DISA STIG 

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

The NetWitness Platform version 12.4.0.0 supports all Audit Rules in the DISA STIG Control Group. The supported version for DISA STIG is Red Hat Enterprise Linux 8 V1R11. NetWitness will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage-stig-controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control group 1-ssh-prevent-root and control group 3-fips-kernel. You can enable or disable rules by control group using the manage-stig-controls script.

How STIG Limits Account Access

The STIG hardening RPM limits account access to a system, which helps to lock down information, systems, and software that might otherwise be vulnerable to a malicious attack. For example, the STIG script:

  • Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
  • Applies auditing and logging of user actions on the host.

NetWitness Passwords

NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a suite of standards managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.

Install OpenSCAP

To install OpenSCAP:

  1. SSH to the host.
  2. Execute the following command:

yum install scap-security-guide

Sample Report

The following report is a sample section from an OpenSCAP report.

(Image: sample section of an OpenSCAP report)

Report Fields

Introduction - Test Result
  Result ID: The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.
  Profile: XCCDF profile under which the report results are categorized.
  Start time: When the report started.
  End time: When the report ended.
  Benchmark: XCCDF benchmark.
  Benchmark version: Version number of the benchmark.

Introduction - Score
  system: XCCDF scoring method.
  score: Score attained after running the report.
  max: Highest score attainable.
  %: Score attained after running the report as a percentage.
  bar: Not applicable.

Results overview - Rule Results Summary
  pass: Passed rule check.
  fixed: Rule check that failed previously is now fixed.
  fail: Failed rule check.
  error: Could not perform rule check.
  not selected: This check was not applicable to your NetWitness Platform deployment.
  not checked: Rule could not be checked. There are several reasons why a rule cannot be checked; for example, the rule check requires a check engine not supported by the OpenSCAP report.
  not applicable: Rule check does not apply to your NetWitness Platform deployment.
  informational: Rule checks for informational purposes only (no action required for fail).
  unknown: The report was unable to determine the result of the rule check. Run the steps manually as described in the report to check the rule.
  total: Total number of rules checked.

Exceptions
  Title: Name of the rule being checked.
  Result: Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown.

Note: Result values are defined in Results overview - Rule Results Summary.

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP report:

  1. SSH to the host.
  2. Submit the following commands to create and enter the working directory:
    a. mkdir -p /opt/rsa/openscap
    b. cd /opt/rsa/openscap
  3. Install the scap-security-guide package:
    yum install scap-security-guide
  4. Generate the report using the stig profile (the command is one line; backslashes mark line continuations):
    oscap xccdf eval --profile stig \
        --results /opt/rsa/openscap/`hostname`-ssg-results.xml \
        --report /opt/rsa/openscap/`hostname`-ssg-results.html \
        --cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \
        /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml
    Note: This creates reports in both XML and HTML format.
  5. The reports are written to the following location:
    /opt/rsa/openscap/
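As an added example (not NetWitness or OpenSCAP code), the following POSIX shell script wraps the oscap invocation from the procedure above and then parses the XML results it produces: it counts rules per result value (the statuses listed under Report Fields) and prints the failed rules whose CCE number is not among the vendor-documented exceptions from the Rules List below. The results file it runs on is constructed inline, and KNOWN_EXCEPTIONS is an assumption that carries only a few CCE numbers from that list.

```shell
#!/bin/sh
# Added example, not part of NetWitness or OpenSCAP: triage an XCCDF results
# file and separate expected failures (documented exceptions) from drift.

# CCE numbers the Rules List marks as Exception (disabled by default).
# Assumption: a real run would carry every Exception row from that list.
KNOWN_EXCEPTIONS="CCE-82155-3 CCE-80942-6 CCE-84027-2 CCE-80935-0"

# Run the scan exactly as the procedure above does (needs oscap; not run by
# the test). oscap exits 2 when at least one rule failed, which is normal
# here; exit 1 is a real error and aborts.
generate_report() {
    dir=/opt/rsa/openscap
    mkdir -p "$dir"
    oscap xccdf eval --profile stig \
        --results "$dir/$(hostname)-ssg-results.xml" \
        --report "$dir/$(hostname)-ssg-results.html" \
        --cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \
        /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml || [ "$?" -eq 2 ]
    echo "$dir/$(hostname)-ssg-results.xml"
}

# Print one line per rule: "<CCE or -> <result> <rule idref>".
# Walks <rule-result idref="..."> blocks; in XCCDF the <result> element
# precedes <ident>, so the line is emitted when </rule-result> is reached.
rule_results() {
    awk '
        /<rule-result[ >]/ {
            idref = $0; sub(/.*idref="/, "", idref); sub(/".*/, "", idref)
            cce = "-"; res = "unknown"
        }
        /<result>/ {
            res = $0; sub(/.*<result>/, "", res); sub(/<.*/, "", res)
        }
        /<ident / && /CCE-/ {
            cce = $0; sub(/.*>CCE-/, "CCE-", cce); sub(/<.*/, "", cce)
        }
        index($0, "</rule-result>") { print cce, res, idref }
    ' "$1"
}

# Count rules per result value ("fail 2", "pass 1", ...), the same
# statuses the report's Rule Results Summary breaks out.
summary() {
    rule_results "$1" | awk '{ n[$2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Failed rules whose CCE is not a documented exception: the ones to act on.
unexpected_failures() {
    rule_results "$1" | while read -r cce res idref; do
        [ "$res" = "fail" ] || continue
        case " $KNOWN_EXCEPTIONS " in
            *" $cce "*) ;;                 # expected: vendor-listed exception
            *) echo "$cce $idref" ;;
        esac
    done
}

# Constructed sample in the shape of an oscap TestResult (not a real scan).
# CCE numbers mirror rows of the Rules List: FIPS mode is a documented
# exception, but "Disable SSH Access via Empty Passwords" is listed as Passed,
# so a fail there is drift from the vendor baseline.
SAMPLE_XML=$(mktemp)
trap 'rm -f "$SAMPLE_XML"' EXIT
cat > "$SAMPLE_XML" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high">
    <result>fail</result>
    <ident system="https://ncp.nist.gov/cce">CCE-80942-6</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
    <result>fail</result>
    <ident system="https://ncp.nist.gov/cce">CCE-80896-4</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>pass</result>
    <ident system="https://ncp.nist.gov/cce">CCE-80869-1</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" severity="high">
    <result>notapplicable</result>
    <ident system="https://ncp.nist.gov/cce">CCE-80823-8</ident>
  </rule-result>
</TestResult>
EOF

echo "== result counts"
summary "$SAMPLE_XML"
echo "== failed rules not covered by a documented exception"
unexpected_failures "$SAMPLE_XML"
```

On a real host, replace SAMPLE_XML with the path printed by generate_report.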

Manage STIG Controls Script (manage-stig-controls)

You can use the manage-stig-controls script and its arguments to enable or disable the STIG control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments, and you can enable or disable all control groups or individual control groups. The script is located in the /usr/bin directory.

To manage STIG controls for a host:

  1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
  2. Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
  3. Reboot the host.

Commands

--enable-all-controls
    Enables all STIG controls. For example:
    manage-stig-controls --enable-all-controls

--disable-all-controls
    Disables all STIG controls. For example:
    manage-stig-controls --disable-all-controls

--enable-default-controls
    Enables all STIG controls except ssh-prevent-root and fips-kernel. For example:
    manage-stig-controls --enable-default-controls

--enable-control-groups <IDs>
    Enables the comma-delimited list of STIG control group IDs. For example:
    manage-stig-controls --enable-control-groups '1, 2, 3'

--disable-control-groups <IDs>
    Disables the comma-delimited list of STIG control group IDs. For example:
    manage-stig-controls --disable-control-groups '1, 2, 3'

Control Groups

You use the ID as an argument for the control group or groups.

ID  Group             Description                         Specified by Default
1   ssh-prevent-root  Prevent root login through SSH.     no
2   ssh               SSH STIG configuration.             yes
3   fips-kernel       FIPS kernel configuration.          no
4   auth              Authentication STIG configuration.  yes
5   audit             Audit STIG configuration.           yes
6   packages          RPM package STIG configuration.     yes
7   services          Services STIG configuration.        yes
8   mount             Mount STIG configuration.           yes

Other Arguments

--host-all
    Apply STIG configuration to all hosts. For example:
    manage-stig-controls --host-all

--skip-health-checks
    Disable health checks for all hosts (not recommended). For example:
    manage-stig-controls --skip-health-checks

--host-id <id>
    Apply STIG configuration for the host identified by <id> (host identification code). For example:
    manage-stig-controls --host-id <id>

--host-name <display-name>
    Apply STIG configuration for the host identified by <display-name>. display-name is the value shown under Name in the (Admin) > Hosts view in the NetWitness Platform Interface. For example:
    manage-stig-controls --host-name <display-name>

--host-addr <Hostname-in-UI>
or
--host-addr <hostname>
    Apply STIG configuration for the host identified by the value shown under Hostname in the (Admin) > Hosts > Edit dialog in the NetWitness Platform Interface. This value can be an IP address (default) or a user-specified name. For example:
    manage-stig-controls --host-addr <hostname>

-v, --verbose
    Enable verbose output. For example:
    manage-stig-controls -v

Rules List

The following table lists all the STIG rules with their:

  • Control Group - you can use the control group ID as an argument in the manage-stig-controls script to expand or reduce the scope of rules checked (1 = ssh-prevent-root, 2 = ssh, 3 = fips-kernel, 4 = auth, 5 = audit, 6 = packages, 7 = services, 8 = mount).
  • Default Status - tells you whether the rule is enabled or disabled by default.
  • Passed/Exception status - tells you whether the rule passed (that is, complies with STIG) or is an exception.

CCE Number | Rule Name | Control Group | Default Status | Passed/Exception
CCE-82155-3 | Enable Dracut FIPS Module | fips-kernel | disabled | Exception
CCE-80942-6 | Enable FIPS Mode | fips-kernel | disabled | Exception
CCE-84027-2 | Set kernel parameter 'crypto.fips_enabled' to 1 | fips-kernel | disabled | Exception
CCE-80934-3 | Configure BIND to use System Crypto Policy | N/A | N/A | Passed
CCE-80935-0 | Configure System Cryptography Policy | fips-kernel | disabled | Exception
CCE-80936-8 | Configure Kerberos to use System Crypto Policy | N/A | N/A | Exception
CCE-80937-6 | Configure Libreswan to use System Crypto Policy | N/A | N/A | Passed
CCE-85902-5 | Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config | N/A | enabled | Passed
CCE-80947-5 | The Installed Operating System Is Vendor Supported | N/A | enabled | Passed
CCE-80789-1 | Encrypt Partitions | N/A | N/A | Exception
CCE-80823-8 | Disable GDM Automatic Login | N/A | N/A | N/A
CCE-84028-0 | Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 | N/A | N/A | N/A
CCE-80795-8 | Ensure AlmaLinux GPG Key Installed | N/A | enabled | Passed
CCE-80790-9 | Ensure gpgcheck Enabled In Main yum Configuration | N/A | enabled | Passed
CCE-80791-7 | Ensure gpgcheck Enabled for Local Packages | packages | enabled | Passed
CCE-80792-5 | Ensure gpgcheck Enabled for All yum Package Repositories | N/A | enabled | Passed
CCE-80784-2 | Disable Ctrl-Alt-Del Burst Action | services | enabled | Passed
CCE-80785-9 | Disable Ctrl-Alt-Del Reboot Activation | services | enabled | Passed
CCE-80841-0 | Prevent Login to Accounts With Empty Password | ssh | enabled | Passed
CCE-80649-7 | Verify Only Root Has UID 0 | N/A | enabled | Passed
CCE-83561-1 | Set the Boot Loader Admin Username to a Non-Default Value | fips-kernel | disabled | Exception
CCE-80828-7 | Set Boot Loader Password in grub2 | fips-kernel | disabled | Exception
CCE-80829-5 | Set the UEFI Boot Loader Password | N/A | N/A | N/A
CCE-80869-1 | Ensure SELinux State is Enforcing | N/A | enabled | Exception
CCE-82414-4 | Uninstall vsftpd Package | N/A | enabled | Passed
CCE-82184-3 | Uninstall rsh-server Package | N/A | enabled | Passed

CCE-84055-3 | Remove Host-Based Authentication Files | N/A | enabled | Passed
CCE-84056-1 | Remove User Host-Based Authentication Files | N/A | enabled | Passed
CCE-82182-7 | Uninstall telnet-server Package | N/A | enabled | Passed
CCE-82436-7 | Uninstall tftp-server Package | N/A | enabled | Passed
CCE-80896-4 | Disable SSH Access via Empty Passwords | ssh | enabled | Passed
CCE-80844-4 | Install AIDE | N/A | N/A | Exception
CCE-80675-2 | Build and Test AIDE Database | N/A | N/A | Exception
CCE-85964-5 | Configure AIDE to Verify the Audit Tools | N/A | N/A | Exception
CCE-82891-3 | Configure Notification of Post-AIDE Scan Details | N/A | N/A | Exception
CCE-86239-1 | Audit Tools Must Be Group-owned by Root | N/A | enabled | Passed
CCE-86259-9 | Audit Tools Must Be Owned by Root | N/A | enabled | Passed
CCE-86227-6 | Audit Tools Must Have a Mode of 0755 or Less Permissive | N/A | enabled | Passed
CCE-84254-2 | Configure GnuTLS library to use DoD-approved TLS Encryption | ssh | enabled | Passed
CCE-80938-4 | Configure OpenSSL library to use System Crypto Policy | N/A | enabled | Passed
CCE-84255-9 | Configure OpenSSL library to use TLS Encryption | N/A | enabled | Passed
CCE-80939-2 | Configure SSH to use System Crypto Policy | N/A | enabled | Passed
CCE-85897-7 | Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config | N/A | enabled | Passed
CCE-85870-4 | Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config | N/A | enabled | Passed
CCE-85899-3 | Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config | N/A | enabled | Passed
CCE-86260-7 | Install McAfee Endpoint Security for Linux (ENSL) | N/A | N/A | Exception
CCE-86261-5 | Ensure McAfee Endpoint Security for Linux (ENSL) is running | N/A | N/A | Exception
CCE-82730-3 | Ensure /var/tmp Located On Separate Partition | N/A | N/A | Exception
CCE-86195-5 | Disable the GNOME3 Login User List | N/A | N/A | N/A
CCE-83910-0 | Enable the GNOME3 Screen Locking On Smartcard Removal | N/A | N/A | N/A
CCE-80775-0 | Set GNOME3 Screensaver Inactivity Timeout | N/A | N/A | N/A
CCE-80776-8 | Set GNOME3 Screensaver Lock Delay After Activation Period | N/A | N/A | N/A
CCE-80777-6 | Enable GNOME3 Screensaver Lock After Idle Period | N/A | N/A | N/A
CCE-80780-0 | Ensure Users Cannot Change GNOME3 Screensaver Settings | N/A | N/A | N/A
CCE-80781-8 | Ensure Users Cannot Change GNOME3 Session Idle Settings | N/A | N/A | N/A
CCE-82202-3 | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | N/A | enabled | Passed
CCE-82197-5 | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | N/A | disabled | Exception
N/A | The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout | N/A | disabled | Exception
CCE-83425-9 | The operating system must restrict privilege elevation to authorized personnel | N/A | enabled | Passed
CCE-86377-9 | Ensure sudo only includes the default configuration directory | N/A | enabled | Passed
CCE-83422-6 | Ensure invoking users password for privilege escalation when using sudo | N/A | N/A | Exception
CCE-82943-2 | Uninstall gssproxy Package | N/A | N/A | Exception
CCE-82946-5 | Uninstall iprutils Package | N/A | N/A | Exception
CCE-82931-7 | Uninstall krb5-workstation Package | N/A | N/A | N/A
CCE-82904-4 | Uninstall tuned Package | N/A | N/A | Exception
CCE-80865-9 | Ensure Software Patches Installed | N/A | enabled | Passed
CCE-80768-5 | Enable GNOME3 Login Warning Banner | N/A | N/A | N/A
CCE-80770-1 | Set the GNOME3 Login Warning Banner Text | N/A | N/A | N/A
CCE-80763-6 | Modify the System Login Banner | ssh | enabled | Exception
CCE-86248-2 | An SELinux Context must be configured for the pam_faillock.so records directory | auth | enabled | Passed
CCE-83478-8 | Limit Password Reuse: password-auth | N/A | N/A | Exception
CCE-83480-4 | Limit Password Reuse: system-auth | N/A | N/A | Exception
CCE-86099-9 | Account Lockouts Must Be Logged | N/A | N/A | Exception
CCE-80667-9 | Lock Accounts After Failed Password Attempts | N/A | N/A | Exception
CCE-80668-7 | Configure the root Account for Failed Password Attempts | N/A | N/A | Exception
CCE-86067-6 | Lock Accounts Must Persist | N/A | N/A | Exception

CCE-80669-5 | Set Interval For Counting Failed Password Attempts | N/A | N/A | Exception
CCE-87096-4 | Do Not Show System Messages When Unsuccessful Logon Attempts Occur | N/A | enabled | Passed
CCE-80670-3 | Set Lockout Time for Failed Password Attempts | N/A | N/A | Exception
CCE-80653-9 | Ensure PAM Enforces Password Requirements - Minimum Digit Characters | auth | enabled | Passed
CCE-86233-4 | Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words | N/A | N/A | fail
CCE-80654-7 | Ensure PAM Enforces Password Requirements - Minimum Different Characters | auth | enabled | Passed
CCE-80655-4 | Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters | auth | enabled | Passed
CCE-81034-1 | Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class | auth | enabled | Passed
CCE-82066-2 | Set Password Maximum Consecutive Repeating Characters | auth | enabled | Passed
CCE-82046-4 | Ensure PAM Enforces Password Requirements - Minimum Different Categories | auth | enabled | Passed
CCE-80656-2 | Ensure PAM Enforces Password Requirements - Minimum Length | auth | enabled | Passed
CCE-80663-8 | Ensure PAM Enforces Password Requirements - Minimum Special Characters | auth | enabled | Passed
CCE-85877-9 | Ensure PAM password complexity module is enabled in password-auth | auth | enabled | Passed
CCE-85872-0 | Ensure PAM password complexity module is enabled in system-auth | auth | enabled | Passed
CCE-80664-6 | Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | auth | enabled | Passed
CCE-80665-3 | Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters | auth | enabled | Passed
CCE-80892-3 | Set Password Hashing Algorithm in /etc/login.defs | N/A | enabled | Passed
CCE-85945-4 | Set PAM's Password Hashing Algorithm - password-auth | auth | enabled | Passed
CCE-80893-1 | Set PAM's Password Hashing Algorithm | auth | enabled | Passed
CCE-89707-4 | Set Password Hashing Rounds in /etc/login.defs | N/A | enabled | Passed
CCE-80644-8 | Install the tmux Package | N/A | disabled | Exception
CCE-90782-4 | Support session locking with tmux (not enforcing) | N/A | N/A | N/A
CCE-82199-1 | Configure tmux to lock session after inactivity | N/A | disabled | Exception
CCE-80940-0 | Configure the tmux Lock Command | N/A | disabled | Exception
CCE-80846-9 | Install the opensc Package For Multifactor Authentication | N/A | disabled | Exception
CCE-84029-8 | Install Smart Card Packages For Multifactor Authentication | N/A | disabled | Exception
CCE-80876-6 | Disable debug-shell SystemD Service | N/A | enabled | Passed
CCE-82186-8 | Require Authentication for Emergency Systemd Target | N/A | enabled | Passed
CCE-80855-0 | Require Authentication for Single User Mode | N/A | enabled | Passed
CCE-80954-1 | Set Account Expiration Following Inactivity | N/A | enabled | Passed
CCE-85910-8 | Assign Expiration Date to Emergency Accounts | N/A | disabled | Exception
CCE-82474-8 | Assign Expiration Date to Temporary Accounts | N/A | disabled | Exception
CCE-80647-1 | Set Password Maximum Age | auth | enabled | Passed
CCE-80648-9 | Set Password Minimum Age | auth | enabled | Passed
CCE-82473-0 | Set Existing Passwords Maximum Age | N/A | disabled | Exception
CCE-82472-2 | Set Existing Passwords Minimum Age | N/A | disabled | Exception
CCE-83484-6 | Verify All Account Password Hashes are Shadowed with SHA512 | N/A | disabled | Exception
CCE-89903-9 | Ensure All Accounts on the System Have Unique User IDs | N/A | enabled | Passed
CCE-85987-6 | Only Authorized Local User Accounts Exist on Operating System | N/A | disabled | Exception
CCE-81036-6 | Ensure the Default Bash Umask is Set Correctly | N/A | disabled | Exception
CCE-81037-4 | Ensure the Default C Shell Umask is Set Correctly | N/A | disabled | Exception
CCE-82888-9 | Ensure the Default Umask is Set Correctly in login.defs | N/A | enabled | Passed
CCE-81035-8 | Ensure the Default Umask is Set Correctly in /etc/profile | N/A | disabled | Exception
CCE-84044-7 | Ensure the Default Umask is Set Correctly For Interactive Users | N/A | enabled | Passed
CCE-83789-8 | Ensure Home Directories are Created for New Users | N/A | enabled | Passed
CCE-84037-1 | Ensure the Logon Failure Delay is Set Correctly in login.defs | N/A | enabled | Passed
CCE-84039-7 | User Initialization Files Must Not Run World-Writable Programs | N/A | enabled | Passed
CCE-84040-5 | Ensure that Users Path Contains Only Local Directories | N/A | N/A | Exception
CCE-84036-3 | All Interactive Users Must Have A Home Directory Defined | N/A | enabled | Passed
CCE-83424-2 | All Interactive Users Home Directories Must Exist | N/A | disabled | Exception

N/A | All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User | N/A | enabled | Passed
CCE-85888-6 | All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive | N/A | disabled | Exception
N/A | All Interactive User Home Directories Must Be Group-Owned By The Primary User | N/A | enabled | Passed
CCE-84043-9 | Ensure All User Initialization Files Have Mode 0740 Or Less Permissive | N/A | N/A | Exception
CCE-84038-9 | All Interactive User Home Directories Must Have mode 0750 Or Less Permissive | N/A | N/A | Exception
CCE-88248-0 | Enable authselect | N/A | N/A | Exception
CCE-80685-1 | Record Events that Modify the System's Discretionary Access Controls - chmod | audit | default | Passed
CCE-80686-9 | Record Events that Modify the System's Discretionary Access Controls - chown | audit | default | Passed
CCE-80687-7 | Record Events that Modify the System's Discretionary Access Controls - fchmod | audit | default | Passed
CCE-80688-5 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | audit | default | Passed
CCE-80689-3 | Record Events that Modify the System's Discretionary Access Controls - fchown | audit | default | Passed
CCE-80690-1 | Record Events that Modify the System's Discretionary Access Controls - fchownat | audit | default | Passed
CCE-80691-9 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | audit | default | Passed
CCE-80692-7 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | audit | default | Passed
CCE-80693-5 | Record Events that Modify the System's Discretionary Access Controls - lchown | audit | default | Passed
CCE-80694-3 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | audit | default | Passed
CCE-80695-0 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | audit | default | Passed
CCE-80696-8 | Record Events that Modify the System's Discretionary Access Controls - removexattr | audit | default | Passed
CCE-80697-6 | Record Events that Modify the System's Discretionary Access Controls - setxattr | audit | default | Passed
CCE-89446-9 | Record Any Attempts to Run chacl | audit | disabled | Exception
CCE-88437-9 | Record Any Attempts to Run setfacl | audit | disabled | Exception
CCE-80698-4 | Record Any Attempts to Run chcon | audit | default | Passed
CCE-80700-8 | Record Any Attempts to Run semanage | audit | default | Passed
CCE-82280-9 | Record Any Attempts to Run setfiles | audit | default | Passed
CCE-80701-6 | Record Any Attempts to Run setsebool | audit | default | Passed
CCE-80703-2 | Ensure auditd Collects File Deletion Events by User - rename | audit | default | Passed
CCE-80704-0 | Ensure auditd Collects File Deletion Events by User - renameat | audit | default | Passed
CCE-80705-7 | Ensure auditd Collects File Deletion Events by User - rmdir | audit | default | Passed
CCE-80706-5 | Ensure auditd Collects File Deletion Events by User - unlink | audit | default | Passed
CCE-80707-3 | Ensure auditd Collects File Deletion Events by User - unlinkat | audit | default | Passed
CCE-80751-1 | Record Unsuccessful Access Attempts to Files - creat | audit | default | Passed
CCE-80752-9 | Record Unsuccessful Access Attempts to Files - ftruncate | audit | default | Passed
CCE-80753-7 | Record Unsuccessful Access Attempts to Files - open | audit | default | Passed
CCE-80755-2 | Record Unsuccessful Access Attempts to Files - open_by_handle_at | audit | default | Passed
CCE-80754-5 | Record Unsuccessful Access Attempts to Files - openat | audit | default | Passed
CCE-80756-0 | Record Unsuccessful Access Attempts to Files - truncate | audit | default | Passed
CCE-80711-5 | Ensure auditd Collects Information on Kernel Module Unloading - delete_module | audit | default | Passed
CCE-80712-3 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | audit | default | Passed
CCE-80713-1 | Ensure auditd Collects Information on Kernel Module Loading - init_module | audit | default | Passed
CCE-80719-8 | Record Attempts to Alter Logon and Logout Events - lastlog | audit | default | Passed
CCE-80725-5 | Ensure auditd Collects Information on the Use of Privileged Commands - chage | audit | enabled | Passed
CCE-80726-3 | Ensure auditd Collects Information on the Use of Privileged Commands - chsh | audit | enabled | Passed
CCE-80727-1 | Ensure auditd Collects Information on the Use of Privileged Commands - crontab | audit | enabled | Passed
CCE-80728-9 | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | audit | enabled | Passed
CCE-89455-0 | Ensure auditd Collects Information on the Use of Privileged Commands - kmod | audit | enabled | Passed
CCE-80989-7 | Ensure auditd Collects Information on the Use of Privileged Commands - mount | audit | enabled | Passed
CCE-80729-7 | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | audit | enabled | Passed
CCE-80730-5 | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | audit | enabled | Passed
CCE-80731-3 | Ensure auditd Collects Information on the Use of Privileged Commands - passwd | audit | enabled | Passed
CCE-80732-1 | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | audit | enabled | Passed

CCE-80733-9 | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | audit | enabled | Passed
CCE-85944-7 | Record Any Attempts to Run ssh-agent | audit | enabled | Passed
CCE-80735-4 | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | audit | enabled | Passed
CCE-80736-2 | Ensure auditd Collects Information on the Use of Privileged Commands - su | audit | enabled | Passed
CCE-80737-0 | Ensure auditd Collects Information on the Use of Privileged Commands - sudo | audit | enabled | Passed
CCE-80739-6 | Ensure auditd Collects Information on the Use of Privileged Commands - umount | audit | enabled | Passed
CCE-80740-4 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | audit | enabled | Passed
CCE-89480-8 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_update | audit | enabled | Passed
CCE-80741-2 | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | audit | enabled | Passed
CCE-86027-0 | Ensure auditd Collects Information on the Use of Privileged Commands - usermod | audit | enabled | Passed
CCE-80708-1 | Make the auditd Configuration Immutable | audit | disabled | Exception
CCE-90783-2 | Configure immutable Audit login UIDs | audit | enabled | Passed
CCE-80722-2 | Ensure auditd Collects Information on Exporting to Media (successful) | audit | enabled | Passed
CCE-90175-1 | Ensure auditd Collects System Administrator Actions - /etc/sudoers | audit | enabled | Passed
CCE-89497-2 | Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ | audit | enabled | Passed
CCE-83556-1 | Record Events When Privileged Executables Are Run | audit | enabled | Passed
CCE-80758-6 | Record Events that Modify User/Group Information - /etc/group | audit | enabled | Passed
CCE-80759-4 | Record Events that Modify User/Group Information - /etc/gshadow | audit | enabled | Passed
CCE-80760-2 | Record Events that Modify User/Group Information - /etc/security/opasswd | audit | enabled | Passed
CCE-80761-0 | Record Events that Modify User/Group Information - /etc/passwd | audit | enabled | Passed
CCE-80762-8 | Record Events that Modify User/Group Information - /etc/shadow | audit | enabled | Passed
CCE-88225-8 | System Audit Directories Must Be Group Owned By Root | N/A | enabled | Passed
CCE-88226-6 | System Audit Directories Must Be Owned By Root | N/A | enabled | Passed
CCE-84048-8 | System Audit Logs Must Have Mode 0750 or Less Permissive | N/A | enabled | Passed
CCE-88227-4 | System Audit Logs Must Be Group Owned By Root | N/A | enabled | Passed
CCE-88228-2 | System Audit Logs Must Be Owned By Root | N/A | enabled | Passed
CCE-80819-6 | System Audit Logs Must Have Mode 0640 or Less Permissive | N/A | enabled | Passed
CCE-84005-8 | Configure a Sufficiently Large Partition for Audit Logs | N/A | N/A | Exception
CCE-84046-2 | Configure auditd Disk Error Action on Disk Error | audit | enabled | Passed
CCE-84045-4 | Configure auditd Disk Full Action when Disk Space Is Full | audit | enabled | Passed
CCE-80678-6 | Configure auditd mail_acct Action on Low Disk Space | audit | enabled | Passed
CCE-80684-4 | Configure auditd space_left Action on Low Disk Space | audit | enabled | Passed
CCE-86055-1 | Configure auditd space_left on Low Disk Space | audit | enabled | Passed
CCE-82233-8 | Include Local Events in Audit Logs | N/A | enabled | Passed
CCE-82897-0 | Set hostname as computer node name in audit logs | audit | enabled | Passed
CCE-85889-4 | Appropriate Action Must be Setup When the Internal Audit Event Queue is Full | audit | enabled | Passed
CCE-81043-2 | Ensure the audit Subsystem is Installed | N/A | enabled | Passed
CCE-80872-5 | Enable auditd Service | N/A | enabled | Passed
CCE-83542-1 | Set the UEFI Boot Loader Admin Username to a Non-Default Value | N/A | N/A | N/A
CCE-80946-7 | Disable vsyscalls | N/A | N/A | Exception
CCE-80859-2 | Ensure cron Is Logging To Rsyslog | N/A | enabled | Passed
CCE-86339-9 | Ensure Rsyslog Authenticates Off-Loaded Audit Records | N/A | disabled | Exception
CCE-85992-6 | Ensure Rsyslog Encrypts Off-Loaded Audit Records | N/A | disabled | Exception
CCE-86098-1 | Ensure Rsyslog Encrypts Off-Loaded Audit Records | N/A | disabled | Exception
CCE-83426-7 | Ensure remote access methods are monitored in Rsyslog | N/A | disabled | Exception
CCE-80863-4 | Ensure Logs Sent To Remote Host | N/A | disabled | Exception
CCE-82859-0 | Ensure rsyslog-gnutls is installed | N/A | disabled | Exception
CCE-80847-7 | Ensure rsyslog is Installed | N/A | enabled | Passed
CCE-80886-5 | Enable rsyslog Service | N/A | enabled | Passed
CCE-82998-6 | Install firewalld Package | N/A | enabled | Passed

CCE-80877-4

Verify firewalld Enabled

N/A

disabled

Exception

CCE-84300-3

Configure the Firewalld Ports

N/A

disabled

Exception

CCE-81006-9

Configure Accepting Router Advertisements on All IPv6 Interfaces

N/A

disabled

Exception

CCE-81009-3

Disable Accepting ICMP Redirects for All IPv6 Interfaces

N/A

disabled

Exception

CCE-81013-5

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

N/A

disabled

Exception

CCE-82863-2

Disable Kernel Parameter for IPv6 Forwarding

N/A

disabled

Exception

CCE-81007-7

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

N/A

disabled

Exception

CCE-81010-1

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

N/A

disabled

Exception

CCE-81015-0

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

N/A

disabled

Exception

CCE-80917-8

Disable Accepting ICMP Redirects for All IPv4 Interfaces

N/A

enabled

Passed

CCE-81011-9 | Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces | N/A | enabled | Passed
CCE-86220-1 | Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces | N/A | disabled | Exception
CCE-81021-8 | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | N/A | enabled | Passed
CCE-80919-4 | Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces | N/A | enabled | Passed
CCE-80920-2 | Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default | N/A | disabled | Exception
CCE-80922-8 | Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces | N/A | enabled | Passed
CCE-80918-6 | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces | N/A | enabled | Passed
CCE-80921-0 | Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default | N/A | enabled | Passed
CCE-82028-2 | Disable ATM Support | services | enabled | Passed
CCE-82059-7 | Disable CAN Support | services | enabled | Passed
CCE-80834-5 | Disable SCTP Support | services | enabled | Passed
CCE-80832-9 | Disable Bluetooth Kernel Module | services | enabled | Passed
CCE-83501-7 | Deactivate Wireless Network Interfaces | N/A | N/A | N/A
CCE-84049-6 | Configure Multiple DNS Servers in /etc/resolv.conf | N/A | enabled | Passed
CCE-82283-3 | Ensure System is Not Acting as a Network Sniffer | N/A | enabled | Passed
CCE-83659-3 | Verify Group Who Owns /var/log Directory | N/A | enabled | Passed
CCE-83660-1 | Verify Group Who Owns /var/log/messages File | N/A | enabled | Passed
CCE-83661-9 | Verify User Who Owns /var/log Directory | N/A | enabled | Passed
CCE-83662-7 | Verify User Who Owns /var/log/messages File | N/A | enabled | Passed
CCE-83663-5 | Verify Permissions on /var/log Directory | N/A | enabled | Passed
CCE-83665-0 | Verify Permissions on /var/log/messages File | N/A | disabled | Exception
CCE-85894-4 | Verify that Shared Library Directories Have Root Group Ownership | N/A | enabled | Passed
CCE-89021-0 | Verify that Shared Library Directories Have Root Ownership | N/A | enabled | Passed
CCE-88692-9 | Verify that Shared Library Directories Have Restrictive Permissions | N/A | disabled | fail
CCE-86519-6 | Verify that system commands files are group owned by root or a system account | N/A | disabled | fail
CCE-80806-3 | Verify that System Executables Have Root Ownership | N/A | disabled | fail
CCE-80807-1 | Verify that Shared Library Files Have Root Ownership | N/A | enabled | Passed
CCE-80809-7 | Verify that System Executables Have Restrictive Permissions | N/A | enabled | Passed
CCE-80815-4 | Verify that Shared Library Files Have Restrictive Permissions | N/A | enabled | Passed
CCE-86523-8 | Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. | N/A | enabled | Passed
CCE-83375-6 | Ensure All World-Writable Directories Are Owned by root user | N/A | disabled | fail
CCE-80783-4 | Verify that All World-Writable Directories Have Sticky Bits Set | N/A | disabled | fail
CCE-85886-0 | Ensure All World-Writable Directories Are Group Owned by a System Account | N/A | disabled | fail
CCE-85871-2 | Verify Permissions on /etc/audit/auditd.conf | audit | enabled | Passed
CCE-85875-3 | Verify Permissions on /etc/audit/rules.d/*.rules | audit | enabled | Passed
CCE-83497-8 | Ensure All Files Are Owned by a Group | N/A | enabled | Passed
CCE-83499-4 | Ensure All Files Are Owned by a User | N/A | enabled | Passed
CCE-81027-5 | Enable Kernel Parameter to Enforce DAC on Hardlinks | N/A | enabled | Passed
CCE-81030-9 | Enable Kernel Parameter to Enforce DAC on Symlinks | N/A | enabled | Passed
CCE-80873-3 | Disable the Automounter | N/A | enabled | Passed
CCE-80835-2 | Disable Modprobe Loading of USB Storage Driver | N/A | enabled | Passed
CCE-86038-7 | Add nosuid Option to /boot/efi | N/A | disabled | Exception
CCE-81033-3 | Add nosuid Option to /boot | mount | enabled | Passed
CCE-80837-8 | Add nodev Option to /dev/shm | mount | enabled | Passed
CCE-80838-6 | Add noexec Option to /dev/shm | mount | enabled | Passed
CCE-80839-4 | Add nosuid Option to /dev/shm | mount | enabled | Passed
CCE-83328-5 | Add noexec Option to /home | mount | disabled | Exception
CCE-81050-7 | Add nosuid Option to /home | mount | default | Passed
CCE-82069-6 | Add nodev Option to Non-Root Local Partitions | N/A | enabled | Passed
CCE-82742-8 | Add nodev Option to Removable Media Partitions | N/A | enabled | Passed
CCE-82746-9 | Add noexec Option to Removable Media Partitions | N/A | enabled | Passed
CCE-82744-4 | Add nosuid Option to Removable Media Partitions | N/A | enabled | Passed
CCE-82623-0 | Add nodev Option to /tmp | N/A | disabled | Exception
CCE-82139-7 | Add noexec Option to /tmp | N/A | disabled | Exception
CCE-82140-5 | Add nosuid Option to /tmp | N/A | disabled | Exception
CCE-82080-3 | Add nodev Option to /var/log/audit | N/A | disabled | Exception
CCE-82975-4 | Add noexec Option to /var/log/audit | N/A | disabled | Exception
CCE-82921-8 | Add nosuid Option to /var/log/audit | N/A | disabled | Exception
CCE-82077-9 | Add nodev Option to /var/log | mount | enabled | Passed
CCE-82008-4 | Add noexec Option to /var/log | mount | enabled | Passed
CCE-82065-4 | Add nosuid Option to /var/log | mount | enabled | Passed
CCE-82068-8 | Add nodev Option to /var/tmp | N/A | disabled | Exception
CCE-82151-2 | Add noexec Option to /var/tmp | N/A | disabled | Exception
CCE-82154-6 | Add nosuid Option to /var/tmp | N/A | disabled | Exception
CCE-82881-4 | Disable acquiring, saving, and processing core dumps | N/A | disabled | Exception
CCE-82251-0 | Disable core dump backtraces | N/A | disabled | Exception
CCE-82252-8 | Disable storing core dump | N/A | disabled | Exception
CCE-81038-2 | Disable Core Dumps for All Users | N/A | disabled | Exception
CCE-80915-2 | Restrict Exposed Kernel Pointer Addresses Access | N/A | enabled | Passed
CCE-80916-0 | Enable Randomized Layout of Virtual Address Space | N/A | disabled | Exception
CCE-83918-3 | Enable NX or XD Support in the BIOS | N/A | enabled | Passed
CCE-80944-2 | Enable page allocator poisoning | N/A | disabled | Exception
CCE-80945-9 | Enable SLUB/SLAB allocator poisoning | N/A | disabled | Exception
CCE-82215-5 | Disable storing core dumps | N/A | disabled | Exception
CCE-80952-5 | Disable Kernel Image Loading | N/A | disabled | Exception
CCE-82974-7 | Disable Access to Network bpf() Syscall From Unprivileged Processes | N/A | disabled | Exception
CCE-80953-3 | Restrict usage of ptrace to descendant processes | N/A | disabled | Exception
CCE-82934-1 | Harden the operation of the BPF just-in-time compiler | N/A | disabled | Exception
CCE-82211-4 | Disable the use of user namespaces | N/A | disabled | Exception
CCE-80868-3 | Configure SELinux Policy | N/A | enabled | Passed
CCE-86353-0 | Map System Users To The Appropriate SELinux Role | N/A | disabled | Exception
CCE-80948-3 | Uninstall Automatic Bug Reporting Tool (abrt) | N/A | enabled | Passed
CCE-80878-2 | Disable KDump Kernel Crash Analyzer (kdump) | N/A | enabled | Passed
CCE-82191-8 | Install fapolicyd Package | N/A | disabled | Exception
CCE-82249-4 | Enable the File Access Policy Service | N/A | disabled | Exception
CCE-86478-5 | Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs. | N/A | disabled | Exception
CCE-85887-8 | Remove the Kerberos Server Package | N/A | N/A | N/A
CCE-82175-1 | Disable Kerberos by removing host keytab | N/A | N/A | N/A
CCE-89063-2 | Configure System to Forward All Mail From Postmaster to The Root Account | N/A | enabled | Passed
CCE-84054-6 | Prevent Unrestricted Mail Relaying | N/A | N/A | N/A
CCE-85983-5 | The Postfix package is installed | N/A | disabled | Exception
CCE-81039-0 | Uninstall Sendmail Package | N/A | enabled | Passed
CCE-84052-0 | Mount Remote Filesystems with nodev | N/A | enabled | Passed
CCE-84050-4 | Mount Remote Filesystems with noexec | N/A | enabled | Passed
CCE-84053-8 | Mount Remote Filesystems with nosuid | N/A | enabled | Passed
CCE-84059-5 | Configure Time Service Maxpoll Interval | N/A | enabled | Passed
CCE-86077-5 | Ensure Chrony is only configured with the server directive | N/A | disabled | Exception
CCE-82434-2 | Ensure tftp Daemon Uses Secure Mode | N/A | disabled | N/A
CCE-80907-9 | Set SSH Client Alive Count Max | ssh | disabled | Exception
CCE-80897-2 | Disable GSSAPI Authentication | ssh | enabled | Passed
CCE-80898-0 | Disable Kerberos Authentication | ssh | enabled | Passed
CCE-80901-2 | Disable SSH Root Login | ssh | disabled | Exception
CCE-80902-0 | Disable SSH Support for User Known Hosts | ssh | enabled | Passed
CCE-83360-8 | Disable X11 Forwarding | ssh | enabled | Passed
CCE-80903-8 | Do Not Allow SSH Environment Options | ssh | enabled | Passed
CCE-80904-6 | Enable Use of Strict Mode Checking | N/A | disabled | Exception
CCE-80905-3 | Enable SSH Warning Banner | ssh | enabled | Passed
CCE-82281-7 | Enable SSH Print Last Log | N/A | enabled | Passed
CCE-82177-7 | Force frequent session key renegotiation | N/A | disabled | Exception
CCE-84058-7 | Prevent remote hosts from connecting to the proxy display | N/A | disabled | Exception
CCE-83303-8 | Install the OpenSSH Server Package | N/A | enabled | Passed
CCE-82426-8 | Enable the OpenSSH Service | N/A | enabled | Passed
CCE-82424-3 | Verify Permissions on SSH Server Private *_key Key Files | N/A | enabled | Passed
CCE-82428-4 | Verify Permissions on SSH Server Public *.pub Key Files | N/A | enabled | Passed
CCE-86120-3 | Certificate status checking in SSSD | N/A | N/A | Exception
CCE-86060-1 | Enable Certmap in SSSD | N/A | N/A | Exception
CCE-80909-5 | Enable Smartcards in SSSD | N/A | N/A | Exception
CCE-82460-7 | Configure SSSD to Expire Offline Credentials | N/A | N/A | Exception
CCE-82959-8 | Install usbguard Package | N/A | N/A | Exception
CCE-82853-3 | Enable the USBGuard Service | N/A | N/A | Exception
CCE-83774-0 | Generate USBGuard Policy | N/A | N/A | Exception
CCE-83411-9 | Disable graphical user interface | N/A | enabled | Passed
CCE-83380-6 | Disable X Windows Startup By Setting Default Target | N/A | enabled | Passed
CCE-84220-3 | Configure AIDE to Verify Access Control Lists (ACLs) | N/A | disabled | Exception
CCE-83733-6 | Configure AIDE to Verify Extended Attributes | N/A | disabled | Exception
CCE-81044-0 | Ensure /home Located On Separate Partition | N/A | enabled | Passed
CCE-80851-9 | Ensure /tmp Located On Separate Partition | N/A | disabled | Exception
CCE-80852-7 | Ensure /var Located On Separate Partition | N/A | disabled | Exception
CCE-80853-5 | Ensure /var/log Located On Separate Partition | N/A | enabled | Passed
CCE-80854-3 | Ensure /var/log/audit Located On Separate Partition | N/A | disabled | Exception
CCE-82968-9 | Install rng-tools Package | N/A | enabled | Passed
CCE-82919-2 | Uninstall abrt-addon-ccpp Package | N/A | enabled | Passed
CCE-82926-7 | Uninstall abrt-addon-kerneloops Package | N/A | enabled | Passed
CCE-82907-7 | Uninstall abrt-cli Package | N/A | enabled | Passed
CCE-82910-1 | Uninstall abrt-plugin-sosreport Package | N/A | enabled | Passed
CCE-89201-8 | Uninstall libreport-plugin-logger Package | N/A | enabled | Passed
CCE-88955-0 | Uninstall libreport-plugin-rhtsupport Package | N/A | enabled | Passed
CCE-86084-1 | Uninstall python3-abrt-addon Package | N/A | enabled | Passed
CCE-82476-3 | Ensure yum Removes Previous Package Versions | N/A | enabled | Passed
CCE-80788-3 | Ensure PAM Displays Last Logon/Access Notification | auth | disabled | Exception
CCE-86135-1 | Configure the tmux lock session key binding | auth | disabled | Exception
CCE-82361-7 | Prevent user from disabling the screen lock | N/A | enabled | Passed
CCE-80955-8 | Limit the Number of Concurrent Login Sessions Allowed Per User | N/A | enabled | Passed
CCE-82201-5 | Resolve information before writing to audit logs | N/A | enabled | Passed
CCE-80825-3 | Enable Auditing for Processes Which Start Prior to the Audit Daemon | N/A | disabled | Exception
CCE-80943-4 | Extend Audit Backlog Limit for the Audit Daemon | N/A | disabled | Exception
CCE-82194-2 | Enable Kernel Page-Table Isolation (KPTI) | N/A | disabled | Exception
CCE-82005-0 | Disable IEEE 1394 (FireWire) Support | services | enabled | Passed
CCE-82297-3 | Disable TIPC Support | services | enabled | Passed
CCE-81031-7 | Disable Mounting of cramfs | services | enabled | Passed
CCE-80913-7 | Restrict Access to Kernel Message Buffer | N/A | disabled | Exception
CCE-81054-9 | Disallow kernel profiling by unprivileged users | N/A | disabled | Exception
CCE-82976-2 | Install policycoreutils Package | N/A | enabled | Passed
CCE-82988-7 | Disable chrony daemon from acting as server | N/A | disabled | Exception
CCE-82840-0 | Disable network management of chrony daemon | N/A | enabled | Passed
CCE-82462-3 | SSH server uses strong entropy to seed | N/A | disabled | Exception
CCE-82168-6 | Log USBGuard daemon audit events using Linux Audit | N/A | disabled | Exception
Exception

Exceptions to STIG Compliance

This topic contains:

Key to Elements in Exception Descriptions

Customer Responsibility Exceptions

Exceptions That Are Not a Finding

Rules Supported in a Future Release

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls, so that configuration issues present in disparate domains can be correlated quickly and accurately. In this way it is similar to other data standards such as the Common Vulnerabilities and Exposures (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

This section lists the exceptions you can receive when you run the OpenSCAP report. The ID, or CCE number, in each entry is the identifier under which the exception appears in the OpenSCAP report.

Control Group ID

Number that identifies the control group you specify in the manage-stig-controls script to enable or disable the rule.

ID | Group | Description | Specified by Default
1 | ssh-prevent-root | Prevent root login through SSH. | no
2 | ssh | SSH STIG configuration | yes
3 | fips-kernel | FIPS kernel configuration | no
4 | auth | Authentication STIG configuration | yes
5 | audit | Audit STIG configuration | yes
6 | packages | RPM package STIG configuration | yes
7 | services | Services STIG configuration | yes
8 | mount | Mount STIG configuration | yes

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Explains why you receive this exception. Each entry carries one of the following comments:

  • Customer Responsibility - You are responsible for making sure the system meets this requirement.
  • Not a Finding - The exception does not apply to NetWitness Platform. NetWitness has verified that the system meets this requirement.
  • Future Feature - NetWitness Platform does not meet this requirement yet. NetWitness plans to address it in a future release of NetWitness Platform.

Customer Responsibility Exceptions

CCE-80844-4 Install AIDE (Control Group = n/a)

Check

Install the AIDE package with the following command:
$ sudo yum install aide

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows.

CCE-80869-1 Ensure SELinux State is Enforcing

Check

Ensure SELinux State is Enforcing

Comments

Customer Responsibility. SELinux is set to 'permissive' by default on all NetWitness Platform hosts instead of 'enforcing' because of the performance impact.

CCE-80901-2 Disable SSH Root Login (Control Group = ssh-prevent-root)

Check

The root user should never be allowed to login to a system directly over a network.

Comments

Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file: PermitRootLogin no. On NetWitness Platform this rule is control group 1 (ssh-prevent-root), which is disabled by default; you can enable it with the manage-stig-controls script.

CCE-86260-7 Virus Scanning Software Definitions Are Updated (ENSL) (Control Group = n/a)

Check

Make sure that virus definition files are no older than 7 days or their last release.

Comments Customer Responsibility. NetWitness does not provide this software.

CCE-80942-6 Enable FIPS Mode (Control Group = fips-kernel)

Check

To ensure FIPS mode is enabled, install the dracut-fips package and rebuild initramfs by running the following commands:

$ yum install dracut-fips dracut

After the packages have been installed, enable FIPS mode:

fips-mode-setup --enable

On RHEL 8, fips-mode-setup --enable also regenerates the initramfs and adds fips=1 to the kernel command line; the GRUB steps that follow are the generic remediation text and do no harm if the argument is already present. After the fips-mode-setup command has been run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file, as in the following example:

GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'

Finally, rebuild the grub.cfg file with grub2-mkconfig -o. On BIOS-based machines, run the following command as root:

# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, run the following command as root:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

A reboot is required for FIPS mode to take effect.

Comments

Customer Responsibility. NetWitness Platform does not enable FIPS mode by default.

CCE-82891-3 Configure Notification of Post-AIDE Scan Details (Control Group = n/a)

Check

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line:

| /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost

Otherwise, add the following line to the /etc/crontab file:

05 4 * * * root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost

AIDE can be executed periodically through other means. This is just one example.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows.

CCE-84220-3 Configure AIDE to Verify Access Control Lists (Control Group = n/a)

Check

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows.

CCE-83733-6 Configure AIDE to Verify Extended Attributes (Control Group = n/a)

Check

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways. This is just one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows.

CCE-84029-8 Install Smart Card Packages For Multi-Factor Authentication (Control Group = n/a)

Check

Configure the operating system to implement multifactor authentication by installing the required packages with the following command:

$ sudo yum install openssl-pkcs11

Comments

Customer Responsibility. NetWitness Platform supports username and certificate authentication to the shell. If you want to configure smart card login, you must do so outside of NetWitness.

CCE-27309-4 Set Boot Loader Password in grub2 (Control Group = fips-kernel)

Check

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain text passwords are a security risk, generate a hash for the password by running the following command:

$ grub2-setpassword

When prompted, enter the password that was selected.

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root').

$ sed -i s/root/bootuser/g /etc/grub.d/01_users

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Comments Customer Responsibility. NetWitness ships with root as the default grub2 superuser in the fips-kernel control group. You are expected to select a different superuser with the steps above.

Exceptions That Are Not a Finding 

The following exceptions do not apply to NetWitness Platform. NetWitness has verified that the system meets these requirements.

CCE-80852-7 Ensure /var Located On Separate Partition (Control Group = n/a)

Check

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Comments

Not a Finding. NetWitness software is installed in /var/netwitness by default, and /var/netwitness is a separate partition.

CCE-80775-0 Set GNOME3 Screensaver Inactivity Timeout (Control Group = n/a)

Check

Verify that the GNOME Login Inactivity Timeout is set on the host (The graphical desktop environment must set the idle timeout to no more than 15 minutes.).

Comments

Not a Finding. NetWitness Platform does not use the GNOME graphical user interface (GUI) desktop.

CCE-80670-3 Set Lockout Time For Failed Password Attempts (Control Group = auth)

Check

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify both /etc/pam.d/system-auth and /etc/pam.d/password-auth. Add the following line immediately before the pam_unix.so statement in the AUTH section (set deny, unlock_time and fail_interval to the values your policy requires; the report template leaves them blank):

auth required pam_faillock.so preauth silent deny=<count> unlock_time=<seconds> fail_interval=<seconds>

Add the following line immediately after the pam_unix.so statement in the AUTH section:

auth [default=die] pam_faillock.so authfail deny=<count> unlock_time=<seconds> fail_interval=<seconds>

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:

account required pam_faillock.so

Comments Not a Finding. root_unlock_time is set to 600 seconds.

CCE-80854-3 Ensure /var/log/audit Located On Separate Partition (Control Group = audit)

Check

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Comments Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.

CCE-80916-0 Enable Randomized Layout of Virtual Address Space (Control Group = n/a)

Check

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
kernel.randomize_va_space = 2

Comments Not a Finding. Value of /proc/sys/kernel/randomize_va_space is already 2.

CCE-80763-6 (Control ID = 2) Modify the System Login Banner (Control Group = ssh)

Check

To configure the system login banner, edit the /etc/issue file. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

  • The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  • At any time, the USG may inspect and seize data stored on this IS.
  • Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
  • This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.

Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

"I've read & consent to terms in IS user agreem't."

Comments Not a Finding. The login banner is displayed; it spells out "agreement" rather than using the abbreviation "agreem't".

CCE-80905-3 Enable SSH Warning Banner (Control Group = na)

Check

To set the SSH banner, edit /etc/ssh/sshd_config and set the Banner directive (below the "# no default banner path" comment) to the path of your banner file, then put the banner text in that file.

Comments Not a Finding. The required configuration exists in the /etc/ssh/sshd_config file.
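The SSH exceptions above (CCE-80901-2 and CCE-80905-3) and the ssh control-group rules in the rules list each come down to one sshd_config directive. The script below is an added example, not NetWitness Platform code, that audits an sshd_config for those directives; the sample configuration embedded in it is constructed for illustration. It reads the file the way sshd does: the first occurrence of a keyword wins, keyword names are case-insensitive, and directives under a Match line apply only conditionally, so a "PermitRootLogin no" appended at the end of the file by a hardening script does not override an earlier "PermitRootLogin yes".

```bash
#!/usr/bin/env bash
# Added example (not NetWitness code): audit an sshd_config against the SSH
# rules in this section, honouring sshd's first-occurrence-wins semantics.
set -u

# Constructed sample config (not from a real host) that shows the pitfall:
# the appended "PermitRootLogin no" is ignored because line 2 already set it.
SAMPLE_SSHD_CONFIG='# sample sshd_config
PermitRootLogin yes
Banner /etc/issue
GSSAPIAuthentication no
KerberosAuthentication no
IgnoreUserKnownHosts yes
X11Forwarding no
PermitUserEnvironment no
StrictModes yes
PrintLastLog yes
# appended later by a script: ignored by sshd because the first value wins
PermitRootLogin no
Match User backup
    X11Forwarding yes'

# Print the effective global value of keyword $1 from an sshd_config on stdin.
# Prints nothing if the keyword is unset or only set below a Match line.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    tolower($1) == "match"  { exit }    # conditional section: stop here
    tolower($1) == key      { print $2; exit }
  '
}

# Keyword=value pairs the rules above require (Banner is checked separately,
# because any path other than "none" satisfies it).
SSHD_REQS='PermitRootLogin=no GSSAPIAuthentication=no KerberosAuthentication=no
IgnoreUserKnownHosts=yes X11Forwarding=no PermitUserEnvironment=no
StrictModes=yes PrintLastLog=yes'

# Audit an sshd_config read from stdin: one line per check, returns the
# number of failed checks (0 means every directive is effectively set).
audit_sshd() {
  local cfg fails=0 pair kw want have
  cfg=$(cat)
  for pair in $SSHD_REQS; do
    kw=${pair%%=*}; want=${pair#*=}
    have=$(printf '%s\n' "$cfg" | sshd_effective "$kw" | tr '[:upper:]' '[:lower:]')
    if [ "$have" = "$want" ]; then
      printf 'ok    %s %s\n' "$kw" "$have"
    else
      printf 'FAIL  %s is "%s", expected %s\n' "$kw" "${have:-unset}" "$want"
      fails=$((fails + 1))
    fi
  done
  have=$(printf '%s\n' "$cfg" | sshd_effective Banner)
  if [ -n "$have" ] && [ "$have" != "none" ]; then
    printf 'ok    Banner %s\n' "$have"
  else
    printf 'FAIL  Banner is not set\n'; fails=$((fails + 1))
  fi
  return "$fails"
}

case "${1:-}" in
  audit) audit_sshd < /etc/ssh/sshd_config ;;                 # real host
  demo)  printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd ;;  # sample above
esac
```

Run the script with the argument demo to audit the embedded sample (one failure, PermitRootLogin) or audit to check /etc/ssh/sshd_config on the host. The parser deliberately stops at the first Match line; for the complete effective configuration including Match blocks, compare its output with sshd -T run as root.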

CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0

Comments Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80157-1 Disable Kernel Parameter for IP Forwarding (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0

Comments Not a Finding. NetWitness Platform only uses FIPS certified MACs (for example, MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512).

CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.default.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf (Control Group = n/a)

Check

Multiple Domain Name System (DNS) servers should be configured in the /etc/resolv.conf file. This provides redundant name resolution in the event that a DNS server fails. To configure the system with at least two DNS servers, add a "nameserver ip_address" entry to /etc/resolv.conf for each server, where ip_address is the IP address of a valid DNS server. For example:

search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Comments Not a Finding. NetWitness Platform orchestrates and configures an internal DNS server that all NetWitness hosts use for name resolution. You can configure external DNS servers, but that depends on your environment.

CCE-80447-6 Configure the Firewalld Ports (Control Group = n/a)

Check

Configure the firewalld ports to allow approved services access to the system. To open a port in firewalld, run the following command, where port_number is the port to open:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp

Run the command above for each of the ports listed below: <ports>
To allow access to a named service instead, run the following command (here for SSH):
firewall-cmd --permanent --add-service=ssh

Comments Not a Finding. The firewalld service is disabled because NetWitness Platform uses iptables, not firewalld.

CCE-80877-4 Verify firewalld Enabled

Check

Verify the operating system enabled an application firewall. Check to see if "firewalld" is installed with the following command:

yum list installed firewalld

Installed Packages

firewalld.noarch 0.9.11-1.el8_8 @anaconda

If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed.

If an application firewall is not installed, this is a finding.

Check to see if the firewall is loaded and active with the following command:

systemctl status firewalld

firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago

If "firewalld" does not show a status of "loaded" and "active", this is a finding.

Check the state of the firewall:

firewall-cmd --state

running

If "firewalld" does not show a state of "running", this is a finding.

Comments Not a Finding. The firewalld service is disabled because NetWitness Platform uses iptables, not firewalld.

CCE-80854-3 Ensure /var/log/audit Located On Separate Partition

Check

Determine whether the operating system is configured to have the "/var/log/audit" path on a separate file system.

grep /var/log/audit /etc/fstab

If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding.

Verify that "/var/log/audit" is mounted on a separate file system:

mount | grep "/var/log/audit"

If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.

Comments Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.

CCE-80851-9 Ensure /tmp Located On Separate Partition

Check

Verify that a separate file system/partition has been created for "/tmp". Check that a file system/partition has been created for "/tmp" with the following command:

systemctl is-enabled tmp.mount

enabled

If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point:

grep -i /tmp /etc/fstab

UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0

If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding.

Comments Future Feature - NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform.

CCE-80852-7 Ensure /var Located On Separate Partition

Check

Verify that a separate file system/partition has been created for "/var". Check that a file system/partition has been created for "/var" with the following command:

grep /var /etc/fstab

UUID=c274f65f /var ext4 noatime,nobarrier 1 2

If a separate entry for "/var" is not in use, this is a finding.

Comments Not a Finding. The hardware is dedicated to NetWitness, NetWitness software is installed in /var/netwitness by default, and /var/netwitness is a separate partition.
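The separate-partition checks above (grep against /etc/fstab, then mount) and the nodev/noexec/nosuid rules in the rules list all come down to reading the mount table. The script below is an added example, not NetWitness Platform code, that audits a mount table in /proc/self/mounts format for both conditions. The sample table embedded in it is constructed and mirrors the exceptions documented above (/tmp, /var/tmp and /var/log/audit are not separate mounts), so the demo reports three failures; the required-options list is taken from the rules in this section.

```bash
#!/usr/bin/env bash
# Added example (not NetWitness code): check separate-mount and
# nodev/noexec/nosuid requirements against a mount table in
# /proc/self/mounts format (device mountpoint fstype options dump pass).
# Reading the live table instead of /etc/fstab shows what is really mounted.
set -u

# Mount point:required options, taken from the rules in this section.
MOUNT_REQS='
/dev/shm:nodev,noexec,nosuid
/var/log:nodev,noexec,nosuid
/var/log/audit:nodev,noexec,nosuid
/tmp:nodev,noexec,nosuid
/var/tmp:nodev,noexec,nosuid
/home:nosuid
/boot:nosuid
'

# Constructed sample table (not from a real host). /tmp, /var/tmp and
# /var/log/audit are not separate mounts, as the exceptions above describe.
SAMPLE_MOUNTS='/dev/mapper/root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/varlog /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/home /home xfs rw,nosuid,relatime 0 0
/dev/mapper/nw /var/netwitness xfs rw,relatime 0 0'

# Options of the mount at $1 (mount table on stdin). The last matching entry
# wins, because a later mount over the same path hides the earlier one.
# Prints nothing when the path is not a mount point of its own.
mount_options() { awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'; }

# Audit every required mount point: one line per check, returns the number of
# failures (0 means all required mounts exist with all required options).
audit_mounts() {
  local table fails=0 req mp want opt have
  table=$(cat)
  for req in $MOUNT_REQS; do
    mp=${req%%:*}; want=${req#*:}
    have=$(printf '%s\n' "$table" | mount_options "$mp")
    if [ -z "$have" ]; then
      printf 'FAIL  %s is not a separate mount\n' "$mp"
      fails=$((fails + 1)); continue
    fi
    for opt in $(printf '%s' "$want" | tr ',' ' '); do
      case ",$have," in
        *",$opt,"*) printf 'ok    %s has %s\n' "$mp" "$opt" ;;
        *) printf 'FAIL  %s lacks %s (mounted with %s)\n' "$mp" "$opt" "$have"
           fails=$((fails + 1)) ;;
      esac
    done
  done
  return "$fails"
}

case "${1:-}" in
  audit) audit_mounts < /proc/self/mounts ;;                # real host
  demo)  printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts ;;   # sample above
esac
```

Run it with demo to see the three expected failures on the sample, or audit on a host. Note that a path that is a directory on the parent file system (such as /var/log/audit under /var/log here) inherits nothing for this check: the STIG rule asks for its own mount, so the script reports it as missing rather than crediting the parent's options.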

Rules Supported in a Future Release

The following STIG rule checks are not supported in NetWitness Platform and will be added in a future release.

CCE-80920-2 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Check

To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.accept_source_route = 0

Comments

Future Feature.

CCE-86220-1 Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces

Check

To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.forwarding=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.forwarding = 0

Comments

Future Feature.

CCE-81006-9 Disable Accepting ICMP Redirects for All IPv6 Interfaces

Check

To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_redirects = 0

Comments

Future Feature.

CCE-81013-5 Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Check

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.accept_source_route = 0

Comments

Future Feature.

CCE-82863-2 Disable Kernel Parameter for IPv6 Forwarding

Check

To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.all.forwarding = 0

Comments

Future Feature.

CCE-81007-7 Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Check

To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_ra = 0

Comments

Future Feature.

CCE-81010-1 Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Check

To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_redirects = 0

Comments

Future Feature.

CCE-81015-0 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Check

To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:

$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv6.conf.default.accept_source_route = 0

Comments

Future Feature.
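As an added example (not part of the NetWitness documentation or its manage-stig-controls script), the following POSIX shell script audits the eight kernel parameters in the group above against the values their checks require, either from a saved "sysctl -a" dump or from the running kernel. The function names and the report format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not NetWitness code: audit the sysctl rules listed in
# "Rules Supported in a Future Release". Expected values come from the checks.
EXPECTED='net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0'

# audit_sysctl_dump FILE: FILE holds "key = value" lines, the format used by
# "sysctl -a" and by files in /etc/sysctl.d. Prints one line per parameter and
# returns the number of findings (0 means every parameter is compliant).
audit_sysctl_dump() {
    dump="$1"
    findings=0
    for entry in $EXPECTED; do
        key="${entry%%=*}"
        want="${entry#*=}"
        # Drop comments and whitespace, match the key exactly, keep the last
        # value seen (later sysctl.d entries override earlier ones).
        have=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$dump" \
               | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            echo "FINDING  $key is not set (expected $want)"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "FINDING  $key = $have (expected $want)"
            findings=$((findings + 1))
        else
            echo "OK       $key = $have"
        fi
    done
    return "$findings"
}

# audit_live: run the same comparison against the running kernel's values.
audit_live() {
    tmp=$(mktemp)
    sysctl -a 2>/dev/null > "$tmp"
    if audit_sysctl_dump "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}
```

Run audit_live on a host to get a per-parameter OK/FINDING report; a non-zero exit status is the number of parameters that would be findings under these rules.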