoers.

Note Vul ID: V-230409 Rule ID: SV-230409r627750_rule STIG ID: RHEL-08-030171 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230410`

Audit all account actions that affect /etc/sudoers.d/

Note Vul ID: V-230410 Rule ID: SV-230410r627750_rule STIG ID: RHEL-08-030172 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230411`

The audit package must be installed

Note Vul ID: V-230411 Rule ID: SV-230411r646881_rule STIG ID: RHEL-08-030180 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230412`

Audit all use of the 'su' command

Note Vul ID: V-230412 Rule ID: SV-230412r627750_rule STIG ID: RHEL-08-030190 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230413`

Audit any usage of the lremovexattr system call.

Note Vul ID: V-230413 Rule ID: SV-230413r627750_rule STIG ID: RHEL-08-030200 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230413 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230414`

Audit any usage of the removexattr system call.

Note Vul ID: V-230414 Rule ID: SV-230414r627750_rule STIG ID: RHEL-08-030210 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230414 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230415`

Audit any usage of the lsetxattr system call.

Note Vul ID: V-230415 Rule ID: SV-230415r627750_rule STIG ID: RHEL-08-030220 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230415 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230416`

Audit any usage of the fsetxattr system call.

Note Vul ID: V-230416 Rule ID: SV-230416r627750_rule STIG ID: RHEL-08-030230 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230416 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230417`

Audit any usage of the fremovexattr system call.

Note Vul ID: V-230417 Rule ID: SV-230417r627750_rule STIG ID: RHEL-08-030240 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230417 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230418`

Audit all use of the 'chage' command.

Note Vul ID: V-230418 Rule ID: SV-230418r627750_rule STIG ID: RHEL-08-030250 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230419`

Audit all use of the 'chcon' command.

Note Vul ID: V-230419 Rule ID: SV-230419r627750_rule STIG ID: RHEL-08-030260 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230420`

Audit any usage of the setxattr system call.

Note Vul ID: V-230420 Rule ID: SV-230420r627750_rule STIG ID: RHEL-08-030270 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230420 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230421`

Audit all use of the 'ssh-agent' command.

Note Vul ID: V-230421 Rule ID: SV-230421r627750_rule STIG ID: RHEL-08-030280 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230422`

Audit all use of the 'passwd' command.

Note Vul ID: V-230422 Rule ID: SV-230422r627750_rule STIG ID: RHEL-08-030290 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230423`

Audit all use of the 'mount' command.

Note Vul ID: V-230423 Rule ID: SV-230423r627750_rule STIG ID: RHEL-08-030300 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230424`

Audit all use of the 'umount' command.

Note Vul ID: V-230424 Rule ID: SV-230424r627750_rule STIG ID: RHEL-08-030301 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230425`

Audit any usage of the mount system call.

Note Vul ID: V-230425 Rule ID: SV-230425r627750_rule STIG ID: RHEL-08-030302 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230426`

Audit all use of the 'unix_update' command.

Note Vul ID: V-230426 Rule ID: SV-230426r627750_rule STIG ID: RHEL-08-030310 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230427`

Audit all use of the 'postdrop' command.

Note Vul ID: V-230427 Rule ID: SV-230427r627750_rule STIG ID: RHEL-08-030311 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230428`

Audit all use of the 'postqueue' command.

Note Vul ID: V-230428 Rule ID: SV-230428r627750_rule STIG ID: RHEL-08-030312 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230429`

Audit all use of the 'semanage' command.

Note Vul ID: V-230429 Rule ID: SV-230429r627750_rule STIG ID: RHEL-08-030313 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230430`

Audit all use of the 'setfiles' command.

Note Vul ID: V-230430 Rule ID: SV-230430r627750_rule STIG ID: RHEL-08-030314 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230431`

Audit all use of the 'userhelper' command.

Note Vul ID: V-230431 Rule ID: SV-230431r627750_rule STIG ID: RHEL-08-030315 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230432`

Audit all use of the 'setsebool' command.

Note Vul ID: V-230432 Rule ID: SV-230432r627750_rule STIG ID: RHEL-08-030316 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230433`

Audit all use of the 'unix_chkpwd' command.

Note Vul ID: V-230433 Rule ID: SV-230433r627750_rule STIG ID: RHEL-08-030317 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230434`

Audit all use of the 'ssh-keysign' command.

Note Vul ID: V-230434 Rule ID: SV-230434r627750_rule STIG ID: RHEL-08-030320 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230435`

Audit all use of the 'setfacl' command.

Note Vul ID: V-230435 Rule ID: SV-230435r627750_rule STIG ID: RHEL-08-030330 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230436`

Audit all use of the 'pam_timestamp_check' command.

Note Vul ID: V-230436 Rule ID: SV-230436r627750_rule STIG ID: RHEL-08-030340 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230437`

Audit all use of the 'newgrp' command.

Note Vul ID: V-230437 Rule ID: SV-230437r627750_rule STIG ID: RHEL-08-030350 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230438`

Audit all use of the 'init_module' command.

Note Vul ID: V-230438 Rule ID: SV-230438r627750_rule STIG ID: RHEL-08-030360 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230438 class:

efficient

`efficient`

Data type: Boolean

Default value: true

`rhel8stig::v230439`

Audit all use of the 'rename' command.

Note Vul ID: V-230439 Rule ID: SV-230439r627750_rule STIG ID: RHEL-08-030361 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230439 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230440`

Audit all use of the 'renameat' command.

Note Vul ID: V-230440 Rule ID: SV-230440r627750_rule STIG ID: RHEL-08-030362 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230440 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230441`

Audit all use of the 'rmdir' command.

Note Vul ID: V-230441 Rule ID: SV-230441r627750_rule STIG ID: RHEL-08-030363 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230441 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230442`

Audit all use of the 'unlink' command.

Note Vul ID: V-230442 Rule ID: SV-230442r627750_rule STIG ID: RHEL-08-030364 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230442 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230443`

Audit all use of the 'unlinkat' command.

Note Vul ID: V-230443 Rule ID: SV-230443r627750_rule STIG ID: RHEL-08-030365 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230443 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230444`

Audit all use of the 'gpasswd' command.

Note Vul ID: V-230444 Rule ID: SV-230444r627750_rule STIG ID: RHEL-08-030370 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230445`

Audit all use of the 'finit_module' command.

Note Vul ID: V-230445 Rule ID: SV-230445r627750_rule STIG ID: RHEL-08-030380 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230445 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230446`

Audit all use of the 'delete_module' command.

Note Vul ID: V-230446 Rule ID: SV-230446r627750_rule STIG ID: RHEL-08-030390 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230446 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230447`

Audit all use of the 'crontab' command.

Note Vul ID: V-230447 Rule ID: SV-230447r627750_rule STIG ID: RHEL-08-030400 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230448`

Audit all use of the 'chsh' command.

Note Vul ID: V-230448 Rule ID: SV-230448r627750_rule STIG ID: RHEL-08-030410 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230449`

Audit all use of the 'truncate' command.

Note Vul ID: V-230449 Rule ID: SV-230449r627750_rule STIG ID: RHEL-08-030420 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230449 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230450`

Audit all use of the 'openat' command.

Note Vul ID: V-230450 Rule ID: SV-230450r627750_rule STIG ID: RHEL-08-030430 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230450 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230451`

Audit all use of the 'open' command.

Note Vul ID: V-230451 Rule ID: SV-230451r627750_rule STIG ID: RHEL-08-030440 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230451 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230452`

Audit all use of the 'open_by_handle_at' command.

Note Vul ID: V-230452 Rule ID: SV-230452r627750_rule STIG ID: RHEL-08-030450 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230452 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230453`

Audit all use of the 'ftruncate' command.

Note Vul ID: V-230453 Rule ID: SV-230453r627750_rule STIG ID: RHEL-08-030460 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230453 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230454`

Audit all use of the 'creat' command.

