[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for Oracle Linux 8, published 2026-03-05

[Announcements for BES Administrators]

*Product:*
BigFix Compliance

*Title:*
Updated DISA STIG Checklist for Oracle Linux 8.

*Security Benchmark:*
Disa Oracle Linux 8 STIG SCAP Benchmark, V2R7

*Published Sites:*
DISA STIG Checklist for Oracle Linux 8, site version 12.
(The site version is provided for air-gap customers.)

*Details:*

Total New Fixlets: 2

Total Updated Fixlets: 4

Total Deleted Fixlets: 1

Total Fixlets in Site: 366

*New Fixlets:*

●      OL 8 must automatically exit interactive command shell user sessions
after 10 minutes of inactivity.

●      OL 8 must not install packages from the Extra Packages for
Enterprise Linux (EPEL) repository



*Updated Fixlets:*

●      The OL 8 SSH server must be configured to use only Message
Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic
hash algorithms to protect the confidentiality of SSH server connections

●      The OL 8 SSH server must be configured to use only DOD-approved
encryption ciphers employing FIPS 140-3 validated cryptographic hash
algorithms to protect the confidentiality of SSH server connections.

●      The OL 8 operating system must implement DOD-approved encryption in
the OpenSSL package.

●      The OL 8 file system automounter must be disabled.



*Deleted Fixlets:*

●      Local OL 8 initialization files must not execute world-writable
programs.



*Additional details:*


● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable
customization for compliance evaluation. Note that parameterization and
remediation actions require the creation of a custom site.
Improved a few checks by adding the pending restart feature to them. The
pending restart feature works in the following ways:
● The action results will show “Pending Restart” instead of “Fixed” for
those checks which require OS reboot.
● The check will show relevant for those endpoints until they are rebooted.
*● *Post reboot of the endpoint the action results will show as “Fixed” and
the check will be compliant.


*Actions to take: *● To subscribe to the above site, you can use the
License Overview Dashboard to enable and gather the site. Note that you
must be entitled to the BigFix Compliance product and you must be using
BigFix version 10.0.2 and later.
●If you use custom sites, update your custom sites accordingly to use the
latest content. You can synchronize your content by using the Synchronize
Custom Checks wizard. For more information, see Using the Synchronize
Custom Checks wizard
<https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html>


*More information: *To know more about the BigFix Compliance SCM
checklists, please see the following resources:


*● BigFix Forum: *
*https://forum.bigfix.com/c/release-announcements/compliance*
<https://forum.bigfix.com/c/release-announcements/compliance>


*● BigFix Compliance SCM Checklists: **Welcome to Wikis*
<https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists>

We hope you find this latest release of SCM content useful and effective.

Thank you!
*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20260305/3be483e4/attachment.html>