Oracle Linux STIG Image

What's a STIG?

A Security Technical Implementation Guide (STIG) is a document written by the Defense Information Systems Agency (DISA). It provides guidance on configuring a system to meet cybersecurity requirements for deployment within the Department of Defense (DoD) IT network systems. STIG requirements help secure the network against cybersecurity threats by focusing on infrastructure and network security to mitigate vulnerabilities. Compliance with STIGs is a requirement for DoD agencies, or any organization that's a part of the DoD information networks (DoDIN).

The Oracle Linux STIG image helps automate compliance by providing a hardened version of the standard Oracle Linux image. The image is hardened to follow STIG guidelines. However, the image can't meet all STIG requirements and might require additional manual remediation. See Applying Remediations.

Downloading the Latest STIG

DISA provides quarterly updates to the STIGs. This documentation was created using the latest STIG available at the time of publication. However, you should always use the latest STIG when assessing your system.

Download the latest at STIG https://public.cyber.mil/stigs/downloads/. Search for Oracle Linux and then download the appropriate zip file.

Optionally, use the DISA STIG Viewer from https://public.cyber.mil/stigs/srg-stig-tools/. Then, import in the STIG's xccdf.xml file to view the STIG rules.

How's STIG Compliance Assessed?

Compliance assessment often begins with a scan using a Security Content Automation Protocol (SCAP) compliance checker tool. The tool uses a STIG (uploaded in SCAP format) to analyze the security of a system. However, the tool doesn't always test for all rules within a STIG and some STIGs might not have SCAP versions. In these cases, an auditor needs to check the system manually for compliance by going through the STIG rules not covered by the tool.

The following tools are available for automating compliance assessment:

SCAP Compliance Checker (SCC) - A tool developed by DISA that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Commonly, the DISA STIG Benchmark is used for compliance scanning when using the SCC tool.

Important

To scan Arm architecture (aarch64), you must use SCC version 5.5 or later.
OpenSCAP - An open source utility available through yum that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Oracle Linux distributes an SCAP Security Guide (SSG) package that contains system release specific profiles. For example, the SCAP datastream ssg-ol7-ds.xml file provided by the SSG package includes the DISA STIG for Oracle Linux 7 profile. One advantage to using the OpenSCAP tool is that SSG provides Bash or Ansible scripts to automate remediation and bring the system to a compliant state.

Caution

Automatic remediation using scripts might lead to undesired system configuration or make a system nonfunctional. Test the remediation scripts in a nonproduction environment.

See Rescanning an Instance for Compliance for information on running the compliance tools and generating a scan report.

Compliance Targets

The Oracle Linux STIG image contains additional remediations for rules not addressed by the DISA STIG Benchmark. Use the SSG "stig" profile aligned with DISA STIG for Oracle Linux to extend automation on the previously unaddressed rules and determine compliance against the complete DISA STIG.

Two DISA STIG Viewer checklist files are provided with the image, which are based on scan results from SCC and OpenSCAP. The checklist for the DISA STIG Benchmark uses the SCC scan results, while the checklist for the SSG "stig" profile uses the OpenSCAP scan results. These checklists contain comments by Oracle for areas of the image that don't meet guidance. See Using the Checklist to View Additional Configurations.

Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.

Oracle Linux 8

Oracle Linux 8 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 8 DISA STIG. For the latest Oracle Linux 8 STIG Image release, the compliance target is the DISA STIG for Oracle Linux 8 Ver 1, Rel 10. The scap-security-guide package (minimum version 0.1.73-1.0.1) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 10.

Compliance Information for Oracle Linux 8.10 September 2024 STIG images:

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 10

Checklist Compliance Score for x86_64: 74.63%
Checklist Compliance Score for aarch64: 74.55%

Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 8 Benchmark profile

Checklist Compliance Score for x86_64: 80.57%
Checklist Compliance Score for aarch64: 80.57%

Oracle Linux 7 (extended support)

Oracle Linux 7 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 7 DISA STIG. For the latest Oracle Linux 7 STIG Image release, the compliance target has transitioned to the DISA STIG Ver 3, Rel 1. The scap-security-guide package (minimum version 0.1.73-1.0.3) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Version 3, Release 1.