Note Vul ID: V-230454 Rule ID: SV-230454r627750_rule STIG ID: RHEL-08-030470 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230454 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230455`

Audit all use of the 'chown' command.

Note Vul ID: V-230455 Rule ID: SV-230455r627750_rule STIG ID: RHEL-08-030480 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230455 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230456`

Audit all use of the 'chmod' command.

Note Vul ID: V-230456 Rule ID: SV-230456r627750_rule STIG ID: RHEL-08-030490 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230456 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230457`

Audit all use of the 'lchown' command.

Note Vul ID: V-230457 Rule ID: SV-230457r627750_rule STIG ID: RHEL-08-030500 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230457 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230458`

Audit all use of the 'fchownat' command.

Note Vul ID: V-230458 Rule ID: SV-230458r627750_rule STIG ID: RHEL-08-030510 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230458 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230459`

Audit all use of the 'fchown' command.

Note Vul ID: V-230459 Rule ID: SV-230459r627750_rule STIG ID: RHEL-08-030520 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230459 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230460`

Audit all use of the 'fchmodat' command.

Note Vul ID: V-230460 Rule ID: SV-230460r627750_rule STIG ID: RHEL-08-030530 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230460 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230461`

Audit all use of the 'fchmod' command.

Note Vul ID: V-230461 Rule ID: SV-230461r627750_rule STIG ID: RHEL-08-030540 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230461 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel8stig::v230462`

Audit all use of the 'sudo' command.

Note Vul ID: V-230462 Rule ID: SV-230462r627750_rule STIG ID: RHEL-08-030550 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230463`

Audit all use of the 'usermod' command.

Note Vul ID: V-230463 Rule ID: SV-230463r627750_rule STIG ID: RHEL-08-030560 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230464`

Audit all use of the 'chacl' command.

Note Vul ID: V-230464 Rule ID: SV-230464r627750_rule STIG ID: RHEL-08-030570 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230465`

Audit all use of the 'kmod' command.

Note Vul ID: V-230465 Rule ID: SV-230465r627750_rule STIG ID: RHEL-08-030580 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230466`

Audit activity of the PAM faillock module.

Note Vul ID: V-230466 Rule ID: SV-230466r627750_rule STIG ID: RHEL-08-030590 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230467`

Audit activity on the lastlog file.

Note Vul ID: V-230467 Rule ID: SV-230467r627750_rule STIG ID: RHEL-08-030600 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230468`

Enable auditing of processes that start prior to the audit daemon.

Note Vul ID: V-230468 Rule ID: SV-230468r627750_rule STIG ID: RHEL-08-030601 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230469`

Allocate an audit_backlog_limit large enough to capture processes that start prior to the audit daemon.

Note Vul ID: V-230469 Rule ID: SV-230469r627750_rule STIG ID: RHEL-08-030602 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230470`

Enable Linux audit logging for the USBGuard daemon.

Note Vul ID: V-230470 Rule ID: SV-230470r627750_rule STIG ID: RHEL-08-030603 : CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230471`

Permissions on audit configuration files must be 0640 or less.

Note Vul ID: V-230471 Rule ID: SV-230471r627750_rule STIG ID: RHEL-08-030610 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230472`

Audit tools must have a mode of 0755 or less permissive.

Note Vul ID: V-230472 Rule ID: SV-230472r627750_rule STIG ID: RHEL-08-030620 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230473`

Audit tools must be owned by root.

Note Vul ID: V-230473 Rule ID: SV-230473r627750_rule STIG ID: RHEL-08-030630 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230474`

Audit tools must be group-owned by root.

Note Vul ID: V-230474 Rule ID: SV-230474r627750_rule STIG ID: RHEL-08-030640 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230475`

Use cryptographic mechanisms to protect the integrity of audit tools.

Note Vul ID: V-230475 Rule ID: SV-230475r627750_rule STIG ID: RHEL-08-030650 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230475 class:

aide_rule

`aide_rule`

Data type: String

An AIDE group definition or custom combination of groups

Default value: 'CONTENT_EX'

`rhel8stig::v230476`

Allocate storage capacity for at least one week of audit records.

Note Vul ID: V-230476 Rule ID: SV-230476r627750_rule STIG ID: RHEL-08-030660 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230476 class:

min_size

`min_size`

Data type: Integer

The minimum size (MB) required to store one week of audit data

Default value: 10000

`rhel8stig::v230477`

The packages for offloading audit logs must be installed.

Note Vul ID: V-230477 Rule ID: SV-230477r627750_rule STIG ID: RHEL-08-030670 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230478`

The packages for offloading audit logs must be installed.

Note Vul ID: V-230478 Rule ID: SV-230478r627750_rule STIG ID: RHEL-08-030680 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230479`

Audit records must be off-loaded from the local system.

Note Vul ID: V-230479 Rule ID: SV-230479r627750_rule STIG ID: RHEL-08-030690 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230479 class:

syslog_host

`syslog_host`

Data type: String

The hostname (or IP address) and optional port of the remote systlog server. Example: "loghost:6514"

`rhel8stig::v230480`

The system should take appropriate action when the remote logging buffer is full.

Note Vul ID: V-230480 Rule ID: SV-230480r627750_rule STIG ID: RHEL-08-030700 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230480 class:

overflow_action

`overflow_action`

Data type: Enum['syslog', 'single', 'halt']

The action to be taken when the log buffer is full

Default value: 'syslog'

`rhel8stig::v230481`

Encrypt the transfer of audit records off-loaded from the local system.

Note Vul ID: V-230481 Rule ID: SV-230481r627750_rule STIG ID: RHEL-08-030710 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230482`

Authenticate the remote logging server for off-loading audit logs.

Note Vul ID: V-230482 Rule ID: SV-230482r627750_rule STIG ID: RHEL-08-030720 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230483`

The system must notify the administrator when audit storage reached 75% of capacity.

Note Vul ID: V-230483 Rule ID: SV-230483r627750_rule STIG ID: RHEL-08-030730 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230484`

The system must securely synchronize the clock with an authoritative source.

Note Vul ID: V-230484 Rule ID: SV-230484r627750_rule STIG ID: RHEL-08-030740 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230485`

Disable the chrony daemon from acting as a server.

Note Vul ID: V-230485 Rule ID: SV-230485r627750_rule STIG ID: RHEL-08-030741 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230486`

Disable network management of the chrony daemon.

Note Vul ID: V-230486 Rule ID: SV-230486r627750_rule STIG ID: RHEL-08-030742 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230487`

The telnet-server package must not be installed.

Note Vul ID: V-230487 Rule ID: SV-230487r627750_rule STIG ID: RHEL-08-040000 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230488`

Automated bug reporting tools must not be installed.

Note Vul ID: V-230488 Rule ID: SV-230488r627750_rule STIG ID: RHEL-08-040001 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230489`

The system must not have the sendmail package installed.

Note Vul ID: V-230489 Rule ID: SV-230489r627750_rule STIG ID: RHEL-08-040002 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230491`

Enable mitigations against processor-based vulnerabilities.

Note Vul ID: V-230491 Rule ID: SV-230491r627750_rule STIG ID: RHEL-08-040004 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230492`

The rsh-server package must not be installed.

Note Vul ID: V-230492 Rule ID: SV-230492r627750_rule STIG ID: RHEL-08-040010 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230493`

Cover or disable the built-in or attached camera when not in use.

Note Vul ID: V-230493 Rule ID: SV-230493r627750_rule STIG ID: RHEL-08-040020 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230494`

Disable the asynchronous transfer mode (ATM) protocol.

Note Vul ID: V-230494 Rule ID: SV-230494r627750_rule STIG ID: RHEL-08-040021 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230495`

Disable the controller area network (CAN) protocol.

Note Vul ID: V-230495 Rule ID: SV-230495r627750_rule STIG ID: RHEL-08-040022 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230496`

Disable the stream control transmission (SCTP) protocol.

