SysMaint: Exceptions to STIG Compliance

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by Susan Ewald on Nov 1, 2016. Version 2.

This topic lists:

  • Rule exceptions, with the reason for their non-compliance and a workaround if one exists.
  • False positive results.
  • Rules to be supported in a future release.

Exceptions

The following list contains the exceptions that can appear when you run the OpenSCAP report. The ID, or Common Configuration Enumeration (CCE) number, given for each entry is the identification number of the exception in the OpenSCAP report. Each entry gives the check, the reason for the exception, and the workaround if any.

CCE-26215-4 (For IPDB Extractor only)
Check: Ensure /var/log Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var/log directory has its own partition or logical volume at installation, or migrate it using LVM.

CCE-26328-5 (For IPDB Extractor, Malware Analysis, and SA hosts only)
Check: Require Client SMB Packet Signing, if using smbclient
Reason: This is a manual task for the system administrator.
Workaround: To require Samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory

CCE-26435-8 (For IPDB Extractor only)
Check: Ensure /tmp Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /tmp directory has its own partition or logical volume at installation, or migrate it using LVM.

CCE-26436-6
Check: Ensure that /var/log/audit directory is located on a separate partition.
Reason: Requires a change to the Security Analytics architecture.
Workaround: None.

CCE-26506-6
Check: Ensure Red Hat GPG Key Installed
Reason: Security Analytics runs under CentOS, so it does not have a Red Hat GPG key.
Workaround: None.

CCE-26557-9 (For IPDB Extractor only)
Check: Ensure /home Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: If you store user home directories locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home is mounted from another system such as an NFS server, you do not need to create a separate partition at installation; you can configure the mount point at a later date.

CCE-26639-5 (For IPDB Extractor only)
Check: Ensure /var Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var directory has its own partition or logical volume at installation, or migrate it using LVM.

CCE-26647-8
Check: Ensure gpgcheck Enabled For All Yum Package Repositories
Reason: This is a manual task for the system administrator.
Workaround: Set gpgcheck=1.

CCE-26731-0
Check: Verify and Correct File Permissions with RPM
Reason: This is a manual task for the system administrator.
Workaround: Reinstate the permissions set by the vendor.

CCE-26792-2 (For IPDB Extractor, Malware Analysis, and SA hosts only)
Check: Require Client SMB Packet Signing, if using mount.cifs
Reason: This is a manual task for the system administrator.
Workaround: Make sure that either the sec=krb5i or the sec=ntlmv2i signing option is used.

CCE-26801-1
Check: Ensure Logs Sent To Remote Host
Reason: This is a manual task for the system administrator.
Workaround: Forward log messages to a remote log host.

CCE-26812-8
Check: Ensure Log Files Are Owned By Appropriate User
Reason: This is a manual task for the system administrator.
Workaround: The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referred to in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE

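As an added example (not part of this RSA document), the following POSIX shell script automates the CCE-26812-8 owner inspection above: it extracts the file actions from an rsyslog configuration and reports any existing log file that is not owned by the expected user, printing the corresponding chown fix. The configuration path and expected owner are parameters (assumed names chosen here); the script changes nothing.

```shell
#!/bin/sh
# Added example, not from the RSA document: audit the owner of every log
# file that an rsyslog configuration writes to (CCE-26812-8).
# log_files_in CONF           prints each file path used as an action in CONF.
# check_log_owners CONF [OWNER] returns 0 when every referenced file that
#   exists is owned by OWNER (default root), 1 otherwise. Nothing is changed;
#   the matching chown fix is only printed.

log_files_in() {
    # Rule lines look like "selector  action". File actions start with "/"
    # or "-/" (the "-" requests buffered writes). Comments, $directives,
    # remote (@host), discard (~) and wall (*) actions are skipped.
    awk '!/^[[:space:]]*[#$]/ && NF >= 2 {
            a = $2
            sub(/^-/, "", a)
            if (a ~ /^\//) print a
        }' "$1"
}

check_log_owners() {
    conf=$1
    want=${2:-root}
    bad=0
    # The path list is fed through a here-document so the loop runs in the
    # current shell and can update "bad" (a pipe would fork a subshell).
    while read -r f; do
        [ -n "$f" ] && [ -e "$f" ] || continue   # not created yet: skip
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            echo "NOT owned by $want: $f (owner: $owner) -> chown $want $f"
            bad=1
        fi
    done <<EOF
$(log_files_in "$conf")
EOF
    return $bad
}

# Stand-alone use: "sh thisscript.sh --run" audits the live configuration.
if [ "${1-}" = "--run" ]; then
    check_log_owners /etc/rsyslog.conf root && echo "all rsyslog log files are owned by root"
fi
```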
CCE-26910-0 (For Log Decoder only)
Check: Ensure No World-Writable Files Exist
Reason: This is a manual task for the system administrator.
Workaround: Remove global (other) write access to a file when it is discovered. However, check the documentation for specific applications before making changes. Also monitor for recurring world-writable files, as these may be symptoms of an application or user account that was not configured correctly.

CCE-26966-2
Check: Ensure that System Accounts Do Not Run a Shell Upon Login
Reason: The nwadmin user is the exception.
Workaround: None.

CCE-26969-6
Check: Ensure SELinux State is Enforcing
Reason: Enforcing this rule causes functionality to fail, especially on the Decoder.
Workaround: Set the SELinux state to Permissive, which logs policy violations instead of blocking them.

CCE-26974-6
Check: Modify the System Login Banner
Reason: The user is allowed to modify the system banner.
Workaround: None.

CCE-27017-3
Check: Set GUI Warning Banner Text
Reason: Security Analytics does not run an OS-level GUI; the banner is provided upon login via SSH or the console.
Workaround: None.

CCE-27033-0
Check: Disable Core Dumps for All Users
Reason: The setting is enabled for Product Support.
Workaround: To disable core dumps for all users, add the following line to /etc/security/limits.conf:
*     hard   core    0

CCE-27016-5
Check: Disable Modprobe Loading of USB Storage Driver
Reason: You need USB to boot from the SD cards onboard Security Analytics hosts.
Workaround: None.

CCE-27142-9
Check: Enable Logging of All FTP Transactions
Reason: Security Analytics does not use FTP.
Workaround: None.

CCE-27145-2
Check: Create Warning Banners for All FTP Users
Reason: Security Analytics does not use FTP.
Workaround: None.

CCE-27153-6
Check: Disable IPv6 Networking Support Automatic Loading
Reason: Disabling IPv6 Networking Support Automatic Loading causes functionality to fail.
Workaround: None.

CCE-27196-5
Check: Add noexec Option to Removable Media Partitions
Reason: You need USB to boot from the SD cards.
Workaround: None.

CCE-27222-9
Check: Configure Periodic Execution of AIDE
Reason: This is a manual task for the system administrator.
Workaround: Configure a cron job to run AIDE or the IDS you use.

CCE-27239-3
Check: Configure auditd admin_space_left Action on Low Disk Space
Reason: This is a manual task for the system administrator.
Workaround: Provide sufficient disk space.

CCE-27283-1
Check: Set Account Expiration Following Inactivity
Reason: This is a manual task for the system administrator.
Workaround: Add or correct the INACTIVE=NUM_DAYS line in /etc/default/useradd, substituting NUM_DAYS appropriately.

CCE-27289-8 (For Log Decoder only)
Check: Verify that System Executables Have Restrictive Permissions
Reason: Some files deployed by Erlang do not have permissions set according to STIG guidelines.
Workaround: Change the permissions to conform to STIG guidelines using the following command:
# chmod go-w FILE

CCE-27365-6
Check: Configure SNMP Service to Use Only SNMPv3 or Newer
Reason: This is a manual task for the system administrator.
Workaround: Configure SNMPv3.

CCE-27381-3
Check: Verify that Shared Library Files Have Restrictive Permissions
Reason: This is a manual task for the system administrator.
Workaround: Fix the permissions.

CCE-27409-2
Check: Install Intrusion Detection Software
Reason: This is a manual task for the system administrator.
Workaround: Install intrusion detection software. RSA does not provide this software.

CCE-27440-7
Check: Enable Smart Card Login
Reason: Security Analytics does not support smart cards. This is a manual task for the system administrator.
Workaround: Configure smart card authentication.

CCE-27529-7
Check: Install Virus Scanning Software
Reason: This is a manual task for the system administrator.
Workaround: Install virus scanning software. RSA does not provide this software.

CCE-27596-6
Check: Encrypt Partitions
Reason: Security Analytics does not encrypt partitions because it degrades performance.
Workaround: None.

CCE-27635-2
Check: Ensure Software Patches Installed
Reason: This is a manual task for the system administrator.
Workaround: Apply the quarterly updates provided by RSA.

False Positive Results

The following STIG rule checks produce a false positive result, so you can ignore their results.

ID            Check
CCE-26242-8   Record attempts to alter time through adjtimex
CCE-26280-8   Record Events that Modify the System's Discretionary Access Controls - chmod
CCE-26303-8   Set Password Hashing Algorithm in /etc/pam.d/system-auth
CCE-26555-3   Use Only Approved Ciphers
CCE-26611-4   Ensure auditd Collects Information on Kernel Module Loading and Unloading
CCE-26648-6   Record Events that Modify the System's Network Environment
CCE-26651-0   Ensure auditd Collects File Deletion Events by User
CCE-26712-0   Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
CCE-26741-9   Limit Password Reuse
CCE-26763-3   Disable Bluetooth Kernel Modules
CCE-26774-0   Ensure No Device Files are Unlabeled by SELinux
CCE-26785-6   Enable Auditing for Processes Which Start Prior to the Audit Daemon
CCE-26801-1   Ensure Logs Sent To Remote Host
CCE-26840-9   Verify that All World-Writable Directories Have Sticky Bits Set
CCE-26844-1   Set Deny For Failed Password Attempts
CCE-26872-2   Ensure All Files Are Owned by a Group
CCE-27031-4   Set Daemon Umask
CCE-27110-6   Set Lockout Time For Failed Password Attempts
CCE-27123-9   Set Password Retry Prompts Permitted Per-Session
CCE-27170-0   Record Attempts to Alter Time Through clock_settime
CCE-27173-4   Record Events that Modify the System's Discretionary Access Controls - chown
CCE-27174-2   Record Events that Modify the System's Discretionary Access Controls - fchmod
CCE-27175-9   Record Events that Modify the System's Discretionary Access Controls - fchmodat
CCE-27177-5   Record Events that Modify the System's Discretionary Access Controls - fchown
CCE-27178-3   Record Events that Modify the System's Discretionary Access Controls - fchownat
CCE-27179-1   Record Events that Modify the System's Discretionary Access Controls - fremovexattr
CCE-27180-9   Record Events that Modify the System's Discretionary Access Controls - fsetxattr
CCE-27181-7   Record Events that Modify the System's Discretionary Access Controls - lchown
CCE-27182-5   Record Events that Modify the System's Discretionary Access Controls - lremovexattr
CCE-27183-3   Record Events that Modify the System's Discretionary Access Controls - lsetxattr
CCE-27184-1   Record Events that Modify the System's Discretionary Access Controls - removexattr
CCE-27185-8   Record Events that Modify the System's Discretionary Access Controls - setxattr
CCE-27203-9   Record attempts to alter time through settimeofday
CCE-27215-3   Set Interval For Counting Failed Password Attempts
CCE-27291-4   Set Last Logon/Access Notification

Rules to Be Supported in Future Release

The following STIG rule checks are not yet supported in Security Analytics; support will be added in a future release.

ID            Check
CCE-26282-4   (For Log Decoder and Remote Collector hosts only) Set SSH Client Alive Count
CCE-26444-0   Set Default iptables Policy for Incoming Packets
CCE-26457-2   Ensure auditd Collects Information on the Use of Privileged Commands
CCE-26690-8   (For SA host only) Configure LDAP Client to Use TLS For All Transactions
CCE-26821-9   Ensure Log Files Are Owned By Appropriate Group
CCE-26887-0   (For Log Decoder and Remote Collector hosts only) Disable SSH Access via Empty Passwords
CCE-26919-1   (For Log Decoder and Remote Collector hosts only) Set SSH Idle Timeout Interval
CCE-27093-4   (For IPDB Extractor host only) Enable the NTP Daemon
CCE-27167-6   Ensure Insecure File Locking is Not Allowed
CCE-27186-6   Set Default iptables Policy for Forwarded Packets
CCE-27189-0   (For SA host only) Configure Certificate Directives for LDAP Use of TLS
CCE-27190-8   Ensure System Log Files Have Correct Permissions
CCE-27201-3   (For Log Decoder and Remote Collector hosts only) Do Not Allow SSH Environment Options
CCE-27227-8   Set Password to Maximum of Three Consecutive Repeating Characters
CCE-27379-7   All GIDs referenced in /etc/passwd must be defined in /etc/group
CCE-27474-6   Assign Expiration Date to Temporary Accounts
CCE-27567-7   Disable Ctrl-Alt-Del Reboot Activation
CCE-27593-3   Ensure Default Password Is Not Used
CCE-27609-7   Ensure All Accounts on the System Have Unique Names