Compliance Information for Oracle Linux 7.9 February 2025 STIG images:

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 3, Rel 1

Checklist Compliance Score x86_64: 81.65%
Checklist Compliance Score aarch64: 81.65%

Target: DISA STIG for Oracle Linux 7 Ver 3, Rel 1 Benchmark profile

Checklist Compliance Score x86_64: 91.71%
Checklist Compliance Score aarch64: 91.71%

Note

The STIG standard from DISA had no significant changes, other than wording, between Oracle Linux 7 Ver 3, Rel 1 and Oracle Linux 7 Ver 2, Rel 14. Because of this, any system compliant with Oracle Linux 7 Ver 2, Rel 14 is also compliant with Oracle Linux 7 Ver 3, Rel 1.

Creating and Connecting to an Instance

See Creating an Instance and Accessing an Instance.

Available images:

Applying Remediations

The hardened Oracle Linux STIG Image can't be configured for all the recommended guidance. You must manually finalize any configurations not included in the Oracle Linux STIG Image instance.

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the corresponding Oracle Linux Security Technical Implementation Guide.

Important

Some changes to the image might affect the instance's default Oracle Cloud Infrastructure account. If you decide to enforce a rule, study the information about each rule and the reasons for exclusion to fully understand the potential impact on the instance.

Using the Checklist to View Additional Configurations

Use the checklists provided with the Oracle Linux STIG image to view additional "Release Notes" on areas of guidance not included in the image, which might require additional configuration. The release notes identify additional configurations that might affect the instances default Oracle Cloud Infrastructure account.

Accessing the Checklist

The Oracle Linux STIG image includes DISA STIG Viewer checklists for both the DISA STIG Benchmark and SCAP Security Guide (SSG) "stig" profile aligned with DISA STIG for Oracle Linux. These checklists are located in the /usr/share/xml/stig directory. See Revision History for the specific filename associated with each release.

OL<release>_SSG_STIG_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG for Oracle Linux using the SSG "stig" profile scan results.
OL<release>_DISA_BENCHMARK_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG Benchmark for Oracle Linux using the SCC Oracle_Linux_<release>_STIG profile scan results.

Viewing the Checklist Release Notes

Download the DISA STIG Viewer tool from: https://public.cyber.mil/stigs/srg-stig-tools/
Open the STIG Viewer tool.
Under Checklist, select Open Checklist from File... and navigate to the checklist file.
Expand the Filter Panel and add the following filter:
- Must Match: ALL
- Filter by: Keyword
- Filter type: Inclusive (+) Filter
- Keyword: Oracle Release Notes
The release notes offer additional information for the rules:
- Open - Rules which have been excluded or deemed out of scope.
  - Excluded - Rules which might affect the instance's default Oracle Cloud Infrastructure account and have been excluded from remediation for the Oracle Linux STIG Image.
  - Out of Scope - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
- Not Applicable - Rules which have been deemed not applicable to the Oracle Linux STIG Image.
- Not reviewed - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
For each rule, ensure you fully understand the implications to the instance before applying remediation.

Rescanning an Instance for Compliance

Use the SCC or OpenSCAP tool to scan the instance to verify it remains compliant.

Changes to an Oracle Linux STIG Image instance (such as installing other applications or adding new configuration settings) can affect compliance. We recommend scanning to check that the instance is compliant after any changes. In addition, you might need to perform subsequent scans to check for regular, quarterly DISA STIG updates.

Using the OpenSCAP Tool

The OpenSCAP tool is available in Oracle Linux and certified by the National Institute of Standards and Technologies (NIST).

Sign in to your Oracle Linux STIG Image instance.
Install the openscap-scanner package.
```
sudo yum install openscap-scanner
```
Identify the XCCDF or datastream file to use for the scan.

To use the SSG "stig" profile:
1. Install the scap-security-guide package.
```
sudo yum install scap-security-guide
```
2. Locate the file to use for the scan found in /usr/share/xml/scap/ssg/content.
To use the Oracle Linux DISA STIG Benchmark:
1. Go to https://public.cyber.mil/stigs/downloads/".
2. Search for Oracle Linux and download the appropriate DISA STIG Benchmark file.
3. Unzip the file after downloading it.
To perform a scan, run the following command:
```
sudo oscap xccdf eval --profile profile-name \
--results=path-to-results.xml --oval-results \
--report=path-to-report.html \
--check-engine-results \
--stig-viewer=path-to-stig-viewer-report.xml \
path-to-xccdf-document
```
For other options that you can use with the oscap command, see Using OpenSCAP to Scan for Vulnerabilities in the Oracle® Linux 7: Security Guide and Oracle Linux 8: Using OpenSCAP for Security Compliance.
Check the path-to-report.html file for the evaluation results.

