Sys Maintenance: DISA STIG

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Product Team on Sep 16, 2020.

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

RSA NetWitness Platform version 11.3.1 supports all Audit Rules in the DISA STIG Control Group. RSA will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage-stig-controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control group 1-ssh-prevent-root and control group 3-fips-kernel. You can enable or disable rules by control group using the manage-stig-controls script.

How STIG Limits Account Access

The STIG hardening RPM helps to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack by limiting account access to a system. For example, the STIG script:

  • Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
  • Applies auditing and logging of user actions on the host.

NetWitness Passwords

RSA NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a set of standards managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.

Disable Rules in OpenSCAP Report that Hang the Report

There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable items on the SCAP report:

sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

where rule-id is the Rule ID of the rule that hangs during a test.

For example, the report has a rule ID called partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against that rule. This means that you need to check for compliance to the partition_for_audit rule manually.
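The sed one-liner above matches text, so it cannot tell you whether the rule id actually existed in the profile or which rules are now skipped. The following added example (not code from the RSA page or the OpenSCAP project) does the same flip on the XCCDF <select idref="..." selected="..."> element with an XML parser, reports which ids it changed, and lists every rule the scanner will skip so those can be tracked for the manual check the page calls for. The benchmark document it works on is a small constructed sample in the XCCDF 1.1 namespace, not the real ssg-rhel7-xccdf.xml; the profile id "stig" and the rule ids are taken from the page or constructed.

```python
"""Disable XCCDF rule selections by id and list what must then be checked by hand.

Added example, not from the RSA page. It does with ElementTree what the page's
sed one-liner does textually: flip selected="true" to "false" on the
<select idref="..."> element of a profile, and report every rule that is now
unselected so those rules can be tracked for manual review.
Assumptions: the file uses the XCCDF <Profile>/<select idref selected> layout
(handled namespace-agnostically here); the sample below is constructed and much
smaller than the real ssg-rhel7-xccdf.xml.
"""
import xml.etree.ElementTree as ET

XCCDF_11 = "http://checklists.nist.gov/xccdf/1.1"
# Keep the default namespace on output instead of an ns0: prefix.
ET.register_namespace("", XCCDF_11)

# Constructed sample benchmark (rule ids partly from the page, partly made up).
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7-sample">
  <Profile id="stig">
    <title>DISA STIG for Red Hat Enterprise Linux 7 (sample)</title>
    <select idref="partition_for_audit" selected="true"/>
    <select idref="partition_for_var" selected="true"/>
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="kdump_disabled" selected="false"/>
  </Profile>
</Benchmark>
"""


def _local(tag):
    """Strip the namespace part from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _selects(root, profile_id):
    """Yield the <select> children of the named profile, whatever the namespace."""
    for prof in root.iter():
        if _local(prof.tag) == "Profile" and prof.get("id") == profile_id:
            for el in prof:
                if _local(el.tag) == "select":
                    yield el


def disable_rules(xccdf_text, profile_id, rule_ids):
    """Return (new_xml_text, changed): changed lists the rule ids flipped from
    selected="true" to "false". Unknown ids are left alone and not reported,
    so a typo in an id never silently removes a control from the scan."""
    root = ET.fromstring(xccdf_text)
    wanted = set(rule_ids)
    changed = []
    for el in _selects(root, profile_id):
        if el.get("idref") in wanted and el.get("selected") == "true":
            el.set("selected", "false")
            changed.append(el.get("idref"))
    return ET.tostring(root, encoding="unicode"), changed


def unselected_rules(xccdf_text, profile_id):
    """Rule ids the scanner will skip for this profile: each one needs a
    manual compliance check, as the page notes for partition_for_audit."""
    root = ET.fromstring(xccdf_text)
    return sorted(el.get("idref") for el in _selects(root, profile_id)
                  if el.get("selected") != "true")


if __name__ == "__main__":
    new_xml, flipped = disable_rules(SAMPLE_XCCDF, "stig",
                                     ["partition_for_audit", "no_such_rule"])
    print("disabled:", flipped)
    print("check manually:", unselected_rules(new_xml, "stig"))
```

To apply this to the real file, read /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml into xccdf_text, write new_xml back, and keep the unselected_rules output with the scan results as the list of rules that were verified by hand.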

Install OpenSCAP

To install OpenSCAP:

  1. SSH to the host.
  2. Create a centos-Base.repo file under the /etc/yum.repos.d directory.
    The following example shows the contents of the centos-Base.repo file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

  3. Execute the following commands.

    yum install openscap-scanner

    yum install scap-security-guide

For fresh installs, the OpenSCAP report is on the Image.

Sample Report

The following report is a sample section from an OpenSCAP report.

(Image: OpenSCAP report section sample)

Report Fields

Section | Field | Description
Introduction - Test Result | Result ID | The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.
Introduction - Test Result | Profile | XCCDF profile under which the report results are categorized.
Introduction - Test Result | Start time | When the report started.
Introduction - Test Result | End time | When the report ended.
Introduction - Test Result | Benchmark | XCCDF benchmark.
Introduction - Test Result | Benchmark version | Version number of the benchmark.
Introduction - Score | system | XCCDF scoring method.
Introduction - Score | score | Score attained after running the report.
Introduction - Score | max | Highest score attainable.
Introduction - Score | % | Score attained after running the report as a percentage.
Introduction - Score | bar | Not Applicable.
Results overview - Rule Results Summary | pass | Passed rule check.
Results overview - Rule Results Summary | fixed | Rule check that failed previously is now fixed.
Results overview - Rule Results Summary | fail | Failed rule check.
Results overview - Rule Results Summary | error | Could not perform rule check.
Results overview - Rule Results Summary | not selected | This check was not applicable to your NetWitness Platform deployment.
Results overview - Rule Results Summary | not checked | Rule could not be checked. There are several reasons why a rule cannot be checked. For example, the rule check requires a check engine not supported by the OpenSCAP report.
Results overview - Rule Results Summary | not applicable | Rule check does not apply to your NetWitness Platform deployment.
Results overview - Rule Results Summary | informational | Rule checks for informational purposes only (no action required for fail).
Results overview - Rule Results Summary | unknown | Report was able to check the rule. Run steps manually as described in the report to check the rule.
Results overview - Rule Results Summary | total | Total number of rules checked.
Exceptions | Title | Name of rule being checked.
Exceptions | Result | Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown.

Note: Result values are defined in the Results overview - Rule Results Summary.
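The HTML report shows the Rule Results Summary and the Score block for one host. When you produce the XML results file instead (the --results form of the command), the same numbers can be computed from it and the failing rules matched against the Rules List and the Exceptions section by CCE number. The following added example (not code from the RSA page or the OpenSCAP project) does that for the XCCDF 1.1 TestResult layout that oscap writes; the results document it parses is a constructed sample, and the rule ids in it are made up (the CCE numbers are taken from the page). Note that the XML spells the result values without spaces (notselected, notchecked, notapplicable), which the report renders as "not selected" and so on.

```python
"""Summarize an XCCDF results file the way the OpenSCAP report's Score and
"Rule Results Summary" blocks do, and list the rules that need attention by CCE.

Added example, not from the RSA page or the OpenSCAP project. Assumes the
<score>, <rule-result>/<result>/<ident> layout of an XCCDF 1.1 TestResult
(what `oscap xccdf eval --results` writes); the sample below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Result values in the order the report's summary table lists them.
RESULT_VALUES = ("pass", "fixed", "fail", "error", "notselected",
                 "notchecked", "notapplicable", "informational", "unknown")
# Results that need action or a manual check before the host can be called compliant.
ATTENTION = frozenset(["fail", "error", "unknown", "notchecked"])

# Constructed sample results document (rule ids invented; CCEs from the page).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="stig-results-sample">
  <profile idref="stig"/>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
  <rule-result idref="sample_password_difok" severity="medium">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-26631-2</ident>
  </rule-result>
  <rule-result idref="sample_partition_audit" severity="low">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-26971-2</ident>
  </rule-result>
  <rule-result idref="sample_sshd_ciphers" severity="medium">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27295-5</ident>
  </rule-result>
  <rule-result idref="sample_kdump" severity="medium">
    <result>notselected</result>
  </rule-result>
  <rule-result idref="sample_aide_cron" severity="medium">
    <result>notchecked</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-26952-2</ident>
  </rule-result>
</TestResult>
"""


def _local(tag):
    """Strip the namespace part from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text):
    """Return (score_info, rows). score_info mirrors the report's Score block
    (system, score, max, pct); rows holds one dict per rule-result with the
    rule id, its result value and its CCE number (None if the rule has none)."""
    root = ET.fromstring(xml_text)
    score_el = next(el for el in root.iter() if _local(el.tag) == "score")
    score = float(score_el.text)
    maximum = float(score_el.get("maximum", "100"))
    info = {"system": score_el.get("system"), "score": score, "max": maximum,
            "pct": round(100.0 * score / maximum, 2) if maximum else 0.0}
    rows = []
    for rr in root.iter():
        if _local(rr.tag) != "rule-result":
            continue
        result, cce = None, None
        for child in rr:
            if _local(child.tag) == "result":
                result = (child.text or "").strip()
            elif _local(child.tag) == "ident" and "cce" in (child.get("system") or "").lower():
                cce = (child.text or "").strip()
        rows.append({"rule": rr.get("idref"), "result": result, "cce": cce})
    return info, rows


def summary(rows):
    """Per-result counts plus total, like the Rule Results Summary block."""
    counts = Counter(r["result"] for r in rows)
    out = {value: counts.get(value, 0) for value in RESULT_VALUES}
    out["total"] = len(rows)
    return out


def needs_attention(rows):
    """(CCE-or-rule-id, result) pairs for rules that failed, errored, or were
    not checked, sorted so they can be matched against the Rules List and the
    Exceptions section by CCE number."""
    return sorted((r["cce"] or r["rule"], r["result"])
                  for r in rows if r["result"] in ATTENTION)


if __name__ == "__main__":
    score_info, result_rows = parse_results(SAMPLE_RESULTS)
    print(score_info)
    print(summary(result_rows))
    for ident, result in needs_attention(result_rows):
        print(f"{ident}: {result}")
```

Point the parser at /root/stigscan/HOSTNAME.xml (the --results path used in the procedures that follow) to get the same summary for a real host; a CCE that appears in needs_attention and also in the Exceptions section with the comment "Not a Finding" can be closed without further work, while a "Customer Responsibility" one still has to be fixed or accepted.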

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only

To create an OpenSCAP report in HTML only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --report /root/stigscan/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. Open the report in your browser:

    /tmp/hostname-ssg-results.html

Create Report in XML Only

To create an OpenSCAP report in xml only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /root/stigscan/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Create Report in Both XML and HTML

To create an OpenSCAP report in both xml and html:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /root/stigscan/`hostname`.xml --report /root/stigscan/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Manage STIG Controls Script (manage-stig-controls)

You can use the manage-stig-controls script and its arguments to enable or disable the STIG Control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments, and you can enable or disable all control groups or individual control groups. This script is available in the /usr/bin/ directory.

To manage STIG controls for a host:

  1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
  2. Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
  3. Reboot the host.

Commands

Command | Description

--enable-all-controls
    Enables all STIG controls. For example:
    manage-stig-controls --enable-all-controls

--disable-all-controls
    Disables all STIG controls. For example:
    manage-stig-controls --disable-all-controls

--enable-default-controls
    Enables all STIG Controls except ssh-prevent-root and fips-kernel. For example:
    manage-stig-controls --enable-default-controls

--enable-control-groups <IDs>
    Enables a comma-delimited list of STIG Control Group IDs. For example:
    manage-stig-controls --enable-control-groups '1, 2, 3'

--disable-control-groups <IDs>
    Disables a comma-delimited list of STIG Control Group IDs. For example:
    manage-stig-controls --disable-control-groups '1, 2, 3'

Control Groups

You use the ID as an argument for the control group or groups.

ID | Group | Description | Specified by Default
1 | ssh-prevent-root | Prevent root login through SSH. | no
2 | ssh | SSH STIG configuration. | yes
3 | fips-kernel | FIPS Kernel configuration | no
4 | auth | Authentication STIG configuration | yes
5 | audit | Audit STIG configuration | yes
6 | packages | RPM Package STIG configuration | yes
7 | services | Services STIG configuration | yes

Other Arguments

Argument | Description

--host-all
    Apply STIG configuration to all hosts. For example:
    manage-stig-controls --host-all

--skip-health-checks
    Disable health checks for all hosts (not recommended). For example:
    manage-stig-controls --skip-health-checks

--host-id <id>
    Apply STIG configuration for the host identified by <id> (host identification code). For example:
    manage-stig-controls --host-id <id>

--host-name <display-name>
    Apply STIG configuration for the host identified by <display-name>. display-name is the value shown under Name in the (Admin) > Hosts view in the NetWitness Platform Interface. For example:
    manage-stig-controls --host-name <display-name>

--host-addr <Hostname-in UI>
or
--host-addr <hostname>
    Apply STIG configuration for the host identified by the value shown under Hostname in the (Admin) > Hosts > Edit dialog in the NetWitness Platform Interface. This value can be an IP address (default) or a user-specified name. For example:
    manage-stig-controls --host-addr <hostname>

-v, --verbose
    Enable verbose output. For example:
    manage-stig-controls -v

Rules List

The following table lists all the STIG rules with their:

  • Control Group - you can use the Control Group ID as an argument in the manage-stig-controls script to expand or reduce the scope of rules checked. (1 = ssh-prevent-root, 2 = ssh, 3 = fips-kernel, 4 = auth, 5 = audit, 6 = packages, 7 = services)
  • Default Status - tells you if the rule is enabled or disabled by default.
  • Passed or Exception status - tells you if the rule passed (that is, complies with STIG) or is an exception.
CCE Number | Rule Name | Control Group | Default Status | Passed/Exception
CCE-26404-4 | Ensure /var Located On Separate Partition | n/a | n/a | Exception
CCE-26631-2 | Set Password Strength Minimum Different Characters | auth | enabled | Passed
CCE-26828-4 | Disable DCCP Support | n/a | n/a | Exception
CCE-26884-7 | Set Lockout Time For Failed Password Attempts | auth | enabled | Exception
CCE-26892-0 | Set the GNOME3 Login Warning Banner Text | n/a | enabled | Passed
CCE-26923-3 | Limit Password Reuse | n/a | enabled | Passed
CCE-26952-2 | Configure Periodic Execution of AIDE | audit | enabled | Exception
CCE-26970-4 | Enable GNOME3 Login Warning Banner | audit | enabled | Passed
CCE-26971-2 | Ensure /var/log/audit Located On Separate Partition | audit | enabled | Exception
CCE-26989-4 | Ensure gpgcheck Enabled In Main Yum Configuration | n/a | enabled | Passed
CCE-27002-5 | Set Password Minimum Age | n/a | enabled | Passed
CCE-27051-2 | Set Password Maximum Age | auth | enabled | Passed
CCE-27053-8 | Set Password Hashing Algorithm in /etc/libuser.conf | n/a | enabled | Passed
CCE-27081-9 | Limit the Number of Concurrent Login Sessions Allowed Per User | auth | enabled | Passed
CCE-27082-7 | Set SSH Client Alive Count | ssh | disabled | Passed
CCE-27083-5 | Record Events that Modify the System's Discretionary Access Controls - lchown | audit | enabled | Passed
CCE-27096-7 | Install AIDE | n/a | n/a | Exception
CCE-27104-9 | Set PAM's Password Hashing Algorithm | n/a | enabled | Passed
CCE-27115-5 | Set Password Strength Minimum Different Categories | audit | enabled | Passed
CCE-27124-7 | Set Password Hashing Algorithm in /etc/login.defs | n/a | enabled | Passed
CCE-27127-0 | Enable Randomized Layout of Virtual Address Space | n/a | enabled | Exception
CCE-27157-7 | Verify File Hashes with RPM | n/a | n/a | Exception
CCE-27160-1 | Set Password Retry Prompts Permitted Per-Session | n/a | enabled | Passed
CCE-27165-0 | Uninstall telnet-server Package | n/a | enabled | Passed
CCE-27173-4 | Ensure /tmp Located On Separate Partition | n/a | n/a | Exception
CCE-27175-9 | Verify Only Root Has UID 0 | n/a | enabled | Passed
CCE-27200-5 | Set Password Strength Minimum Uppercase Characters | auth | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - rename | audit | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - unlinkat | audit | enabled | Passed
CCE-27206-2 | Ensure auditd Collects File Deletion Events by User - unlink | audit | enabled | Passed
CCE-27209-6 | Verify and Correct File Permissions with RPM | n/a | n/a | Exception
CCE-27213-8 | Record Events that Modify the System's Discretionary Access Controls - setxattr | audit | enabled | Passed
CCE-27214-6 | Set Password Strength Minimum Digit Characters | auth | enabled | Passed
CCE-27218-7 | Remove the X Windows Package Group | n/a | enabled | Passed
CCE-27275-7 | Set Last Logon/Access Notification | n/a | enabled | Passed
CCE-27277-3 | Disable Modprobe Loading of USB Storage Driver | services | enabled | Exception
CCE-27279-9 | Configure SELinux Policy | n/a | enabled | Passed
CCE-27280-7 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | audit | enabled | Passed
CCE-27286-4 | Prevent Log In to Accounts With Empty Password | n/a | enabled | Passed
CCE-27287-2 | Require Authentication for Single User Mode | n/a | enabled | Passed
CCE-27293-0 | Set Password Minimum Length | auth | enabled | Passed
CCE-27295-5 | Use Only FIPS 140-2 Validated Ciphers | n/a | enabled | Exception
CCE-27297-1 | Set Interval For Counting Failed Password Attempts | auth | enabled | Passed
CCE-27303-7 | Modify the System Login Banner | ssh | enabled | Exception
CCE-27309-4 | Set Boot Loader Password in grub2 | n/a | enabled | Exception
CCE-27311-0 | Verify Permissions on SSH Server Public *.pub Key Files | n/a | enabled | Passed
CCE-27314-4 | Enable SSH Warning Banner | ssh | enabled | Passed
CCE-27320-1 | Allow Only SSH Protocol 2 | n/a | enabled | Passed
CCE-27326-8 | Ensure No Device Files are Unlabeled by SELinux | n/a | enabled | Passed
CCE-27333-4 | Set Password Maximum Consecutive Repeating Characters | n/a | enabled | Passed
CCE-27334-2 | Ensure SELinux State is Enforcing | n/a | enabled | Exception
CCE-27339-1 | Record Events that Modify the System's Discretionary Access Controls - chmod | audit | enabled | Passed
CCE-27342-5 | Uninstall rsh-server Package | n/a | enabled | Passed
CCE-27343-3 | Ensure Logs Sent To Remote Host | n/a | n/a | Passed
CCE-27345-8 | Set Password Strength Minimum Lowercase Characters | auth | enabled | Passed
CCE-27349-0 | Set Default firewalld Zone for Incoming Packets | n/a | n/a | Exception
CCE-27350-8 | Set Deny For Failed Password Attempts | auth | enabled | Passed
CCE-27351-6 | Install the screen Package | n/a | enabled | Passed
CCE-27353-2 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | audit | enabled | Passed
CCE-27355-7 | Set Account Expiration Following Inactivity | n/a | enabled | Passed
CCE-27356-5 | Record Events that Modify the System's Discretionary Access Controls - fchown | audit | enabled | Passed
CCE-27358-1 | Deactivate Wireless Network Interfaces | n/a | enabled | Passed
CCE-27360-7 | Set Password Strength Minimum Special Characters | auth | enabled | Passed
CCE-27361-5 | Verify firewalld Enabled | n/a | n/a | Exception
CCE-27363-1 | Do Not Allow SSH Environment Options | ssh | enabled | Passed
CCE-27364-9 | Record Events that Modify the System's Discretionary Access Controls - chown | audit | enabled | Passed
CCE-27367-2 | Record Events that Modify the System's Discretionary Access Controls - removexattr | audit | enabled | Passed
CCE-27375-5 | Configure auditd space_left Action on Low Disk Space | audit | enabled | Passed
CCE-27377-1 | Disable SSH Support for .rhosts Files | n/a | enabled | Passed
CCE-27386-2 | Ensure Default SNMP Password Is Not Used | n/a | n/a | Exception
CCE-27387-0 | Record Events that Modify the System's Discretionary Access Controls - fchownat | audit | enabled | Passed
CCE-27388-8 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | audit | enabled | Passed
CCE-27389-6 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | audit | enabled | Passed
CCE-27393-8 | Record Events that Modify the System's Discretionary Access Controls - fchmod | audit | enabled | Passed
CCE-27394-6 | Configure auditd mail_acct Action on Low Disk Space | audit | enabled | Passed
CCE-27399-5 | Uninstall ypserv Package | n/a | enabled | Passed
CCE-27407-6 | Enable auditd Service | audit | enabled | Passed
CCE-27410-0 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | audit | enabled | Passed
CCE-27413-4 | Disable Host-Based Authentication | n/a | enabled | Passed
CCE-27433-2 | Set SSH Idle Timeout Interval | ssh | enabled | Passed
CCE-27434-0 | Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces | n/a | enabled | Passed
CCE-27437-3 | Ensure auditd Collects Information on the Use of Privileged Commands | audit | enabled | Passed
CCE-27445-6 | Disable SSH Root Login | n/a | n/a | Exception
CCE-27447-2 | Ensure auditd Collects Information on Exporting to Media (successful) | audit | enabled | Passed
CCE-27455-5 | Use Only FIPS 140-2 Validated MACs | n/a | enabled | Passed
CCE-27458-9 | Mount Remote Filesystems with Kerberos Security | n/a | enabled | Passed
CCE-27461-3 | Ensure auditd Collects System Administrator Actions | audit | enabled | Passed
CCE-27471-2 | Disable SSH Access via Empty Passwords | n/a | enabled | Exception
CCE-27485-2 | Verify Permissions on SSH Server Private *_key Key Files | n/a | n/a | Passed
CCE-27498-5 | Disable the Automounter | n/a | enabled | Passed
CCE-27503-2 | All GIDs referenced in /etc/passwd must be defined in /etc/group | n/a | enabled | Passed
CCE-27511-5 | Disable Ctrl-Alt-Del Reboot Activation | services | enabled | Passed
CCE-27512-3 | Set Password to Maximum of Consecutive Repeating Characters from Same Character Class | auth | enabled | Passed
CCE-27557-8 | Set Interactive Session Timeout | auth | disabled | Passed
CCE-80104-3 | Disable GDM Automatic Login | n/a | enabled | Passed
CCE-80105-0 | Disable GDM Guest Login | n/a | enabled | Passed
CCE-80108-4 | Enable the GNOME3 Login Smartcard Authentication | n/a | enabled | Passed
CCE-80110-0 | Set GNOME3 Screensaver Inactivity Timeout | n/a | enabled | Passed
CCE-80111-8 | Enable GNOME3 Screensaver Idle Activation | n/a | enabled | Passed
CCE-80112-6 | Enable GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed
CCE-80127-4 | Install McAfee Virus Scanning Software | n/a | n/a | Exception
CCE-80129-0 | Virus Scanning Software Definitions Are Updated | n/a | n/a | Exception
CCE-80134-0 | Ensure All Files Are Owned by a User | n/a | enabled | Passed
CCE-80135-7 | Ensure All Files Are Owned by a Group | n/a | enabled | Passed
CCE-80136-5 | Ensure All World-Writable Directories Are Owned by a System Account | n/a | enabled | Passed
CCE-80144-9 | Ensure /home Located On Separate Partition | n/a | enabled | Passed
CCE-80148-0 | Add nosuid Option to Removable Media Partitions | n/a | enabled | Passed
CCE-80156-3 | Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces | n/a | n/a | Exception
CCE-80157-1 | Disable Kernel Parameter for IP Forwarding | n/a | n/a | Exception
CCE-80158-9 | Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces | n/a | n/a | Exception
CCE-80162-1 | Configure Kernel Parameter for Accepting Source-Routed Packets By Default | n/a | enabled | Passed
CCE-80163-9 | Configure Kernel Parameter for Accepting ICMP Redirects By Default | n/a | n/a | Exception
CCE-80165-4 | Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests | n/a | n/a | Exception
CCE-80174-6 | Ensure System is Not Acting as a Network Sniffer | n/a | enabled | Passed
CCE-80179-5 | Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces | n/a | n/a | Exception
CCE-80192-8 | Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | n/a | enabled | Passed
CCE-80205-8 | Ensure the Default Umask is Set Correctly in login.defs | n/a | enabled | Passed
CCE-80207-4 | Enable Smart Card Login | n/a | n/a | Exception
CCE-80213-2 | Uninstall tftp-server Package | n/a | enabled | Passed
CCE-80214-0 | Ensure tftp Daemon Uses Secure Mode | n/a | enabled | Passed
CCE-80215-7 | Install the OpenSSH Server Package | n/a | enabled | Passed
CCE-80216-5 | Enable the OpenSSH Service | n/a | enabled | Passed
CCE-80220-7 | Disable GSSAPI Authentication | ssh | enabled | Passed
CCE-80221-5 | Disable Kerberos Authentication | n/a | enabled | Passed
CCE-80222-3 | Enable Use of Strict Mode Checking | n/a | enabled | Passed
CCE-80223-1 | Enable Use of Privilege Separation | n/a | enabled | Passed
CCE-80224-9 | Disable Compression Or Set Compression to delayed | n/a | enabled | Passed
CCE-80225-6 | Print Last Log | n/a | enabled | Exception
CCE-80226-4 | Enable Encrypted X11 Forwarding | n/a | n/a | Exception
CCE-80240-5 | Mount Remote Filesystems with nosuid | n/a | enabled | Passed
CCE-80245-4 | Uninstall vsftpd Package | n/a | enabled | Passed
CCE-80258-7 | Disable KDump Kernel Crash Analyzer (kdump) | services | enabled | Passed
CCE-80346-0 | Ensure YUM Removes Previous Package Versions | packages | enabled | Passed
CCE-80347-8 | Ensure gpgcheck Enabled for Local Packages | packages | enabled | Passed
CCE-80348-6 | Ensure gpgcheck Enabled for Repository Metadata | n/a | n/a | Exception
CCE-80349-4 | The Installed Operating System Is Vendor Supported and Certified | n/a | n/a | Exception
CCE-80350-2 | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | n/a | enabled | Passed
CCE-80351-0 | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | n/a | enabled | Passed
CCE-80352-8 | Ensure the Logon Failure Delay is Set Correctly in login.defs | auth | enabled | Passed
CCE-80353-6 | Configure the root Account for Failed Password Attempts | auth | enabled | Passed
CCE-80354-4 | Set the UEFI Boot Loader Password | fips-kernel | disabled | Passed
CCE-80359-3 | Enable FIPS Mode in GRUB2 | fips-kernel | disabled | Exception
CCE-80370-0 | Set GNOME3 Screensaver Lock Delay After Activation Period | n/a | enabled | Passed
CCE-80371-8 | Ensure Users Cannot Change GNOME3 Screensaver Settings | n/a | enabled | Passed
CCE-80372-6 | Disable SSH Support for User Known Hosts | ssh | enabled | Passed
CCE-80373-4 | Disable SSH Support for Rhosts RSA Authentication | audit | enabled | Passed
CCE-80374-2 | Configure Notification of Post-AIDE Scan Details | n/a | n/a | Exception
CCE-80375-9 | Configure AIDE to Verify Access Control Lists (ACLs) | n/a | n/a | Exception
CCE-80376-7 | Configure AIDE to Verify Extended Attributes | n/a | n/a | Exception
CCE-80377-5 | Configure AIDE to Use FIPS 140-2 for Validating Hashes | n/a | n/a | Exception
CCE-80378-3 | Verify User Who Owns /etc/cron.allow file | n/a | enabled | Passed
CCE-80379-1 | Verify Group Who Owns /etc/cron.allow file | n/a | enabled | Passed
CCE-80380-9 | Ensure cron Is Logging To Rsyslog | n/a | enabled | Passed
CCE-80381-7 | Shutdown System When Auditing Failures Occur | audit | enabled | Passed
CCE-80382-5 | Record Attempts to Alter Logon and Logout Events - tallylog | audit | enabled | Passed
CCE-80383-3 | Record Attempts to Alter Logon and Logout Events - faillock | n/a | n/a | Passed
CCE-80384-1 | Record Attempts to Alter Logon and Logout Events - lastlog | audit | enabled | Passed
CCE-80385-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - creat | audit | enabled | Passed
CCE-80386-6 | Record Unauthorized Access Attempts to Files (unsuccessful) - open | audit | enabled | Passed
CCE-80387-4 | Record Unauthorized Access Attempts to Files (unsuccessful) - openat | audit | enabled | Passed
CCE-80388-2 | Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at | audit | enabled | Passed
CCE-80389-0 | Record Unauthorized Access Attempts to Files (unsuccessful) - truncate | audit | enabled | Passed
CCE-80390-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate | audit | enabled | Passed
CCE-80391-6 | Record Any Attempts to Run semanage | audit | enabled | Passed
CCE-80392-4 | Record Any Attempts to Run setsebool | audit | enabled | Passed
CCE-80393-2 | Record Any Attempts to Run chcon | audit | enabled | Passed
CCE-80395-7 | Ensure auditd Collects Information on the Use of Privileged Commands - passwd | audit | enabled | Passed
CCE-80396-5 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | audit | enabled | Passed
CCE-80397-3 | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | audit | enabled | Passed
CCE-80398-1 | Ensure auditd Collects Information on the Use of Privileged Commands - chage | audit | enabled | Passed
CCE-80399-9 | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | audit | enabled | Passed
CCE-80400-5 | Ensure auditd Collects Information on the Use of Privileged Commands - su | audit | enabled | Passed
CCE-80401-3 | Ensure auditd Collects Information on the Use of Privileged Commands - sudo | audit | enabled | Passed
CCE-80402-1 | Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | audit | enabled | Passed
CCE-80403-9 | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | audit | enabled | Passed
CCE-80404-7 | Ensure auditd Collects Information on the Use of Privileged Commands - chsh | audit | enabled | Passed
CCE-80405-4 | Ensure auditd Collects Information on the Use of Privileged Commands - umount | audit | enabled | Passed
CCE-80406-2 | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | audit | enabled | Passed
CCE-80407-0 | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | audit | enabled | Passed
CCE-80408-8 | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | audit | enabled | Passed
CCE-80410-4 | Ensure auditd Collects Information on the Use of Privileged Commands - crontab | audit | enabled | Passed
CCE-80411-2 | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | audit | enabled | Passed
CCE-80412-0 | Ensure auditd Collects File Deletion Events by User - rmdir | audit | enabled | Passed
CCE-80413-8 | Ensure auditd Collects File Deletion Events by User - renameat | audit | enabled | Passed
CCE-80414-6 | Ensure auditd Collects Information on Kernel Module Loading - init_module | audit | enabled | Passed
CCE-80415-3 | Ensure auditd Collects Information on Kernel Module Unloading - delete_module | audit | enabled | Passed
CCE-80416-1 | Ensure auditd Collects Information on Kernel Module Unloading - rmmod | audit | enabled | Passed
CCE-80417-9 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe | audit | enabled | Passed
CCE-80430-2 | Record Events that Modify User/Group Information - /etc/security/opasswd | audit | enabled | Passed
CCE-80431-0 | Record Events that Modify User/Group Information - /etc/shadow | audit | enabled | Passed
CCE-80432-8 | Record Events that Modify User/Group Information - /etc/gshadow | audit | enabled | Passed
CCE-80433-6 | Record Events that Modify User/Group Information - /etc/group | audit | enabled | Passed
CCE-80434-4 | Ensure Home Directories are Created for New Users | n/a | enabled | Passed
CCE-80435-1 | Record Events that Modify User/Group Information - /etc/passwd | audit | enabled | Passed
CCE-80436-9 | Mount Remote Filesystems with noexec | n/a | enabled | Passed
CCE-80437-7 | Configure PAM in SSSD Services | n/a | n/a | Exception
CCE-80438-5 | Configure Multiple DNS Servers in /etc/resolv.conf | n/a | n/a | Exception
CCE-80439-3 | Configure Time Service Maxpoll Interval | services | enabled | Passed
CCE-80446-8 | Ensure auditd Collects Information on Kernel Module Loading - insmod | audit | enabled | Passed
CCE-80447-6 | Configure the Firewalld Ports | n/a | n/a | Exception
CCE-80513-5 | Remove Host-Based Authentication Files | n/a | enabled | Passed
CCE-80514-3 | Remove User Host-Based Authentication Files | n/a | enabled | Passed
CCE-80515-0 | Configure SSSD LDAP Backend Client CA Certificate Location | n/a | n/a | Exception
CCE-80519-2 | Install Smart Card Packages For Multifactor Authentication | n/a | n/a | Exception
CCE-80537-4 | Configure auditd space_left on Low Disk Space | audit | enabled | Passed
CCE-80544-0 | Ensure Users Cannot Change GNOME3 Session Idle Settings | n/a | enabled | Passed
CCE-80545-7 | Verify and Correct Ownership with RPM | n/a | n/a | Exception
CCE-80546-5 | Configure SSSD LDAP Backend to Use TLS For All Transactions | n/a | n/a | Exception
CCE-80547-3 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | audit | enabled | Passed
CCE-80563-0 | Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed
CCE-80564-8 | Ensure Users Cannot Change GNOME3 Screensaver Idle Activation | n/a | enabled | Passed
CCE-80660-4 | Record Any Attempts to Run setfiles | audit | enabled | Exception
CCE-80661-2 | Ensure auditd Collects Information on Kernel Module Loading - create_module | audit | enabled | Exception
CCE-81153-9 | Add nosuid Option to /home | n/a | enabled | Passed

Exceptions to STIG Compliance

This topic contains:

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerability and Exposure (CVE) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

This section lists the exceptions you can receive when you run the OpenSCAP report. The ID or Common Configuration Enumeration (CCE) number in the table is the identification number for the exception from the OpenSCAP report.

Control Group ID

Number that identifies the control group you specify in the manage-stig-controls script to enable or disable the rule.

ID | Group | Description | Specified by Default
1 | ssh-prevent-root | Prevent root login through SSH. | no
2 | ssh | SSH STIG configuration. | yes
3 | fips-kernel | FIPS Kernel configuration | no
4 | auth | Authentication STIG configuration | yes
5 | audit | Audit STIG configuration | yes
6 | packages | RPM Package STIG configuration | yes
7 | services | Services STIG configuration | yes

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Provides insight on why you would receive this exception.  This section includes one of the following comments that describes the exception:

  • Customer Responsibility - You are responsible to make sure the system meets this requirement.
  • Not a Finding - Exception does not apply to NetWitness Platform. RSA has verified that the system meets this requirement.
  • Future Feature - NetWitness Platform does not meet this requirement. RSA plans to fix this in a future release of NetWitness Platform.

Customer Responsibility Exceptions

CCE-26952-2 Configure Periodic Execution of AIDE (Control Group = audit)

Check

At a minimum, configure AIDE to run a weekly scan and at most, daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:

    05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:

    05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable.
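Because this rule is a Customer Responsibility, the check has to be done by hand once AIDE is installed. The following added example (not code from the RSA page) reads a system crontab and classifies the cadence of the first aide --check entry, accepting the two forms shown above and the @daily/@weekly shortcuts the rule text allows; it assumes the /etc/crontab field layout (minute hour day-of-month month day-of-week user command), and the crontab excerpts it runs on are constructed.

```python
"""Check a system crontab for the periodic AIDE run that rule CCE-26952-2
requires (at least weekly, at most daily).

Added example, not from the RSA page. Assumes the /etc/crontab format
(minute hour day-of-month month day-of-week user command) and the @daily /
@weekly shortcuts the rule text accepts; the crontab excerpts are constructed.
"""
import re

# Constructed /etc/crontab excerpts.
CRONTAB_DAILY = "SHELL=/bin/bash\n05 4 * * * root /usr/sbin/aide --check\n"
CRONTAB_WEEKLY = "05 4 * * 0 root /usr/sbin/aide --check\n"
CRONTAB_MONTHLY = "05 4 1 * * root /usr/sbin/aide --check\n"
CRONTAB_SHORTCUT = "@weekly root /usr/sbin/aide --check 2>&1 | logger -t aide\n"
CRONTAB_NONE = "05 4 * * * root /usr/bin/updatedb\n"

_SHORTCUTS = {"@daily": "daily", "@midnight": "daily", "@weekly": "weekly",
              "@hourly": "hourly", "@monthly": "monthly", "@yearly": "yearly",
              "@annually": "yearly"}
_DOW = r"[0-7]|mon|tue|wed|thu|fri|sat|sun"


def _is_aide_check(command):
    """True for a command that runs aide (any path) with --check."""
    return re.search(r"(^|/|\s)aide\s+.*--check", command) is not None


def aide_schedule(crontab_text):
    """Cadence of the first AIDE --check entry: 'hourly', 'daily', 'weekly',
    'monthly', 'yearly' or 'other'; None when the crontab has no such entry."""
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split(None, 1)[0]:
            continue  # blank line, comment, or a VAR=value assignment
        if s.startswith("@"):
            tag, _, command = s.partition(" ")
            if _is_aide_check(command):
                return _SHORTCUTS.get(tag.lower(), "other")
            continue
        fields = s.split(None, 6)
        if len(fields) < 7 or not _is_aide_check(fields[6]):
            continue
        _minute, hour, dom, month, dow = fields[:5]
        every_day = dom == "*" and month == "*"
        if every_day and dow == "*":
            return "hourly" if "*" in hour else "daily"
        if every_day and re.fullmatch(_DOW, dow.lower()):
            return "weekly"
        if re.fullmatch(r"\d+", dom) and month == "*" and dow == "*":
            return "monthly"
        return "other"
    return None


def aide_compliant(crontab_text):
    """Daily or weekly satisfies the rule; anything else, or no entry, does not."""
    return aide_schedule(crontab_text) in ("daily", "weekly")


if __name__ == "__main__":
    for name, text in [("daily", CRONTAB_DAILY), ("weekly", CRONTAB_WEEKLY),
                       ("monthly", CRONTAB_MONTHLY), ("shortcut", CRONTAB_SHORTCUT),
                       ("none", CRONTAB_NONE)]:
        print(f"{name}: schedule={aide_schedule(text)} compliant={aide_compliant(text)}")
```

Entries placed in /etc/cron.daily or /etc/cron.weekly, or scheduled by a systemd timer, are not visible to this check; it covers only the /etc/crontab mechanism the rule text describes.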

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.

CCE-27096-7 Install AIDE (Control Group = n/a)

Check

Install the AIDE package with the following command:
$ sudo yum install aide

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-27218-7 Remove the X Windows Package Group

Check

The Rule CCE-27218-7 "Remove the X Windows Package Group" is an exception for Log Collector and Log Decoder services.

Comments

Customer Responsibility. The Log Collector plugin collection framework uses SELinux sandbox technology that has a direct dependency on the given rpm. Removing the rpm will lead to loss of plugin collection functionality in the Log Collector service.

CCE-27295-5 Use Only FIPS 140-2 Validated Ciphers (Control Group = n/a)

Check

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

The following ciphers are FIPS 140-2 certified on RHEL 7:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • 3des-cbc
  • rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Comments

Customer Responsibility. Enable FIPS Mode. Refer to the System Maintenance Guide for RSA NetWitness Platform version 11.3 for instructions.

CCE-27445-6 Disable SSH Root Login (Control Group = ssh-prevent-root)

Check

The root user should never be allowed to login to a system directly over a network.

Comments

Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file:
PermitRootLogin no

CCE-80127-4 Install McAfee Virus Scanning Software (Control Group = n/a)

Check

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Comments

Customer Responsibility. Install virus scanning software. RSA does not provide this software.

CCE-80129-0 Virus Scanning Software Definitions Are Updated (Control Group = n/a)

Check

Make sure that virus definition files are no older than 7 days or their last release.

Comments

Customer Responsibility. RSA does not provide this software.

CCE-80207-4 Enable Smart Card Login (Control Group = n/a)

Check

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult the documentation at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards
https://access.redhat.com/solutions/82273

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of RSA NetWitness.

CCE-80359-3 Enable FIPS Mode in GRUB2 (Control Group = fips-kernel)

Check

To ensure FIPS mode is enabled, install the dracut-fips package and rebuild the initramfs by running the following commands:

$ sudo yum install dracut-fips
$ sudo dracut -f

After the dracut command has been run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file as shown in the following example:

GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'

Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command. On BIOS-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Comments

Customer Responsibility. NetWitness Platform does not enable FIPS mode by default. You can enable FIPS by following the procedures in Configure FIPS Support.

CCE-80374-2 Configure Notification of Post-AIDE Scan Details (Control Group = n/a)

Check

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line:
| /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
Otherwise, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
AIDE can be executed periodically through other means. This is just one example.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-80375-9 Configure AIDE to Verify Access Control Lists (Control Group = n/a)

Check

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-80376-7 Configure AIDE to Verify Extended Attributes (Control Group = n/a)

Check

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways. This is just one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-80377-5 Configure AIDE to Use FIPS 140-2 for Validating Hashes (Control Group = n/a)

Check

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in the /etc/aide.conf file:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-80519-2 Install Smart Card Packages For Multi-Factor Authentication (Control Group = n/a)

Check

Configure the operating system to implement multifactor authentication by installing the required packages with the following command:
$ sudo yum install esc pam_pkcs11 authconfig-gtk

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of RSA NetWitness.

Exceptions That Are Not a Finding 

The following exceptions do not apply to NetWitness Platform. RSA has verified that the system meets these requirements.

CCE-26404-4 Ensure /var Located On Separate Partition (Control Group = n/a)

Check

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Comments

Not a Finding. NetWitness software is installed in /var/netwitness by default and has a separate partition on /var/netwitness.

CCE-26828-4 Disable DCCP Support (Control Group = n/a)

Check

Verify that the GNOME Login Inactivity Timeout is set on the host (the graphical desktop environment must set the idle timeout to no more than 15 minutes).

Comments

Not a Finding. NetWitness Platform does not use the GNOME Graphical User Interface (GUI) Desktop.

CCE-26884-7 Set Lockout Time For Failed Password Attempts (Control Group = auth)

Check

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

Comments

Not a Finding. root_unlock_time is set to 600 seconds.
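The CCE-26884-7 check above is about the position of the pam_faillock.so lines relative to pam_unix.so in the AUTH and ACCOUNT phases, which is easy to get wrong by hand. The following script, an added example and not NetWitness code, finds those lines in a PAM stack file and verifies the ordering. The two sample files and their option values (deny=3, unlock_time=900, fail_interval=900) are constructed; on a host you would run the check against /etc/pam.d/system-auth and /etc/pam.d/password-auth.

```shell
#!/bin/sh
# Added example, not NetWitness code: verify that a PAM stack file carries the
# three pam_faillock.so lines in the order the CCE-26884-7 check describes.
# The sample files below are constructed; on a host, run the check against
# /etc/pam.d/system-auth and /etc/pam.d/password-auth.

PAM_GOOD=$(mktemp)
PAM_BAD=$(mktemp)
trap 'rm -f "$PAM_GOOD" "$PAM_BAD"' EXIT

cat >"$PAM_GOOD" <<'EOF'
# constructed sample: compliant ordering (option values are sample values)
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
EOF

cat >"$PAM_BAD" <<'EOF'
# constructed sample: preauth after pam_unix.so, no account-phase line
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
account     required      pam_unix.so
EOF

# Print the line number of the first entry of type TYPE (auth, account, ...)
# whose module is MODULE and, if WORD is given, whose options include WORD.
# The module is the first field ending in ".so", so bracketed control values
# such as [default=die] are skipped correctly.
pam_line_of() {  # pam_line_of FILE TYPE MODULE [WORD]
    awk -v t="$2" -v m="$3" -v w="$4" '
        /^[ \t]*#/ { next }
        $1 == t {
            mi = 0
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mi = i; break }
            if (mi == 0 || $mi != m) next
            if (w == "") { print NR; exit }
            for (i = mi + 1; i <= NF; i++) if ($i == w) { print NR; exit }
        }' "$1"
}

# Report each ordering requirement that is not met; return the number of failures.
pam_faillock_check() {  # pam_faillock_check FILE
    f="$1"; bad=0
    pre=$(pam_line_of "$f" auth pam_faillock.so preauth)
    authfail=$(pam_line_of "$f" auth pam_faillock.so authfail)
    unix_auth=$(pam_line_of "$f" auth pam_unix.so)
    acct=$(pam_line_of "$f" account pam_faillock.so)
    unix_acct=$(pam_line_of "$f" account pam_unix.so)
    if [ -z "$pre" ] || [ -z "$unix_auth" ] || [ "$pre" -gt "$unix_auth" ]; then
        echo "FAIL $f: preauth line missing or not before pam_unix.so in AUTH"; bad=$((bad+1))
    fi
    if [ -z "$authfail" ] || [ -z "$unix_auth" ] || [ "$authfail" -lt "$unix_auth" ]; then
        echo "FAIL $f: authfail line missing or not after pam_unix.so in AUTH"; bad=$((bad+1))
    fi
    if [ -z "$acct" ] || [ -z "$unix_acct" ] || [ "$acct" -gt "$unix_acct" ]; then
        echo "FAIL $f: account line missing or not before pam_unix.so in ACCOUNT"; bad=$((bad+1))
    fi
    return "$bad"
}

pam_faillock_check "$PAM_GOOD" && echo "OK: $PAM_GOOD"
pam_faillock_check "$PAM_BAD" || echo "$? failure(s) in $PAM_BAD"
```

The ordering matters because pam_faillock counts failures only when its authfail line is reached after pam_unix.so has rejected the password, and the preauth line blocks an already-locked account before the password is even tried; a stack with the lines present but swapped passes a naive grep and still does not lock anyone out.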

CCE-26971-2 Ensure /var/log/audit Located On Separate Partition (Control Group = audit)

Check

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Comments

Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.

CCE-27127-0 Enable Randomized Layout of Virtual Address Space (Control Group = n/a)

Check

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
kernel.randomize_va_space = 2

Comments

Not a Finding. The value of /proc/sys/kernel/randomize_va_space is already 2.

CCE-27157-7 Verify File Hashes with RPM (Control Group = n/a)

Check

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list the files on the system whose hashes differ from what the RPM database expects:
$ rpm -Va | grep '^..5'
A 'c' in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

Comments

Not a Finding. The only files with mismatched hashes that are not marked as config files in their rpms belong to Commercial Off the Shelf (COTS) products that cannot be updated.

Most file hash/RPM combinations are in sync. Any discrepancies are COTS products that cannot be updated.

CCE-27339-1 Record Events that Modify the System's Discretionary Access Controls - chmod

Check

Verify that the host records events that modify the system's discretionary access controls - chown.

Comments

Not a Finding. Make sure that you have the correct chown configuration on the host. The following settings are the correct configuration:
[root@localhost nwadmin]# grep chown /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27209-6 Verify and Correct File Permissions with RPM (Control Group = n/a)

Check

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --quiet --setperms PACKAGENAME

Comments

Not a Finding. The file permissions do not match the rpm because they are configured to be stricter during configuration management.

CCE-27303-7 (Control ID = 2) Modify the System Login Banner (Control Group = ssh)

Check

To configure the system login banner edit the /etc/issue file. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:
" You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

  • The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  • At any time, the USG may inspect and seize data stored on this IS.
  • Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
  • This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
  • Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

" I've read & consent to terms in IS user agreem't."

Comments

Not a Finding. The login banner is displayed but does not hyphenate "agreem't".

CCE-27311-0 Verify Permissions on SSH Server *.pub Key Files (Control Group = n/a)

Check

 

Comments

Not a Finding. All public keys in the /etc/ssh/ directory are set to permissions 640.

CCE-27314-4 Enable SSH Warning Banner (Control Group = n/a)

Check

 

Comments

Not a Finding. The required configuration exists in the /etc/ssh/sshd_config file.

CCE-27349-0 Set Default firewalld Zone for Incoming Packets (Control Group = n/a)

Check

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in the /etc/firewalld/firewalld.conf file to be:
DefaultZone=drop

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-27361-5 Verify firewalld Enabled (Control Group = n/a)

Check

The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-27386-2 Ensure Default SNMP Password Is Not Used (Control Group = n/a)

Check

Edit /etc/snmp/snmpd.conf file by removing or changing the default community strings of public and private. After the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart

Comments

Not a Finding. NetWitness Platform does not use SNMP, and the snmpd service is not enabled.

CCE-27455-5 Use Only FIPS 140-2 Validated MACs (Control Group = n/a)

Check

 

Comments

Not a Finding. The following configuration exists in the /etc/ssh/sshd_config file:
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512

CCE-27471-2 Disable SSH Access via Empty Passwords (Control Group = n/a)

Check

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in the /etc/ssh/sshd_config file:
PermitEmptyPasswords no

Comments

Not a Finding. NetWitness Platform sets the PermitEmptyPasswords parameter to no by default. This should pass the DISA STIG rule check.

CCE-27485-2 Verify Permissions on SSH Server Private *.key Key Files (Control Group = n/a)

Check

 

Comments

Not a Finding. All private keys in the /etc/ssh/ directory are set to permissions 640.

CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80157-1 Disable Kernel Parameter for IP Forwarding (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0

Comments

Not a Finding. NetWitness Platform only uses FIPS certified MACs (for example, MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512).

CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.default.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.
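The sysctl entries in this section (CCE-27127-0, CCE-80156-3, CCE-80157-1, CCE-80158-9, CCE-80163-9 and CCE-80165-4) all follow the same pattern: a runtime value set with sysctl -w and a persistent value in /etc/sysctl.conf. The following script, an added example and not NetWitness code, checks the persistent side for all of them at once. It reads a sysctl configuration file, honours the last-assignment-wins semantics that sysctl applies, and reports parameters that are missing or set to the wrong value. The sample file is constructed; on a host you would point it at /etc/sysctl.conf and compare the result with the running values from sysctl -n.

```shell
#!/bin/sh
# Added example, not NetWitness code: verify the kernel parameters required by
# the sysctl-based checks in this section (randomize_va_space, send_redirects,
# ip_forward, accept_redirects, icmp_echo_ignore_broadcasts) against a sysctl
# configuration file. The sample file is constructed; on a host, run it against
# /etc/sysctl.conf and compare with the running values from `sysctl -n KEY`.

# Expected persistent values, taken from the checks in this section.
EXPECTED_SYSCTL='kernel.randomize_va_space=2
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1'

SYSCTL_SAMPLE=$(mktemp)
trap 'rm -f "$SYSCTL_SAMPLE"' EXIT
cat >"$SYSCTL_SAMPLE" <<'EOF'
# constructed sample /etc/sysctl.conf: one parameter set twice, one missing
kernel.randomize_va_space=2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF

# Persistent value of KEY in FILE. sysctl applies a file top to bottom, so the
# last uncommented assignment wins; whitespace around '=' is ignored.
sysctl_conf_get() {  # sysctl_conf_get FILE KEY
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) { v = val; found = 1 } }
        END { if (found) print v }' "$1"
}

# Report each expected parameter that is missing or wrong; return the count.
sysctl_conf_check() {  # sysctl_conf_check FILE
    f="$1"; bad=0
    for kv in $EXPECTED_SYSCTL; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl_conf_get "$f" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: want $want, have ${have:-unset}"; bad=$((bad+1))
        fi
    done
    return "$bad"
}

sysctl_conf_check "$SYSCTL_SAMPLE" || echo "$? parameter(s) need attention"
```

Checking the file rather than only the running kernel catches the case where an administrator set the value with sysctl -w, passed an audit, and lost the setting at the next reboot; checking both sides and comparing them is the complete test.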

CCE-80225-6 Print Last Log (Control Group = n/a)

Check

When enabled, SSH will display the date and time of the last successful account login. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes

Comments

Not a Finding. NetWitness Platform sets PrintLastLog to yes by default.
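Several entries in this section come down to the value of a single sshd_config keyword: FIPS ciphers (CCE-27295-5), PermitRootLogin (CCE-27445-6), FIPS MACs (CCE-27455-5), PermitEmptyPasswords (CCE-27471-2) and PrintLastLog (CCE-80225-6). The following script, an added example and not NetWitness code, audits all five against one file. It reads the keywords the way sshd does (first uncommented occurrence wins, keyword matching is case-insensitive) and checks every listed cipher and MAC against the FIPS 140-2 lists given on this page. The two sample configurations are constructed; on a host you would run it against /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not NetWitness code: audit an sshd_config for the SSH items in
# this section (FIPS ciphers and MACs, PermitRootLogin, PermitEmptyPasswords,
# PrintLastLog). Sample configs are constructed; run it against
# /etc/ssh/sshd_config on a host.

# FIPS 140-2 lists as given on this page for RHEL 7.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512"

SSHD_GOOD=$(mktemp)
SSHD_BAD=$(mktemp)
trap 'rm -f "$SSHD_GOOD" "$SSHD_BAD"' EXIT

cat >"$SSHD_GOOD" <<'EOF'
# constructed sample: compliant
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
PermitRootLogin no
PermitEmptyPasswords no
PrintLastLog yes
EOF

cat >"$SSHD_BAD" <<'EOF'
# constructed sample: one non-FIPS algorithm in each list, root login commented out
Ciphers aes256-ctr,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-md5
#PermitRootLogin no
PermitEmptyPasswords yes
EOF

# Effective value of KEYWORD in FILE. sshd uses the first uncommented
# occurrence and matches keywords case-insensitively, so do the same.
sshd_get() {  # sshd_get FILE KEYWORD
    awk -v k="$2" '!/^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Succeed only if every comma-separated item of $1 is in the space-separated list $2.
all_in_list() {
    list=" $2 "
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$list" in *" $item "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Report each failing item and return the number of failures.
sshd_stig_check() {  # sshd_stig_check FILE
    f="$1"; fails=0
    ciphers=$(sshd_get "$f" Ciphers)
    if [ -z "$ciphers" ] || ! all_in_list "$ciphers" "$FIPS_CIPHERS"; then
        echo "FAIL CCE-27295-5 Ciphers=${ciphers:-unset}"; fails=$((fails+1))
    fi
    macs=$(sshd_get "$f" MACs)
    if [ -z "$macs" ] || ! all_in_list "$macs" "$FIPS_MACS"; then
        echo "FAIL CCE-27455-5 MACs=${macs:-unset}"; fails=$((fails+1))
    fi
    # Keyword/value pairs that must be set explicitly (a commented-out line does not count).
    for want in PermitRootLogin=no PermitEmptyPasswords=no PrintLastLog=yes; do
        kw=${want%%=*}; val=${want#*=}
        if [ "$(sshd_get "$f" "$kw")" != "$val" ]; then
            echo "FAIL $kw must be $val"; fails=$((fails+1))
        fi
    done
    return "$fails"
}

sshd_stig_check "$SSHD_GOOD" && echo "OK: $SSHD_GOOD"
sshd_stig_check "$SSHD_BAD" || echo "$? failure(s) in $SSHD_BAD"
```

Because sshd honours only the first occurrence of a keyword, a compliant line appended at the end of a file that already sets the keyword earlier is silently ignored; reading the file the same way sshd does is what makes the check trustworthy.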

CCE-80226-4 Enable Encrypted X11 Forwarding (Control Group = n/a)

Check

By default, remote X11 connections are not encrypted when initiated by users. SSH can encrypt remote X11 connections when its X11Forwarding option is enabled. To enable X11 forwarding, add or correct the following line in the /etc/ssh/sshd_config file:
X11Forwarding yes

Comments

Not a Finding. NetWitness Platform does not have X11 installed or running.

CCE-80348-6 Ensure gpgcheck Enabled for Repository Metadata (Control Group = n/a)

Check

Verify that the operating system prevents the installation of patches, service packs, device drivers, or operating system components from local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install; this is configured by setting repo_gpgcheck to 1 in /etc/yum.conf.

Comments

Not a Finding. NetWitness Platform rpm signing procedures do not support signing the repo metadata.

CCE-80349-4 The Installed Operating System Is Vendor Supported and Certified (Control Group = n/a)

Check

The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches and meeting and maintaining government certifications and standards.

Comments

Not a Finding. The operating system is vendor supported and certified by CentOS.

CCE-80383-3 Record Attempts to Alter Logon Events - faillock (Control Group = n/a)

Check

 

Comments

Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file.

CCE-80399-9 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (Control Group = n/a)

Check

 

Comments

Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file.

CCE-80437-7 Configure PAM in SSSD Services (Control Group = n/a)

Check

SSSD should be configured to run the SSSD PAM service. To do so, add pam to the services list under the [sssd] section of the /etc/sssd/sssd.conf file. For example:
[sssd]
services = sudo, autofs, pam

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf (Control Group = n/a)

Check

Multiple Domain Name System (DNS) servers should be configured in the /etc/resolv.conf file. This provides redundant name resolution in the event that a DNS server crashes. To configure the system with at least 2 DNS servers, add a nameserver ip_address entry to the /etc/resolv.conf file for each DNS server, where ip_address is the IP address of a valid DNS server. For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Comments

Not a Finding. NetWitness Platform orchestrates and configures an internal DNS server that all NetWitness hosts use for name resolution. You can configure external DNS servers, but that depends on your environment.

CCE-80439-3 Configure Time Service Maxpoll Interval (Control Group = n/a)

Check

 

Comments

Not a Finding. The required maxpoll 10 value is set in the /etc/ntp.conf file.

CCE-80447-6 Configure the Firewalld Ports (Control Group = n/a)

Check

Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open a port, run the following command:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
or
$ sudo firewall-cmd --permanent --add-port=

Run the command listed above for each of the ports listed below: <ports>
To configure firewalld to allow access to a service, run the following command (shown here for ssh):
firewall-cmd --permanent --add-service=ssh

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-80515-0 Configure SSSD LDAP Backend Client CA Certificate Location (Control Group = n/a)

Check

Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to the path of the X.509 certificates used for peer authentication:
ldap_tls_cacertdir = /path/to/tls/cacert

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

CCE-80545-7 Verify and Correct Ownership with RPM (Control Group = n/a)

Check

The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. Locate files with incorrect ownership with the following command:
$ rpm -Va | grep '^.....\(U\|.G\)'
After locating a file with incorrect ownership, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its ownership to the correct values:
$ sudo rpm --setugids PACKAGENAME

Comments

Not a Finding. Files and directories with ownership differing from the rpm are generally COTS based and have been changed from root ownership to a specified COTS related account.
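The three RPM verification entries in this section (CCE-27157-7 for digests, CCE-27209-6 for modes, CCE-80545-7 for ownership) all grep different columns of the same rpm -Va output, and the comments for each rely on telling config files and COTS-owned files apart from everything else. The following script, an added example and not NetWitness code, does that sorting in one place. The functions read rpm -Va lines on standard input so the constructed sample below runs offline; on a host, pipe rpm -Va into them instead. Each rpm -Va line is a 9-character flag field (S M 5 D L U G T P in that order), an optional file-type letter ('c' marks a config file) and the path.

```shell
#!/bin/sh
# Added example, not NetWitness code: sort `rpm -Va` output into the categories
# the RPM checks in this section ask about (CCE-27157-7 digests, CCE-27209-6
# modes, CCE-80545-7 ownership). The functions read rpm -Va lines on stdin, so
# the constructed sample below can be used offline; on a host, pipe `rpm -Va`
# into them instead.

# Constructed sample of rpm -Va output: flag field, optional file-type column, path.
RPM_VA_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/nwtool
.M.......    /var/lib/nwdata
.....UG..    /var/netwitness/cots
missing     /usr/share/doc/README
.......T.    /usr/lib64/libfoo.so'

# Digest mismatches that are NOT config files: these warrant investigation
# (compare against audit logs, then `rpm -qf FILENAME` to find the owner).
# Same selection as `rpm -Va | grep '^..5'` minus the 'c' lines.
rpm_hash_mismatches() { awk 'substr($0, 3, 1) == "5" && $2 != "c" { print $NF }'; }

# Digest mismatches that ARE config files: expected to change after configuration.
rpm_changed_configs() { awk 'substr($0, 3, 1) == "5" && $2 == "c" { print $NF }'; }

# Mode (permission) mismatches, the equivalent of `rpm -Va | grep '^.M'`.
rpm_mode_mismatches() { awk 'substr($0, 2, 1) == "M" { print $NF }'; }

# User or group ownership mismatches, the equivalent of grep '^.....\(U\|.G\)'.
rpm_owner_mismatches() { awk 'substr($0, 6, 1) == "U" || substr($0, 7, 1) == "G" { print $NF }'; }

# Number of non-empty lines a filter produced, for a pass/fail summary.
count_lines() { awk 'NF { n++ } END { print n + 0 }'; }

echo "Digest mismatches needing investigation:"
printf '%s\n' "$RPM_VA_SAMPLE" | rpm_hash_mismatches
echo "Changed config files (usually expected):"
printf '%s\n' "$RPM_VA_SAMPLE" | rpm_changed_configs
echo "Ownership mismatches:"
printf '%s\n' "$RPM_VA_SAMPLE" | rpm_owner_mismatches
```

The "missing" line in the sample shows why the filters key on fixed character positions rather than on a regular expression over the whole line: rpm prints the word missing in place of the flag field for deleted files, and a loose pattern would misread its letters as flags.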

CCE-80546-5 Configure SSSD LDAP Backend to Use TLS For All Transactions (Control Group = n/a)

Check

This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, check whether LDAP is configured to use TLS with the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

Rules Supported in a Future Release

The following checks for non-compliance to STIG rules are not supported in NetWitness Platform and will be added in a future release.

CCE-27277-3 Disable Modprobe Loading of USB Storage Driver (Control Group = services)

Check

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Comments

Future Feature.

CCE-27309-4 Set Boot Loader Password in grub2 (Control Group = fips-kernel)

Check

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain text passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root').
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Comments

Future Feature.

CCE-80179-5 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces

Check

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_source_route = 0

Comments

Future Feature.

CCE-80660-4 Record Any Attempts to Run setfiles (Control Group = audit)

Check

At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the .rules suffix in the /etc/audit/rules.d directory:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Comments

Future Feature.

CCE-80661-2 Ensure auditd Collects Information on Kernel Module Loading - create_module (Control Group = audit)

Check

To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines (one for b32 and one for b64) if your system is 64-bit:
-a always,exit -F arch=ARCH -S create_module -F key=modules
Where you add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the .rules suffix in the /etc/audit/rules.d directory. If the auditd daemon is configured to use the auditctl utility, add the line to the /etc/audit/audit.rules file.

Comments

Future Feature.
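The audit entries in this section are of two kinds: syscall rules that must exist for both the b32 and the b64 architecture tables (the perm_mod rules under CCE-27339-1 and the create_module rule under CCE-80661-2) and an execution watch on a path (the setfiles rule under CCE-80660-4). A 64-bit host with only a b64 rule still lets a 32-bit binary make the same syscall unaudited, which is the usual way this check fails. The following script, an added example and not NetWitness code, verifies both kinds against a rules file. The sample rules file is constructed; on a host you would point the functions at the files under /etc/audit/rules.d/ or at the output of auditctl -l.

```shell
#!/bin/sh
# Added example, not NetWitness code: check that an audit rules file contains
# the syscall rules (for both b32 and b64) and the execution watch that the
# audit-group items in this section describe (perm_mod, create_module,
# setfiles). The rules file is constructed; on a host, point the functions at
# the files in /etc/audit/rules.d/ or at the output of `auditctl -l`.

AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE"' EXIT
cat >"$AUDIT_SAMPLE" <<'EOF'
## constructed sample rules file: create_module is only covered for b64
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S create_module -F key=modules
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
EOF

# Succeed if FILE has an exit rule for ARCH naming SYSCALL. Both "-S a -S b" and
# "-S a,b" spellings are accepted, as is either order of "always,exit".
audit_has_syscall_rule() {  # audit_has_syscall_rule FILE ARCH SYSCALL
    awk -v arch="$2" -v sc="$3" '
        /^[ \t]*#/ { next }
        $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") && $0 ~ ("-F arch=" arch "([ \t]|$)") {
            for (i = 3; i < NF; i++) if ($i == "-S") {
                n = split($(i + 1), parts, ",")
                for (j = 1; j <= n; j++) if (parts[j] == sc) { found = 1; exit }
            }
        }
        END { exit !found }' "$1"
}

# Succeed if FILE has an exit rule watching execution of PATH (-F path=PATH -F perm=x).
audit_has_exec_watch() {  # audit_has_exec_watch FILE PATH
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        $1 == "-a" && ($2 == "always,exit" || $2 == "exit,always") {
            has_path = 0; has_x = 0
            for (i = 3; i < NF; i++) if ($i == "-F") {
                if ($(i + 1) == ("path=" p)) has_path = 1
                if ($(i + 1) == "perm=x") has_x = 1
            }
            if (has_path && has_x) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Report which of b32/b64 lack a rule for SYSCALL; return the number missing.
audit_syscall_both_arches() {  # audit_syscall_both_arches FILE SYSCALL
    missing=0
    for arch in b32 b64; do
        audit_has_syscall_rule "$1" "$arch" "$2" || { echo "MISSING: $2 for arch=$arch"; missing=$((missing+1)); }
    done
    return "$missing"
}

audit_syscall_both_arches "$AUDIT_SAMPLE" chown && echo "chown: OK"
audit_syscall_both_arches "$AUDIT_SAMPLE" create_module || echo "create_module: $? arch(es) missing"
audit_has_exec_watch "$AUDIT_SAMPLE" /usr/sbin/setfiles && echo "setfiles watch: OK"
```

Checking the loaded rule set with auditctl -l as well as the files guards against a rules file that is present but was never loaded (for example after an edit without an augenrules --load); the same functions accept that output because auditctl prints rules in the same -a/-F/-S syntax.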
