Update RHEL 8 STIG to V2R3 #13360
This datastream diff is auto generated by the check
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -80,7 +80,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -96,7 +96,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -100,7 +100,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
@@ -44,7 +44,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -143,7 +143,7 @@
2.2
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Centralized cryptographic policies simplify applying secure ciphers across an operating system and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -44,7 +44,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -47,7 +47,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Overriding the system crypto policy makes the behavior of the Libreswan
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -61,7 +61,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Overriding the system crypto policy makes the behavior of the OpenSSH client
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -49,7 +49,7 @@
RHEL-08-010291
[reference]:
-SV-230252r1044817_rule
+SV-230252r1067104_rule
[rationale]:
Overriding the system crypto policy makes the behavior of the OpenSSH server
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -52,7 +52,7 @@
RHEL-08-010020
[reference]:
-SV-230223r1017042_rule
+SV-230223r1069327_rule
[rationale]:
Overriding the system crypto policy makes the behavior of the OpenSSH
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
@@ -128,7 +128,7 @@
RHEL-08-020082
[reference]:
-SV-244539r1017346_rule
+SV-244539r1069325_rule
[rationale]:
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -122,7 +122,7 @@
1.8.5
[reference]:
-SV-230354r1017167_rule
+SV-230354r1069323_rule
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -134,7 +134,7 @@
8.2
[reference]:
-SV-244538r1017345_rule
+SV-244538r1069324_rule
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
@@ -161,7 +161,7 @@
RHEL-08-040171
[reference]:
-SV-230530r1017290_rule
+SV-230530r1069317_rule
[rationale]:
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
+++ xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
@@ -147,7 +147,7 @@
RHEL-08-010381
[reference]:
-SV-230272r1050789_rule
+SV-230272r1069289_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
+++ xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
@@ -152,7 +152,7 @@
RHEL-08-010380
[reference]:
-SV-230271r1050789_rule
+SV-230271r1069290_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized'.
--- xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized
+++ xccdf_org.ssgproject.content_rule_sudo_restrict_privilege_elevation_to_authorized
@@ -31,7 +31,7 @@
RHEL-08-010382
[reference]:
-SV-237641r1017324_rule
+SV-237641r1069288_rule
[rationale]:
If the "sudoers" file is not configured correctly, any user defined
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -153,7 +153,7 @@
1.8.2
[reference]:
-SV-230226r1017045_rule
+SV-230226r1069298_rule
[rationale]:
An appropriate warning message reinforces policy awareness during the logon
New content has different text for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts'.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -162,7 +162,7 @@
10.2
[reference]:
-SV-230381r991589_rule
+SV-230381r1069295_rule
[rationale]:
Users need to be aware of activity that occurs regarding their account. Providing users with
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
@@ -21,7 +21,7 @@
4.4.2.2
[reference]:
-SV-244534r1017341_rule
+SV-244534r1069319_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
@@ -21,7 +21,7 @@
4.4.2.2
[reference]:
-SV-244533r1017340_rule
+SV-244533r1069318_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -219,7 +219,7 @@
SV-230336r1017148_rule
[reference]:
-SV-230337r1017149_rule
+SV-230337r1069292_rule
[rationale]:
By limiting the number of failed logon attempts the risk of unauthorized system
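Review bot: Possible missed revision bump on the context line at the top of this hunk: SV-230336r1017148_rule stays at its old revision while the entry below it moves from SV-230337r1017149_rule to SV-230337r1069292_rule. If this rule is mapped to both findings, check whether V2R3 also revised SV-230336 and update it in the same change; if it did not change upstream, say so in the PR description so the mixed revisions are not read as an oversight.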
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -235,7 +235,7 @@
R68
[reference]:
-SV-251716r1017369_rule
+SV-251716r1069329_rule
[rationale]:
Setting the password retry prompts that are permitted on a per-session basis to a low value
New content has different text for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout'.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -308,7 +308,7 @@
R32
[reference]:
-SV-257258r1017375_rule
+SV-257258r1069328_rule
[rationale]:
Terminating an idle session within a short time period reduces the window of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_temp_expire_date'.
--- xccdf_org.ssgproject.content_rule_account_temp_expire_date
+++ xccdf_org.ssgproject.content_rule_account_temp_expire_date
@@ -209,7 +209,7 @@
SV-230331r1017143_rule
[reference]:
-SV-230374r1017186_rule
+SV-230374r1069293_rule
[rationale]:
If temporary user accounts remain active when no longer needed or for
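Review bot: The context line at the top of this hunk, SV-230331r1017143_rule, is left untouched while only SV-230374 is moved to r1069293. Please confirm against the V2R3 benchmark that SV-230331 kept its revision; if it was revised too, the reference should be bumped here so that both findings on this rule point at the same STIG release.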
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'.
--- xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions
+++ xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions
@@ -80,7 +80,7 @@
RHEL-08-020024
[reference]:
-SV-230346r1017159_rule
+SV-230346r1069306_rule
[rationale]:
Limiting simultaneous user logins can insulate the system from denial of service
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only'.
--- xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
+++ xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only
@@ -17,7 +17,7 @@
RHEL-08-010690
[reference]:
-SV-230317r1017128_rule
+SV-230317r1069320_rule
[rationale]:
The executable search path (typically the PATH environment variable) contains a
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -32,7 +32,7 @@
RHEL-08-030720
[reference]:
-SV-230482r958754_rule
+SV-230482r1069330_rule
[rationale]:
The audit records generated by Rsyslog contain valuable information regarding system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -28,7 +28,7 @@
RHEL-08-010070
[reference]:
-SV-230228r1017047_rule
+SV-230228r1069299_rule
[rationale]:
Logging remote access methods can be used to trace the decrease the risks
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -31,7 +31,7 @@
RHEL-08-040021
[reference]:
-SV-230494r1017277_rule
+SV-230494r1069310_rule
[rationale]:
Disabling ATM protects the system against exploitation of any
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -34,7 +34,7 @@
RHEL-08-040022
[reference]:
-SV-230495r1017278_rule
+SV-230495r1069311_rule
[rationale]:
Disabling CAN protects the system against exploitation of any
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -27,7 +27,7 @@
RHEL-08-040026
[reference]:
-SV-230499r1017282_rule
+SV-230499r1069315_rule
[rationale]:
Disabling FireWire protects the system against exploitation of any
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -251,7 +251,7 @@
1.4
[reference]:
-SV-230496r1017279_rule
+SV-230496r1069312_rule
[rationale]:
Disabling SCTP protects
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
@@ -238,7 +238,7 @@
3.2.2
[reference]:
-SV-230497r1017280_rule
+SV-230497r1069313_rule
[rationale]:
Disabling TIPC protects
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits'.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
@@ -195,7 +195,7 @@
2.2
[reference]:
-SV-230243r1017061_rule
+SV-230243r1069294_rule
[rationale]:
Failing to set the sticky bit on public directories allows unauthorized users to delete files
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'.
--- xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
+++ xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
@@ -354,7 +354,7 @@
2.2
[reference]:
-SV-230327r1017138_rule
+SV-230327r1069285_rule
[rationale]:
Unowned files do not directly imply a security problem, but they are generally a sign that
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'.
--- xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
+++ xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
@@ -362,7 +362,7 @@
2.2
[reference]:
-SV-230326r1017137_rule
+SV-230326r1069284_rule
[rationale]:
Unowned files do not directly imply a security problem, but they are generally a sign that
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log
@@ -19,7 +19,7 @@
RHEL-08-010240
[reference]:
-SV-230248r1017066_rule
+SV-230248r1069291_rule
[rationale]:
The /var/log directory contains files with logs of error
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs'.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -187,7 +187,7 @@
RHEL-08-010340
[reference]:
-SV-230261r1017081_rule
+SV-230261r1069326_rule
[rationale]:
Files from shared library directories are loaded into the address
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
@@ -235,7 +235,7 @@
1.1.1.1
[reference]:
-SV-230498r1017281_rule
+SV-230498r1069314_rule
[rationale]:
Removing support for unneeded filesystem types reduces the local attack surface
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
@@ -265,7 +265,7 @@
3.4
[reference]:
-SV-2
8000
30503r1017285_rule
+SV-230503r1069316_rule
[rationale]:
USB storage devices such as thumb drives can be used to introduce
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'.
--- xccdf_org.ssgproject.content_rule_disable_users_coredumps
+++ xccdf_org.ssgproject.content_rule_disable_users_coredumps
@@ -93,7 +93,7 @@
3.3
[reference]:
-SV-230313r1017124_rule
+SV-230313r1069304_rule
[rationale]:
A core dump includes a memory image taken at the time the operating system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
@@ -38,7 +38,7 @@
R8
[reference]:
-SV-230279r1017092_rule
+SV-230279r1069286_rule
[rationale]:
Poisoning writes an arbitrary value to freed objects, so any modification or
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_user_login_roles'.
--- xccdf_org.ssgproject.content_rule_selinux_user_login_roles
+++ xccdf_org.ssgproject.content_rule_selinux_user_login_roles
@@ -32,7 +32,7 @@
RHEL-08-040400
[reference]:
-SV-254520r958726_rule
+SV-254520r1069331_rule
[rationale]:
Preventing non-privileged users from executing privileged functions mitigates
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_mailx_installed'.
--- xccdf_org.ssgproject.content_rule_package_mailx_installed
+++ xccdf_org.ssgproject.content_rule_package_mailx_installed
@@ -21,7 +21,7 @@
RHEL-08-010358
[reference]:
-SV-256974r1017374_rule
+SV-256974r1069321_rule
[rationale]:
Emails can be used to notify designated personnel about important
New content has different text for rule 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode'.
--- xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
+++ xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
@@ -372,12 +372,6 @@
[reference]:
SRG-OS-000480-GPOS-00227
-[reference]:
-RHEL-08-040350
-
-[reference]:
-SV-230557r1017319_rule
-
[rationale]:
Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
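Review bot: Missing explanation for why RHEL-08-040350 and SV-230557r1017319_rule are deleted outright in the removed lines instead of being revision-bumped like every other rule in this diff. The rule keeps SRG-OS-000480-GPOS-00227 but loses its STIG mapping, so the PR description should state that V2R3 dropped this requirement, and the change should be checked against the RHEL 8 STIG profile so that the rule selection and the references agree.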
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode' differs.
--- xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
+++ xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
@@ -3,7 +3,6 @@
manager: auto
tags:
- CCE-82434-2
- - DISA-STIG-RHEL-08-040350
- NIST-800-53-AC-6
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
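Review bot: Playbook runs that select tasks by the DISA-STIG-RHEL-08-040350 tag will skip the tftp secure-mode tasks once this tag line is gone from the tags list here and in the three hunks that follow, while CCE-82434-2 and the NIST-800-53 tags remain. That is consistent with the reference removal on the rule, but it is a behaviour change for tag-based runs and deserves a line in the PR description or release notes.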
@@ -28,7 +27,6 @@
when: '"tftp-server" in ansible_facts.packages'
tags:
- CCE-82434-2
- - DISA-STIG-RHEL-08-040350
- NIST-800-53-AC-6
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
@@ -51,7 +49,6 @@
- tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
tags:
- CCE-82434-2
- - DISA-STIG-RHEL-08-040350
- NIST-800-53-AC-6
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
@@ -73,7 +70,6 @@
- tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
tags:
- CCE-82434-2
- - DISA-STIG-RHEL-08-040350
- NIST-800-53-AC-6
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-7(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected'.
--- xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected
+++ xccdf_org.ssgproject.content_rule_ssh_keys_passphrase_protected
@@ -19,7 +19,7 @@
RHEL-08-010100
[reference]:
-SV-230230r1017049_rule
+SV-230230r1069287_rule
[rationale]:
If an unauthorized user obtains access to a private key without a passcode,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive'.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -336,7 +336,7 @@
8.2
[reference]:
-SV-230244r1017062_rule
+SV-230244r1069300_rule
[rationale]:
This ensures a user login will be terminated as soon as the ClientAliveInterval
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -400,7 +400,7 @@
2.2
[reference]:
-SV-230380r1017191_rule
+SV-230380r1069308_rule
[rationale]:
Configuring this setting for the SSH daemon provides additional assurance
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -164,7 +164,7 @@
RHEL-08-010521
[reference]:
-SV-230291r1017102_rule
+SV-230291r1069303_rule
[rationale]:
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -446,7 +446,7 @@
2.2
[reference]:
-SV-230296r1017107_rule
+SV-230296r1069322_rule
[rationale]:
Even though the communications channel may be encrypted, an additional layer of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -108,7 +108,7 @@
RHEL-08-010520
[reference]:
-SV-230290r1017100_rule
+SV-230290r1069302_rule
[rationale]:
Configuring this setting for the SSH daemon provides additional
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -124,7 +124,7 @@
2.2
[reference]:
-SV-230330r1017141_rule
+SV-230330r1069305_rule
[rationale]:
SSH environment options potentially allow users to bypass
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -204,7 +204,7 @@
RHEL-08-010500
[reference]:
-SV-230288r1017099_rule
+SV-230288r1069301_rule
[rationale]:
If other users have access to modify user-specific SSH configuration files, they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -173,7 +173,7 @@
RHEL-08-010040
[reference]:
-SV-230225r1017044_rule
+SV-230225r1069297_rule
[rationale]:
The warning message reinforces policy awareness during the logon process and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log'.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -121,7 +121,7 @@
RHEL-08-020350
[reference]:
-SV-230382r991589_rule
+SV-230382r1069309_rule
[rationale]:
Providing users feedback on when account accesses last occurred facilitates user
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration'.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -178,7 +178,7 @@
RHEL-08-020290
[reference]:
-SV-230376r958828_rule
+SV-230376r1069307_rule
[rationale]:
If cached authentication information is out-of-date, the validity of the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_auditd
@@ -19,7 +19,7 @@
RHEL-08-030610
[reference]:
-SV-230471r1017262_rule
+SV-230471r1069296_rule
[rationale]:
Without the capability to restrict the roles and individuals that can select which events
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -19,7 +19,7 @@
RHEL-08-030610
[reference]:
-SV-230471r1017262_rule
+SV-230471r1069296_rule
[rationale]:
Without the capability to restrict the roles and individuals that can select which events |
Change in Ansible Please consider using more suitable Ansible module than
linux_os/guide/system/bootloader-grub2/grub2_init_on_free/rule.yml
….yml Co-authored-by: Jan Černý <jcerny@redhat.com>
Code Climate has analyzed commit 78964b6 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
/packit build
Description:
Update RHEL 8 STIG to V2R3
Rationale:
Keep the STIG up-to-date.