Issues in DISA compliance analysis and remediation

This topic lists common issues encountered while running compliance analysis and remediation using DISA templates. The page also provides troubleshooting information wherever applicable.

Troubleshooting issues in DISA templates

You might encounter the following issues while running compliance analysis and remediation using DISA templates. These issues can be avoided, if you take the necessary precautions as described in the workarounds below. Choose a specific operating system from the filter to narrow down the list in the table.

Oops, it seems that you need to place a table or a macro generating a table within the Table Filter macro.

Operating system	Affected rules	Issue and workaround
All Solaris	GEN 001140, GEN001160, GEN001200, GEN001220, GEN001240, GEN001260, GEN001300, GEN001320, GEN001340, GEN001360, GEN001280	If a rule uses findfiles cache, ensure that you refresh the findfiles cache after remediation to reflect the remediation changes on the target server. If you do not refresh the findfiles cache, the rule continues to display a non-compliant status even after remediation is completed successfully. By default, the findfiles cache is refreshed in the following cases: When CACHE_HRS time elapses from the last time the cache was created If the cache is not present on the target server in the staging directory Tip: To ensure that the findfiles cache is always refreshed, you can set CACHE_HRS to 0.
Red Hat Enterprise Linux 5	-	RPM-related rules fail, if Yellowdog Update Manager (YUM) is not configured. Workaround: Ensure that Yum is configured and working.
Red Hat Enterprise Linux 5	-	The local properties, `MAX_INFO_LINES` and `MAX_DISPLAY`, must be set to 40,000, If your compliance job fails with the following error: `com.bladelogic.om.infra.app.collector.AssetCollectionException: Error occurred during 'All files and directories contained in user home directories must have mode 0750 or less permissive' extended object execution: Unable to parse file: /opt/bmc/bladelogic/NSH/tmp/application_server/ WorkItem-Thread-8_75dace97-74e7-4081-bd2d-9f8713e4f56e.ini: Parsing failed. Exceeded max line limit of 50000`
Red Hat Enterprise Linux 5	V-915	Shared USER home directories are scanned separately for each user who shares them. This repetitive scanning increases the time taken for running compliance for this rule. Workaround: To exclude user entries while home directories are checked, add the users to the custom property `UNIX_EXCLUDE_HOME_DIR_USER _LIST`.
Red Hat Enterprise Linux 5	-	Template level jobs may take longer time to finish if the home directory for some users is set to "/". Workaround: Set the property `UNIX_EXCLUDE_HOME_DIR_USER_LIST` to point to users that have their home directory set as "/".
All Linux and UNIX	GEN001260	Rule checks and remediates system log file permissions. If the system logs roll over or if syslog is restarted, the permissions for the log files will be overwritten making the rule non-compliant on subsequent runs. As a workaround for this issue, adjust system log settings to control the rollover of log files and prevent overwriting permissions set for existing files.
All Linux	CAT I: 12.4.1.1-LNX00140	Remediation sets the grub password. You can provide the name of a user whose system password hash will be used as the grub password. To do so, specify the name of the appropriate user as the value of the USERNAME_FOR_GRUB_PASSWORD property in the DISA STIG Properties custom property class. The default value of this property is root.
Windows 2008	-	Compliance jobs fails in RCP client with a run status of Cancelled, but in the background the job is running and EO execution is in progress. Workaround: Wait for completion of the Compliance job run. If no errors occur during the job run, the run status will change to Completed Successfully.
All Linux and UNIX	GEN004020-GEN004320	Ensure that you have correctly entered the standard default paths of browser directories (.netscape and .mozilla). Non-default paths are not considered.
All Linux and UNIX	GEN005000	Anonymous FTP Account Shell, of the DISA templates for UNIX or Linux computers is not remediated, in either of the following scenarios: The target server does not have a valid shell (either /bin/true, /usr/bin/false, /bin/false, or /dev/null) The shell is not defined as valid in the login configuration file (in /etc/security/login.cfg ). Even though the rule is remediated successfully on a target, it appears as non-compliant in subsequent runs.
Red Hat Enterprise Linux 5	V-22491, V-12023, V-12030, (and other kernel parameter-related rules)	Rules are evaluated as non-compliant, if multiple entries (that are acceptable by the OS) are present in the configuration file sysctl.conf.
Red Hat Enterprise Linux 7	V-72015	The rule appears as non-compliant if the / character is appended at the end of the home directory. For example: Home directory set as /home/Bill is correct Home directory set as /home/Bill/ is incorrect.
Windows 2008 R2 DC	-	If Maximum password age is set to 0 in Default Domain policy, SECEDIT results in following output:`MaximumPasswordAge = -1`
All Linux	-	Compliance on Linux server fails if the home directory starts with Unicode characters.
All HP-UX	-	If the names of folders or files on the target server against which compliance is tested contain special characters, compliance fails with the following error: subexpression backreference number
Red Hat Enterprise Linux 5	-	A rule always evaluates as non-compliant after remediation, if /etc/audit/audit.rules file is configured with an invalid configuration before remediation.
All Linux and UNIX	GEN005540	Remediation does not work on any target server where an sshd entry is not included in the /etc/host.allow file for that target server.
Red Hat Enterprise Linux 5	V-22470	Rule validates for AllowGroups and AllowUsers only; it does not do an effective check if groups or users are appended at the end of AllowGroups and AllowUsers, respectively.
All AIX	GEN001570/V-22352, GEN001490/V-22350	Rules that evaluate the ACLs of files or directories do not support ACLs of type NFS4. Rules do not evaluate correctly, if the files or directories have ACLs of type NFS4.
Solaris 10 (x86)	V-924	if the name of a non-compliant file constitutes a colon, for example, SolarisSolaris:, the rule evaluates as non-compliant and cannot be fixed by remediation.

