RHEL 9 V2R8 Changes
Here are my change summary notes based on a diff analysis of the RHEL 9 STIG V2R8 and V2R7. Reminder: I am no longer posting to /r/redhat since they keep blocking my posts. I have reached out, but their mod team is not responding.
Added Rules
- None
Removed Rules
- None
Stuff that might bite you
- RHEL-09-671010: RHEL 9 must enable FIPS mode - The check alters how FIPS mode is detected (/proc/sys/crypto/fips_enabled) and essentially declares that if the system fails this FIPS mode check it is an open CAT I until the system is reinstalled in FIPS mode. Newer RHEL 9 install media has a menu entry to 'install in FIPS mode'; if you don't see that menu item, set the fips=1 kernel parameter on the GRUB boot line prior to install. Chances are, if you don't see the menu item for FIPS mode installation, you need to update your boot/install media.
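Added example (mine, not from the STIG or this post) of a POSIX sh checker that reads the three artifacts the V2R8 reading of RHEL-09-671010 and RHEL-09-215105 hinge on: /proc/sys/crypto/fips_enabled, the kernel command line, and /etc/crypto-policies/config. Functions take file paths so they can be exercised on constructed inputs; the "Review" tier for a missing fips=1 boot parameter is my own triage choice, not STIG language.

```sh
#!/bin/sh
# Added example: V2R8-style FIPS checks for RHEL 9 (RHEL-09-671010, -215105).

# 0 if the sysctl file (/proc/sys/crypto/fips_enabled on a live host) is "1".
fips_enabled_in() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# 0 if the kernel command line (/proc/cmdline) carries the exact token fips=1.
# Token comparison avoids false matches such as nofips=1 or fips=10.
fips_on_cmdline() {
    for tok in $(cat "$1" 2>/dev/null); do
        [ "$tok" = "fips=1" ] && return 0
    done
    return 1
}

# 0 if the system-wide policy (/etc/crypto-policies/config) is FIPS or a
# FIPS subpolicy such as FIPS:OSPP.
crypto_policy_is_fips() {
    p=$(grep -v '^#' "$1" 2>/dev/null | head -n 1 | tr -d '[:space:]')
    case "$p" in
        FIPS|FIPS:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Args: fips_enabled file, cmdline file, crypto-policies config file.
# Prints one finding line; returns 0 (pass), 1 (open), 2 (needs review).
fips_finding() {
    if ! fips_enabled_in "$1"; then
        # V2R8: not in FIPS mode is an open CAT I until reinstalled with fips=1.
        echo "Open: fips_enabled is not 1; reinstall in FIPS mode"
        return 1
    fi
    if ! crypto_policy_is_fips "$3"; then
        echo "Open: kernel in FIPS mode but crypto policy is not FIPS"
        return 1
    fi
    if ! fips_on_cmdline "$2"; then
        echo "Review: fips=1 missing from kernel cmdline; mode may not persist"
        return 2
    fi
    echo "NotAFinding"
}

# Run against the live host: sh fipscheck.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_finding /proc/sys/crypto/fips_enabled /proc/cmdline /etc/crypto-policies/config
fi
```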
Rule ID and Severity Changes (All of these are CAT 2 Upgrades to CAT 1!)
- RHEL-09-215100: RHEL 9 must have the crypto-policies package installed.
- RHEL-09-215105: RHEL 9 must implement a FIPS 140-3-compliant systemwide cryptographic policy.
- RHEL-09-255064: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
- RHEL-09-255065: The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
- RHEL-09-255070: The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
- RHEL-09-255075: The RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections.
- RHEL-09-671020: RHEL 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.
- RHEL-09-672050: RHEL 9 must implement DOD-approved encryption in the bind package.
Rule ID and Check Changes
- RHEL-09-212010: Control is N/A for UEFI systems.
- RHEL-09-215010: Control is N/A "[i]f the system is not an internet connected system".
- RHEL-09-231105: Removes vfat comment, N/A for BIOS systems.
- RHEL-09-231120: Removes a blank line.
- RHEL-09-231200: Removes vfat comment, editorial change.
- RHEL-09-252025: Adds N/A condition for systems acting as NTP servers.
- RHEL-09-411025: Check changes the supplied username to a generic disauser.
- RHEL-09-412055: Editorial change.
- RHEL-09-412060: Editorial change.
- RHEL-09-412070: Editorial change.
- RHEL-09-652025: Editorial changes, spacing variance in check command.
- RHEL-09-653065: Editorial change.
Rule ID, Check, and Fix Changes
- RHEL-09-232045: Slightly altered check syntax (find depth 2 at /root and /home). Check and fix change the supplied username to a generic disauser.
- RHEL-09-232050: Check and fix change the supplied username to a generic disauser.
- RHEL-09-411070: Check and fix change the supplied username to a generic disauser.
- RHEL-09-433016: Mostly a language change, but fapolicyd must be in enforcement mode and have a deny-all, permit-by-exception policy. deny_log and deny_audit satisfy the requirements of this control. I think most folks who have this implemented have this one under control already and probably don't run Trellix unless they fixed the whole 'let's hard lock the system while we try to update the modules by sideloading an RPM' deal.
Rule ID and Fix Changes
- RHEL-09-411065: Fix changes the supplied username to a generic disauser.
Rule ID and Vuln Discussion
- RHEL-09-212035: Changes some stuff around in the vsyscall discussion. No material change to posture requirements.