Issues in CIS compliance analysis and remediation
This topic lists the limitations and troubleshooting issues found in CIS compliance analysis and remediation:
Limitations in CIS templates
The following issues exist for compliance analysis and remediation using CIS component templates:
- For certain rules, the CIS benchmark does not recommend any value. Such rules in the component template for CIS - Windows Server 2008 always result in compliant status.
- For the Enterprise Domain Controller, SSLF Member Server, and SSLF Domain Controller profiles, the recommended value of rule 1.8.36, User Rights: Log on as a batch job, is No one. However, the rule is implemented for a null value as well as for BladeLogicRSCD, as the agent requires this special permission to run batch jobs on the target.
- Not all rules in the component template for CIS - Windows Server 2008 provide remediation (as indicated by whether or not they have a remediation package associated).
- Rules in the CIS - RedHat Enterprise Linux 5 template that check permissions on system log files (rule 5.1.2 Create and Set Permissions on syslog Log Files and rule 5.2.4 Create and Set Permissions on rsyslog Log Files) are set to be compliant only for mode 0600 with root as the owner or mode 0640 with the secure group. However, these rules are shown as compliant even if the setuid, setgid, or sticky bit is set on the log files listed in /etc/syslog.conf or /etc/rsyslog.conf.
- For rule 1.6.2 Set Permissions on /etc/grub.conf of the CIS - RedHat Enterprise Linux 5 template, the rule returns non-compliant if the configuration file is a symbolic link, because the permissions of the file to which the link points cannot be obtained.
- When multiple NTP server entries are present in ntp.conf, rule 3.5 of the CIS - RedHat Enterprise Linux 5 template reports a non-compliant result.
- For the CIS - RedHat Enterprise Linux 5 template, the following behavior occurs during remediation of the rule:
  - If multiple commented and non-commented entries of PASSWDALGORITHM are set in the /etc/sysconfig/authconfig file, the command authconfig --update --passalgo=sha512 deletes a few of the non-commented PASSWDALGORITHM entries. After remediation, you might observe that a few commented entries have been removed from the authconfig file.
  - If you run the command authconfig --update --passalgo=sha512 and then change the PASSWDALGORITHM parameter in the /etc/sysconfig/authconfig file to an invalid value (for example, PASSWDALGORITHM=sha512ABC), re-running the authconfig --update command does not update the PASSWDALGORITHM entries in the /etc/sysconfig/authconfig file, and remediation is not supported.
- Remediation of rules in the Detailed Security Auditing rule group of the CIS - Windows Server 2008 template fails on template level and on group level.
- For rules in the CIS - Red Hat Enterprise Linux 5 template that check for the presence of parameters in configuration files, if a configuration file contains multiple entries of a parameter, the rule displays non-compliant (Not Reviewed) status. Even after remediation, the configuration file still contains multiple entries of that parameter, and the rule continues to display non-compliant (Not Reviewed) status.
- For rule 1.1.17 of the CIS - Red Hat Enterprise Linux 5 template, an intermediate file is created on the target while compliance runs. This file lists the non-compliant entries, such as files present in the Transactions directory under the NSH directory on the target machine. That directory holds files that are created when remediation jobs are initiated. Remediation of this rule remediates all entries listed in the intermediate file. A file that is created in the Transactions directory while remediation runs is not listed in the intermediate file, because it did not exist when compliance ran. Therefore, the rule remains non-compliant even though the previous remediation succeeded; that is, there is always a non-compliant value after remediation for this rule.
- For CIS - Windows Server 2008 DC and MS templates, Audit Pol remediation does not work.
- For CIS - Windows Server 2008 template, remediation is not supported for custom Group Policy Objects (GPO) templates (for example, if you create new GPO templates).
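The log-file permission gap (rules 5.1.2 and 5.2.4 above) and the duplicate-entry problem in /etc/sysconfig/authconfig (the PASSWDALGORITHM items and the Not Reviewed status above) can both be caught with a small check of your own before or after a remediation run. The following Python script is an added example and is not BMC Server Automation or BladeLogic code: the configuration file contents in it are constructed samples, the secure group ID is an assumed parameter, and the set of valid algorithm names is an assumption based on the values authconfig --passalgo documents.

```python
# Added example, not BMC/BladeLogic code. Two checks for gaps described above:
# (1) log-file modes that reject setuid/setgid/sticky bits (rules 5.1.2/5.2.4);
# (2) effective PASSWDALGORITHM in /etc/sysconfig/authconfig, flagging the
#     duplicate active entries that leave rules in the Not Reviewed state.
import os
import re
import stat

ALLOWED_ROOT_MODE = 0o600   # root-owned, no group/other access
ALLOWED_GROUP_MODE = 0o640  # root-owned, read access for the secure group
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
# Values accepted by authconfig --passalgo (assumption based on its documentation).
VALID_PASSWD_ALGOS = {"descrypt", "bigcrypt", "md5", "sha256", "sha512"}
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample configuration files (not taken from any real host).
SAMPLE_RSYSLOG_CONF = """\
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                   /var/log/secure
mail.*                                       -/var/log/maillog
*.emerg                                      *
*.*                                          @loghost.example
"""
SAMPLE_AUTHCONFIG = """\
#PASSWDALGORITHM=md5
PASSWDALGORITHM=sha512
USESHADOW=yes
PASSWDALGORITHM=sha512ABC
"""


def log_files_from_syslog_conf(text):
    """Local log-file paths used as actions in classic selector/action lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):   # comments, directives
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        target = parts[-1].lstrip("-")                 # '-' = asynchronous write
        if target.startswith("/") and target not in paths:  # skip @host, *, |pipe
            paths.append(target)
    return paths


def log_file_mode_compliant(mode, uid, gid, secure_gid):
    """True only for root-owned 0600, or root-owned 0640 with the secure group."""
    if uid != 0 or mode & SPECIAL_BITS:   # any setuid/setgid/sticky bit fails
        return False
    perm = stat.S_IMODE(mode)
    if perm == ALLOWED_ROOT_MODE:
        return True
    return perm == ALLOWED_GROUP_MODE and gid == secure_gid


def check_live_log_files(conf_path="/etc/rsyslog.conf", secure_gid=0):
    """Stat every log file named in the live config (needs a Linux host)."""
    with open(conf_path) as fh:
        paths = log_files_from_syslog_conf(fh.read())
    results = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[path] = None   # listed in the config but not yet created
            continue
        results[path] = log_file_mode_compliant(
            st.st_mode, st.st_uid, st.st_gid, secure_gid)
    return results


def effective_setting(text, key):
    """(value, active_count) for KEY; last active assignment wins, as in a shell."""
    value, count = None, 0
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match and match.group(1) == key:
            value = match.group(2).strip("\"'")
            count += 1
    return value, count


def passwdalgorithm_compliant(text, expected="sha512"):
    """Evaluate PASSWDALGORITHM without hiding duplicates or bad values."""
    value, count = effective_setting(text, "PASSWDALGORITHM")
    if count != 1:
        return "Not Reviewed"    # missing or duplicated: clean the file first
    if value not in VALID_PASSWD_ALGOS:
        return "Non-Compliant"   # e.g. sha512ABC, which authconfig never corrects
    return "Compliant" if value == expected else "Non-Compliant"


if __name__ == "__main__":
    print(log_files_from_syslog_conf(SAMPLE_RSYSLOG_CONF))
    print(passwdalgorithm_compliant(SAMPLE_AUTHCONFIG))
```

On a real host, call check_live_log_files() with the GID of your secure log group; a None result means the file is named in the configuration but does not exist yet. The authconfig check deliberately returns Not Reviewed for a duplicated key rather than guessing, so the file has to be cleaned up by hand before the rule is trusted again, which matches the behaviour of the template rules described above.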
Troubleshooting issues in CIS templates
The following issues exist with workarounds for compliance analysis and remediation using CIS component templates:
- For the CIS - SuSE 11 template, the Cache creator job fails with Exit code 1 (without an error message) because of insufficient disk space or a timeout. It is recommended that you add more disk space and run the job again.
- Rule 3.16 in the CIS - RedHat Enterprise Linux 5 template does not work on a pure IPv6 RHEL5 target that was associated with the BMC Server Automation Application Server, because the IPV_PROTOCOL property value remains IPV4 and is not changed automatically to IPV6 for an IPv6 target.
- For rules 1.5.2 Set the SELinux state and 1.5.3 Set the SELinux policy of the CIS - RedHat Enterprise Linux 5 template, the target agent fails to restart after remediation is applied for these rules. For details about how to resolve this issue, see Step 9 in Installing only the RSCD agent (Linux and UNIX).
- For the CIS - RedHat Enterprise Linux 5/6 templates, if a target host has a staging directory configured under the /tmp partition (for example, /tmp/stage), remediation restricts permissions on the /tmp partition and causes the Remediation Job to fail with the following error:
  Unable to run bldeploycmd.X.bat (13:Permission denied)
  Workaround: Change the STAGING_DIR server property to /var/tmp/stage and run the job again.
- For rules in the CIS - Red Hat Enterprise Linux 5 template that use the findfiles cache, if a rule is non-compliant and remediation is run for that rule, then after remediation you must refresh the findfiles cache to reflect the remediation changes on the target server. If you do not refresh the findfiles cache, the rule continues to display non-compliant status after remediation. The following rules use the findfiles cache: 1.1.17, 5.3.12, 10.23, 10.24, 10.25, 10.26, and 10.27.
  By default, the findfiles cache is refreshed in the following cases:
  - When CACHE_HRS time elapses from the last time the cache was created
  - If the cache is not present on the target server in the staging directory
- For the 1.8.1, 1.8.15, 1.8.28, and 1.8.29 rules of the CIS - Windows Server 2008 template, the RSCD Agent modifies the permissions of the following Group Policy Objects (GPOs):
  - Deny log on locally: the RSCD Agent adds BladeLogicRSCD group permissions.
  - Manage auditing and security log: the RSCD Agent adds Administrators group permissions.
  - Access this computer from the network: the RSCD Agent adds Administrators group permissions.
  - Change the system time: the RSCD Agent adds Administrators group permissions.
  - Enable computer and user accounts to be trusted for delegation: if this GPO contains Administrators group permissions, the RSCD Agent removes this group from the GPO.
  Workaround: To prevent this issue, add a registry entry GrantMASL of type Binary or DWORD with value 0 under the BSA RSCD registry key HKEY_LOCAL_MACHINE\SOFTWARE\BladeLogic\RSCD Agent, and then restart the RSCD Agent. After you apply this workaround, the RSCD Agent no longer modifies any of the above GPOs.
- For the CIS - Windows Server 2008 template, after remediating network-related MSS Group Policy Object (GPO) rules on Domain Controller (DC) targets, the gpttmpl.inf file(s) are corrupted.
  Workaround: The issue occurs because lack of access to the sceregvl.inf file causes remediation to create spurious entries in the gpttmpl.inf files; these entries are invalid if they were not registered earlier. To resolve the issue, either provide access to the sceregvl.inf file or register the entries so that they become valid.
  To provide access to the sceregvl.inf file, run the following commands:
  C:\Windows\inf>takeown /f sceregvl.inf
  C:\Windows\inf>icacls sceregvl.inf /grant Administrators:(F)