Note Vul ID: V-230496 Rule ID: SV-230496r627750_rule STIG ID: RHEL-08-040023 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230497`

Disable the transparent inter-process communication (TIPC) protocol.

Note Vul ID: V-230497 Rule ID: SV-230497r627750_rule STIG ID: RHEL-08-040024 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230498`

Disable mounting of cramfs.

Note Vul ID: V-230498 Rule ID: SV-230498r627750_rule STIG ID: RHEL-08-040025 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230499`

Disable IEEE 1394 (FireWire) Support.

Note Vul ID: V-230499 Rule ID: SV-230499r627750_rule STIG ID: RHEL-08-040026 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230500`

A short summary of the purpose of this class

Note Vul ID: V-230500 Rule ID: SV-230500r627750_rule STIG ID: RHEL-08-040030 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230502`

Disable the autofs service unless required.

Note Vul ID: V-230502 Rule ID: SV-230502r627750_rule STIG ID: RHEL-08-040070 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230503`

Disable USB mass storage

Note Vul ID: V-230503 Rule ID: SV-230503r627750_rule STIG ID: RHEL-08-040080 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230504`

The firewall must deny-all, allow-by-exception for allowing connections to other systems.

Note Vul ID: V-230504 Rule ID: SV-230504r627750_rule STIG ID: RHEL-08-040090 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230505`

A firewall must be installed.

Note Vul ID: V-230505 Rule ID: SV-230505r627750_rule STIG ID: RHEL-08-040100 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230506`

Wireless network adapters must be disabled.

Note Vul ID: V-230506 Rule ID: SV-230506r627750_rule STIG ID: RHEL-08-040110 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230507`

Bluetooth must be disabled.

Note Vul ID: V-230507 Rule ID: SV-230507r627750_rule STIG ID: RHEL-08-040111 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230508`

Mount /dev/shm with the nodev option.

Note Vul ID: V-230508 Rule ID: SV-230508r627750_rule STIG ID: RHEL-08-040120 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230509`

Mount /dev/shm with the nosuid option.

Note Vul ID: V-230509 Rule ID: SV-230509r627750_rule STIG ID: RHEL-08-040121 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230510`

Mount /dev/shm with the noexec option.

Note Vul ID: V-230510 Rule ID: SV-230510r627750_rule STIG ID: RHEL-08-040122 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230511`

Mount /tmp with the nodev option.

Note Vul ID: V-230511 Rule ID: SV-230511r627750_rule STIG ID: RHEL-08-040123 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230512`

Mount /tmp with the nosuid option.

Note Vul ID: V-230512 Rule ID: SV-230512r627750_rule STIG ID: RHEL-08-040124 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230513`

Mount /tmp with the noexec option.

Note Vul ID: V-230513 Rule ID: SV-230513r627750_rule STIG ID: RHEL-08-040125 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230514`

Mount /var/log with the nodev option.

Note Vul ID: V-230514 Rule ID: SV-230514r627750_rule STIG ID: RHEL-08-040126 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230515`

Mount /var/log with the nosuid option.

Note Vul ID: V-230515 Rule ID: SV-230515r627750_rule STIG ID: RHEL-08-040127 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230516`

Mount /var/log with the noexec option.

Note Vul ID: V-230516 Rule ID: SV-230516r627750_rule STIG ID: RHEL-08-040128 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230517`

Mount /var/log/audit with the nodev option.

Note Vul ID: V-230517 Rule ID: SV-230517r627750_rule STIG ID: RHEL-08-040129 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230518`

Mount /var/log/audit with the nosuid option.

Note Vul ID: V-230518 Rule ID: SV-230518r627750_rule STIG ID: RHEL-08-040130 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230519`

Mount /var/log/audit with the noexec option.

Note Vul ID: V-230519 Rule ID: SV-230519r627750_rule STIG ID: RHEL-08-040131 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230520`

Mount /var/tmp with the nodev option.

Note Vul ID: V-230520 Rule ID: SV-230520r627750_rule STIG ID: RHEL-08-040132 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230521`

Mount /var/tmp with the nosuid option.

Note Vul ID: V-230521 Rule ID: SV-230521r627750_rule STIG ID: RHEL-08-040133 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230522`

Mount /var/tmp with the noexec option.

Note Vul ID: V-230522 Rule ID: SV-230522r627750_rule STIG ID: RHEL-08-040134 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230523`

The fapolicy package must be installed.

Note Vul ID: V-230523 Rule ID: SV-230523r627750_rule STIG ID: RHEL-08-040135 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230524`

Block unauthorized peripherals before establishing a connection.

Note Vul ID: V-230524 Rule ID: SV-230524r627750_rule STIG ID: RHEL-08-040140 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230525`

Implement rate-limiting measures on network interfaces.

Note Vul ID: V-230525 Rule ID: SV-230525r627750_rule STIG ID: RHEL-08-040150 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230526`

The 'sshd' service must be enabled and active.

Note Vul ID: V-230526 Rule ID: SV-230526r627750_rule STIG ID: RHEL-08-040160 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230527`

Force a frequent session key renegotiation for SSH connections to the server.

Note Vul ID: V-230527 Rule ID: SV-230527r627750_rule STIG ID: RHEL-08-040161 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230529`

Disable the x86 Ctrl-Alt-Delete key sequence.

Note Vul ID: V-230529 Rule ID: SV-230529r627750_rule STIG ID: RHEL-08-040170 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230530`

The x86 Ctrl-Alt-Delete key sequence must be disabled if a graphical user interface is installed.

Note Vul ID: V-230530 Rule ID: SV-230530r646883_rule STIG ID: RHEL-08-040171 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230531`

The systemd Ctrl-Alt-Delete burst key sequence must be disabled.

Note Vul ID: V-230531 Rule ID: SV-230531r627750_rule STIG ID: RHEL-08-040172 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230532`

The debug-shell systemd service must be disabled.

Note Vul ID: V-230532 Rule ID: SV-230532r627750_rule STIG ID: RHEL-08-040180 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230533`

The tftp-server must not be installed.

Note Vul ID: V-230533 Rule ID: SV-230533r627750_rule STIG ID: RHEL-08-040190 Severity: CAT I Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230533 class:

authorized

`authorized`

Data type: Boolean

When true, the 'tftp-server' package will not be removed

Default value: false

`rhel8stig::v230534`

The root account must be the only account with UID 0

Note Vul ID: V-230534 Rule ID: SV-230534r627750_rule STIG ID: RHEL-08-040200 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v230535`

Prevent IPv6 ICMP redirect messages from being accepted.

Note Vul ID: V-230535 Rule ID: SV-230535r627750_rule STIG ID: RHEL-08-040210 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230536`

Do not send Internet Control Message Protocol (ICMP) redirects.

Note Vul ID: V-230536 Rule ID: SV-230536r627750_rule STIG ID: RHEL-08-040220 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230537`

Do not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

Note Vul ID: V-230537 Rule ID: SV-230537r627750_rule STIG ID: RHEL-08-040230 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230538`

Do not accept IPv6 source-routed packets.

Note Vul ID: V-230538 Rule ID: SV-230538r627750_rule STIG ID: RHEL-08-040240 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230539`

Do not forward IPv6 source-routed packets by default.

Note Vul ID: V-230539 Rule ID: SV-230539r627750_rule STIG ID: RHEL-08-040250 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230540`

Do not perform packet forwarding unless the system is a router.

Note Vul ID: V-230540 Rule ID: SV-230540r627750_rule STIG ID: RHEL-08-040260 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230541`

Do not accept router advertisements on all IPv6 interfaces.

Note Vul ID: V-230541 Rule ID: SV-230541r627750_rule STIG ID: RHEL-08-040261 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230542`

Do not accept router advertisements on all IPv6 interfaces by default.