Using the SCC Tool

The SCC tool is the official tool for checking government compliance and can be used to scan an Oracle Linux STIG Image instance.

Important

To scan Arm architecture (aarch64), you must use SCC version 5.5 or later.

For instructions on using the SCC tool, see the SCAP Tools table at https://public.cyber.mil/stigs/scap/.

Obtain the SCC tool from the table at https://public.cyber.mil/stigs/scap/.

Install the tool.

unzip scc-5.4.2_rhel7_sles12-15_oracle-linux7_x86_64_bundle.zip
cd scc-5.4.2_rhel7_x86_64/
rpm -i scc-5.4.2.rhel7.x86_64.rpm

Zip the SCAP content .xml file before importing in to the SCC tool.

For the SSG "stig" profile:

zip ssg_content.zip /usr/share/xml/scap/ssg/content/xml-document
/opt/scc/cscc -is ssg_content.zip

For the Oracle Linux DISA STIG Benchmark:

zip scap_content.zip path-to-disa-benchmark-xml-document
/opt/scc/cscc -is scap_content.zip

Configure SCC to scan against the imported content
```
/opt/scc/cscc --config
```

Perform the scan using the command line menu:

Enter 1 to configure SCAP content.

Enter clear and then enter the number that matches the imported SCAP content.

In the following example, you would enter 2 for the imported SCAP content for Oracle Linux 7.

SCC 5.4.2 Available SCAP Content                        [Version]  [Date]    
1.  [ ]  Mozilla_Firefox_RHEL                           005.003    2021-06-09
2.  [X]  OL-7                                           0.1.54     2021-09-23
3.  [ ]  Oracle_Linux_7_STIG                            002.004    2021-06-14
4.  [ ]  RHEL_6_STIG                                    002.002    2020-12-04
5.  [ ]  RHEL_7_STIG                                    003.004    2021-06-14
6.  [ ]  RHEL_8_STIG                                    001.002    2021-06-14
7.  [ ]  SLES_12_STIG                                   002.004    2021-06-14

Enter 0 to return to the main menu.
Enter 2 to configure the SCAP profile.

Enter 1 to select the profile. Verify "stig" is selected.

Available Profiles for OL-7

1.  [ ] no_profile_selected
2.  [X] stig

Return to the main menu. Enter 9 to save changes and perform a scan on the system.
The scan might take 25 to 30 minutes.

Revision History for Oracle Linux STIG Image

Oracle updates the Oracle Linux STIG Image regularly to address security issues.

If you are deploying an older Oracle Linux STIG Image, you might want to perform a subsequent scan to check for regular, quarterly DISA STIG updates. See Rescanning an Instance for Compliance for more information.

kernel-uek: 5.4.17-2136.310.7.1.el7uek.aarch64
Updated system packages to the latest versions that are available, with security fixes.
Additional STIG rule remediations applied to the image. See Additional Remediations.
Compliance transition from DISA STIG Benchmark Ver 2, Rel 4 to the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.

Compliance Information

Target: SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8
OpenSCAP Compliance Score: 80.83%

Additional Remediations

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the Oracle Linux 7 Security Technical Implementation Guide.

Review the table that follows and ensure that you understand potential impacts to the instance if you remediate.
Download the latest STIG from https://public.cyber.mil/stigs/downloads/ by searching for Oracle Linux and selecting a version.
Download the DISA STIG Viewer Tool from: https://public.cyber.mil/stigs/srg-stig-tools/
Open the xccdf.xml file for the STIG in the Viewer.
For every rule in the table below that you want to fix, do the following:
1. Search for the rule's STIG-ID in the guide to go to the appropriate section that explains the rule, the vulnerabilities, and the steps to comply with the rule.
2. Perform the provided configuration steps.