Limitations of DISA templates

The following limitations exist for compliance analysis and remediation using DISA component templates.

Oops, it seems that you need to place a table or a macro generating a table within the Table Filter macro.

Operating system	Affected rules	Limitation
Windows Server 2016	V-73249	Because multiple permissions, for a single user, cannot be handled in compliance; only one out of the three User Group permissions are checked for compliance.
Windows Server 2016	V-73759, V-73763, V-73767, V-73771	Remediation does not work on the member servers (MS).
Windows Server 2016	V-73259	This rule does not check for user accounts which have never been logged in.
Windows Server 2016	V-73763	After remediation, the Windows Diagnostic Service (wdiServiceHost) is added to the policy "Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> The Deny log on as a batch job". Note that guest groups should have been added to the policy on the MS instead of wdiServiceHost.
Windows Server 2016	V-73263	Ensure that you must set the value for the following local properties: APPLICATION_ACCOUNTS DOMAIN_ACCOUNTS_WITH_CAC
Solaris11 (SPARC)	V-48119, V-48207	Remediation cannot be performed.
All Solaris	GEN000240, GEN006080, GEN006220, GEN005220, GEN005600, GEN001980, GEN004400, GEN004420	Always appears as non-compliant on a Solaris target.
All Solaris	GEN006640	Virus Protection Software rule fails with the following error: FORCEFIND=n: 0403-009 The specified number is not valid for this command.
All HP-UX	GEN006640	Virus Protection Software rule fails with the following error: FORCEFIND=n: 0403-009 The specified number is not valid for this command.
All AIX	GEN006640	Virus Protection Software rule fails with the following error: FORCEFIND=n: 0403-009 The specified number is not valid for this command.
All Linux and UNIX	GEN000400, GEN000420	Remediation is common for both rules. If remediation is run for one rule the other rule is also remediated, and will appear as compliant in subsequent runs.
All Linux and UNIX	GEN004900, GEN004780	Remediation is common for both rules. If remediation is run for one rule the other rule is also remediated, and will appear as compliant in subsequent runs.
Windows Server 2008 R2 DC	V-15996, V-15997, V-15998, V-15999, V-1600	The rules always appear as compliant.
Windows Server 2008 DC/MS	-	Auditpol remediation is not implemented.
Red Hat Enterprise Linux 5	V-22317	Rule evaluation takes a long time.
Red Hat Enterprise Linux 7	V-71927	The DISA checklist recommends that interval for updating password should be less than 24 hours. Because this interval is too short and not of practical use, BMC checks whether the interval defined for updating the password is equal to or greater than 24 hours.
Windows Server 2003	-	Rules are not marked as exceptions in compliance, even if the IAO document explanation is provided for the rules in the DISA checklist.
Windows Server 2008 DC/MS	V-1080	Rule is always evaluated as non-compliant.
Windows server 2003 DC/MS	-	Remediation fails with the following error while updating Security Settings\Local Policies\User Rights Policy: `Error 1332: No mapping between account names and security IDs was done.`
Windows Server 2003 DC	V-1089, V-1097, V-1099, V-3384, V-8327, V-26359	Remediation is not performed successfully.
Windows Server 2012 DC	V-1099	Rule always evaluates as non-compliant.
Windows Server 2012 DC	V-8316	Rule evaluates as compliant even if permissions for additional users are added on the file.
Windows Server 2016	V-73259, V-73265, V-73267, V-73269, V-73287, V-73289, V-73291, V-73293, V-73295, V-73297, V-73299, V-73301, V-73277	Compliance check and remediation is not performed. Need additional information from the end user to evaluate this rule as the information is stored in an external system, for example, user and role expiry, unused files, and so on.
Windows Server 2016	V-73239	Compliance check and remediation is not performed. Remediation requires patching the system to required patch level which is beyond the scope of rule remediation. We can use our patching solution to mitigate this.
Windows Server 2016	V-73623, V-73625, V-73685, V-73309, V-73313,V-73271	Compliance check and remediation is not performed. The remediation might render the server inaccessible to the user or service.
Windows Server 2016	V-73405, V-73407, V-73409, V-73411, V-73369, V-73371, V-73249, V-73251, V-73253, V-73255	Compliance check and remediation is not performed. The remediation requires an update of permissions on the system for which there is no API available. Additionally, this may require an approval based on the organizational processes and policies.
Windows Server 2016	V-73247	Compliance check and remediation is not performed. Remediation may require reformating the disc which would lead to possible data loss or corruption.
Windows Server 2016	V-73509	Compliance check and remediation is not performed. The remediation is reasonably complex and involves updating in multiple registry entries which can cause errors.
