Sys Maintenance: Exceptions to STIG Compliance

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Jul 27, 2017.
Version 2

This topic contains:

  • Rule exceptions with reasons for their non-compliance and workarounds if any.
  • Rule exceptions that are "Not a Finding", which means that they do not apply to Security Analytics. RSA has verified that the system meets these requirements.
  • Rules to be supported in a future release.

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls. This improves workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerabilities and Exposures (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

Severity

                       
Category 
Category IFindings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. Category I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.
Category IIFindings that have a potential to lead to unauthorized system access or activity. Category II findings can usually be mitigated and will not prevent an Authorization to Operate from being granted.
Category IIIRecommendations that will improve IA posture but are not required for an authorization to operate.

Vulnerability ID

Vulnerability identification code assigned to the exception by the Unified Compliance Framework STIG Viewer (https://www.stigviewer.com/).

STIG ID

Security Technical Implementation Guide (STIG) identification code. 

Rule ID

Rule identification code.

NIST 800-53

National Institute of Standards and Technology (NIST) Special Publication 800-53 control list (https://www.stigviewer.com/controls/800-53) information, provided by the RedHat STIG Viewer.

CCI

DISA Control Correlation Identifier (https://www.tenable.com/sc-dashboards/disa-control-correlation-identifier-cci-dashboard). 

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Provides insight on why you would receive this exception.  This section includes one of the following comments that describes the exception:

  • Not a Finding - Exception does not apply to Security Analytics. RSA has verified that the system meets this requirement.
  • Customer Responsibility - You are responsible for making sure the system meets this requirement.
  • Required Functionality - Security Analytics does not meet this requirement.
  • Future Feature - Security Analytics does not meet this requirement. RSA plans to fix this in a future release of Security Analytics.
  • Mitigation Steps Required - Lists steps you can take to mitigate the exception.

Exception Descriptions

The following list contains the exceptions you can receive when you run the OpenSCAP report. The ID or Common Configuration Enumeration (CCE) number in the table is the identification number for the exception from the OpenSCAP report.

CCE-26215-4

                                   

Severity

Category III

Vulnerability ID

V-38463

STIG ID

RHEL-06-000003

Rule ID

SV-50263r1_rule

NIST 800-53

NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b

CCI

CCI-000366

Check

(For the IPDB Extractor only) Verify that the /var/log directory on the host has its own partition or logical volume at installation.

Comments

Customer Responsibility. If the /var/log directory on the host does not have its own partition or logical volume, use the Logical Volume Manager (LVM) to migrate it to its own partition or logical volume.
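
One way to run the CCE-26215-4 check by hand, as an added example that is not part of the RSA documentation or the OpenSCAP content. The function name check_var_log, the verdict strings, and the sample mount tables (including the VolGroup00 names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: does /var/log have its own partition or logical volume?
# check_var_log [MOUNTS_FILE]   (default /proc/mounts; "-" reads stdin)
# Prints a one-line verdict; returns 0 when compliant, 1 on a finding.
check_var_log() {
    awk '
        # Fields: device mountpoint fstype options dump pass.
        # Later lines overmount earlier ones, so the last match wins.
        $2 == "/"        { root = $1 }
        $2 == "/var/log" { dev = $1; fs = $3 }
        END {
            if (dev == "") {
                print "FINDING: /var/log is not a mount point"
                exit 1
            }
            if (dev !~ /^\/dev\//) {
                # e.g. tmpfs: separate filesystem, but not a partition or LV
                print "FINDING: /var/log is " fs ", not a partition or logical volume"
                exit 1
            }
            if (dev == root) {
                # A bind mount reports the device of the filesystem behind it
                print "FINDING: /var/log shares " dev " with /"
                exit 1
            }
            print "OK: /var/log is on " dev " (" fs ")"
        }' "${1:-/proc/mounts}"
}

# Constructed sample mount tables (hypothetical host, not real output).
SAMPLE_SHARED='rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-root / ext4 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'
SAMPLE_BIND='/dev/mapper/VolGroup00-root / ext4 rw 0 0
/dev/mapper/VolGroup00-root /var/log ext4 rw 0 0'
SAMPLE_TMPFS='/dev/mapper/VolGroup00-root / ext4 rw 0 0
tmpfs /var/log tmpfs rw 0 0'
SAMPLE_DEDICATED='/dev/mapper/VolGroup00-root / ext4 rw 0 0
/dev/mapper/VolGroup00-varlog /var/log ext4 rw 0 0'

# Demo on the samples; on a real host run check_var_log with no argument.
for sample in "$SAMPLE_SHARED" "$SAMPLE_BIND" "$SAMPLE_TMPFS" "$SAMPLE_DEDICATED"; do
    printf '%s\n' "$sample" | check_var_log - || true
done
```

A mount entry alone is not sufficient evidence: the bind-mount and tmpfs samples both show /var/log as a mount point yet still fail the requirement.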

CCE-26328-5

                                   

Severity

Category III

Vulnerability ID

V-38656