Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 11
The Compliance Enforcement Module (CEM) for Linux v1.7.0 introduces enforcement for an updated Security Technical Implementation Guide (STIG) standard: Red Hat Enterprise Linux STIG - Version 1, Release 11. The transition from the previously supported version (Version 1, Release 8) resulted in module updates.
-
Added
- The following controls are added to the module:
- V-255924 - RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.
- V-256974 - RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.
- V-257258 - RHEL 8 must terminate idle user sessions.
- The following controls are added to the module:
-
Changed
- The following controls are changed in the module:
- V-230244 - RHEL 8 must be configured so that all network
connections associated with SSH traffic are terminated at
the end of the session or after 10 minutes of inactivity,
except to fulfill documented and validated mission
requirements.
Previously, the system could send up to 600 messages to a client without receiving a response, and the session was still considered active. In the new release, the
ClientAliveCountMaxthreshold is changed from 600 to 1. As a result, if the system sends a single message without receiving a response, the session is considered inactive and is terminated. This termination reduces the window of opportunity for unauthorized personnel to take control of a management system that is unattended. - V-230251 - The RHEL 8 SSH server must be configured to use
only Message Authentication Codes (MACs) employing FIPS
140-2 validated cryptographic hash algorithms. The control is updated with the following new default setting to help prevent unauthorized access to data:
oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com - V-230252 - The RHEL 8 operating system must implement
DoD-approved encryption to protect the confidentiality of
SSH server connections. The control is updated with the following new default setting to help prevent unauthorized users from altering data:
CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' - V-230525 - A firewall must be able to protect against or
limit the effects of Denial of Service (DoS) attacks by
ensuring RHEL 8 can implement rate-limiting measures on
impacted network interfaces.
The control is updated to ensure that
nftablesis the backend used byfirewalld. - A Puppet Bolt task was
updated to support the functionality in the following
control:
V-256973 - RHEL 8 must ensure cryptographic verification of vendor software packages.
The Bolt taskquery_rpm_gpg_keyscan now be used to report the data required by this control. To ensure compliance with this control, run the Bolt taskquery_rpm_gpg_keysand verify the output.
- V-230244 - RHEL 8 must be configured so that all network
connections associated with SSH traffic are terminated at
the end of the session or after 10 minutes of inactivity,
except to fulfill documented and validated mission
requirements.
- The following controls are changed in the module:
-
Removed
- The following control is removed from the module:
- V-230289 - The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
- The following control is removed from the module: