Oracle Linux 9 STIG (Ver 1, Rel 3) Checklist

Medium 19 items · 4 hours
testuser Published 1 month ago

A practical checklist to implement Oracle Linux 9 STIG (Ver 1, Rel 3) controls on servers. Ideal for system administrators and security teams preparing DoD compliance or hardening OL9 hosts.

Source: https://ncp.nist.gov/checklist/1281

  1. Read the Oracle Linux 9 STIG overview and scope — Note key objectives, applicability, and version (Ver 1, Rel 3).
  2. Download official STIG resources — Get SCAP, XCCDF and automated content from DISA.
  3. Download SCAP 1.3 content — Use SCAP 1.3 benchmark for automated scanning.
  4. Download Standalone XCCDF and automated content (Ansible/Chef/SCC) — Grab XCCDF for Ansible/Chef and SCC automated content as needed.
  5. Verify system CPE and applicability — Confirm target matches Oracle Linux 9.0 (cpe:/o:oracle:linux:9.0).
  6. Backup system and relevant configurations — Take full system or config backups before making changes.
  7. Apply all available OS updates and patches — Install latest errata to remediate known CVEs.
  8. Enable and enforce SELinux — Set SELinux to enforcing and confirm policies are active.
  9. Enable and configure auditd with persistent logs — Ensure audit rules capture authentication and admin actions.
  10. Harden SSH configuration — Disable root login, enforce key auth, and restrict ciphers.
  11. Configure firewall and restrict open ports — Use firewalld to allow only required services and zones.
  12. Enforce password and account policies — Set complexity, expiration, lockout, and minimum length rules.
  13. Remove or disable unnecessary packages and services — Uninstall unused daemons to reduce attack surface.
  14. Set secure file permissions and check SUID/SGID files — Restrict sensitive files and remediate unsafe permissions.
  15. Install and run SCAP/XCCDF scanner — Execute scans using the downloaded SCAP/XCCDF content.
  16. Review scan findings and remediate high-severity issues — Prioritize fixes, apply remediations, and retest.
  17. Document exceptions and obtain approvals — Record accepted deviations and approval rationale.
  18. Schedule recurring compliance scans and patch cycles — Automate regular scans and updates to maintain compliance.
  19. Submit comments or change requests to DISA — Email DISA at [email protected] for feedback or proposed revisions.
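Steps 15 and 16 end with a results file from the SCAP/XCCDF scanner that has to be triaged by severity. The script below is an added example, not part of the original checklist or of any DISA content: it parses an XCCDF 1.2 results document (the format `oscap xccdf eval --results` writes) and lists the rules that still need remediation, high severity first. The embedded results document and its rule ids are constructed placeholders, not real OL9 STIG identifiers.

```python
"""Triage an XCCDF 1.2 results file: list failed rules, highest severity first."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}
# Result values that mean a control is not in place and needs work.
NEEDS_REMEDIATION = {"fail", "error"}

# Constructed sample TestResult with placeholder rule ids (not real STIG rule ids).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_OL9">
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_selinux_enforcing" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sshd_permit_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewalld_running" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_login_banner" severity="low"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def failed_rules(xccdf_xml):
    """Return [(severity, rule_id), ...] for rules whose result is fail/error, high first."""
    root = ET.fromstring(xccdf_xml)
    findings = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS).strip()
        if result not in NEEDS_REMEDIATION:
            continue  # pass, notapplicable, notchecked, fixed, informational: nothing to do
        severity = rr.get("severity", "unknown").lower()
        findings.append((severity, rr.get("idref")))
    # Stable sort keeps scanner order within a severity band.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f[0], 0), reverse=True)
    return findings


def severity_counts(xccdf_xml):
    """Count remaining findings per severity, useful for the remediation/retest report."""
    counts = {}
    for sev, _ in failed_rules(xccdf_xml):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule_id in failed_rules(SAMPLE_RESULTS):
        print(f"{sev:<7} {rule_id}")
    print(severity_counts(SAMPLE_RESULTS))
```

Point `failed_rules` at the XML produced by your own scan (read the file into a string) to get the ordered remediation list for step 16.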