2026

RHEL 8 V2R6 Changes

The big overall push in this revision seems to be a focus on the crypto-policies package with some other general updates and fixes.

Also, after having tried to post this to /r/redhat 3 different times, I have decided that the next quarterly update will be my final attempt to contribute this information to the Reddit community. You can always come read it here. It's not like there are any ads or anything.

Added Rules

  • RHEL-08-010015 - RHEL 8 must have the crypto-policies package installed.
  • RHEL-08-010270 - RHEL 8 cryptographic policy must not be overridden.
  • RHEL-08-010275 - RHEL 8 must implement DOD-approved encryption in the bind package.
  • RHEL-08-010280 - RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.
  • RHEL-08-020360 - RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.

Removed Rules

  • RHEL-08-010287 - The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.
  • RHEL-08-010293 - The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.
  • RHEL-08-010294 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
  • RHEL-08-010295 - The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.
  • RHEL-08-010660 - Local RHEL 8 initialization files must not execute world-writable programs.
  • RHEL-08-020340 - RHEL 8 must display the date and time of the last successful account logon upon logon.
  • RHEL-08-040342 - RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.

Rule ID Changes Only

  • RHEL-08-010140
  • RHEL-08-010141
  • RHEL-08-010149
  • RHEL-08-010150
  • RHEL-08-010151
  • RHEL-08-010152
  • RHEL-08-010190
  • RHEL-08-010375
  • RHEL-08-010376

Rule ID and Check Changes

  • RHEL-08-010572 - Added "For vfat file systems and for systems that use BIOS, this is Not Applicable."
  • RHEL-08-010630 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010640 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010650 - Added "If no NFS mounts are configured, this requirement is Not Applicable."
  • RHEL-08-010670 - No material changes
  • RHEL-08-010800 - No material changes
  • RHEL-08-040370 - Added "If NFS mounts are authorized and in use on the system, this control is not applicable."

Rule ID, Check, and Fix Changes

  • RHEL-08-010700 - Updated check and fix syntax for ownership of "public directories" (formerly "world-writable directories")
  • RHEL-08-020060 - No material changes - still 900 seconds
  • RHEL-08-040172 - Moved fix into a drop file
  • RHEL-08-030655 - Corrected audit.rules syntax

Rule ID, Title, and Other Changes

  • RHEL-08-010350 - Dropped system account ownership
  • RHEL-08-040070 - Removed "and is not documented with the Information System Security Officer (ISSO) as an operational requirement"
  • RHEL-08-010020 - Added language for crypto sub-policies like AD-SUPPORT, specifies the FIPS 140-3 hashing algos, and min_rsa_size=2048
  • RHEL-08-010290 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes requirement for same order of MACs
  • RHEL-08-010291 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes requirement for same order of MACs
  • RHEL-08-010296 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - MACs entry changed to [email protected],[email protected],hmac-sha2-512,hmac-sha2-2562
  • RHEL-08-010297 - Changed fix to reinstall crypto-policies package and re-enforce FIPS policy - Removes ordering language, ciphers changed to [email protected],aes256-ctr,[email protected],aes128-ctr
  • RHEL-08-010580 - Added "This control is not applicable to vfat file systems."
  • RHEL-08-010671 - Fix moved into a drop file
  • RHEL-08-010673 - Fix updated drop file language
  • RHEL-08-040282 - Fix moved into a drop file
  • RHEL-08-040285 - Fix moved into a drop file
  • RHEL-08-040140 - Updated capitalization, added command to restart usbguard service

RHEL 9 V2R7 Changes

There is a session lock timer lowered this go around, so check your remediation products. :)

Added Rules

  • RHEL-09-654097 - (Cat 2) RHEL 9 must audit any script or executable called by cron as root or by any privileged user

Removed Rules

  • RHEL-09-411115 - (Cat 2) Local RHEL 9 initialization files must not execute world-writable programs
  • RHEL-09-412075 - (Cat 3) RHEL 9 must display the date and time of the last successful account logon upon logon

Stuff that might bite you

  • RHEL-09-412080 - MATERIAL CHANGE: StopIdleSessionSec lowered from 900 to 600 (15 minutes to 10 minutes)
  • RHEL-09-271065 - MATERIAL CHANGE: GUI session lock changed from 900 to 600 (15 minutes to 10 minutes)
  • RHEL-09-671010 - Fix text adds fips=1 kernel parameter in addition to fips-mode-setup --enable
  • RHEL-09-253035 - net.ipv4.conf.all.rp_filter must be 1. Previously it could have been 1 or 2.

Rule ID Changes Only

  • RHEL-09-212010
  • RHEL-09-212020
  • RHEL-09-232103
  • RHEL-09-232104
  • RHEL-09-232245

Rule ID and Check Changes

  • RHEL-09-214025 - Added subdirectory sample output and clarifies that gpgcheck must be 1 in all repo files
  • RHEL-09-215045 - (no gssproxy) Added "If NFS mounts are authorized and in use on the system, this control is not applicable."
  • RHEL-09-215101 - (must have postfix) Added "If the admin can demonstrate that there is another system/service to send audit failure notifications to the administrator/ISSO, this control is not applicable."
  • RHEL-09-231105 - Added vfat file systems in addition to BIOS systems to the N/A statement
  • RHEL-09-231200 - Added N/A for vfat file systems
  • RHEL-09-271035 - Added clarification/correction to check language
  • RHEL-09-431016 - Slight grammar change
  • RHEL-09-432035 - Grammar, clarification
  • RHEL-09-651010 - Language shuffled around
  • RHEL-09-653090 - Updated command sample output
  • RHEL-09-654010 - corrected audit.rules syntax
  • RHEL-09-654025 - corrected audit.rules syntax
  • RHEL-09-654065 - corrected audit.rules syntax
  • RHEL-09-654070 - corrected audit.rules syntax
  • RHEL-09-654075 - corrected audit.rules syntax
  • RHEL-09-654080 - corrected audit.rules syntax
  • RHEL-09-654205 - corrected audit.rules syntax
  • RHEL-09-654210 - corrected audit.rules syntax

Rule ID, Check, and Fix Changes

  • RHEL-09-211045 - Updated check to look for a drop file and fix text to prescribe the use of a drop file
  • RHEL-09-213080 - Updated text, but nothing materially different about the control
  • RHEL-09-213095 - Updated fix notes that core dumps should be disabled for all users and all non-zero entries should be removed
  • RHEL-09-231110 - Updated text uses a different command for checking, fix text has more instructions on how to implement the fix
  • RHEL-09-231115 - Streamlined check and fix
  • RHEL-09-231120 - Changed command used to locate mount, explicit instructions for updating the mount options immediately
  • RHEL-09-232240 - Updated check command syntax, fix allows for designated system accounts besides root
  • RHEL-09-253050 - STIG author self identifies as a vi lover. No material change.
  • RHEL-09-411065 - Added clarification for non-interactive (human) user accounts
  • RHEL-09-611160 - Corrected fix syntax and check sample output
  • RHEL-09-611195 - Fix text prescribes using a drop file instead of modifying emergency.service directly
  • RHEL-09-652025 - Returns N/A caveat for systems designated as log aggregation servers
  • RHEL-09-652055 - Fix text adds sample alternative syntax
  • RHEL-09-611200 - Check and fix updated to use a drop file
  • RHEL-09-213030 - Use a drop file
  • RHEL-09-213035 - Use a drop file
  • RHEL-09-215060 - Completely reworked so that it is N/A if TFTP is not installed, but if it is installed it needs to operate in secure mode
  • RHEL-09-255155 - Added sudo to fix command
  • RHEL-09-611190 - changed flag from -n to -N

Rule ID, Check, and Vuln Discussion

  • RHEL-09-211010 - Added EOL dates for EL9 releases. Good news, Maintenance support until 31 May 3032. (LOL!)
  • RHEL-09-214030 - Grammar
  • RHEL-09-255130 - Added compression options explanation
  • RHEL-09-654015 - Grammar, corrected audit.rules syntax
  • RHEL-09-654020 - Grammar, corrected audit.rules syntax

Sysctl Changes

These items are flagged with changes to rule id, vuln discussion, check, and fix. Collectively they appear to be sysctl parameter rules where the control specifies placing the individual fixes in different drop files under /etc/sysctl.d/. Unless otherwise noted, not much else has changed in the rule. I already noted the one with a value change earlier in this document.

  • RHEL-09-213010
  • RHEL-09-213015
  • RHEL-09-213020
  • RHEL-09-213025
  • RHEL-09-213040
  • RHEL-09-213070
  • RHEL-09-213075
  • RHEL-09-213105
  • RHEL-09-251045
  • RHEL-09-253010
  • RHEL-09-253015
  • RHEL-09-253020
  • RHEL-09-253025
  • RHEL-09-253030
  • RHEL-09-253040
  • RHEL-09-253045
  • RHEL-09-253055
  • RHEL-09-253060
  • RHEL-09-253065
  • RHEL-09-253070
  • RHEL-09-253075
  • RHEL-09-254010
  • RHEL-09-254015
  • RHEL-09-254020
  • RHEL-09-254025
  • RHEL-09-254030
  • RHEL-09-254035
  • RHEL-09-254040
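
With each sysctl fix now living in its own drop file, a later file can silently override the STIG value, which matters for RHEL-09-253035 now that rp_filter must be exactly 1. The script below is an added example, not taken from the STIG or from this post: it resolves the value a key ends up with across one drop-file directory and flags anything other than 1. The function names, file names and sample contents are constructed for illustration, and it assumes only a single directory is in play (a real `sysctl --system` run also reads other locations).

```shell
#!/bin/sh
# Added example: audits one sysctl drop-file directory for RHEL-09-253035.
LC_ALL=C; export LC_ALL   # make the glob order plain byte order

# effective_sysctl DIR KEY -> value KEY has after all DIR/*.conf are applied
# in filename order (a later file overrides an earlier one).
effective_sysctl() {
    dir=$1; key=$2; result=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -F= -v k="$key" '
            /^[ \t]*[#;]/ { next }                 # comment line
            { name = $1; gsub(/[ \t]/, "", name)   # tolerate "key = value"
              sub(/^-/, "", name)                  # "-key" means ignore errors
              gsub(/\//, ".", name)                # a/b/c is the same as a.b.c
              if (name == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); hit = 1 } }
            END { if (hit) print val }' "$f")
        if [ -n "$v" ]; then result=$v; fi
    done
    printf '%s\n' "$result"
}

# check_rp_filter DIR -> returns 0 only when the effective value is exactly 1.
check_rp_filter() {
    v=$(effective_sysctl "$1" net.ipv4.conf.all.rp_filter)
    if [ "$v" = "1" ]; then
        echo "PASS: net.ipv4.conf.all.rp_filter=1"
        return 0
    fi
    echo "FAIL: net.ipv4.conf.all.rp_filter=${v:-unset} (must be 1)"
    return 1
}

# Constructed sample: the STIG drop file is correct, but a later
# (hypothetical) vendor file puts the value back to 2.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$d/60-stig-rp_filter.conf"
    printf '# loose mode\nnet/ipv4/conf/all/rp_filter=2\n' > "$d/99-vendor.conf"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
check_rp_filter "$demo" || true   # reports FAIL because 99-vendor.conf wins
rm -rf "$demo"
```

Point `check_rp_filter` at `/etc/sysctl.d` on a real host, and confirm the running value separately with `sysctl net.ipv4.conf.all.rp_filter`.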