The following table describes the areas of guidance not included in the Oracle Linux STIG Image, which require additional configuration, and calls out additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

The rules marked as having automation support have built-in automation to check the rule requirements and apply the required remediations, if needed. Any rules without automation support need to be manually reviewed by a user on a system because automation checks against the rule requirements aren't supported or no remediation script is available.


STIG-ID	Rule Description	Automation Support	Reason for Exclusion
OL07-00-010050	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.	Yes	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-010230	The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010240	The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010250	The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010260 ¹	The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.	No	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access. PAM password lifetime rules likewise affect SSH keys. IMPORTANT OCI IMPACT: Restricting existing passwords to a 60-day maximum lifetime can result in the OPC account being irretrievably locked after 60 days as a result of the account's passwordless setting.
OL07-00-010320	The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010330	The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010340	The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.	Yes	According to Oracle Cloud Infrastructure default schema, `NOPASSWD` is set for OPC.
OL07-00-010342	The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.	Yes	Affects default OPC login account.
OL07-00-010491 ¹	The Oracle Linux operating systems version 7.2 or later by using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.	No	Requires GRUB 2 password which is not feasible for default image. IMPORTANT OCI IMPACT: Implementing a GRUB 2 password would introduce a password prompt on instance boot.
OL07-00-010492	Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.	No	Requires change of default super user name. Affects grub superuser booting.
OL07-00-010500	The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.	Yes	Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-020019	The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.	No	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.
OL07-00-020020	The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.	No	Requires obtaining specific list of authorized users from user's ISSO.
OL07-00-020021	The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.	No	Requires review from a user's SA/ISSO to determine SELinux role mapping conformity.
OL07-00-020023	The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.	No	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-020030	The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.	Yes	AIDE or other intrusion detects system expected to be configured on target image.
OL07-00-020040	The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-020270	The Oracle Linux operating system must not have unnecessary accounts.	No	Requires obtaining specific list of authorized system accounts from user's ISSO
OL07-00-020680	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive.	No	Restricts file permission access to system services.
OL07-00-020720	The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.	No	Affects access to user binaries and utilities.
OL07-00-021000	The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.	Yes	Affects user's access to executing binary files within their home directories.
OL07-00-021300	The Oracle Linux operating system must disable Kernel core dumps unless needed.	Yes	Kdump service is needed for diagnostic purposes in case of system generated kernel crashes.
OL07-00-021350 ¹	The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.	No	Rescue kernel cmdline exclusion of `fips=1` parameter. IMPORTANT OCI IMPACT: Adding `fips=1` to the rescue kernel cmdline could result in the instance failing to boot with a Fatal Error.
OL07-00-021600	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-021610	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-021620	The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-030010 ¹	The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) if an audit processing failure occurs.	Yes	The default setting of the `failure` parameter is `1`, which only sends information to the kernel log regarding the failure instead of shutting down the instance. IMPORTANT OCI IMPACT: Setting the `failure` parameter to `2` would result in a system panic and shutdown when an audit processing failure occurs.
OL07-00-030201	The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-030300	The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.	Yes	`au-remote` plugin configuration presumes remote server details.
OL07-00-030310	The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.	Yes	`au-remote` plugin configuration presumes remote server details.
OL07-00-030320	The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-030321	The Oracle Linux operating system must be configured so that the audit system takes appropriate action when an error occurs sending audit records to a remote system.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-031000	The Oracle Linux operating system must send rsyslog output to a log aggregation server.	Yes	Requires a remote server for transmitting rsyslog information.
OL07-00-032000	The Oracle Linux operating system must use a virus scan program.	No	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.
OL07-00-040100	The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.	No	Requires review of ports, protocols, and/or services as defined by a user's PPSM CLSA.
OL07-00-040160	The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.	Yes	May be disruptive to user workloads.
OL07-00-040170	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.	Yes	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-040420	The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.	Yes	Changes default permissions of SSH private host key generated by system service.
OL07-00-040600	At least two name servers must be configured for the Oracle Linux operating systems using DNS resolution.	No	Oracle Cloud Infrastructure provides a highly available DNS server.
OL07-00-040710 ¹	The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements	Yes	Affects instance serial console connectivity. IMPORTANT OCI IMPACT: Disabling remote X connections could result in failure to connect to the OCI instance's serial console.
OL07-00-040711	The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.	Yes	Affects user's access to Oracle Cloud Infrastructure instances.
OL07-00-040810	The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.	No	Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.
OL07-00-040820	The Oracle Linux operating system must not have unauthorized IP tunnels configured.	No	Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections.
OL07-00-041002	The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM).	No	Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-041003	The Oracle Linux operating system must implement certificate status checking for PKI authentication.	Yes	Certificate status checking for PKI authentication not configured on default Oracle Cloud Infrastructure image.

