RHEL7 STIG Settings Review
The first step in authoring the RHEL7 STIG is to determine which requirements are applicable to RHEL. As you skim the RHEL7 STIG Requirements (.xlsx), please indicate if any are not applicable, questionable, or infeasible. Additionally, if you've ideas on settings which should be included (but not specifically called out in the SRG), please list them below.
Please add to this list, and do not delete. We'll discuss these sections on TBD community calls, where decisions can be made in a collaborative nature.
Use the "CCI-*" value to reference the control.
RHEL 7 cannot support these requirements without assistance from an external application, policy, or service. These requirements will be "not applicable," and likely have no correlation with an operating system.
- CCI-001662: The operating system is not an antivirus provider
The following requirements cannot be configured to be out of compliance. These should be "permanent not a finding"
- CCI-000056: Session locks always applied until user re-authenticates.
- CCI-000206: Passwords are automatically shadowed
- CCI-000131: Timestamps automatically part of audit logs
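The two "permanent not a finding" items CCI-000206 and CCI-000131 can still be evidenced on a host. The following POSIX sh script is an added example (not part of this wiki page or the project's own content) that checks a passwd-format file for hashes left in the password field and checks audit records for the `msg=audit(<epoch>.<ms>:<serial>)` timestamp. It runs against constructed sample files in a temporary directory; the file paths, sample lines and the two helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compliance checks for CCI-000206 (passwords shadowed) and
# CCI-000131 (audit records timestamped), run against constructed sample data.

# CCI-000206: return 0 when every entry's password field is a shadow marker
# ("x") or a locked/no-login marker ("*" or "!"), 1 when a hash or an empty
# password sits directly in the passwd file. $1 is the path to a passwd-format file.
check_passwd_shadowed() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { bad = 1 }
           END { exit bad ? 1 : 0 }' "$1"
}

# CCI-000131: return 0 when every line of an audit log carries an
# audit(<epoch>.<ms>:<serial>) timestamp, 1 when any record lacks one.
# $1 is the path to an audit.log-format file.
check_audit_timestamps() {
  # grep -v prints records without a timestamp; exit 0 from grep means at least one exists
  grep -v -E 'msg=audit\([0-9]+\.[0-9]+:[0-9]+\)' "$1" >/dev/null && return 1
  return 0
}

# Constructed sample files (assumption: placed in a throw-away directory).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Compliant passwd: every password field is "x" (hash lives in /etc/shadow).
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' \
  > "$SAMPLE_DIR/passwd_ok"
# Non-compliant passwd: a SHA-512 style hash left in the passwd file (constructed, not real).
printf 'root:x:0:0:root:/root:/bin/bash\nbob:$6$saltsalt$FAKEHASH:1001:1001::/home/bob:/bin/bash\n' \
  > "$SAMPLE_DIR/passwd_bad"

# Compliant audit log: each record has the auditd timestamp/serial.
printf 'type=USER_LOGIN msg=audit(1500000000.123:456): pid=1 uid=0 auid=1000 res=success\ntype=SYSCALL msg=audit(1500000001.001:457): arch=c000003e syscall=2 success=yes\n' \
  > "$SAMPLE_DIR/audit_ok"
# Non-compliant audit log: second record lacks the timestamp.
printf 'type=USER_LOGIN msg=audit(1500000000.123:456): pid=1 uid=0 auid=1000 res=success\ntype=SYSCALL pid=1 uid=0 syscall=2 success=yes\n' \
  > "$SAMPLE_DIR/audit_bad"

# Stand-alone report for the reader; the checks themselves are the functions above.
for f in passwd_ok passwd_bad; do
  if check_passwd_shadowed "$SAMPLE_DIR/$f"; then echo "$f: CCI-000206 pass"; else echo "$f: CCI-000206 FAIL"; fi
done
for f in audit_ok audit_bad; do
  if check_audit_timestamps "$SAMPLE_DIR/$f"; then echo "$f: CCI-000131 pass"; else echo "$f: CCI-000131 FAIL"; fi
done
```

On a real host the same functions would be pointed at /etc/passwd and /var/log/audit/audit.log; because the passwd field cannot hold a hash on a stock RHEL 7 install and auditd always emits the timestamp, both checks are expected to pass, which is what makes these items "permanent not a finding".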
These requirements are permanent findings and cannot be fixed. An appropriate mitigation for the system must be implemented, but the finding cannot be considered fixed.
- CCI-001294: The O/S isn't a certification and accreditation product
The following requirements are questionable/infeasible/may impact operational procedures (e.g. SSH timeout settings set too low).
The following contains a list of concepts/best practices that should be implemented in the STIG, though they are not specifically addressed in the OS SRG requirements.