Windows Server 2016	V-73307	Compliance check and remediation is not performed. Updating the time may have an impact on applications running on the operating system. This is governed by an organization policy and processes, which cannot be generically implemented.
Windows Server 2016	V-73223, V-73231	Compliance check and remediation is not performed. The remediation requires user input along with password policy which has to be maintained by the organization.
Windows Server 2016	V-73217, V-73219, V-73225, V-73227, V-73233, V-73245, V-73235, V-73237, V-73241, V-73243, V-73273, V-73275, V-73279, V-73281, V-73401, V-73403, V-73229, V-73221	This rule must be manually checked and remediated. More of an informational rule that requires manual interpretation. The checklist doesn't recommend nor provides any specific commands for checking this.
Windows Server 2016	V-73605, V-73607, V-73609, V-73611, V-73613, V-73615	This rule must be manually checked and remediated. This rule requires the end user to import and register the certificates provided by DISA. The validation parts do not have any API or command which can be used to check the same.
Windows Server 2016	V-73383	This rule must be manually checked and remediated. This rule refers to organization network diagram/ documentation classification level of the Windows domain controller. More of an informational rule hence can’t be automated.
Windows Server 2016	V-73257, V-73303, V-73305, V-73373, V-73375, V-73377, V-73381, V-73385, V-73389, V-73391, V-73393, V-73395, V-73397, V-73399	This rule must be manually checked and remediated.There is no command or API exposed by Windows to automate this check and hence needs to be done manually.
Windows Server 2016	V-73723, V-73725, V-73727	This rule must be manually checked and remediated. Currently the BSA asset doesn't provide an option to access user registry and this requires enhancement to the product.
Windows Server 2016	V-73283, V-73285	This rule must be manually checked and remediated. Currently there is no command which provides expected result of Search-AD Account.
Red Hat Enterprise Linux 5	-	The target level property `EXCLUDED_DIR` does not take multiple folders.
Red Hat Enterprise Linux 6	-	The target level property `EXCLUDED_DIR` does not take multiple folders.
Red Hat Enterprise Linux 7	V-71849, V-71855, V-72047	This rule checks for compliance but do not provide remediation. The remediation requires an update in system permissions for which there are no APIs available. Additionally, this may require an approval based on the organizational processes and policies.
Red Hat Enterprise Linux 7	V-71985, V-72057, V-72079, V-72019, V-72271, V-72273, V-72277, V-72279, V-72315, V-72223, V-72275	This rule checks for compliance but do not provide remediation. Remediation might move the system into an irrecoverable state.
Red Hat Enterprise Linux 7	V-72043, V-72045, V-73161, V-72059, V-72061, V-72069, V-72065, V-72311, V-71861, V-72225, V-71895, V-73155, V-73157, V-71973	This rule checks for compliance but do not provide remediation. Editing file entries require manual intervention to take effect.
Red Hat Enterprise Linux 7	V-72067, V-72071, V-72073, V-72213, V-72215, V-72281, V-72295, V-72317, V-73177, V-72217, V-71897	This rule checks for compliance but do not provide remediation. System administrator is required to approve configuration changes based on the organizational processes and policies.
Red Hat Enterprise Linux 7	V-71919, V-71933, V-71937, V-71943, V-71945, V-71947, V-71949, V-71961, V-71963, V-72313	This rule checks for compliance but do not provide remediation. The remediation requires user input to create passwords based on the organizational policy.
Red Hat Enterprise Linux 7	V-71965, V-72435, V-72075	This rule checks for compliance but do not provide remediation. Remediation is dependent on peripheral devices, which can leave the resource inaccessible to the user or service, if automated.
Red Hat Enterprise Linux 7	V-71891, V-71893, V-71901, V-71997	This rule checks for compliance but do not provide remediation. Need additional information from end user to update system configuration and comply with organizational policies.
Red Hat Enterprise Linux 7	V-72035, V-72039, V-72001, V-72215, V-72271, V-72307, V-71971, V-71999, V-72075, V-71975	This rule must be manually checked and remediated. More of an informational rule that requires manual interpretation. The checklist does not recommend any commands for checking these conditions.
Red Hat Enterprise Linux 7	V-72041, V-72095	This rule must be manually checked and remediated. No APIs or commands are available to validate the rules.
Red Hat Enterprise Linux 7	V-72433	This rule must be manually checked and remediated. This rule requires the end user to import and register the certificates suggested by DISA, which cannot be automated.