Note Vul ID: V-230542 Rule ID: SV-230542r627750_rule STIG ID: RHEL-08-040262 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230543`

Do not allow interfaces to perform ICMP redirects by default.

Note Vul ID: V-230543 Rule ID: SV-230543r627750_rule STIG ID: RHEL-08-040270 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230544`

Ignore IPv6 ICMP redirect messages.

Note Vul ID: V-230544 Rule ID: SV-230544r627750_rule STIG ID: RHEL-08-040280 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230545`

Disable access to network bpf syscall from unprivileged processes.

Note Vul ID: V-230545 Rule ID: SV-230545r627750_rule STIG ID: RHEL-08-040281 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230546`

Restrict usage of ptrace to descendant processes.

Note Vul ID: V-230546 Rule ID: SV-230546r627750_rule STIG ID: RHEL-08-040282 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230547`

Restrict exposed kernel pointer addresses access.

Note Vul ID: V-230547 Rule ID: SV-230547r627750_rule STIG ID: RHEL-08-040283 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230548`

Disable the use of user namespaces.

Note Vul ID: V-230548 Rule ID: SV-230548r627750_rule STIG ID: RHEL-08-040284 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230549`

Use reverse path filtering on all IPv4 interfaces.

Note Vul ID: V-230549 Rule ID: SV-230549r627750_rule STIG ID: RHEL-08-040285 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230550`

Prevent unrestricted mail relaying.

Note Vul ID: V-230550 Rule ID: SV-230550r627750_rule STIG ID: RHEL-08-040290 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230551`

A file integrity tool must be configured to verify extended attributes.

Note Vul ID: V-230551 Rule ID: SV-230551r627750_rule STIG ID: RHEL-08-040300 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230552`

A file integrity tool must be configured to verify Access Control Lists (ACLs).

Note Vul ID: V-230552 Rule ID: SV-230552r627750_rule STIG ID: RHEL-08-040310 Severity: CAT III Classification: Unclass Legacy IDs: ;

`rhel8stig::v230553`

The graphical display manager must not be installed on RHEL 8 unless approved.

Note Vul ID: V-230553 Rule ID: SV-230553r646886_rule STIG ID: RHEL-08-040320 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230553 class:

authorized

`authorized`

Data type: Boolean

When true, the 'xorg-x11-server-common' will remain installed and the systemd default target will not be modifed.

Default value: false

`rhel8stig::v230554`

A short summary of the purpose of this class

Note Vul ID: V-230554 Rule ID: SV-230554r627750_rule STIG ID: RHEL-08-040330 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230555`

Remote X connections for interactive users must be disabled unless documented as a mission requirement.

Note Vul ID: V-230555 Rule ID: SV-230555r627750_rule STIG ID: RHEL-08-040340 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230556`

The SSH daemon must prevent remote hosts from connecting to the proxy display.

Note Vul ID: V-230556 Rule ID: SV-230556r627750_rule STIG ID: RHEL-08-040341 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v230557`

If the TFTP server is required it must be configured to operate in secure mode.

Note Vul ID: V-230557 Rule ID: SV-230557r627750_rule STIG ID: RHEL-08-040350 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230557 class:

tftpdir

`tftpdir`

Data type: String

The root directory to be shared by the tftp server

Default value: '/var/lib/tftpboot'

`rhel8stig::v230558`

The vsftpd package must not be installed.

Note Vul ID: V-230558 Rule ID: SV-230558r627750_rule STIG ID: RHEL-08-040360 Severity: CAT I Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230558 class:

authorized

`authorized`

Data type: Boolean

When true, the 'vsftpd' package will not be removed

Default value: false

`rhel8stig::v230559`

The gssproxy package must not be installed unless documented as mission essential.

Note Vul ID: V-230559 Rule ID: SV-230559r646887_rule STIG ID: RHEL-08-040370 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230559 class:

authorized

`authorized`

Data type: Boolean

When true, the 'gssproxy' will remain installed.

Default value: false

`rhel8stig::v230560`

The iprutils package must not be installed unless documented as mission essential.

Note Vul ID: V-230560 Rule ID: SV-230560r627750_rule STIG ID: RHEL-08-040380 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230560 class:

authorized

`authorized`

Data type: Boolean

When true, the 'iprutils' will remain installed.

Default value: false

`rhel8stig::v230561`

The tuned package must not be installed unless documented as mission essential.

Note Vul ID: V-230561 Rule ID: SV-230561r627750_rule STIG ID: RHEL-08-040390 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v230561 class:

authorized

`authorized`

Data type: Boolean

When true, the 'tuned' will remain installed.

Default value: false

`rhel8stig::v237640`

The krb5-server package must not be installed.

Note Vul ID: V-237640 Rule ID: SV-237640r646890_rule STIG ID: RHEL-08-010163 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v237641`

Restrict privilege elevation to authorized personnel.

Note Vul ID: V-237641 Rule ID: SV-237641r646893_rule STIG ID: RHEL-08-010382 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v237642`

Privilege escalation with sudo should require the user's own password

Note Vul ID: V-237642 Rule ID: SV-237642r646896_rule STIG ID: RHEL-08-010383 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v237643`

Require re-authentication when using the "sudo" command.

Note Vul ID: V-237643 Rule ID: SV-237643r646899_rule STIG ID: RHEL-08-010384 Severity: CAT II Classification: Unclass Legacy IDs: ;

Parameters

The following parameters are available in the rhel8stig::v237643 class:

timestamp_timeout

`timestamp_timeout`

Data type: Integer[1, 99]

Time in minutes before sudo will require re-authentication

Default value: 5

`rhel8stig::v244519`

Configure the operating system to display a banner before granting access to the system.

Note Vul ID: V-244519 Rule ID: SV-244519r743806_rule STIG ID: RHEL-08-010049 Severity: CAT II Classification: Unclass

`rhel8stig::v244521`

Configure the system to have a unique name for the grub superusers account. (UEFI)

Note Vul ID: V-244521 Rule ID: SV-244521r743812_rule STIG ID: RHEL-08-010141 Severity: CAT II Classification: Unclass

Parameters

The following parameters are available in the rhel8stig::v244521 class:

grub_superusers

`grub_superusers`

Data type: String

The login name to set for use with GRUB authentication.

Default value: 'admin'

`rhel8stig::v244522`

Configure the system to have a unique name for the grub superusers account. (BIOS)

Note Vul ID: V-244522 Rule ID: SV-244522r743815_rule STIG ID: RHEL-08-010149 Severity: CAT II Classification: Unclass

Parameters

The following parameters are available in the rhel8stig::v244522 class:

grub_superusers

`grub_superusers`

Data type: String

The login name to set for use with GRUB authentication.

Default value: 'admin'

`rhel8stig::v244523`

Require authentication upon booting into emergency mode.

Note Vul ID: V-244523 Rule ID: SV-244523r743818_rule STIG ID: RHEL-08-010152 Severity: CAT II Classification: Unclass

`rhel8stig::v244524`

Use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.

Note Vul ID: V-244524 Rule ID: SV-244524r743821_rule STIG ID: RHEL-08-010159 Severity: CAT II Classification: Unclass

`rhel8stig::v244525`

Set 'ClientAliveInterval' in '/etc/ssh/sshd_config'

Note Vul ID: V-244525 Rule ID: SV-244525r743824_rule STIG ID: RHEL-08-010201 Severity: CAT II Classification: Unclass

Parameters

The following parameters are available in the rhel8stig::v244525 class:

client_alive_interval

`client_alive_interval`

Data type: Integer[1, 600]

Number of seconds before idle SSH sessions are terminated.

Default value: 600

`rhel8stig::v244526`

Configure the SSH daemon to use system-wide crypto policies

Note Vul ID: V-244526 Rule ID: SV-244526r743827_rule STIG ID: RHEL-08-010287 Severity: CAT II Classification: Unclass

`rhel8stig::v244527`

Install the packages required to enabled the hardware random number generator entropy gatherer service.

