DISA STIG 

Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.

The NetWitness Platform version 12.2.0.0 supports all Audit Rules in the DISA STIG Control Group. The supported version for DISA STIG is Red Hat Enterprise Linux V3R8. NetWitness will expand its support of STIG rules in future NetWitness Platform versions.

This section includes the following topics.

How STIG Limits Account Access

NetWitness Passwords

Generate the OpenSCAP Report

Manage STIG Controls Script (manage-stig-controls)

Rules List

Exceptions to STIG Compliance

IMPORTANT: All rules are enabled by default except for control group 1 (ssh-prevent-root) and control group 3 (fips-kernel). You can enable or disable rules by control group using the manage-stig-controls script.

How STIG Limits Account Access

The STIG hardening RPM helps to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack by limiting account access to a system. For example, the STIG script:

  • Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
  • Applies auditing and logging of user actions on the host.

NetWitness Passwords

NetWitness Platform requires passwords that are STIG compliant.

Generate the OpenSCAP Report

Security Content Automation Protocol (SCAP) is a set of standards managed by the National Institute of Standards and Technology (NIST). It provides a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your host against the SCAP rules. The results are written to an XML or HTML file named for the host (for example HOSTNAME.xml or HOSTNAME.html), depending on the output format you select (see Create the OpenSCAP Report).

Disable Rules in OpenSCAP Report that Hang the Report

Some STIG rules may cause the OpenSCAP evaluation to hang. To exclude such a rule from the report, deselect it in the SSG XCCDF content with the following command:

    sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

where rule-id is the Rule ID, as shown in the report, of the rule that hangs during evaluation.

For example, the report lists a rule with Rule ID partition_for_audit. If you disable a rule, OpenSCAP no longer checks it, so you must verify compliance with that rule (here, partition_for_audit) manually. Note that the sed command edits the installed SSG content file in place, so the change may be lost when the scap-security-guide package is updated and must then be reapplied.
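As an added example (not part of the NetWitness documentation or of the SSG content), the following shell functions wrap that sed edit with the check a practitioner wants before touching the vendor content: they confirm the rule is actually selected in the file before editing, try the namespaced idref form used by SSG XCCDF 1.2 content (xccdf_org.ssgproject.content_rule_<rule-id>, an assumption stated in the code) when the bare Rule ID matches nothing, and report how many selections were changed. The XCCDF excerpt at the end is constructed for the demonstration; on a host, pass the real ssg-rhel7-xccdf.xml path instead.

```shell
#!/bin/sh
# Added example: deselect one rule in an XCCDF benchmark, with checks.
# Assumption: SSG XCCDF 1.2 content names rules
# xccdf_org.ssgproject.content_rule_<rule-id>; older content uses the bare
# <rule-id>. Both forms are tried so the sed does not silently match nothing.

SSG_PREFIX="xccdf_org.ssgproject.content_rule_"

# count_selected FILE IDREF STATE -> number of <select> lines for IDREF with selected="STATE"
count_selected() {
    grep -c "select idref=\"$2\" selected=\"$3\"" "$1" || true
}

# disable_xccdf_rule FILE RULE_ID
# Prints the idref that was changed; returns 1 if nothing in FILE matched.
disable_xccdf_rule() {
    xccdf="$1"
    rule="$2"
    full=""
    for candidate in "$rule" "$SSG_PREFIX$rule"; do
        if [ "$(count_selected "$xccdf" "$candidate" true)" -gt 0 ]; then
            full="$candidate"
            break
        fi
    done
    if [ -z "$full" ]; then
        echo "no selected rule matches '$rule' in $xccdf (nothing changed)" >&2
        return 1
    fi
    before=$(count_selected "$xccdf" "$full" true)
    # Same edit as the documented command, with the resolved idref and '|'
    # as the sed delimiter so the id cannot collide with '/'.
    sed -i "s|select idref=\"$full\" selected=\"true\"|select idref=\"$full\" selected=\"false\"|g" "$xccdf"
    after=$(count_selected "$xccdf" "$full" true)
    echo "$full: $((before - after)) selection(s) set to false"
}

# make_sample_xccdf FILE -> writes a constructed profile excerpt (not real SSG content)
make_sample_xccdf() {
    cat > "$1" <<'EOF'
<Benchmark>
  <Profile id="xccdf_org.ssgproject.content_profile_stig">
    <select idref="xccdf_org.ssgproject.content_rule_partition_for_audit" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
  </Profile>
</Benchmark>
EOF
}

# Demonstration on a temporary copy so the installed content is untouched.
sample=$(mktemp)
make_sample_xccdf "$sample"
disable_xccdf_rule "$sample" partition_for_audit
disable_xccdf_rule "$sample" partition_for_audit || echo "second call finds nothing selected, as expected"
rm -f "$sample"
```

Because the edit is global, every profile in the file that selects the rule is changed, which is what the documented command does as well; keep a record of each rule you deselect so that it is checked manually, as the text above requires.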

Install OpenSCAP

To install the OpenSCAP scanner and SCAP Security Guide content:

  1. SSH to the host.
  2. Submit the following command:

    yum install scap-security-guide

Sample Report

The following image shows a sample section from an OpenSCAP report.

[Image: sample OpenSCAP report]

Report Fields

The fields of the report are described below by section.

Introduction - Test Result
  • Result ID - The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.
  • Profile - XCCDF profile under which the report results are categorized.
  • Start time - When the evaluation started.
  • End time - When the evaluation ended.
  • Benchmark - XCCDF benchmark that was evaluated.
  • Benchmark version - Version number of the benchmark.

Introduction - Score
  • system - XCCDF scoring method.
  • score - Score attained by the evaluation.
  • max - Highest score attainable.
  • % - Score attained as a percentage of the maximum.
  • bar - Graphical representation of the score. Not applicable.

Results overview - Rule Results Summary
  • pass - Rule check passed.
  • fixed - Rule check that failed previously has been fixed.
  • fail - Rule check failed.
  • error - The rule check could not be performed because of an error.
  • not selected - The rule is not selected in the profile (for example, because you deselected it as described in Disable Rules in OpenSCAP Report that Hang the Report), so it was not evaluated.
  • not checked - The rule could not be checked. There are several reasons why a rule cannot be checked; for example, the rule check requires a check engine that OpenSCAP does not support.
  • not applicable - The rule does not apply to your NetWitness Platform deployment.
  • informational - The rule is for informational purposes only (no action required on fail).
  • unknown - OpenSCAP could not determine a result for the rule. Check the rule manually using the steps described in the report.
  • total - Total number of rules evaluated.

Exceptions
  • Title - Name of the rule being checked.
  • Result - One of pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown, as defined under Results overview - Rule Results Summary.

Create the OpenSCAP Report

The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only

To create an OpenSCAP report in HTML only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to /opt/rsa/openscap/.

Create Report in XML Only

To create an OpenSCAP report in xml only:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to /opt/rsa/openscap/.

Create Report in Both XML and HTML

To create an OpenSCAP report in both xml and html:

  1. SSH to the host.
  2. Submit the following command:

    mkdir -p /opt/rsa/openscap

  3. Submit the following command for report upgrades only:

    sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  4. Submit the following command:

    oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

  5. The report is written to /opt/rsa/openscap/.
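After step 4 you have the raw evaluation result in XML. As an added example (not from the NetWitness documentation), the following shell functions pull the rule ids with a given result out of that results file, and summarize results by value, so that failures can be compared against the Rules List and the Exceptions to STIG Compliance below and anything that is not a known exception can be triaged. They assume the layout oscap writes inside the TestResult element: each <rule-result idref="..."> on its own line, followed by its <result>...</result> line. The results excerpt is constructed for the demonstration; on a host, point the functions at /opt/rsa/openscap/HOSTNAME.xml.

```shell
#!/bin/sh
# Added example: list rule ids from an oscap XCCDF results file by result value.
# Assumption: pretty-printed results with one <rule-result idref="..."> per line,
# followed by a <result>VALUE</result> line, which is how oscap writes them.

# rules_with_result FILE VALUE -> one idref per line whose <result> equals VALUE
# (pass, fail, error, notselected, notchecked, notapplicable, informational, unknown, fixed)
rules_with_result() {
    awk -v want="$2" '
        /<rule-result / {
            id = $0
            sub(/.*idref="/, "", id)
            sub(/".*/, "", id)
        }
        /<result>/ {
            st = $0
            sub(/.*<result>/, "", st)
            sub(/<\/result>.*/, "", st)
            if (id != "" && st == want) print id
            id = ""
        }
    ' "$1"
}

# result_summary FILE -> "count value" lines, like the Rule Results Summary table
result_summary() {
    awk '
        /<result>/ {
            st = $0
            sub(/.*<result>/, "", st)
            sub(/<\/result>.*/, "", st)
            print st
        }
    ' "$1" | sort | uniq -c | sort -rn
}

# make_sample_results FILE -> constructed excerpt in the oscap results layout (not real output)
make_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2024-01-01T00:00:00" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" time="2024-01-01T00:00:00" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" time="2024-01-01T00:00:00" severity="high" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_audit" time="2024-01-01T00:00:00" severity="low" weight="1.000000">
    <result>notselected</result>
  </rule-result>
</TestResult>
EOF
}

# Demonstration on the constructed excerpt.
sample=$(mktemp)
make_sample_results "$sample"
echo "== summary"
result_summary "$sample"
echo "== failed rules"
rules_with_result "$sample" fail
rm -f "$sample"
```

A rule that you deselected with the sed command earlier shows up here as notselected rather than fail, which is why the manual check for such rules has to be tracked separately from this output.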

Manage STIG Controls Script (manage-stig-controls)

You can use the manage-stig-controls script and its arguments to enable or disable STIG Control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments and you can enable or disable all control groups or individual control groups. This script is available in /usr/bin/ directory.

To manage STIG controls for a host:

  1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
  2. Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
  3. Reboot the host.

Commands

Command  Description

--enable-all-controls
    Enables all STIG controls. For example:
    manage-stig-controls --enable-all-controls

--disable-all-controls
    Disables all STIG controls. For example:
    manage-stig-controls --disable-all-controls

--enable-default-controls
    Enables all STIG controls except ssh-prevent-root and fips-kernel. For example:
    manage-stig-controls --enable-default-controls

--enable-control-groups <IDs>
    Enables a comma-delimited list of STIG control group IDs. For example:
    manage-stig-controls --enable-control-groups '1, 2, 3'

--disable-control-groups <IDs>
    Disables a comma-delimited list of STIG control group IDs. For example:
    manage-stig-controls --disable-control-groups '1, 2, 3'

Control Groups

You use the ID as an argument for the control group or groups.

ID  Group             Description                         Specified by Default
1   ssh-prevent-root  Prevent root login through SSH.     no
2   ssh               SSH STIG configuration.             yes
3   fips-kernel       FIPS kernel configuration.          no
4   auth              Authentication STIG configuration.  yes
5   audit             Audit STIG configuration.           yes
6   packages          RPM package STIG configuration.     yes
7   services          Services STIG configuration.        yes

Other Arguments

Argument  Description

--host-all
    Apply STIG configuration to all hosts. For example:
    manage-stig-controls --host-all

--skip-health-checks
    Disable health checks for all hosts (not recommended). For example:
    manage-stig-controls --skip-health-checks

--host-id <id>
    Apply STIG configuration to the host identified by <id> (host identification code). For example:
    manage-stig-controls --host-id <id>

--host-name <display-name>
    Apply STIG configuration to the host identified by <display-name>, the value shown under Name in the (Admin) > Hosts view of the NetWitness Platform user interface. For example:
    manage-stig-controls --host-name <display-name>

--host-addr <hostname>
    Apply STIG configuration to the host identified by the value shown under Hostname in the (Admin) > Hosts > Edit dialog of the NetWitness Platform user interface. This value is an IP address (the default) or a user-specified name. For example:
    manage-stig-controls --host-addr <hostname>

-v, --verbose
    Enable verbose output. For example:
    manage-stig-controls -v

Rules List

The following table lists all the STIG rules with their:

  • Control Group - you can use the Control Group ID as an argument in the manage-stig-controls script to expand or reduce the scope of rules applied (1 = ssh-prevent-root, 2 = ssh, 3 = fips-kernel, 4 = auth, 5 = audit, 6 = packages, 7 = services).
  • Default Status - tells you if the rule is enabled or disabled by default.
  • Passed or Exception status - tells you if the rule passed (that is, complies with STIG) or is an exception (see Exceptions to STIG Compliance).

CCE Number  Rule Name  Control Group  Default Status  Passed/Exception
CCE-26404-4 Ensure /var Located On Separate Partition n/a n/a Exception
CCE-26828-4 Disable DCCP Support n/a n/a Passed
CCE-26884-7 Set Lockout Time For Failed Password Attempts auth enabled Exception
CCE-26892-0 Set the GNOME3 Login Warning Banner Text n/a enabled Passed
CCE-26952-2 Configure Periodic Execution of AIDE audit enabled Exception
CCE-26970-4 Enable GNOME3 Login Warning Banner audit enabled Passed
CCE-26971-2 Ensure /var/log/audit Located On Separate Partition audit enabled Exception
CCE-26989-4 Ensure gpgcheck Enabled In Main Yum Configuration n/a enabled Passed
CCE-27051-2 Set Password Maximum Age auth enabled Passed
CCE-27053-8 Set Password Hashing Algorithm in /etc/libuser.conf n/a enabled Passed
CCE-27082-7 Set SSH Client Alive Count ssh disabled Passed
CCE-27096-7 Install AIDE n/a n/a Exception
CCE-27127-0 Enable Randomized Layout of Virtual Address Space n/a enabled Exception
CCE-27157-7 Verify File Hashes with RPM n/a n/a Exception
CCE-27160-1 Set Password Retry Prompts Permitted Per-Session n/a enabled Passed
CCE-27200-5 Set Password Strength Minimum Uppercase Characters auth enabled Passed
CCE-27209-6 Verify and Correct File Permissions with RPM n/a n/a Exception
CCE-27213-8 Record Events that Modify the System's Discretionary Access Controls - setxattr audit enabled Passed
CCE-27214-6 Set Password Strength Minimum Digit Characters auth enabled Passed
CCE-27218-7 Remove the X Windows Package Group n/a enabled Passed
CCE-27275-7 Set Last Logon/Access Notification n/a enabled Passed
CCE-27277-3 Disable Modprobe Loading of USB Storage Driver services enabled Exception
CCE-27279-9 Configure SELinux Policy n/a enabled Passed
CCE-27280-7 Record Events that Modify the System's Discretionary Access Controls - lsetxattr audit enabled Passed
CCE-27286-4 Prevent Log In to Accounts With Empty Password n/a enabled Passed
CCE-27287-2 Require Authentication for Single User Mode n/a enabled Passed
CCE-27293-0 Set Password Minimum Length auth enabled Passed
CCE-27295-5 Use Only FIPS 140-2 Validated Ciphers n/a enabled Exception
CCE-27297-1 Set Interval For Counting Failed Password Attempts auth enabled Passed
CCE-27303-7 Modify the System Login Banner ssh enabled Exception
CCE-27309-4 Set Boot Loader Password in grub2 n/a enabled Exception
CCE-27311-0 Verify Permissions on SSH Server Public *.pub Key Files n/a enabled Passed
CCE-27314-4 Enable SSH Warning Banner ssh enabled Passed
CCE-27320-1 Allow Only SSH Protocol 2 n/a enabled Passed
CCE-27326-8 Ensure No Device Files are Unlabeled by SELinux n/a enabled Passed
CCE-27334-2 Ensure SELinux State is Enforcing n/a enabled Exception
CCE-27339-1 Record Events that Modify the System's Discretionary Access Controls - chmod audit enabled Passed
CCE-27342-5 Uninstall rsh-server Package n/a enabled Passed
CCE-27343-3 Ensure Logs Sent To Remote Host n/a n/a Passed
CCE-27345-8 Set Password Strength Minimum Lowercase Characters auth enabled Passed
CCE-27349-0 Set Default firewalld Zone for Incoming Packets n/a n/a Exception
CCE-27350-8 Set Deny For Failed Password Attempts auth enabled Passed
CCE-27351-6 Install the screen Package n/a enabled Passed
CCE-27353-2 Record Events that Modify the System's Discretionary Access Controls - fremovexattr audit enabled Passed
CCE-27355-7 Set Account Expiration Following Inactivity n/a enabled Passed
CCE-27356-5 Record Events that Modify the System's Discretionary Access Controls - fchown audit enabled Passed
CCE-27358-1 Deactivate Wireless Network Interfaces n/a enabled Passed
CCE-27360-7 Set Password Strength Minimum Special Characters auth enabled Passed
CCE-27363-1 Do Not Allow SSH Environment Options ssh enabled Passed
CCE-27364-9 Record Events that Modify the System's Discretionary Access Controls - chown audit enabled Passed
CCE-27367-2 Record Events that Modify the System's Discretionary Access Controls - removexattr audit enabled Passed
CCE-27375-5 Configure auditd space_left Action on Low Disk Space audit enabled Passed
CCE-27377-1 Disable SSH Support for .rhosts Files n/a enabled Passed
CCE-27386-2 Ensure Default SNMP Password Is Not Used n/a n/a Exception
CCE-27387-0 Record Events that Modify the System's Discretionary Access Controls - fchownat audit enabled Passed
CCE-27388-8 Record Events that Modify the System's Discretionary Access Controls - fchmodat audit enabled Passed
CCE-27389-6 Record Events that Modify the System's Discretionary Access Controls - fsetxattr audit enabled Passed
CCE-27393-8 Record Events that Modify the System's Discretionary Access Controls - fchmod audit enabled Passed
CCE-27394-6 Configure auditd mail_acct Action on Low Disk Space audit enabled Passed
CCE-27401-9 Uninstall telnet-server Package n/a enabled Passed
CCE-27399-5 Uninstall ypserv Package n/a enabled Passed
CCE-27407-6 Enable auditd Service audit enabled Passed
CCE-27410-0 Record Events that Modify the System's Discretionary Access Controls - lremovexattr audit enabled Passed
CCE-27413-4 Disable Host-Based Authentication n/a enabled Passed
CCE-27433-2 Set SSH Idle Timeout Interval ssh enabled Passed
CCE-27434-0 Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces n/a enabled Passed
CCE-27437-3 Ensure auditd Collects Information on the Use of Privileged Commands audit enabled Passed
CCE-27445-6 Disable SSH Root Login n/a n/a Exception
CCE-27447-2 Ensure auditd Collects Information on Exporting to Media (successful) audit enabled Passed
CCE-27455-5 Use Only FIPS 140-2 Validated MACs n/a enabled Passed
CCE-27458-9 Mount Remote Filesystems with Kerberos Security n/a enabled Passed
CCE-27461-3 Ensure auditd Collects System Administrator Actions audit enabled Passed
CCE-27471-2 Disable SSH Access via Empty Passwords n/a enabled Exception
CCE-27485-2 Verify Permissions on SSH Server Private *_key Key Files n/a n/a Passed
CCE-27498-5 Disable the Automounter n/a enabled Passed
CCE-27503-2 All GIDs referenced in /etc/passwd must be defined in /etc/group n/a enabled Passed
CCE-27511-5 Disable Ctrl-Alt-Del Reboot Activation services enabled Passed
CCE-27512-3 Set Password Maximum Consecutive Repeating Characters n/a enabled Passed
CCE-27557-8 Set Interactive Session Timeout auth disabled Passed
CCE-80104-3 Disable GDM Automatic Login n/a enabled Passed
CCE-80105-0 Disable GDM Guest Login n/a enabled Passed
CCE-80108-4 Enable the GNOME3 Login Smartcard Authentication n/a enabled Passed
CCE-80110-0 Set GNOME3 Screensaver Inactivity Timeout n/a enabled Passed
CCE-80111-8 Enable GNOME3 Screensaver Idle Activation n/a enabled Passed
CCE-80112-6 Enable GNOME3 Screensaver Lock After Idle Period n/a enabled Passed
CCE-80127-4 Install McAfee Virus Scanning Software n/a n/a Exception
CCE-80129-0 Virus Scanning Software Definitions Are Updated n/a n/a Exception
CCE-80134-0 Ensure All Files Are Owned by a User n/a enabled Passed
CCE-80135-7 Ensure All Files Are Owned by a Group n/a enabled Passed
CCE-80136-5 Ensure All World-Writable Directories Are Owned by a System Account n/a enabled Passed
CCE-80144-9 Ensure /home Located On Separate Partition n/a enabled Passed
CCE-80148-0 Add nosuid Option to Removable Media Partitions n/a enabled Passed
CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces n/a n/a Exception
CCE-80157-1 Disable Kernel Parameter for IP Forwarding n/a n/a Exception
CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces n/a n/a Exception
CCE-80162-1 Configure Kernel Parameter for Accepting Source-Routed Packets By Default n/a enabled Passed
CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default n/a n/a Exception
CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests n/a n/a Exception
CCE-80174-6 Ensure System is Not Acting as a Network Sniffer n/a enabled Passed
CCE-80179-5 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces n/a n/a Exception
CCE-80192-8 Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server n/a enabled Passed
CCE-80205-8 Ensure the Default Umask is Set Correctly in login.defs n/a enabled Passed
CCE-80207-4 Enable Smart Card Login n/a n/a Exception
CCE-80213-2 Uninstall tftp-server Package n/a enabled Passed
CCE-80214-0 Ensure tftp Daemon Uses Secure Mode n/a enabled Passed
CCE-80215-7 Install the OpenSSH Server Package n/a enabled Passed
CCE-80216-5 Enable the OpenSSH Service n/a enabled Passed
CCE-80220-7 Disable GSSAPI Authentication ssh enabled Passed
CCE-80221-5 Disable Kerberos Authentication n/a enabled Passed
CCE-80222-3 Enable Use of Strict Mode Checking n/a enabled Passed
CCE-80223-1 Enable Use of Privilege Separation n/a enabled Passed
CCE-80224-9 Disable Compression Or Set Compression to delayed n/a enabled Passed
CCE-80225-6 Print Last Log n/a enabled Exception
CCE-80226-4 Enable Encrypted X11 Forwarding n/a n/a Exception
CCE-80240-5 Mount Remote Filesystems with nosuid n/a enabled Passed
CCE-80245-4 Uninstall vsftpd Package n/a enabled Passed
CCE-80258-7 Disable KDump Kernel Crash Analyzer (kdump) services enabled Passed
CCE-80346-0 Ensure YUM Removes Previous Package Versions packages enabled Passed
CCE-80347-8 Ensure gpgcheck Enabled for Local Packages packages enabled Passed
CCE-80348-6 Ensure gpgcheck Enabled for Repository Metadata n/a n/a Exception
CCE-80350-2 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate n/a enabled Passed
CCE-80351-0 Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD n/a enabled Passed
CCE-80352-8 Ensure the Logon Failure Delay is Set Correctly in login.defs auth enabled Passed
CCE-80353-6 Configure the root Account for Failed Password Attempts auth enabled Passed
CCE-80354-4 Set the UEFI Boot Loader Password fips-kernel disabled Passed
CCE-80359-3 Enable FIPS Mode in GRUB2 fips-kernel disabled Exception
CCE-80370-0 Set GNOME3 Screensaver Lock Delay After Activation Period n/a enabled Passed
CCE-80371-8 Ensure Users Cannot Change GNOME3 Screensaver Settings n/a enabled Passed
CCE-80372-6 Disable SSH Support for User Known Hosts ssh enabled Passed
CCE-80373-4 Disable SSH Support for Rhosts RSA Authentication audit enabled Passed
CCE-80374-2 Configure Notification of Post-AIDE Scan Details n/a n/a Exception
CCE-80375-9 Configure AIDE to Verify Access Control Lists (ACLs) n/a n/a Exception
CCE-80376-7 Configure AIDE to Verify Extended Attributes n/a n/a Exception
CCE-80377-5 Configure AIDE to Use FIPS 140-2 for Validating Hashes n/a n/a Exception
CCE-80378-3 Verify User Who Owns /etc/cron.allow file n/a enabled Passed
CCE-80379-1 Verify Group Who Owns /etc/cron.allow file n/a enabled Passed
CCE-80380-9 Ensure cron Is Logging To Rsyslog n/a enabled Passed
CCE-80381-7 Shutdown System When Auditing Failures Occur audit enabled Passed
CCE-80382-5 Record Attempts to Alter Logon and Logout Events - tallylog audit enabled Passed
CCE-80383-3 Record Attempts to Alter Logon and Logout Events - faillock n/a n/a Passed
CCE-80384-1 Record Attempts to Alter Logon and Logout Events - lastlog audit enabled Passed
CCE-80385-8 Record Unauthorized Access Attempts to Files (unsuccessful) - creat audit enabled Passed
CCE-80386-6 Record Unauthorized Access Attempts to Files (unsuccessful) - open audit enabled Passed
CCE-80387-4 Record Unauthorized Access Attempts to Files (unsuccessful) - openat audit enabled Passed
CCE-80388-2 Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at audit enabled Passed
CCE-80389-0 Record Unauthorized Access Attempts to Files (unsuccessful) - truncate audit enabled Passed
CCE-80390-8 Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate audit enabled Passed
CCE-80391-6 Record Any Attempts to Run semanage audit enabled Passed
CCE-80392-4 Record Any Attempts to Run setsebool audit enabled Passed
CCE-80393-2 Record Any Attempts to Run chcon audit enabled Passed
CCE-80395-7 Ensure auditd Collects Information on the Use of Privileged Commands - passwd audit enabled Passed
CCE-80396-5 Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd audit enabled Passed
CCE-80397-3 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd audit enabled Passed
CCE-80398-1 Ensure auditd Collects Information on the Use of Privileged Commands - chage audit enabled Passed
CCE-80399-9 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper audit enabled Passed
CCE-80400-5 Ensure auditd Collects Information on the Use of Privileged Commands - su audit enabled Passed
CCE-80401-3 Ensure auditd Collects Information on the Use of Privileged Commands - sudo audit enabled Passed
CCE-80402-1 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit audit enabled Passed
CCE-80403-9 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp audit enabled Passed
CCE-80404-7 Ensure auditd Collects Information on the Use of Privileged Commands - chsh audit enabled Passed
CCE-80405-4 Ensure auditd Collects Information on the Use of Privileged Commands - umount audit enabled Passed
CCE-80406-2 Ensure auditd Collects Information on the Use of Privileged Commands - postdrop audit enabled Passed
CCE-80407-0 Ensure auditd Collects Information on the Use of Privileged Commands - postqueue audit enabled Passed
CCE-80408-8 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign audit enabled Passed
CCE-80410-4 Ensure auditd Collects Information on the Use of Privileged Commands - crontab audit enabled Passed
CCE-80411-2 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check audit enabled Passed
CCE-80412-0 Ensure auditd Collects File Deletion Events by User - rmdir audit enabled Passed
CCE-80413-8 Ensure auditd Collects File Deletion Events by User - renameat audit enabled Passed
CCE-80414-6 Ensure auditd Collects Information on Kernel Module Loading - init_module audit enabled Passed
CCE-80415-3 Ensure auditd Collects Information on Kernel Module Unloading - delete_module audit enabled Passed
CCE-80430-2 Record Events that Modify User/Group Information - /etc/security/opasswd audit enabled Passed
CCE-80431-0 Record Events that Modify User/Group Information - /etc/shadow audit enabled Passed
CCE-80432-8 Record Events that Modify User/Group Information - /etc/gshadow audit enabled Passed
CCE-80433-6 Record Events that Modify User/Group Information - /etc/group audit enabled Passed
CCE-80434-4 Ensure Home Directories are Created for New Users n/a enabled Passed
CCE-80435-1 Record Events that Modify User/Group Information - /etc/passwd audit enabled Passed
CCE-80436-9 Mount Remote Filesystems with noexec n/a enabled Passed
CCE-80437-7 Configure PAM in SSSD Services n/a n/a Exception
CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf n/a n/a Exception
CCE-80439-3 Configure Time Service Maxpoll Interval services enabled Passed
CCE-80447-6 Configure the Firewalld Ports n/a n/a Exception
CCE-80513-5 Remove Host-Based Authentication Files n/a enabled Passed
CCE-80514-3 Remove User Host-Based Authentication Files n/a enabled Passed
CCE-80515-0 Configure SSSD LDAP Backend Client CA Certificate Location n/a n/a Exception
CCE-80519-2 Install Smart Card Packages For Multifactor Authentication n/a n/a Exception
CCE-80537-4 Configure auditd space_left on Low Disk Space audit enabled Passed
CCE-80544-0 Ensure Users Cannot Change GNOME3 Session Idle Settings n/a enabled Passed
CCE-80545-7 Verify and Correct Ownership with RPM n/a n/a Exception
CCE-80546-5 Configure SSSD LDAP Backend to Use TLS For All Transactions n/a n/a Exception
CCE-80547-3 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module audit enabled Passed
CCE-80563-0 Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period n/a enabled Passed
CCE-80564-8 Ensure Users Cannot Change GNOME3 Screensaver Idle Activation n/a enabled Passed
CCE-80660-4 Record Any Attempts to Run setfiles audit enabled Exception
CCE-80661-2 Ensure auditd Collects Information on Kernel Module Loading - create_module audit enabled Exception
CCE-80995-4 Ensure auditd Collects File Deletion Events by User - rename audit enabled Exception
CCE-80996-2 Ensure auditd Collects File Deletion Events by User - unlinkat audit enabled Exception
CCE-80998-8 Verify firewalld Enabled n/a n/a Exception
CCE-81106-7 Ensure auditd Collects File Deletion Events by User - unlink audit enabled Passed
CCE-81153-9 Add nosuid Option to /home n/a enabled Passed
CCE-82020-9 Set Password Strength Minimum Different Characters auth enabled Passed
CCE-82030-8 Limit Password Reuse n/a enabled Passed
CCE-82035-7 Ensure /var/log/audit Located On Separate Partition audit enabled Exception
CCE-82036-5 Set Password Minimum Age n/a enabled Passed
CCE-82038-1 Set Password Hashing Algorithm in /etc/libuser.conf n/a enabled Passed
CCE-82041-5 Limit the Number of Concurrent Login Sessions Allowed Per User auth enabled Passed
CCE-82043-1 Set PAM's Password Hashing Algorithm n/a enabled Passed
CCE-82045-6 Set Password Strength Minimum Different Categories audit enabled Passed
CCE-82050-6 Set Password Hashing Algorithm in /etc/login.defs n/a enabled Passed
CCE-82053-0 Ensure /tmp Located On Separate Partition n/a n/a Exception
CCE-82054-8 Verify Only Root Has UID 0 n/a enabled Passed
CCE-82353-4 Ensure /var Located On Separate Partition n/a n/a Exception

Exceptions to STIG Compliance

This topic lists the exceptions you can receive when you run the OpenSCAP report. The ID or Common Configuration Enumeration (CCE) number in each exception heading is the identifier of that exception in the OpenSCAP report.

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls, to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerabilities and Exposures (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

Control Group ID

Number that identifies the control group you specify in the manage-stig-controls script to enable or disable the rule:

ID  Group             Description                         Specified by Default
1   ssh-prevent-root  Prevent root login through SSH.     no
2   ssh               SSH STIG configuration.             yes
3   fips-kernel       FIPS kernel configuration.          no
4   auth              Authentication STIG configuration.  yes
5   audit             Audit STIG configuration.           yes
6   packages          RPM package STIG configuration.     yes
7   services          Services STIG configuration.        yes

Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Provides insight on why you would receive this exception. This section includes one of the following comments that describes the exception:

  • Customer Responsibility - You are responsible to make sure the system meets this requirement.
  • Not a Finding - Exception does not apply to NetWitness Platform. NetWitness has verified that the system meets this requirement.
  • Future Feature - NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform.

Customer Responsibility Exceptions

CCE-26952-2 Configure Periodic Execution of AIDE (Control Group = audit)

Check

At a minimum, configure AIDE to run a weekly scan and at most, daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:

    05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:

    05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run as infrequently as possible to adhere to your security policy.

CCE-27096-7 Install AIDE (Control Group = n/a)

Check

Install the AIDE package with the following command:

    $ sudo yum install aide

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible to adhere to your security policy.

CCE-27218-7 Remove the X Windows Package Group (Control Group = n/a)

Check

Rule CCE-27218-7 "Remove the X Windows Package Group" is an exception for Log Collector and Log Decoder services.

Comments

Customer Responsibility. The Log Collector plugin collection framework uses SELinux sandbox technology that has a direct dependency on the given RPM. Removing the RPM causes loss of plugin collection functionality in the Log Collector service.

CCE-27295-5 Use Only FIPS 140-2 Validated Ciphers (Control Group = n/a)

Check

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

The following ciphers are FIPS 140-2 certified on RHEL 7:

- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

Comments

The testing approach results in a failed test, but the ciphers defined meet the STIG rule definition. You can check the configured ciphers in this file:
/etc/ssh/sshd_config
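To verify the Ciphers directive against the FIPS 140-2 list above, the following added shell example (not NetWitness code) reads an sshd_config file and reports any cipher outside that list; the sample configuration files it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not NetWitness code): check that the Ciphers directive of an
# sshd_config file only names ciphers from the FIPS 140-2 list in the rule
# text above. Any cipher outside that list, or a missing directive (which
# leaves sshd's broader default list in force), is reported as a failure.

# FIPS 140-2 validated ciphers for RHEL 7, as listed in the rule.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"

# check_fips_ciphers FILE
# Prints one line per problem; returns 0 when every configured cipher is on
# the FIPS list and 1 otherwise. A value written with a leading '+' (append
# to sshd's defaults) is deliberately flagged, because the defaults include
# non-FIPS ciphers.
check_fips_ciphers() {
    file=$1
    # sshd applies the first occurrence of a keyword. Keywords are
    # case-insensitive and may be preceded by whitespace.
    line=$(grep -i '^[[:space:]]*ciphers[[:space:]]' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$file: no Ciphers directive, sshd's default cipher list applies"
        return 1
    fi
    list=$(printf '%s\n' "$line" | awk '{print $2}')
    rc=0
    for cipher in $(printf '%s\n' "$list" | tr ',' ' '); do
        case " $FIPS_CIPHERS " in
            *" $cipher "*) ;;                                  # approved
            *) echo "$file: non-FIPS cipher configured: $cipher"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configurations (not copied from a real host).
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# Comment lines and leading whitespace are ignored by sshd.
Port 22
  Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF
cat > "$BAD_CFG" <<'EOF'
Ciphers aes256-ctr,chacha20-poly1305@openssh.com,arcfour
EOF

check_fips_ciphers "$GOOD_CFG" && echo "$GOOD_CFG: PASS"
check_fips_ciphers "$BAD_CFG" || echo "$BAD_CFG: FAIL"
```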

CCE-27334-2 Ensure SELinux State is Enforcing

Check

Ensure SELinux State is Enforcing.

Comments

The SELinux state is set to 'permissive' by default on all NetWitness Platform hosts instead of 'enforcing' because of the performance impact.

CCE-27445-6 Disable SSH Root Login (Control Group = ssh-prevent-root)

Check

The root user should never be allowed to login to a system directly over a network.

Comments

Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file:
PermitRootLogin no

CCE-80127-4 Install McAfee Virus Scanning Software (Control Group = n/a)

Check

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Comments

Customer Responsibility. Install virus scanning software. NetWitness does not provide this software.

CCE-80129-0 Virus Scanning Software Definitions Are Updated (Control Group = n/a)

Check

Make sure that virus definition files are no older than 7 days or their last release.

Comments

Customer Responsibility. NetWitness does not provide this software.

CCE-80207-4 Enable Smart Card Login (Control Group = n/a)

Check

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards https://access.redhat.com/solutions/82273

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of NetWitness Platform.

CCE-80359-3 Enable FIPS Mode in GRUB2 (Control Group = fips-kernel)

Check

To ensure FIPS mode is enabled, install the dracut-fips package and rebuild initramfs by running the following commands:

$ sudo yum install dracut-fips
$ sudo dracut -f

After the dracut command has been run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file as shown in the following example:

GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'

Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows (on BIOS-based machines, issue the following command as root):

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Comments

Customer Responsibility. NetWitness Platform does not enable FIPS mode by default. You can enable FIPS by following the procedures in Configure FIPS Support.

CCE-80374-2 Configure Notification of Post-AIDE Scan Details (Control Group = n/a)

Check

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line:
| /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
Otherwise, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
AIDE can be executed periodically through other means. This is just one example.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while adhering to your security policy.

CCE-80375-9 Configure AIDE to Verify Access Control Lists (Control Group = n/a)

Check

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while adhering to your security policy.

CCE-80376-7 Configure AIDE to Verify Extended Attributes (Control Group = n/a)

Check

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways. This is just one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while adhering to your security policy.

CCE-80377-5 Configure AIDE to Use FIPS 140-2 for Validating Hashes (Control Group = n/a)

Check

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in the /etc/aide.conf file:
NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Comments

Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while adhering to your security policy.

CCE-80519-2 Install Smart Card Packages For Multi-Factor Authentication (Control Group = n/a)

Check

Configure the operating system to implement multifactor authentication by installing the required packages with the following command:
$ sudo yum install esc pam_pkcs11 authconfig-gtk

Comments

Customer Responsibility. The NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do this outside of NetWitness Platform.

Exceptions That Are Not a Finding

The following exceptions do not apply to NetWitness Platform. NetWitness has verified that the system meets these requirements.

CCE-26404-4 Ensure /var Located On Separate Partition (Control Group = n/a)

Check

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Comments

Not a Finding. NetWitness software is installed in /var/netwitness by default, and /var/netwitness is a separate partition.

CCE-26828-4 Set GNOME Login Inactivity timeout (Control Group = n/a)

Check

Verify that the GNOME Login Inactivity Timeout is set on the host (The graphical desktop environment must set the idle timeout to no more than 15 minutes.).

Comments

Not a Finding. NetWitness Platform does not use Gnome Graphical User Interface (GUI) Desktop.

CCE-26884-7 Set Lockout Time For Failed Password Attempts (Control Group = auth)

Check

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so

Comments

Not a Finding. root_unlock_time is set to 600 seconds.

CCE-26971-2 Ensure /var/log/audit Located On Separate Partition (Control Group = audit)

Check

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Comments

Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.

CCE-27127-0 Enable Randomized Layout of Virtual Address Space (Control Group = n/a)

Check

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
kernel.randomize_va_space = 2

Comments

Not a Finding. The value of /proc/sys/kernel/randomize_va_space is already 2.

CCE-27157-7 Verify File Hashes with RPM (Control Group = n/a)

Check

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list the files on the system whose hashes differ from what the RPM database expects:
$ rpm -Va | grep '^..5'
A 'c' in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

Comments

Not a Finding. The only mismatched files that are not marked as config files in their rpms belong to Commercial Off the Shelf (COTS) products and cannot be updated.

Most File Hash/RPM combinations are in sync. Any discrepancies are COTS products that cannot be updated.
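The triage the check above describes (digest mismatch, then separate config files from everything else) as an added shell example that is not NetWitness code; the rpm -Va lines it parses are constructed, not from a real host.

```sh
#!/bin/sh
# Added example (not NetWitness code): classify "rpm -Va" output the way the
# check above describes. A '5' in the third column means the file's digest no
# longer matches the RPM database; a 'c' attribute marks a configuration
# file, which may legitimately change. Everything else deserves a look at
# the audit logs before the package is reinstalled.

# rpm_hash_mismatches
# Reads rpm -Va output on stdin; prints "config PATH" or "unexpected PATH"
# for every entry whose digest differs from the package database.
# Assumes paths contain no spaces (true for the RPMs on a RHEL 7 host).
rpm_hash_mismatches() {
    awk '
        # Verify lines look like: SM5DLUGTP  c /path  (9 flag characters,
        # an optional attribute letter c/d/g/l/r, then the path).
        # "missing" lines and entries without a digest mismatch are skipped.
        $1 ~ /^..5/ {
            attr = (NF >= 3) ? $2 : ""
            kind = (attr == "c") ? "config" : "unexpected"
            print kind, $NF
        }'
}

# unexpected_hash_changes
# Prints only the paths of non-config files whose digest changed; these are
# the ones to investigate and, if unexplained, reinstall ("rpm -qf PATH"
# names the owning package).
unexpected_hash_changes() {
    rpm_hash_mismatches | awk '$1 == "unexpected" { print $2 }'
}

# Constructed sample of rpm -Va output (not from a real host).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/example-tool
.......T.    /usr/lib64/libexample.so.1
missing     /usr/share/doc/example/README
S.5....T.  d /usr/share/doc/example/CHANGELOG
.M.......    /usr/sbin/other-tool'

printf '%s\n' "$SAMPLE_RPM_VA" | unexpected_hash_changes
# On a real host: rpm -Va | unexpected_hash_changes | while read -r f; do rpm -qf "$f"; done
```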

CCE-27339-1 Record Events that Modify the System's Discretionary Access Controls - chmod

Check

Verify that the host records events that modify the system's discretionary access controls - chown.

Comments

Not a Finding. Make sure that you have the correct chown configuration on the host. The following settings are the correct configuration.
[root@localhost nwadmin]# grep chown /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

CCE-27209-6 Verify and Correct File Permissions with RPM (Control Group = n/a)

Check

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:
$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --quiet --setperms PACKAGENAME

Comments

Not a Finding. The file permissions do not match the rpm because they are configured to be stricter during configuration management.

CCE-27303-7 (Control ID = 2) Modify the System Login Banner (Control Group = ssh)

Check

To configure the system login banner edit the /etc/issue file. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:
" You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

  • The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  • At any time, the USG may inspect and seize data stored on this IS.
  • Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
  • This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
  • Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

" I've read & consent to terms in IS user agreem't."

Comments

Not a Finding. The login banner is displayed but does not hyphenate "agreem't".

CCE-27311-0 Verify Permissions on SSH Server *.pub Key Files (Control Group = na)

Check

 

Comments

Not a Finding. All public keys in the /etc/ssh/ directory are set to permissions 640.

CCE-27314-4 Enable SSH Warning Banner (Control Group = na)

Check

 

Comments

Not a Finding. The required configuration exists in the /etc/ssh/sshd_config file.

CCE-27349-0 Set Default firewalld Zone for Incoming Packets (Control Group = n/a)

Check

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in the /etc/firewalld/firewalld.conf file to be:
DefaultZone=drop

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-27386-2 Ensure Default SNMP Password Is Not Used (Control Group = n/a)

Check

Edit /etc/snmp/snmpd.conf file by removing or changing the default community strings of public and private. After the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart

Comments

Not a Finding. NetWitness Platform does not use SNMP, and the snmpd service is not enabled.

CCE-27455-5 Use Only FIPS 140-2 Validated MACs (Control Group = na)

Check

 

Comments

Not a Finding. The following configuration exists in the /etc/ssh/sshd_config file:
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512

CCE-27471-2 Disable SSH Access via Empty Passwords (Control Group = n/a)

Check

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in the /etc/ssh/sshd_config file:
PermitEmptyPasswords no

Comments

Not a Finding. NetWitness Platform sets the PermitEmptyPasswords parameter to no by default. This should pass the DISA STIG rule check.

CCE-27485-2 Verify Permissions on SSH Server Private *.key Key Files (Control Group = na)

Check

 

Comments

Not a Finding. All private keys in the /etc/ssh/ directory are set to permissions 640.

CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.send_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80157-1 Disable Kernel Parameter for IP Forwarding (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0

Comments

Not a Finding. NetWitness Platform only uses FIPS certified MACs (for example, MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512).

CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.all.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.conf.default.accept_redirects = 0

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.

CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests (Control Group = n/a)

Check

To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Comments

Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic.
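The sysctl rules in this section (randomize_va_space, send_redirects, ip_forward, the two accept_redirects parameters and icmp_echo_ignore_broadcasts) each have a runtime setting and a persisted setting, and both need checking. The following added shell example, which is not NetWitness code, audits a "key = value" snapshot against the required values; the snapshot and sysctl.conf it reads are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not NetWitness code): audit the kernel parameters required by
# the sysctl rules in this section, covering both what the running kernel
# reports ("sysctl -a" style "key = value" lines) and what /etc/sysctl.conf
# persists, since a value set with "sysctl -w" alone is lost on reboot.

# "parameter=required value" pairs, taken from the rules above.
REQUIRED_SYSCTLS="kernel.randomize_va_space=2
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1"

# lookup_sysctl FILE KEY
# Prints the value of KEY from a file of "key = value" lines. Comments (# or ;)
# and blank lines are ignored, whitespace around '=' is optional, and the last
# assignment wins, as it does when sysctl loads sysctl.conf. Prints nothing if
# the key is absent.
lookup_sysctl() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ || NF == 0 { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_sysctls FILE
# Prints "KEY expected=E actual=A" for each required parameter that is absent
# or wrong in FILE; returns 0 when compliant and 1 when there are findings.
audit_sysctls() {
    findings=$(printf '%s\n' "$REQUIRED_SYSCTLS" | while IFS='=' read -r key want; do
        have=$(lookup_sysctl "$1" "$key")
        [ "$have" = "$want" ] || echo "$key expected=$want actual=${have:-unset}"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed inputs (not from a real host): a runtime snapshot with one
# non-compliant value, and a sysctl.conf that overrides an earlier bad value
# but omits one required parameter.
RUNTIME_SNAPSHOT=$(mktemp)
PERSISTED_CONF=$(mktemp)
cat > "$RUNTIME_SNAPSHOT" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 1
EOF
cat > "$PERSISTED_CONF" <<'EOF'
# Site hardening settings
kernel.randomize_va_space=2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
; the later assignment overrides the one above, as sysctl does
net.ipv4.conf.default.accept_redirects = 0
EOF

echo "runtime:";   audit_sysctls "$RUNTIME_SNAPSHOT" || true
echo "persisted:"; audit_sysctls "$PERSISTED_CONF"   || true
```

On a real host, feed `sysctl -a` output through a file (or `sysctl -a > snapshot`) for the runtime side and /etc/sysctl.conf for the persisted side.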

CCE-80225-6 Print Last Log (Control Group = n/a)

Check

When enabled, SSH will display the date and time of the last successful account login. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes

Comments

Not a Finding. NetWitness Platform sets PrintLastLog to yes by default.

CCE-80226-4 Enable Encrypted X11 Forwarding (Control Group = n/a)

Check

By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the following line in the /etc/ssh/sshd_config file:
X11Forwarding yes

Comments

Not a Finding. NetWitness Platform does not have X11 installed or running.

CCE-80348-6 Ensure gpgcheck Enabled for Repository Metadata (Control Group = n/a)

Check

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf.

Comments

Not a Finding. NetWitness Platform rpm signing procedures do not support signing the repo metadata.

CCE-80383-3 Record Attempts to Alter Logon Events - faillock (Control Group = na)

Check

 

Comments

Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file.

CCE-80399-9 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (Control Group = na)

Check

 

Comments

Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file.

CCE-80437-7 Configure PAM in SSSD Services (Control Group = n/a)

Check

SSSD should be configured to run SSSD pam services. To configure SSSD to known SSH hosts, add pam to services under the [sssd] section in the /etc/sssd/sssd.conf file. For example:
[sssd]
services = sudo, autofs, pam

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf (Control Group = n/a)

Check

Multiple Domain Name System (DNS) servers should be configured in the /etc/resolv.conf file. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain at least 2 DNS servers, add a corresponding nameserver ip_address entry in the /etc/resolv.conf file for each DNS server, where ip_address is the IP address of a valid DNS server. For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

Comments

Not a Finding. NetWitness Platform orchestrates and configures an internal DNS server that all NetWitness hosts use for name resolution. You can configure external DNS servers, but this depends on your environment.

CCE-80439-3 Configure Time Service Maxpoll Interval (Control Group = na)

Check

 

Comments

Not a Finding. The required maxpoll 10 value is set in the /etc/ntp.conf file.

CCE-80447-6 Configure the Firewalld Ports (Control Group = n/a)

Check

Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
$ sudo firewall-cmd --permanent --add-port=port_number/tcp
or
$ sudo firewall-cmd --permanent --add-port=port_number/udp

Run the command listed above for each of the ports listed below: <ports>
To configure firewalld to allow service_name access, run the following command(s):
firewall-cmd --permanent --add-service=ssh

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-80515-0 Configure SSSD LDAP Backend Client CA Certificate Location (Control Group = n/a)

Check

Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to the path of the X.509 certificates used for peer authentication:
ldap_tls_cacertdir = /path/to/tls/cacert

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

CCE-80545-7 Verify and Correct Ownership with RPM (Control Group = n/a)

Check

The RPM package management system can check file ownership of installed software packages, including many that are important to system security. Locate files whose ownership differs from the package defaults with the following command:
$ rpm -Va | grep '^.....\(U\|.G\)'
After locating such a file, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its ownership to the correct values:
$ sudo rpm --setugids PACKAGENAME

Comments

Not a Finding. Files and directories with ownership differing from the rpm are generally COTS based and have been changed from root ownership to a specified COTS-related account.

CCE-80546-5 Configure SSSD LDAP Backend to Use TLS For All Transactions (Control Group = n/a)

Check

This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, check whether LDAP is configured to use TLS with the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

Comments

Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host.

CCE-80998-8 Verify firewall Enabled

Check

Verify that the operating system has an application firewall enabled. Check whether "firewalld" is installed with the following command:

yum list installed firewalld

firewalld-0.3.9-11.el7.noarch.rpm

If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed.

If an application firewall is not installed, this is a finding.

Check to see if the firewall is loaded and active with the following command:

systemctl status firewalld

firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago

If "firewalld" does not show a status of "loaded" and "active", this is a finding.

Check the state of the firewall:

firewall-cmd --state

running

If "firewalld" does not show a state of "running", this is a finding.

Comments

Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld.

CCE-82035-7 Ensure /var/log/audit Located On Separate Partition

Check

Determine if the operating system is configured to have the "/var/log/audit" path on a separate file system.

grep /var/log/audit /etc/fstab

If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding.

Verify that "/var/log/audit" is mounted on a separate file system:

mount | grep "/var/log/audit"

If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.

Comments

Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.

CCE-82053-0 Ensure /tmp Located On Separate Partition

Check

Verify that a separate file system/partition has been created for "/tmp". Check that a file system/partition has been created for "/tmp" with the following command:

systemctl is-enabled tmp.mount

enabled

If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point:

grep -i /tmp /etc/fstab

UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0

If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding.

Comments

Future Feature. NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform.

CCE-82353-4 Ensure /var Located On Separate Partition

Check

Verify that a separate file system/partition has been created for "/var". Check that a file system/partition has been created for "/var" with the following command:

grep /var /etc/fstab

UUID=c274f65f /var ext4 noatime,nobarrier 1 2

If a separate entry for "/var" is not in use, this is a finding.

Comments

Not a Finding. Hardware is dedicated to NetWitness, NetWitness software is installed in /var/netwitness by default, and /var/netwitness is a separate partition.

Rules Supported in a Future Release

The following checks for non-compliance to STIG rules are not supported in NetWitness Platform and will be added in a future release.

CCE-27277-3 Disable Modprobe Loading of USB Storage Driver (Control Group = services)

Check

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Comments

Future Feature.

CCE-27309-4 Set Boot Loader Password in grub2 (Control Group = fips-kernel)

Check

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain text passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root').
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

Comments

Future Feature.

CCE-80179-5 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces

Check

To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
net.ipv6.conf.all.accept_source_route = 0

Comments

Future Feature.

CCE-80660-4 Record Any Attempts to Run setfiles (Control Group = audit)

Check

At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with .rules as a suffix in /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

Comments

Future Feature.

CCE-80661-2 Ensure auditd Collects Information on Kernel Module Loading - create_module (Control Group = audit)

Check

To capture kernel module loading events, use the following line, setting ARCH to b32 for a 32-bit system, or using two lines, one for b32 and one for b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S create_module -F key=modules
The place where you add the line depends on the way the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the .rules suffix in the /etc/audit/rules.d directory. If the auditd daemon is configured to use the auditctl utility, add the line to the /etc/audit/audit.rules file.

Comments

Future Feature.