DISA STIG
Note: 11.3.1 feature - DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) support was introduced in NetWitness Platform 11.3.1. Versions 11.0.0.0 to 11.3.0.0 do not support DISA STIG.
The NetWitness Platform version 12.2.0.0 supports all Audit Rules in the DISA STIG Control Group. The supported version for DISA STIG is Red Hat Enterprise Linux V3R8. NetWitness will expand its support of STIG rules in future NetWitness Platform versions.
This section includes the following topics:
- How STIG Limits Account Access
- Manage STIG Controls Script (manage-stig-controls)
IMPORTANT: All rules are enabled by default except for control group 1 (ssh-prevent-root) and control group 3 (fips-kernel). You can enable or disable rules by control group using the manage-stig-controls script.
How STIG Limits Account Access
The STIG hardening RPM helps to lock down information, systems, and software, which might otherwise be vulnerable to a malicious computer attack by limiting account access to a system. For example, the STIG script:
- Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.
- Applies auditing and logging of user actions on the host.
NetWitness Passwords
NetWitness Platform requires passwords that are STIG compliant.
Generate the OpenSCAP Report
Security Content Automation Protocol (SCAP) is a line of standards or rules managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.
The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.xml or HOSTNAME-ssg-results.html, depending on the output format you select.
Disable Rules in OpenSCAP Report that Hang the Report
There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable a rule in the SCAP report:
sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
where rule-id is the Rule ID of the rule that hangs during a test.
For example, the report has a rule with the ID partition_for_audit (shown as Rule ID: partition_for_audit). If you disable a rule, OpenSCAP does not check against that rule, so you must check compliance with the partition_for_audit rule manually.
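The sed command above edits the benchmark blindly. The following added shell example (not part of the NetWitness documentation) wraps it in a function that confirms the rule is actually selected before editing, keeps a backup so the rule can be re-enabled after the run, and lets you verify the change; the XCCDF fragment it writes is a constructed sample, not a real SSG benchmark.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation). Assumes the same
# XCCDF file path as the documentation; the sample content written by
# make_sample_xccdf is a constructed fragment for a stand-alone run.

XCCDF_DEFAULT=/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

# Count <select> elements for RULE_ID that are currently selected="true".
# Prints 0 (rather than failing) when there is no match.
count_selected() {
    rule_id=$1; file=$2
    grep -c "select idref=\"$rule_id\" selected=\"true\"" "$file" || true
}

# Flip selected="true" to selected="false" for RULE_ID in FILE.
# Returns 0 when the rule was found and switched off, 1 when it was not
# selected (nothing to change), 2 when the file does not exist.
disable_rule() {
    rule_id=$1; file=${2:-$XCCDF_DEFAULT}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ "$(count_selected "$rule_id" "$file")" -eq 0 ]; then
        echo "rule $rule_id is not selected in $file; nothing changed" >&2
        return 1
    fi
    # Keep a backup so the rule can be re-selected after the audit run.
    cp "$file" "$file.bak"
    sed -i "s/select idref=\"$rule_id\" selected=\"true\"/select idref=\"$rule_id\" selected=\"false\"/g" "$file"
    echo "disabled $rule_id in $file (backup: $file.bak)"
}

# Constructed XCCDF fragment with two selected rules, for demonstration.
make_sample_xccdf() {
    cat > "$1" <<'EOF'
<Profile id="stig">
  <select idref="partition_for_audit" selected="true"/>
  <select idref="example_other_rule" selected="true"/>
</Profile>
EOF
}
```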
Install OpenSCAP
You must:
- SSH to the host.
- Execute the following command:
yum install scap-security-guide
Sample Report
The following report is a sample section from an OpenSCAP report.
Report Fields
Section | Field | Description |
---|---|---|
Introduction - Test Result | Result ID | The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results. |
Introduction - Test Result | Profile | XCCDF profile under which the report results are categorized. |
Introduction - Test Result | Start time | When the report started. |
Introduction - Test Result | End time | When the report ended. |
Introduction - Test Result | Benchmark | XCCDF benchmark. |
Introduction - Test Result | Benchmark version | Version number of the benchmark. |
Introduction - Score | system | XCCDF scoring method. |
Introduction - Score | score | Score attained after running the report. |
Introduction - Score | max | Highest score attainable. |
Introduction - Score | % | Score attained after running the report as a percentage. |
Introduction - Score | bar | Not applicable. |
Results overview - Rule Results Summary | pass | Passed rule check. |
Results overview - Rule Results Summary | fixed | Rule check that failed previously is now fixed. |
Results overview - Rule Results Summary | fail | Failed rule check. |
Results overview - Rule Results Summary | error | Could not perform rule check. |
Results overview - Rule Results Summary | not selected | This check was not applicable to your NetWitness Platform deployment. |
Results overview - Rule Results Summary | not checked | Rule could not be checked. There are several reasons why a rule cannot be checked; for example, the rule check requires a check engine not supported by the OpenSCAP report. |
Results overview - Rule Results Summary | not applicable | Rule check does not apply to your NetWitness Platform deployment. |
Results overview - Rule Results Summary | informational | Rule checks for informational purposes only (no action required on fail). |
Results overview - Rule Results Summary | unknown | Report was able to check the rule. Run steps manually as described in the report to check the rule. |
Results overview - Rule Results Summary | total | Total number of rules checked. |
Exceptions | Title | Name of the rule being checked. |
Exceptions | Result | Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown. Note: Result values are defined under Results overview - Rule Results Summary. |
Create the OpenSCAP Report
The following tasks show you how to create the OpenSCAP Report in HTML, XML, or both HTML and XML.
Create Report in HTML Only
To create an OpenSCAP report in HTML only:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The report is available in the following location:
/opt/rsa/openscap/
Create Report in XML Only
To create an OpenSCAP report in XML only:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The report is available in the following location:
/opt/rsa/openscap/
Create Report in Both XML and HTML
To create an OpenSCAP report in both XML and HTML:
- SSH to the host.
- Submit the following command:
mkdir -p /opt/rsa/openscap
- Submit the following command for report upgrades only:
sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- Submit the following command:
oscap xccdf eval --profile "stig" --results /opt/rsa/openscap/`hostname`.xml --report /opt/rsa/openscap/`hostname`.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- The report is available in the following location:
/opt/rsa/openscap/
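The three procedures above differ only in the oscap output options. This added shell script (not from the NetWitness documentation) folds them into one function that takes the format as a parameter, puts the upgrade-only sed step behind a flag, rejects an unknown format before anything is touched, and treats the oscap exit code 2 (one or more rules failed) as a completed run; it uses the same paths and profile as the documentation.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation). Paths, profile and
# benchmark files are the ones the documented procedures use.

OUT_DIR=/opt/rsa/openscap
SSG_DIR=/usr/share/xml/scap/ssg/content
XCCDF=$SSG_DIR/ssg-rhel7-xccdf.xml
CPE=$SSG_DIR/ssg-rhel7-cpe-dictionary.xml

# Print the oscap output options for FORMAT (html|xml|both) and host HOST.
# Returns 1 for an unknown format so oscap is never run without an output.
report_options() {
    fmt=$1; host=$2
    case "$fmt" in
        html) echo "--report $OUT_DIR/$host.html" ;;
        xml)  echo "--results $OUT_DIR/$host.xml" ;;
        both) echo "--results $OUT_DIR/$host.xml --report $OUT_DIR/$host.html" ;;
        *)    echo "unknown format: $fmt (use html, xml or both)" >&2; return 1 ;;
    esac
}

# Print the complete oscap command line for FORMAT and HOST.
oscap_command() {
    opts=$(report_options "$1" "$2") || return 1
    echo "oscap xccdf eval --profile stig $opts --cpe $CPE $XCCDF"
}

# Create the output directory, optionally strip <platform> lines (the
# documented upgrade-only step) and run the evaluation.
# Usage: run_openscap_report html|xml|both [--upgrade]
run_openscap_report() {
    fmt=$1; upgrade=$2
    cmd=$(oscap_command "$fmt" "$(hostname)") || return 1
    mkdir -p "$OUT_DIR"
    if [ "$upgrade" = "--upgrade" ]; then
        sed -i -r -e "s/<platform.*//g" "$XCCDF"
    fi
    # oscap exits 0 when every rule passes, 2 when at least one rule fails
    # and 1 on an error; a failed rule is still a completed evaluation here.
    rc=0
    $cmd || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
    echo "report written to $OUT_DIR"
}
```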
Manage STIG Controls Script (manage-stig-controls)
You can use the manage-stig-controls script and its arguments to enable or disable the STIG control groups for which you want to apply STIG configuration. You can specify all hosts or individual hosts as arguments, and you can enable or disable all control groups or individual control groups. The script is located in the /usr/bin/ directory.
To manage STIG controls for a host:
- SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
- Submit the manage-stig-controls script with the commands, control groups, and other arguments you want to apply.
- Reboot the host.
Commands
Command | Description |
---|---|
--enable-all-controls | Enables all STIG controls. For example: manage-stig-controls --enable-all-controls |
--disable-all-controls | Disables all STIG controls. For example: manage-stig-controls --disable-all-controls |
--enable-default-controls | Enables all STIG controls except ssh-prevent-root and fips-kernel. For example: manage-stig-controls --enable-default-controls |
--enable-control-groups <IDs> | Enables the comma-delimited list of STIG Control Group IDs. For example: manage-stig-controls --enable-control-groups '1, 2, 3' |
--disable-control-groups <IDs> | Disables the comma-delimited list of STIG Control Group IDs. For example: manage-stig-controls --disable-control-groups '1, 2, 3' |
Control Groups
You use the ID as an argument for the control group or groups.
ID | Group | Description | Specified by Default |
---|---|---|---|
1 | ssh-prevent-root | Prevent root login through SSH. | no |
2 | ssh | SSH STIG configuration. | yes |
3 | fips-kernel | FIPS kernel configuration. | no |
4 | auth | Authentication STIG configuration. | yes |
5 | audit | Audit STIG configuration. | yes |
6 | packages | RPM package STIG configuration. | yes |
7 | services | Services STIG configuration. | yes |
Other Arguments
Argument | Description |
---|---|
--host-all | Apply STIG configuration to all hosts. For example: manage-stig-controls --host-all |
--skip-health-checks | Disable health checks for all hosts (not recommended). For example: manage-stig-controls --skip-health-checks |
--host-id <id> | Apply STIG configuration to the host identified by <id> (host identification code). For example: manage-stig-controls --host-id <id> |
--host-name <display-name> | Apply STIG configuration to the host identified by <display-name>, the value shown under Name in the NetWitness Platform user interface. For example: manage-stig-controls --host-name <display-name> |
--host-addr <hostname> | Apply STIG configuration to the host identified by <hostname>, the value shown under Hostname in the NetWitness Platform user interface. For example: manage-stig-controls --host-addr <hostname> |
-v, --verbose | Enable verbose output. For example: manage-stig-controls -v |
Rules List
The following table lists all the STIG rules with their:
- Control Group - you can use the Control Group ID as an argument in the manage-stig-controls script to expand or reduce the scope of rules checked (1 = ssh-prevent-root, 2 = ssh, 3 = fips-kernel, 4 = auth, 5 = audit, 6 = packages, 7 = services).
- Default Status - tells you whether the rule is enabled or disabled by default.
- Passed or Exception status - tells you whether the rule passed (that is, complies with STIG) or is an exception.
CCE Number | Rule Name | Control Group | Default Status | Passed/Exception |
---|---|---|---|---|
CCE-26404-4 | Ensure /var Located On Separate Partition | n/a | n/a | Exception |
CCE-26828-4 | Disable DCCP Support | n/a | n/a | Passed |
CCE-26884-7 | Set Lockout Time For Failed Password Attempts | auth | enabled | Exception |
CCE-26892-0 | Set the GNOME3 Login Warning Banner Text | n/a | enabled | Passed |
CCE-26952-2 | Configure Periodic Execution of AIDE | audit | enabled | Exception |
CCE-26970-4 | Enable GNOME3 Login Warning Banner | audit | enabled | Passed |
CCE-26971-2 | Ensure /var/log/audit Located On Separate Partition | audit | enabled | Exception |
CCE-26989-4 | Ensure gpgcheck Enabled In Main Yum Configuration | n/a | enabled | Passed |
CCE-27051-2 | Set Password Maximum Age | auth | enabled | Passed |
CCE-27053-8 | Set Password Hashing Algorithm in /etc/libuser.conf | n/a | enabled | Passed |
CCE-27082-7 | Set SSH Client Alive Count | ssh | disabled | Passed |
CCE-27096-7 | Install AIDE | n/a | n/a | Exception |
CCE-27127-0 | Enable Randomized Layout of Virtual Address Space | n/a | enabled | Exception |
CCE-27157-7 | Verify File Hashes with RPM | n/a | n/a | Exception |
CCE-27160-1 | Set Password Retry Prompts Permitted Per-Session | n/a | enabled | Passed |
CCE-27200-5 | Set Password Strength Minimum Uppercase Characters | auth | enabled | Passed |
CCE-27209-6 | Verify and Correct File Permissions with RPM | n/a | n/a | Exception |
CCE-27213-8 | Record Events that Modify the System's Discretionary Access Controls - setxattr | audit | enabled | Passed |
CCE-27214-6 | Set Password Strength Minimum Digit Characters | auth | enabled | Passed |
CCE-27218-7 | Remove the X Windows Package Group | n/a | enabled | Passed |
CCE-27275-7 | Set Last Logon/Access Notification | n/a | enabled | Passed |
CCE-27277-3 | Disable Modprobe Loading of USB Storage Driver | services | enabled | Exception |
CCE-27279-9 | Configure SELinux Policy | n/a | enabled | Passed |
CCE-27280-7 | Record Events that Modify the System's Discretionary Access Controls - lsetxattr | audit | enabled | Passed |
CCE-27286-4 | Prevent Log In to Accounts With Empty Password | n/a | enabled | Passed |
CCE-27287-2 | Require Authentication for Single User Mode | n/a | enabled | Passed |
CCE-27293-0 | Set Password Minimum Length | auth | enabled | Passed |
CCE-27295-5 | Use Only FIPS 140-2 Validated Ciphers | n/a | enabled | Exception |
CCE-27297-1 | Set Interval For Counting Failed Password Attempts | auth | enabled | Passed |
CCE-27303-7 | Modify the System Login Banner | ssh | enabled | Exception |
CCE-27309-4 | Set Boot Loader Password in grub2 | n/a | enabled | Exception |
CCE-27311-0 | Verify Permissions on SSH Server Public *.pub Key Files | n/a | enabled | Passed |
CCE-27314-4 | Enable SSH Warning Banner | ssh | enabled | Passed |
CCE-27320-1 | Allow Only SSH Protocol 2 | n/a | enabled | Passed |
CCE-27326-8 | Ensure No Device Files are Unlabeled by SELinux | n/a | enabled | Passed |
CCE-27334-2 | Ensure SELinux State is Enforcing | n/a | enabled | Exception |
CCE-27339-1 | Record Events that Modify the System's Discretionary Access Controls - chmod | audit | enabled | Passed |
CCE-27342-5 | Uninstall rsh-server Package | n/a | enabled | Passed |
CCE-27343-3 | Ensure Logs Sent To Remote Host | n/a | n/a | Passed |
CCE-27345-8 | Set Password Strength Minimum Lowercase Characters | auth | enabled | Passed |
CCE-27349-0 | Set Default firewalld Zone for Incoming Packets | n/a | n/a | Exception |
CCE-27350-8 | Set Deny For Failed Password Attempts | auth | enabled | Passed |
CCE-27351-6 | Install the screen Package | n/a | enabled | Passed |
CCE-27353-2 | Record Events that Modify the System's Discretionary Access Controls - fremovexattr | audit | enabled | Passed |
CCE-27355-7 | Set Account Expiration Following Inactivity | n/a | enabled | Passed |
CCE-27356-5 | Record Events that Modify the System's Discretionary Access Controls - fchown | audit | enabled | Passed |
CCE-27358-1 | Deactivate Wireless Network Interfaces | n/a | enabled | Passed |
CCE-27360-7 | Set Password Strength Minimum Special Characters | auth | enabled | Passed |
CCE-27363-1 | Do Not Allow SSH Environment Options | ssh | enabled | Passed |
CCE-27364-9 | Record Events that Modify the System's Discretionary Access Controls - chown | audit | enabled | Passed |
CCE-27367-2 | Record Events that Modify the System's Discretionary Access Controls - removexattr | audit | enabled | Passed |
CCE-27375-5 | Configure auditd space_left Action on Low Disk Space | audit | enabled | Passed |
CCE-27377-1 | Disable SSH Support for .rhosts Files | n/a | enabled | Passed |
CCE-27386-2 | Ensure Default SNMP Password Is Not Used | n/a | n/a | Exception |
CCE-27387-0 | Record Events that Modify the System's Discretionary Access Controls - fchownat | audit | enabled | Passed |
CCE-27388-8 | Record Events that Modify the System's Discretionary Access Controls - fchmodat | audit | enabled | Passed |
CCE-27389-6 | Record Events that Modify the System's Discretionary Access Controls - fsetxattr | audit | enabled | Passed |
CCE-27393-8 | Record Events that Modify the System's Discretionary Access Controls - fchmod | audit | enabled | Passed |
CCE-27394-6 | Configure auditd mail_acct Action on Low Disk Space | audit | enabled | Passed |
CCE-27401-9 | Uninstall telnet-server Package | n/a | enabled | Passed |
CCE-27399-5 | Uninstall ypserv Package | n/a | enabled | Passed |
CCE-27407-6 | Enable auditd Service | audit | enabled | Passed |
CCE-27410-0 | Record Events that Modify the System's Discretionary Access Controls - lremovexattr | audit | enabled | Passed |
CCE-27413-4 | Disable Host-Based Authentication | n/a | enabled | Passed |
CCE-27433-2 | Set SSH Idle Timeout Interval | ssh | enabled | Passed |
CCE-27434-0 | Configure Kernel Parameter for Accepting IPv4 Source-Routed Packets for All Interfaces | n/a | enabled | Passed |
CCE-27437-3 | Ensure auditd Collects Information on the Use of Privileged Commands | audit | enabled | Passed |
CCE-27445-6 | Disable SSH Root Login | n/a | n/a | Exception |
CCE-27447-2 | Ensure auditd Collects Information on Exporting to Media (successful) | audit | enabled | Passed |
CCE-27455-5 | Use Only FIPS 140-2 Validated MACs | n/a | enabled | Passed |
CCE-27458-9 | Mount Remote Filesystems with Kerberos Security | n/a | enabled | Passed |
CCE-27461-3 | Ensure auditd Collects System Administrator Actions | audit | enabled | Passed |
CCE-27471-2 | Disable SSH Access via Empty Passwords | n/a | enabled | Exception |
CCE-27485-2 | Verify Permissions on SSH Server Private *_key Key Files | n/a | n/a | Passed |
CCE-27498-5 | Disable the Automounter | n/a | enabled | Passed |
CCE-27503-2 | All GIDs referenced in /etc/passwd must be defined in /etc/group | n/a | enabled | Passed |
CCE-27511-5 | Disable Ctrl-Alt-Del Reboot Activation | services | enabled | Passed |
CCE-27512-3 | Set Password Maximum Consecutive Repeating Characters | n/a | enabled | Passed |
CCE-27557-8 | Set Interactive Session Timeout | auth | disabled | Passed |
CCE-80104-3 | Disable GDM Automatic Login | n/a | enabled | Passed |
CCE-80105-0 | Disable GDM Guest Login | n/a | enabled | Passed |
CCE-80108-4 | Enable the GNOME3 Login Smartcard Authentication | n/a | enabled | Passed |
CCE-80110-0 | Set GNOME3 Screensaver Inactivity Timeout | n/a | enabled | Passed |
CCE-80111-8 | Enable GNOME3 Screensaver Idle Activation | n/a | enabled | Passed |
CCE-80112-6 | Enable GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed |
CCE-80127-4 | Install McAfee Virus Scanning Software | n/a | n/a | Exception |
CCE-80129-0 | Virus Scanning Software Definitions Are Updated | n/a | n/a | Exception |
CCE-80134-0 | Ensure All Files Are Owned by a User | n/a | enabled | Passed |
CCE-80135-7 | Ensure All Files Are Owned by a Group | n/a | enabled | Passed |
CCE-80136-5 | Ensure All World-Writable Directories Are Owned by a System Account | n/a | enabled | Passed |
CCE-80144-9 | Ensure /home Located On Separate Partition | n/a | enabled | Passed |
CCE-80148-0 | Add nosuid Option to Removable Media Partitions | n/a | enabled | Passed |
CCE-80156-3 | Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces | n/a | n/a | Exception |
CCE-80157-1 | Disable Kernel Parameter for IP Forwarding | n/a | n/a | Exception |
CCE-80158-9 | Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces | n/a | n/a | Exception |
CCE-80162-1 | Configure Kernel Parameter for Accepting Source-Routed Packets By Default | n/a | enabled | Passed |
CCE-80163-9 | Configure Kernel Parameter for Accepting ICMP Redirects By Default | n/a | n/a | Exception |
CCE-80165-4 | Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests | n/a | n/a | Exception |
CCE-80174-6 | Ensure System is Not Acting as a Network Sniffer | n/a | enabled | Passed |
CCE-80179-5 | Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces | n/a | n/a | Exception |
CCE-80192-8 | Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server | n/a | enabled | Passed |
CCE-80205-8 | Ensure the Default Umask is Set Correctly in login.defs | n/a | enabled | Passed |
CCE-80207-4 | Enable Smart Card Login | n/a | n/a | Exception |
CCE-80213-2 | Uninstall tftp-server Package | n/a | enabled | Passed |
CCE-80214-0 | Ensure tftp Daemon Uses Secure Mode | n/a | enabled | Passed |
CCE-80215-7 | Install the OpenSSH Server Package | n/a | enabled | Passed |
CCE-80216-5 | Enable the OpenSSH Service | n/a | enabled | Passed |
CCE-80220-7 | Disable GSSAPI Authentication | ssh | enabled | Passed |
CCE-80221-5 | Disable Kerberos Authentication | n/a | enabled | Passed |
CCE-80222-3 | Enable Use of Strict Mode Checking | n/a | enabled | Passed |
CCE-80223-1 | Enable Use of Privilege Separation | n/a | enabled | Passed |
CCE-80224-9 | Disable Compression Or Set Compression to delayed | n/a | enabled | Passed |
CCE-80225-6 | Print Last Log | n/a | enabled | Exception |
CCE-80226-4 | Enable Encrypted X11 Forwarding | n/a | n/a | Exception |
CCE-80240-5 | Mount Remote Filesystems with nosuid | n/a | enabled | Passed |
CCE-80245-4 | Uninstall vsftpd Package | n/a | enabled | Passed |
CCE-80258-7 | Disable KDump Kernel Crash Analyzer (kdump) | services | enabled | Passed |
CCE-80346-0 | Ensure YUM Removes Previous Package Versions | packages | enabled | Passed |
CCE-80347-8 | Ensure gpgcheck Enabled for Local Packages | packages | enabled | Passed |
CCE-80348-6 | Ensure gpgcheck Enabled for Repository Metadata | n/a | n/a | Exception |
CCE-80350-2 | Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate | n/a | enabled | Passed |
CCE-80351-0 | Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | n/a | enabled | Passed |
CCE-80352-8 | Ensure the Logon Failure Delay is Set Correctly in login.defs | auth | enabled | Passed |
CCE-80353-6 | Configure the root Account for Failed Password Attempts | auth | enabled | Passed |
CCE-80354-4 | Set the UEFI Boot Loader Password | fips-kernel | disabled | Passed |
CCE-80359-3 | Enable FIPS Mode in GRUB2 | fips-kernel | disabled | Exception |
CCE-80370-0 | Set GNOME3 Screensaver Lock Delay After Activation Period | n/a | enabled | Passed |
CCE-80371-8 | Ensure Users Cannot Change GNOME3 Screensaver Settings | n/a | enabled | Passed |
CCE-80372-6 | Disable SSH Support for User Known Hosts | ssh | enabled | Passed |
CCE-80373-4 | Disable SSH Support for Rhosts RSA Authentication | audit | enabled | Passed |
CCE-80374-2 | Configure Notification of Post-AIDE Scan Details | n/a | n/a | Exception |
CCE-80375-9 | Configure AIDE to Verify Access Control Lists (ACLs) | n/a | n/a | Exception |
CCE-80376-7 | Configure AIDE to Verify Extended Attributes | n/a | n/a | Exception |
CCE-80377-5 | Configure AIDE to Use FIPS 140-2 for Validating Hashes | n/a | n/a | Exception |
CCE-80378-3 | Verify User Who Owns /etc/cron.allow file | n/a | enabled | Passed |
CCE-80379-1 | Verify Group Who Owns /etc/cron.allow file | n/a | enabled | Passed |
CCE-80380-9 | Ensure cron Is Logging To Rsyslog | n/a | enabled | Passed |
CCE-80381-7 | Shutdown System When Auditing Failures Occur | audit | enabled | Passed |
CCE-80382-5 | Record Attempts to Alter Logon and Logout Events - tallylog | audit | enabled | Passed |
CCE-80383-3 | Record Attempts to Alter Logon and Logout Events - faillock | n/a | n/a | Passed |
CCE-80384-1 | Record Attempts to Alter Logon and Logout Events - lastlog | audit | enabled | Passed |
CCE-80385-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - creat | audit | enabled | Passed |
CCE-80386-6 | Record Unauthorized Access Attempts to Files (unsuccessful) - open | audit | enabled | Passed |
CCE-80387-4 | Record Unauthorized Access Attempts to Files (unsuccessful) - openat | audit | enabled | Passed |
CCE-80388-2 | Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at | audit | enabled | Passed |
CCE-80389-0 | Record Unauthorized Access Attempts to Files (unsuccessful) - truncate | audit | enabled | Passed |
CCE-80390-8 | Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate | audit | enabled | Passed |
CCE-80391-6 | Record Any Attempts to Run semanage | audit | enabled | Passed |
CCE-80392-4 | Record Any Attempts to Run setsebool | audit | enabled | Passed |
CCE-80393-2 | Record Any Attempts to Run chcon | audit | enabled | Passed |
CCE-80395-7 | Ensure auditd Collects Information on the Use of Privileged Commands - passwd | audit | enabled | Passed |
CCE-80396-5 | Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | audit | enabled | Passed |
CCE-80397-3 | Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | audit | enabled | Passed |
CCE-80398-1 | Ensure auditd Collects Information on the Use of Privileged Commands - chage | audit | enabled | Passed |
CCE-80399-9 | Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | audit | enabled | Passed |
CCE-80400-5 | Ensure auditd Collects Information on the Use of Privileged Commands - su | audit | enabled | Passed |
CCE-80401-3 | Ensure auditd Collects Information on the Use of Privileged Commands - sudo | audit | enabled | Passed |
CCE-80402-1 | Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | audit | enabled | Passed |
CCE-80403-9 | Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | audit | enabled | Passed |
CCE-80404-7 | Ensure auditd Collects Information on the Use of Privileged Commands - chsh | audit | enabled | Passed |
CCE-80405-4 | Ensure auditd Collects Information on the Use of Privileged Commands - umount | audit | enabled | Passed |
CCE-80406-2 | Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | audit | enabled | Passed |
CCE-80407-0 | Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | audit | enabled | Passed |
CCE-80408-8 | Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | audit | enabled | Passed |
CCE-80410-4 | Ensure auditd Collects Information on the Use of Privileged Commands - crontab | audit | enabled | Passed |
CCE-80411-2 | Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | audit | enabled | Passed |
CCE-80412-0 | Ensure auditd Collects File Deletion Events by User - rmdir | audit | enabled | Passed |
CCE-80413-8 | Ensure auditd Collects File Deletion Events by User - renameat | audit | enabled | Passed |
CCE-80414-6 | Ensure auditd Collects Information on Kernel Module Loading - init_module | audit | enabled | Passed |
CCE-80415-3 | Ensure auditd Collects Information on Kernel Module Unloading - delete_module | audit | enabled | Passed |
CCE-80430-2 | Record Events that Modify User/Group Information - /etc/security/opasswd | audit | enabled | Passed |
CCE-80431-0 | Record Events that Modify User/Group Information - /etc/shadow | audit | enabled | Passed |
CCE-80432-8 | Record Events that Modify User/Group Information - /etc/gshadow | audit | enabled | Passed |
CCE-80433-6 | Record Events that Modify User/Group Information - /etc/group | audit | enabled | Passed |
CCE-80434-4 | Ensure Home Directories are Created for New Users | n/a | enabled | Passed |
CCE-80435-1 | Record Events that Modify User/Group Information - /etc/passwd | audit | enabled | Passed |
CCE-80436-9 | Mount Remote Filesystems with noexec | n/a | enabled | Passed |
CCE-80437-7 | Configure PAM in SSSD Services | n/a | n/a | Exception |
CCE-80438-5 | Configure Multiple DNS Servers in /etc/resolv.conf | n/a | n/a | Exception |
CCE-80439-3 | Configure Time Service Maxpoll Interval | services | enabled | Passed |
CCE-80447-6 | Configure the Firewalld Ports | n/a | n/a | Exception |
CCE-80513-5 | Remove Host-Based Authentication Files | n/a | enabled | Passed |
CCE-80514-3 | Remove User Host-Based Authentication Files | n/a | enabled | Passed |
CCE-80515-0 | Configure SSSD LDAP Backend Client CA Certificate Location | n/a | n/a | Exception |
CCE-80519-2 | Install Smart Card Packages For Multifactor Authentication | n/a | n/a | Exception |
CCE-80537-4 | Configure auditd space_left on Low Disk Space | audit | enabled | Passed |
CCE-80544-0 | Ensure Users Cannot Change GNOME3 Session Idle Settings | n/a | enabled | Passed |
CCE-80545-7 | Verify and Correct Ownership with RPM | n/a | n/a | Exception |
CCE-80546-5 | Configure SSSD LDAP Backend to Use TLS For All Transactions | n/a | n/a | Exception |
CCE-80547-3 | Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | audit | enabled | Passed |
CCE-80563-0 | Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period | n/a | enabled | Passed |
CCE-80564-8 | Ensure Users Cannot Change GNOME3 Screensaver Idle Activation | n/a | enabled | Passed |
CCE-80660-4 | Record Any Attempts to Run setfiles | audit | enabled | Exception |
CCE-80661-2 | Ensure auditd Collects Information on Kernel Module Loading - create_module | audit | enabled | Exception |
CCE-80995-4 | Ensure auditd Collects File Deletion Events by User - rename | audit | enabled | Exception |
CCE-80996-2 | Ensure auditd Collects File Deletion Events by User - unlinkat | audit | enabled | Exception |
CCE-80998-8 | Verify firewalld Enabled | n/a | n/a | Exception |
CCE-81106-7 | Ensure auditd Collects File Deletion Events by User - unlink | audit | enabled | Passed |
CCE-81153-9 | Add nosuid Option to /home | n/a | enabled | Passed |
CCE-82020-9 | Set Password Strength Minimum Different Characters | auth | enabled | Passed |
CCE-82030-8 | Limit Password Reuse | n/a | enabled | Passed |
CCE-82035-7 | Ensure /var/log/audit Located On Separate Partition | audit | enabled | Exception |
CCE-82036-5 | Set Password Minimum Age | n/a | enabled | Passed |
CCE-82038-1 | Set Password Hashing Algorithm in /etc/libuser.conf | n/a | enabled | Passed |
CCE-82041-5 | Limit the Number of Concurrent Login Sessions Allowed Per User | auth | enabled | Passed |
CCE-82043-1 | Set PAM's Password Hashing Algorithm | n/a | enabled | Passed |
CCE-82045-6 | Set Password Strength Minimum Different Categories | audit | enabled | Passed |
CCE-82050-6 | Set Password Hashing Algorithm in /etc/login.defs | n/a | enabled | Passed |
CCE-82053-0 | Ensure /tmp Located On Separate Partition | n/a | n/a | Exception |
CCE-82054-8 | Verify Only Root Has UID 0 | n/a | enabled | Passed |
CCE-82353-4 | Ensure /var Located On Separate Partition | n/a | n/a | Exception |
Exceptions to STIG Compliance
This topic contains:
- Rule exceptions that are the responsibility of the customer to resolve.
- Rule exceptions that are "Not a Finding", which means that they do not apply to NetWitness Platform. NetWitness has verified that the system meets these requirements.
- Rules to be supported in a future release.
Key to Elements in Exception Descriptions
CCE Number
The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls, which improves workflow by enabling fast and accurate correlation of configuration issues across disparate domains. In this way, it is similar to other data standards such as the Common Vulnerabilities and Exposures (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.
This section lists the exceptions you can receive when you run the OpenSCAP report. The ID, or Common Configuration Enumeration (CCE) number, in each table is the identification number of the exception in the OpenSCAP report.
Control Group ID
Number that identifies the control group you specify in the manage-stig-controls script to enable or disable the rule.
ID | Group | Description | Specified by Default |
---|---|---|---|
1 | ssh-prevent-root | Prevent root login through SSH. | no |
2 | ssh | SSH STIG configuration. | yes |
3 | fips-kernel | FIPS kernel configuration. | no |
4 | auth | Authentication STIG configuration. | yes |
5 | audit | Audit STIG configuration. | yes |
6 | packages | RPM package STIG configuration. | yes |
7 | services | Services STIG configuration. | yes |
Check
Describes what the rule checks to identify exceptions to DISA STIG compliance.
Comments
Provides insight on why you would receive this exception. This section includes one of the following comments that describes the exception:
- Customer Responsibility - You are responsible to make sure the system meets this requirement.
- Not a Finding - Exception does not apply to NetWitness Platform. NetWitness has verified that the system meets this requirement.
- Future Feature - NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform.
Customer Responsibility Exceptions
CCE-26952-2 Configure Periodic Execution of AIDE (Control Group = audit)
Check | At a minimum, configure AIDE to run a weekly scan, and at most a daily one. To implement a daily execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file: |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-27096-7 Install AIDE (Control Group = n/a)
Check | Install the AIDE package with the following command: $ sudo yum install aide |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-27218-7 Remove the X Windows Package Group
Check | The Rule CCE-27218-7 "Remove the X Windows Package Group" is an exception for Log Collector and Log Decoder services. |
---|---|
Comments | Customer Responsibility. The Log Collector plugin collection framework uses SELinux sandbox technology that has a direct dependency on the given RPM. Removing the RPM leads to loss of plugin collection functionality in the Log Collector service. |
CCE-27295-5 Use Only FIPS 140-2 Validated Ciphers (Control Group = n/a)
Check | Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers: Ciphers aes128-ctr,aes192-ctr,aes256-ctr. The following ciphers are FIPS 140-2 certified on RHEL 7: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, and rijndael-cbc@lysator.liu.se. Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf. |
---|---|
Comments | The testing approach results in a failed test, but the ciphers defined meet the STIG rule definition. You can check the configured ciphers in the /etc/ssh/sshd_config file. |
CCE-27334-2 Ensure SELinux State is Enforcing
Check | Ensure SELinux State is Enforcing. |
---|---|
Comments | The SELinux state is set to 'permissive' by default for all NetWitness Platform hosts instead of 'enforcing', due to the performance impact. |
CCE-27445-6 Disable SSH Root Login (Control Group = ssh-prevent-root)
Check | The root user should never be allowed to log in to a system directly over a network. |
---|---|
Comments | Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file: |
CCE-80127-4 Install McAfee Virus Scanning Software (Control Group = n/a)
Check | Install McAfee VirusScan Enterprise for Linux antivirus software, which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. |
---|---|
Comments | Customer Responsibility. Install virus scanning software. NetWitness does not provide this software. |
CCE-80129-0 Virus Scanning Software Definitions Are Updated (Control Group = n/a)
Check | Make sure that virus definition files are no older than 7 days or their last release. |
---|---|
Comments | Customer Responsibility. NetWitness does not provide this software. |
CCE-80207-4 Enable Smart Card Login (Control Group = n/a)
Check | For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult the documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards and https://access.redhat.com/solutions/82273 |
---|---|
Comments | Customer Responsibility. NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do so outside of NetWitness. |
CCE-80359-3 Enable FIPS Mode in GRUB2 (Control Group = fips-kernel)
Check | To ensure FIPS mode is enabled, install the dracut-fips package and rebuild the initramfs by running the following commands: $ sudo yum install dracut-fips, then dracut -f. After the dracut command has been run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file, as shown in the following example: GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'. Finally, rebuild the grub.cfg file with the grub2-mkconfig -o command. On BIOS-based machines, issue the following command as root: grub2-mkconfig -o /boot/grub2/grub.cfg. On UEFI-based machines, issue the following command as root: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg |
---|---|
Comments | Customer Responsibility. FIPS mode is not enabled by default on NetWitness Platform. You can enable FIPS by following the procedures in Configure FIPS Support. |
CCE-80374-2 Configure Notification of Post-AIDE Scan Details (Control Group = n/a)
Check | AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line: |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-80375-9 Configure AIDE to Verify Access Control Lists (Control Group = n/a)
Check | By default, the acl option is added to the FIPSR ruleset in AIDE. If you are using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file: |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-80376-7 Configure AIDE to Verify Extended Attributes (Control Group = n/a)
Check | By default, the xattrs option is added to the FIPSR ruleset in AIDE. If you are using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file: |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-80377-5 Configure AIDE to Use FIPS 140-2 for Validating Hashes (Control Group = n/a)
Check | By default, the sha512 option is added to the NORMAL ruleset in AIDE. If you are using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in the /etc/aide.conf file: NORMAL = FIPSR+sha512 |
---|---|
Comments | Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as your security policy allows. |
CCE-80519-2 Install Smart Card Packages For Multi-Factor Authentication (Control Group = n/a)
Check | Configure the operating system to implement multifactor authentication by installing the required packages with the following command: |
---|---|
Comments | Customer Responsibility. NetWitness Platform supports username/certificate authentication to the shell. If you want to configure smart card login, you must do so outside of NetWitness. |
Exceptions That Are Not a Finding
The following exceptions do not apply to NetWitness Platform. NetWitness has verified that the system meets these requirements.
CCE-26404-4 Ensure /var Located On Separate Partition (Control Group = n/a)
Check | The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. |
---|---|
Comments | Not a Finding. NetWitness software is installed in /var/netwitness by default and has a separate partition on /var/netwitness. |
CCE-26828-4 Set GNOME Login Inactivity Timeout (Control Group = n/a)
Check | Verify that the GNOME login inactivity timeout is set on the host (the graphical desktop environment must set the idle timeout to no more than 15 minutes). |
---|---|
Comments | Not a Finding. NetWitness Platform does not use the GNOME Graphical User Interface (GUI) desktop. |
CCE-26884-7 Set Lockout Time For Failed Password Attempts (Control Group = auth)
Check | To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section: |
---|---|
Comments | Not a Finding. root_unlock_time is set to 600 seconds. |
CCE-26971-2 Ensure /var/log/audit Located On Separate Partition (Control Group = audit)
Check | Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. |
---|---|
Comments | Not a Finding. NetWitness Platform has the /var/log directory as a separate partition. |
CCE-27127-0 Enable Randomized Layout of Virtual Address Space (Control Group = n/a)
Check | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. The value of /proc/sys/kernel/randomize_va_space is already 2. |
CCE-27157-7 Verify File Hashes with RPM (Control Group = n/a)
Check | Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match vendor values, run the following command to list the files on the system whose hashes differ from what the RPM database expects: |
---|---|
Comments | Not a Finding. The only mismatched files not marked as config files in RPMs are Commercial Off the Shelf (COTS) product files that cannot be updated. Most file hash/RPM combinations are in sync; any discrepancies are COTS products that cannot be updated. |
CCE-27339-1 Record Events that Modify the System's Discretionary Access Controls - chmod
Check | Verify that the host records events that modify the system's discretionary access controls - chown. |
---|---|
Comments | Not a Finding. Make sure that you have the correct chown configuration on the host. The following settings, as shown by grep chown /etc/audit/* on the host, are the correct configuration: |

```
[root@localhost nwadmin]# grep chown /etc/audit/*
/etc/audit/audit.rules:-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
/etc/audit/audit.rules:-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
```
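As an added example (not NetWitness code), the following POSIX shell script parses an audit rules file in auditctl syntax and reports which of the syscalls named in the rules above are not covered for a given architecture and key; the function names and the sample rules file are constructed for the example. Run against the b32 rule as quoted on the page it reports chmod, which that rule does not list.

```shell
#!/bin/sh
# Added example, not NetWitness code: check that an audit rules file covers
# the discretionary access control syscalls from the perm_mod rules quoted
# under CCE-27339-1, separately for the b64 and b32 architectures.
# Assumes one rule per line in auditctl syntax (-a ... -S sys [-S sys|-S a,b]).

# audit_syscalls FILE ARCH KEY: print, one per line, every syscall named by a
# -S option on a rule line that carries both -F arch=ARCH and key KEY
# (given either as -k KEY or as -F key=KEY).
audit_syscalls() {
    awk -v arch="$2" -v key="$3" '
        $1 == "-a" {
            hit_arch = 0; hit_key = 0; m = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-F" && $(i + 1) == ("arch=" arch)) hit_arch = 1
                else if ($i == "-k" && $(i + 1) == key) hit_key = 1
                else if ($i == "-F" && $(i + 1) == ("key=" key)) hit_key = 1
                else if ($i == "-S") {
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++) line_sys[++m] = parts[j]
                }
            }
            if (hit_arch && hit_key)
                for (j = 1; j <= m; j++) covered[line_sys[j]] = 1
        }
        END { for (s in covered) print s }' "$1" | sort
}

# audit_covers FILE ARCH KEY SYSCALL...: succeed when every SYSCALL is covered
# for ARCH under KEY; report each one that is not.
audit_covers() {
    rules_file=$1; want_arch=$2; want_key=$3; shift 3
    have=$(audit_syscalls "$rules_file" "$want_arch" "$want_key")
    miss=0
    for sc in "$@"; do
        printf '%s\n' "$have" | grep -qx "$sc" || {
            echo "$want_arch/$want_key: $sc not audited"; miss=1
        }
    done
    return $miss
}

# The syscalls named across the two rules quoted on the page.
DAC_SYSCALLS="chown fchown fchownat lchown chmod fchmod fchmodat setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr"

# Demo on a constructed rules file that reproduces the page's two rules
# (without the grep path prefix); on a real host point audit_covers at
# /etc/audit/audit.rules or a file under /etc/audit/rules.d/.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
-a exit,always -F arch=b64 -S chown -S chmod -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b32 -S chown -S fchmod -S fchmodat -S fchown -S fchownat -S fremovexattr -S fsetxattr -S lchown -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
EOF
for demo_arch in b64 b32; do
    audit_covers "$demo_rules" "$demo_arch" perm_mod $DAC_SYSCALLS \
        && echo "$demo_arch: all DAC syscalls audited"
done
rm -f "$demo_rules"
```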
CCE-27209-6 Verify and Correct File Permissions with RPM (Control Group = n/a)
Check | The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command: Next, run the following command to reset the permissions to the correct values: |
---|---|
Comments | Not a Finding. The file permissions do not match the RPM; they are configured to be stricter during configuration management. |
CCE-27303-7 (Control ID = 2) Modify the System Login Banner (Control Group = ssh)
Check | To configure the system login banner, edit the /etc/issue file. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: or "I've read & consent to terms in IS user agreem't." |
---|---|
Comments | Not a Finding. The login banner is displayed but does not hyphenate "agreem't". |
CCE-27311-0 Verify Permissions on SSH Server *.pub Key Files (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. All public keys in the /etc/ssh/ directory are set with permissions 640. |
CCE-27314-4 Enable SSH Warning Banner (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. The required configuration exists in the /etc/ssh/sshd_config file. |
CCE-27349-0 Set Default firewalld Zone for Incoming Packets (Control Group = n/a)
Check | To set the default zone to drop for the built-in default zone, which processes incoming IPv4 and IPv6 packets, modify the following line in the /etc/firewalld/firewalld.conf file to be: |
---|---|
Comments | Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld. |
CCE-27386-2 Ensure Default SNMP Password Is Not Used (Control Group = n/a)
Check | Edit the /etc/snmp/snmpd.conf file by removing or changing the default community strings of public and private. After the default community strings have been changed, restart the SNMP service: |
---|---|
Comments | Not a Finding. NetWitness Platform does not use SNMP, and the snmpd service is not enabled. |
CCE-27455-5 Use Only FIPS 140-2 Validated MACs (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. The following configuration exists in the /etc/ssh/sshd_config file: MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512 |
CCE-27471-2 Disable SSH Access via Empty Passwords (Control Group = n/a)
Check | To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in the /etc/ssh/sshd_config file: |
---|---|
Comments | Not a Finding. NetWitness Platform sets the PermitEmptyPasswords parameter to no by default. This should pass the DISA STIG rule check. |
CCE-27485-2 Verify Permissions on SSH Server Private *.key Key Files (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. All private keys in the /etc/ssh/ directory are set with permissions 640. |
CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces (Control Group = n/a)
Check | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic. |
CCE-80157-1 Disable Kernel Parameter for IP Forwarding (Control Group = n/a)
Check | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform only uses FIPS certified MACs (for example, MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512). |
CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces (Control Group = n/a)
Check | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic. |
CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default (Control Group = n/a)
Check | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic. |
CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests (Control Group = n/a)
Check | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform does not accept incoming Internet Control Message Protocol (ICMP) traffic. |
CCE-80225-6 Print Last Log (Control Group = n/a)
Check | When enabled, SSH displays the date and time of the last successful account login. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file: |
---|---|
Comments | Not a Finding. NetWitness Platform sets PrintLastLog to yes by default. |
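The following POSIX shell script is an added example, not code from the NetWitness documentation or product: it reads an sshd_config and checks the Ciphers line against the FIPS 140-2 cipher list under CCE-27295-5, the MACs line against the MACs quoted under CCE-27455-5, and the PermitEmptyPasswords and PrintLastLog values from CCE-27471-2 and this rule. The function names and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example, not NetWitness code: audit an sshd_config against the cipher,
# MAC, PermitEmptyPasswords and PrintLastLog values cited in this section.
# Assumes a flat file (no Match blocks, no +/-/^ list prefixes).

# Ciphers the page lists as FIPS 140-2 certified on RHEL 7 (CCE-27295-5).
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se"
# MACs quoted from the NetWitness sshd_config (CCE-27455-5).
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512"

# sshd_option FILE KEYWORD: print the value of the first uncommented KEYWORD
# line (sshd uses the first value it reads; keywords are case-insensitive).
sshd_option() {
    awk -v key="$2" '
        !seen && $1 !~ /^#/ && tolower($1) == tolower(key) { val = $2; seen = 1 }
        END { print val }' "$1"
}

# in_list ITEM LIST: succeed when ITEM is one of the words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_algos FILE KEYWORD ALLOWED: succeed when every comma-separated
# algorithm configured for KEYWORD is in ALLOWED; report each one that is not.
check_algos() {
    algos=$(sshd_option "$1" "$2")
    [ -n "$algos" ] || { echo "$2: not set, sshd defaults apply"; return 1; }
    algo_rc=0
    for a in $(printf '%s' "$algos" | tr ',' ' '); do
        in_list "$a" "$3" || { echo "$2: $a is not in the FIPS list"; algo_rc=1; }
    done
    return $algo_rc
}

# check_flag FILE KEYWORD EXPECTED: succeed when KEYWORD is set to EXPECTED.
check_flag() {
    flag=$(sshd_option "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$flag" = "$3" ] && return 0
    echo "$2: expected $3, found '${flag:-unset}'"
    return 1
}

# check_sshd FILE: run all four checks; succeed only when every one passes.
check_sshd() {
    all_rc=0
    check_algos "$1" Ciphers "$FIPS_CIPHERS" || all_rc=1
    check_algos "$1" MACs "$FIPS_MACS" || all_rc=1
    check_flag "$1" PermitEmptyPasswords no || all_rc=1
    check_flag "$1" PrintLastLog yes || all_rc=1
    return $all_rc
}

# Demo on a constructed sample mirroring the values quoted on the page; on a
# real host run: check_sshd /etc/ssh/sshd_config
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
PermitEmptyPasswords no
PrintLastLog yes
EOF
check_sshd "$demo_cfg" && echo "sshd_config: all checks passed"
rm -f "$demo_cfg"
```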
CCE-80226-4 Enable Encrypted X11 Forwarding (Control Group = n/a)
Check | By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 forwarding, add or correct the following line in the /etc/ssh/sshd_config file: |
---|---|
Comments | Not a Finding. NetWitness Platform does not have X11 installed or running. |
CCE-80348-6 Ensure gpgcheck Enabled for Repository Metadata (Control Group = n/a)
Check | Verify that the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf. |
---|---|
Comments | Not a Finding. NetWitness Platform RPM signing procedures do not support signing the repository metadata. |
CCE-80383-3 Record Attempts to Alter Logon Events - faillock (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file. |
CCE-80399-9 Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. The required rules are configured in the /etc/audit/rules.d/nw-stig.rules file. |
CCE-80437-7 Configure PAM in SSSD Services (Control Group = n/a)
Check | SSSD should be configured to run the SSSD pam service. To do so, add pam to services under the [sssd] section of the /etc/sssd/sssd.conf file. For example: [sssd] services = sudo, autofs, pam |
---|---|
Comments | Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host. |
CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf (Control Group = n/a)
Check | Multiple Domain Name System (DNS) servers should be configured in the /etc/resolv.conf file. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain at least 2 DNS servers, add a corresponding nameserver ip_address entry to the /etc/resolv.conf file for each DNS server, where ip_address is the IP address of a valid DNS server. For example: |
---|---|
Comments | Not a Finding. NetWitness Platform orchestrates and configures an internal DNS server that all NetWitness hosts use for name resolution. You can configure external DNS servers, but that is dependent on your environment. |
CCE-80439-3 Configure Time Service Maxpoll Interval (Control Group = n/a)
Check | |
---|---|
Comments | Not a Finding. The required maxpoll 10 value is set in the /etc/ntp.conf file. |
CCE-80447-6 Configure the Firewalld Ports (Control Group = n/a)
Check | Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command: Run the command above for each of the ports listed below: <ports> |
---|---|
Comments | Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld. |
CCE-80515-0 Configure SSSD LDAP Backend Client CA Certificate Location (Control Group = n/a)
Check | Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions by setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the path of the X.509 certificates used for peer authentication. |
---|---|
Comments | Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host. |
CCE-80545-7 Verify and Correct Ownership with RPM (Control Group = n/a)
Check | The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. Locate files with incorrect ownership with rpm -Va \| grep '^.....\(U\|.G\)'. Next, run the following command to reset their ownership to the correct values: |
---|---|
Comments | Not a Finding. Files and directories with ownership differing from the RPM are generally COTS based and have been changed from root ownership to a specified COTS-related account. |
CCE-80546-5 Configure SSSD LDAP Backend to Use TLS For All Transactions (Control Group = n/a)
Check | This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command: To check if LDAP is configured to use TLS, use the following command: |
---|---|
Comments | Not a Finding. NetWitness Platform does not currently support multi-factor authentication. As a result, the SSSD service is not installed on a NetWitness host. |
CCE-80998-8 Verify firewall Enabled
Check | Verify that the operating system has enabled an application firewall. Check to see if "firewalld" is installed with the following command: yum list installed firewalld (expected output: firewalld-0.3.9-11.el7.noarch.rpm). If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. Check to see if the firewall is loaded and active with the following command: systemctl status firewalld (expected output: firewalld.service - firewalld - dynamic firewall daemon; Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled); Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago). If "firewalld" does not show a status of "loaded" and "active", this is a finding. Check the state of the firewall: firewall-cmd --state (expected output: running). If "firewalld" does not show a state of "running", this is a finding. |
---|---|
Comments | Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses iptables, not firewalld. |
CCE-82035-7 Ensure /var/log/audit Located On Separate Partition
Check | Determine if the operating system is configured to have the "/var/log/audit" path on a separate file system: grep /var/log/audit /etc/fstab. If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding. Verify that "/var/log/audit" is mounted on a separate file system: mount \| grep "/var/log/audit". If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding. |
---|---|
Comments | Not a Finding. NetWitness Platform has the /var/log directory as a separate partition. |
CCE-82053-0 Ensure /tmp Located On Separate Partition
Check | Verify that a separate file system/partition has been created for "/tmp". Check that a file system/partition has been created for "/tmp" with the following command: systemctl is-enabled tmp.mount (expected output: enabled). If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point: grep -i /tmp /etc/fstab (example output: UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0). If the "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. |
---|---|
Comments | Future Feature. NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform. |
CCE-82353-4 Ensure /var Located On Separate Partition
Check | Verify that a separate file system/partition has been created for "/var". Check that a file system/partition has been created for "/var" with the following command: grep /var /etc/fstab (example output: UUID=c274f65f /var ext4 noatime,nobarrier 1 2). If a separate entry for "/var" is not in use, this is a finding. |
---|---|
Comments | Not a Finding. Hardware is dedicated for NetWitness, and NetWitness software is installed in /var/netwitness by default with a separate partition on /var/netwitness. |
Rules Supported in a Future Release
The following checks for non-compliance to STIG rules are not supported in NetWitness Platform and will be added in a future release.
CCE-27277-3 Disable Modprobe Loading of USB Storage Driver (Control Group = services)
Check | To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory: |
---|---|
Comments | Future Feature. |
CCE-27309-4 Set Boot Loader Password in grub2 (Control Group = fips-kernel)
Check | The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain text passwords are a security risk, generate a hash for the password by running the following command: |
---|---|
Comments | Future Feature. |
CCE-80179-5 Configure Kernel Parameter for Accepting IPv6 Source-Routed Packets for All Interfaces
Check | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: |
---|---|
Comments | Future Feature. |
CCE-80660-4 Record Any Attempts to Run setfiles (Control Group = audit)
Check | At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with .rules as a suffix in /etc/audit/rules.d: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: |
---|---|
Comments | Future Feature. |
CCE-80661-2 Ensure auditd Collects Information on Kernel Module Loading - create_module (Control Group = audit)
Check | To capture kernel module loading events, use the following line, setting ARCH to b32 for 32-bit systems, or use two lines, one for b32 and one for b64, if your system is 64-bit: |
---|---|
Comments | Future Feature. |