Note Vul ID: V-244527 Rule ID: SV-244527r743830_rule STIG ID: RHEL-08-010472 Severity: CAT III Classification: Unclass

`rhel8stig::v244528`

Configure the SSH daemon to not allow GSSAPI authentication.

Note Vul ID: V-244528 Rule ID: SV-244528r743833_rule STIG ID: RHEL-08-010522 Severity: CAT II Classification: Unclass

`rhel8stig::v244529`

Use a separate file system for /var/tmp.

Note Vul ID: V-244529 Rule ID: SV-244529r743836_rule STIG ID: RHEL-08-010544 Severity: CAT II Classification: Unclass

`rhel8stig::v244530`

Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.

Note Vul ID: V-244530 Rule ID: SV-244530r743839_rule STIG ID: RHEL-08-010572 Severity: CAT II Classification: Unclass

`rhel8stig::v244531`

Files in user home directories must have permission mode 0750 or less

Note Vul ID: V-244531 Rule ID: SV-244531r743842_rule STIG ID: RHEL-08-010731 Severity: CAT II Classification: Unclass

`rhel8stig::v244532`

Contents of user home directories must be group-owned by a group where the home directory owner is a member

Note Vul ID: V-244532 Rule ID: SV-244532r743845_rule STIG ID: RHEL-08-010741 Severity: CAT II Classification: Unclass

`rhel8stig::v244533`

Include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.

Note Vul ID: V-244533 Rule ID: SV-244533r743848_rule STIG ID: RHEL-08-020025 Severity: CAT II Classification: Unclass

`rhel8stig::v244534`

Include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Note Vul ID: V-244534 Rule ID: SV-244534r743851_rule STIG ID: RHEL-08-020026 Severity: CAT II Classification: Unclass

`rhel8stig::v244535`

Initiate a session lock for graphical user interfaces when the screensaver is activated.

Note Vul ID: V-244535 Rule ID: SV-244535r743854_rule STIG ID: RHEL-08-020031 Severity: CAT II Classification: Unclass

Parameters

The following parameters are available in the rhel8stig::v244535 class:

delay

`delay`

Data type: Integer[1, 5]

Minutes until the GNOME screen lock will activate (5)

Default value: 5

`rhel8stig::v244536`

Disable the user list at logon for graphical user interfaces.

Note Vul ID: V-244536 Rule ID: SV-244536r743857_rule STIG ID: RHEL-08-020032 Severity: CAT II Classification: Unclass

`rhel8stig::v244537`

The tmux package must be installed

Note Vul ID: V-244537 Rule ID: SV-244537r743860_rule STIG ID: RHEL-08-020039 Severity: CAT II Classification: Unclass

`rhel8stig::v244538`

Prevent users from overriding settings for graphical user interfaces.

Note Vul ID: V-244538 Rule ID: SV-244538r743863_rule STIG ID: RHEL-08-020081 Severity: CAT II Classification: Unclass

`rhel8stig::v244539`

Prevent a user from overriding screensaver/lock-enabled for graphical user interfaces.

Note Vul ID: V-244539 Rule ID: SV-244539r743866_rule STIG ID: RHEL-08-020082 Severity: CAT II Classification: Unclass

`rhel8stig::v244540`

Do not allow the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords.

Note Vul ID: V-244540 Rule ID: SV-244540r743869_rule STIG ID: RHEL-08-020331 Severity: CAT I Classification: Unclass

`rhel8stig::v244541`

Do not allow the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords.

Note Vul ID: V-244541 Rule ID: SV-244541r743872_rule STIG ID: RHEL-08-020332 Severity: CAT I Classification: Unclass

`rhel8stig::v244542`

The auditd service must be enabled and active.

Note Vul ID: V-244542 Rule ID: SV-244542r743875_rule STIG ID: RHEL-08-030181 Severity: CAT II Classification: Unclass

`rhel8stig::v244543`

Notify the SA and ISSO (at a minimum) when allocated audit storage reaches 75 percent

Note Vul ID: V-244543 Rule ID: SV-244543r743878_rule STIG ID: RHEL-08-030731 Severity: CAT II Classification: Unclass

`rhel8stig::v244544`

The firewalld service must be active

Note Vul ID: V-244544 Rule ID: SV-244544r743881_rule STIG ID: RHEL-08-040101 Severity: CAT II Classification: Unclass

`rhel8stig::v244545`

The fapolicyd service must be enabled and active

Note Vul ID: V-244545 Rule ID: SV-244545r743884_rule STIG ID: RHEL-08-040136 Severity: CAT II Classification: Unclass

`rhel8stig::v244546`

The file access policy (fapolicyd) must use a deny-all, permit-by-exception application whitelisting policy.

Note Vul ID: V-244546 Rule ID: SV-244546r743887_rule STIG ID: RHEL-08-040137 Severity: CAT II Classification: Unclass

`rhel8stig::v244547`

Tthe USBGuard installed.

Note Vul ID: V-244547 Rule ID: SV-244547r743890_rule STIG ID: RHEL-08-040139 Severity: CAT II Classification: Unclass

`rhel8stig::v244548`

The usbguard service must be enabled and active.

Note Vul ID: V-244548 Rule ID: SV-244548r743893_rule STIG ID: RHEL-08-040141 Severity: CAT II Classification: Unclass

`rhel8stig::v244549`

Networked systems must have SSH installed.

Note Vul ID: V-244549 Rule ID: SV-244549r743896_rule STIG ID: RHEL-08-040159 Severity: CAT II Classification: Unclass

`rhel8stig::v244550`

Prevent IPv4 ICMP redirect messages from being accepted.

Note Vul ID: V-244550 Rule ID: SV-244550r743899_rule STIG ID: RHEL-08-040209 Severity: CAT II Classification: Unclass

`rhel8stig::v244551`

Do not forward IPv4 source-routed packets.

Note Vul ID: V-244551 Rule ID: SV-244551r743902_rule STIG ID: RHEL-08-040239 Severity: CAT II Classification: Unclass

`rhel8stig::v244552`

Do not forward IPv4 source-routed packets by default.

Note Vul ID: V-244552 Rule ID: SV-244552r743905_rule STIG ID: RHEL-08-040249 Severity: CAT II Classification: Unclass

`rhel8stig::v244553`

Ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.

Note Vul ID: V-244553 Rule ID: SV-244553r743908_rule STIG ID: RHEL-08-040279 Severity: CAT II Classification: Unclass

`rhel8stig::v244554`

enable hardening for the Berkeley Packet Filter Just-in-time compiler.

Note Vul ID: V-244554 Rule ID: SV-244554r743911_rule STIG ID: RHEL-08-040286 Severity: CAT II Classification: Unclass

`rhel8stig::v245540`

Install and enable the latest McAfee ENSLTP package.

Note Vul ID: V-245540 Rule ID: SV-245540r754730_rule STIG ID: RHEL-08-010001 Severity: CAT II Classification: Unclass

`rhel8stig::v250315`

fileline resource relates to v230339

Note Vul ID: V-250315 Rule ID: SV-250315r793009_rule STIG ID: RHEL-08-020027 Severity: CAT II Classification: Unclass

`rhel8stig::v250316`

Configure SELinux context type to allow the use of a non-default faillock tally directory

Note Vul ID: V-250315 Rule ID: SV-250316r793010_rule STIG ID: RHEL-08-020028 Severity: CAT II Classification: Unclass

`rhel8stig::v250317`

Must not enable IPv4 packet forwarding unless the system is a router.

Note Vul ID: V-250317 Rule ID: SV-250317r793008_rule STIG ID: RHEL-08-040259 Severity: CAT II Classification: Unclass

`rhel8stig::v251706`

operating system must not have accounts configured with blank or null passwords.

