Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 14
SCE for Linux v2.2.0 introduced enforcement for an updated Security Technical Implementation Guide (STIG) standard: Red Hat Enterprise Linux STIG - Version 1, Release 14. The transition from the previously supported version (Version 1, Release 11) resulted in module updates.
- Added
-
No controls were added to the module for this release.
-
- Changed
- The following controls were changed in the module:
V-230493 - RHEL 8 must cover or disable the built-in or attached camera when not in use.
Cameras can be turned off when not in use to help protect organizational data. For this reason, the default value in the configuration file was changed from 'install uvcvideo /bin/true' to 'install uvcvideo /bin/false'.- V-230494 - RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
ATM is a protocol operating on network, data link, and physical layers. To help protect systems against exploitation, ATM can be disabled. For this reason, the default value in the configuration file was changed from 'install atm /bin/true' to 'install atm /bin/false'. V-230495 - RHEL 8 must disable the controller area network (CAN) protocol.
CAN is a serial communications protocol used across many industries. To help protect systems against exploitation, CAN can be disabled. For this reason, the default value in the configuration file was changed from 'install can /bin/true' to 'install can /bin/false'.V-230496 - RHEL 8 must disable the stream control transmission protocol (SCTP).
SCTP is a transport layer protocol that supports several streams of messages within one connection. To help prevent a system compromise, SCTP can be disabled. For this reason, the default value in the configuration file was changed from 'install sctp /bin/true' to 'install sctp /bin/false'.V-230497 - RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
The TIPC protocol supports communications between nodes in a cluster. TIPC can be disabled to help protect systems against exploitation. For this reason, the default value in the configuration file was changed from 'install tipc /bin/true' to 'install tipc /bin/false'.V-230498 - RHEL 8 must disable mounting of cramfs.
The compressed ROM/RAM file system (cramfs) is a read-only file system. The use of cramfs can be avoided to help reduce the local attack surface of the server. For this reason, the default value in the configuration file was changed from 'install cramfs /bin/true' to 'install cramfs /bin/false'. In addition, a new variable, load_module, was set to 'false'.V-230499 - RHEL 8 must disable IEEE 1394 (FireWire) Support.
FireWire is a serial bus standard for high-speed real-time communication. Disabling FireWire can help to protect systems against the exploitation of implementation flaws. For this reason, the default value in the configuration file was changed from 'install firewire-core /bin/true' to 'install firewire-core /bin/false'.V-230503 - RHEL 8 must be configured to disable USB mass storage.
USB mass storage permits the introduction of unknown devices, which can facilitate malicious activity. To disable USB mass storage, the default value in the configuration file was changed from 'install usb-storage /bin/true' to 'install usb-storage /bin/false'. In addition, a new variable,load_module
, was set to'false'
.V-230507 - RHEL 8 Bluetooth must be disabled.
Bluetooth communications can be intercepted, thus posing a risk to data and the RHEL 8 operating system. To reduce the risk, Bluetooth communications can be disabled. For this reason, the default value in the configuration file was changed from 'install bluetooth /bin/true' to 'install bluetooth /bin/false'.
- The following controls were changed in the module:
- Removed
- No controls were removed from the module for this release.