TickYouOff

RHEL 8 STIG

Hard 17 items · 1 day
testuser Published 1 month ago

This checklist guides administrators and security teams through key steps to implement the Red Hat Enterprise Linux 8 STIG (Ver 2, Rel 6). It is intended for general IT staff responsible for baseline hardening, scanning, remediation, and documentation of RHEL 8 systems to meet DISA guidance.

Source: https://ncp.nist.gov/checklist/980

  1. Download SCAP 1.3 content for RHEL 8 STIG (Ver 2, Rel 6) — Get the official DISA SCAP 1.3 benchmark content for automated scanning.
  2. Download Standalone XCCDF and XCCDF-for-Ansible/Chef content — Grab XCCDF files and automation content for your configuration management tool.
  3. Import SCAP/XCCDF content into your compliance tool — Use OpenSCAP, SCC, or your SCAP-compatible scanner to load the content.
  4. Run an automated STIG scan against target RHEL 8 systems — Scan desktops and servers to generate findings and severity ratings.
  5. Review scan results and prioritize high-severity findings — Identify vulnerabilities and configuration deviations that require immediate remediation.
  6. Apply available security patches and package updates — Install vendor updates and reboot systems if required to remediate CVEs.
  7. Harden SSH configuration per STIG — Implement the STIG SSH best practices in /etc/ssh/sshd_config.
  8. Set PermitRootLogin to no — Disable direct root SSH login to enforce account-based access.
  9. Disable SSH protocol 1 and weak ciphers/KEX algorithms — Ensure only secure algorithms and Protocol 2 are allowed.
  10. Configure system authentication and password policies per STIG — Set complexity, history, lockout, and max password age in PAM and /etc/login.defs.
  11. Enable and configure auditd to collect required logs — Ensure audit rules capture login, privilege use, and system changes.
  12. Enable SELinux in enforcing mode and verify policies — Confirm SELinux status and resolve AVC denials before production enforcement.
  13. Disable unnecessary services and remove unused packages — Reduce attack surface by stopping and uninstalling nonessential services.
  14. Restrict access to cron, at, and scheduled task controls — Lock down cron.allow/cron.deny and limit privileged scheduling.
  15. Verify and secure firewall and network configuration per STIG — Configure nftables/iptables and host-based firewall rules to required policy.
  16. Document deviations, exceptions, and obtain formal acceptance — Record any accepted waivers or mitigations with justification and approval.
  17. Schedule regular STIG rescans and update benchmark content — Plan recurring scans and refresh SCAP/XCCDF content to stay current.
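As an added example, not part of the original checklist or of DISA's SCAP/XCCDF content, the POSIX shell script below audits an sshd_config file for the three SSH items in steps 7 to 9: PermitRootLogin must be no, no Protocol line may enable SSH-1, and the Ciphers and KexAlgorithms lines must be present and free of weak entries. Everything in it is an assumption made for the example: the sshd_directive and check_sshd_config function names, the weak-algorithm patterns (a shortlist, not the STIG's exact allowed list), and the two sample configs, which are constructed inline. It reads the first uncommented occurrence of each keyword, which is how sshd resolves duplicates, but it does not handle Match blocks. Two RHEL 8 caveats: OpenSSH 8.x on RHEL 8 has no SSH-1 code, so a leftover Protocol line is a stale setting to clean up rather than a live exposure, and the effective cipher and KEX lists are also governed by the system crypto policy (/etc/sysconfig/sshd and the opensshserver back-end under /etc/crypto-policies), which this file-level check does not parse.

```shell
#!/bin/sh
# Added example (not from the checklist or DISA content): audit an
# sshd_config for steps 7-9 of the RHEL 8 STIG checklist above.

# Print the effective value of a directive: sshd uses the FIRST
# uncommented occurrence of a keyword, so stop at the first match.
# Keyword matching is case-insensitive, as in sshd. Match blocks
# are not handled (assumption/limitation of this example).
sshd_directive() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if the file satisfies the three SSH checks, 1 otherwise,
# printing one FAIL line per finding.
check_sshd_config() {
    cfg=$1
    fail=0

    # Step 8: direct root login must be disabled.
    if [ "$(sshd_directive "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no' in $cfg"
        fail=1
    fi

    # Step 9: no Protocol line may enable SSH-1 ("1" or "2,1").
    proto=$(sshd_directive "$cfg" Protocol)
    case "$proto" in
        *1*) echo "FAIL: Protocol directive enables SSH-1 ($proto)"; fail=1 ;;
    esac

    # Step 9: explicit Ciphers line without weak algorithms.
    # The weak patterns are an illustrative shortlist (assumption).
    ciphers=$(sshd_directive "$cfg" Ciphers)
    if [ -z "$ciphers" ]; then
        echo "FAIL: no explicit Ciphers line in $cfg"; fail=1
    else
        case ",$ciphers," in
            *cbc*|*arcfour*|*3des*|*blowfish*|*cast128*)
                echo "FAIL: weak cipher in list: $ciphers"; fail=1 ;;
        esac
    fi

    # Step 9: explicit KexAlgorithms line without SHA-1 / group1 KEX.
    kex=$(sshd_directive "$cfg" KexAlgorithms)
    if [ -z "$kex" ]; then
        echo "FAIL: no explicit KexAlgorithms line in $cfg"; fail=1
    else
        case ",$kex," in
            *group1-sha1*|*group14-sha1*|*group-exchange-sha1*)
                echo "FAIL: weak KEX in list: $kex"; fail=1 ;;
        esac
    fi

    return $fail
}

# Constructed sample configs (not real systems) to exercise the check.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: typical unhardened settings
#PermitRootLogin prohibit-password
PermitRootLogin yes
Ciphers aes128-ctr,aes256-cbc,3des-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: hardened per steps 7-9
Protocol 2
PermitRootLogin no
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp384,diffie-hellman-group16-sha512
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Usage: ./check_sshd.sh /etc/ssh/sshd_config
# With no argument, run against the two constructed samples instead.
if [ -n "$1" ]; then
    check_sshd_config "$1" && echo "PASS: $1"
else
    check_sshd_config "$WEAK_CFG" || echo "(weak sample failed as expected)"
    check_sshd_config "$HARDENED_CFG" && echo "PASS: hardened sample"
fi
```

Run it against /etc/ssh/sshd_config on a RHEL 8 host to get a quick pre-scan read on steps 8 and 9; the SCAP scan from step 4 remains the authoritative check, since it also evaluates the crypto-policy files and the full STIG algorithm lists.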