Note Vul ID: V-251706 Rule ID: SV-251706r809342_rule STIG ID: RHEL-08-010121 Severity: CAT I Classification: Unclass Legacy IDs: ;

`rhel8stig::v251707`

Don't allow any user to make changes to software libraries

Note Vul ID: V-251707 Rule ID: SV-251707r809345_rule STIG ID: RHEL-08-010331 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel8stig::v251708`

library directories must be owned by root.

Note Vul ID: V-251708 Rule ID: SV-251708r810012_rule STIG ID: RHEL-08-010341 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251708

`rhel8stig::v251709`

library directories must be group-owned by root or a system account.

Note Vul ID: V-251709 Rule ID: SV-251709r810014_rule STIG ID: RHEL-08-010351 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251709

`rhel8stig::v251710`

operating system must use a file integrity tool to verify correct operation of all security functions.

Note Vul ID: V-251710 Rule ID: SV-251710r809354_rule STIG ID: RHEL-08-010359 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251710

`rhel8stig::v251711`

RHEL 8 must specify the default "include" directory for the /etc/sudoers file.

Note Vul ID: V-251711 Rule ID: SV-251711r810015_rule STIG ID: RHEL-08-010379 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251711

`rhel8stig::v251712`

The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.

Note Vul ID: V-251712 Rule ID: SV-251712r810017_rule STIG ID: RHEL-08-010385 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251712

`rhel8stig::v251713`

RHEL 8 must ensure the password complexity module is enabled in the system-auth file.

Note Vul ID: V-251713 Rule ID: SV-251713r810407_rule STIG ID: RHEL-08-020101 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251713

`rhel8stig::v251714`

RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.

Note Vul ID: V-251714 Rule ID: SV-251714r810410_rule STIG ID: RHEL-08-020102 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251714

`rhel8stig::v251715`

RHEL 8 must specify the default "include" directory for the /etc/sudoers file.

Note Vul ID: V-251715 Rule ID: SV-251715r810412_rule STIG ID: RHEL-08-020103 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251715

`rhel8stig::v251716`

RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.

Note Vul ID: V-251716 Rule ID: SV-251716r809372_rule STIG ID: RHEL-08-020104 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251716

`rhel8stig::v251717`

RHEL 8 must specify the default "include" directory for the /etc/sudoers file.

Note Vul ID: V-251717 Rule ID: SV-251717r810415_rule STIG ID: RHEL-08-020221 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251717

Parameters

The following parameters are available in the rhel8stig::v251717 class:

remember

`remember`

Data type: Integer[5]

Default value: 5

`rhel8stig::v251718`

The graphical display manager must not be the default target on RHEL 8 unless approved.

Note Vul ID: V-251718 Rule ID: SV-251718r809378_rule STIG ID: RHEL-08-040321 Severity: CAT II Classification: Unclass Legacy IDs: ;

Examples

include rhel8stig::v251718

Defined types

`rhel8stig::audit_rule`

Defined type for adding RedHat STIG audit rules

Examples

rhel8stig::audit_rule { 'rule_xyz':
  rule => '-a always,exit -F path=/usr/local/bin/myapp -F auid>=1000 -F auid!=unset -k myapp',
}

Parameters

The following parameters are available in the rhel8stig::audit_rule defined type:

rule
ensure

`rule`

Data type: String

The full text of the audit rule to be added to file: '/etc/audit/rules.d/20-puppet-stig.rules'.

`ensure`

Data type: Enum['present','absent']

Control whether the specified rule will be added or removed.

Default value: 'present'

`rhel8stig::auditd_setting`

Manage individual settings in '/etc/audit/auditd.conf'

Parameters

The following parameters are available in the rhel8stig::auditd_setting defined type:

setting
value

`setting`

Data type: String

The name of the setting to manage.

`value`

Data type: String

The value of the setting being managed.

`rhel8stig::dconf_lock`

Manage system wide gnome behavior through dconf setting locks

Parameters

The following parameters are available in the rhel8stig::dconf_lock defined type:

ensure
profile
file
setting

`ensure`

Data type: Enum['present', 'absent']

Control whether the the setting will be added (locked) or removed (unlocked)

Default value: 'present'

`profile`

Data type: String

The name of a defined 'system-db' dconf profile that corresponds to a directory under '/etc/dconf/db', where system-level keyfiles for the profile are stored.

`file`

Data type: String

The target file for the assigned setting

`setting`

Data type: String

The name of the setting to manage

`rhel8stig::dconf_setting`

Manage system wide gnome behavior through dconf keyfile settings

Parameters

The following parameters are available in the rhel8stig::dconf_setting defined type:

ensure
profile
file
section
setting
value

`ensure`

Data type: Enum['present', 'absent']

Control whether the the setting will be added or removed

Default value: 'present'

`profile`

Data type: String

The name of a defined 'system-db' dconf profile that corresponds to a directory under '/etc/dconf/db', where system-level keyfiles for the profile are stored.

`file`

Data type: String

The target file for the assigned setting

`section`

Data type: String

The keyfile section where the setting is defined

`setting`

Data type: String

The name of the setting to manage

`value`

Data type: String

The value to assign to a setting

`rhel8stig::resolv_conf`

A defined type to manage DNS client configuration in '/etc/resolv.conf'

Note Using this defined type will manage the '/etc/resolv.conf' file and also make it immutable so it will not be updated by other utilities such as NetworkManager.

Examples

rhel8stig::resolv_conf { 'DNS primary':
  keyword => 'nameserver',
  value   => '10.0.0.1',
}

Parameters

The following parameters are available in the rhel8stig::resolv_conf defined type:

keyword
value
ensure

`keyword`

Data type: String

The keyword to be used for the managed entry

`value`

Data type: String

The value assigned to the keyword for the managed entry

`ensure`

Data type: Enum['present', 'absent']

Whether the keyword/value combination will be added or removed from '/etc/resolv.conf'

Default value: 'present'

`rhel8stig::rsyslog_setting`

Defined type for adding RedHat STIG rsyslog settings

Examples

rhel8stig::audit_rule { 'rule_xyz':
  setting => '-a always,exit -F path=/usr/local/bin/myapp -F auid>=1000 -F auid!=unset -k myapp',
}

Parameters

The following parameters are available in the rhel8stig::rsyslog_setting defined type:

setting
ensure

`setting`

Data type: String

The complete text of the rsyslog setting to be added to file: '/etc/rsyslog.d/20-puppet.conf'.

`ensure`

Data type: Enum['present','absent']

Control whether the specified rule will be added or removed.

Default value: 'present'

`rhel8stig::sshd_rule`

Defined type for managing RedHat STIG sshd configuration

Examples

rhel8stig::sshd_rule { 'finding name':
  keyword  => 'UsePAM',
  argument => 'yes',
}

Parameters

The following parameters are available in the rhel8stig::sshd_rule defined type:

key
value
ensure

`key`

Data type: String

The "sshd_config" keyword being managed

`value`

Data type: String

The "sshd_config" argument to the given keyword

`ensure`

Data type: Enum['present', 'absent']

Default value: 'present'

`rhel8stig::sysctl_rule`

Defined type for managing RedHat STIG sysctl configuration

Examples

rhel8stig::sysctl_rule { 'some_name':
  key   => 'kernel.randomize_va_space',
  value => '2',
}

