
The STIGLord Blog!

"STIG worms, you know I hate 'em." - Stigglejuice

RHEL 8 V2R6 Changes

The big overall push in this revision seems to be a focus on the crypto-policies package with some other general updates and fixes.

Also, after having tried to post this to /r/redhat 3 different times, I have decided that the next quarterly update will be my final attempt to contribute this information to the Reddit community. You can always come read it here. It's not like there are any ads or anything.

Added Rules

  • RHEL-08-010015 - RHEL 8 must have the crypto-policies package installed.
  • RHEL-08-010270 - RHEL 8 cryptographic policy must not be overridden.
  • RHEL-08-010275 - RHEL 8 must implement DOD-approved encryption in the bind package.
  • RHEL-08-010280 - RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.
  • RHEL-08-020360 - RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.

Removed Rules

  • RHEL-08-010287 - The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
  • RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
  • RHEL-08-010294 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
  • RHEL-08-010295 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
  • RHEL-08-010660 - Local RHEL 8 initialization files must not execute world-writable programs.
  • RHEL-08-020340 - RHEL 8 must display the date and time of the last successful account logon upon logon.
  • RHEL-08-040342 - RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

Rule ID Changes Only

  • RHEL-08-010140
  • RHEL-08-010141
  • RHEL-08-010149
  • RHEL-08-010150
  • RHEL-08-010151
  • RHEL-08-010152
  • RHEL-08-010190
  • RHEL-08-010375
  • RHEL-08-010376

Rule ID and Check Changes

  • RHEL-08-010572 - Added "For vfat file systems and for systems that use BIOS, this is Not Applicable."
  • RHEL-08-010630 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010640 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010650 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010670 - No material changes
  • RHEL-08-010800 - No material changes
  • RHEL-08-040370 - Added "If NFS mounts are authorized and in use on the system, this control is not applicable."

Rule ID, Check, and Fix Changes

  • RHEL-08-010700 - Updated check and fix syntax for ownership of "public directories" (formerly "world-writable directories")
  • RHEL-08-020060 - No material changes - still 900 seconds
  • RHEL-08-040172 - Moved fix into a drop file
  • RHEL-08-030655 - Corrected audit.rules syntax

Rule ID, Title, and Other Changes

  • RHEL-08-010350 - Dropped system account ownership
  • RHEL-08-040070 - Removed "and is not documented with the Information System Security Officer (ISSO) as an operational requirement"
  • RHEL-08-010020 - Added language for crypto sub-policies like AD-SUPPORT, specifies the FIPS 140-3 hashing algos, and min_rsa_size=2048
  • RHEL-08-010290 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes requirement for same order of MACs
  • RHEL-08-010291 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes requirement for same order of MACs
  • RHEL-08-010296 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - MACs entry changed to hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
  • RHEL-08-010297 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes ordering language, ciphers changed to aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
  • RHEL-08-010580 - Added "This control is not applicable to vfat file systems."
  • RHEL-08-010671 - Fix moved into a drop file
  • RHEL-08-010673 - Fix updated drop file language
  • RHEL-08-040282 - Fix moved into a drop file
  • RHEL-08-040285 - Fix moved into a drop file
  • RHEL-08-040140 - Updated capitalization, added command to restart usbguard service
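Since V2R6 no longer cares about the order of the Ciphers and MACs for RHEL-08-010296/010297, a sanity check against the back-end file only needs to compare sets. The script below is an added example of mine, not the STIG check text and not Red Hat code. It assumes the RHEL 8 layout where /etc/crypto-policies/back-ends/opensshserver.config holds a single line of the form CRYPTO_POLICY='-oCiphers=... -oMACs=... -oKexAlgorithms=...'; the two sample file contents are constructed, and REQUIRED holds the four ciphers and four MACs named in the rules above.

```python
"""Order-insensitive check of the sshd Ciphers/MACs that the RHEL 8
crypto-policies OpenSSH server back-end hands to sshd.

Added example, not code from the STIG or from this blog. Assumes the RHEL 8
layout in which /etc/crypto-policies/back-ends/opensshserver.config holds one
line:  CRYPTO_POLICY='-oCiphers=... -oMACs=... -oKexAlgorithms=...'
"""
import re

# Algorithms named in the V2R6 fix text for RHEL-08-010296 (MACs) and
# RHEL-08-010297 (Ciphers); compared as sets, so order is irrelevant.
REQUIRED = {
    "Ciphers": {
        "aes256-gcm@openssh.com", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes128-ctr",
    },
    "MACs": {
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512", "hmac-sha2-256",
    },
}

# Constructed sample back-end file: the same algorithms in a different
# order from the STIG text, which V2R6 now accepts.
SAMPLE_OK = (
    "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com -oMACs=hmac-sha2-256,hmac-sha2-512,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com "
    "-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384'\n"
)
# Constructed variant: one stray cipher added, one required MAC removed.
SAMPLE_BAD = SAMPLE_OK.replace("aes128-ctr,", "aes128-ctr,3des-cbc,").replace(
    ",hmac-sha2-512-etm@openssh.com", "")

POLICY_LINE = re.compile(r"^\s*CRYPTO_POLICY=(.*?)\s*$", re.M)


def parse_crypto_policy(text):
    """Return {option_name: [values...]} for every -oName=a,b,c token."""
    m = POLICY_LINE.search(text)
    if not m:
        raise ValueError("no CRYPTO_POLICY line found")
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]          # drop the shell quoting
    opts = {}
    for tok in value.split():
        if not tok.startswith("-o") or "=" not in tok:
            continue
        name, _, algs = tok[2:].partition("=")
        opts[name] = [a for a in algs.split(",") if a]
    return opts


def check_policy(text, required=REQUIRED):
    """Compare each required option as a set, ignoring order.
    Returns {option: (missing, unexpected)}; two empty sets mean compliant."""
    opts = parse_crypto_policy(text)
    result = {}
    for name, wanted in required.items():
        have = set(opts.get(name, []))
        result[name] = (wanted - have, have - wanted)
    return result


def is_compliant(text, required=REQUIRED):
    return all(not missing and not extra
               for missing, extra in check_policy(text, required).values())


if __name__ == "__main__":
    # On a real RHEL 8 host, read the back-end file instead of the samples:
    # text = open("/etc/crypto-policies/back-ends/opensshserver.config").read()
    for label, text in (("reordered FIPS lists", SAMPLE_OK),
                        ("tampered lists", SAMPLE_BAD)):
        print(f"{label}: {'compliant' if is_compliant(text) else 'NOT compliant'}")
        for name, (missing, extra) in check_policy(text).items():
            if missing or extra:
                print(f"  {name}: missing={sorted(missing)} unexpected={sorted(extra)}")
```

Anything present in the file but not in the rule's list is reported as unexpected, anything required but absent as missing, so a reviewer sees exactly which algorithm tripped the finding rather than a bare pass/fail. It does not replace the fix text (reinstalling crypto-policies and re-enforcing FIPS); it only tells you whether that fix actually landed in the file sshd reads.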

RHEL 9 V2R7 Changes

There is a session lock timer lowered this go around, so check your remediation products. :)

Added Rules

  • RHEL-09-654097 - (Cat 2) RHEL 9 must audit any script or executable called by cron as root or by any privileged user

Removed Rules

  • RHEL-09-411115 - (Cat 2) Local RHEL 9 initialization files must not execute world-writable programs
  • RHEL-09-412075 - (Cat 3) RHEL 9 must display the date and time of the last successful account logon upon logon

Stuff that might bite you

  • RHEL-09-412080 - MATERIAL CHANGE: StopIdleSessionSec lowered from 900 to 600 (15 minutes to 10 minutes)
  • RHEL-09-271065 - MATERIAL CHANGE: GUI session lock changed from 900 to 600 (15 minutes to 10 minutes)
  • RHEL-09-671010 - Fix text adds fips=1 kernel parameter in addition to fips-mode-setup --enable
  • RHEL-09-253035 - net.ipv4.conf.all.rp_filter must be 1. Previously it could have been 1 or 2.

Rule ID Changes Only

  • RHEL-09-212010
  • RHEL-09-212020
  • RHEL-09-232103
  • RHEL-09-232104
  • RHEL-09-232245

Rule ID and Check Changes

  • RHEL-09-214025 - Added subdirectory sample output and clarifies that gpgcheck must be 1 in all repo files
  • RHEL-09-215045 - (no gssproxy) Added "If NFS mounts are authorized and in use on the system, this control is not applicable."
  • RHEL-09-215101 - (must have postfix) Added "If the admin can demonstrate that there is another system/service to send audit failure notifications to the administrator/ISSO, this control is not applicable."
  • RHEL-09-231105 - Added vfat file systems in addition to BIOS systems to the N/A statement
  • RHEL-09-231200 - Added N/A for vfat file systems
  • RHEL-09-271035 - Added clarification/correction to check language
  • RHEL-09-431016 - Slight grammar change
  • RHEL-09-432035 - Grammar, clarification
  • RHEL-09-651010 - Language shuffled around
  • RHEL-09-653090 - Updated command sample output
  • RHEL-09-654010 - corrected audit.rules syntax
  • RHEL-09-654025 - corrected audit.rules syntax
  • RHEL-09-654065 - corrected audit.rules syntax
  • RHEL-09-654070 - corrected audit.rules syntax
  • RHEL-09-654075 - corrected audit.rules syntax
  • RHEL-09-654080 - corrected audit.rules syntax
  • RHEL-09-654205 - corrected audit.rules syntax
  • RHEL-09-654210 - corrected audit.rules syntax

Rule ID, Check, and Fix Changes

  • RHEL-09-211045 - Updated check to look for a drop file and fix text to prescribe the use of a drop file
  • RHEL-09-213080 - Updated text, but nothing materially different about the control
  • RHEL-09-213095 - Updated fix notes that core dumps should be disabled for all users and all non zero entries should be removed
  • RHEL-09-231110 - Updated text uses a different command for checking, fix text has more instructions on how to implement the fix
  • RHEL-09-231115 - Streamlined check and fix
  • RHEL-09-231120 - Changed command used to locate mount, explicit instructions for updating the mount options immediately
  • RHEL-09-232240 - Updated check command syntax, fix allows for designated system accounts besides root
  • RHEL-09-253050 - STIG author self-identifies as a vi lover. No material change.
  • RHEL-09-411065 - Added clarification for non-interactive (human) user accounts
  • RHEL-09-611160 - Corrected fix syntax and check sample output
  • RHEL-09-611195 - Fix text prescribes using a drop file instead of modifying emergency.service directly
  • RHEL-09-652025 - Returns N/A caveat for systems designated as log aggregation servers
  • RHEL-09-652055 - Fix text adds sample alternative syntax
  • RHEL-09-611200 - Check and fix updated to use a drop file
  • RHEL-09-213030 - Use a drop file
  • RHEL-09-213035 - Use a drop file
  • RHEL-09-215060 - Completely reworked so that it is N/A if TFTP is not installed, but if it is installed it needs to operate in secure mode
  • RHEL-09-255155 - Added sudo to fix command
  • RHEL-09-611190 - changed flag from -n to -N

Rule ID, Check, and Vuln Discussion

  • RHEL-09-211010 - Added EOL dates for EL9 releases. Good news, Maintenance support until 31 May 3032. (LOL!)
  • RHEL-09-214030 - Grammar
  • RHEL-09-255130 - Added compression options explanation
  • RHEL-09-654015 - Grammar, corrected audit.rules syntax
  • RHEL-09-654020 - Grammar, corrected audit.rules syntax

Sysctl Changes

These items are flagged with changes to rule ID, vulnerability discussion, check, and fix. Collectively they are the sysctl parameter rules, where the fix text now places each setting in its own drop file under /etc/sysctl.d/. Unless otherwise noted, not much else has changed in these rules. The one rule whose value changed (rp_filter) is noted earlier in this document.

  • RHEL-09-213010
  • RHEL-09-213015
  • RHEL-09-213020
  • RHEL-09-213025
  • RHEL-09-213040
  • RHEL-09-213070
  • RHEL-09-213075
  • RHEL-09-213105
  • RHEL-09-251045
  • RHEL-09-253010
  • RHEL-09-253015
  • RHEL-09-253020
  • RHEL-09-253025
  • RHEL-09-253030
  • RHEL-09-253040
  • RHEL-09-253045
  • RHEL-09-253055
  • RHEL-09-253060
  • RHEL-09-253065
  • RHEL-09-253070
  • RHEL-09-253075
  • RHEL-09-254010
  • RHEL-09-254015
  • RHEL-09-254020
  • RHEL-09-254025
  • RHEL-09-254030
  • RHEL-09-254035
  • RHEL-09-254040
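Because every one of these fixes now lives in its own file under /etc/sysctl.d/, the thing that bites you is precedence: which file actually wins for a given key, and whether a leftover line in /etc/sysctl.conf or a vendor file quietly overrides your drop file. The script below is an added example of mine, not the STIG check or Red Hat tooling. It models the load order documented for sysctl(8) --system (directories scanned in the listed order, first directory wins for a duplicate basename, survivors applied sorted by basename with later files overriding earlier ones, /etc/sysctl.conf applied last), resolves the effective value for a key, and applies the V2R7 rp_filter test from RHEL-09-253035. The directory tree it runs against is constructed in a temp directory; the `root` parameter exists only so it can run offline.

```python
"""Resolve the value `sysctl --system` would apply for a key, following the
drop-in precedence the V2R7 sysctl rules rely on.

Added example, not STIG or Red Hat code. Ordering follows sysctl(8) --system:
SYSCTL_DIRS scanned in order, a basename in an earlier directory masks the
same basename in later ones, surviving files applied sorted by basename
(later overrides earlier), /etc/sysctl.conf applied last. `root` is a path
prefix so the example can run against a constructed tree.
"""
import os
import re
import tempfile

SYSCTL_DIRS = ("etc/sysctl.d", "run/sysctl.d", "usr/local/lib/sysctl.d",
               "usr/lib/sysctl.d", "lib/sysctl.d")

# key = value; lines starting with '#' or ';' are comments
SETTING = re.compile(r"^\s*([^#;=\s]+)\s*=\s*(.*?)\s*$")


def applied_files(root="/"):
    """Paths in the order sysctl --system would load them."""
    by_name = {}
    for d in SYSCTL_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            if name.endswith(".conf") and name not in by_name:
                by_name[name] = os.path.join(full, name)   # first dir wins
    ordered = [by_name[n] for n in sorted(by_name)]
    legacy = os.path.join(root, "etc/sysctl.conf")
    if os.path.isfile(legacy):
        ordered.append(legacy)
    return ordered


def effective_settings(root="/"):
    """{key: (value, path_that_last_set_it)} after replaying every file."""
    settings = {}
    for path in applied_files(root):
        with open(path) as fh:
            for line in fh:
                m = SETTING.match(line)
                if m:
                    # sysctl accepts '/' as well as '.' in keys; normalise
                    settings[m.group(1).replace("/", ".")] = (m.group(2), path)
    return settings


def check_rp_filter(root="/"):
    """RHEL-09-253035 as of V2R7: net.ipv4.conf.all.rp_filter must be 1
    (the old 'or 2' no longer passes). Returns (ok, value, source_file)."""
    value, src = effective_settings(root).get(
        "net.ipv4.conf.all.rp_filter", (None, None))
    return value == "1", value, src


def build_sample_tree():
    """Constructed tree: a vendor default, two STIG-style drop files, and a
    stale line in /etc/sysctl.conf left over from an older baseline."""
    root = tempfile.mkdtemp(prefix="sysctl-demo-")
    files = {
        "usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 2\n",
        "etc/sysctl.d/99-stig-rp-filter.conf": "net.ipv4.conf.all.rp_filter = 1\n",
        "etc/sysctl.d/99-stig-kptr.conf": "kernel.kptr_restrict = 1\n",
        "etc/sysctl.conf": "# old baseline\nnet.ipv4.conf.all.rp_filter=2\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()           # use root="/" on a real host
    for path in applied_files(root):
        print("apply", os.path.relpath(path, root))
    ok, value, src = check_rp_filter(root)
    print(f"rp_filter={value} set by {os.path.relpath(src, root)} -> "
          f"{'PASS' if ok else 'FAIL'}")
```

In the constructed tree the 99-stig-rp-filter.conf drop file beats the vendor 50-default.conf, but the stale rp_filter=2 in /etc/sysctl.conf is applied last and the check fails, which is exactly the kind of surprise a scanner reports after you thought the drop file fixed it. On a real RHEL 9 host, cross-check against `/usr/lib/systemd/systemd-sysctl --cat-config`, which prints the merged view systemd-sysctl itself uses at boot; RHEL ships /etc/sysctl.d/99-sysctl.conf as a symlink to ../sysctl.conf so that the legacy file is included in that merge.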

RHEL 9 V2R5 Changes

It's that time again! These are my notes from examining a diff between V2R4 and V2R5. I always write one of these summaries when I get my hands on the new release of the STIG so I know where to spend my time when updating automation content like Ansible Playbooks, Anaconda kickstart files, etc. Unfortunately, there is more fluff than there is substance in this release, and it is riddled with errors. I get the feeling that people rotate in and out of whatever office actually writes the content, and that consulting the man pages for the features involved happens as an afterthought, if at all.

Remediating RHEL-09-431016

I get a lot of questions about how to remediate RHEL-09-431016. People report issues like sudo or SSH no longer working afterwards. I was discussing this with my partner in crime, and we ultimately came to the conclusion that unless you really know the RHEL product, or you were intimately familiar with the RHEL 7 STIG, you would never know that there are a couple of missing links in the process for making RHEL-09-431016 work properly. We had to learn these things the hard way by watching test systems brick over the years. Keep in mind that these are lessons we learned back with RHEL 7 and carried forward, not only so we would have consistent baselines between generations, but because we genuinely believed that the STIG would eventually catch up, since these controls are necessary in the context of RHEL-09-431016. You'll see some of that reflected in the Ansible task naming included in this post, where we carried forward two critical controls that enable RHEL-09-431016 to function without bricking the system.

Where did the time go?

I have been a busy bee. I started this little project in 2023, got busy, and then forgot about it. I originally started this blog on a hosted Wordpress site. I am not impressed with my former host. I am not particularly amused with the antics going around with Wordpress, never mind that it's a nightmare to manage and maintain.

I finally got around to shutting down the old blog, turning off anything resembling an automatic renewal, and harvesting the content for re-publishing.

STIGLord Begins

I would have loved to kick things off with a technical deep dive, but I'm waiting on some things to simmer in the background. Instead, I'm going to give you some of the history that drives my thought processes. When I joined my current team back in 2017 I felt like I had finally arrived, even though I was frantically teaching myself all of the ins and outs of the technology, policies, and processes present at my new workplace. The position was pitched to me as becoming the "virtualization guy" on the core infrastructure team. I had been a "network guy" for an ISP for about 7 years (and loved what I did). Then, I spent the next 7 in the world of Government acquisitions. (Business and regulatory hell, how lovely!) Still, I was excited to be somewhere new. Besides, how much could there possibly be to learn?

Hello? Is this thing on?

I was starting to think I would never get to this point! Welcome to my pet project, The STIGLord Blog! If you know what STIGs are, you probably know where I'm eventually going with all of this. Like some of you, I'm hurting for affordable CPEs, so I'm milking one of the options available to us: blogging and technical papers. (There is no way I am cranking out a book.)

Hello STIG World!

Got the STIG blues? Have you been Googling until your eyes bleed but still can't figure out why XYZ won't work the way it's supposed to? I know how you feel.