¹ Remediating these rules can have a significant impact on the systems' accessibility.

Changelog


STIG-ID	Rule Description	Reason for Exclusion	Status	Comments
OL07-00-010050	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.	Added	Added to exclusion list in V2R8
OL07-00-010320	The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-010330	The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-010492	Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.	Requires change if default super user name. Affects grub superuser booting.	Added	Added to exclusion list in V2R8
OL07-00-010500	The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multi factor authentication.	Multi factor authentication is not configured on the default Oracle Cloud Infrastructure image.	Added	Added to exclusion list in V2R8
OL07-00-020019	The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.	Added	Added to exclusion list in V2R8
OL07-00-020020	The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.	Requires obtaining specific list of authorized users from user's ISSO.	Added	Added to exclusion list in V2R8
OL07-00-020021	The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.	Requires review from a user's SA/ISSO to determine SELinux role mapping conformity.	Added	Added to exclusion list in V2R8
OL07-00-020023	The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-020040	The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-020270	The Oracle Linux operating system must not have unnecessary accounts.	Requires obtaining specific list of authorized system accounts from user's ISSO	Added	Added to exclusion list in V2R8
OL07-00-020680	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive.	Restricts file permission access to system services.	Added	Added to exclusion list in V2R8
OL07-00-020720	The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.	Affects access to user binaries and utilities.	Added	Added to exclusion list in V2R8
OL07-00-021000	The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.	Affects user's access to executing binary files within their home directories.	Added	Added to exclusion list in V2R8
OL07-00-021300	The Oracle Linux operating system must disable Kernel core dumps unless needed.	Kdump service is needed for diagnostic purposes in case of system generated kernel crashes.	Added	Added to exclusion list in V2R8
OL07-00-021600	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-021610	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-021620	The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-031000	The Oracle Linux operating system must send rsyslog output to a log aggregation server.	Requires a remote server for transmitting rsyslog information.	Added	Added to exclusion list in V2R8
OL07-00-032000	The Oracle Linux operating system must use a virus scan program.	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.	Added	Added to exclusion list in V2R8
OL07-00-040100	The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.	Requires review of ports, protocols, and/or services as defined by a user's PPSM CLSA.	Added	Added to exclusion list in V2R8
OL07-00-040160	The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.	May be disruptive to user workloads.	Added	Added to exclusion list in V2R8
OL07-00-040170	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.	Added	Added to exclusion list in V2R8
OL07-00-040420	The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.	Changes default permissions of SSH private host key generated by system service.	Added	Added to exclusion list in V2R8
OL07-00-040711	The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.	Affects user's access to Oracle Cloud Infrastructure instances.	Added	Added to exclusion list in V2R8
OL07-00-040810	The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.	Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.	Added	Added to exclusion list in V2R8
OL07-00-040820	The Oracle Linux operating system must not have unauthorized IP tunnels configured.	Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections.	Added	Added to exclusion list in V2R8

Oracle-Linux-7.9-aarch64-2021.10.08-STIG

Oracle-Linux-7.9-2022.08.29-STIG

Image Information

kernel-uek: 5.4.17-2136.310.7.1.el7uek.x86_64
Updated system packages to the latest versions that are available, with security fixes.
Additional STIG rule remediations applied to the image. See Additional Remediations.
Compliance transition from DISA STIG Benchmark Ver 2, Rel 4 to the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.

Compliance Information

Target: SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.
OpenSCAP Compliance Score: 80.76%
SCC Compliance Score: 80.77%

Additional Remediations

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the Oracle Linux 7 Security Technical Implementation Guide.

Review the table that follows and ensure that you understand potential impacts to the instance if you remediate.
Download the latest STIG from https://public.cyber.mil/stigs/downloads/ by searching for Oracle Linux and selecting a version.
Download the DISA STIG Viewer Tool from: https://public.cyber.mil/stigs/srg-stig-tools/
Open the xccdf.xml file for the STIG in the Viewer.
For every rule in the table below that you want to fix, do the following:
1. Search for the rule's STIG-ID in the guide to go to the appropriate section that explains the rule, the vulnerabilities, and the steps to comply with the rule.
2. Perform the provided configuration steps.

