[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for Red Hat Enterprise Linux 8, published 2026-06-02

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Wed Jun 3 05:26:06 PDT 2026 

*Product:*

BigFix Compliance

*Title:*
Updated DISA STIG Checklist for Red Hat Enterprise Linux 8

*Security Benchmark:*
Red Hat Enterprise Linux 8 STIG SCAP Benchmark V2R7

*Published Sites:*
DISA STIG Checklist for RHEL 8, site version 26
(The site version is provided for air-gap customers.)

*Details:*

●       Total New Fixlets: 6

●       Total Updated Fixlets: 7

●       Total Deleted Fixlets: 10

●       Total Fixlets in Site: 363

*New Fixlets:*

●       RHEL 8 must implement DOD-approved encryption in the bind package.

●       RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic
algorithms.

●       RHEL 8 must not install packages from the Extra Packages for
Enterprise Linux (EPEL) repository.

●       RHEL 8 must have the crypto-policies package installed.

●       RHEL 8 cryptographic policy must not be overridden.

●      RHEL 8 must automatically exit interactive command shell user
sessions after 10 minutes of inactivity.

*Updated Fixlets:*

●       The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be
disabled.

●       The RHEL 8 SSH client must be configured to use only DOD-approved
encryption ciphers employing FIPS 140-3-validated cryptographic hash
algorithms to protect the confidentiality of SSH client connections.

●       The RHEL 8 SSH server must be configured to use only DOD-approved
encryption ciphers employing FIPS 140-3-validated cryptographic hash
algorithms to protect the confidentiality of SSH server connections.

●       The RHEL 8 SSH server must be configured to use only Message
Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic
hash algorithms to protect the confidentiality of SSH server connections.

●       The RHEL 8 SSH client must be configured to use only DOD-approved
Message Authentication Codes (MACs) employing FIPS 140-3-validated
cryptographic hash algorithms to protect the confidentiality of SSH client
connections

●       RHEL 8 must use a Linux Security Module configured to enforce
limits on system services.

●       RHEL 8 must enable the SELinux targeted policy.

*Deleted Checks:*

·        The RHEL 8 SSH daemon must be configured to use system-wide crypto
policies.

·        RHEL 8 must not have the rsh-server package installed.

·        The RHEL 8 operating system must implement DoD-approved encryption
in the OpenSSL package.

·        The RHEL 8 operating system must implement DoD-approved TLS
encryption in the OpenSSL package.

·        The RHEL 8 operating system must implement DoD-approved TLS
encryption in the GnuTLS package.

·        RHEL 8 SSH server must be configured to use only FIPS-validated
key exchange algorithms.

·        Local RHEL 8 initialization files must not execute world-writable
programs.

·        RHEL 8 must display the date and time of the last successful
account logon upon logon.

·        RHEL 8 must audit any script or executable called by cron as root
or by any privileged user.

·        RHEL 8 temporary user accounts must be provisioned with an
expiration time of 72 hours or less.

*Additional details:*

●      Both analysis and remediation checks are included.

●      Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.

●      Improved a few checks by adding the pending restart feature to them.
The pending restart feature works in the following ways:

●      The action results will show “Pending Restart” instead of “Fixed”
for those checks which require OS reboot.

●       The check will show relevant for those endpoints until they are
rebooted.

●      Post reboot of the endpoint the action results will show as “Fixed”
and the check will be compliant.

*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product and you must be using BigFix version 10.0 and
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see Using the
Synchronize Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●      BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance

●      BigFix Compliance SCM Checklists:
Welcome to Wikis
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260603/298703c7/attachment.html>

More information about the Besadmin-announcements mailing list