Oracle Linux STIG Image

The Oracle Linux STIG Image is an implementation of Oracle Linux that follows the Security Technical Implementation Guide (STIG).

With the STIG image, you can configure an Oracle Linux instance in Oracle Cloud Infrastructure that follows certain security standards and requirements set by the Defense Information Systems Agency (DISA).

Note

Oracle updates the Oracle Linux STIG Image regularly with the latest security errata. This document is updated whenever the STIG benchmark changes, or when changes in the security guidance require manual configuration of the image. See Revision History for Oracle Linux STIG Image for specific changes made in each release.
Important

Any changes that you make to an Oracle Linux STIG Image instance (such as installing other applications or modifying the configuration settings) might impact the compliance score. After making any changes, rescan the instance to check for compliance. See Rescanning an Instance for Compliance.

What's a STIG?

A Security Technical Implementation Guide (STIG) is a document written by the Defense Information Systems Agency (DISA). It provides guidance on configuring a system to meet cybersecurity requirements for deployment within the Department of Defense (DoD) IT network systems. STIG requirements help secure the network against cybersecurity threats by focusing on infrastructure and network security to mitigate vulnerabilities. Compliance with STIGs is a requirement for DoD agencies, or any organization that's a part of the DoD information networks (DoDIN).

The Oracle Linux STIG image helps automate compliance by providing a hardened version of the standard Oracle Linux image. The image is hardened to follow STIG guidelines. However, the image can't meet all STIG requirements and might require additional manual remediation. See Applying Remediations.

Downloading the Latest STIG

DISA provides quarterly updates to the STIGs. This documentation was created using the latest STIG available at the time of publication. However, you should always use the latest STIG when assessing your system.

Download the latest STIG at https://public.cyber.mil/stigs/downloads/. Search for Oracle Linux and then download the appropriate zip file.

Optionally, use the DISA STIG Viewer from https://public.cyber.mil/stigs/srg-stig-tools/ and import the STIG's xccdf.xml file to view the STIG rules.

How's STIG Compliance Assessed?

Compliance assessment often begins with a scan using a Security Content Automation Protocol (SCAP) compliance checker tool. The tool uses a STIG (uploaded in SCAP format) to analyze the security of a system. However, the tool doesn't always test for all rules within a STIG and some STIGs might not have SCAP versions. In these cases, an auditor needs to check the system manually for compliance by going through the STIG rules not covered by the tool.

The following tools are available for automating compliance assessment:

  • SCAP Compliance Checker (SCC) - A SCAP scanner developed by NIWC Atlantic and distributed by DISA that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Commonly, the DISA STIG Benchmark is used for compliance scanning with the SCC tool.

    Important

    To scan Arm architecture (aarch64), you must use SCC version 5.5 or later.
  • OpenSCAP - An open source utility available through yum that can run an evaluation using either the DISA STIG Benchmark or an OpenSCAP upstream profile. Oracle Linux distributes an SCAP Security Guide (SSG) package that contains system release specific profiles. For example, the SCAP datastream ssg-ol7-ds.xml file provided by the SSG package includes the DISA STIG for Oracle Linux 7 profile. One advantage to using the OpenSCAP tool is that SSG provides Bash or Ansible scripts to automate remediation and bring the system to a compliant state.

    Caution

    Automatic remediation using scripts might lead to undesired system configuration or make a system nonfunctional. Test the remediation scripts in a nonproduction environment.

See Rescanning an Instance for Compliance for information on running the compliance tools and generating a scan report.

Compliance Targets

The Oracle Linux STIG image contains additional remediations for rules not addressed by the DISA STIG Benchmark. Use the SSG "stig" profile aligned with DISA STIG for Oracle Linux to extend automation on the previously unaddressed rules and determine compliance against the complete DISA STIG.

Two DISA STIG Viewer checklist files are provided with the image, which are based on scan results from SCC and OpenSCAP. The checklist for the DISA STIG Benchmark uses the SCC scan results, while the checklist for the SSG "stig" profile uses the OpenSCAP scan results. These checklists contain comments by Oracle for areas of the image that don't meet guidance. See Using the Checklist to View Additional Configurations.
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.
Oracle Linux 8

Oracle Linux 8 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 8 DISA STIG. For the latest Oracle Linux 8 STIG Image release, the compliance target is the DISA STIG for Oracle Linux 8 Ver 1, Rel 8. The scap-security-guide package (minimum version 0.1.69-2.0.1) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 8.

Compliance Information for Oracle Linux 8.9 January 2024 STIG images:

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 8

  • Checklist Compliance Score for x86_64: 67.50%
  • Checklist Compliance Score for aarch64: 67.40%

Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 7 Benchmark profile

  • Checklist Compliance Score for x86_64: 78.92%
  • Checklist Compliance Score for aarch64: 78.92%
Oracle Linux 7

Oracle Linux 7 STIG images follow the DISA security standards and are hardened according to the Oracle Linux 7 DISA STIG. For the latest Oracle Linux 7 STIG Image release, the compliance target has transitioned to the DISA STIG for Oracle Linux 7 Ver 2, Rel 13. The scap-security-guide package (minimum version 0.1.69-1.0.1) available through yum contains the SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 13.

Compliance Information for Oracle Linux 7.9 December 2023 STIG images:

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 13

  • Checklist Compliance Score x86_64: 81.36%
  • Checklist Compliance Score aarch64: 81.36%

Target: DISA STIG for Oracle Linux 7 Ver 2, Rel 13 Benchmark profile

  • Checklist Compliance Score x86_64: 91.71%
  • Checklist Compliance Score aarch64: 91.71%
Note

The STIG standard from DISA had no significant changes, other than wording, between Oracle Linux 7 Ver 2, Rel 12 and Oracle Linux 7 Ver 2, Rel 13. Because of this, any system compliant with Oracle Linux 7 Ver 2, Rel 12 is also compliant with Oracle Linux 7 Ver 2, Rel 13.

Applying Remediations

The hardened Oracle Linux STIG Image can't be configured for all the recommended guidance. You must manually finalize any configurations not included in the Oracle Linux STIG Image instance.

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the corresponding Oracle Linux Security Technical Implementation Guide.

Important

Some changes to the image might affect the instance's default Oracle Cloud Infrastructure account. If you decide to enforce a rule, study the information about each rule and the reasons for exclusion to fully understand the potential impact on the instance.

Using the Checklist to View Additional Configurations

Use the checklists provided with the Oracle Linux STIG image to view additional "Release Notes" on areas of guidance not included in the image, which might require additional configuration. The release notes identify additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

Accessing the Checklist

The Oracle Linux STIG image includes DISA STIG Viewer checklists for both the DISA STIG Benchmark and SCAP Security Guide (SSG) "stig" profile aligned with DISA STIG for Oracle Linux. These checklists are located in the /usr/share/xml/stig directory. See Revision History for the specific filename associated with each release.

  • OL<release>_SSG_STIG_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG for Oracle Linux using the SSG "stig" profile scan results.
  • OL<release>_DISA_BENCHMARK_<stig-version>_CHECKLIST_RELEASE.ckl - checklist for DISA STIG Benchmark for Oracle Linux using the SCC Oracle_Linux_<release>_STIG profile scan results.

Viewing the Checklist Release Notes

  1. Download the DISA STIG Viewer tool from: https://public.cyber.mil/stigs/srg-stig-tools/
  2. Open the STIG Viewer tool.
  3. Under Checklist, select Open Checklist from File... and navigate to the checklist file.
  4. Expand the Filter Panel and add the following filter:
    • Must Match: ALL
    • Filter by: Keyword
    • Filter type: Inclusive (+) Filter
    • Keyword: Oracle Release Notes
  5. The release notes offer additional information for the rules:
    • Open - Rules which have been excluded or deemed out of scope.
      • Excluded - Rules which might affect the instance's default Oracle Cloud Infrastructure account and have been excluded from remediation for the Oracle Linux STIG Image.
      • Out of Scope - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
    • Not Applicable - Rules which have been deemed not applicable to the Oracle Linux STIG Image.
    • Not reviewed - Rules which are out of scope for remediation on the current release but might be considered for remediation in a future release.
  6. For each rule, ensure you fully understand the implications to the instance before applying remediation.
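
The filter above is a GUI step. The same release-note entries can be pulled from the .ckl file on the instance itself, which is useful when reviewing many instances or when no desktop is available. The following Python script is an added example; it is not part of the Oracle documentation or of the STIG Viewer tool. It assumes the checklist layout written by STIG Viewer (one VULN element per rule holding STIG_DATA name/value pairs plus a STATUS and a COMMENTS element, with the STIG ID carried in the Rule_Ver attribute) and runs against a constructed checklist fragment whose statuses and comment wording are invented for the example; only the keyword "Oracle Release Notes" is taken from the procedure.

```python
"""List the "Oracle Release Notes" entries in a STIG Viewer checklist (.ckl).

Added example; not part of the Oracle documentation or of the STIG Viewer
tool. It does from the command line what the keyword filter in the
procedure does in the GUI, and groups the hits by checklist status.
Assumption: the .ckl follows the STIG Viewer checklist layout (VULN elements
carrying STIG_DATA name/value pairs, a STATUS and a COMMENTS element).
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

KEYWORD = "Oracle Release Notes"  # the filter keyword given in the procedure

# Status strings exactly as .ckl files spell them, mapped to how the
# procedure reads them.
STATUS_MEANING = {
    "Open": "excluded or out of scope for remediation in this release",
    "Not_Applicable": "deemed not applicable to the STIG image",
    "Not_Reviewed": "needs manual review; may be remediated in a future release",
    "NotAFinding": "remediated in the image",
}


def _stig_attr(vuln, name):
    """Value of the STIG_DATA pair whose VULN_ATTRIBUTE is `name` ('' if absent).
    Assumption: Rule_Ver carries the STIG ID (e.g. OL07-00-010050)."""
    for sd in vuln.findall("STIG_DATA"):
        if sd.findtext("VULN_ATTRIBUTE") == name:
            return (sd.findtext("ATTRIBUTE_DATA") or "").strip()
    return ""


def release_notes(ckl_text, keyword=KEYWORD):
    """Return {status: [(stig_id, rule_title, comment), ...]} for every VULN
    whose COMMENTS contain `keyword`; rules without such a note are skipped."""
    root = ET.fromstring(ckl_text)
    notes = defaultdict(list)
    for vuln in root.iter("VULN"):
        comment = (vuln.findtext("COMMENTS") or "").strip()
        if keyword not in comment:
            continue
        status = (vuln.findtext("STATUS") or "").strip()
        notes[status].append(
            (_stig_attr(vuln, "Rule_Ver"), _stig_attr(vuln, "Rule_Title"), comment)
        )
    return dict(notes)


def format_report(notes):
    """Plain-text report, one status group at a time."""
    lines = []
    for status in sorted(notes):
        lines.append(f"{status}: {STATUS_MEANING.get(status, 'unknown status')}")
        for stig_id, title, comment in notes[status]:
            lines.append(f"  {stig_id}  {title}")
            lines.append(f"    {comment}")
    return "\n".join(lines)


# Constructed checklist fragment. The STIG IDs appear in the exclusion table on
# this page, but the statuses and comment text here are invented for the example.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Ver</VULN_ATTRIBUTE><ATTRIBUTE_DATA>OL07-00-010260</ATTRIBUTE_DATA></STIG_DATA>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Existing passwords restricted to a 60-day maximum lifetime.</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Open</STATUS>
    <FINDING_DETAILS></FINDING_DETAILS>
    <COMMENTS>Oracle Release Notes: Excluded. Affects the default OPC account, which could be locked out after 60 days.</COMMENTS>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Ver</VULN_ATTRIBUTE><ATTRIBUTE_DATA>OL07-00-020019</ATTRIBUTE_DATA></STIG_DATA>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Endpoint Security for Linux Threat Prevention tool.</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Not_Reviewed</STATUS>
    <FINDING_DETAILS></FINDING_DETAILS>
    <COMMENTS>Oracle Release Notes: not shipped with Oracle Linux; user configuration needed.</COMMENTS>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Ver</VULN_ATTRIBUTE><ATTRIBUTE_DATA>OL07-00-021300</ATTRIBUTE_DATA></STIG_DATA>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Disable kernel core dumps unless needed.</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Not_Applicable</STATUS>
    <FINDING_DETAILS></FINDING_DETAILS>
    <COMMENTS>Oracle Release Notes: kdump retained for crash diagnostics.</COMMENTS>
  </VULN>
  <VULN>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Ver</VULN_ATTRIBUTE><ATTRIBUTE_DATA>OL07-00-040160</ATTRIBUTE_DATA></STIG_DATA>
    <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Terminate idle sessions after 15 minutes.</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>NotAFinding</STATUS>
    <FINDING_DETAILS></FINDING_DETAILS>
    <COMMENTS></COMMENTS>
  </VULN>
</iSTIG></STIGS></CHECKLIST>
"""

if __name__ == "__main__":
    # Real use: python3 this_script.py /usr/share/xml/stig/<checklist-file>.ckl
    text = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_CKL
    print(format_report(release_notes(text)))
```

Point the script at one of the files under /usr/share/xml/stig to see the real notes. An empty result means either that no COMMENTS element contains the keyword or that the file uses a different layout than the one assumed here.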

Rescanning an Instance for Compliance

Use the SCC or OpenSCAP tool to scan the instance to verify it remains compliant.

Changes to an Oracle Linux STIG Image instance (such as installing other applications or adding new configuration settings) can affect compliance. We recommend scanning to check that the instance is compliant after any changes. In addition, you might need to perform subsequent scans to check for regular, quarterly DISA STIG updates.

Using the OpenSCAP Tool

The OpenSCAP tool is available in Oracle Linux and is certified by the National Institute of Standards and Technology (NIST).

  1. Sign in to your Oracle Linux STIG Image instance.
  2. Install the openscap-scanner package.
    sudo yum install openscap-scanner
  3. Identify the XCCDF or datastream file to use for the scan.

    To use the SSG "stig" profile:

    1. Install the scap-security-guide package.
      sudo yum install scap-security-guide
    2. Locate the file to use for the scan found in /usr/share/xml/scap/ssg/content.
    To use the Oracle Linux DISA STIG Benchmark:
    1. Go to https://public.cyber.mil/stigs/downloads/.
    2. Search for Oracle Linux and download the appropriate DISA STIG Benchmark file.
    3. Unzip the file after downloading it.
  4. To perform a scan, run the following command:
    sudo oscap xccdf eval --profile profile-name \
    --results=path-to-results.xml --oval-results \
    --report=path-to-report.html \
    --check-engine-results \
    --stig-viewer=path-to-stig-viewer-report.xml \
    path-to-xccdf-document

    For other options that you can use with the oscap command, see Using OpenSCAP to Scan for Vulnerabilities in the Oracle® Linux 7: Security Guide and Oracle Linux 8: Using OpenSCAP for Security Compliance.

  5. Check the path-to-report.html file for the evaluation results.
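
Two things the procedure leaves to the reader are how to script the scan and how to read the results without opening the HTML report. The following Python script is an added example and is not Oracle's or the OpenSCAP project's code: it wraps the oscap command from step 4, interprets the exit status correctly, and tallies the XCCDF results file. The profile id used for the SSG "stig" profile (xccdf_org.ssgproject.content_profile_stig) follows the SSG naming convention and is an assumption to confirm with `oscap info` on the datastream; the results document embedded at the bottom is constructed, and the score the script computes (pass over pass plus fail) is the example's own definition, not the checklist score quoted elsewhere on this page.

```python
"""Run (or post-process) an `oscap xccdf eval` scan and summarize the results.

Added example; not Oracle's or the OpenSCAP project's code. Assumptions are
marked in comments; the sample results document below is constructed.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Exit codes of `oscap xccdf eval` (oscap(8)): 0 every selected rule passed,
# 1 oscap itself failed (missing datastream, unknown profile), 2 at least one
# rule failed. Only 1 is an error for scripting purposes.
OSCAP_ALL_PASS, OSCAP_ERROR, OSCAP_HAS_FAILURES = 0, 1, 2

# Assumption: the SSG "stig" profile id follows the SSG naming convention.
# Confirm with `oscap info <datastream>` on the instance before relying on it.
SSG_STIG_PROFILE = "xccdf_org.ssgproject.content_profile_stig"


def run_scan(datastream, profile, results_xml, report_html):
    """Invoke oscap with the options used in the procedure; return its exit code."""
    cmd = [
        "oscap", "xccdf", "eval", "--profile", profile,
        "--results", results_xml, "--oval-results",
        "--report", report_html, "--check-engine-results",
        "--stig-viewer", results_xml.replace(".xml", "-stig-viewer.xml"),
        datastream,
    ]
    rc = subprocess.run(cmd).returncode
    if rc == OSCAP_ERROR:
        sys.exit("oscap failed: check the datastream path and the profile id")
    return rc


def _local(tag):
    """Element name without its namespace (results use the XCCDF 1.2 xmlns)."""
    return tag.rsplit("}", 1)[-1]


def tally_results(xccdf_results_text):
    """Return (Counter of result strings, [idref of each failed rule])."""
    root = ET.fromstring(xccdf_results_text)
    counts, failed = Counter(), []
    for elem in root.iter():
        if _local(elem.tag) != "rule-result":
            continue
        result = next(
            ((c.text or "").strip() for c in elem if _local(c.tag) == "result"),
            "unknown",
        )
        counts[result] += 1
        if result == "fail":
            failed.append(elem.get("idref"))
    return counts, failed


def compliance_score(counts):
    """pass / (pass + fail) as a percentage, rounded to two decimals.

    This is the example's own definition: notapplicable, notchecked and
    notselected rules are left out of the denominator, so the figure need
    not match the STIG Viewer checklist scores quoted in the documentation.
    """
    scored = counts["pass"] + counts["fail"]
    return round(100.0 * counts["pass"] / scored, 2) if scored else 0.0


# Constructed stand-in for a --results file: the rule ids are shaped like SSG
# rule ids and the outcomes are invented for this example.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_OL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" severity="medium">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    # On an instance:
    #   rc = run_scan("/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml",
    #                 SSG_STIG_PROFILE, "results.xml", "report.html")
    #   text = open("results.xml", encoding="utf-8").read()
    # Here the constructed sample is summarized instead so the script runs offline.
    counts, failed = tally_results(SAMPLE_RESULTS)
    print(dict(counts), f"score={compliance_score(counts)}%")
    for idref in failed:
        print("FAIL", idref)
```

oscap exits 2 when at least one rule fails, so a wrapper that treats every non-zero status as an error aborts on every real scan of a non-compliant host; only exit status 1 means oscap itself failed.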

Using the SCC Tool

The SCC tool is the SCAP scanner that DISA distributes for DoD compliance checking and can be used to scan an Oracle Linux STIG Image instance.

Important

To scan Arm architecture (aarch64), you must use SCC version 5.5 or later.

For instructions on using the SCC tool, see the SCAP Tools table at https://public.cyber.mil/stigs/scap/.

  1. Obtain the SCC tool from the table at https://public.cyber.mil/stigs/scap/.
  2. Install the tool. The RPM install needs root. The bundle name below is an example for SCC 5.4.2 on x86_64; use the bundle that matches the SCC version and architecture you downloaded.
    unzip scc-5.4.2_rhel7_sles12-15_oracle-linux7_x86_64_bundle.zip
    cd scc-5.4.2_rhel7_x86_64/
    sudo rpm -i scc-5.4.2.rhel7.x86_64.rpm
  3. Zip the SCAP content .xml file before importing it into the SCC tool.

    For the SSG "stig" profile:

    zip ssg_content.zip /usr/share/xml/scap/ssg/content/xml-document
    sudo /opt/scc/cscc -is ssg_content.zip

    For the Oracle Linux DISA STIG Benchmark:

    zip scap_content.zip path-to-disa-benchmark-xml-document
    sudo /opt/scc/cscc -is scap_content.zip
  4. Configure SCC to scan against the imported content:
    sudo /opt/scc/cscc --config
  5. Perform the scan using the command line menu:
    1. Enter 1 to configure SCAP content.
    2. Enter clear and then enter the number that matches the imported SCAP content.

      In the following example, you would enter 2 for the imported SCAP content for Oracle Linux 7.

      SCC 5.4.2 Available SCAP Content                        [Version]  [Date]    
      1.  [ ]  Mozilla_Firefox_RHEL                           005.003    2021-06-09
      2.  [X]  OL-7                                           0.1.54     2021-09-23
      3.  [ ]  Oracle_Linux_7_STIG                            002.004    2021-06-14
      4.  [ ]  RHEL_6_STIG                                    002.002    2020-12-04
      5.  [ ]  RHEL_7_STIG                                    003.004    2021-06-14
      6.  [ ]  RHEL_8_STIG                                    001.002    2021-06-14
      7.  [ ]  SLES_12_STIG                                   002.004    2021-06-14
      
    3. Enter 0 to return to the main menu.
    4. Enter 2 to configure the SCAP profile.
    5. Enter 1 to select the profile. Verify "stig" is selected.
      Available Profiles for OL-7
      
      1.  [ ] no_profile_selected
      2.  [X] stig
    6. Return to the main menu. Enter 9 to save changes and perform a scan on the system.
      The scan might take 25 to 30 minutes.

Revision History for Oracle Linux STIG Image

Oracle updates the Oracle Linux STIG Image regularly to address security issues.

If you are deploying an older Oracle Linux STIG Image, you might want to perform a subsequent scan to check for regular, quarterly DISA STIG updates. See Rescanning an Instance for Compliance for more information.

Oracle Linux 8

Oracle-Linux-8.9-STIG January 2024
This information is for:
  • Oracle Linux-8.9-2024.01.25-STIG (for x86_64)
  • Oracle Linux-8.9-aarch64-2024.01.25-STIG (for aarch64)
Image Information
  • kernel-uek: 5.15.0-202.135.2.el8uek
  • First release of Oracle Linux 8.9 hardened against DISA STIG for Oracle Linux 8 Ver 1, Rel 8.
  • Updated system packages to the latest versions that are available, with security fixes.
  • Additional STIG rule remediations applied to the image, see the Using the Checklist to View Additional Configurations.
  • Checklist files in /usr/share/xml/stig:
    • OL8_SSG_STIG_V1R8_CHECKLIST_RELEASE.ckl
    • OL8_DISA_BENCHMARK_V1R7_CHECKLIST_RELEASE.ckl
Compliance Information

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 8

  • Checklist Compliance Score for x86_64: 67.50%
  • Checklist Compliance Score for aarch64: 67.40%

Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 7 Benchmark profile

  • Checklist Compliance Score for x86_64: 78.92%
  • Checklist Compliance Score for aarch64: 78.92%
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.
Oracle-Linux-8.8-STIG July 2023
This information is for:
  • Oracle Linux-8.8-2023.07.06-STIG (for x86_64)
  • Oracle Linux-8.8-aarch64-2023.07.06-STIG (for aarch64)
Image Information
  • kernel-uek: 5.15.0-102.110.5.1.el8uek
  • First release of Oracle Linux 8.8 hardened against DISA STIG for Oracle Linux 8 Ver 1, Rel 6.
  • Updated system packages to the latest versions that are available, with security fixes.
  • Additional STIG rule remediations applied to the image, see the Using the Checklist to View Additional Configurations.
  • Checklist files in /usr/share/xml/stig:
    • OL8_SSG_STIG_V1R6_CHECKLIST_RELEASE.ckl
    • OL8_DISA_BENCHMARK_V1R5_CHECKLIST_RELEASE.ckl
Compliance Information

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 6

  • Checklist Compliance Score for x86_64: 64.81%
  • Checklist Compliance Score for aarch64: 64.54%

Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 5 Benchmark profile

  • Checklist Compliance Score for x86_64: 78.92%
  • Checklist Compliance Score for aarch64: 78.92%
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.
Oracle-Linux-8.7-STIG April 2023
This information is for:
  • Oracle Linux-8.7-2023.04.26-STIG (for x86_64)
  • Oracle Linux-8.7-aarch64-2023.04.26-STIG (for aarch64)
Image Information
  • kernel-uek: 5.15.0-100.96.32.el8uek
  • First release of Oracle Linux 8.7 hardened against DISA STIG for Oracle Linux 8 Ver 1, Rel 5.
  • Updated system packages to the latest versions that are available, with security fixes.
  • Additional STIG rule remediations applied to the image, see the Using the Checklist to View Additional Configurations.
  • Checklist files in /usr/share/xml/stig:
    • OL8_SSG_STIG_V1R5_CHECKLIST_RELEASE.ckl
    • OL8_DISA_BENCHMARK_V1R4_CHECKLIST_RELEASE.ckl
Compliance Information

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 8 Ver 1, Rel 5

  • Checklist Compliance Score for x86_64: 63.78%
  • Checklist Compliance Score for aarch64: 63.50%

Target: DISA STIG for Oracle Linux 8 Ver 1, Rel 4 Benchmark profile

  • Checklist Compliance Score for x86_64: 79.25%
  • Checklist Compliance Score for aarch64: 79.25%
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.

Oracle Linux 7

Oracle-Linux-7.9-STIG December 2023

This information is for:

  • Oracle Linux-7.9-2023.11.30-STIG (for x86_64)
  • Oracle Linux-7.9-aarch64-2023.11.30-STIG (for aarch64)
Image Information
  • kernel-uek: 5.4.17-2136.325.5.1.el7uek
  • Updated system packages to the latest versions that are available, with security fixes.
  • Compliance target is the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 13.
  • Minimum SSG version: scap-security-guide-0.1.69-1.0.1
  • Additional STIG rule remediations applied to the image, see the Using the Checklist to View Additional Configurations.
  • Checklist files in /usr/share/xml/stig:
    • OL7_SSG_STIG_V2R13_CHECKLIST_RELEASE.ckl
    • OL7_DISA_BENCHMARK_V1R13_CHECKLIST_RELEASE.ckl
Compliance Information

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 13

  • Checklist Compliance Score x86_64: 81.36%
  • Checklist Compliance Score aarch64: 81.36%

Target: DISA STIG for Oracle Linux 7 Ver 2, Rel 13 Benchmark profile

  • Checklist Compliance Score x86_64: 91.71%
  • Checklist Compliance Score aarch64: 91.71%
Note

The STIG standard from DISA had no significant changes, other than wording, between Oracle Linux 7 Ver 2, Rel 12 and Oracle Linux 7 Ver 2, Rel 13. Because of this, any system compliant with Oracle Linux 7 Ver 2, Rel 12 is also compliant with Oracle Linux 7 Ver 2, Rel 13.
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.
Oracle-Linux-7.9-STIG May 2023

This information is for:

  • Oracle Linux-7.9-2023.05.31-STIG (for x86_64)
  • Oracle Linux-7.9-aarch64-2023.05.31-STIG (for aarch64)
Image Information
  • kernel-uek: 5.4.17-2136.319.1.3.el7uek
  • Updated system packages to the latest versions that are available, with security fixes.
  • Compliance target transitioned to the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 11.
  • Additional STIG rule remediations applied to the image, see the Using the Checklist to View Additional Configurations.
  • Checklist files in /usr/share/xml/stig:
    • OL7_SSG_STIG_V2R11_CHECKLIST_RELEASE.ckl
    • OL7_DISA_BENCHMARK_V1R11_CHECKLIST_RELEASE.ckl
Compliance Information

Target: SSG "stig" profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 11

  • Checklist Compliance Score x86_64: 81.36%
  • Checklist Compliance Score aarch64: 81.36%

Target: DISA STIG for Oracle Linux 7 Ver 2, Rel 11 Benchmark profile

  • Checklist Compliance Score x86_64: 91.71%
  • Checklist Compliance Score aarch64: 91.71%
Note

The higher compliance scores for the DISA STIG Benchmark reflect a more limited scope of rules compared to the complete DISA STIG. However, the SSG "stig" profile accounts for the full DISA STIG, providing a more comprehensive evaluation of the image's compliance.

Older Images

Oracle-Linux-7.9-aarch64-2022.08.29-STIG
  • kernel-uek: 5.4.17-2136.310.7.1.el7uek.aarch64
  • Updated system packages to the latest versions that are available, with security fixes.
  • Additional STIG rule remediations applied to the image. See Additional Remediations.
  • Compliance transition from DISA STIG Benchmark Ver 2, Rel 4 to the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.

Compliance Information

  • Target: SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8
  • OpenSCAP Compliance Score: 80.83%
Additional Remediations

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the Oracle Linux 7 Security Technical Implementation Guide.

  1. Review the table that follows and ensure that you understand potential impacts to the instance if you remediate.

  2. Download the latest STIG from https://public.cyber.mil/stigs/downloads/ by searching for Oracle Linux and selecting a version.

  3. Download the DISA STIG Viewer Tool from: https://public.cyber.mil/stigs/srg-stig-tools/
  4. Open the xccdf.xml file for the STIG in the Viewer.
  5. For every rule in the table below that you want to fix, do the following:

    1. Search for the rule's STIG-ID in the guide to go to the appropriate section that explains the rule, the vulnerabilities, and the steps to comply with the rule.

    2. Perform the provided configuration steps.

The following table describes the areas of guidance not included in the Oracle Linux STIG Image, which require additional configuration, and calls out additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

The rules marked as having automation support have built-in automation to check the rule requirements and apply the required remediations, if needed. Any rules without automation support need to be manually reviewed by a user on a system because automation checks against the rule requirements aren't supported or no remediation script is available.

Each entry lists the STIG-ID, the rule description, whether automation support is available (Yes/No), and the reason for exclusion. Entries marked IMPORTANT OCI IMPACT describe a remediation that can break access to, or booting of, an Oracle Cloud Infrastructure instance.

OL07-00-010050
  Rule Description: The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
  Automation Support: Yes
  Reason for Exclusion: Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement.

OL07-00-010230
  Rule Description: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010240
  Rule Description: The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010250
  Rule Description: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010260
  Rule Description: The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  Automation Support: No
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. Password lifetime rules enforced through PAM also affect SSH key logins to the account.
  IMPORTANT OCI IMPACT: Restricting existing passwords to a 60-day maximum lifetime can result in the OPC account being irretrievably locked after 60 days, because the account has no password that could be changed.

OL07-00-010320
  Rule Description: The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010330
  Rule Description: The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010340
  Rule Description: The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
  Automation Support: Yes
  Reason for Exclusion: The Oracle Cloud Infrastructure default configuration grants the OPC account NOPASSWD sudo access.

OL07-00-010342
  Rule Description: The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.
  Automation Support: Yes
  Reason for Exclusion: Affects the default OPC login account.

OL07-00-010491
  Rule Description: Oracle Linux operating systems version 7.2 or later booted with Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
  Automation Support: No
  Reason for Exclusion: Requires a GRUB 2 password, which is not feasible for the default image.
  IMPORTANT OCI IMPACT: Implementing a GRUB 2 password would introduce a password prompt on instance boot.

OL07-00-010492
  Rule Description: Oracle Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
  Automation Support: No
  Reason for Exclusion: Requires changing the default superuser name, which affects booting as the GRUB superuser.

OL07-00-010500
  Rule Description: The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
  Automation Support: Yes
  Reason for Exclusion: Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.

OL07-00-020019
  Rule Description: The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.
  Automation Support: No
  Reason for Exclusion: Oracle Linux does not ship with virus scan software; user configuration is needed.

OL07-00-020020
  Rule Description: The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  Automation Support: No
  Reason for Exclusion: Requires obtaining the specific list of authorized users from the user's ISSO.

OL07-00-020021
  Rule Description: The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege.
  Automation Support: No
  Reason for Exclusion: Requires review by the user's SA/ISSO to determine SELinux role mapping conformity.

OL07-00-020023
  Rule Description: The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command.
  Automation Support: No
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-020030
  Rule Description: The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.
  Automation Support: Yes
  Reason for Exclusion: AIDE or another file integrity tool is expected to be configured by the user on the target image.

OL07-00-020040
  Rule Description: The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.
  Automation Support: Yes
  Reason for Exclusion: Requires AIDE to be installed before the configuration can be applied.

OL07-00-020270
  Rule Description: The Oracle Linux operating system must not have unnecessary accounts.
  Automation Support: No
  Reason for Exclusion: Requires obtaining the specific list of authorized system accounts from the user's ISSO.

OL07-00-020680
  Rule Description: The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive.
  Automation Support: No
  Reason for Exclusion: Restricts file permission access for system services.

OL07-00-020720
  Rule Description: The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.
  Automation Support: No
  Reason for Exclusion: Affects access to user binaries and utilities.

OL07-00-021000
  Rule Description: The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.
  Automation Support: Yes
  Reason for Exclusion: Affects users' ability to execute binary files within their home directories.

OL07-00-021300
  Rule Description: The Oracle Linux operating system must disable Kernel core dumps unless needed.
  Automation Support: Yes
  Reason for Exclusion: The kdump service is needed for diagnostic purposes in case of kernel crashes.

OL07-00-021350
  Rule Description: The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  Automation Support: No
  Reason for Exclusion: The rescue kernel command line excludes the fips=1 parameter.
  IMPORTANT OCI IMPACT: Adding fips=1 to the rescue kernel command line could result in the instance failing to boot with a fatal error.

OL07-00-021600
  Rule Description: The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).
  Automation Support: Yes
  Reason for Exclusion: Requires AIDE to be installed before the configuration can be applied.

OL07-00-021610
  Rule Description: The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.
  Automation Support: Yes
  Reason for Exclusion: Requires AIDE to be installed before the configuration can be applied.

OL07-00-021620
  Rule Description: The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
  Automation Support: Yes
  Reason for Exclusion: Requires AIDE to be installed before the configuration can be applied.

OL07-00-030010
  Rule Description: The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) if an audit processing failure occurs.
  Automation Support: Yes
  Reason for Exclusion: The default value of the auditd failure parameter is 1, which only logs the failure to the kernel log instead of shutting down the instance.
  IMPORTANT OCI IMPACT: Setting the failure parameter to 2 results in a kernel panic and shutdown when an audit processing failure occurs.

OL07-00-030201
  Rule Description: The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
  Automation Support: No
  Reason for Exclusion: The au-remote plugin configuration requires details of a remote server.

OL07-00-030300
  Rule Description: The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.
  Automation Support: Yes
  Reason for Exclusion: The au-remote plugin configuration requires details of a remote server.

OL07-00-030310
  Rule Description: The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
  Automation Support: Yes
  Reason for Exclusion: The au-remote plugin configuration requires details of a remote server.

OL07-00-030320
  Rule Description: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
  Automation Support: No
  Reason for Exclusion: The au-remote plugin configuration requires details of a remote server.

OL07-00-030321
  Rule Description: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when an error occurs sending audit records to a remote system.
  Automation Support: No
  Reason for Exclusion: The au-remote plugin configuration requires details of a remote server.

OL07-00-031000
  Rule Description: The Oracle Linux operating system must send rsyslog output to a log aggregation server.
  Automation Support: Yes
  Reason for Exclusion: Requires a remote server to receive the rsyslog output.

OL07-00-032000
  Rule Description: The Oracle Linux operating system must use a virus scan program.
  Automation Support: No
  Reason for Exclusion: Oracle Linux does not ship with virus scan software; user configuration is needed.

OL07-00-040100
  Rule Description: The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
  Automation Support: No
  Reason for Exclusion: Requires review of ports, protocols, and services as defined by the user's PPSM CLSA.

OL07-00-040160
  Rule Description: The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
  Automation Support: Yes
  Reason for Exclusion: May be disruptive to user workloads.
OL07-00-040170 The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts. Yes Requires user consent of the Standard Mandatory DoD Notice and Consent Agreement.

OL07-00-040420

The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.

Yes Changes default permissions of SSH private host key generated by system service.

OL07-00-040600

At least two name servers must be configured for the Oracle Linux operating systems using DNS resolution.

No

Oracle Cloud Infrastructure provides a highly available DNS server.

OL07-00-040710 1

The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements

Yes

Affects instance serial console connectivity.

IMPORTANT OCI IMPACT: Disabling remote X connections could result in failure to connect to the OCI instance's serial console.

OL07-00-040711 The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. Yes Affects user's access to Oracle Cloud Infrastructure instances.

OL07-00-040810

The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.

No Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.

OL07-00-040820

The Oracle Linux operating system must not have unauthorized IP tunnels configured.

No Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections.

OL07-00-041002

The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM).

No

Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.

OL07-00-041003

The Oracle Linux operating system must implement certificate status checking for PKI authentication.

Yes

Certificate status checking for PKI authentication not configured on default Oracle Cloud Infrastructure image.

1 Remediating these rules can have a significant impact on the systems' accessibility.

Changelog

STIG-ID | Rule Description | Reason for Exclusion | Status | Comments
OL07-00-010050 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement. | Added | Added to exclusion list in V2R8
OL07-00-010320 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-010330 | The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-010492 | Oracle Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Requires changing the default superuser name. Affects grub superuser booting. | Added | Added to exclusion list in V2R8
OL07-00-010500 | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image. | Added | Added to exclusion list in V2R8
OL07-00-020019 | The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Oracle Linux does not ship with virus scan software; user configuration is needed. | Added | Added to exclusion list in V2R8
OL07-00-020020 | The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Requires obtaining a specific list of authorized users from the user's ISSO. | Added | Added to exclusion list in V2R8
OL07-00-020021 | The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege. | Requires review by the user's SA/ISSO to determine SELinux role mapping conformity. | Added | Added to exclusion list in V2R8
OL07-00-020023 | The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-020040 | The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-020270 | The Oracle Linux operating system must not have unnecessary accounts. | Requires obtaining a specific list of authorized system accounts from the user's ISSO. | Added | Added to exclusion list in V2R8
OL07-00-020680 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive. | Restricts file permission access to system services. | Added | Added to exclusion list in V2R8
OL07-00-020720 | The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory. | Affects access to user binaries and utilities. | Added | Added to exclusion list in V2R8
OL07-00-021000 | The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Affects the user's ability to execute binary files within their home directories. | Added | Added to exclusion list in V2R8
OL07-00-021300 | The Oracle Linux operating system must disable kernel core dumps unless needed. | The kdump service is needed for diagnostic purposes in case of kernel crashes. | Added | Added to exclusion list in V2R8
OL07-00-021600 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-021610 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-021620 | The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-031000 | The Oracle Linux operating system must send rsyslog output to a log aggregation server. | Requires a remote server for transmitting rsyslog information. | Added | Added to exclusion list in V2R8
OL07-00-032000 | The Oracle Linux operating system must use a virus scan program. | Oracle Linux does not ship with virus scan software; user configuration is needed. | Added | Added to exclusion list in V2R8
OL07-00-040100 | The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. | Requires review of ports, protocols, and/or services as defined by the user's PPSM CLSA. | Added | Added to exclusion list in V2R8
OL07-00-040160 | The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | May be disruptive to user workloads. | Added | Added to exclusion list in V2R8
OL07-00-040170 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts. | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement. | Added | Added to exclusion list in V2R8
OL07-00-040420 | The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive. | Changes the default permissions of the SSH private host keys generated by the system service. | Added | Added to exclusion list in V2R8
OL07-00-040711 | The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | Affects the user's access to Oracle Cloud Infrastructure instances. | Added | Added to exclusion list in V2R8
OL07-00-040810 | The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | Requires review of specific hosts and services access. Access must be allowed by the user's grant policy. | Added | Added to exclusion list in V2R8
OL07-00-040820 | The Oracle Linux operating system must not have unauthorized IP tunnels configured. | Requires review by the user's SA/ISSO to determine authorized IPsec tunnel connections. | Added | Added to exclusion list in V2R8

Oracle-Linux-7.9-aarch64-2021.10.08-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-aarch64-2021.10.08-STIG was released 12/16/2021.

Image Information

  • UEK R6 kernel version: 5.4.17-2102.205.7.3.el7uek.aarch64.

  • First release of the Oracle Linux STIG Image based on the Arm architecture (aarch64).

  • Latest versions of Oracle Linux 7.9 system packages, with security fixes.

Compliance Information

  • Target: Oracle Linux 7 DISA STIG Benchmark - Ver 2, Rel 4.

  • OpenSCAP compliance score: 89.44%.

Oracle-Linux-7.9-2022.08.29-STIG

Image Information

  • kernel-uek: 5.4.17-2136.310.7.1.el7uek.x86_64
  • Updated system packages to the latest versions that are available, with security fixes.
  • Additional STIG rule remediations applied to the image. See Additional Remediations.
  • Compliance transition from DISA STIG Benchmark Ver 2, Rel 4 to the SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.

Compliance Information

  • Target: SSG profile aligned with DISA STIG for Oracle Linux 7 Ver 2, Rel 8.
  • OpenSCAP Compliance Score: 80.76%.
  • SCC Compliance Score: 80.77%.

Additional Remediations

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the Oracle Linux 7 Security Technical Implementation Guide.

  1. Review the table that follows and ensure that you understand the potential impacts to the instance if you remediate.

  2. Download the latest STIG from https://public.cyber.mil/stigs/downloads/ by searching for Oracle Linux and selecting a version.

  3. Download the DISA STIG Viewer tool from: https://public.cyber.mil/stigs/srg-stig-tools/

  4. Open the xccdf.xml file for the STIG in the Viewer.

  5. For every rule in the table below that you want to fix, do the following:

    1. Search for the rule's STIG-ID in the guide to go to the section that explains the rule, the vulnerabilities, and the steps to comply with the rule.

    2. Perform the provided configuration steps.

The following table describes the areas of guidance not included in the Oracle Linux STIG Image, which require additional configuration, and calls out additional configurations that might affect the instance's default Oracle Cloud Infrastructure account.

The rules marked as having automation support have built-in automation to check the rule requirements and apply the required remediations, if needed. Any rules without automation support need to be manually reviewed by a user on a system because automation checks against the rule requirements aren't supported or no remediation script is available.

STIG-ID | Rule Description | Automation Support | Reason for Exclusion
OL07-00-010050 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Yes | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-010230 | The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime. | Yes | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-010240 | The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime. | Yes | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-010250 | The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime. | Yes | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-010260 (1) | The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | No | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. PAM password lifetime rules also apply to SSH key logins. IMPORTANT OCI IMPACT: Restricting existing passwords to a 60-day maximum lifetime can result in the OPC account being irretrievably locked after 60 days, because the account is configured without a password.
OL07-00-010320 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame. | Yes | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-010330 | The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period. | Yes | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-010340 | The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation. | Yes | In the Oracle Cloud Infrastructure default configuration, NOPASSWD is set for the OPC account.
OL07-00-010342 | The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command. | Yes | Affects the default OPC login account.
OL07-00-010491 (1) | Oracle Linux operating systems version 7.2 or later using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. | No | Requires a GRUB 2 password, which is not feasible for the default image. IMPORTANT OCI IMPACT: Implementing a GRUB 2 password would introduce a password prompt on instance boot.
OL07-00-010492 | Oracle Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | No | Requires changing the default superuser name. Affects grub superuser booting.
OL07-00-010500 | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Yes | Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-020019 | The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool. | No | Oracle Linux does not ship with virus scan software; user configuration is needed.
OL07-00-020020 | The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | No | Requires obtaining a specific list of authorized users from the user's ISSO.
OL07-00-020021 | The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege. | No | Requires review by the user's SA/ISSO to determine SELinux role mapping conformity.
OL07-00-020023 | The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command. | No | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.
OL07-00-020030 | The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly. | Yes | AIDE or another intrusion detection system is expected to be configured on the target image.
OL07-00-020040 | The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner. | Yes | Requires the AIDE intrusion detection system to be installed before configuration.
OL07-00-020270 | The Oracle Linux operating system must not have unnecessary accounts. | No | Requires obtaining a specific list of authorized system accounts from the user's ISSO.
OL07-00-020680 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive. | No | Restricts file permission access to system services.
OL07-00-020720 | The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory. | No | Affects access to user binaries and utilities.
OL07-00-021000 | The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Yes | Affects the user's ability to execute binary files within their home directories.
OL07-00-021300 | The Oracle Linux operating system must disable kernel core dumps unless needed. | Yes | The kdump service is needed for diagnostic purposes in case of kernel crashes.
OL07-00-021350 (1) | The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | No | Rescue kernel cmdline exclusion of the fips=1 parameter. IMPORTANT OCI IMPACT: Adding fips=1 to the rescue kernel cmdline could result in the instance failing to boot with a fatal error.
OL07-00-021600 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Yes | Requires the AIDE intrusion detection system to be installed before configuration.
OL07-00-021610 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Yes | Requires the AIDE intrusion detection system to be installed before configuration.
OL07-00-021620 | The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Yes | Requires the AIDE intrusion detection system to be installed before configuration.
OL07-00-030010 (1) | The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) if an audit processing failure occurs. | Yes | The default setting of the audit failure parameter is 1, which only logs the failure to the kernel log instead of shutting down the instance. IMPORTANT OCI IMPACT: Setting the failure parameter to 2 would result in a system panic and shutdown when an audit processing failure occurs.
OL07-00-030201 | The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited. | No | The au-remote plugin configuration presumes remote server details.
OL07-00-030300 | The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited. | Yes | The au-remote plugin configuration presumes remote server details.
OL07-00-030310 | The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. | Yes | The au-remote plugin configuration presumes remote server details.
OL07-00-030320 | The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full. | No | The au-remote plugin configuration presumes remote server details.
OL07-00-030321 | The Oracle Linux operating system must be configured so that the audit system takes appropriate action when an error occurs sending audit records to a remote system. | No | The au-remote plugin configuration presumes remote server details.
OL07-00-031000 | The Oracle Linux operating system must send rsyslog output to a log aggregation server. | Yes | Requires a remote server for transmitting rsyslog information.
OL07-00-032000 | The Oracle Linux operating system must use a virus scan program. | No | Oracle Linux does not ship with virus scan software; user configuration is needed.
OL07-00-040100 | The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. | No | Requires review of ports, protocols, and/or services as defined by the user's PPSM CLSA.
OL07-00-040160 | The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | Yes | May be disruptive to user workloads.
OL07-00-040170 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts. | Yes | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement.
OL07-00-040420 | The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive. | Yes | Changes the default permissions of the SSH private host keys generated by the system service.
OL07-00-040600 | At least two name servers must be configured for Oracle Linux operating systems using DNS resolution. | No | Oracle Cloud Infrastructure provides a highly available DNS server.
OL07-00-040710 (1) | The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. | Yes | Affects instance serial console connectivity. IMPORTANT OCI IMPACT: Disabling remote X connections could result in failure to connect to the OCI instance's serial console.
OL07-00-040711 | The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. | Yes | Affects the user's access to Oracle Cloud Infrastructure instances.
OL07-00-040810 | The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | No | Requires review of specific hosts and services access. Access must be allowed by the user's grant policy.
OL07-00-040820 | The Oracle Linux operating system must not have unauthorized IP tunnels configured. | No | Requires review by the user's SA/ISSO to determine authorized IPsec tunnel connections.
OL07-00-041002 | The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM). | No | Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
OL07-00-041003 | The Oracle Linux operating system must implement certificate status checking for PKI authentication. | Yes | Certificate status checking for PKI authentication is not configured on the default Oracle Cloud Infrastructure image.

(1) Remediating these rules can have a significant impact on the system's accessibility.
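The three OCI-impacting rules in the table above (OL07-00-030010, OL07-00-021350 and OL07-00-010260) can be checked on an instance before any remediation is applied. The following script is an added example, not part of the Oracle documentation: it parses the output of auditctl -s, grubby --info=ALL, passwd -S and chage -l, and the sample outputs embedded in it are constructed (the machine-id and UUID are placeholders).

```shell
#!/bin/sh
# Pre-flight checks for three rules the table marks "IMPORTANT OCI IMPACT":
# OL07-00-030010 (auditd failure mode), OL07-00-021350 (fips=1 on the rescue
# kernel) and OL07-00-010260 (password lifetime on the passwordless opc user).
# Added example, not Oracle's code. Each check parses command output handed
# to it as text, so it runs against the constructed samples below; pass
# --live on an instance to run it against auditctl, grubby, passwd and chage.

# OL07-00-030010: read the "failure" value from `auditctl -s` output.
# 0 = silent, 1 = printk to the kernel log (image default), 2 = panic.
audit_failure_mode() {
    printf '%s\n' "$1" | awk '$1 == "failure" { print $2; exit }'
}

describe_audit_failure() {
    case "$(audit_failure_mode "$1")" in
        0) echo "silent: audit failures are dropped without notice (non-compliant)" ;;
        1) echo "log-only: failures go to the kernel log; add alerting to SA/ISSO" ;;
        2) echo "panic: the instance halts on audit failure (OCI impact)" ;;
        *) echo "unknown: auditd not running or output not recognised" ;;
    esac
}

# OL07-00-021350: from `grubby --info=ALL` text print one line per boot entry,
# "<rescue|normal> <fips=1|no-fips> <kernel path>". The kernel= line precedes
# the args= line of the same entry, so the last kernel seen belongs to it.
fips_entries() {
    printf '%s\n' "$1" | awk '
        /^kernel=/ { kernel = $0; sub(/^kernel=/, "", kernel); gsub(/"/, "", kernel) }
        /^args=/ {
            a = " " $0 " "; gsub(/"/, " ", a)        # pad so " fips=1 " is a whole token
            fips = (a ~ / fips=1 /) ? "fips=1" : "no-fips"
            kind = (kernel ~ /rescue/) ? "rescue" : "normal"
            print kind, fips, kernel
        }'
}

# Number of rescue entries carrying fips=1; the page notes that this setting
# can leave the instance unable to boot.
rescue_fips_count() {
    fips_entries "$1" | awk '$1 == "rescue" && $2 == "fips=1" { n++ } END { print n + 0 }'
}

# OL07-00-010260: a maximum lifetime on an account whose password is locked
# (LK) or empty (NP) ends in a lockout once the password "expires", and PAM
# applies that to SSH key logins as well. Arguments: the `passwd -S user`
# line and the `chage -l user` text.
password_lifetime_risk() {
    pw_status=$(printf '%s\n' "$1" | awk '{ print $2 }')
    max_days=$(printf '%s\n' "$2" |
        awk -F: '/^Maximum number of days/ { gsub(/[ \t]/, "", $2); print $2 }')
    if [ "$pw_status" != "LK" ] && [ "$pw_status" != "NP" ]; then
        echo "ok: account has a usable password; lifetime limits apply normally"
    elif [ "${max_days:-99999}" -le 60 ]; then
        echo "risk: passwordless account with a ${max_days}-day maximum lifetime will lock out"
    else
        echo "ok: passwordless account with no effective maximum lifetime"
    fi
}

# On a real instance (run as root) feed the live command output to the checks.
run_live_checks() {
    describe_audit_failure "$(auditctl -s 2>/dev/null)"
    echo "rescue entries with fips=1: $(rescue_fips_count "$(grubby --info=ALL 2>/dev/null)")"
    password_lifetime_risk "$(passwd -S opc 2>/dev/null)" "$(chage -l opc 2>/dev/null)"
}

# Constructed samples in the shape of the real command output; the machine-id
# and UUID are placeholders, the kernel version is the one listed on this page.
SAMPLE_AUDITCTL='enabled 1
failure 1
pid 812'

SAMPLE_GRUBBY='index=0
kernel=/boot/vmlinuz-5.4.17-2136.310.7.1.el7uek.x86_64
args="ro crashkernel=auto LANG=en_US.UTF-8 fips=1"
title=Oracle Linux Server (5.4.17-2136.310.7.1.el7uek.x86_64) 7.9
index=1
kernel=/boot/vmlinuz-0-rescue-PLACEHOLDERMACHINEID
args="ro crashkernel=auto fips=1"
title=Oracle Linux Server (0-rescue-PLACEHOLDERMACHINEID) 7.9'

SAMPLE_PASSWD_S='opc LK 2021-10-08 0 99999 7 -1 (Password locked.)'
SAMPLE_CHAGE='Last password change : Oct 08, 2021
Password expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 60
Number of days of warning before password expires : 7'

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    describe_audit_failure "$SAMPLE_AUDITCTL"
    fips_entries "$SAMPLE_GRUBBY"
    echo "rescue entries with fips=1: $(rescue_fips_count "$SAMPLE_GRUBBY")"
    password_lifetime_risk "$SAMPLE_PASSWD_S" "$SAMPLE_CHAGE"
fi
```

A "risk" or "panic" result means the corresponding remediation should be planned together with its OCI impact (alerting instead of panic, a usable password for opc, fips=1 left off the rescue entry) rather than applied as-is.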

Changelog

STIG-ID | Rule Description | Reason for Exclusion | Status | Comments
OL07-00-010050 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement. | Added | Added to exclusion list in V2R8
OL07-00-010320 | The Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute time frame. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-010330 | The Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-010492 | Oracle Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Requires changing the default superuser name. Affects grub superuser booting. | Added | Added to exclusion list in V2R8
OL07-00-010500 | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image. | Added | Added to exclusion list in V2R8
OL07-00-020019 | The Oracle Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Oracle Linux does not ship with virus scan software; user configuration is needed. | Added | Added to exclusion list in V2R8
OL07-00-020020 | The Oracle Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Requires obtaining a specific list of authorized users from the user's ISSO. | Added | Added to exclusion list in V2R8
OL07-00-020021 | The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege. | Requires review by the user's SA/ISSO to determine SELinux role mapping conformity. | Added | Added to exclusion list in V2R8
OL07-00-020023 | The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command. | Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. | Added | Added to exclusion list in V2R8
OL07-00-020040 | The Oracle Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-020270 | The Oracle Linux operating system must not have unnecessary accounts. | Requires obtaining a specific list of authorized system accounts from the user's ISSO. | Added | Added to exclusion list in V2R8
OL07-00-020680 | The Oracle Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 750 or less permissive. | Restricts file permission access to system services. | Added | Added to exclusion list in V2R8
OL07-00-020720 | The Oracle Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the user's home directory. | Affects access to user binaries and utilities. | Added | Added to exclusion list in V2R8
OL07-00-021000 | The Oracle Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed. | Affects the user's ability to execute binary files within their home directories. | Added | Added to exclusion list in V2R8
OL07-00-021300 | The Oracle Linux operating system must disable kernel core dumps unless needed. | The kdump service is needed for diagnostic purposes in case of kernel crashes. | Added | Added to exclusion list in V2R8
OL07-00-021600 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs). | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-021610 | The Oracle Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-021620 | The Oracle Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Requires the AIDE intrusion detection system to be installed before configuration. | Added | Added to exclusion list in V2R8
OL07-00-031000 | The Oracle Linux operating system must send rsyslog output to a log aggregation server. | Requires a remote server for transmitting rsyslog information. | Added | Added to exclusion list in V2R8
OL07-00-032000 | The Oracle Linux operating system must use a virus scan program. | Oracle Linux does not ship with virus scan software; user configuration is needed. | Added | Added to exclusion list in V2R8
OL07-00-040100 | The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. | Requires review of ports, protocols, and/or services as defined by the user's PPSM CLSA. | Added | Added to exclusion list in V2R8
OL07-00-040160 | The Oracle Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | May be disruptive to user workloads. | Added | Added to exclusion list in V2R8
OL07-00-040170 | The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts. | Requires user consent to the Standard Mandatory DoD Notice and Consent Agreement. | Added | Added to exclusion list in V2R8

OL07-00-040420

The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.

Changes default permissions of SSH private host key generated by system service. Added Added to exclusion list in V2R8
OL07-00-040711 The Oracle Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display. Affects user's access to Oracle Cloud Infrastructure instances. Added Added to exclusion list in V2R8

OL07-00-040810

The Oracle Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.

Requires review of specific hosts and services access. Access must be allowed by the user's grant policy. Added Added to exclusion list in V2R8

OL07-00-040820

The Oracle Linux operating system must not have unauthorized IP tunnels configured.

Requires review from a user's SA/ISSO to determine authorized IPSec Tunnel connections. Added Added to exclusion list in V2R8
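
The rules above stay on the exclusion list because the image cannot know your site's values (log server, authorized accounts, tunnels) or because the setting can break instance access; after you remediate them by hand, you still want a quick, read-only confirmation before rescanning with SCC. The following POSIX shell script is an added example and is not code from the Oracle Linux STIG image or from Oracle. Each check_* function takes the configuration text as an argument rather than a path, so it can be run offline against copies of the files; the pass criteria follow the STIG check text for each rule (TMOUT of at most 900 seconds, X11UseLocalhost yes, acl/xattrs/sha512 in the AIDE rules, the three negated sudo password options, fips=1 on every non-rescue kernel entry) and should be confirmed against the benchmark release you scan with. The file paths, the --system flag, the script name and the use of grubby --info=ALL for the kernel command lines are this example's own assumptions; the constructed sample inputs used for testing are not taken from any real instance.

```shell
#!/bin/sh
# Added example; not code from the Oracle Linux STIG image or Oracle tooling.
# Read-only spot checks for several rules left on the exclusion list above,
# to verify manual remediation before rescanning with SCC. Each check_*
# function takes configuration TEXT (not a path) and returns 0 when the
# setting matches the STIG check text, 1 otherwise, 2 when not applicable.
# Expected values are assumptions taken from the rule titles above.

# OL07-00-021000: file system holding /home is mounted nosuid.
# Argument: output of `mount`. N/A when /home is not a separate mount.
check_home_nosuid() {
    line=$(printf '%s\n' "$1" | grep -E ' on /home ' || true)
    [ -n "$line" ] || return 2
    printf '%s\n' "$line" | grep -qE '[(,]nosuid[,)]'
}

# OL07-00-040160: TMOUT of 900 seconds or less, readonly and exported.
# Argument: concatenated contents of /etc/profile.d/*.sh.
check_tmout() {
    val=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(readonly[[:space:]]+)?TMOUT=[0-9]+' \
        | tail -n 1 | sed -E 's/.*TMOUT=([0-9]+).*/\1/')
    [ -n "$val" ] && [ "$val" -gt 0 ] && [ "$val" -le 900 ] || return 1
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*readonly[[:space:]]+TMOUT' || return 1
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*export[[:space:]]+TMOUT'
}

# sshd applies the first occurrence of a keyword, so report the first
# uncommented value, lower-cased. Arguments: sshd_config text, keyword.
sshd_option() {
    printf '%s\n' "$1" | grep -iE "^[[:space:]]*$2[[:space:]]+" | head -n 1 \
        | awk '{ print tolower($2) }'
}

# OL07-00-040711: X11UseLocalhost must be an explicit "yes" (missing is a
# finding). OL07-00-040710: X11Forwarding must not be "yes" (missing is
# acceptable; the daemon default is "no").
check_sshd_x11() {
    [ "$(sshd_option "$1" X11UseLocalhost)" = yes ] || return 1
    fwd=$(sshd_option "$1" X11Forwarding)
    [ -z "$fwd" ] || [ "$fwd" = no ]
}

# OL07-00-021600/021610/021620: AIDE rule definitions include acl, xattrs
# and the FIPS-approved sha512 hash. Argument: contents of /etc/aide.conf.
check_aide_rules() {
    rules=$(printf '%s\n' "$1" | grep -vE '^[[:space:]]*#' \
        | grep -E '^[[:space:]]*[A-Za-z_]+[[:space:]]*=' || true)
    for tok in acl xattrs sha512; do
        printf '%s\n' "$rules" \
            | grep -qE "(=|\+)[[:space:]]*$tok([[:space:]]*\+|[[:space:]]*$)" || return 1
    done
    return 0
}

# OL07-00-031000: rsyslog forwards to a remote server ("*.* @@host:port" or a
# RainerScript omfwd action). Argument: rsyslog.conf plus rsyslog.d/*.conf.
check_rsyslog_remote() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*#' \
        | grep -qE '^\*\.\*[[:space:]]+@@?[^[:space:]]+|type="omfwd"'
}

# OL07-00-010342: targetpw, rootpw and runaspw must each be negated with no
# conflicting positive setting. Argument: sudoers plus sudoers.d/* contents.
check_sudo_pw() {
    active=$(printf '%s\n' "$1" | grep -vE '^[[:space:]]*#' || true)
    for opt in targetpw rootpw runaspw; do
        printf '%s\n' "$active" | grep -qE \
            "^[[:space:]]*Defaults[[:space:]]+(.*[,[:space:]])?!$opt([[:space:],]|$)" || return 1
        printf '%s\n' "$active" | grep -qE \
            "^[[:space:]]*Defaults[[:space:]]+(.*[,[:space:]])?$opt([[:space:],]|$)" && return 1
    done
    return 0
}

# OL07-00-021350: every non-rescue kernel entry boots with fips=1. Rescue
# entries are skipped on purpose: adding fips=1 to them can leave the
# instance unbootable. Argument: output of `grubby --info=ALL` (assumed).
check_fips_cmdline() {
    printf '%s\n' "$1" | awk '
        /^kernel=/ { k = $0; sub(/^kernel=/, "", k) }
        /^args=/   { if (k ~ /rescue/) next; if ($0 !~ /fips=1/) { print k; bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

report() {
    rc=0; "$1" "$2" || rc=$?
    case $rc in 0) echo "PASS $3" ;; 2) echo "N/A  $3" ;; *) echo "FAIL $3" ;; esac
}

# Audit the live instance (as root): sh stig-spot-check.sh --system
audit_system() {
    report check_home_nosuid "$(mount)" OL07-00-021000
    report check_tmout "$(cat /etc/profile.d/*.sh 2>/dev/null)" OL07-00-040160
    report check_sshd_x11 "$(cat /etc/ssh/sshd_config)" OL07-00-040710/040711
    report check_aide_rules "$(cat /etc/aide.conf 2>/dev/null)" OL07-00-021600/021610/021620
    report check_rsyslog_remote "$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null)" OL07-00-031000
    report check_sudo_pw "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)" OL07-00-010342
    report check_fips_cmdline "$(grubby --info=ALL 2>/dev/null)" OL07-00-021350
}

if [ "${1:-}" = "--system" ]; then audit_system; fi
```

A PASS here only means the setting matches the check text; rules such as OL07-00-020270 and OL07-00-040100 depend on an authorization list from your ISSO and cannot be automated, and the SCC score remains the authoritative result, so rescan after any change.
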
Oracle-Linux-7.9-2021.07.27-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-2021.07.27-STIG was released 8/10/2021.

The following notes about the update are in comparison to the previous Oracle-Linux-7.9-2021.03.02-STIG release.

Image Updates

  • kernel-uek 5.4.17-2102.203.6.el7uek.x86_64, an Unbreakable Enterprise Kernel Release 6 (UEK R6) kernel that includes the fix for CVE-2021-33909 (a local privilege escalation in the kernel's file system layer).

  • Updated Oracle Linux 7.9 system packages to the latest versions that are available, with security fixes.

Compliance Updates

  • Target: Benchmark version Oracle Linux 7 DISA STIG Benchmark - Ver 2, Rel 4.

  • SCC compliance score: 89.44%.

  • Changes made to the latest STIG image.

    The following table describes the changes that were made in the Oracle-Linux-7.9-2021.07.27-STIG release.

    Note

    Updates for this release are also reflected in Oracle Linux 7 Additional Configurations, which describes areas in the latest image that require manual configuration. See this section for important information that might apply to the rules listed in the following table.

    OL07-00-010090
        Rule: The Oracle Linux operating system must have the screen package installed.
        Reason for exclusion: Affects the default Oracle Public Cloud (OPC) user login account configured for Oracle Cloud Infrastructure instance access.
        Status: Removed
        Comments: Removed from exclusion list in V2R4

    OL07-00-021350
        Rule: The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
        Reason for exclusion: The rescue kernel command line omits the fips=1 parameter.
        Status: Added
        Comments: Removed from exclusion list in V2R4
        Important: Adding fips=1 to the rescue kernel command line could result in the instance failing to boot with a fatal error.

    OL07-00-030200
        Rule: The Oracle Linux operating system must be configured to use the au-remote plugin.
        Reason for exclusion: The au-remote plugin configuration presumes remote server details.
        Status: Removed
        Comments: Removed from exclusion list in V2R4

    OL07-00-030201
        Rule: The Oracle Linux operating system must be configured to off-load audit logs to a different system or storage media from the system being audited.
        Reason for exclusion: The au-remote plugin configuration presumes remote server details.
        Status: Updated
        Comments: Rule title changed in V2R4

    OL07-00-040600
        Rule: For Oracle Linux operating systems that are using DNS resolution, at least two name servers must be configured.
        Reason for exclusion: The Oracle National Security Regions (ONSR) image provides only one reliable DNS host.
        Status: Updated
        Comments: Rule title changed in V2R4

    OL07-00-041001
        Rule: The Oracle Linux operating system must have the required packages for multifactor authentication installed.
        Reason for exclusion: Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
        Status: Removed
        Comments: Removed from exclusion list in V2R4. Fixed on the image: the pam_pkcs11 package is now installed on the instance.

    OL07-00-040710
        Rule: The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
        Reason for exclusion: Affects instance serial console connectivity.
        Status: Added
        Comments: Added to exclusion list in V2R4

    OL07-00-010342
        Rule: The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.
        Reason for exclusion: Affects the default OPC login account.
        Status: Added
        Comments: Added to exclusion list in V2R4

Oracle-Linux-7.9-2021.03.02-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-2021.03.02-STIG was released 3/10/2021.

Image Information

  • kernel-uek 5.4.17-2036.103.3.1.el7uek.x86_64, an Unbreakable Enterprise Kernel Release 6 (UEK R6) kernel.

  • Latest versions of Oracle Linux 7.9 system packages, with security fixes.

Compliance Information

  • Target: Benchmark version Oracle Linux 7 DISA STIG Benchmark - Ver 1, Rel 2.

  • SCC compliance score: 89.44%.