The following table describes the areas of guidance not included in the Oracle Linux STIG Image, which require additional configuration, and calls out additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

The rules marked as having automation support have built-in automation to check the rule requirements and apply the required remediations, if needed. Any rules without automation support need to be manually reviewed by a user on a system because automation checks against the rule requirements aren't supported or no remediation script is available.


STIG-ID	Rule Description	Automation Support	Reason for Exclusion
OL07-00-010050	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.	Yes	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-010230	The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010240	The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010250	The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010260 ¹	The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.	No	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access. PAM password lifetime rules likewise affect SSH keys. IMPORTANT OCI IMPACT: Restricting existing passwords to a 60-day maximum lifetime can result in the OPC account being irretrievably locked after 60 days as a result of the account's passwordless setting.
OL07-00-010320	The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010330	The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.	Yes	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-010340	The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.	Yes	According to Oracle Cloud Infrastructure default schema, `NOPASSWD` is set for OPC.
OL07-00-010342	The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.	Yes	Affects default OPC login account.
OL07-00-010491 ¹	The Oracle Linux operating systems version 7.2 or later by using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.	No	Requires GRUB 2 password which is not feasible for default image. IMPORTANT OCI IMPACT: Implementing a GRUB 2 password would introduce a password prompt on instance boot.
OL07-00-010492	Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.	No	Requires change of default super user name. Affects grub superuser booting.
OL07-00-010500	The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.	Yes	Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-020019	The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.	No	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.
OL07-00-020020	The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.	No	Requires obtaining specific list of authorized users from user's ISSO.
OL07-00-020021	The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.	No	Requires review from a user's SA/ISSO to determine SELinux role mapping conformity.
OL07-00-020023	The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.	No	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.
OL07-00-020030	The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.	Yes	AIDE or other intrusion detects system expected to be configured on target image.
OL07-00-020040	The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-020270	The Oracle Linux operating system must not have unnecessary accounts.	No	Requires obtaining specific list of authorized system accounts from user's ISSO
OL07-00-020680	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive.	No	Restricts file permission access to system services.
OL07-00-020720	The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.	No	Affects access to user binaries and utilities.
OL07-00-021000	The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.	Yes	Affects user's access to executing binary files within their home directories.
OL07-00-021300	The Oracle Linux operating system must disable Kernel core dumps unless needed.	Yes	Kdump service is needed for diagnostic purposes in case of system generated kernel crashes.
OL07-00-021350 ¹	The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.	No	Rescue kernel cmdline exclusion of `fips=1` parameter. IMPORTANT OCI IMPACT: Adding `fips=1` to the rescue kernel cmdline could result in the instance failing to boot with a Fatal Error.
OL07-00-021600	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-021610	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-021620	The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.	Yes	Requires AIDE detect system to be installed prior to configuration.
OL07-00-030010 ¹	The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) if an audit processing failure occurs.	Yes	The default setting of the `failure` parameter is `1`, which only sends information to the kernel log regarding the failure instead of shutting down the instance. IMPORTANT OCI IMPACT: Setting the `failure` parameter to `2` would result in a system panic and shutdown when an audit processing failure occurs.
OL07-00-030201	The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-030300	The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.	Yes	`au-remote` plugin configuration presumes remote server details.
OL07-00-030310	The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.	Yes	`au-remote` plugin configuration presumes remote server details.
OL07-00-030320	The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-030321	The Oracle Linux operating system must be configured so that the audit system takes appropriate action when an error occurs sending audit records to a remote system.	No	`au-remote` plugin configuration presumes remote server details.
OL07-00-031000	The Oracle Linux operating system must send rsyslog output to a log aggregation server.	Yes	Requires a remote server for transmitting rsyslog information.
OL07-00-032000	The Oracle Linux operating system must use a virus scan program.	No	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.
OL07-00-040100	The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.	No	Requires review of ports, protocols, and/or services as defined by a user's PPSM CLSA.
OL07-00-040160	The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.	Yes	May be disruptive to user workloads.
OL07-00-040170	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.	Yes	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-040420	The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.	Yes	Changes default permissions of SSH private host key generated by system service.
OL07-00-040600	At least two name servers must be configured for the Oracle Linux operating systems using DNS resolution.	No	Oracle Cloud Infrastructure provides a highly available DNS server.
OL07-00-040710 ¹	The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements	Yes	Affects instance serial console connectivity. IMPORTANT OCI IMPACT: Disabling remote X connections could result in failure to connect to the OCI instance's serial console.
OL07-00-040711	The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.	Yes	Affects user's access to Oracle Cloud Infrastructure instances.
OL07-00-040810	The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.	No	Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.
OL07-00-040820	The Oracle Linux operating system must not have unauthorized IP tunnels configured.	No	Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections.
OL07-00-041002	The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM).	No	Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-041003	The Oracle Linux operating system must implement certificate status checking for PKI authentication.	Yes	Certificate status checking for PKI authentication not configured on default Oracle Cloud Infrastructure image.

