Reviewing properties in Compliance Content custom classes

Before running a Compliance Job for the first time based on any of the Compliance Content component templates, review the values of the editable, local properties included in the various Compliance Content custom property classes (as listed in the following tables). If the default values do not match your environment, tailor these property values to the unique needs of your local system.

The following sections list the properties in each of the Compliance Content custom property classes.

For more information about setting property values, see Setting values for system object properties.

Properties in the custom CIS Properties class

The following CIS properties are included in the custom CIS Properties class. Tailor these property values to the unique needs of your local system.

Note

The CIS Properties custom property class is provided with the following out-of-the-box instances, which store default property values for different server configurations:

  • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
  • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
  • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
  • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • LEGACY_MEMBER_SERVER, for a Member Server with legacy security (not EC or SSLF)
  • LEGACY_DOMAIN_CONTROLLER, for a Domain Controller with legacy security (not EC or SSLF)

Property

Description

Default value

ACCESS_THIS_COMPUTER_FROM_NETWORK

Additional users on the network that are allowed to connect to this computer.

Separate multiple account names with commas.

For Member Server: BUILTIN\Administrators, NT AUTHORITY\Authenticated Users

For Domain Controller: BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

ACCOUNT_LOCKOUT_THRESHOLD

The number of failed logon attempts allowed before a user is locked out of an account

For Enterprise Client (EC) security: 15
For SSLF: 10

ADD_WORKSTATION_TO_DOMAIN

Users that are allowed to add computer workstations to a specific domain

For Domain Controller: BUILTIN\Administrators
No default value for Member Server

ANONYMOUS_ENUMERATION_OF_SAM_ACCOUNTS_AND_SHARES

Anonymous enumeration of SAM accounts and shares

1

ANONYMOUS_NAMED_PIPES

The communication sessions, or pipes, that will have attributes and permissions that allow anonymous access

For Domain Controller with SSLF:
netlogon,lsarpc,samr,browser

For Member Server with SSLF: browser

No default value for EC security

BYPASS-SERVER-CHECKING

Users with no Traverse Folder access permission that are allowed to pass through folders as they browse NTFS or the registry

None for Domain Controller with EC

For Member Server with EC: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, BUILTIN\Backup Operators

For Domain Controller with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\Authenticated Users

For Member Server with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users

CIS_LEGAL_NOTICE_TEXT

The text message that displays when a user logs on

No default value; replace with the legal notice text of your organization

CIS_LEGAL_TITLE_TEXT

The text that appears in the title bar of the windows that are displayed when a user logs on to the system

No default value; replace with the legal text title of your organization

COMPUTER_AND_USER_ACCOUNTS_TO_BE_TRUSTED

Computer and user accounts to be trusted on Windows 2012.

DEBUG_PROGRAMS

User accounts that are allowed to attach a debugger to any process or the kernel.
A debugger allows a user to view and manipulate the memory and execution context of any process.

On Member Server with EC: BUILTIN\Administrators
Otherwise, no default value

DO_NOT_ALLOW_ANONYMOUS_ENUM_OF_SAM_ACCOUNTS_AND_SHARES

Do not allow anonymous enumeration of SAM accounts and shares

1

FORCE_SHUTDOWN_FROM_REMOTE_SYSTEM

Force shutdown from a remote system

FORCE_STRONG_KEY_PROTECT

Force strong key for protection

GENERATE_SECURITY_AUDITS

Users that are allowed to produce audit records in the Security log

NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE

No default value on Domain Controller with EC security

HPUX_EXCLUDE_HOME_DIR_USER_LIST

HP-UX user accounts whose home directories should not be scanned

IS_REM_SSLF

Used in the remediation of auditpol rules.

MANAGE_AUDITING_AND_SECURITY_LOG

Manage auditing and security log

Administrators

MAX_USER_TICKET_LIFETIME

Maximum lifetime for user ticket renewal

Set according to whether the computer is a Windows Domain Controller (DC) or Member Server (MS)

MIN_PASSWORD_LENGTH

The minimum number of characters that a user password must contain

For Enterprise Client (EC) security: 8
For SSLF: 12

MODIFY_FIRMWARE_ENVIRONMENT_VALUES

Modify firmware environment values

NETWORK_LAN_MANAGER_AUTHENTICATION_LEVEL

LAN Manager authentication level for network logons

PERFORM_VOLUME_MAINTENANCE_TASKS

Users that are allowed to manage the system's volume or disk configuration

No default for EC
For SSLF: BUILTIN\Administrators

REMOTELY_ACCESSIBLE_REGISTRY_PATHS

The registry paths that can be accessed remotely

No default for EC
For SSLF: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

REMOVE_COMPUTER_FROM_DOCKING_STATION

Remove computer from the docking station

Administrators

RESTORE_FILES_DIRS

Users that are allowed to bypass file, directory, registry, and other persistent object permissions when restoring backed-up data

No default for SSLF
For EC security: BUILTIN\Backup Operators

STRONG_PROTECTION_USER_KEY

Force strong key protection for user keys stored on the computer

Set according to whether the computer is a Windows Domain Controller (DC) or Member Server (MS)

Unix System Accounts

UNIX System Accounts

root,rdsmon,rdsroot,bin,daemon,adm,
lp,sync,shutdown,halt,
mail,news,uucp,operator,games,
gopher,nobody,rpm,dbu
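As an added example (not part of this page and not BladeLogic's own code), the following Python script shows the kind of comparison a Compliance Job makes for three of the properties above. It reads a security-policy export in the INF layout written by `secedit /export /cfg <file>` and checks MinimumPasswordLength, LockoutBadCount and the holders of SeDebugPrivilege against the EC/SSLF defaults from the table, selected by the instance name. The INF text is constructed (real exports are UTF-16 and contain many more keys), the SID-to-name map covers only two well-known SIDs, and treating "no default value" as "report for review rather than fail" is this example's assumption.

```python
"""Added example, not BMC's code: compare a Windows security-policy export with
the EC/SSLF defaults from the CIS Properties table. SAMPLE_INF is a constructed
stand-in for the file written by `secedit /export /cfg <file>`."""

# Defaults copied from the table on this page, keyed by the out-of-the-box
# instance of the CIS Properties class. None means the page lists no default,
# so the value is left for manual review instead of being judged (assumption).
INSTANCE_DEFAULTS = {
    "ENTERPRISE_MEMBER_SERVER": {
        "MIN_PASSWORD_LENGTH": 8, "ACCOUNT_LOCKOUT_THRESHOLD": 15,
        "DEBUG_PROGRAMS": {"BUILTIN\\Administrators"},
    },
    "ENTERPRISE_DOMAIN_CONTROLLER": {
        "MIN_PASSWORD_LENGTH": 8, "ACCOUNT_LOCKOUT_THRESHOLD": 15,
        "DEBUG_PROGRAMS": None,
    },
    "SSLF_MEMBER_SERVER": {
        "MIN_PASSWORD_LENGTH": 12, "ACCOUNT_LOCKOUT_THRESHOLD": 10,
        "DEBUG_PROGRAMS": None,
    },
    "SSLF_DOMAIN_CONTROLLER": {
        "MIN_PASSWORD_LENGTH": 12, "ACCOUNT_LOCKOUT_THRESHOLD": 10,
        "DEBUG_PROGRAMS": None,
    },
}

# Well-known SIDs that secedit writes for the accounts named in the table.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed export: lockout threshold too high, Backup Operators can debug.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 20
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse INF text into {section: {key: value}}; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def account_names(value):
    """Turn '*S-1-5-32-544,*S-1-5-...' into friendly names (unknown SIDs kept)."""
    names = set()
    for token in value.split(","):
        sid = token.strip().lstrip("*")
        if sid:
            names.add(WELL_KNOWN_SIDS.get(sid, sid))
    return names


def evaluate(inf_text, instance):
    """Return (property, actual, expected) findings; empty means compliant."""
    expected = INSTANCE_DEFAULTS[instance]
    inf = parse_inf(inf_text)
    access = inf.get("System Access", {})
    rights = inf.get("Privilege Rights", {})
    findings = []

    min_len = int(access.get("MinimumPasswordLength", "0"))
    if min_len < expected["MIN_PASSWORD_LENGTH"]:
        findings.append(("MIN_PASSWORD_LENGTH", min_len, expected["MIN_PASSWORD_LENGTH"]))

    # 0 means "never lock out", so anything outside 1..threshold is a finding.
    lockout = int(access.get("LockoutBadCount", "0"))
    if not 1 <= lockout <= expected["ACCOUNT_LOCKOUT_THRESHOLD"]:
        findings.append(("ACCOUNT_LOCKOUT_THRESHOLD", lockout, expected["ACCOUNT_LOCKOUT_THRESHOLD"]))

    holders = account_names(rights.get("SeDebugPrivilege", ""))
    if expected["DEBUG_PROGRAMS"] is not None and holders != expected["DEBUG_PROGRAMS"]:
        findings.append(("DEBUG_PROGRAMS", sorted(holders), sorted(expected["DEBUG_PROGRAMS"])))
    return findings


if __name__ == "__main__":
    for inst in ("ENTERPRISE_MEMBER_SERVER", "SSLF_MEMBER_SERVER"):
        print(inst)
        for prop, actual, wanted in evaluate(SAMPLE_INF, inst):
            print(f"  {prop}: actual={actual} expected={wanted}")
```

Running the script evaluates the same export against two instances: the EC Member Server instance flags the lockout threshold and the extra debug-privilege holder, while the SSLF Member Server instance flags the password length and the lockout threshold but leaves the debug right for review because the table gives it no SSLF default.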


Properties in the custom CIS AIX Properties class

The following CIS properties for an AIX platform are included in the custom CIS AIX Properties class. All of these properties correspond to AIX configuration attributes or parameters with the same names.

Note

The CIS AIX Properties custom property class is provided with the following out-of-the-box instances, for different levels of security. Property values in these instances differ from the default values listed below.

  • HIGH_LEVEL_POLICY
  • LOW_LEVEL_POLICY
  • MEDIUM_LEVEL_POLICY

Property             Source of AIX attribute          Default value
HISTEXPIRE           /etc/security/user               13
HISTSIZE             /etc/security/user               20
IP6SRCROUTEFORWARD   Network option (/usr/sbin/no)    0
IPFORWARDING         Network option (/usr/sbin/no)    0
IPIGNOREREDIRECTS    Network option (/usr/sbin/no)    3
IPSENDREDIRECTS      Network option (/usr/sbin/no)    0
IPSRCROUTESEND       Network option (/usr/sbin/no)    0
LOGINDELAY           /etc/security/login.cfg          10
LOGINDISABLE         /etc/security/login.cfg          10
LOGININTERVAL        /etc/security/login.cfg          300
LOGINREENABLE        /etc/security/login.cfg          360
LOGINRETRIES         /etc/security/login.cfg          3
LOGINTIMEOUT         /etc/security/login.cfg          30
MAXAGE               /etc/security/user               13
MAXEXPIRED           /etc/security/user               2
MAXREPEATS           /etc/security/user               2
MINAGE               /etc/security/user               1
MINALPHA             /etc/security/user               2
MINDIFF              /etc/security/user               4
MINLEN               /etc/security/user               8
MINOTHER             /etc/security/user               2
RLOGIN               /etc/security/user               false
SOCKTHRESH           Network option (/usr/sbin/no)    60
TCP_TCPSECURE        Network option (/usr/sbin/no)    7
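As an added example (not part of this page and not BladeLogic's own code), the following Python script compares an AIX host's settings with the defaults in the table above. It parses the stanza layout of /etc/security/user and /etc/security/login.cfg and the `name = value` lines printed by `no -a`, then reports every attribute whose value differs from the table. The three input texts are constructed stand-ins for the real files and command output; comparing by equality, looking up login.cfg attributes in the default stanza first and then in any other stanza, and reading attribute names as the lower-case form of the property names are this example's assumptions.

```python
"""Added example, not BMC's code: compare AIX settings with the CIS AIX
Properties defaults from the table above. USER_FILE, LOGIN_CFG and NO_OUTPUT are
constructed stand-ins for /etc/security/user, /etc/security/login.cfg and the
output of `no -a`; on a real host you would read those instead."""

# Defaults copied from the table, grouped by where the attribute lives. The
# attribute names on the host are the lower-case form of the property names.
CIS_AIX_DEFAULTS = {
    "user": {"HISTEXPIRE": "13", "HISTSIZE": "20", "MAXAGE": "13", "MAXEXPIRED": "2",
             "MAXREPEATS": "2", "MINAGE": "1", "MINALPHA": "2", "MINDIFF": "4",
             "MINLEN": "8", "MINOTHER": "2", "RLOGIN": "false"},
    "login.cfg": {"LOGINDELAY": "10", "LOGINDISABLE": "10", "LOGININTERVAL": "300",
                  "LOGINREENABLE": "360", "LOGINRETRIES": "3", "LOGINTIMEOUT": "30"},
    "no": {"IP6SRCROUTEFORWARD": "0", "IPFORWARDING": "0", "IPIGNOREREDIRECTS": "3",
           "IPSENDREDIRECTS": "0", "IPSRCROUTESEND": "0", "SOCKTHRESH": "60",
           "TCP_TCPSECURE": "7"},
}

# Constructed /etc/security/user: weak minlen/maxrepeats, rlogin left enabled.
USER_FILE = """\
default:
        admin = false
        histexpire = 13
        histsize = 20
        maxage = 13
        maxexpired = 2
        maxrepeats = 8
        minage = 1
        minalpha = 2
        mindiff = 4
        minlen = 6
        minother = 2
        rlogin = true

root:
        admin = true
        rlogin = false
"""

# Constructed /etc/security/login.cfg: retries unlimited, timeout in usw stanza.
LOGIN_CFG = """\
default:
        logindelay = 10
        logindisable = 10
        logininterval = 300
        loginreenable = 360
        loginretries = 0

usw:
        shells = /bin/sh,/bin/ksh
        logintimeout = 30
"""

# Constructed `no -a` output: several network options off the CIS values.
NO_OUTPUT = """\
                ip6srcrouteforward = 1
                      ipforwarding = 0
                 ipignoreredirects = 3
                   ipsendredirects = 1
                    ipsrcroutesend = 0
                        sockthresh = 85
                     tcp_tcpsecure = 0
"""


def parse_stanzas(text):
    """Parse AIX 'name:' stanzas into {stanza: {attr: value}}; '*' starts a comment."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def parse_no(text):
    """Parse `no -a` output, one 'name = value' per line."""
    values = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            values[key] = value
    return values


def stanza_value(stanzas, attr):
    """Look in the default stanza first, then in any other stanza."""
    for name in ["default"] + [s for s in stanzas if s != "default"]:
        if attr in stanzas.get(name, {}):
            return stanzas[name][attr]
    return None


def evaluate(user_text, login_text, no_text):
    """Return (property, actual, expected) for every attribute off the table value."""
    sources = {"user": parse_stanzas(user_text), "login.cfg": parse_stanzas(login_text),
               "no": parse_no(no_text)}
    findings = []
    for source, props in CIS_AIX_DEFAULTS.items():
        for prop, expected in props.items():
            attr = prop.lower()
            actual = sources[source].get(attr) if source == "no" \
                else stanza_value(sources[source], attr)
            if actual != expected:
                findings.append((prop, actual, expected))
    return findings


if __name__ == "__main__":
    for prop, actual, expected in evaluate(USER_FILE, LOGIN_CFG, NO_OUTPUT):
        print(f"{prop}: actual={actual} expected={expected}")
```

Note that the per-user root stanza's `rlogin = false` does not hide the finding: the default stanza is what applies to every account that does not override it, so that is the value checked. A missing attribute is reported with an actual value of None rather than silently passing.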

Properties in the custom DISA STIG Properties class

The following DISA properties are included in the custom DISA Properties class. Tailor these property values to the unique needs of your local system.

Property

Description

Default value

AIX_Audit_bin1

Path to the /audit/bin1 directory, defined in the bin stanza of /etc/security/audit/config

??AIX_Audit_Directory??/bin1

AIX_Audit_bin2

Path to the /audit/bin2 directory, defined in the bin stanza of /etc/security/audit/config

??AIX_Audit_Directory??/bin2

AIX_Audit_Directory

Path to the /audit directory, defined in the bin stanza of /etc/security/audit/config

/audit

AIX_Audit_trail

Path to the /audit/trail directory, defined in the bin stanza of /etc/security/audit/config

??AIX_Audit_Directory??/trail

MANAGE_AUDITING_AND_SECURITY_LOG

Name of group that manages the auditing and security log

Auditors

Ensure that the Auditors group (the default value for this property) is present on the target server.

Unix Application Accounts

UNIX application accounts for DISA.
Separate multiple account names with commas.

smmsp,CBIF,JDISS,SSO,SM,gccsrv,
gtnsmint,irc,Imadmin,netadmin,news,
sm,GCCS,ingres,apache,oracle,oracle7,
oracle8,oracle9, Oracle9i,informix,news,
sybase,tivoli,mqm,www,ftp,tftp,hpdb,
gccs,gcss,COE,esm,ita,sshd,invscout,
ov,openview,predmail,snmp,smtp,xfs,
rpm,gdm

Unix Application Groups

UNIX application groups for DISA.
Separate multiple group names with commas.

smmsp,CBIF,JDISS,SSO,SM,gccsrv,gtnsmint,
irc,Imadmin,netadmin,news,sm,GCCS,ingres,
apache,oracle,oracle7,oracle8,oracle9,
Oracle9i,informix,news,sybase,tivoli,mqm,
www,ftp,tftp,hpdb,gccs,gcss,COE,esm,ita,
sshd,invscout,ov,openview,predmail,snmp,
smtp,xfs,rpm,gdm

Unix Services

UNIX services for DISA.
Separate multiple names of services with commas.

recserv,shell,http,imap,comsat,ssh,klogin,
kshell,ita,esm,ncpm,tivoli,dtspc,admind,
chargen,echo,news,nntp,etherstatd,fingerd,
ftpd,ICQ,server,identd,nit,sysstat,nsed,
nsemntd,pfilt,portd,quak,ed,rexd,
rexecd,rje_mapper,rlogind,rpc_3270,rpcbind,
rpc_alias,rpc_database,rpc_keyserv,
rpc_sched,rqu,otad,rsh,rstatd,rusersd,
selectd,serverd,showfhd,sprayd,statmon,
sunlink_mapper,talkd,telnetd,tfsd,tf,
tpd,timed,ttdb,ugidd,uucpd,pop,pop3,
sendmail,walld

Unix System Accounts

UNIX system accounts for DISA.
Separate multiple account names with commas.

root,daemon,bin,sys,adm,smtp,uucp,
nuucp,listen,lpd,lp,ingres,oracle,
oracle7,oracle8,oracle9,oracle9i,informix,
news,nobody,nobody4,noaccess,
sybase,tivoli,www,ftp,tftp,hpdb,sshd,
invscout,gccs,secm,an,sysadmin,install,
staff,COE,tracker,predmail,snmp,inews,
smmsp,sm,spmadmin,share,
BIF,GCCS,JDISS,SA,SSO,SM,
ftp,gccsrv,gtnsmint,irc,Imadmin,imadmin,
netadmin,oradba,halt,mail,rpm,
vcsa,nscd,rpc,rpcuser,mailnull,
pcap,xfs,ntp,gdm,sync,shutdown,halt,
operator,gopher,nfsnobody,dbus,
haldaemon,netdump,webalizer,pvm,
mysql,mailman,dovecot,cyrus,amanda,
pegasus,HPSMH,hpsmh,
webadmind,webadmin,webservd,avahi,
beagleidx,hsqldb,postfix

USERNAME_FOR_GRUB_PASSWORD

The name of a user whose system password hash will be used as the grub password on Linux

root

WIN_APP_ACCOUNTS

Windows application accounts for DISA.
Separate multiple account names with commas.

Administrator,mssql,oracle,aspnet


Properties in the custom PCI Properties class

The following PCI properties are included in the custom PCI Properties class. Tailor these property values to the unique needs of your local system.

Note

The PCI Properties custom property class is provided with the following out-of-the-box instances, which store default property values for different server configurations:

  • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
  • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
  • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
  • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • LEGACY_MEMBER_SERVER, for a Member Server with legacy security (not EC or SSLF)
  • LEGACY_DOMAIN_CONTROLLER, for a Domain Controller with legacy security (not EC or SSLF)

Property

Description

Default value

ACCESS_THIS_COMPUTER_FROM_NETWORK

Whether to access this computer from a network.

ACCOUNT_LOCKOUT_THRESHOLD

The number of failed logon attempts allowed before a user is locked out of an account

For Enterprise Client (EC) security: 15
For SSLF: 10

ADD_WORKSTATION_DOMAIN

Users that are allowed to add computer workstations to a specific domain

For Domain Controller: BUILTIN\Administrators
No default value for Member Server

ANONYMOUS_NAMED_PIPES

The communication sessions, or pipes, that will have attributes and permissions that allow anonymous access

For Domain Controller with SSLF:
netlogon,lsarpc,samr,browser

For Member Server with SSLF:
browser

No default value for EC security

IS_DOMAIN

Whether the target is a domain controller

PCI_BANNER

The standard banner for PCI.

Authorized users only. All activity may be monitored and reported.


Properties in the custom SOX Properties class

The following SOX properties are included in the custom SOX Properties class. Tailor these property values to the unique needs of your local system.

Property

Description

Default value

SOX_BANNER

The standard banner for SOX

Authorized users only. All activity may be monitored and reported.

SOX System Accounts

UNIX system accounts for SOX. Separate multiple account names with commas.

root,daemon,bin,sys,adm,smtp,uucp,nuucp,listen,lpd,lp,ing

Where to go from here

Modifying out-of-the-box component templates
