STIG rules for RHEL6 not applicable to BMC Discovery 11.0

The following table lists the STIG rules for Red Hat Enterprise Linux (RHEL) 6 that are not applicable to BMC Discovery 11.0, gives a brief explanation of the reasons and, where appropriate, gives details of workarounds.

Note

The table provides links to STIG rule descriptions and details on the STIGviewer website. STIGviewer provides an online, searchable index of public domain STIG content, though it is not related to DISA. Its content may not be up to date.

Rule number

Description

Reason for non-compliance

RHEL-06-000005 V-38470

The audit system must alert designated staff members when the audit storage volume approaches capacity.

Customers should configure this value and configure postfix if they require email notification. An onsite configuration activity.

RHEL-06-000008 V-38476

Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.

BMC Discovery uses and requires third party RPMs that are unsigned. Of the BMC-supplied RPMs only the tideway-devices RPM is signed.

RHEL-06-000011 V-38481

System security patches and updates must be installed and up-to-date.

Security updates can be applied using the monthly operating system upgrade.

RHEL-06-000013 V-38483

The system package management tool must cryptographically verify the authenticity of system software packages during installation.

BMC Discovery does not use the YUM package manager. See also V-38481.

RHEL-06-000015 V-38487

The system package management tool must cryptographically verify the authenticity of all software packages during installation.

BMC Discovery does not use the YUM package manager. See also V-38481.

RHEL-06-000016 V-38489

A file integrity tool must be installed.

BMC Discovery uses tripwire as a file integrity tool.

RHEL-06-000020 V-51363

The system must use a Linux Security Module configured to enforce limits on system services.

The BMC Discovery appliance is not regarded as a multi-user system and would not benefit from the capabilities provided by a Linux Security Module.

RHEL-06-000048 V-38472

All system command files must be owned by root.

In order to allow the tideway user to run nmap without using sudo, and to avoid any other non-root user running privileged nmap operations, the nmap executable is owned by the tideway user.

RHEL-06-000073 V-38593

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.

BMC Discovery does not use the default Red Hat login prompt. It will not be replaced with a DoD banner.

RHEL-06-000098 V-38546

The IPv6 protocol handler must not be bound to the network stack unless needed.

BMC Discovery supports discovery using IPv6.
To disable IPv6:

  1. Edit the /etc/sysconfig/network file, adding NETWORKING_IPV6=no.
  2. Ensure that any other IPv6 (net.ipv6) entry is commented out.
  3. Edit the /etc/sysctl.conf file, adding net.ipv6.conf.all.disable_ipv6 = 1.
  4. Prevent the IPv6 firewall from starting. Enter:
    service ip6tables stop
    chkconfig ip6tables off

RHEL-06-000136 V-38520

The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.

This is not applicable for BMC Discovery out of the box because it requires additional services to be configured in the customer's environment.

RHEL-06-000137 V-38521

The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.

This is not applicable for BMC Discovery out of the box because it requires additional services to be configured in the customer's environment.

RHEL-06-000240 V-38615

The SSH daemon must be configured with the Department of Defense (DoD) login banner.

We provide a non-standard post-login banner.

RHEL-06-000247 V-38620

The system clock must be synchronized continuously, or at least daily.

Network time synchronization is not configured by default as customers' preferred time server is not known.

RHEL-06-000248 V-38621

The system clock must be synchronized to an authoritative DoD time source.

Network time synchronization is not configured by default as customers' preferred time server is not known.

RHEL-06-000252 V-38625

If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.

LDAP is not configured by default as customer environments are not known.

RHEL-06-000253 V-38626

The LDAP client must use a TLS connection using trust certificates signed by the site CA.

LDAP is not configured by default as customer environments are not known.

RHEL-06-000257 V-38629

The graphical desktop environment must set the idle timeout to no more than 15 minutes.

A GUI is not installed.

RHEL-06-000258 V-38630

The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.

A GUI is not installed.

RHEL-06-000259 V-38638

The graphical desktop environment must have automatic lock enabled.

A GUI is not installed.

RHEL-06-000260 V-38639

The system must display a publicly-viewable pattern during a graphical desktop environment session lock.

A GUI is not installed.

RHEL-06-000269 V-38652

Remote file systems must be mounted with the "nodev" option.

We do not ship with any remote file systems.

RHEL-06-000270 V-38654

Remote file systems must be mounted with the "nosuid" option.

We do not ship with any remote file systems.

RHEL-06-000271 V-38655

The noexec option must be added to removable media partitions.

We do not ship with any remote file systems.

RHEL-06-000275 V-38659

The operating system must employ cryptographic mechanisms to protect information in storage.

BMC Discovery data is not encrypted in storage so this rule is not applicable.

RHEL-06-000276 V-38661

The operating system must protect the confidentiality and integrity of data at rest.

BMC Discovery data is not encrypted in storage so this rule is not applicable.

RHEL-06-000277 V-38662

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.

BMC Discovery data is not encrypted in storage so this rule is not applicable.

RHEL-06-000284 V-38666

The system must use and update a DoD-approved virus scan program.

BMC Discovery does not use a virus scan program, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000285 V-38667

The system must have a host-based intrusion detection tool installed.

BMC Discovery uses tripwire as a host-based intrusion detection tool.

RHEL-06-000286 V-38668

The x86 CTRL-ALT-DELETE key sequence must be disabled.

The BMC Discovery appliance was configured so that only a log message is generated when the CTRL-ALT-DELETE key sequence is pressed.

RHEL-06-000287 V-38669

The postfix service must be enabled for mail delivery.

Email is not configured or enabled by default in BMC Discovery.

RHEL-06-000290 V-38674

X Windows must not be enabled unless required.

A GUI is not installed.

RHEL-06-000291 V-38676

The xorg-x11-server-common (X Windows) package must not be installed, unless required.

A GUI is not installed.

RHEL-06-000292 V-38679

The DHCP client must be disabled if not needed.

BMC Discovery requires a DHCP client, though this must be configured when the appliance is commissioned.

RHEL-06-000297 V-38685

Temporary accounts must be provisioned with an expiration date.

This is an on-site configuration activity so is not applicable.

RHEL-06-000298 V-38690

Emergency accounts must be provisioned with an expiration date.

This is an on-site configuration activity so is not applicable.

RHEL-06-000302 V-38695

A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000303 V-38696

The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000304 V-38698

The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000305 V-38700

The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000306 V-38670

The operating system must detect unauthorized changes to software and information.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000307 V-38673

The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.

BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system.

RHEL-06-000308 V-38675

Process core dumps must be disabled unless needed.

BMC Discovery relies on core dumps for debug information. Disabling them limits BMC Customer Support's ability to resolve problems. If you must disable core dumps:

  1. Edit the /etc/profile file, commenting out the ulimit -S -c unlimited line.
  2. Edit the /etc/security/limits.conf file, either commenting out the tideway - core unlimited line or changing it to tideway - core 0.
  3. Edit the /etc/sysctl.conf file, commenting out the kernel.core_pattern = /usr/tideway/cores/ line.
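The IPv6 workaround (V-38546, above) and the core dump workaround (V-38675) are both "edit this line in that file" procedures, which are easy to get wrong or apply twice. The script below is an added example, not BMC code: it applies both sets of edits to config files passed as arguments (so they can be rehearsed on copies before /etc is touched) and provides check functions that report whether a file set is in the required state. It assumes GNU sed (-i) and the RHEL6 file layout and line formats named on the page; the ip6tables service step needs a live host and is left as a comment.

```shell
#!/bin/sh
# Added example for the V-38546 and V-38675 workarounds; not part of BMC
# Discovery. Paths are passed in so the functions can be tried on copies.
# Usage: disable_ipv6 /etc/sysconfig/network /etc/sysctl.conf
#        disable_core_dumps /etc/profile /etc/security/limits.conf /etc/sysctl.conf

# set_kv FILE KEY SEP VALUE: rewrite an existing "KEY=..." line (active or
# commented out) as "KEY<SEP>VALUE", or append one. Safe to run repeatedly.
set_kv() {
  if grep -q "^[# ]*$2[ ]*=" "$1" 2>/dev/null; then
    sed -i "s|^[# ]*$2[ ]*=.*|$2$3$4|" "$1"
  else
    printf '%s%s%s\n' "$2" "$3" "$4" >> "$1"
  fi
}

# comment_out FILE REGEX: put "#" in front of every active line matching REGEX.
comment_out() { sed -i "/^[^#]*$2/s|^|#|" "$1"; }

# Steps 1-3 of the IPv6 workaround. Step 4 needs a live host and is not done
# here: service ip6tables stop; chkconfig ip6tables off
disable_ipv6() {   # $1 = /etc/sysconfig/network   $2 = /etc/sysctl.conf
  set_kv "$1" NETWORKING_IPV6 = no                      # step 1
  comment_out "$2" 'net\.ipv6\.'                        # step 2
  set_kv "$2" net.ipv6.conf.all.disable_ipv6 ' = ' 1    # step 3
}

# Returns 0 only when all three IPv6 settings are in the required state:
# NETWORKING_IPV6=no, disable_ipv6 = 1, and no other active net.ipv6 entry.
check_ipv6_disabled() {
  grep -q '^NETWORKING_IPV6=no$' "$1" &&
  grep -q '^net\.ipv6\.conf\.all\.disable_ipv6 = 1$' "$2" &&
  ! grep '^[^#]*net\.ipv6\.' "$2" | grep -qv 'disable_ipv6 = 1$'
}

# Core dump workaround: comment out the ulimit line, change the tideway core
# limit from unlimited to 0, and comment out the kernel.core_pattern line.
disable_core_dumps() {  # $1=/etc/profile $2=/etc/security/limits.conf $3=/etc/sysctl.conf
  comment_out "$1" 'ulimit -S -c unlimited'
  sed -i 's|^\([ ]*tideway[ ]*-[ ]*core[ ]*\)unlimited|\10|' "$2"
  comment_out "$3" 'kernel\.core_pattern'
}

# Returns 0 only when no active line still enables core dumps.
check_core_dumps_disabled() {
  ! grep -q '^[^#]*ulimit -S -c unlimited' "$1" &&
  ! grep -q '^[^#]*tideway[ ]*-[ ]*core[ ]*unlimited' "$2" &&
  ! grep -q '^[^#]*kernel\.core_pattern' "$3"
}
```

Run the check functions again after the next monthly operating system upgrade (V-38481), since a package update may restore the original lines.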

RHEL-06-000313 V-38680

The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.

Notification is sent by default to the root user. Sending it to any other user requires on-site configuration.

RHEL-06-000321 V-38687

The system must provide VPN connectivity for communications over untrusted networks.

ADDM does not ship with any VPN tools.

RHEL-06-000324 V-38688

A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

A GUI is not installed.

RHEL-06-000326 V-38689

The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.

A GUI is not installed.

RHEL-06-000338 V-38701

The TFTP daemon must operate in "secure mode", which provides access only to a single directory on the host file system.

TFTP is not installed.

RHEL-06-000339 V-38702

The FTP daemon must be configured for logging or verbose mode.

No FTP daemons are installed.

RHEL-06-000341 V-38653

The snmpd service must not use a default password.

The snmpd service is disabled by default. If you enable the snmpd service, you must change the password from the default to be STIG compliant.

RHEL-06-000348 V-38599

The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.

No FTP daemons are installed.

RHEL-06-000349 V-38595

The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.

CAC, PIV compliant hardware tokens, and Alternate Logon Tokens (ALT) are not supported authentication mechanisms.

RHEL-06-000504 V-38488

The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.

This is an on-site configuration activity so is not applicable.

RHEL-06-000505 V-38486

The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.

This is an on-site configuration activity so is not applicable.

RHEL-06-000515 V-38460

The NFS server must not have the all_squash option enabled.

Not applicable as NFS is not installed on a BMC Discovery appliance.

RHEL-06-000521 V-38446

The mail system must forward all mail for root to one or more system administrators.

Mail forwarding is an on-site configuration activity.

RHEL-06-000524 V-38439

The system must provide automated support for account management functions.

This is an on-site configuration activity so is not applicable.