¹ Remediating these rules can have a significant impact on the systems' accessibility.

Changelog


STIG-ID	Rule Description	Reason for Exclusion	Status	Comments
OL07-00-010050	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.	Added	Added to exclusion list in V2R8
OL07-00-010320	The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-010330	The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-010492	Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.	Requires change if default super user name. Affects grub superuser booting.	Added	Added to exclusion list in V2R8
OL07-00-010500	The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multi factor authentication.	Multi factor authentication is not configured on the default Oracle Cloud Infrastructure image.	Added	Added to exclusion list in V2R8
OL07-00-020019	The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.	Added	Added to exclusion list in V2R8
OL07-00-020020	The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.	Requires obtaining specific list of authorized users from user's ISSO.	Added	Added to exclusion list in V2R8
OL07-00-020021	The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.	Requires review from a user's SA/ISSO to determine SELinux role mapping conformity.	Added	Added to exclusion list in V2R8
OL07-00-020023	The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.	Affects default OPC user login account configured for the Oracle Cloud Infrastructure instance access.	Added	Added to exclusion list in V2R8
OL07-00-020040	The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-020270	The Oracle Linux operating system must not have unnecessary accounts.	Requires obtaining specific list of authorized system accounts from user's ISSO	Added	Added to exclusion list in V2R8
OL07-00-020680	The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive.	Restricts file permission access to system services.	Added	Added to exclusion list in V2R8
OL07-00-020720	The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.	Affects access to user binaries and utilities.	Added	Added to exclusion list in V2R8
OL07-00-021000	The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.	Affects user's access to executing binary files within their home directories.	Added	Added to exclusion list in V2R8
OL07-00-021300	The Oracle Linux operating system must disable Kernel core dumps unless needed.	Kdump service is needed for diagnostic purposes in case of system generated kernel crashes.	Added	Added to exclusion list in V2R8
OL07-00-021600	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-021610	The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-021620	The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.	Requires AIDE detect system to be installed prior to configuration.	Added	Added to exclusion list in V2R8
OL07-00-031000	The Oracle Linux operating system must send rsyslog output to a log aggregation server.	Requires a remote server for transmitting rsyslog information.	Added	Added to exclusion list in V2R8
OL07-00-032000	The Oracle Linux operating system must use a virus scan program.	Oracle Linux does not ship with Virus Scan Software. User Configuration is needed.	Added	Added to exclusion list in V2R8
OL07-00-040100	The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.	Requires review of ports, protocols, and/or services as defined by a user's PPSM CLSA.	Added	Added to exclusion list in V2R8
OL07-00-040160	The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.	May be disruptive to user workloads.	Added	Added to exclusion list in V2R8
OL07-00-040170	The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.	Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.	Added	Added to exclusion list in V2R8
OL07-00-040420	The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.	Changes default permissions of SSH private host key generated by system service.	Added	Added to exclusion list in V2R8
OL07-00-040711	The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.	Affects user's access to Oracle Cloud Infrastructure instances.	Added	Added to exclusion list in V2R8
OL07-00-040810	The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.	Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.	Added	Added to exclusion list in V2R8
OL07-00-040820	The Oracle Linux operating system must not have unauthorized IP tunnels configured.	Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections.	Added	Added to exclusion list in V2R8

Oracle-Linux-7.9-2021.07.27-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-2021.07.27-STIG was released 8/10/2021.