Limitations in rollback of DISA compliance remediation

The following issues exist in the behavior of certain DISA compliance rules during an undo operation. These issues represent the expected, default behavior (although different from the typical behavior of most other compliance rules).

Operating system	Affected rules	Issue
Windows Server 2016	V-73651, V-73657, V-73659	Unable to perform an undo operation on the remediation (for GPO registry rules) in the first attempt. Undo operation runs successfully only in the second attempt.
-	GEN006600	Rule changes from non-compliant to compliant (and vice versa) if Undo is executed for either of the following rules: GEN000440 (Adds a daemon logging entry to the syslog.conf file) GEN004460 (Adds a mail logging entry to the syslog.conf file)
-	GEN002120	The rule does not have an Undo script.
-	GEN004880	The rule changes to non-compliant when Undo is executed for either of the following rules.This rule changes to compliant when remediation is run for either of the following rules: GEN004800 (Ensures AORL use for documenting unencrypted FTP and Telnet) GEN004760 (FTP and Telnet Status)
-	GEN001420	The Undo command does not work when either rule GEN00560 or rule GEN00540 executes a PASSWD command during remediation, causing permission for the /etc/shadow file to be reset.
-	GEN001380	The Undo command does not work when either rule GEN005000 or rule GEN005120 executes the USERMOD command during remediation, causing permission for the /etc/passwd file to be reset.
Windows Server 2003	-	Template-level rollback (for undoing remediation performed on all non-compliant rules) might fail due to the behavior of the Terminal Services Session Directory service, which may remain in waiting status for more time than expected.

Issues in DISA compliance analysis and remediation

Troubleshooting issues in DISA templates

Limitations of DISA templates

Limitations in rollback of DISA compliance remediation

Related topics

Comments