Parameters

The following parameters are available in the rhel8stig::sysctl_rule defined type:

key
value

`key`

Data type: String

The kernel parameter to manage

`value`

Data type: String

The value to assign to the kernel parameter key

Table of Contents
Description
Setup
Usage
Limitations
Table of Contents
- Classes
- Defined types
Classes
- rhel8stig
- rhel8stig::v230221
- rhel8stig::v230222
- rhel8stig::v230223
- rhel8stig::v230224
- rhel8stig::v230225
- rhel8stig::v230226
- rhel8stig::v230227
- rhel8stig::v230228
- rhel8stig::v230229
- rhel8stig::v230230
- rhel8stig::v230231
- rhel8stig::v230232
- rhel8stig::v230233
- rhel8stig::v230234
- rhel8stig::v230235
- rhel8stig::v230236
- rhel8stig::v230237
- rhel8stig::v230238
- rhel8stig::v230239
- rhel8stig::v230240
- rhel8stig::v230241
- rhel8stig::v230243
- rhel8stig::v230244
- rhel8stig::v230245
- rhel8stig::v230246
- rhel8stig::v230247
- rhel8stig::v230248
- rhel8stig::v230249
- rhel8stig::v230250
- rhel8stig::v230251
- rhel8stig::v230252
- rhel8stig::v230253
- rhel8stig::v230254
- rhel8stig::v230255
- rhel8stig::v230256
- rhel8stig::v230257
- rhel8stig::v230258
- rhel8stig::v230259
- rhel8stig::v230260
- rhel8stig::v230261
- rhel8stig::v230262
- rhel8stig::v230263
- rhel8stig::v230264
- rhel8stig::v230265
- rhel8stig::v230266
- rhel8stig::v230267
- rhel8stig::v230268
- rhel8stig::v230269
- rhel8stig::v230270
- rhel8stig::v230271
- rhel8stig::v230272
- rhel8stig::v230273
- rhel8stig::v230274
- rhel8stig::v230275
- rhel8stig::v230276
- rhel8stig::v230277
- rhel8stig::v230278
- rhel8stig::v230279
- rhel8stig::v230280
- rhel8stig::v230281
- rhel8stig::v230282
- rhel8stig::v230283
- rhel8stig::v230284
- rhel8stig::v230285
- rhel8stig::v230286
- rhel8stig::v230287
- rhel8stig::v230288
- rhel8stig::v230289
- rhel8stig::v230290
- rhel8stig::v230291
- rhel8stig::v230292
- rhel8stig::v230293
- rhel8stig::v230294
- rhel8stig::v230295
- rhel8stig::v230296
- rhel8stig::v230298
- rhel8stig::v230299
- rhel8stig::v230300
- rhel8stig::v230301
- rhel8stig::v230302
- rhel8stig::v230303
- rhel8stig::v230304
- rhel8stig::v230305
- rhel8stig::v230306
- rhel8stig::v230307
- rhel8stig::v230308
- rhel8stig::v230309
- rhel8stig::v230310
- rhel8stig::v230311
- rhel8stig::v230312
- rhel8stig::v230313
- rhel8stig::v230314
- rhel8stig::v230315
- rhel8stig::v230316
- rhel8stig::v230317
- rhel8stig::v230318
- rhel8stig::v230319
- rhel8stig::v230320
- rhel8stig::v230321
- rhel8stig::v230322
- rhel8stig::v230323
- rhel8stig::v230324
- rhel8stig::v230325
- rhel8stig::v230326
- rhel8stig::v230327
- rhel8stig::v230328
- rhel8stig::v230329
- rhel8stig::v230330
- rhel8stig::v230331
- rhel8stig::v230332
- rhel8stig::v230333
- rhel8stig::v230334
- rhel8stig::v230335
- rhel8stig::v230336
- rhel8stig::v230337
- rhel8stig::v230338
- rhel8stig::v230339
- rhel8stig::v230340
- rhel8stig::v230341
- rhel8stig::v230342
- rhel8stig::v230343
- rhel8stig::v230344
- rhel8stig::v230345
- rhel8stig::v230346
- rhel8stig::v230347
- rhel8stig::v230348
- rhel8stig::v230349
- rhel8stig::v230350
- rhel8stig::v230351
- rhel8stig::v230352
- rhel8stig::v230353
- rhel8stig::v230354
- rhel8stig::v230355
- rhel8stig::v230356
- rhel8stig::v230357
- rhel8stig::v230358
- rhel8stig::v230359
- rhel8stig::v230360
- rhel8stig::v230361
- rhel8stig::v230362
- rhel8stig::v230363
- rhel8stig::v230364
- rhel8stig::v230365
- rhel8stig::v230366
- rhel8stig::v230367
- rhel8stig::v230368
- rhel8stig::v230369
- rhel8stig::v230370
- rhel8stig::v230371
- rhel8stig::v230372
- rhel8stig::v230373
- rhel8stig::v230374
- rhel8stig::v230375
- rhel8stig::v230376
- rhel8stig::v230377
- rhel8stig::v230378
- rhel8stig::v230379
- rhel8stig::v230380
- rhel8stig::v230381
- rhel8stig::v230382
- rhel8stig::v230383
- rhel8stig::v230384
- rhel8stig::v230385
- rhel8stig::v230386
- rhel8stig::v230387
- rhel8stig::v230388
- rhel8stig::v230389
- rhel8stig::v230390
- rhel8stig::v230392
- rhel8stig::v230393
- rhel8stig::v230394
- rhel8stig::v230395
- rhel8stig::v230396
- rhel8stig::v230397
- rhel8stig::v230398
- rhel8stig::v230399
- rhel8stig::v230400
- rhel8stig::v230401
- rhel8stig::v230402
- rhel8stig::v230403
- rhel8stig::v230404
- rhel8stig::v230405
- rhel8stig::v230406
- rhel8stig::v230407
- rhel8stig::v230408
- rhel8stig::v230409
- rhel8stig::v230410
- rhel8stig::v230411
- rhel8stig::v230412
- rhel8stig::v230413
- rhel8stig::v230414
- rhel8stig::v230415
- rhel8stig::v230416
- rhel8stig::v230417
- rhel8stig::v230418
- rhel8stig::v230419
- rhel8stig::v230420
- rhel8stig::v230421
- rhel8stig::v230422
- rhel8stig::v230423
- rhel8stig::v230424
- rhel8stig::v230425
- rhel8stig::v230426
- rhel8stig::v230427
- rhel8stig::v230428
- rhel8stig::v230429
- rhel8stig::v230430
- rhel8stig::v230431
- rhel8stig::v230432
- rhel8stig::v230433
- rhel8stig::v230434
- rhel8stig::v230435
- rhel8stig::v230436
- rhel8stig::v230437
- rhel8stig::v230438
- rhel8stig::v230439
- rhel8stig::v230440
- rhel8stig::v230441
- rhel8stig::v230442
- rhel8stig::v230443
- rhel8stig::v230444
- rhel8stig::v230445
- rhel8stig::v230446
- rhel8stig::v230447
- rhel8stig::v230448
- rhel8stig::v230449
- rhel8stig::v230450
- rhel8stig::v230451
- rhel8stig::v230452
- rhel8stig::v230453
- rhel8stig::v230454
- rhel8stig::v230455
- rhel8stig::v230456
- rhel8stig::v230457
- rhel8stig::v230458
- rhel8stig::v230459
- rhel8stig::v230460
- rhel8stig::v230461
- rhel8stig::v230462
- rhel8stig::v230463
- rhel8stig::v230464
- rhel8stig::v230465
- rhel8stig::v230466
- rhel8stig::v230467
- rhel8stig::v230468
- rhel8stig::v230469
- rhel8stig::v230470
- rhel8stig::v230471
- rhel8stig::v230472
- rhel8stig::v230473
- rhel8stig::v230474
- rhel8stig::v230475
- rhel8stig::v230476
- rhel8stig::v230477
- rhel8stig::v230478
- rhel8stig::v230479
- rhel8stig::v230480
- rhel8stig::v230481
- rhel8stig::v230482
- rhel8stig::v230483
- rhel8stig::v230484
- rhel8stig::v230485
- rhel8stig::v230486
- rhel8stig::v230487
- rhel8stig::v230488
- rhel8stig::v230489
- rhel8stig::v230491
- rhel8stig::v230492
- rhel8stig::v230493
- rhel8stig::v230494
- rhel8stig::v230495
- rhel8stig::v230496
- rhel8stig::v230497
- rhel8stig::v230498
- rhel8stig::v230499
- rhel8stig::v230500
- rhel8stig::v230502
- rhel8stig::v230503
- rhel8stig::v230504
- rhel8stig::v230505
- rhel8stig::v230506
- rhel8stig::v230507
- rhel8stig::v230508
- rhel8stig::v230509
- rhel8stig::v230510
- rhel8stig::v230511
- rhel8stig::v230512
- rhel8stig::v230513
- rhel8stig::v230514
- rhel8stig::v230515
- rhel8stig::v230516
- rhel8stig::v230517
- rhel8stig::v230518
- rhel8stig::v230519
- rhel8stig::v230520
- rhel8stig::v230521
- rhel8stig::v230522
- rhel8stig::v230523
- rhel8stig::v230524
- rhel8stig::v230525
- rhel8stig::v230526
- rhel8stig::v230527
- rhel8stig::v230529
- rhel8stig::v230530
- rhel8stig::v230531
- rhel8stig::v230532
- rhel8stig::v230533
- rhel8stig::v230534
- rhel8stig::v230535
- rhel8stig::v230536
- rhel8stig::v230537
- rhel8stig::v230538
- rhel8stig::v230539
- rhel8stig::v230540
- rhel8stig::v230541
- rhel8stig::v230542
- rhel8stig::v230543
- rhel8stig::v230544
- rhel8stig::v230545
- rhel8stig::v230546
- rhel8stig::v230547
- rhel8stig::v230548
- rhel8stig::v230549
- rhel8stig::v230550
- rhel8stig::v230551
- rhel8stig::v230552
- rhel8stig::v230553
- rhel8stig::v230554
- rhel8stig::v230555
- rhel8stig::v230556
- rhel8stig::v230557
- rhel8stig::v230558
- rhel8stig::v230559
- rhel8stig::v230560
- rhel8stig::v230561
- rhel8stig::v237640
- rhel8stig::v237641
- rhel8stig::v237642
- rhel8stig::v237643
- rhel8stig::v244519
- rhel8stig::v244521
- rhel8stig::v244522
- rhel8stig::v244523
- rhel8stig::v244524
- rhel8stig::v244525
- rhel8stig::v244526
- rhel8stig::v244527
- rhel8stig::v244528
- rhel8stig::v244529
- rhel8stig::v244530
- rhel8stig::v244531
- rhel8stig::v244532
- rhel8stig::v244533
- rhel8stig::v244534
- rhel8stig::v244535
- rhel8stig::v244536
- rhel8stig::v244537
- rhel8stig::v244538
- rhel8stig::v244539
- rhel8stig::v244540
- rhel8stig::v244541
- rhel8stig::v244542
- rhel8stig::v244543
- rhel8stig::v244544
- rhel8stig::v244545
- rhel8stig::v244546
- rhel8stig::v244547
- rhel8stig::v244548
- rhel8stig::v244549
- rhel8stig::v244550
- rhel8stig::v244551
- rhel8stig::v244552
- rhel8stig::v244553
- rhel8stig::v244554
- rhel8stig::v245540
- rhel8stig::v250315
- rhel8stig::v250316
- rhel8stig::v250317
- rhel8stig::v251706
- rhel8stig::v251707
- rhel8stig::v251708
- rhel8stig::v251709
- rhel8stig::v251710
- rhel8stig::v251711
- rhel8stig::v251712
- rhel8stig::v251713
- rhel8stig::v251714
- rhel8stig::v251715
- rhel8stig::v251716
- rhel8stig::v251717
- rhel8stig::v251718
Defined types
- rhel8stig::audit_rule
- rhel8stig::auditd_setting
- rhel8stig::dconf_lock
- rhel8stig::dconf_setting
- rhel8stig::resolv_conf
- rhel8stig::rsyslog_setting
- rhel8stig::sshd_rule
- rhel8stig::sysctl_rule
Changelog

