Oracle Linux 9 STIG updates


There is currently no official STIG for Oracle Linux 9. In anticipation of one being published, we have prepared a benchmark against the current STIG for Red Hat Enterprise Linux 9, Version 2, Release 1. See https://public.cyber.mil/stigs/ for general and version information about STIGs.

You can install the package on any BMC Discovery appliance running Oracle Linux 9. To do so, apply the 2 July Operating System Upgrade (OSU), or a later one, and then run the script that applies the STIG rules. The script's changes cannot be reverted automatically, so you must back up the appliance before running the script and restore that backup if you need to undo the changes.

If you are running BMC Discovery 23.3 or 24.1 and are planning to upgrade to BMC Discovery 24.2 or later, we recommend that you apply the upgrade before applying the STIG. The upgrade overwrites some of the STIG configuration files; rerunning the STIG script restores them. When you have installed the July (or a later) OSU, you can then install the STIG.

FIPS

FIPS is not a requirement for applying the STIG script. The RHEL 9 STIG states that FIPS must be enabled; however, there are deployment considerations. See Running in FIPS-compliant mode for more information.

Applying the STIG for Oracle Linux 9

You apply the STIG for Oracle Linux 9 by running the tw_ol9_stig script. Before you run it, note the following:

  • The appliance should be FIPS-enabled.
  • You must back up the appliance before applying the STIG.
  • You must be the root user.

To apply the STIG for Oracle Linux 9:

  1. Apply the latest Oracle Linux 9 OSU.
  2. As the root user, run the tw_ol9_stig script. The script is not executable, so run it by entering:

    [root@appliance bin]# sh tw_ol9_stig

    This script will make configuration changes to this Discovery
    appliance that will impact the usage and management of the
    appliance.

    Note that the changes made by this script will need to be manually
    reverted. Please review the documentation for more information.

    Are you sure you want to perform the configuration changes (yes/no)? 
  3. Confirm that you want to run the script by answering yes and pressing Enter.
  4. When the script has finished, reboot the appliance for the changes to take effect.
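The preconditions and steps above, gathered into a pre-flight wrapper that refuses to start tw_ol9_stig unless the checks pass (an added example, not BMC's code or part of the original page). The wrapper file name stig_preflight.sh and the backup marker path are assumptions; each check takes an optional argument so it can be exercised against constructed inputs.

```shell
#!/bin/sh
# stig_preflight.sh: pre-flight checks before running tw_ol9_stig (added example,
# not BMC's script). Assumptions: tw_ol9_stig is in the current directory and the
# backup marker path is a hypothetical stand-in for your own proof of a backup.

STIG_SCRIPT="${STIG_SCRIPT:-./tw_ol9_stig}"
BACKUP_MARKER="${BACKUP_MARKER:-/var/tmp/appliance-backup.done}"   # hypothetical

# 0 when the uid ($1, default: the caller's effective uid) is root
check_root() { [ "${1:-$(id -u)}" -eq 0 ]; }

# 0 when the kernel FIPS flag ($1, default /proc/sys/crypto/fips_enabled) reads 1
check_fips() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# 0 when the backup marker file ($1, default $BACKUP_MARKER) exists
check_backup() { [ -f "${1:-$BACKUP_MARKER}" ]; }

# Run the preconditions; returns the number of hard failures (0 = safe to proceed).
# FIPS is recommended but not required, so a missing FIPS mode only warns.
preflight() {
    failed=0
    check_root "$1"   || { echo "FAIL: must run as root" >&2; failed=$((failed + 1)); }
    check_fips "$2"   || echo "WARN: FIPS is not enabled (see the FIPS section)" >&2
    check_backup "$3" || { echo "FAIL: no appliance backup found; tw_ol9_stig cannot be reverted automatically" >&2; failed=$((failed + 1)); }
    return "$failed"
}

# The script is not executable, so invoke it through sh. It asks its own yes/no
# question; answer it interactively. Reboot afterwards for the changes to take effect.
apply_stig() {
    [ -f "$STIG_SCRIPT" ] || { echo "missing $STIG_SCRIPT" >&2; return 2; }
    sh "$STIG_SCRIPT" && echo "STIG applied. Reboot the appliance now."
}

apply_with_checks() {
    if preflight; then apply_stig; else echo "Pre-flight failed; not running tw_ol9_stig." >&2; return 1; fi
}

# Only run when executed as a script, not when sourced
if [ "${0##*/}" = "stig_preflight.sh" ]; then apply_with_checks "$@"; fi
```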

STIG for BMC Discovery on Oracle Linux 9

The updated STIG for BMC Discovery on Oracle Linux 9 was published on 7 August 2024.

Oracle Linux 9 STIG updates

The STIG for BMC Discovery on Oracle Linux 9 will be updated when necessary. Updates are likely to be less frequent than OSUs but will be released with OSUs.

Rules not applicable or met with caveats

The following table describes the STIG rules that are not applicable or are met with caveats. 

Rules currently under review

The following table describes the STIG rules that are currently under review for operational analysis for inclusion in future OSUs. 

STIG ID         STIG Rule Title
RHEL-09-212010  RHEL 9 must require a bootloader superuser password.
RHEL-09-212015  RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
RHEL-09-212020  RHEL 9 must require a unique superuser name on booting into single-user and maintenance modes.
RHEL-09-213020  RHEL 9 must prevent the loading of a new kernel for later execution.
RHEL-09-214030  RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
RHEL-09-231035  RHEL 9 must use a separate file system for /var/tmp.
RHEL-09-231200  RHEL 9 must prevent special devices on non-root local partitions.
RHEL-09-232050  All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
RHEL-09-252015  RHEL 9 chronyd service must be enabled.
RHEL-09-252020  RHEL 9 must securely compare internal information system clocks at least every 24 hours.
RHEL-09-252040  RHEL 9 must configure a DNS processing mode set be Network Manager.
RHEL-09-255030  RHEL 9 must log SSH connection attempts and failures to the server.
RHEL-09-255055  RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
RHEL-09-255060  RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.
RHEL-09-255065  RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.
RHEL-09-255075  RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
RHEL-09-255170  RHEL 9 SSH daemon must be configured to use privilege separation.
RHEL-09-411035  RHEL 9 system accounts must not have an interactive login shell.
RHEL-09-432035  RHEL 9 must restrict the use of the "su" command.
RHEL-09-433010  RHEL 9 fapolicy module must be installed.
RHEL-09-611190  RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
RHEL-09-651025  RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.
RHEL-09-653040  RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
RHEL-09-653125  RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.