The following notes about the update are in comparison to the previous Oracle-Linux-7.9-2021.03.02-STIG release.

Image Updates

kernel-uek: 5.4.17-2102.203.6.el7uek.x86_64 Unbreakable Enterprise Kernel Release 6 (UEK R6) kernel version, with a fix for CVE-2021-33909.
Updated Oracle Linux 7.9 system packages to the latest versions that are available, with security fixes.

Compliance Updates

Target: Benchmark version Oracle Linux7 DISA STIG Benchmark - Ver 2, Rel 4.
SCC compliance score: 89.44%.

Changes made to the latest STIG image.

The following table describes the changes that were made in the Oracle-Linux-7.9-2021.07.27-STIG release.

Note

Updates for this release are also reflected in Oracle Linux 7 Additional Configurations, which describes areas in the latest image that require manual configuration. See this section for important information that might apply to the rules listed in the following table.


STIG-ID	Rule Description	Reason for Exclusion	Status	Comments
OL07-00-010090	The Oracle Linux operating system must have the screen package installed.	Affects default Oracle Public Cloud (OPC) user login account configured for the Oracle Cloud Infrastructure instance access.	Removed	Removed from exclusion list in V2R4
OL07-00-021350	The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.	Rescue kernel cmdline exclusion of `fips=1` parameter.	Added	Removed from exclusion list in V2R4 Important: Adding `fips=1` to the rescue kernel cmdline could result in the instance failing to boot with a Fatal Error.
OL07-00-030200	The Oracle Linux operating system must be configured to use the au-remote plugin.	`au-remote` plugin configuration presumes remote server details.	Removed	Removed from exclusion list in V2R4
OL07-00-030201	The Oracle Linux operating system must be configured to off-load audit logs a different system or storage media from the system being audited.	`au-remote` plugin configuration presumes remote server details.	Updated	Rule title changed in V2R4
OL07-00-040600	For Oracle Linux operating systems that are using DNS resolution, at least two name servers must be configured.	Oracle National Security Regions (ONSR) image provides just one reliable DNS host.	Updated	Rule title changed in V2R4
OL07-00-041001	The Oracle Linux operating system must have the required packages for multifactor authentication installed.	Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.	Removed	Removed from exclusion list in V2R4 Fixed on the image: Installed `pam_pkcs11 package` on the instance.
OL07-00-040710	The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements	Affects instance serial console connectivity.	Added	Added to exclusion list in V2R4
OL07-00-010342	The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.	Affects default OPC login account.	Added	Added to exclusion list in V2R4

Oracle-Linux-7.9-2021.03.02-STIG

More Information

Use these resources for additional information on the Oracle Linux STIG Image.

Department of Defense web resource at https://public.cyber.mil/.

For DISA STIG and SCAP catalogs, see the following resources:
- STIG catalog at https://public.cyber.mil/stigs/.
- SCAP catalog at https://public.cyber.mil/stigs/scap/.

Oracle Cloud Infrastructure Documentation Try Free Tier

Oracle Linux STIG Image

What's a STIG? 🔗

Downloading the Latest STIG

How's STIG Compliance Assessed? 🔗

Compliance Targets 🔗

Creating and Connecting to an Instance 🔗

Applying Remediations 🔗

Using the Checklist to View Additional Configurations 🔗

Accessing the Checklist

Viewing the Checklist Release Notes

Rescanning an Instance for Compliance 🔗

Using the OpenSCAP Tool 🔗

Using the SCC Tool 🔗

Revision History for Oracle Linux STIG Image 🔗

Oracle Linux 8 🔗

Oracle Linux 7 (extended support) 🔗

Older Images 🔗

Additional Remediations

Changelog

Additional Remediations

Changelog

More Information 🔗

Oracle Cloud Infrastructure Documentation
Try Free Tier

What's a STIG?

How's STIG Compliance Assessed?

Compliance Targets

Creating and Connecting to an Instance

Applying Remediations

Using the Checklist to View Additional Configurations

Rescanning an Instance for Compliance

Using the OpenSCAP Tool

Using the SCC Tool

Revision History for Oracle Linux STIG Image

Oracle Linux 8

Oracle Linux 7 (extended support)

Older Images

More Information