Table of Contents​

Description​

Setup​

Required modules​

What rhel8stig affects​

Beginning with rhel8stig​

Usage​

note

Limitations​

Table of Contents​

Classes​

Defined types​

Classes​

rhel8stig​

Examples​

Assigning the module will enable all controls by default.​

Disable specified controls from hiera:​

Parameters​

vul_id​

exclude​

enforce​

rhel8stig::v230221​

rhel8stig::v230222​

rhel8stig::v230223​

rhel8stig::v230224​

rhel8stig::v230225​

rhel8stig::v230226​

rhel8stig::v230227​

rhel8stig::v230228​

rhel8stig::v230229​

Parameters​

cert​

cert_source​

rhel8stig::v230230​

rhel8stig::v230231​

rhel8stig::v230232​

rhel8stig::v230233​

rhel8stig::v230234​

Parameters​

grub_passwd_hash​

rhel8stig::v230235​

Parameters​

grub_passwd_hash​

rhel8stig::v230236​

rhel8stig::v230237​

rhel8stig::v230238​

rhel8stig::v230239​

rhel8stig::v230240​

rhel8stig::v230241​

rhel8stig::v230243​

rhel8stig::v230244​

rhel8stig::v230245​

rhel8stig::v230246​

rhel8stig::v230247​

rhel8stig::v230248​

rhel8stig::v230249​

rhel8stig::v230250​

rhel8stig::v230251​

rhel8stig::v230252​

rhel8stig::v230253​

rhel8stig::v230254​

rhel8stig::v230255​

rhel8stig::v230256​

rhel8stig::v230257​

rhel8stig::v230258​

rhel8stig::v230259​

rhel8stig::v230260​

rhel8stig::v230261​

rhel8stig::v230262​

rhel8stig::v230263​

Parameters​

frequency​

email​

rhel8stig::v230264​

rhel8stig::v230265​

rhel8stig::v230266​

rhel8stig::v230267​

rhel8stig::v230268​

rhel8stig::v230269​

rhel8stig::v230270​

Table of Contents

Description

Setup

Required modules

What rhel8stig affects

Beginning with rhel8stig

Usage

Limitations

Table of Contents

Classes

Defined types

Classes

`rhel8stig`

Examples

Assigning the module will enable all controls by default.

Disable specified controls from hiera:

Parameters

`vul_id`

`exclude`

`enforce`

`rhel8stig::v230221`

`rhel8stig::v230222`

`rhel8stig::v230223`

`rhel8stig::v230224`

`rhel8stig::v230225`

`rhel8stig::v230226`

`rhel8stig::v230227`

`rhel8stig::v230228`

`rhel8stig::v230229`

Parameters

`cert`

`cert_source`

`rhel8stig::v230230`

`rhel8stig::v230231`

`rhel8stig::v230232`

`rhel8stig::v230233`

`rhel8stig::v230234`

Parameters

`grub_passwd_hash`

`rhel8stig::v230235`

Parameters

`grub_passwd_hash`

`rhel8stig::v230236`

`rhel8stig::v230237`

`rhel8stig::v230238`

`rhel8stig::v230239`

`rhel8stig::v230240`

`rhel8stig::v230241`

`rhel8stig::v230243`

`rhel8stig::v230244`

`rhel8stig::v230245`

`rhel8stig::v230246`

`rhel8stig::v230247`

`rhel8stig::v230248`

`rhel8stig::v230249`

`rhel8stig::v230250`

`rhel8stig::v230251`

`rhel8stig::v230252`

`rhel8stig::v230253`

`rhel8stig::v230254`

`rhel8stig::v230255`

`rhel8stig::v230256`

`rhel8stig::v230257`

`rhel8stig::v230258`

`rhel8stig::v230259`

`rhel8stig::v230260`

`rhel8stig::v230261`

`rhel8stig::v230262`

`rhel8stig::v230263`

Parameters

`frequency`

`email`

`rhel8stig::v230264`

`rhel8stig::v230265`

`rhel8stig::v230266`

`rhel8stig::v230267`

`rhel8stig::v230268`

`rhel8stig::v230269`

`rhel8stig::v230270`

`rhel8stig::v230271`