Sys Maintenance: Exceptions to STIG Compliance

Document created by RSA Information Design and Development on May 12, 2016. Last modified by RSA Information Design and Development on May 12, 2016.
Version 2

This topic contains:

  • Rule exceptions with the reasons for their non-compliance and workarounds, if any.
  • Rule exceptions that are "Not a Finding", which means that they do not apply to Security Analytics. RSA has verified that the system meets these requirements.
  • Rules to be supported in a future release.

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerability and Exposure (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

Severity

Category I: Findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. Category I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.

Category II: Findings that have a potential to lead to unauthorized system access or activity. Category II findings can usually be mitigated and will not prevent an Authorization to Operate from being granted.

Category III: Recommendations that will improve IA posture but are not required for an authorization to operate.

Vulnerability ID

Vulnerability identification code assigned to the exception by the Unified Compliance Framework STIG Viewer (https://www.stigviewer.com/).

STIG ID

Security Technical Implementation Guide (STIG) identification code. 

Rule ID

Rule identification code.

NIST 800-53

The National Institute of Standards and Technology (NIST) Special Publication 800-53 controls (https://www.stigviewer.com/controls/800-53) that the rule maps to, as provided by the Red Hat STIG Viewer.

CCI

DISA Control Correlation Identifier (https://www.tenable.com/sc-dashboards/disa-control-correlation-identifier-cci-dashboard). 

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Provides insight into why you would receive this exception. This section includes one of the following comments that describes the exception:

  • Not a Finding - Exception does not apply to Security Analytics. RSA has verified that the system meets this requirement.
  • Customer Responsibility - You are responsible for making sure the system meets this requirement.
  • Required Functionality - Security Analytics does not meet this requirement.
  • Future Feature - Security Analytics does not meet this requirement. RSA plans to fix this in a future release of Security Analytics.
  • Mitigation Steps Required - Lists steps you can take to mitigate the exception.

Exception Descriptions

The following list contains the exceptions you can receive when you run the OpenSCAP report. The ID or Common Configuration Enumeration (CCE) number in the table is the identification number for the exception from the OpenSCAP report.

CCE-26215-4

Severity: Category III
Vulnerability ID: V-38463
STIG ID: RHEL-06-000003
Rule ID: SV-50263r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: (For the IPDB Extractor only) Verify that the /var/log directory on the host has its own partition or logical volume at installation.
Comments: Customer Responsibility. If the /var/log directory on the host does not have its own partition or logical volume, use the Logical Volume Manager (LVM) to migrate it to its own partition or logical volume.

CCE-26328-5

Severity: Category III
Vulnerability ID: V-38656
STIG ID: RHEL-06-000272
Rule ID: SV-50457r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: (For the IPDB Extractor on Malware Analysis and SA hosts only) Verify that client Server Message Block (SMB) packet signing is required on the host if you use smbclient. SMB is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers.
Comments: Customer Responsibility. To require Samba clients running smbclient to use packet signing, add the following line to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory

CCE-26435-8

Severity: Category III
Vulnerability ID: V-38455
STIG ID: RHEL-06-000001
Rule ID: SV-50255r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: (For IPDB Extractor only) Verify that /tmp is located on a separate partition.
Comments: Customer Responsibility. Verify that the /tmp directory has its own partition or logical volume at installation, or migrate it using the Logical Volume Manager (LVM).

CCE-26436-6

Severity: Category III
Vulnerability ID: V-38467
STIG ID: RHEL-06-000004
Rule ID: SV-50267r1_rule
NIST 800-53: NIST SP 800-53 :: AU-4; NIST SP 800-53A :: AU-4.1 (i)
CCI: CCI-000137
Check: Verify that the /var/log/audit directory is located on a separate partition on the host.
Comments: Required Functionality. The Security Analytics architecture does not allow the /var/log/audit directory to reside on a separate partition.

CCE-26557-9

Severity: Category III
Vulnerability ID: V-38473
STIG ID: RHEL-06-000007
Rule ID: SV-50273r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: (For IPDB Extractor only) Verify that /home (user home directory) is located on a separate partition.
Comments: Customer Responsibility. If you store user home directories locally, create a separate partition for /home at installation time (or migrate it later using the Logical Volume Manager (LVM)). If /home is mounted from another system such as an NFS server, you do not need to create a separate partition at installation and you can configure the mount point at a later date.

CCE-26639-5

Severity: Category III
Vulnerability ID: V-38456
STIG ID: RHEL-06-000002
Rule ID: SV-50256r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: (For IPDB Extractor only) Verify that /var is located on a separate partition.
Comments: Customer Responsibility. Verify that the /var directory has its own partition or logical volume at installation, or migrate it using the Logical Volume Manager (LVM).

CCE-26647-8

Severity: Category III
Vulnerability ID: V-38487
STIG ID: RHEL-06-000015
Rule ID: SV-50288r1_rule
NIST 800-53: NIST SP 800-53 :: SA-7; NIST SP 800-53A :: SA-7.1 (ii)
CCI: CCI-000663
Check: Verify that gpgcheck is enabled for all YUM package repositories (the system package management tool must cryptographically verify the authenticity of all software packages during installation).
Comments: Customer Responsibility. Set gpgcheck=1 for all YUM repositories.

CCE-26690-8

Severity: Category II
Vulnerability ID: V-38625
STIG ID: RHEL-06-000252
Rule ID: SV-50426r1_rule
NIST 800-53: NIST SP 800-53 :: AC-17 (2); NIST SP 800-53A :: AC-17 (2).1; NIST SP 800-53 Revision 4 :: AC-17 (2)
CCI: CCI-001453
Check: (For Application host only) Verify that the host has the LDAP client configured to use TLS for all transactions.
Comments: Customer Responsibility. Configure LDAP.

CCE-26731-0

Severity: Category III
Vulnerability ID: V-38452
STIG ID: RHEL-06-000518
Rule ID: SV-50252r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify and correct file permissions with RPM (the system package management tool must verify permissions on all files and directories associated with packages).
Comments: Customer Responsibility. Reinstate the permissions set by the vendor.

CCE-26792-2

Severity: Category III
Vulnerability ID: V-38657
STIG ID: RHEL-06-000273
Rule ID: SV-50458r2_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that client Server Message Block (SMB) packet signing is required on the host if you use smbclient. SMB is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers.
Comments: Customer Responsibility. To require Samba clients running smbclient to use packet signing, add the following line to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory

CCE-26801-1

Severity: Category II
Vulnerability ID: V-38520
STIG ID: RHEL-06-000136
Rule ID: SV-50321r1_rule
NIST 800-53: NIST SP 800-53 :: AU-9 (2); NIST SP 800-53A :: AU-9 (2).1 (iii); NIST SP 800-53 Revision 4 :: AU-9 (2)
CCI: CCI-001348
Check: Verify that logs are sent to a remote host (the operating system must back up audit records on an organization-defined frequency to a different system or media than the system being audited).
Comments: Customer Responsibility. Forward log messages to a remote log host.

CCE-26812-8

Severity: Category II
Vulnerability ID: V-38518
STIG ID: RHEL-06-000133
Rule ID: SV-50319r2_rule
NIST 800-53: NIST SP 800-53 :: SI-11 c; NIST SP 800-53A :: SI-11.1 (iv); NIST SP 800-53 Revision 4 :: SI-11 b
CCI: CCI-001314
Check: Verify that log files are owned by the appropriate user.
Comments: Customer Responsibility. The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referred to in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE
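The two rsyslog items above (CCE-26801-1, forwarding to a remote log host, and CCE-26812-8, ownership of the log files named in /etc/rsyslog.conf) can be checked together by parsing the Rule lines the way the comment describes. This is an added example, not RSA's code: the function names are hypothetical, it assumes RHEL 6 legacy rsyslog.conf syntax, and the configuration it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the RSA page): check CCE-26801-1 and CCE-26812-8
# against an rsyslog.conf in RHEL 6 legacy syntax. Function names are
# hypothetical; the sample configuration at the bottom is constructed.

# Print the local log files named by the Rule lines of an rsyslog.conf: the
# second field of each rule, with rsyslog's leading "-" (asynchronous write)
# stripped. Comments, $directives and actions that are not files (remote
# @host targets, the "*" console target, |pipes) are skipped.
rsyslog_log_files() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        $1 ~ /^\$/           { next }      # $ModLoad and other directives
        NF >= 2 {
            target = $2
            sub(/^-/, "", target)          # "-/var/log/maillog" -> "/var/log/maillog"
            if (target ~ /^\//) print target
        }' "$1"
}

# Print 1 if at least one rule forwards to a remote host (@udp or @@tcp), else 0.
rsyslog_has_remote_target() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF >= 2 && $2 ~ /^@/ { found = 1 }
        END { print (found ? 1 : 0) }' "$1"
}

# List every log file from CONF that exists but is not owned by EXPECTED_OWNER
# (root on a production host), with the chown that fixes it. Returns 0 when all
# existing log files have the expected owner, 1 otherwise.
check_log_owners() {
    conf="$1"; expected="$2"; bad=0
    for f in $(rsyslog_log_files "$conf"); do
        [ -e "$f" ] || continue            # rsyslog has not created it yet
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$expected" ]; then
            echo "$f is owned by $owner, expected $expected; fix with: chown $expected $f"
            bad=1
        fi
    done
    return $bad
}

# Demo on a constructed configuration modelled on the RHEL 6 default rsyslog.conf.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/rsyslog.conf"
touch "$demo_dir/messages" "$demo_dir/secure"
cat > "$demo_conf" <<EOF
# constructed sample
\$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none    $demo_dir/messages
authpriv.*                                  $demo_dir/secure
mail.*                                      -$demo_dir/maillog
*.emerg                                     *
local7.*                                    $demo_dir/boot.log
EOF

echo "Log files named in $demo_conf: $(rsyslog_log_files "$demo_conf" | tr '\n' ' ')"
if [ "$(rsyslog_has_remote_target "$demo_conf")" = 1 ]; then
    echo "CCE-26801-1: a remote log host is configured"
else
    echo "CCE-26801-1: no remote log host; add a rule such as '*.* @@loghost:514' (loghost is a placeholder)"
fi
if check_log_owners "$demo_conf" root; then
    echo "CCE-26812-8: every existing log file is owned by root"
else
    echo "CCE-26812-8: fix the ownership mismatches listed above"
fi
rm -rf "$demo_dir"
```

Run it as root against the real /etc/rsyslog.conf by replacing the demo section with calls on that path; only files that already exist are checked, so run it after rsyslog has written its logs.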

CCE-26910-0

Severity: Category II
Vulnerability ID: V-38643
STIG ID: RHEL-06-000282
Rule ID: SV-50444r3_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that there are no world-writable files on the system.
Comments: Customer Responsibility. Remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of an application or user account that was not configured correctly.

CCE-26966-2

Severity:
Vulnerability ID:
STIG ID:
Rule ID:
NIST 800-53:
CCI:
Check: Verify that system accounts on the host do not run a shell during login.
Comments: Required Functionality. In Security Analytics, the nwadmin user is the exception.

CCE-26969-6

Severity: Category II
Vulnerability ID: V-51363
STIG ID: RHEL-06-000020
Rule ID: SV-65573r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has the SELinux State set to enforcing. You can set the SELinux State to permissive or enforcing mode. In enforcing mode, the SELinux security subsystem enforces policy decisions.
Comments: Required Functionality. If the SELinux State is set to enforcing, Security Analytics functionality does not work (for example, the Decoder will not function properly).

CCE-26974-6

Severity: Category II
Vulnerability ID: V-38593
STIG ID: RHEL-06-000073
Rule ID: SV-50394r1_rule
NIST 800-53: NIST SP 800-53 :: AC-8 c; NIST SP 800-53A :: AC-8.2 (i); NIST SP 800-53 Revision 4 :: AC-8 c 1
CCI: CCI-001384
Check: Verify that the host has the Department of Defense (DoD) login banner displayed immediately prior to, or as part of, console login prompts.
Comments: Required Functionality. Security Analytics allows the user to modify the system banner.

CCE-27016-5

Severity: Category II
Vulnerability ID: V-38490
STIG ID: RHEL-06-000503
Rule ID: SV-50291r4_rule
NIST 800-53: NIST SP 800-53 :: AC-19 d; NIST SP 800-53A :: AC-19.1 (iv)
CCI: CCI-000086
Check: Verify that the host has Modprobe loading of the USB storage driver disabled.
Comments: Required Functionality. You need USB to boot from the SD cards onboard Security Analytics hosts.

CCE-27017-3

Severity: Category II
Vulnerability ID: V-38688
STIG ID: RHEL-06-000324
Rule ID: SV-50489r3_rule
NIST 800-53: NIST SP 800-53 :: AC-8 b; NIST SP 800-53A :: AC-8.1 (iii); NIST SP 800-53 Revision 4 :: AC-8 b
CCI: CCI-000050
Check: Verify that the host has the graphical user interface warning banner text set (a login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts).
Comments: Required Functionality. Security Analytics does not run an operating system level graphical user interface; the banner is provided upon login through SSH or the console.

CCE-27033-0

Severity: Category III
Vulnerability ID: V-38675
STIG ID: RHEL-06-000308
Rule ID: SV-50476r2_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has core dumps for all users disabled.
Comments: Customer Responsibility. The setting is enabled for Security Analytics Customer Care. To disable core dumps for all users, add the following line to /etc/security/limits.conf:
*     hard   core    0

CCE-27093-4

Severity: Category II
Vulnerability ID: V-38620
STIG ID: RHEL-06-000247
Rule ID: SV-50421r1_rule
NIST 800-53: NIST SP 800-53 :: AU-8 (1); NIST SP 800-53A :: AU-8 (1).1 (iii)
CCI: CCI-000160
Check: Verify that the system clock on the host is synchronized continuously, or at least daily.
Comments: Customer Responsibility. Configure Network Time Protocol (NTP) servers.

CCE-27153-6

Severity: Category II
Vulnerability ID: V-38546
STIG ID: RHEL-06-000098
Rule ID: SV-50347r2_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has automatic loading of IPv6 networking support disabled.
Comments: Required Functionality. Disabling automatic loading of IPv6 networking support causes functionality to fail.

CCE-27186-6

Severity: Category II
Vulnerability ID: V-38686
STIG ID: RHEL-06-000320
Rule ID: SV-50487r1_rule
NIST 800-53: NIST SP 800-53 :: SC-7 (5); NIST SP 800-53A :: SC-7 (5).1 (i) (ii); NIST SP 800-53 Revision 4 :: SC-7 (5)
CCI: CCI-001109
Check: (For Application host only) Verify that the host has certificate directives for LDAP configured to use TLS.
Comments: Customer Responsibility. Configure LDAP.

CCE-27189-0

Severity: Category II
Vulnerability ID: V-38626
STIG ID: RHEL-06-000253
Rule ID: SV-50427r1_rule
NIST 800-53: NIST SP 800-53 :: IA-2 (9); NIST SP 800-53A :: IA-2 (9).1 (ii)
CCI: CCI-000776
Check: Verify that the LDAP client on the host uses a TLS connection that uses trust certificates signed by the site CA.
Comments: Customer Responsibility. Configure LDAP.

CCE-27196-5

Severity: Category III
Vulnerability ID: V-38655
STIG ID: RHEL-06-000271
Rule ID: SV-50456r1_rule
NIST 800-53: NIST SP 800-53 :: AC-19 e; NIST SP 800-53A :: AC-19.1 (v)
CCI: CCI-000087
Check: Verify that the host has the noexec option added to removable media partitions.
Comments: Required Functionality. You need USB to boot from the SD cards.

CCE-27222-9

Severity: Category II
Vulnerability ID: V-38670
STIG ID: RHEL-06-000306
Rule ID: SV-50471r2_rule
NIST 800-53: NIST SP 800-53 :: SI-7; NIST SP 800-53A :: SI-7.1
CCI: CCI-001297
Check: Verify that the host has periodic execution of AIDE configured (the operating system must detect unauthorized changes to software and information).
Comments: Customer Responsibility. Configure a cron job to run AIDE or the IDS you use.

CCE-27239-3

Severity: Category II
Vulnerability ID: V-54381
STIG ID: RHEL-06-000163
Rule ID: SV-68627r2_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has the auditd admin_space_left action on low disk space configured.
Comments: Customer Responsibility. Provide sufficient disk space.

CCE-27283-1

Severity: Category III
Vulnerability ID: V-38692
STIG ID: RHEL-06-000334
Rule ID: SV-50493r1_rule
NIST 800-53: NIST SP 800-53 :: AC-2 (3); NIST SP 800-53A :: AC-2 (3).1 (ii); NIST SP 800-53 Revision 4 :: AC-2 (3)
CCI: CCI-000017
Check: Verify that the host has account expiration following inactivity set (accounts must be locked upon 35 days of inactivity).
Comments: Customer Responsibility. Add or correct the INACTIVE=NUM_DAYS line in /etc/default/useradd, substituting NUM_DAYS appropriately.

CCE-27289-8

Severity: Category II
Vulnerability ID: V-38469
STIG ID: RHEL-06-000047
Rule ID: SV-50269r3_rule
NIST 800-53: NIST SP 800-53 :: CM-5 (6); NIST SP 800-53A :: CM-5 (6).1; NIST SP 800-53 Revision 4 :: CM-5 (6)
CCI: CCI-001499
Check: Verify that all system command files on the host have mode 755 or less permissive.
Comments: Customer Responsibility. Some files deployed by Erlang do not have permissions set according to STIG guidelines. Change the permissions to conform to STIG guidelines using the following command:
# chmod go-w FILE

CCE-27365-6

Severity: Category II
Vulnerability ID: V-38660
STIG ID: RHEL-06-000340
Rule ID: SV-50461r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has the SNMP service configured to use only SNMPv3 or a newer version of SNMP.
Comments: Customer Responsibility. Configure SNMPv3.

CCE-27381-3

Severity: Category II
Vulnerability ID: V-38465
STIG ID: RHEL-06-000045
Rule ID: SV-50265r3_rule
NIST 800-53: NIST SP 800-53 :: CM-5 (6); NIST SP 800-53A :: CM-5 (6).1; NIST SP 800-53 Revision 4 :: CM-5 (6)
CCI: CCI-001499
Check: Verify that shared library files on the host have restrictive permissions (library files must have mode 0755 or less permissive).
Comments: Customer Responsibility. Fix permissions.

CCE-27409-2

Severity: Category II
Vulnerability ID: V-38667
STIG ID: RHEL-06-000285
Rule ID: SV-50468r2_rule
NIST 800-53: NIST SP 800-53 :: SI-4 (5); NIST SP 800-53A :: SI-4 (5).1 (ii)
CCI: CCI-001263
Check: Verify that the host has intrusion detection software installed.
Comments: Customer Responsibility. Install intrusion detection software. RSA does not provide this software.

CCE-27529-7

Severity: Category I
Vulnerability ID: V-38666
STIG ID: RHEL-06-000284
Rule ID: SV-50467r2_rule
NIST 800-53: NIST SP 800-53 :: SI-3 a; NIST SP 800-53A :: SI-3.1 (ii)
CCI: CCI-001668
Check: Verify that virus scanning software is installed on the host (the system must use and update a DoD-approved virus scan program).
Comments: Customer Responsibility. Install virus scanning software. RSA does not provide this software.

CCE-27593-3

Severity: Category I
Vulnerability ID: V-38653
STIG ID: RHEL-06-000341
Rule ID: SV-50454r1_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host does not use a default password (the snmpd service must not use a default password).
Comments: Customer Responsibility. Change the default password for SNMP.

CCE-27596-6

Severity: Category III
Vulnerability ID: V-38659
STIG ID: RHEL-06-000275
Rule ID: SV-50460r2_rule
NIST 800-53: NIST SP 800-53 :: MP-4 (1); NIST SP 800-53A :: MP-4 (1).1
CCI: CCI-001019
Check: Verify that partitions on the host are encrypted.
Comments: Required Functionality. Security Analytics does not encrypt partitions because it degrades performance.

CCE-27635-2

Severity: Category II
Vulnerability ID: V-38481
STIG ID: RHEL-06-000011
Rule ID: SV-50281r1_rule
NIST 800-53: NIST SP 800-53 :: SI-2 (2); NIST SP 800-53A :: SI-2 (2).1 (ii); NIST SP 800-53 Revision 4 :: SI-2 (2)
CCI: CCI-001233
Check: Verify that the host has security software patches installed.
Comments: Customer Responsibility. Make sure that you have applied the Security Analytics security updates.

Not a Finding 

The following exceptions do not apply to Security Analytics. RSA has verified that the system meets these requirements.

CCE-26242-8

Severity: Category III
Vulnerability ID: V-38635
STIG ID: RHEL-06-000165
Rule ID: SV-50436r3_rule
NIST 800-53: NIST SP 800-53 :: AU-12 a; NIST SP 800-53A :: AU-12.1 (ii); NIST SP 800-53 Revision 4 :: AU-12 a
CCI: CCI-000169
Check: Verify that the host records attempts to alter time through adjtimex (the audit system must be configured to audit all attempts to alter system time through adjtimex).
Comments: Not a Finding. Make sure that you have the correct adjtimex configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep adjtimex /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S adjtimex -k audit_time_rules
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S adjtimex -k audit_time_rules

CCE-26280-8

Severity: Category III
Vulnerability ID: V-38543
STIG ID: RHEL-06-000184
Rule ID: SV-50344r3_rule
NIST 800-53: NIST SP 800-53 :: AU-12 c; NIST SP 800-53A :: AU-12.1 (iv); NIST SP 800-53 Revision 4 :: AU-12 c
CCI: CCI-000172
Check: Verify that the host records events that modify the system's discretionary access controls (chmod).
Comments: Not a Finding. Make sure that you have the correct chmod configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep chmod /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-26303-8

Severity: Category II
Vulnerability ID: V-38574
STIG ID: RHEL-06-000062
Rule ID: SV-50375r2_rule
NIST 800-53: NIST SP 800-53 :: IA-7; NIST SP 800-53A :: IA-7.1; NIST SP 800-53 Revision 4 :: IA-7
CCI: CCI-000803
Check: Verify that the host has the password hashing algorithm in /etc/pam.d/system-auth set.
Comments: Not a Finding. Security Analytics has the parameter set to 24:
[root@localhost nwadmin]# grep remember= /etc/pam.d/*
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 remember=24

CCE-26506-6

Severity: Category I
Vulnerability ID: V-38476
STIG ID: RHEL-06-000008
Rule ID: SV-50276r3_rule
NIST 800-53: NIST SP 800-53 :: CM-5 (3); NIST SP 800-53A :: CM-5 (3).1 (ii)
CCI: CCI-000352
Check: Verify that the Red Hat GPG Key is installed on the host. All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard. GnuPG is compliant with RFC 4880, which is the Internet Engineering Task Force (IETF) standards track specification of the OpenPGP protocol for encrypting email using public key cryptography.
Comments: Not a Finding. Security Analytics runs under CentOS, so it does not have a Red Hat GPG key.

CCE-26555-3

Severity: Category II
Vulnerability ID: V-38617
STIG ID: RHEL-06-000243
Rule ID: SV-50418r1_rule
NIST 800-53: NIST SP 800-53 :: SC-13; NIST SP 800-53A :: SC-13.1
CCI: CCI-001144
Check: Verify that the host only uses approved ciphers (the SSH daemon must be configured to use only FIPS 140-2 approved ciphers).
Comments: Not a Finding. Make sure that you have the correct fchmod configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fchmod /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-26611-4

Severity: Category II
Vulnerability ID: V-38580
STIG ID: RHEL-06-00020
Rule ID: SV-50381r2_rule
NIST 800-53: NIST SP 800-53 :: AU-12 c; NIST SP 800-53A :: AU-12.1 (iv); NIST SP 800-53 Revision 4 :: AU-12 c
CCI: CCI-000172
Check: Verify that auditd collects information on kernel module loading and unloading on the host.
Comments: Not a Finding. Make sure that you have the correct auditd configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep module /etc/audit/audit.rules
-a exit,always -F arch=b64 -S init_module -S delete_module -k modules
-a exit,always -F arch=b32 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules

CCE-26648-6

Severity: Category III
Vulnerability ID: V-38540
STIG ID: RHEL-06-000182
Rule ID: SV-50341r3_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host records events that modify its network environment.
Comments: Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep audit_network_modifications /etc/audit/*
/etc/audit/audit.rules:-w /etc/issue -p wa -k audit_network_modifications
/etc/audit/audit.rules:-w /etc/issue.net -p wa -k audit_network_modifications
/etc/audit/audit.rules:-w /etc/hosts -p wa -k audit_network_modifications
/etc/audit/audit.rules:-w /etc/sysconfig/network -p wa -k audit_network_modifications
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications

CCE-26651-0

Severity: Category III
Vulnerability ID: V-38575
STIG ID: RHEL-06-000200
Rule ID: SV-50376r4_rule
NIST 800-53: NIST SP 800-53 :: AU-12 c; NIST SP 800-53A :: AU-12.1 (iv); NIST SP 800-53 Revision 4 :: AU-12 c
CCI: CCI-000172
Check: Verify that auditd collects file deletion events by user on the host.
Comments: Not a Finding. Make sure that you have the correct auditd configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep unlink /etc/audit/audit.rules
-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete
-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

CCE-26712-0

Severity: Category III
Vulnerability ID: V-38566
STIG ID: RHEL-06-000197
Rule ID: SV-50367r2_rule
NIST 800-53: NIST SP 800-53 :: AU-12 c; NIST SP 800-53A :: AU-12.1 (iv); NIST SP 800-53 Revision 4 :: AU-12 c
CCI: CCI-000172
Check: Verify that auditd collects unauthorized (unsuccessful) access attempts to files on the host.
Comments: Not a Finding. Make sure that you have the correct configuration on the host. You must add the following settings to /etc/audit/audit.rules on the host. Set arch to either b32 or b64 as appropriate for your system. The following settings are the correct configuration.
[root@localhost nwadmin]# grep creat /etc/audit/audit.rules
-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid=500 -F auid!=4294967295 -k access
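The audit-rule items above (CCE-26242-8, CCE-26280-8, CCE-26611-4, CCE-26648-6, CCE-26651-0 and CCE-26712-0) each expect specific lines in /etc/audit/audit.rules, and a grep by eye misses an omission easily. The checker below, an added example rather than RSA's code, requires every syscall rule on both arch=b32 and arch=b64 and every file watch with the listed permissions and key; the function names are hypothetical and the rules file it runs on is constructed, with one syscall deliberately left off the b32 perm_mod line to show what the per-arch check catches.

```shell
#!/bin/sh
# Added example (not from the RSA page): verify the audit rules expected by the
# "Not a Finding" items above. Function names are hypothetical; the sample
# rules file written by write_sample_rules is constructed for the demo.

# Return 0 if FILE has, for both arch=b32 and arch=b64, a syscall rule naming
# SYSCALL, tagged with KEY and (optionally) containing the extra field EXTRA,
# e.g. "-F exit=-EACCES". The "( |$)" guard stops "-S open" matching "-S openat".
has_syscall_rule() {
    rules_file="$1"; syscall="$2"; rule_key="$3"; extra="${4:-}"
    for arch in b32 b64; do
        grep -E -q -- "^-a .*-F arch=$arch .*-S $syscall( |$).*$extra.*-k $rule_key( |$)" \
            "$rules_file" || return 1
    done
    return 0
}

# Return 0 if FILE has a file watch on PATH with permissions PERMS tagged KEY.
has_watch_rule() {
    grep -E -q -- "^-w $2 -p $3 -k $4( |$)" "$1"
}

# Run one check, print PASS/FAIL and count failures in FAILS.
item() {
    label="$1"; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; FAILS=$((FAILS + 1)); fi
}

# Evaluate every rule listed in the items above against FILE. Prints one line
# per rule and returns the number of rules that are missing.
check_audit_rules() {
    f="$1"; FAILS=0
    item "CCE-26242-8 adjtimex -> audit_time_rules" has_syscall_rule "$f" adjtimex audit_time_rules
    for s in chmod fchmod fchmodat; do
        item "CCE-26280-8 $s -> perm_mod" has_syscall_rule "$f" "$s" perm_mod
    done
    for s in init_module delete_module; do
        item "CCE-26611-4 $s -> modules" has_syscall_rule "$f" "$s" modules
    done
    for p in /sbin/insmod /sbin/modprobe /sbin/rmmod; do
        item "CCE-26611-4 watch $p -> modules" has_watch_rule "$f" "$p" x modules
    done
    for s in sethostname setdomainname; do
        item "CCE-26648-6 $s -> audit_network_modifications" has_syscall_rule "$f" "$s" audit_network_modifications
    done
    for p in /etc/issue /etc/issue.net /etc/hosts /etc/sysconfig/network; do
        item "CCE-26648-6 watch $p -> audit_network_modifications" has_watch_rule "$f" "$p" wa audit_network_modifications
    done
    for s in unlink unlinkat rename renameat; do
        item "CCE-26651-0 $s -> delete" has_syscall_rule "$f" "$s" delete
    done
    for err in EACCES EPERM; do
        for s in creat open openat truncate ftruncate; do
            item "CCE-26712-0 $s exit=-$err -> access" has_syscall_rule "$f" "$s" access "-F exit=-$err"
        done
    done
    return $FAILS
}

# Write the constructed sample rules file to OUT. The arch=b32 perm_mod line
# deliberately omits -S chmod so that one check fails.
write_sample_rules() {
    cat > "$1" <<'EOF'
-a exit,always -F arch=b64 -S adjtimex -k audit_time_rules
-a exit,always -F arch=b32 -S adjtimex -k audit_time_rules
-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S init_module -S delete_module -k modules
-a exit,always -F arch=b32 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a exit,always -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
EOF
}

# Demo: 29 checks, of which exactly one (chmod on arch=b32) fails.
demo_rules=$(mktemp)
write_sample_rules "$demo_rules"
missing=0
check_audit_rules "$demo_rules" || missing=$?
echo "$missing rule(s) missing from $demo_rules"
rm -f "$demo_rules"
```

On a real host, call check_audit_rules /etc/audit/audit.rules instead of the demo; the checks only require that each expected rule is present, so extra rules such as the auid=0 variants in the delete listing above do not cause failures.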

CCE-26741-9

Severity: Category II
Vulnerability ID: V-38658
STIG ID: RHEL-06-000274
Rule ID: SV-50459r2_rule
NIST 800-53: NIST SP 800-53 :: IA-5 (1) (e); NIST SP 800-53A :: IA-5 (1).1 (v); NIST SP 800-53 Revision 4 :: IA-5 (1) (e)
CCI: CCI-000200
Check: Verify that the host limits password reuse.
Comments: Not a Finding. Security Analytics has password remember set to 24. The following settings are the correct configuration.
[root@localhost nwadmin]# grep remember= /etc/pam.d/*
/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 remember=24

CCE-27567-7

Severity: Category I
Vulnerability ID: V-38668
STIG ID: RHEL-06-000286
Rule ID: SV-50469r2_rule
NIST 800-53: NIST SP 800-53 :: CM-6 b; NIST SP 800-53A :: CM-6.1 (iv); NIST SP 800-53 Revision 4 :: CM-6 b
CCI: CCI-000366
Check: Verify that the host has the Ctrl-Alt-Del reboot activation disabled (the x86 Ctrl-Alt-Delete key sequence must be disabled).
Comments: Not a Finding. Make sure that you have the correct configuration on the host. /etc/inittab must have:
ca:nil:ctrlaltdel:/usr/bin/logger -p security.info "Ctrl-Alt-Del was pressed"

CCE-26763-3

Severity: Category II
Vulnerability ID: V-38682
STIG ID: RHEL-06-000315
Rule ID: SV-50483r3_rule
NIST 800-53: NIST SP 800-53 :: AC-19 c; NIST SP 800-53A :: AC-19.1 (iii)
CCI: CCI-000085
Check: Verify that the host has Bluetooth kernel modules disabled.
Comments: Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep net-pf-31 /etc/modprobe.d/*
/etc/modprobe.d/stig.conf:install net-pf-31 /bin/true
[root@localhost nwadmin]# grep bluetooth /etc/modprobe.d/*
/etc/modprobe.d/stig.conf:install bluetooth /bin/false

CCE-26774-0

                                   
Severity Category III
Vulnerability ID V-51379
STIG ID RHEL-06-000025
Rule ID SV-65589r1_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check

Verify that the host does not have any device files unlabeled by SELinux.

Comments Not a Finding. Security Analytics requires that device files are labeled with proper SELinux types for communication. 

Run the following command string on the host to check for unlabeled device files.
ls -RZ /dev | grep unlabeled_t
It should produce no output in a correctly configured host.

CCE-26785-6

                                   
Severity Category III
Vulnerability ID  V-38438
STIG ID RHEL-06-000525
Rule ID SV-50238r2_rule
NIST 800-53  NIST SP 800-53 :: AU-12 a
NIST SP 800-53A :: AU-12.1 (ii)
NIST SP 800-53 Revision 4 :: AU-12 a
CCI CCI-000169
Check

Verify that host has auditing for processes which start prior to the audit daemon enabled.

Comments Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep audit /etc/grub.conf
        kernel /boot/vmlinuz-2.6.32-504.1.3.el6.x86_64 ro root=UUID=03632221-29ef-4fac-b5d5-b5af0b925389 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet audit=1

CCE-26801-1

                                   
Severity Category II
Vulnerability ID V-38520
STIG ID RHEL-06-000136
Rule ID SV-50321r1_rule
NIST 800-53  NIST SP 800-53 :: AU-9 (2)
NIST SP 800-53A :: AU-9 (2).1 (iii)
NIST SP 800-53 Revision 4 :: AU-9 (2)
CCI CCI-001348
Check

Verify that logs on the host are sent to remote host.

Comments Not a Finding. Make sure that you have the correct configuration on the host. 

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read the last section of the file, which describes the directives needed to activate remote logging. Follow those directives and configure the host to forward its logs to a particular log server by adding or correcting one of the following lines, replacing loghost.example.com with the name of your log server. Choose the protocol according to the environment of the host: TCP and RELP provide more reliable message delivery than UDP, but they may not be supported in all environments.

Put a single @ before the host name to deliver log messages over UDP:
*.* @loghost.example.com

Put @@ before the host name to deliver log messages over TCP:
*.* @@loghost.example.com

Put :omrelp: before the host name to deliver log messages over RELP:
*.* :omrelp:loghost.example.com

A log server (loghost) receives syslog messages from one or more systems. You can use this data as an additional log source if a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
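As an added check (example code, not from the RSA document or from rsyslog itself), the following Python parses the forwarding actions described above out of a constructed rsyslog.conf fragment and reports which transport each active rule uses, ignoring commented-out rules; the host names and ports in the sample are assumptions.

```python
"""Report the remote-forwarding actions in an rsyslog configuration.

Added example, not part of the RSA document or of rsyslog itself. It parses
the legacy-format actions described above: "@host" (UDP), "@@host" (TCP) and
":omrelp:host" (RELP), each with an optional ":port" suffix.
"""
import re

# Legacy rsyslog action line: selector, whitespace, forwarding target.
# "@@" is tested before "@" so a TCP target is not misread as UDP.
_FORWARD_RE = re.compile(
    r"""^(?P<selector>\S+)\s+
        (?:
            :omrelp:(?P<relp>[^\s:]+)(?::(?P<relp_port>\d+))?
          | @@(?P<tcp>[^\s:]+)(?::(?P<tcp_port>\d+))?
          | @(?P<udp>[^\s:]+)(?::(?P<udp_port>\d+))?
        )\s*$""",
    re.VERBOSE,
)


def parse_forwarding_rules(config_text):
    """Return (selector, transport, host, port) for every active forwarding
    action. Lines starting with '#' are skipped: a commented-out rule, such
    as the template rsyslog ships, forwards nothing."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FORWARD_RE.match(line)
        if not m:
            continue
        for transport in ("relp", "tcp", "udp"):
            host = m.group(transport)
            if host:
                port = m.group(transport + "_port")
                rules.append((m.group("selector"), transport, host,
                              int(port) if port else None))
                break
    return rules


def forwards_all_logs(config_text):
    """True when at least one active rule sends every message (selector
    '*.*') to a remote host, which is what the check above looks for."""
    return any(sel == "*.*"
               for sel, _, _, _ in parse_forwarding_rules(config_text))


# Constructed sample mimicking the forwarding section at the end of
# /etc/rsyslog.conf; the host names and ports are assumptions.
SAMPLE_RSYSLOG_CONF = """\
# ### begin forwarding rule ###
#*.* @@remote-host:514
*.* @@loghost.example.com:514
auth.* :omrelp:relp.example.com:2514
# ### end of the forwarding rule ###
"""

if __name__ == "__main__":
    for sel, transport, host, port in parse_forwarding_rules(SAMPLE_RSYSLOG_CONF):
        print(f"{sel:<10} {transport.upper():<5} {host}:{port or 'default'}")
    print("all logs forwarded:", forwards_all_logs(SAMPLE_RSYSLOG_CONF))
```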

CCE-26828-4

Severity Category II
Vulnerability ID V-38629
STIG ID RHEL-06-000257
Rule ID SV-50430r3_rule
NIST 800-53  NIST SP 800-53 :: AC-11 a
NIST SP 800-53A :: AC-11.1 (ii)
NIST SP 800-53 Revision 4 :: AC-11 a
CCI CCI-000057
Check

Verify that the GNOME Login Inactivity Timeout is set on the host (The graphical desktop environment must set the idle timeout to no more than 15 minutes.).

Comments Not a Finding. Security Analytics does not use the GNOME Graphical User Interface (GUI) Desktop.

CCE-26840-9

                                   
Severity Category III
Vulnerability ID V-38697
STIG ID RHEL-06-000336
Rule ID SV-50498r2_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check

Verify that the host has sticky bits set for all world-writable directories.

Comments Not a Finding.

CCE-26844-1

                                   
Severity Category II
Vulnerability ID V-38573
STIG ID RHEL-06-000061
Rule ID SV-50374r4_rule
NIST 800-53  NIST SP 800-53 :: AC-7 a
NIST SP 800-53A :: AC-7.1 (ii)
NIST SP 800-53 Revision 4 :: AC-7 a
CCI CCI-000044
Check

Verify that the host has deny for failed password attempts set.

Comments Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep  fail_interval=900 /etc/pam.d/*
/etc/pam.d/system-auth-ac:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
/etc/pam.d/system-auth-ac:auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

CCE-26872-2

                                   
Severity  
Vulnerability ID  
STIG ID  
Rule ID  
NIST 800-53   
CCI  
Check

Verify that all files on the host are owned by a group.

Comments Not a Finding. No files are missing a group owner, so this finding is a false positive. The following check produces no output on a correctly configured host.
[root@localhost nwadmin]# rpm -V audit | grep '^......G'
[root@localhost nwadmin]# 

CCE-27031-4 

                                   
Severity Category III
Vulnerability ID V-38642
STIG ID RHEL-06-000346
Rule ID SV-50443r1_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check

Verify that host has daemon umask set.

Comments Not a Finding. Security Analytics has daemon umask set to 022. Make sure that the host has umask set to 022.
[root@localhost nwadmin]# grep umask /etc/init.d/functions

CCE-27110-6

                                   
Severity Category II
Vulnerability ID V-38592
STIG ID RHEL-06-000356
Rule ID SV-50393r4_rule
NIST 800-53  NIST SP 800-53 :: AC-7 b
NIST SP 800-53A :: AC-7.1 (iv)
CCI CCI-000047
Check

Verify that host has lockout time for failed password attempts set.

Comments Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep  fail_interval=900 /etc/pam.d/*
/etc/pam.d/system-auth-ac:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
/etc/pam.d/system-auth-ac:auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

CCE-27123-9

                                   
Severity  
Vulnerability ID  
STIG ID  
Rule ID  
NIST 800-53   
CCI  
Check

Verify that the host has password retry prompts permitted per session set.

Comments Not a Finding. Make sure that you have the correct configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep retry=3 /etc/pam.d/*
/etc/pam.d/system-auth-ac:#password    requisite     pam_cracklib.so try_first_pass retry=3 type=

CCE-27142-9

Severity Category III
Vulnerability ID V-38702
STIG ID RHEL-06-000339
Rule ID SV-50503r1_rule
NIST 800-53  NIST SP 800-53 :: AU-3
NIST SP 800-53A :: AU-3.1
NIST SP 800-53 Revision 4 :: AU-3
CCI CCI-000130
Check

Verify that the host has logging of all FTP transactions enabled.

Comments Not a Finding. Security Analytics does not use FTP.

CCE-27145-2

Severity Category II
Vulnerability ID V-38599
STIG ID RHEL-06-000348
Rule ID SV-50400r2_rule
NIST 800-53  NIST SP 800-53 :: AC-8 a
NIST SP 800-53A :: AC-8.1 (ii)
NIST SP 800-53 Revision 4 :: AC-8 a
CCI CCI-000048
Check

Verify that the host has warning banners for all FTP users created (The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.).

Comments Not a Finding. Security Analytics does not use FTP.

CCE-27170-0

                                   
Severity Category III
Vulnerability ID V-38527
STIG ID RHEL-06-000171
Rule ID SV-50328r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 a
NIST SP 800-53A :: AU-12.1 (ii)
NIST SP 800-53 Revision 4 :: AU-12 a
CCI CCI-000169
Check

Verify that the host records attempts to alter time through clock_settime.

Comments Not a Finding. Make sure that you have the correct clock_settime configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep clock_settime /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S clock_settime -k audit_time_rules
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S clock_settime -k audit_time_rules

CCE-27173-4

                                   
Severity Category III
Vulnerability ID V-38545
STIG ID RHEL-06-000185
Rule ID  SV-50346r3_rule
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - chown.

Comments Not a Finding. Make sure that you have the correct chown configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep chown /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27174-2

                                   
Severity Category III
Vulnerability ID V-38547
STIG ID RHEL-06-000186
Rule ID SV-50348r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fchmod.

Comments Not a Finding. Make sure that you have the correct fchmod configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fchmod /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27175-9

                                   
Severity Category III
Vulnerability ID V-38550
STIG ID RHEL-06-000187 
Rule ID SV-50351r3_rule
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fchmodat.

Comments Not a Finding. Make sure that you have the correct fchmodat configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fchmodat /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27177-5

                                   
Severity Category III
Vulnerability ID V-38552
STIG ID RHEL-06-000188
Rule ID SV-50353r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fchown.

Comments Not a Finding. Make sure that you have the correct fchown configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fchown /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27178-3

                                   
Severity Category III
Vulnerability ID V-38554
STIG ID RHEL-06-000189
Rule ID SV-50355r3_rule
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fchownat.

Comments Not a Finding. Make sure that you have the correct fchownat configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fchownat /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27179-1

                                   
Severity Category III
Vulnerability ID V-38556
STIG ID RHEL-06-000190
Rule ID SV-50357r3_rule
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fremovexattr.

Comments Not a Finding. Make sure that you have the correct fremovexattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fremovexattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27180-9

                                   
Severity Category III
Vulnerability ID  V-38557
STIG ID RHEL-06-000191
Rule ID SV-50358r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - fsetxattr.

Comments Not a Finding. Make sure that you have the correct fsetxattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep fsetxattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27181-7

                                   
Severity Category III
Vulnerability ID  V-38558
STIG ID  RHEL-06-000192
Rule ID SV-50359r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - lchown.

Comments Not a Finding. Make sure that you have the correct lchown configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep lchown /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27182-5 

                                   
Severity Category III
Vulnerability ID V-38559
STIG ID RHEL-06-00019
Rule ID SV-50360r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - lremovexattr.

Comments Not a Finding. Make sure that you have the correct lremovexattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep lremovexattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27183-3 

                                   
Severity Category III
Vulnerability ID V-38561
STIG ID RHEL-06-000194 
Rule ID V-50362r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - lsetxattr.

Comments Not a Finding. Make sure that you have the correct lsetxattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep lsetxattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27184-1 

                                   
Severity Category III
Vulnerability ID V-38563
STIG ID RHEL-06-000195 
Rule ID SV-50364r3_rule
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - removexattr.

Comments Not a Finding. Make sure that you have the correct removexattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep removexattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27185-8 

                                   
Severity Category III
Vulnerability ID V-38565
STIG ID RHEL-06-000196
Rule ID SV-50366r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 c
NIST SP 800-53A :: AU-12.1 (iv)
NIST SP 800-53 Revision 4 :: AU-12 c
CCI CCI-000172
Check

Verify that the host records events that modify the system's discretionary access controls - setxattr.

Comments Not a Finding. Make sure that you have the correct setxattr configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep setxattr /etc/audit/audit.rules
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27203-9 

                                   
Severity Category III
Vulnerability ID V-38522
STIG ID RHEL-06-000167
Rule ID SV-50323r3_rule 
NIST 800-53  NIST SP 800-53 :: AU-12 a
NIST SP 800-53A :: AU-12.1 (ii)
NIST SP 800-53 Revision 4 :: AU-12 a
CCI CCI-000169
Check

Verify that the host records attempts to alter time through settimeofday.

Comments Not a Finding. Make sure that you have the correct settimeofday configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep settimeofday /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S settimeofday -k audit_time_rules
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S settimeofday -k audit_time_rules
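The grep checks in the entries above confirm one syscall each. As an added example (not RSA's code), the following Python parses an audit.rules file or the grep output once and reports, per syscall, which architectures carry it under the expected key and uid filters; run over a sample built from the rule lines quoted above, it reports chmod as covered on b64 only, because the arch=b32 line as printed does not list it.

```python
"""Check audit.rules coverage per syscall and architecture.

Added example, not RSA code. The entries above each confirm one syscall with
a grep; this parses the auditctl-style rules once and reports, per syscall,
which arches (b64, b32) carry it under the expected key and uid filters.
"""
import shlex

PERM_MOD_SYSCALLS = ("chown", "chmod", "fchmod", "fchmodat", "fchown",
                     "fchownat", "fremovexattr", "fsetxattr", "lchown",
                     "lremovexattr", "lsetxattr", "removexattr", "setxattr")
TIME_SYSCALLS = ("clock_settime", "settimeofday")
PERM_MOD_FILTERS = ("auid>=500", "auid!=4294967295")


def parse_rules(text):
    """Parse '-a exit,always ...' lines into dicts of arch, syscalls, filters
    and key. A 'path:' prefix, as produced by grep over /etc/audit/*, is
    stripped so raw file content and grep output parse the same way."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a ") and ":-a " in line:
            line = "-a " + line.split(":-a ", 1)[1]
        if not line.startswith("-a "):
            continue  # blank line, comment, or a non-syscall rule
        argv = shlex.split(line)
        rule = {"arch": None, "syscalls": set(), "filters": set(), "key": None}
        for i in range(0, len(argv) - 1, 2):
            flag, val = argv[i], argv[i + 1]
            if flag == "-S":
                rule["syscalls"].add(val)
            elif flag == "-F" and val.startswith("arch="):
                rule["arch"] = val[len("arch="):]
            elif flag == "-F":
                rule["filters"].add(val)
            elif flag == "-k":
                rule["key"] = val
        rules.append(rule)
    return rules


def coverage(rules, syscalls, key, required_filters=()):
    """Map each syscall to the set of arches on which some rule lists it
    with the given key and every filter in required_filters."""
    needed = set(required_filters)
    report = {}
    for sc in syscalls:
        report[sc] = {r["arch"] for r in rules
                      if sc in r["syscalls"] and r["key"] == key
                      and needed <= r["filters"]}
    return report


def missing(rules, syscalls, key, required_filters=()):
    """Sorted (syscall, arch) pairs with no matching rule on b64 or b32."""
    cov = coverage(rules, syscalls, key, required_filters)
    return sorted((sc, arch) for sc in syscalls
                  for arch in ("b64", "b32") if arch not in cov[sc])


# Constructed sample built from the rule lines quoted in the entries above
# (the duplicated -S lremovexattr is kept as printed; sets absorb it).
SAMPLE_AUDIT_RULES = """\
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S clock_settime -k audit_time_rules
-a exit,always -F arch=b32 -S clock_settime -k audit_time_rules
-a exit,always -F arch=b64 -S settimeofday -k audit_time_rules
-a exit,always -F arch=b32 -S settimeofday -k audit_time_rules
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_AUDIT_RULES)
    for name, syscalls, key, filters in (
            ("perm_mod", PERM_MOD_SYSCALLS, "perm_mod", PERM_MOD_FILTERS),
            ("audit_time_rules", TIME_SYSCALLS, "audit_time_rules", ())):
        gaps = missing(parsed, syscalls, key, filters)
        print(f"{name}: {'complete' if not gaps else gaps}")
```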

CCE-27215-3 

                                   
Severity Category III
Vulnerability ID V-38501
STIG ID RHEL-06-000357
Rule ID SV-50302r4_rule
NIST 800-53  NIST SP 800-53 :: AC-7 a
NIST SP 800-53A :: AC-7.1 (ii)
CCI CCI-001452
Check

Verify that the host has interval for counting failed password attempts set.

Comments Not a Finding. Make sure that you have the correct fail_interval configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep  fail_interval=900 /etc/pam.d/*
/etc/pam.d/system-auth-ac:auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
/etc/pam.d/system-auth-ac:auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

CCE-27291-4 

                                   
Severity Category II
Vulnerability ID V-51875
STIG ID RHEL-06-000372
Rule ID SV-66089r1_rule 
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check

Verify that the host has the last logon/access notification set.

Comments Not a Finding. Make sure that you have the correct lastlog configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep lastlog /etc/pam.d/*
/etc/pam.d/password-auth:session    required     pam_lastlog.so showfailed
/etc/pam.d/password-auth-local:session    required     pam_lastlog.so showfailed

Rules to Be Supported in Future Release

The following checks for non-compliance to STIG rules are not supported in Security Analytics and will be added in a future release.

CCE-26282-4

                                   
Severity Category III
Vulnerability ID V-38610
STIG ID RHEL-06-000231
Rule ID SV-50411r1_rule
NIST 800-53  NIST SP 800-53 :: MA-4 e
NIST SP 800-53A :: MA-4.1 (vi)
NIST SP 800-53 Revision 4 :: MA-4 e
CCI CCI-000879
Check (For Log Decoder and Remote Collector hosts only) Verify that the host has the SSH Client alive count set.
Comments

Future Feature

CCE-26444-0

                                   
Severity Category II
Vulnerability ID V-38513
STIG ID RHEL-06-000120
Rule ID SV-50314r1_rule
NIST 800-53  NIST SP 800-53 :: AC-17 e
NIST SP 800-53A :: AC-17.1 (v)
CCI CCI-000066
Check Verify that the host has default iptables policy for incoming packets set (Local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets).
Comments

Future Feature

CCE-26457-2

                                   
Severity Category III
Vulnerability ID V-38567
STIG ID RHEL-06-000198
Rule ID SV-50368r4_rule 
NIST 800-53  NIST SP 800-53 :: AC-6 (2)
NIST SP 800-53A :: AC-6 (2).1 (iii)
CCI CCI-000040
Check Verify that auditd collects information on the Use of Privileged commands on the host.
Comments

Future Feature

CCE-26638-7

Severity Category III
Vulnerability ID V-38639
STIG ID RHEL-06-000260
Rule ID SV-50440r3_rule
NIST 800-53  NIST SP 800-53 :: AC-11 (1)
NIST SP 800-53A :: AC-11 (1).1
NIST SP 800-53 Revision 4 :: AC-11 (1)
CCI CCI-000060
Check

Verify that the blank screen saver is implemented on the host (System must display a publicly-viewable pattern during a graphical desktop environment session lock.).

Comments

Future Feature

CCE-26821-9

                                   
Severity Category III
Vulnerability ID V-38699
STIG ID RHEL-06-000337
Rule ID SV-50500r2_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI  CCI-000366
Check Verify that log files on the host are owned by appropriate group (All public directories must be owned by a system account.).
Comments

Future Feature

CCE-26887-0

                                   
Severity Category I
Vulnerability ID V-38614
STIG ID RHEL-06-000239 
Rule ID SV-50415r1_rule
NIST 800-53  NIST SP 800-53 :: IA-2 (2)
NIST SP 800-53A :: IA-2 (2).1
NIST SP 800-53 Revision 4 :: IA-2 (2)
CCI CCI-000766
Check (For Log Decoder and Remote Collector hosts only) Verify that the host has the SSH access through empty passwords disabled.
Comments

Future Feature

CCE-26919-1

                                   
Severity Category III
Vulnerability ID V-38608
STIG ID RHEL-06-000230
Rule ID SV-50409r1_rule
NIST 800-53  NIST SP 800-53 :: SC-10
NIST SP 800-53A :: SC-10.1 (ii)
NIST SP 800-53 Revision 4 :: SC-10
CCI CCI-001133
Check (For Log Decoder and Remote Collector hosts only) Verify that the host has the SSH idle timeout interval set.
Comments

Future Feature

CCE-27167-6

                                   
Severity Category I
Vulnerability ID V-38677
STIG ID RHEL-06-00030
Rule ID  SV-50478r1_rule
NIST 800-53  NIST SP 800-53 :: IA-2
NIST SP 800-53A :: IA-2.1
NIST SP 800-53 Revision 4 :: IA-2
CCI CCI-000764
Check Verify that the host prohibits insecure file locking (The NFS server must not have the insecure file locking option enabled.).
Comments Future Feature 

CCE-27190-8

                                   
Severity Category II
Vulnerability ID V-38623
STIG ID RHEL-06-000135
Rule ID SV-50424r2_rule
NIST 800-53  NIST SP 800-53 :: SI-11 c
NIST SP 800-53A :: SI-11.1 (iv)
NIST SP 800-53 Revision 4 :: SI-11 b
CCI CCI-001314
Check Verify that host has correct permissions configured for system log files (All rsyslog-generated log files must have mode 0600 or less permissive.).
Comments Future Feature

CCE-27201-3

                                   
Severity Category III
Vulnerability ID V-38616
STIG ID RHEL-06-000241 
Rule ID SV-50417r1_rule 
NIST 800-53  NIST SP 800-53 :: AC-4
NIST SP 800-53A :: AC-4.1 (iii)
NIST SP 800-53 Revision 4 :: AC-4
CCI CCI-001414
Check (For Log Decoder and Remote Collector hosts only) Verify that the host does not allow SSH environment options.
Comments Future Feature

CCE-27227-8

                                   
Severity Category III
Vulnerability ID V-38693
STIG ID  RHEL-06-000299
Rule ID SV-50494r2_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check Verify that the host has the password set to a maximum of three consecutive repeating characters (The system must require passwords to contain no more than three consecutive repeating characters.).
Comments Future Feature

CCE-27379-7

                                   
Severity Category III
Vulnerability ID V-38681
STIG ID RHEL-06-000294
Rule ID SV-50482r2_rule
NIST 800-53  NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b
CCI CCI-000366
Check Verify that the host has all GIDs referenced in /etc/passwd defined in /etc/group (All GIDs referenced in /etc/passwd must be defined in /etc/group.).
Comments Future Feature

CCE-27440-7

                                   
Severity Category II
Vulnerability
ID
V-38595
STIG ID RHEL-06-000349
Rule ID SV-50396r3_rule 
NIST 800-53  NIST SP 800-53 :: IA-2 (1)
NIST SP 800-53A :: IA-2 (1).1
NIST SP 800-53 Revision 4 :: IA-2 (1)
CCI CCI-000765
Check Verify that the host has smart card login enabled (System must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.).
Comments Future Feature

CCE-27474-6

                                   
Severity Category III
Vulnerability ID V-38685
STIG ID RHEL-06-000297
Rule ID SV-50486r1_rule
NIST 800-53  NIST SP 800-53 :: AC-2 (2)
NIST SP 800-53A :: AC-2 (2).1 (ii)
NIST SP 800-53 Revision 4 :: AC-2 (2)
CCI CCI-000016
Check Verify that the host has an expiration date assigned to temporary accounts (Temporary accounts must be provisioned with an expiration date.).
Comments Future Feature

CCE-27609-7

                                   
Severity Category III
Vulnerability ID  V-38683
STIG ID RHEL-06-000296
Rule ID SV-50484r1_rule
NIST 800-53  NIST SP 800-53 :: IA-8
NIST SP 800-53A :: IA-8.1
NIST SP 800-53 Revision 4 :: IA-8
CCI CCI-000804
Check

Verify that all accounts on the host have unique names (All accounts on the system must have unique user or account names.).

Comments Future Feature