Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 11

CEM for Linux v1.7.0 introduced enforcement for an updated Security Technical Implementation Guide (STIG) standard: Red Hat Enterprise Linux STIG - Version 1, Release 11. The transition from the previously supported version (Version 1, Release 8) resulted in module updates.

  • Added
    • The following controls are added to the module:
      • V-255924 - RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.
      • V-256974 - RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.
      • V-257258 - RHEL 8 must terminate idle user sessions.
  • Changed
    • The following controls are changed in the module:
      • V-230244 - RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.

        Previously, the system could send up to 600 messages to a client without receiving a response, and the session was still considered active. In the new release, the ClientAliveCountMax threshold is changed from 600 to 1. As a result, if the system sends a single message without receiving a response, the session is considered inactive and is terminated. This termination reduces the window of opportunity for unauthorized personnel to take control of a management system that is unattended.

      • V-230251 - The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

        The control is updated with the following new default setting to help prevent unauthorized access to data:

        oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

      • V-230252 - The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.

        The control is updated with the following new default setting to help prevent unauthorized users from altering data:

        CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

      • V-230525 - A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces.

        The control is updated to ensure that nftables is the backend used by firewalld.

      • A Puppet Bolt task was updated to support the functionality in the following control:

        V-256973 - RHEL 8 must ensure cryptographic verification of vendor software packages.

        The Bolt task query_rpm_gpg_keys can now be used to report the data required by this control. To ensure compliance with this control, run the Bolt task query_rpm_gpg_keys and verify the output.
  • Removed
    • The following control is removed from the module:
      • V-230289 - The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.