STIG rules for RHEL6 not applicable to BMC Discovery 11.2
The following section lists the STIG rules for Red Hat Enterprise Linux (RHEL) 6 that are not applicable to BMC Discovery 11.2. It gives a brief explanation of the reasons and, where appropriate, details of workarounds.
Note
The table provides links to STIG rule descriptions and details on the STIGviewer website. STIGviewer provides an online, searchable index of Public Domain STIG content, though it is not related to DISA. Its content may not be up to date.
Rule number | Description | Reason for non-compliance |
---|---|---|
RHEL-06-000005 V-38470 | The audit system must alert designated staff members when the audit storage volume approaches capacity. | Customers should configure this value and configure postfix if they require email notification. This is an onsite configuration activity. |
RHEL-06-000008 V-38476 | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. | BMC Discovery uses and requires third party RPMs that are unsigned. Of the BMC-supplied RPMs only the |
RHEL-06-000011 V-38481 | System security patches and updates must be installed and up-to-date. | Security updates can be applied using the monthly operating system upgrade. |
RHEL-06-000013 V-38483 | The system package management tool must cryptographically verify the authenticity of system software packages during installation. | BMC Discovery does not use the YUM package manager. See also V-38481. |
RHEL-06-000015 V-38487 | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | BMC Discovery does not use the YUM package manager. See also V-38481. |
RHEL-06-000016 V-38489 | A file integrity tool must be installed. | BMC Discovery uses tripwire as a file integrity tool. |
RHEL-06-000020 V-51363 | The system must use a Linux Security Module configured to enforce limits on system services. | The BMC Discovery appliance is not regarded as a multi-user system and won't leverage any advantage from the capabilities provided by the Linux Security Module. |
RHEL-06-000048 V-38472 | All system command files must be owned by root. | In order to allow the tideway user to run nmap without using sudo, and to avoid any other non-root user running privileged nmap operations, the nmap executable is owned by the tideway user. |
RHEL-06-000073 V-38593 | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | BMC Discovery does not use the default Red Hat login prompt. It will not be replaced with a DoD banner. |
RHEL-06-000136 V-38520 | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. | This is not applicable for BMC Discovery out of the box because it requires additional services to be configured in the customer's environment. |
RHEL-06-000137 V-38521 | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components. | This is not applicable for BMC Discovery out of the box because it requires additional services to be configured in the customer's environment. |
RHEL-06-000240 V-38615 | The SSH daemon must be configured with the Department of Defense (DoD) login banner. | We provide a non-standard post-login banner. |
RHEL-06-000247 V-38620 | The system clock must be synchronized continuously, or at least daily. | Network time synchronization is not configured by default as customers' preferred time server is not known. |
RHEL-06-000248 V-38621 | The system clock must be synchronized to an authoritative DoD time source. | Network time synchronization is not configured by default as customers' preferred time server is not known. |
RHEL-06-000257 V-38629 | The graphical desktop environment must set the idle timeout to no more than 15 minutes. | A GUI is not installed. |
RHEL-06-000258 V-38630 | The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment. | A GUI is not installed. |
RHEL-06-000259 V-38638 | The graphical desktop environment must have automatic lock enabled. | A GUI is not installed. |
RHEL-06-000260 V-38639 | The system must display a publicly-viewable pattern during a graphical desktop environment session lock. | A GUI is not installed. |
RHEL-06-000269 V-38652 | Remote file systems must be mounted with the "nodev" option. | We do not ship with any remote file systems. |
RHEL-06-000270 V-38654 | Remote file systems must be mounted with the "nosuid" option. | We do not ship with any remote file systems. |
RHEL-06-000271 V-38655 | The noexec option must be added to removable media partitions. | We do not ship with any remote file systems. |
RHEL-06-000275 V-38659 | The operating system must employ cryptographic mechanisms to protect information in storage. | BMC Discovery data is not encrypted in storage so this rule is not applicable. |
RHEL-06-000276 V-38661 | The operating system must protect the confidentiality and integrity of data at rest. | BMC Discovery data is not encrypted in storage so this rule is not applicable. |
