Issues in DISA compliance analysis and remediation

This topic lists common issues encountered while running compliance analysis and remediation using DISA templates. The page also provides troubleshooting information wherever applicable.

Troubleshooting issues in DISA templates

You might encounter the following issues while running compliance analysis and remediation using DISA templates. Most of them can be avoided by taking the precautions described in the workarounds below.



Operating system: All Solaris
Affected rules: GEN001140, GEN001160, GEN001200, GEN001220, GEN001240, GEN001260, GEN001280, GEN001300, GEN001320, GEN001340, GEN001360
Issue and workaround: If a rule uses the findfiles cache, refresh the findfiles cache after remediation so that the remediation changes on the target server are reflected. If you do not refresh the cache, the rule continues to report a non-compliant status even after remediation completes successfully.

By default, the findfiles cache is refreshed in the following cases:

  • When CACHE_HRS hours have elapsed since the cache was last created
  • When the cache is not present in the staging directory on the target server

Tip: To ensure that the findfiles cache is always refreshed, set CACHE_HRS to 0.

Operating system: Red Hat Enterprise Linux 5
Affected rules: -
Issue and workaround: RPM-related rules fail if YUM (Yellowdog Updater, Modified) is not configured.

Workaround: Ensure that yum is configured and working.

Operating system: Red Hat Enterprise Linux 5
Affected rules: -
Issue and workaround: If your compliance job fails with the following error, set the local properties MAX_INFO_LINES and MAX_DISPLAY to 40,000:

com.bladelogic.om.infra.app.collector.AssetCollectionException: Error occurred during 'All files and directories contained in user home directories must have mode 0750 or less permissive' extended object execution: Unable to parse file: /opt/bmc/bladelogic/NSH/tmp/application_server/WorkItem-Thread-8_75dace97-74e7-4081-bd2d-9f8713e4f56e.ini: Parsing failed. Exceeded max line limit of 50000

Operating system: Red Hat Enterprise Linux 5
Affected rules: V-915
Issue and workaround: A home directory shared by several users is scanned separately for each user who shares it. This repeated scanning increases the time taken to run compliance for this rule.

Workaround: To exclude users from the home directory check, add them to the custom property UNIX_EXCLUDE_HOME_DIR_USER_LIST.

Operating system: Red Hat Enterprise Linux 5
Affected rules: -
Issue and workaround: Template-level jobs can take longer to finish if the home directory of some users is set to "/".

Workaround: Set the property UNIX_EXCLUDE_HOME_DIR_USER_LIST to the users whose home directory is set to "/".

Operating system: All Linux and UNIX
Affected rules: GEN001260
Issue and workaround: The rule checks and remediates system log file permissions. If the system logs roll over or syslog is restarted, the permissions of the log files are overwritten, so the rule is non-compliant on subsequent runs.

Workaround: Adjust the system log settings that control the rollover of log files so that the permissions set on existing files are not overwritten.

Operating system: All Linux
Affected rules: CAT I: 12.4.1.1-LNX00140
Issue and workaround: Remediation sets the GRUB password. You can provide the name of a user whose system password hash is used as the GRUB password: specify that user as the value of the USERNAME_FOR_GRUB_PASSWORD property in the DISA STIG Properties custom property class. The default value of this property is root.

Operating system: Windows 2008
Affected rules: -
Issue and workaround: Compliance jobs fail in the RCP client with a run status of Cancelled, but the job is still running in the background and extended object (EO) execution is in progress.

Workaround: Wait for the compliance job run to complete. If no errors occur during the run, the run status changes to Completed Successfully.

Operating system: All Linux and UNIX
Affected rules: GEN004020-GEN004320
Issue and workaround: Ensure that you have correctly entered the standard default paths of the browser directories (.netscape and .mozilla). Non-default paths are not considered.

Operating system: All Linux and UNIX
Affected rules: GEN005000
Issue and workaround: The Anonymous FTP Account Shell rule of the DISA templates for UNIX or Linux computers is not remediated in either of the following scenarios:
  • The target server does not have a valid non-login shell (one of /bin/true, /usr/bin/false, /bin/false, or /dev/null)
  • The shell is not defined as valid in the login configuration file (/etc/security/login.cfg)

Even when remediation reports success on such a target, the rule appears as non-compliant in subsequent runs.

Operating system: Red Hat Enterprise Linux 5
Affected rules: V-22491, V-12023, V-12030, and other kernel parameter-related rules
Issue and workaround: Rules are evaluated as non-compliant if multiple entries for the same parameter (which the OS accepts) are present in the configuration file sysctl.conf.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72015
Issue and workaround: The rule appears as non-compliant if a / character is appended to the end of the home directory. For example:
  • A home directory set as /home/Bill is correct
  • A home directory set as /home/Bill/ is incorrect

Operating system: Windows 2008 R2 DC
Affected rules: -
Issue and workaround: If Maximum password age is set to 0 in the Default Domain policy, SECEDIT reports the following value:
MaximumPasswordAge = -1

Operating system: All Linux
Affected rules: -
Issue and workaround: Compliance on a Linux server fails if a home directory starts with Unicode (non-ASCII) characters.

Operating system: All HP-UX
Affected rules: -
Issue and workaround: If the names of folders or files on the target server against which compliance is tested contain special characters, compliance fails with the following error:
subexpression backreference number

Operating system: Red Hat Enterprise Linux 5
Affected rules: -
Issue and workaround: A rule always evaluates as non-compliant after remediation if the /etc/audit/audit.rules file contained an invalid configuration before remediation.

Operating system: All Linux and UNIX
Affected rules: GEN005540
Issue and workaround: Remediation does not work on a target server whose /etc/hosts.allow file has no sshd entry.

Operating system: Red Hat Enterprise Linux 5
Affected rules: V-22470
Issue and workaround: The rule validates only AllowGroups and AllowUsers; it does not check effectively whether groups or users have been appended to the end of the AllowGroups and AllowUsers entries.

Operating system: All AIX
Affected rules: GEN001570/V-22352, GEN001490/V-22350
Issue and workaround: Rules that evaluate the ACLs of files or directories do not support NFS4 ACLs. These rules do not evaluate correctly if the files or directories have NFS4 ACLs.

Operating system: Solaris 10 (x86)
Affected rules: V-924
Issue and workaround: If the name of a non-compliant file contains a colon (for example, SolarisSolaris:), the rule evaluates as non-compliant and cannot be fixed by remediation.
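Several rows above come down to the contents of /etc/passwd: shared home directories (V-915), home directories set to "/", the trailing slash that trips V-72015, home directories starting with non-ASCII characters, and the anonymous FTP account shell (GEN005000). The following Python script is an added example and is not part of the BMC product or of the DISA templates. It reads passwd-format text, reports the entries that these rows say cause slow scans, false non-compliance or failed remediation, and builds a candidate value for UNIX_EXCLUDE_HOME_DIR_USER_LIST. It assumes that the property takes a comma-separated list of user names and that the FTP account is named ftp; it flags any non-ASCII character in a home path, which is broader than the "starts with Unicode characters" condition in the row above. The sample passwd content is constructed.

```python
"""Pre-flight audit of passwd entries for the home-directory and FTP-shell
conditions in the table above. Added example; not part of the BMC product."""
import os
from collections import defaultdict

# Non-login shells the GEN005000 row lists as valid for the anonymous FTP account
FTP_NOLOGIN_SHELLS = {"/bin/true", "/usr/bin/false", "/bin/false", "/dev/null"}

# Constructed sample passwd content (not captured from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bill:x:1001:1001:Bill:/home/Bill/:/bin/bash
alice:x:1002:1002:Alice:/home/shared:/bin/bash
bob:x:1003:1003:Bob:/home/shared:/bin/bash
svc:x:1004:1004:Service:/:/sbin/nologin
jos\u00e9:x:1005:1005:Jose:/home/jos\u00e9:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
"""


def parse_passwd(text):
    """Return (user, home, shell) tuples; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append((fields[0], fields[5], fields[6]))
    return entries


def audit_passwd(text, ftp_user="ftp"):
    """Map user -> list of findings matching the conditions described in the rows above:
    shared home (V-915), home set to /, trailing slash (V-72015), non-ASCII home,
    and an anonymous FTP account whose shell is not a non-login shell (GEN005000)."""
    entries = parse_passwd(text)
    users_by_home = defaultdict(list)
    for user, home, _shell in entries:
        users_by_home[home].append(user)

    findings = defaultdict(list)
    for user, home, shell in entries:
        if home == "/":
            findings[user].append("home is /")
        elif home.endswith("/"):
            findings[user].append("trailing slash in home")
        if len(users_by_home[home]) > 1:
            findings[user].append("shared home %s" % home)
        # The row says compliance fails when the home *starts* with Unicode characters;
        # flagging any non-ASCII character is deliberately broader (assumption).
        if not home.isascii():
            findings[user].append("non-ASCII home")
        if user == ftp_user and shell not in FTP_NOLOGIN_SHELLS:
            findings[user].append("ftp shell %s is not a non-login shell" % shell)
    return dict(findings)


def exclude_list(findings):
    """Candidate value for UNIX_EXCLUDE_HOME_DIR_USER_LIST: users whose home is /
    or is shared. Assumes the property takes a comma-separated list (check the
    property's help text in your template version)."""
    users = sorted(user for user, problems in findings.items()
                   if any(p == "home is /" or p.startswith("shared home") for p in problems))
    return ",".join(users)


if __name__ == "__main__":
    # Use the live file when run on a target, otherwise fall back to the sample.
    path = "/etc/passwd"
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="surrogateescape") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PASSWD
    result = audit_passwd(text)
    for user in sorted(result):
        print("%-12s %s" % (user, "; ".join(result[user])))
    print("UNIX_EXCLUDE_HOME_DIR_USER_LIST =", exclude_list(result))
```

Run it on the target (or through an NSH script against the target's /etc/passwd) before the compliance job; fix the trailing slash and the FTP shell in passwd, and paste the generated list into the property for the users you cannot change.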
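The GEN001260 row above says that log rollover overwrites the permissions the rule set, and the workaround only says to adjust the log settings. On Linux targets that rotate logs with logrotate (an assumption; Solaris uses logadm), the concrete setting is a create directive with a mode of 0640 or stricter in every stanza that rotates a system log, or copytruncate, which keeps the existing file and therefore its mode. The Python script below is an added example, not BMC's code, that audits logrotate configuration text for exactly that, following the logrotate(8) directive syntax; the configuration shown is constructed.

```python
"""Audit logrotate configuration for GEN001260: every rotated system log must be
recreated with mode 0640 or stricter, or truncated in place. Added example, not
BMC's code; assumes the logrotate(8) directive syntax."""
import re

MAX_LOG_MODE = 0o640  # GEN001260: system log files must be 0640 or less permissive

# Constructed sample configuration (not from a real host)
SAMPLE_LOGROTATE = """\
weekly
create 0644 root root

/var/log/messages /var/log/secure {
    missingok
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/var/log/cron {
    create 0600 root root
}

/var/log/maillog {
    copytruncate
}

/var/log/wtmp {
    create 0664 root utmp
}
"""

SCRIPT_DIRECTIVES = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}


def parse_logrotate(text):
    """Return (global_directives, stanzas); stanzas are (paths, directives) and a
    directive is (name, args). Script bodies up to endscript are skipped."""
    global_directives, stanzas = [], []
    current, in_script = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if in_script:
            in_script = line != "endscript"
            continue
        if line.endswith("{"):
            current = (line[:-1].split(), [])
            continue
        if line == "}":
            stanzas.append(current)
            current = None
            continue
        name, args = line.split()[0], line.split()[1:]
        if name in SCRIPT_DIRECTIVES:
            in_script = True
            continue
        (global_directives if current is None else current[1]).append((name, args))
    return global_directives, stanzas


def effective_create(global_directives, stanza_directives):
    """Apply logrotate precedence (stanza overrides global). Returns
    ("explicit", mode) for 'create 0640 ...', ("inherit", None) for a bare
    'create' (mode copied from the old file), or ("none", None) when
    creation is left to the logging daemon."""
    state, mode = "none", None
    for name, args in global_directives + stanza_directives:
        if name == "nocreate":
            state, mode = "none", None
        elif name == "create":
            if args and re.fullmatch(r"[0-7]{3,4}", args[0]):
                state, mode = "explicit", int(args[0], 8)
            else:
                state, mode = "inherit", None
    return state, mode


def mode_is_ok(mode, limit=MAX_LOG_MODE):
    """True when mode grants no permission bit that limit does not grant."""
    return (mode & ~limit) == 0


def audit_logrotate(text, limit=MAX_LOG_MODE):
    """Map each log path to a finding, or None when rotation preserves a mode at or below limit."""
    global_directives, stanzas = parse_logrotate(text)
    results = {}
    for paths, directives in stanzas:
        if any(name == "copytruncate" for name, _ in directives):
            finding = None  # file is truncated in place; inode, owner and mode are unchanged
        else:
            state, mode = effective_create(global_directives, directives)
            if state == "none":
                finding = "no create directive: the daemon recreates the file with its own default mode"
            elif state == "explicit" and not mode_is_ok(mode, limit):
                finding = "create mode %04o is more permissive than %04o" % (mode, limit)
            else:
                finding = None
        for path in paths:
            results[path] = finding
    return results


if __name__ == "__main__":
    for path, finding in sorted(audit_logrotate(SAMPLE_LOGROTATE).items()):
        print("%-20s %s" % (path, finding or "ok"))
```

In the sample, the global create 0644 leaks into the messages and secure stanza, which is exactly the case the row describes: the next rotation recreates the files world-readable and the rule flips back to non-compliant. Where a stanza has no create directive at all, the logging daemon recreates the file with its own default mode after the HUP; for rsyslog that is the $FileCreateMode directive, which should then also be set to 0640.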

Important

Ensure that you have gone through the following points before you run the compliance checks or perform remediation:

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
  • Leave DOMAIN property blank for member servers and standalone systems.
  • For rule V-73263 ensure that you set the APPLICATION_ACCOUNTS and DOMAIN_ACCOUNTS_WITH_CAC Template properties to True to exclude users in policy.
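The Red Hat Enterprise Linux 5 row for V-22491, V-12023, V-12030 and the other kernel parameter-related rules says the templates report non-compliant as soon as a parameter appears more than once in sysctl.conf, although the kernel accepts repeats and simply applies the last one. The Python script below is an added example rather than BMC's code: it finds such repeats before a compliance run and rewrites the file so that each key appears once with the value the kernel would have applied. It assumes sysctl.conf(5) syntax, including "/" as an alternative separator that it normalises to "."; the sample file is constructed.

```python
"""Find and collapse repeated keys in sysctl.conf before running the kernel-parameter
rules. Added example, not BMC's code; assumes sysctl.conf(5) syntax."""

# Constructed sample (not from a real host): two keys appear twice
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
kernel.exec-shield = 1
net.ipv4.ip_forward=1
net/ipv4/conf/all/accept_source_route = 0
kernel.randomize_va_space = 2
"""


def _split_key_value(raw):
    """Return (key, value) for a 'key = value' line, or None for blank, comment and
    malformed lines. '/' is normalised to '.' because sysctl accepts both separators
    (assumption: keys with a literal '.' inside an interface name are not handled)."""
    line = raw.split("#", 1)[0].strip()
    if not line or line.startswith(";") or "=" not in line:
        return None
    key, value = line.split("=", 1)
    return key.strip().replace("/", "."), value.strip()


def parse_sysctl(text):
    """Ordered list of (key, value) pairs in file order."""
    return [kv for kv in (_split_key_value(raw) for raw in text.splitlines()) if kv]


def find_duplicate_keys(text):
    """Map each key that appears more than once to its values in file order. The kernel
    applies the last value; the DISA templates report any repeat as non-compliant."""
    seen = {}
    for key, value in parse_sysctl(text):
        seen.setdefault(key, []).append(value)
    return {key: values for key, values in seen.items() if len(values) > 1}


def dedupe_sysctl(text):
    """Rewrite the file so each key appears once, at its first position, carrying the
    last value (the one the kernel would have applied). Comments and blank lines are kept."""
    last_value = dict(parse_sysctl(text))
    emitted, out = set(), []
    for raw in text.splitlines():
        kv = _split_key_value(raw)
        if kv is None:
            out.append(raw)
            continue
        key = kv[0]
        if key in emitted:
            continue
        emitted.add(key)
        out.append("%s = %s" % (key, last_value[key]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, values in find_duplicate_keys(SAMPLE_SYSCTL_CONF).items():
        print("%s appears %d times: %s (kernel keeps %s)" % (key, len(values), values, values[-1]))
    print(dedupe_sysctl(SAMPLE_SYSCTL_CONF))
```

Review the duplicates before applying the rewrite: a repeated key with different values usually means two administrators or two packages disagree about the setting, and the value the kernel silently keeps is not necessarily the one the STIG requires.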

Limitations of DISA templates

The following limitations exist for compliance analysis and remediation using DISA component templates.



Operating system: Windows Server 2016
Affected rules: V-73249
Limitation: Because multiple permissions for a single user cannot be handled in compliance, only one of the three user group permissions is checked.

Operating system: Windows Server 2016
Affected rules: V-73759, V-73763, V-73767, V-73771
Limitation: Remediation does not work on member servers (MS).

Operating system: Windows Server 2016
Affected rules: V-73259
Limitation: The rule does not check for user accounts that have never logged in.

Operating system: Windows Server 2016
Affected rules: V-73763
Limitation: After remediation, the Windows Diagnostic Service (wdiServiceHost) is added to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Deny log on as a batch job. Note that on a member server the guest groups should have been added to the policy instead of wdiServiceHost.

Operating system: Windows Server 2016
Affected rules: V-73263
Limitation: You must set values for the following local properties:
  • APPLICATION_ACCOUNTS
  • DOMAIN_ACCOUNTS_WITH_CAC

Operating system: Solaris 11 (SPARC)
Affected rules: V-48119, V-48207
Limitation: Remediation cannot be performed.

Operating system: All Solaris
Affected rules: GEN000240, GEN006080, GEN006220, GEN005220, GEN005600, GEN001980, GEN004400, GEN004420
Limitation: These rules always appear as non-compliant on a Solaris target.

Operating system: All Solaris, HP-UX, and AIX
Affected rules: GEN006640
Limitation: The Virus Protection Software rule fails with the following error:
FORCEFIND=n: 0403-009 The specified number is not valid for this command.

Operating system: All Linux and UNIX
Affected rules: GEN000400, GEN000420
Limitation: Remediation is common to both rules. If remediation is run for one rule, the other rule is also remediated and appears as compliant in subsequent runs.

Operating system: All Linux and UNIX
Affected rules: GEN004900, GEN004780
Limitation: Remediation is common to both rules. If remediation is run for one rule, the other rule is also remediated and appears as compliant in subsequent runs.

Operating system: Windows Server 2008 R2 DC
Affected rules: V-15996, V-15997, V-15998, V-15999, V-1600
Limitation: The rules always appear as compliant.

Operating system: Windows Server 2008 DC/MS
Affected rules: -
Limitation: Auditpol remediation is not implemented.

Operating system: Red Hat Enterprise Linux 5
Affected rules: V-22317
Limitation: Rule evaluation takes a long time.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71927
Limitation: The DISA checklist recommends that the interval for updating the password be less than 24 hours. Because this interval is too short to be of practical use, BMC checks whether the interval defined for updating the password is equal to or greater than 24 hours.

Operating system: Windows Server 2003
Affected rules: -
Limitation: Rules are not marked as exceptions in compliance, even if the IAO document explanation is provided for the rules in the DISA checklist.

Operating system: Windows Server 2008 DC/MS
Affected rules: V-1080
Limitation: The rule is always evaluated as non-compliant.

Operating system: Windows Server 2003 DC/MS
Affected rules: -
Limitation: Remediation fails with the following error while updating Security Settings\Local Policies\User Rights Policy:
Error 1332: No mapping between account names and security IDs was done.

Operating system: Windows Server 2003 DC
Affected rules: V-1089, V-1097, V-1099, V-3384, V-8327, V-26359
Limitation: Remediation is not performed successfully.

Operating system: Windows Server 2012 DC
Affected rules: V-1099
Limitation: The rule always evaluates as non-compliant.

Operating system: Windows Server 2012 DC
Affected rules: V-8316
Limitation: The rule evaluates as compliant even if permissions for additional users are added on the file.

Operating system: Windows Server 2016
Affected rules: V-73259, V-73265, V-73267, V-73269, V-73277, V-73287, V-73289, V-73291, V-73293, V-73295, V-73297, V-73299, V-73301
Limitation: Compliance check and remediation are not performed. Evaluating these rules requires additional information from the end user, because the information (for example, user and role expiry, unused files, and so on) is stored in an external system.

Operating system: Windows Server 2016
Affected rules: V-73239
Limitation: Compliance check and remediation are not performed. Remediation requires patching the system to the required patch level, which is beyond the scope of rule remediation. Use the BMC patching solution to mitigate this.

Operating system: Windows Server 2016
Affected rules: V-73623, V-73625, V-73685, V-73309, V-73313, V-73271
Limitation: Compliance check and remediation are not performed. The remediation might render the server inaccessible to the user or service.

Operating system: Windows Server 2016
Affected rules: V-73405, V-73407, V-73409, V-73411, V-73369, V-73371, V-73249, V-73251, V-73253, V-73255
Limitation: Compliance check and remediation are not performed. The remediation requires an update of permissions on the system for which no API is available. Additionally, this may require approval based on organizational processes and policies.

Operating system: Windows Server 2016
Affected rules: V-73247
Limitation: Compliance check and remediation are not performed. Remediation may require reformatting the disk, which could lead to data loss or corruption.

Operating system: Windows Server 2016
Affected rules: V-73509
Limitation: Compliance check and remediation are not performed. The remediation is fairly complex and involves updating multiple registry entries, which can cause errors.

Operating system: Windows Server 2016
Affected rules: V-73307
Limitation: Compliance check and remediation are not performed. Updating the time may affect applications running on the operating system. This is governed by organizational policy and processes, which cannot be implemented generically.

Operating system: Windows Server 2016
Affected rules: V-73223, V-73231
Limitation: Compliance check and remediation are not performed. The remediation requires user input together with a password policy that must be maintained by the organization.

Operating system: Windows Server 2016
Affected rules: V-73217, V-73219, V-73221, V-73225, V-73227, V-73229, V-73233, V-73235, V-73237, V-73241, V-73243, V-73245, V-73273, V-73275, V-73279, V-73281, V-73401, V-73403
Limitation: These rules must be checked and remediated manually. They are informational rules that require manual interpretation; the checklist neither recommends nor provides specific commands for checking them.

Operating system: Windows Server 2016
Affected rules: V-73605, V-73607, V-73609, V-73611, V-73613, V-73615
Limitation: These rules must be checked and remediated manually. They require the end user to import and register the certificates provided by DISA, and no API or command is available to validate that.

Operating system: Windows Server 2016
Affected rules: V-73383
Limitation: This rule must be checked and remediated manually. It refers to the organization's network diagram and documentation of the classification level of the Windows domain controller; it is an informational rule and cannot be automated.

Operating system: Windows Server 2016
Affected rules: V-73257, V-73303, V-73305, V-73373, V-73375, V-73377, V-73381, V-73385, V-73389, V-73391, V-73393, V-73395, V-73397, V-73399
Limitation: These rules must be checked and remediated manually. Windows exposes no command or API to automate the check.

Operating system: Windows Server 2016
Affected rules: V-73723, V-73725, V-73727
Limitation: These rules must be checked and remediated manually. The BSA asset currently does not provide an option to access the user registry; this requires a product enhancement.

Operating system: Windows Server 2016
Affected rules: V-73283, V-73285
Limitation: These rules must be checked and remediated manually. Currently no command provides the expected result of Search-ADAccount.

Operating system: Red Hat Enterprise Linux 5 and 6
Affected rules: -
Limitation: The target-level property EXCLUDED_DIR does not accept multiple folders.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71849, V-71855, V-72047
Limitation: These rules check for compliance but do not provide remediation. The remediation requires an update of system permissions for which no APIs are available. Additionally, this may require approval based on organizational processes and policies.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71985, V-72057, V-72079, V-72019, V-72271, V-72273, V-72277, V-72279, V-72315, V-72223, V-72275
Limitation: These rules check for compliance but do not provide remediation. Remediation might leave the system in an irrecoverable state.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72043, V-72045, V-73161, V-72059, V-72061, V-72069, V-72065, V-72311, V-71861, V-72225, V-71895, V-73155, V-73157, V-71973
Limitation: These rules check for compliance but do not provide remediation. Edited file entries require manual intervention to take effect.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72067, V-72071, V-72073, V-72213, V-72215, V-72281, V-72295, V-72317, V-73177, V-72217, V-71897
Limitation: These rules check for compliance but do not provide remediation. A system administrator must approve configuration changes based on organizational processes and policies.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71919, V-71933, V-71937, V-71943, V-71945, V-71947, V-71949, V-71961, V-71963, V-72313
Limitation: These rules check for compliance but do not provide remediation. The remediation requires user input to create passwords based on organizational policy.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71965, V-72435, V-72075
Limitation: These rules check for compliance but do not provide remediation. Remediation depends on peripheral devices and, if automated, can leave the resource inaccessible to the user or service.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-71891, V-71893, V-71901, V-71997
Limitation: These rules check for compliance but do not provide remediation. Additional information is needed from the end user to update the system configuration and comply with organizational policies.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72035, V-72039, V-72001, V-72215, V-72271, V-72307, V-71971, V-71999, V-72075, V-71975
Limitation: These rules must be checked and remediated manually. They are informational rules that require manual interpretation; the checklist does not recommend any commands for checking these conditions.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72041, V-72095
Limitation: These rules must be checked and remediated manually. No APIs or commands are available to validate them.

Operating system: Red Hat Enterprise Linux 7
Affected rules: V-72433
Limitation: This rule must be checked and remediated manually. It requires the end user to import and register the certificates suggested by DISA, which cannot be automated.

Limitations in rollback of DISA compliance remediation

The following issues exist in the behavior of certain DISA compliance rules during an undo operation. These issues represent the expected, default behavior (although different from the typical behavior of most other compliance rules).

Operating system: Windows Server 2016
Affected rules: V-73651, V-73657, V-73659
Issue: The undo operation on the remediation (for GPO registry rules) does not succeed on the first attempt. It succeeds only on the second attempt.

Operating system: -
Affected rules: GEN006600
Issue: The rule changes from non-compliant to compliant (and vice versa) if Undo is run for either of the following rules:
  • GEN000440 (adds a daemon logging entry to the syslog.conf file)
  • GEN004460 (adds a mail logging entry to the syslog.conf file)

Operating system: -
Affected rules: GEN002120
Issue: The rule does not have an Undo script.

Operating system: -
Affected rules: GEN004880
Issue: The rule changes to non-compliant when Undo is run for either of the following rules, and changes to compliant when remediation is run for either of them:
  • GEN004800 (ensures AORL use for documenting unencrypted FTP and Telnet)
  • GEN004760 (FTP and Telnet Status)

Operating system: -
Affected rules: GEN001420
Issue: Undo does not work when rule GEN00560 or rule GEN00540 runs a passwd command during remediation, which resets the permissions of the /etc/shadow file.

Operating system: -
Affected rules: GEN001380
Issue: Undo does not work when rule GEN005000 or rule GEN005120 runs a usermod command during remediation, which resets the permissions of the /etc/passwd file.

Operating system: Windows Server 2003
Affected rules: -
Issue: Template-level rollback (undoing remediation performed on all non-compliant rules) might fail because the Terminal Services Session Directory service can remain in a waiting status for longer than expected.

Related topics

Reviewing properties in Compliance Content custom classes
