Sys Maintenance: DISA STIG

Document created by RSA Information Design and Development on Oct 28, 2019
Version 1
 

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

RSA NetWitness Platform version 11.3.1 supports all Audit Rules in the DISA STIG Control Group. RSA will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage_stig_controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control group 1-ssh-prevent-root and control group 3-fips-kernel. You can enable or disable rules by control group using the manage_stig_controls script.

How STIG Limits Account Access

The STIG hardening RPM limits account access to the system, which helps lock down information, systems, and software that might otherwise be vulnerable to a malicious attack. For example, the STIG script:

  • Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
  • Applies auditing and logging of user actions on the host.

NetWitness Passwords

RSA NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a suite of standards and rules managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.

Disable Rules in OpenSCAP Report that Hang the Report

There may be STIG rules that you do not want to include in the OpenSCAP report because they cause the report to hang. Use the following command to deselect a rule in the SCAP content:

sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

where rule-id is the Rule ID of the rule that hangs during a test.

For example, the report has a rule with the ID partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against it, so you must check compliance with the partition_for_audit rule manually.

Install OpenSCAP

To install OpenSCAP:

  1. SSH to the host.
  2. Create a centos-Base.repo file under /etc/yum.repos.d directory.
    The following example shows the contents of the centos-Base.repo file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

  3. Execute the following commands.

    yum install openscap-scanner

    yum install scap-security-guide

Report Fields

                                                                                                             
Section | Field | Description
--- | --- | ---
Introduction - Test Result | Result ID | The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.
Introduction - Test Result | Profile | XCCDF profile under which the report results are categorized.
Introduction - Test Result | Start time | When the report started.
Introduction - Test Result | End time | When the report ended.
Introduction - Test Result | Benchmark | XCCDF benchmark.
Introduction - Test Result | Benchmark version | Version number of the benchmark.
Introduction - Score | system | XCCDF scoring method.
Introduction - Score | score | Score attained after running the report.
Introduction - Score | max | Highest score attainable.
Introduction - Score | % | Score attained after running the report, as a percentage.
Introduction - Score | bar | Not applicable.
Results overview - Rule Results Summary | pass | Passed rule check.
Results overview - Rule Results Summary | fixed | Rule check that failed previously is now fixed.
Results overview - Rule Results Summary | fail | Failed rule check.
Results overview - Rule Results Summary | error | Could not perform rule check.
Results overview - Rule Results Summary | not selected | This check was not applicable to your NetWitness Platform deployment.
Results overview - Rule Results Summary | not checked | Rule could not be checked. There are several reasons why a rule cannot be checked; for example, the rule check requires a check engine not supported by the OpenSCAP report.
Results overview - Rule Results Summary | not applicable | Rule check does not apply to your NetWitness Platform deployment.
Results overview - Rule Results Summary | informational | Rule checks for informational purposes only (no action required for fail).
Results overview - Rule Results Summary | unknown | Report was not able to determine the result of the rule check. Run the steps manually as described in the report to check the rule.
Results overview - Rule Results Summary | total | Total number of rules checked.
Exceptions | Title | Name of rule being checked.
Exceptions | Result | Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown.

Note: Result values are defined in the Results overview - Rule Results Summary section.

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only

To create an OpenSCAP report in HTML only:

  1. SSH to the host.
  2. Submit the following command:
    mkdir -p /opt/rsa/openscap
  3. Submit the following command for report upgrades only:
    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  4. Submit the following command:
    oscap xccdf eval --profile "stig-rhel7-disa" --report /root/stigscan/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  5. Open the report in your browser:
    /tmp/hostname-ssg-results.html

Create Report in XML Only

To create an OpenSCAP report in XML only:

  1. SSH to the host.
  2. Submit the following command:
    mkdir -p /opt/rsa/openscap
  3. Submit the following command for report upgrades only:
    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  4. Submit the following command:
    oscap xccdf eval --profile "stig-rhel7-disa" --results /root/stigscan/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Create Report in Both XML and HTML

To create an OpenSCAP report in both XML and HTML:

  1. SSH to the host.
  2. Submit the following command:
    mkdir -p /opt/rsa/openscap
  3. Submit the following command for report upgrades only:
    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
  4. Submit the following command:
    oscap xccdf eval --profile "stig-rhel7-disa" --results /root/stigscan/`hostname`.xml --report /root/stigscan/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
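Once a scan has been run with --results, the XML can be summarised without opening the HTML report. The following Python script is an added example (not RSA's tooling and not part of OpenSCAP): it reads an XCCDF results file, extracts the Introduction, Score and Rule Results Summary fields described under Report Fields, and lists each failed or errored rule with its CCE number, which is how the Exceptions to STIG Compliance section identifies rules. The embedded results document is a constructed, trimmed sample; the sample_* rule ids are invented for it, and only partition_for_audit is a rule id taken from this page.

```python
"""Summarise an OpenSCAP XCCDF results file (e.g. /root/stigscan/<hostname>.xml).
Added example, not RSA's or the OpenSCAP project's code. SAMPLE_RESULTS is a
constructed, trimmed results document; rule ids other than partition_for_audit
are invented for the sample."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# <result> values as written in the XML -> labels used in the report's
# "Rule Results Summary" (the HTML report shows the spaced forms).
RESULT_LABELS = {"pass": "pass", "fixed": "fixed", "fail": "fail", "error": "error",
                 "notselected": "not selected", "notchecked": "not checked",
                 "notapplicable": "not applicable", "informational": "informational",
                 "unknown": "unknown"}
EXCEPTION_RESULTS = {"fail", "error"}  # results the Exceptions section documents
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"

SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <Group id="system">
    <Rule id="partition_for_audit" severity="low">
      <title>Ensure /var/log/audit Located On Separate Partition</title>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-26971-2</ident>
    </Rule>
    <Rule id="sample_ssh_alive_count" severity="medium">
      <title>Set SSH Client Alive Count</title>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27082-7</ident>
    </Rule>
    <Rule id="sample_aide_installed" severity="medium">
      <title>Install AIDE</title>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27096-7</ident>
    </Rule>
  </Group>
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel7-disa"
              start-time="2019-10-28T10:00:00" end-time="2019-10-28T10:03:12">
    <benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml" id="RHEL-7"/>
    <profile idref="stig-rhel7-disa"/>
    <rule-result idref="partition_for_audit"><result>fail</result></rule-result>
    <rule-result idref="sample_ssh_alive_count"><result>pass</result></rule-result>
    <rule-result idref="sample_aide_installed"><result>fail</result></rule-result>
    <rule-result idref="sample_gnome_banner"><result>notapplicable</result></rule-result>
    <rule-result idref="sample_aslr"><result>fail</result><ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27127-0</ident></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">25.000000</score>
  </TestResult>
</Benchmark>
"""

def _cce(element):
    """First CCE identifier under an element, or 'n/a' (the guide's marker)."""
    for ident in element.findall("{*}ident"):
        if ident.get("system") == CCE_SYSTEM and ident.text:
            return ident.text.strip()
    return "n/a"

def parse_results(xml_text):
    """Return the report fields from an XCCDF results document ({*} matches the 1.1 or 1.2 namespace)."""
    root = ET.fromstring(xml_text)
    # Rule definitions sit anywhere under the Benchmark, usually inside Groups.
    rules = {r.get("id"): (r.findtext("{*}title", default=r.get("id")), _cce(r))
             for r in root.iterfind(".//{*}Rule")}
    test_result = root.find(".//{*}TestResult")
    if test_result is None:
        raise ValueError("no TestResult element: was the scan run with --results?")
    profile = test_result.find("{*}profile")
    score = test_result.find("{*}score")
    score_value = float(score.text) if score is not None and score.text else None
    score_max = float(score.get("maximum", "100")) if score is not None else None
    counts, exceptions = Counter(), []
    for rr in test_result.findall("{*}rule-result"):
        raw = rr.findtext("{*}result", default="unknown").strip()
        label = RESULT_LABELS.get(raw, raw)
        counts[label] += 1
        title, cce = rules.get(rr.get("idref"), (rr.get("idref"), "n/a"))
        if cce == "n/a":  # oscap may carry the ident on the rule-result instead
            cce = _cce(rr)
        if label in EXCEPTION_RESULTS:
            exceptions.append({"cce": cce, "title": title, "result": label})
    counts["total"] = sum(counts.values())
    percent = 100.0 * score_value / score_max if score_value is not None and score_max else None
    return {"result_id": test_result.get("id"),
            "profile": profile.get("idref") if profile is not None else None,
            "start_time": test_result.get("start-time"), "end_time": test_result.get("end-time"),
            "score": score_value, "max": score_max, "percent": percent,
            "counts": dict(counts), "exceptions": exceptions}

def format_summary(summary):
    """Render the summary in the order of the report's Introduction section."""
    pct = "n/a" if summary["percent"] is None else f"{summary['percent']:.1f}%"
    lines = [f"Result ID: {summary['result_id']}", f"Profile: {summary['profile']}",
             f"Start time: {summary['start_time']}  End time: {summary['end_time']}",
             f"Score: {summary['score']} of {summary['max']} ({pct})",
             "Rule results: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["counts"].items()))]
    lines += [f"  {e['cce']}  {e['result']:<5}  {e['title']}" for e in summary["exceptions"]]
    return "\n".join(lines)

if __name__ == "__main__":  # pass the path of a --results file, or run on the sample
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(format_summary(parse_results(text)))
```

A rule-result whose rule has no definition in the file (the sample_aslr entry above) is reported under its idref, so nothing in the Exceptions list is silently dropped.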

Manage STIG Controls Script (manage_stig_controls)

You can use the manage_stig_controls script and its arguments to enable or disable STIG Control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments and you can enable or disable all control groups or individual control groups.

To manage STIG controls for a host:

  1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
  2. Submit the manage_stig_controls script with the commands, control groups, and other arguments you want to apply.
  3. Reboot the host.

Commands

                               
--enable-all-controls
  Enables all STIG controls. For example:
    manage_stig_controls --enable-all-controls

--disable-all-controls
  Disables all STIG controls. For example:
    manage_stig_controls --disable-all-controls

--enable-default-controls
  Enables all STIG controls except ssh-prevent-root and fips-kernel. For example:
    manage_stig_controls --enable-default-controls

--enable-control-groups <IDs>
  Enables the comma-delimited list of STIG Control Group IDs. For example:
    manage_stig_controls --enable-control-groups '1, 2, 3'

--disable-control-groups <IDs>
  Disables the comma-delimited list of STIG Control Group IDs. For example:
    manage_stig_controls --disable-control-groups '1, 2, 3'

Control Groups

You use the ID as an argument for the control group or groups.

                                                         
ID | Group | Description | Specified by Default
--- | --- | --- | ---
1 | ssh-prevent-root | Prevent root login through SSH. | no
2 | ssh | SSH STIG configuration. | yes (11.3.1.0); no (11.3.1.1 and later)
3 | fips-kernel | FIPS Kernel configuration. | no
4 | auth | Authentication STIG configuration. | yes (11.3.1.0); no (11.3.1.1 and later)
5 | audit | Audit STIG configuration. | yes
6 | packages | RPM Package STIG configuration. | yes
7 | services | Services STIG configuration. | yes

Other Arguments

                                   
--host-all
  Apply STIG configuration to all hosts. For example:
    manage_stig_controls --host-all

--skip-health-checks
  Disable health checks for all hosts (not recommended). For example:
    manage_stig_controls --skip-health-checks

--host-id <id>
  Apply STIG configuration to the host identified by <id> (host identification code). For example:
    manage_stig_controls --host-id <id>

--host-name <display-name>
  Apply STIG configuration to the host identified by <display-name>, the value shown under Name in the ADMIN > Hosts view of the NetWitness Platform user interface. For example:
    manage_stig_controls --host-name <display-name>

--host-addr <hostname>
  Apply STIG configuration to the host identified by the value shown under Hostname in the ADMIN > Hosts > Edit dialog of the NetWitness Platform user interface. This value can be an IP address (the default) or a user-specified name. For example:
    manage_stig_controls --host-addr <hostname>

-v, --verbose
  Enable verbose output. For example:
    manage_stig_controls -v

Rules List

The following table lists all the STIG rules with their:

  • Control Group - you can use the Control Group ID as an argument in the manage_stig_controls script to expand or reduce the scope of rules checked. (1 = ssh-prevent-root, 2 = ssh, 3 = fips-kernel, 4 = auth, 5 = audit, 6 = packages, 7 = services)
  • Default Status - tells you if the rule is enabled or disabled by default.
  • Passed or Exception status - tells you if the rule passed (that is, complies with STIG) or is an exception.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
CCE Number | Rule Name | Control Group | Default Status | Passed/Exception
--- | --- | --- | --- | ---
CCE-26404-4 | Ensure /var Located On Separate Partition | n/a | n/a | Exception
CCE-26631-2 | Set Password Strength Minimum Different Characters | auth | enabled | Passed
CCE-26828-4 | Disable DCCP Support | n/a | n/a | Exception
CCE-26884-7 | Set Lockout Time For Failed Password Attempts | auth | enabled | Exception
CCE-26892-0 | Set the GNOME3 Login Warning Banner Text | n/a | enabled | Passed
CCE-26923-3 | Limit Password Reuse | n/a | enabled | Passed
CCE-26952-2 | Configure Periodic Execution of AIDE | audit | enabled | Exception
CCE-26970-4 | Enable GNOME3 Login Warning Banner | audit | enabled | Passed
CCE-26971-2 | Ensure /var/log/audit Located On Separate Partition | audit | enabled | Exception
CCE-26989-4 | Ensure gpgcheck Enabled In Main Yum Configuration | n/a | enabled | Passed
CCE-27002-5 | Set Password Minimum Age | n/a | enabled | Passed
CCE-27051-2 | Set Password Maximum Age | auth | enabled | Passed
CCE-27053-8 | Set Password Hashing Algorithm in /etc/libuser.conf | n/a | enabled | Passed
CCE-27081-9 | Limit the Number of Concurrent Login Sessions Allowed Per User | auth | enabled | Passed
CCE-27082-7 | Set SSH Client Alive Count | ssh | enabled | Passed
CCE-27083-5 | Record Events that Modify the System's Discretionary Access Controls - lchown | audit | enabled | Passed
CCE-27096-7 | Install AIDE | n/a | n/a | Exception
CCE-27104-9 | Set PAM's Password Hashing Algorithm | n/a | enabled | Passed
CCE-27115-5 | Set Password Strength Minimum Different Categories | audit | enabled | Passed
CCE-27124-7 | Set Password Hashing Algorithm in /etc/login.defs | n/a | enabled | Passed
CCE-27127-0 | Enable Randomized Layout of Virtual Address Space | n/a | enabled | Exception
CCE-27157-7 | Verify File Hashes with RPM | n/a | n/a | Exception
CCE-27160-1 | Set Password Retry Prompts Permitted Per-Session | n/a | enabled | Passed
CCE-27165-0 | Uninstall telnet-server Package | n/a | enabled | Passed
CCE-27173-4 | Ensure /tmp Located On Separate Partition | n/a | n/a | Exception
CCE-27175-9 | Verify Only Root Has UID 0 | n/a | enabled | Passed
CCE-27200-5 | Set Password Strength Minimum Uppercase Characters | auth | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - rename | audit | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - unlinkat | audit | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - unlink | audit | enabled | Passed
CCE-27209-6 | Verify and Correct File Permissions with RPM | n/a | n/a | Exception
CCE-27213-8 | Record Events that Modify the System's Discretionary Access Controls - setxattr | audit | enabled | Passed
CCE-27214-6 | Set Password Strength Minimum Digit Characters | auth | enabled | Passed
CCE-27218-7 | Remove the X Windows Package Group | n/a | enabled | Passed
CCE-27275-7 | Set Last Logon/Access Notification | n/a | enabled | Passed
CCE-27277-3 | Disable Modprobe Loading of USB Storage Driver | services | enabled | Exception
CCE-27279-9 | Configure SELinux Policy | n/a | enabled | Passed
CCE-27280-7 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | audit | enabled | Passed
CCE-27286-4 | Prevent Log In to Accounts With Empty Password | n/a | enabled | Passed
CCE-27287-2 | Require Authentication for Single User Mode | n/a | enabled | Passed
CCE-27293-0 | Set Password Minimum Length | auth | enabled | Passed
CCE-27295-5 | Use Only FIPS 140-2 Validated Ciphers | n/a | enabled | Exception
CCE-27297-1 | Set Interval For Counting Failed Password Attempts | auth | enabled | Passed
CCE-27303-7 | Modify the System Login Banner | ssh | enabled | Exception
CCE-27309-4 | Set Boot Loader Password in grub2 | n/a | enabled | Exception
CCE-27311-0 | Verify Permissions on SSH Server Public *.pub Key Files | n/a | enabled | Passed
CCE-27314-4 | Enable SSH Warning Banner | ssh | enabled | Passed
CCE-27320-1 | Allow Only SSH Protocol 2 | n/a | enabled | Passed
CCE-27326-8 | Ensure No Device Files are Unlabeled by SELinux | n/a | enabled | Passed
CCE-27333-4 | Set Password Maximum Consecutive Repeating Characters | n/a | enabled | Passed
CCE-27334-2 | Ensure SELinux State is Enforcing | n/a | enabled | Exception
CCE-27339-1 | Record Events that Modify the System's Discretionary Access Controls - chmod | audit | enabled | Passed
CCE-27342-5 | Uninstall rsh-server Package | n/a | enabled | Passed
CCE-27343-3 | Ensure Logs Sent To Remote Host | n/a | n/a | Passed
CCE-27345-8 | Set Password Strength Minimum Lowercase Characters | auth | enabled | Passed
CCE-27349-0 | Set Default firewalld Zone for Incoming Packets | n/a | n/a | Exception
CCE-27350-8 | Set Deny For Failed Password Attempts | auth | enabled | Passed
CCE-27351-6 | Install the screen Package | n/a | enabled | Passed
CCE-27353-2 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | audit | enabled | Passed
CCE-27355-7 | Set Account Expiration Following Inactivity | n/a | enabled | Passed
CCE-27356-5 | Record Events that Modify the System's Discretionary Access Controls - fchown | audit | enabled | Passed
CCE-27358-1 | Deactivate Wireless Network Interfaces | n/a | enabled | Passed
CCE-27360-7 | Set Password Strength Minimum Special Characters | auth | enabled | Passed
CCE-27361-5 | Verify firewalld Enabled | n/a | n/a | Exception
CCE-27363-1 | Do Not Allow SSH Environment Options | ssh | enabled | Passed
CCE-27364-9 | Record Events that Modify the System's Discretionary Access Controls - chown | audit | enabled | Passed
CCE-27367-2 | Record Events that Modify the System's Discretionary Access Controls - removexattr | audit | enabled | Passed
CCE-27375-5 | Configure auditd space_left Action on Low Disk Space | audit | enabled | Passed
CCE-27377-1 | Disable SSH Support for .rhosts Files | n/a | enabled | Passed
CCE-27386-2 | Ensure Default SNMP Password Is Not Used | n/a | n/a | Exception
CCE-27387-0 | Record Events that Modify the System's Discretionary Access Controls - fchownat | audit | enabled | Passed
CCE-27388-8 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | audit | enabled | Passed
CCE-27389-6 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | audit | enabled | Passed
CCE-27393-8 | Record Events that Modify the System's Discretionary Access Controls - fchmod | audit | enabled | Passed
CCE-27394-6 | Configure auditd mail_acct Action on Low Disk Space | audit | enabled | Passed
CCE-27399-5 | Uninstall ypserv Package | n/a | enabled | Passed
CCE-27407-6 | Enable auditd Service | audit | enabled | Passed
CCE-27410-0 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | audit | enabled | Passed
CCE-27413-4 | Disable Host-Based Authentication | n/a | enabled | Passed
CCE-27433-2 | Set SSH Idle Timeout Interval | ssh | enabled | Passed
CCE-27434-0 | Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces | n/a | enabled | Passed
CCE-27437-3 | Ensure auditd Collects Information on the Use of Privileged Commands | audit | enabled | Passed
CCE-27445-6 | Disable SSH Root Login | n/a | n/a | Exception
CCE-27447-2 | Ensure auditd Collects Information on Exporting to Media (successful) | audit | enabled | Passed
CCE-27455-5 | Use Only FIPS 140-2 Validated MACs | n/a | enabled | Passed
CCE-27458-9 | Mount Remote Filesystems with Kerberos Security | n/a | enabled | Passed
CCE-27461-3 | Ensure auditd Collects System Administrator Actions | audit | enabled | Passed
CCE-27471-2 | Disable SSH Access via Empty Passwords | n/a | enabled | Exception
CCE-27485-2 | Verify Permissions on SSH Server Private *_key Key Files | n/a | n/a | Passed
CCE-27498-5 | Disable the Automounter | n/a | enabled | Passed
CCE-27503-2 | All GIDs referenced in /etc/passwd must be defined in /etc/group | n/a | enabled | Passed
CCE-27511-5 | Disable Ctrl-Alt-Del Reboot Activation | services | enabled | Passed
CCE-27512-3 | Set Password to Maximum of Consecutive Repeating Characters from Same Character Class | auth | enabled | Passed
CCE-27557-8 | Set Interactive Session Timeout | auth | enabled | Passed
CCE-80104-3 | Disable GDM Automatic Login | n/a | enabled | Passed
CCE-80105-0 | Disable GDM Guest Login | n/a | enabled | Passed
CCE-80108-4 | Enable the GNOME3 Login Smartcard Authentication | n/a | enabled | Passed
CCE-80110-0 | Set GNOME3 Screensaver Inactivity Timeout | n/a | enabled | Passed
CCE-80111-8 | Enable GNOME3 Screensaver Idle Activation | n/a | enabled | Passed
CCE-80112-6 | Enable GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed
CCE-80127-4 | Install McAfee Virus Scanning Software | n/a | n/a | Exception
CCE-80129-0 | Virus Scanning Software Definitions Are Updated | n/a | n/a | Exception
CCE-80134-0 | Ensure All Files Are Owned by a User | n/a | enabled | Passed
CCE-80135-7 | Ensure All Files Are Owned by a Group | n/a | enabled | Passed
CCE-80136-5 | Ensure All World-Writable Directories Are Owned by a System Account | n/a | enabled | Passed
CCE-80144-9 | Ensure /home Located On Separate Partition | n/a | enabled | Passed
CCE-80148-0 | Add nosuid Option to Removable Media Partitions | n/a | enabled | Passed
CCE-80156-3 | Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces | n/a | n/a | Exception
CCE-80157-1 | Disable Kernel Parameter for IP Forwarding | n/a | n/a | Exception
CCE-80158-9 | Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces | n/a | n/a | Exception
CCE-80162-1 | Configure Kernel Parameter for Accepting Source-Routed Packets By Default | n/a | enabled | Passed
CCE-80163-9 | Configure Kernel Parameter for Accepting ICMP Redirects By Default | n/a | n/a | Exception
CCE-80165-4 | Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests | n/a | n/a | Exception
CCE-80174-6 | Ensure System is Not Acting as a Network Sniffer | n/a | enabled | Passed
CCE-80179-5 | Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces | n/a | n/a | Exception
CCE-80192-8 | Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | n/a | enabled | Passed
CCE-80205-8 | Ensure the Default Umask is Set Correctly in login.defs | n/a | enabled | Passed
CCE-80207-4 | Enable Smart Card Login | n/a | n/a | Exception
CCE-80213-2 | Uninstall tftp-server Package | n/a | enabled | Passed
CCE-80214-0 | Ensure tftp Daemon Uses Secure Mode | n/a | enabled | Passed
CCE-80215-7 | Install the OpenSSH Server Package | n/a | enabled | Passed
CCE-80216-5 | Enable the OpenSSH Service | n/a | enabled | Passed
CCE-80220-7 | Disable GSSAPI Authentication | ssh | enabled | Passed
CCE-80221-5 | Disable Kerberos Authentication | n/a | enabled | Passed
CCE-80222-3 | Enable Use of Strict Mode Checking | n/a | enabled | Passed
CCE-80223-1 | Enable Use of Privilege Separation | n/a | enabled | Passed
CCE-80224-9 | Disable Compression Or Set Compression to delayed | n/a | enabled | Passed
CCE-80225-6 | Print Last Log | n/a | enabled | Exception
CCE-80226-4 | Enable Encrypted X11 Forwarding | n/a | n/a | Exception
CCE-80240-5 | Mount Remote Filesystems with nosuid | n/a | enabled | Passed
CCE-80245-4 | Uninstall vsftpd Package | n/a | enabled | Passed
CCE-80258-7 | Disable KDump Kernel Crash Analyzer (kdump) | services | enabled | Passed
CCE-80346-0 | Ensure YUM Removes Previous Package Versions | packages | enabled | Passed
CCE-80347-8 | Ensure gpgcheck Enabled for Local Packages | packages | enabled | Passed
CCE-80348-6 | Ensure gpgcheck Enabled for Repository Metadata | n/a | n/a | Exception
CCE-80349-4 | The Installed Operating System Is Vendor Supported and Certified | n/a | n/a | Exception
CCE-80350-2 | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | n/a | enabled | Passed
CCE-80351-0 | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | n/a | enabled | Passed
CCE-80352-8 | Ensure the Logon Failure Delay is Set Correctly in login.defs | auth | enabled | Passed
CCE-80353-6 | Configure the root Account for Failed Password Attempts | auth | enabled | Passed
CCE-80354-4 | Set the UEFI Boot Loader Password | fips-kernel | disabled | Passed
CCE-80359-3 | Enable FIPS Mode in GRUB2 | fips-kernel | disabled | Exception
CCE-80370-0 | Set GNOME3 Screensaver Lock Delay After Activation Period | n/a | enabled | Passed
CCE-80371-8 | Ensure Users Cannot Change GNOME3 Screensaver Settings | n/a | enabled | Passed
CCE-80372-6 | Disable SSH Support for User Known Hosts | ssh | enabled | Passed
CCE-80373-4 | Disable SSH Support for Rhosts RSA Authentication | audit | enabled | Passed
CCE-80374-2 | Configure Notification of Post-AIDE Scan Details | n/a | n/a | Exception
CCE-80375-9 | Configure AIDE to Verify Access Control Lists (ACLs) | n/a | n/a | Exception
CCE-80376-7 | Configure AIDE to Verify Extended Attributes | n/a | n/a | Exception
CCE-80377-5 | Configure AIDE to Use FIPS 140-2 for Validating Hashes | n/a | n/a | Exception
CCE-80378-3 | Verify User Who Owns /etc/cron.allow file | n/a | enabled | Passed
CCE-80379-1 | Verify Group Who Owns /etc/cron.allow file | n/a | enabled | Passed
CCE-80380-9 | Ensure cron Is Logging To Rsyslog | n/a | enabled | Passed
CCE-80381-7 | Shutdown System When Auditing Failures Occur | audit | enabled | Passed
CCE-80382-5 | Record Attempts to Alter Logon and Logout Events - tallylog | audit | enabled | Passed
CCE-80383-3 | Record Attempts to Alter Logon and Logout Events - faillock | n/a | n/a | Passed
CCE-80384-1 | Record Attempts to Alter Logon and Logout Events - lastlog | audit | enabled | Passed
CCE-80385-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - creat | audit | enabled | Passed
CCE-80386-6 | Record Unauthorized Access Attempts to Files (unsuccessful) - open | audit | enabled | Passed
CCE-80387-4 | Record Unauthorized Access Attempts to Files (unsuccessful) - openat | audit | enabled | Passed
CCE-80388-2 | Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at | audit | enabled | Passed
CCE-80389-0 | Record Unauthorized Access Attempts to Files (unsuccessful) - truncate | audit | enabled | Passed
CCE-80390-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate | audit | enabled | Passed
CCE-80391-6 | Record Any Attempts to Run semanage | audit | enabled | Passed
CCE-80392-4 | Record Any Attempts to Run setsebool | audit | enabled | Passed
CCE-80393-2 | Record Any Attempts to Run chcon | audit | enabled | Passed
CCE-80395-7 | Ensure auditd Collects Information on the Use of Privileged Commands - passwd | audit | enabled | Passed
CCE-80396-5 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | audit | enabled | Passed
CCE-80397-3 | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | audit | enabled | Passed
CCE-80398-1 | Ensure auditd Collects Information on the Use of Privileged Commands - chage | audit | enabled | Passed
CCE-80399-9 | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | audit | enabled | Passed
CCE-80400-5 | Ensure auditd Collects Information on the Use of Privileged Commands - su | audit | enabled | Passed
CCE-80401-3 | Ensure auditd Collects Information on the Use of Privileged Commands - sudo | audit | enabled | Passed
CCE-80402-1 | Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | audit | enabled | Passed
CCE-80403-9 | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | audit | enabled | Passed
CCE-80404-7 | Ensure auditd Collects Information on the Use of Privileged Commands - chsh | audit | enabled | Passed
CCE-80405-4 | Ensure auditd Collects Information on the Use of Privileged Commands - umount | audit | enabled | Passed
CCE-80406-2 | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | audit | enabled | Passed
CCE-80407-0 | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | audit | enabled | Passed
CCE-80408-8 | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | audit | enabled | Passed
CCE-80410-4 | Ensure auditd Collects Information on the Use of Privileged Commands - crontab | audit | enabled | Passed
CCE-80411-2 | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | audit | enabled | Passed
CCE-80412-0 | Ensure auditd Collects File Deletion Events by User - rmdir | audit | enabled | Passed
CCE-80413-8 | Ensure auditd Collects File Deletion Events by User - renameat | audit | enabled | Passed
CCE-80414-6 | Ensure auditd Collects Information on Kernel Module Loading - init_module | audit | enabled | Passed
CCE-80415-3 | Ensure auditd Collects Information on Kernel Module Unloading - delete_module | audit | enabled | Passed
CCE-80416-1 | Ensure auditd Collects Information on Kernel Module Unloading - rmmod | audit | enabled | Passed
CCE-80417-9 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe | audit | enabled | Passed
CCE-80430-2 | Record Events that Modify User/Group Information - /etc/security/opasswd | audit | enabled | Passed
CCE-80431-0 | Record Events that Modify User/Group Information - /etc/shadow | audit | enabled | Passed
CCE-80432-8 | Record Events that Modify User/Group Information - /etc/gshadow | audit | enabled | Passed
CCE-80433-6 | Record Events that Modify User/Group Information - /etc/group | audit | enabled | Passed
CCE-80434-4 | Ensure Home Directories are Created for New Users | n/a | enabled | Passed
CCE-80435-1 | Record Events that Modify User/Group Information - /etc/passwd | audit | enabled | Passed
CCE-80436-9 | Mount Remote Filesystems with noexec | n/a | enabled | Passed
CCE-80437-7 | Configure PAM in SSSD Services | n/a | n/a | Exception
CCE-80438-5 | Configure Multiple DNS Servers in /etc/resolv.conf | n/a | n/a | Exception
CCE-80439-3 | Configure Time Service Maxpoll Interval | services | enabled | Passed
CCE-80446-8 | Ensure auditd Collects Information on Kernel Module Loading - insmod | audit | enabled | Passed
CCE-80447-6 | Configure the Firewalld Ports | n/a | n/a | Exception
CCE-80513-5 | Remove Host-Based Authentication Files | n/a | enabled | Passed
CCE-80514-3 | Remove User Host-Based Authentication Files | n/a | enabled | Passed
CCE-80515-0 | Configure SSSD LDAP Backend Client CA Certificate Location | n/a | n/a | Exception
CCE-80519-2 | Install Smart Card Packages For Multifactor Authentication | n/a | n/a | Exception
CCE-80537-4 | Configure auditd space_left on Low Disk Space | audit | enabled | Passed
CCE-80544-0 | Ensure Users Cannot Change GNOME3 Session Idle Settings | n/a | enabled | Passed
CCE-80545-7 | Verify and Correct Ownership with RPM | n/a | n/a | Exception
CCE-80546-5 | Configure SSSD LDAP Backend to Use TLS For All Transactions | n/a | n/a | Exception
CCE-80547-3 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | audit | enabled | Passed
CCE-80563-0 | Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed
CCE-80564-8 | Ensure Users Cannot Change GNOME3 Screensaver Idle Activation | n/a | enabled | Passed
CCE-80660-4 | Record Any Attempts to Run setfiles | audit | enabled | Exception
CCE-80661-2 | Ensure auditd Collects Information on Kernel Module Loading - create_module | audit | enabled | Exception
CCE-81153-9 | Add nosuid Option to /home | n/a | enabled | Passed

Exceptions to STIG Compliance

This topic contains:

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls, which improves workflow by allowing fast and accurate correlation of configuration issues present in disparate domains. In this way it is similar to other comparable data standards such as the Common Vulnerabilities and Exposures (CVE) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

This section lists the exceptions you can receive when you run the OpenSCAP report. The ID, or Common Configuration Enumeration (CCE) number, in the table is the identification number for the exception from the OpenSCAP report.

Control Group ID

Number that identifies the control group you specify in the manage_stig_controls script to enable or disable the rule.

                                                         
ID | Group | Description | Specified by Default
--- | --- | --- | ---
1 | ssh-prevent-root | Prevent root login through SSH. | no
2 | ssh | SSH STIG configuration. | yes
3 | fips-kernel | FIPS Kernel configuration. | no
4 | auth | Authentication STIG configuration. | yes
5 | audit | Audit STIG configuration. | yes
6 | packages | RPM Package STIG configuration. | yes
7 | services | Services STIG configuration. | yes

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Explains why you receive this exception. Each exception carries one of the following comments:

  • Customer Responsibility - You are responsible to make sure the system meets this requirement.
  • Not a Finding - Exception does not apply to NetWitness Platform. RSA has verified that the system meets this requirement.
  • Future Feature - NetWitness Platform does not meet this requirement. RSA plans to fix this in a future release of NetWitness Platform.

Customer Responsibility Exceptions

CCE-26952-2 Configure Periodic Execution of AIDE (Control Group = audit)

Check

At a minimum, configure AIDE to run a weekly scan; at most, run it daily. To run AIDE daily at 4:05am using cron, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check

To run AIDE weekly at 4:05am using cron, add the following line to the /etc/crontab file:
05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The use of cron's special time codes, such as @daily and @weekly, is acceptable.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run as infrequently as possible to adhere to your security policy.

CCE-27096-7 Install AIDE (Control Group = n/a)

Check

Install the AIDE package with the following command:
$ sudo yum install aide

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.

CCE-27295-5 Use Only FIPS 140-2 Validated Ciphers (Control Group = n/a)

Check

Limit the ciphers to algorithms that are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

The following ciphers are FIPS 140-2 certified on RHEL 7:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • 3des-cbc
  • rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Comments

Customer Responsibility. Enable FIPS mode. Refer to the System Maintenance Guide for RSA NetWitness Platform version 11.3 for instructions.

CCE-27445-6 Disable SSH Root Login (Control Group = ssh-prevent-root)

Check

The root user should never be allowed to log in to a system directly over a network.

Comments

Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file:
PermitRootLogin no
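Both sshd_config checks above (the FIPS 140-2 cipher list of CCE-27295-5 and the PermitRootLogin setting of CCE-27445-6) can be verified offline from a copy of the file. The script below is an added example, not RSA NetWitness code; the two sshd_config fragments it evaluates are constructed, and treating a missing Ciphers or PermitRootLogin line as a failure is this example's own conservative choice, since the STIG expects both to be set explicitly.

```python
"""Audit the global section of an sshd_config for two of the checks above:
FIPS 140-2 ciphers (CCE-27295-5) and disabled root login (CCE-27445-6).

Added example, not RSA NetWitness code. Treating a missing Ciphers or
PermitRootLogin line as a failure is a conservative choice of this example,
since the STIG wants both set explicitly.
"""
import re

# The cipher names the CCE-27295-5 check text lists as FIPS 140-2 certified on RHEL 7.
FIPS_CIPHERS = {
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "3des-cbc", "rijndael-cbc@lysator.liu.se",
}

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global settings.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored, and parsing stops at the first Match block because anything after
    it is conditional rather than global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_ciphers(settings):
    """CCE-27295-5: every configured cipher must be in FIPS_CIPHERS. Returns (ok, offenders)."""
    value = settings.get("ciphers")
    if value is None:
        return False, []          # sshd defaults include non-FIPS algorithms
    configured = [c.strip().lower() for c in value.split(",") if c.strip()]
    offenders = [c for c in configured if c not in FIPS_CIPHERS]
    return bool(configured) and not offenders, offenders


def check_root_login(settings):
    """CCE-27445-6: PermitRootLogin must be explicitly 'no'."""
    return settings.get("permitrootlogin", "").lower() == "no"


def audit(text):
    """Evaluate both checks and return a small report dictionary."""
    settings = parse_sshd_config(text)
    fips_ok, offenders = check_ciphers(settings)
    return {
        "fips_ciphers": fips_ok,
        "non_fips_ciphers": offenders,
        "root_login_disabled": check_root_login(settings),
    }


# Constructed samples, not copied from a NetWitness host.
WEAK_CONFIG = """Protocol 2
Ciphers aes128-ctr,chacha20-poly1305@openssh.com,aes256-cbc
#PermitRootLogin no
"""

HARDENED_CONFIG = """Protocol 2
Ciphers=aes128-ctr,aes192-ctr,aes256-ctr
PermitRootLogin no
Match User svcacct
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Note that a commented-out PermitRootLogin line, as in the weak sample, counts as unset: sshd ignores it, so the check must too.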

CCE-80127-4 Install McAfee Virus Scanning Software (Control Group = n/a)

Check

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Comments

Customer Responsibility. Install virus scanning software. RSA does not provide this software.

CCE-80129-0 Virus Scanning Software Definitions Are Updated (Control Group = n/a)

Check

Make sure that virus definition files are no older than 7 days or their last release.

Comments

Customer Responsibility. RSA does not provide this software.

CCE-80207-4 Enable Smart Card Login (Control Group = n/a)

Check

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult the documentation at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards
https://access.redhat.com/solutions/82273

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of RSA NetWitness.

CCE-80359-3 Enable FIPS Mode in GRUB2 (Control Group = fips-kernel)

Check

To ensure FIPS mode is enabled, install the dracut-fips package and rebuild the initramfs by running the following commands:
$ sudo yum install dracut-fips
$ sudo dracut -f

After the dracut command has run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file, as shown in the following example:
GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'

Finally, rebuild the grub.cfg file with the grub2-mkconfig -o command. On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Comments

Customer Responsibility. NetWitness Platform does not enable FIPS mode by default. You can enable FIPS by following the procedures in Configure FIPS Support.
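After following the GRUB 2 steps above it is worth confirming that /etc/default/grub really carries fips=1 and that nothing later on the command line overrides it, since the kernel honours the last occurrence of a parameter. The following checker is an added example, not RSA NetWitness code; the before/after fragments of /etc/default/grub it evaluates are constructed, and the /proc/sys/crypto/fips_enabled read reports the running kernel's state only on a Linux host.

```python
"""Check whether /etc/default/grub carries the fips=1 kernel argument that the
CCE-80359-3 procedure above adds. Added example, not RSA NetWitness code.
"""
import os
import shlex

FIPS_PROC = "/proc/sys/crypto/fips_enabled"


def grub_cmdline_args(grub_default_text):
    """Return the kernel arguments from GRUB_CMDLINE_LINUX as a list.

    The value is shell-quoted (single or double quotes), so it is unquoted with
    shlex first and then split on whitespace the way the kernel does.
    """
    for raw in grub_default_text.splitlines():
        line = raw.strip()
        if line.startswith("GRUB_CMDLINE_LINUX="):
            quoted = line[len("GRUB_CMDLINE_LINUX="):]
            return " ".join(shlex.split(quoted)).split()
    return []


def effective_fips_setting(grub_default_text):
    """Value of the last fips= argument, or None if absent.

    The kernel uses the last occurrence of a parameter, so 'fips=1 ... fips=0'
    leaves FIPS mode off even though fips=1 is present.
    """
    value = None
    for arg in grub_cmdline_args(grub_default_text):
        if arg.startswith("fips="):
            value = arg[len("fips="):]
    return value


def fips_configured(grub_default_text):
    """True when the next boot will request FIPS mode."""
    return effective_fips_setting(grub_default_text) == "1"


def fips_enabled_now():
    """Runtime state of the running kernel, or None when not on a Linux host."""
    if not os.path.exists(FIPS_PROC):
        return None
    with open(FIPS_PROC) as f:
        return f.read().strip() == "1"


# Constructed before/after fragments of /etc/default/grub (not from a NetWitness host).
GRUB_BEFORE = """GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rhgb quiet rd.shell=0"
"""

GRUB_AFTER = """GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rhgb quiet rd.shell=0 fips=1'
"""

# fips=1 is present but a later fips=0 wins: a subtle way to fail the check.
GRUB_OVERRIDDEN = """GRUB_CMDLINE_LINUX="fips=1 crashkernel=auto rd.shell=0 fips=0"
"""

if __name__ == "__main__":
    print("before:", effective_fips_setting(GRUB_BEFORE))
    print("after:", effective_fips_setting(GRUB_AFTER))
    print("overridden:", effective_fips_setting(GRUB_OVERRIDDEN))
    print("running kernel:", fips_enabled_now())
```

Because /etc/default/grub only feeds grub2-mkconfig, a configured fips=1 does not take effect until grub.cfg has been regenerated and the host rebooted; compare fips_configured() with fips_enabled_now() to see whether that reboot has happened.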

CCE-80374-2 Configure Notification of Post-AIDE Scan Details (Control Group = n/a)

Check

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line:
| /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
Otherwise, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
AIDE can be executed periodically through other means. This is just one example.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.

CCE-80375-9 Configure AIDE to Verify Access Control Lists (Control Group = n/a)

Check

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.

CCE-80376-7 Configure AIDE to Verify Extended Attributes (Control Group = n/a)

Check

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways. This is just one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.

CCE-80377-5 Configure AIDE to Use FIPS 140-2 for Validating Hashes (Control Group = n/a)

Check

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in the /etc/aide.conf file:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.
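The AIDE exceptions in this section (periodic execution in /etc/crontab for CCE-26952-2, mail notification for CCE-80374-2, and the acl, xattrs and sha512 ruleset options for CCE-80375-9, CCE-80376-7 and CCE-80377-5) can all be verified from the two configuration files involved. The script below is an added example written for this guide, not RSA NetWitness tooling; the crontab and aide.conf fragments it evaluates are constructed, and it goes slightly beyond the page's cron lines by also recognising the @daily and @weekly time codes the text says are acceptable and by expanding ruleset references such as NORMAL = FIPSR+sha512.

```python
"""Verify an AIDE deployment against the checks in this section: periodic
execution in /etc/crontab (CCE-26952-2), mail notification of scan results
(CCE-80374-2), and the acl, xattrs and sha512 ruleset options (CCE-80375-9,
CCE-80376-7, CCE-80377-5).

Added example, not RSA NetWitness tooling; the crontab and aide.conf inputs
below are constructed.
"""
import re

AIDE_CHECK_RE = re.compile(r"/usr/sbin/aide\b.*--check")
MAIL_PIPE_RE = re.compile(r"\|\s*(?:/usr/bin/|/bin/)?mailx?\b")
# 'NAME = opt+opt+...' ruleset definitions; 'database=file:...' style lines do not match.
RULESET_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\w+(?:\+\w+)*)\s*$")


def crontab_entries(text):
    """Yield (schedule, user, command) for each job line in a system crontab.

    Skips blanks, comments and variable assignments (SHELL=, MAILTO=, ...) and
    accepts both five-field schedules and special codes such as @daily.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:
            continue
        if fields[0].startswith("@") and len(fields) >= 3:
            yield fields[0], fields[1], " ".join(fields[2:])
        elif len(fields) >= 7:
            yield " ".join(fields[:5]), fields[5], " ".join(fields[6:])


def aide_schedule(crontab_text):
    """Classify the first AIDE check job as 'daily', 'weekly' or 'other'.

    Returns (kind, command); (None, None) when no AIDE check is scheduled.
    """
    for schedule, _user, command in crontab_entries(crontab_text):
        if not AIDE_CHECK_RE.search(command):
            continue
        if schedule in ("@daily", "@midnight"):
            return "daily", command
        if schedule == "@weekly":
            return "weekly", command
        fields = schedule.split()
        if len(fields) == 5 and fields[2] == "*" and fields[3] == "*":
            # day-of-month and month unrestricted: '*' weekday is daily, a fixed weekday is weekly
            return ("daily" if fields[4] == "*" else "weekly"), command
        return "other", command
    return None, None


def notifies_by_mail(command):
    """CCE-80374-2: the scan output must be piped to mail."""
    return bool(command) and MAIL_PIPE_RE.search(command) is not None


def aide_rulesets(conf_text):
    """Parse ruleset definitions from aide.conf and expand references to other
    rulesets, so NORMAL = FIPSR+sha512 inherits everything in FIPSR."""
    raw = {}
    for line in conf_text.splitlines():
        m = RULESET_RE.match(line)
        if m:
            raw[m.group(1)] = m.group(2).split("+")

    def expand(name, seen):
        options = set()
        for item in raw.get(name, []):
            if item in raw and item not in seen:
                options |= expand(item, seen | {name})
            else:
                options.add(item)
        return options

    return {name: expand(name, set()) for name in raw}


def audit_aide(crontab_text, conf_text, ruleset="NORMAL"):
    """Combine the cron and ruleset checks into one report for the given ruleset."""
    kind, command = aide_schedule(crontab_text)
    options = aide_rulesets(conf_text).get(ruleset, set())
    return {
        "scheduled": kind in ("daily", "weekly"),
        "frequency": kind,
        "mail_notification": notifies_by_mail(command),
        "acl": "acl" in options,
        "xattrs": "xattrs" in options,
        "sha512": "sha512" in options,
    }


# Constructed /etc/crontab and /etc/aide.conf fragments (not from a NetWitness host).
CRONTAB_SAMPLE = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
05 4 * * 0 root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
"""

AIDE_CONF_SAMPLE = """database=file:/var/lib/aide/aide.db.gz
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
/boot   NORMAL
"""

if __name__ == "__main__":
    print(audit_aide(CRONTAB_SAMPLE, AIDE_CONF_SAMPLE))
```

A schedule whose day-of-month or month field is restricted (for example 0 4 1 * *) is reported as other, because it runs less often than the weekly minimum the CCE-26952-2 check requires.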

CCE-80519-2 Install Smart Card Packages For Multi-Factor Authentication (Control Group = n/a)

Check

Configure the operating system to implement multifactor authentication by installing the required packages with the following command:
$ sudo yum install esc pam_pkcs11 authconfig-gtk

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of RSA NetWitness.

Exceptions That Are Not a Finding

The following exceptions do not apply to NetWitness Platform. RSA has verified that the system meets these requirements.

CCE-26404-4 Ensure /var Located On Separate Partition (Control Group = n/a)

Check

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Comments

Not a Finding. NetWitness software is installed in /var/netwitness by default, and /var/netwitness is a separate partition.

CCE-26828-4 Disable DCCP Support (Control Group = n/a)

Check

Verify that the GNOME login inactivity timeout is set on the host (the graphical desktop environment must set the idle timeout to no more than 15 minutes).

Comments

Not a Finding. NetWitness Platform does not use the GNOME graphical user interface (GUI) desktop.

CCE-26884-7 Set Lockout Time For Failed Password Attempts (Control Group = auth)

Check

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
Add the following line immediately after the pam_unix.so statement in