RHEL-06-000277 V-38662 | The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures. | BMC Discovery data is not encrypted in storage so this rule is not applicable. |
RHEL-06-000284 V-38666 | The system must use and update a DoD-approved virus scan program. | BMC Discovery does not use a virus scan program, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000285 V-38667 | The system must have a host-based intrusion detection tool installed. | BMC Discovery uses tripwire as a host-based intrusion detection tool. |
RHEL-06-000286 V-38668 | The x86 CTRL-ALT-DELETE key sequence must be disabled. | The BMC Discovery appliance was configured so that only a log message is generated when the CTRL-ALT-DELETE key sequence is pressed. |
RHEL-06-000287 V-38669 | The postfix service must be enabled for mail delivery. | Email is not configured or enabled by default in BMC Discovery. |
RHEL-06-000290 V-38674 | X Windows must not be enabled unless required. | A GUI is not installed. |
RHEL-06-000291 V-38676 | The xorg-x11-server-common (X Windows) package must not be installed, unless required. | A GUI is not installed. |
RHEL-06-000292 V-38679 | The DHCP client must be disabled if not needed. | BMC Discovery requires a DHCP client, though this must be configured when the appliance is commissioned. |
RHEL-06-000293 V-72817 | Verify that there are no wireless interfaces configured on the system. | Discovery does not ship with wireless interfaces. |
RHEL-06-000297 V-38685 | Temporary accounts must be provisioned with an expiration date. | This is an on site configuration activity so is not applicable. |
RHEL-06-000298 V-38690 | Emergency accounts must be provisioned with an expiration date. | This is an on site configuration activity so is not applicable. |
RHEL-06-000302 V-38695 | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000303 V-38696 | The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000304 V-38698 | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000305 V-38700 | The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000306 V-38670 | The operating system must detect unauthorized changes to software and information. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000307 V-38673 | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. | BMC Discovery does not use AIDE, though it does use tripwire to detect unauthorized changes to the system. |
RHEL-06-000308 V-38675 | Process core dumps must be disabled unless needed. | BMC Discovery relies on core dumps for debug information. However, if you must disable core dumps, this limits BMC Customer Support's ability to resolve problems. To disable core dumps: |
RHEL-06-000313 V-38680 | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Notification is sent by default to the root user. Sending to any other user requires on site configuration. |
RHEL-06-000321 V-38687 | The system must provide VPN connectivity for communications over untrusted networks. | ADDM does not ship with any VPN tools. |
RHEL-06-000324 V-38688 | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | A GUI is not installed. |
RHEL-06-000326 V-38689 | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | A GUI is not installed. |
RHEL-06-000338 V-38701 | The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system. | TFTP is not installed. |
RHEL-06-000339 V-38702 | The FTP daemon must be configured for logging or verbose mode. | No FTP daemons are installed. |
RHEL-06-000341 V-38653 | The snmpd service must not use a default password. | The snmpd service is disabled by default. If you enable the snmpd service, you must change the password from the default to be STIG compliant. |
RHEL-06-000348 V-38599 | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner. | No FTP daemons are installed. |
RHEL-06-000349 V-38595 | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. | CAC, PIV compliant hardware tokens, and Alternate Logon Tokens (ALT) are not supported authentication mechanisms. |
RHEL-06-000504 V-38488 | The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. | This is an on site configuration activity so is not applicable. |
RHEL-06-000505 V-38486 | The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. | This is an on site configuration activity so is not applicable. |
RHEL-06-000515 V-38460 | The NFS server must not have the all_squash option enabled. | Not applicable as NFS is not installed on a BMC Discovery appliance. |
RHEL-06-000521 V-38446 | The mail system must forward all mail for root to one or more system administrators. | Mail forwarding is an on site configuration. |
RHEL-06-000524 V-38439 | The system must provide automated support for account management functions. | This is an on site configuration activity so is not applicable. |