Reviewing properties in the Server built-in property class

Before running a Compliance Job for the first time based on any of the Compliance Content component templates, ensure that the values for the relevant server properties are correct within the property class instances created for each of the relevant local servers. If local values differ from the default values, tailor these property values to the unique needs of your local system.

The following sections list the properties in the Server built-in property class for each policy type:

For more information about setting property values and creating or modifying property class instances, see Working with properties.

HIPAA properties in the Server built-in property class

The following HIPAA properties are included in the Server built-in property class. Ensure that property values are correct within the property class instances created for each of the relevant local servers.

| Property | Description | Default value |
|---|---|---|
| EXCLUDED_DIR | Directory path to be excluded from searches during Compliance Jobs. Separate multiple directories with commas. | -1 |
| MAX_DISK_PERCENTAGE | Maximum disk percentage of the temporary directory | 95 |
| NOT_REVIEWED | The checks not performed by the tool need manual review. | TRUE |
| POSTGRES_GROUP_ID | Group ID for the postgres user on SuSE Linux | 26 |
| POSTGRES_USER_ID | User ID for the postgres user on SuSE Linux | 26 |
| RSCD_DIR | RSCD Agent Installation Directory | |
| SQUID_GROUP_ID | Group ID for the squid user | 23 |
| SQUID_USER_ID | User ID for the squid user | 31 |
| STAGING_DIR | Path to the staging directory used by BMC Server Automation jobs. | /var/tmp/stage |
| WINDIR | Value of WinDir Environment Variable (Microsoft Windows only) | |

DISA properties in the Server built-in property class

The following DISA properties are included in the Server built-in property class. Ensure that property values are correct within the property class instances created for each of the relevant local servers.

| Property | Description | Default value |
|---|---|---|
| AIX_SAMBA_HOME | Path to the directory where Samba is installed on an AIX system. | /etc |
| AIX_SAMBA_SUBNET_ALLOW | The subnets permitted in the network for Samba on AIX. Separate multiple subnets with spaces. | hostname 127. |
| AIX_SSH_CONFIG_HOME | Path to the configuration home directory on AIX UNIX | /etc/ssh |
| AUDITORS_GROUP | The auditor's account, a local user group with access to Event logs | Auditors |
| BACKUP_ADMIN | Backup administrator user account | Backup Operator |
| BUILTIN_ADMINISTRATOR | The renamed built-in default Windows Administrator user account | xadministrator |
| CACHE_HRS | Frequency (in hours) at which to refresh the target server cache that contains the target data used during the execution of Compliance Jobs. | 24 |
| DISA Properties | The name and path of the default instance of the DISA STIG Properties class | DISA STIG Properties/Default |
| DISA_APPLACCT | A reference to the property that lists UNIX application accounts for DISA in the DISA STIG Properties class | ??DISA Properties.Unix Application Accounts?? |
| DISA_SYSACCT | A reference to the property that lists UNIX system accounts for DISA in the DISA STIG Properties class | ??DISA Properties.Unix System Accounts?? |
| DISA Windows Exchange Properties | The relevant instance of the DISA Windows Exchange Server Check custom property class, depending on the type of target server (whether exchange server or not). | NONEXCHANGE_SERVER_INSTANCE |
| DISA Windows Security Properties | The relevant instance of the DISA Windows DC And Member Server Security Settings custom property class, depending on the type of target server (whether member server or domain controller). | MEMBER_SERVER_SETTINGS |
| DOMAIN | Type of Windows target server, whether Domain Controller (value of DC) or Member Server (value of MS, the default) | MS |
| DUMPSECEXE_HOME | Path to the DUMP SEC exe installation directory | C:\Program Files\SystemTools |
| EXCLUDED_DIR | Directory path to be excluded from searches during Compliance Jobs. Separate multiple directories with commas. | -1 |
| FTP_HOME | FTP user home directory | /home/ftp |
| HOST_ALLOW_HOME | Path to the home directory for the hosts.allow file | /etc |
| HOST_DENY_HOME | Path to the home directory for the hosts.deny file | /etc |
| HPUX_SAMBA_HOME | Path to the directory where Samba is installed on an HPUX system. | /etc/opt/samba |
| HPUX_SAMBA_SUBNET_ALLOW | The subnets permitted in the network for Samba on HPUX. Separate multiple subnets with spaces. | hostname 127. |
| HPUX_SSH_CONFIG_HOME | Path to the configuration home directory on HP UNIX | /opt/ssh/etc |
| IP_ADDRESS | IP Address | |
| IPV6_TRANSITION_IMPLEMENTED | Whether IPv6 transition is implemented (true) or not (false) for DISA on Windows 2008 | FALSE |
| LINUX_SAMBA_HOME | Path to the directory where Samba is installed on a Linux system. | /etc/samba |
| LINUX_SAMBA_SUBNET_ALLOW | The subnets permitted in the network for Samba on Linux. Separate multiple subnets with spaces. | hostname 127. |
| LINUX_SSH_CONFIG_HOME | Path to the configuration home directory on Linux | /etc/ssh |
| MAX_DISK_PERCENTAGE | Maximum disk percentage of the temporary directory | 95 |
| MISSION_CRITICAL_PACKAGES | Packages that are mission critical for the system and must be installed. | |
| NOT_REVIEWED | The checks not performed by the tool need manual review. | TRUE |
| RSCD_DIR | RSCD Agent Installation Directory | |
| SOFT_CERT_FILE_DIRS | A list of directory paths of software certificate files | c:\WINDOWS |
| SOLARIS_SAMBA_HOME | Path to the directory where Samba is installed on a Solaris system. | /etc/sfw |
| SOLARIS_SSH_CONFIG_HOME | Path to the configuration home directory on Solaris UNIX | /etc/ssh |
| SSHD_HOME | Path to where the sshd executable is stored | /usr/sbin |
| STAGING_DIR | Path to the staging directory used by BMC Server Automation jobs. | /var/tmp/stage |
| SYSTEMDRIVE | The drive upon which the system folder was placed (for Windows) | /C |
| SYSTEMROOT | Windows home directory | |
| TFTP_HOME | Path to the TFTP home directory. | /home/tftp |
| UNNECESSARY_ACCTS | A list of unnecessary accounts on Linux, such as games or news. | games,news,gopher,ftp |
| UNNECESSARY_PRIV_ACCTS | A list of unnecessary privileged accounts on Linux, such as halt or shutdown. | halt,shutdown,reboot,who |
| WINDIR | Value of WinDir Environment Variable (Microsoft Windows only) | |
| XSERVER_FILE_PATH | The Xserver file path on Linux. | /etc/X11/xdm/Xservers |

Notes

  • The DISA Windows Exchange Server Check property class stores properties for differentiating between an Exchange Server and a Non-Exchange Server. Two instances are provided out-of-the-box for this property class — the EXCHANGE_SERVER_INSTANCE instance with property values for an Exchange Server, and the NONEXCHANGE_SERVER_INSTANCE instance with property values for a Non-Exchange Server.
  • The DISA Windows DC And Member Server Security Settings property class stores properties for differentiating between a Domain Controller and a Member Server. Two instances are provided out-of-the-box for this property class — the DOMAIN_CONTROLLER_SETTINGS instance with property values that represent Domain Controller security settings, and the MEMBER_SERVER_SETTINGS instance with property values that represent Member Server security settings.
  • The following directories are excluded from compliance-related operations:
    • The BladeLogic installation directory is excluded by default
    • Locations specified in the EXCLUDED_DIR property
    • The following directories are also excluded: /tcb, /dev, /proc, /vol, /xfn, /cdrom, and /mnt
    • The directories of mounted file system devices are also excluded.

CIS properties in the Server built-in property class

The following CIS properties are included in the Server built-in property class. Ensure that property values are correct within the property class instances created for each of the relevant local servers.

| Property | Description | Default value |
|---|---|---|
| CACHE_HRS | Frequency (in hours) at which to refresh the target server cache that contains the target data used during the execution of Compliance Jobs. | 24 |
| CIS Properties | The name and path of the default instance of the CIS Properties class | CIS Properties/ENTERPRISE_MEMBER_SERVER or CIS Properties/ENTERPRISE_DOMAIN_CONTROLLER (for Windows) |
| DOMAIN | Type of Windows target server, whether Domain Controller (value of DC) or Member Server (value of MS, the default) | MS |
| EXCLUDED_DIR | Directory to exclude. The value for this property can be a directory or multiple directories separated by comma. | -1 |
| MAX_DISK_PERCENTAGE | Maximum disk percentage of target that an EO can use. | 95 |
| MISSION_CRITICAL_PACKAGES | Packages that are mission critical for the system and must be installed. | |
| NOT_REVIEWED | The checks not performed by the tool need manual review. | TRUE |
| NTP_SERVER | NTP server IP or hostname | |
| RSCD_DIR | RSCD Agent Installation Directory | |
| STAGING_DIR | Path to the staging directory used by BMC Server Automation jobs. | /var/tmp/stage |
| SYSTEMDRIVE | System Drive Directory | /C |
| WINDIR | Value of WinDir Environment Variable (Microsoft Windows only) | * |

Note

The following directories are excluded from compliance-related operations:

  • The BladeLogic installation directory is excluded by default
  • Locations specified in the EXCLUDED_DIR property
  • The following directories are also excluded: /tcb, /dev, /proc, /vol, /xfn, /cdrom, and /mnt
  • The directories of mounted file system devices are also excluded.

PCI properties in the Server built-in property class

The following PCI properties are included in the Server built-in property class. Ensure that property values are correct within the property class instances created for each of the relevant local servers.

| Property | Description | Default value |
|---|---|---|
| AIX_SSH_CONFIG_HOME | Path to the configuration home directory on AIX UNIX | /etc/ssh |
| BSA_CONTENT_DEFAULT_MTA | Default MTA | Postfix |
| BSA_CONTENT_IPV_PROTOCOL | BSA content protocols | IPV4 |
| CACHE_HRS | Frequency (in hours) at which to refresh the target server cache that contains the target data used during the execution of Compliance Jobs. | 24 |
| DOMAIN | Type of Windows target server, whether Domain Controller (value of DC) or Member Server (value of MS, the default) | MS |
| EXCLUDED_DIR | Directory path to be excluded from searches during Compliance Jobs. Separate multiple directories with commas. | -1 |
| HPUX_SSH_CONFIG_HOME | Path to the configuration home directory on HP UNIX | /opt/ssh/etc |
| IS_SSLF | Whether the server is configured with the SSLF level of security, with a value of either true or false | FALSE |
| MAX_DISK_PERCENTAGE | Maximum disk percentage of the temporary directory | 95 |
| MISSION_CRITICAL_PACKAGES | Packages that are mission critical for the system and must be installed. | |
| NOT_REVIEWED | The checks not performed by the tool need manual review. | TRUE |
| NTP_SERVER | NTP server IP or hostname | |
| PCI Properties | The name and path of the default instance of the PCI Properties class | PCI Properties/Default |
| POSTGRES_GROUP_ID | Group ID for the user postgres | |
| POSTGRES_USER_ID | User ID for the user postgres | |
| RSCD_DIR | RSCD Agent Installation Directory | |
| SOLARIS_SSH_CONFIG_HOME | Path to the configuration home directory on Solaris UNIX | /etc/ssh |
| SQUID_GROUP_ID | Group ID for the user squid | |
| SQUID_USER_ID | User ID for the user squid | |
| STAGING_DIR | Path to the staging directory on the target server, used by BMC Server Automation jobs. | /var/tmp/stage |
| WINDIR | Value of WinDir environment variable (Windows only) | |

Note

The following directories are excluded from compliance-related operations:

  • The BladeLogic installation directory is excluded by default
  • Locations specified in the EXCLUDED_DIR property
  • The following directories are also excluded: /tcb, /dev, /proc, /vol, /xfn, /cdrom, and /mnt
  • The directories of mounted file system devices are also excluded.
  • For the Group World Writable Directory, Find Unauthorized World-Writable Files, and Find World-Writable Directory with Sticky Bit Set rules: /var/adm/ras/conslog, /var/tmp, /tmp, /dev/screen, /system/contract/process, /var/mail, /var/preserve, and /var/spool.
  • For the Find Unauthorized SUID & SGID System Executables rule: /proc/, /adm/sw, and /usr/nsh.

SOX properties in the Server built-in property class

The following SOX properties are included in the Server built-in property class. Ensure that property values are correct within the property class instances created for each of the relevant local servers.

| Property | Description | Default value |
|---|---|---|
| AIX_SSH_CONFIG_HOME | Path to the configuration home directory on AIX UNIX | /etc/ssh |
| CACHE_HRS | Frequency (in hours) at which to refresh the target server cache that contains the target data used during the execution of Compliance Jobs. | 24 |
| EXCLUDED_DIR | Directory path to be excluded from searches during Compliance Jobs. Separate multiple directories with commas. | -1 |
| HPUX_SSH_CONFIG_HOME | Path to the configuration home directory on HP UNIX | /opt/ssh/etc |
| LINUX_SSH_CONFIG_HOME | Path to the configuration home directory on Linux | /etc/ssh |
| MAX_DISK_PERCENTAGE | Maximum disk percentage of the temporary directory | 95 |
| NOT_REVIEWED | The checks not performed by the tool need manual review. | TRUE |
| POSTGRES_GROUP_ID | Group ID for the postgres user on SuSE Linux | 26 |
| POSTGRES_USER_ID | User ID for the postgres user on SuSE Linux | 26 |
| RSCD_DIR | RSCD Agent Installation Directory | |
| SOLARIS_SSH_CONFIG_HOME | Path to the configuration home directory on Solaris UNIX | /etc/ssh |
| SOX Properties | The name and path of the default instance of the SOX Properties class | Class://SystemObject/SOX Properties/Default |
| SOX_SYSACCTS | A reference to the property that lists UNIX system accounts for SOX in the SOX Properties class | ??SOX Properties.SOX System Accounts?? |
| SQUID_GROUP_ID | Group ID for the squid user | 23 |
| SQUID_USER_ID | User ID for the squid user | 31 |
| STAGING_DIR | Path to the staging directory used by BMC Server Automation jobs. | /var/tmp/stage |
| WINDIR | Value of WinDir Environment Variable (Microsoft Windows only) | |

Note

The following directories are excluded from compliance-related operations:

  • The BladeLogic installation directory is excluded by default
  • Locations specified in the EXCLUDED_DIR property
  • The following directories are also excluded: /tcb, /dev, /proc, /vol, /xfn, /cdrom, and /mnt
  • The directories of mounted file system devices are also excluded.
  • For the Group World Writable Directory, Find Unauthorized World-Writable Files, and Find World-Writable Directory with Sticky Bit Set rules: /var/adm/ras/conslog, /var/tmp, /tmp, /dev/screen, /system/contract/process, /var/mail, /var/preserve, and /var/spool.
  • For the Find Unauthorized SUID & SGID System Executables rule: /proc/, /adm/sw, and /usr/nsh.
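The exclusion notes in the DISA, CIS, PCI, and SOX sections define locations that compliance-related operations never look at, so findings under them need a separate review. The following added example (not BMC code) combines those lists with an EXCLUDED_DIR value and reports which inventoried paths fall outside coverage on a UNIX target. It assumes that exclusions apply to whole subtrees and that the default -1 excludes nothing extra; the install directory, mount point, and sample paths are constructed.

```python
from pathlib import PurePosixPath

# Directories the notes above list as always excluded.
ALWAYS_EXCLUDED = ["/tcb", "/dev", "/proc", "/vol", "/xfn", "/cdrom", "/mnt"]
# Extra exclusions the PCI and SOX notes give for specific rules.
WORLD_WRITABLE_RULES = ["/var/adm/ras/conslog", "/var/tmp", "/tmp", "/dev/screen",
                        "/system/contract/process", "/var/mail", "/var/preserve",
                        "/var/spool"]
SUID_SGID_RULE = ["/proc/", "/adm/sw", "/usr/nsh"]


def excluded_roots(excluded_dir, install_dir, mount_points, rule_extra=()):
    """Collect every directory root that a Compliance Job will not search."""
    roots = ALWAYS_EXCLUDED + [install_dir] + list(mount_points) + list(rule_extra)
    # Assumption: the default "-1" (or an empty value) excludes nothing extra.
    if excluded_dir.strip() not in ("", "-1"):
        roots += [d.strip() for d in excluded_dir.split(",") if d.strip()]
    return [PurePosixPath(r) for r in roots]


def covering_root(path, roots):
    """Return the excluded root containing path, or None if path is searched."""
    p = PurePosixPath(path)
    for root in roots:
        # Assumption: exclusion applies to the whole subtree and is matched on
        # path components, so /tmpfiles is not treated as being under /tmp.
        if p == root or root in p.parents:
            return str(root)
    return None


def blind_spots(paths, roots):
    """Map each path outside compliance coverage to the root that excludes it."""
    return {p: r for p in paths if (r := covering_root(p, roots)) is not None}


# Constructed sample: an EXCLUDED_DIR value, a placeholder install directory,
# one mounted file system, and paths taken from a hypothetical host inventory.
ROOTS = excluded_roots("/data/scratch, /opt/legacy", "/opt/bmc/bladelogic",
                       ["/net/share"], WORLD_WRITABLE_RULES)
SAMPLE = ["/tmp/upload", "/tmpfiles/a", "/opt/legacy/bin/x", "/home/app/logs",
          "/net/share/drop", "/var/spool/cron"]

if __name__ == "__main__":
    for path, root in blind_spots(SAMPLE, ROOTS).items():
        print(f"{path}: not searched (excluded root {root})")
```

Pass SUID_SGID_RULE instead of WORLD_WRITABLE_RULES as the last argument to model the Find Unauthorized SUID & SGID System Executables rule.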

Where to go from here

Modifying out-of-the-box component templates
