Issues in CIS compliance analysis and remediation
The following issues and limitations exist for compliance analysis and remediation using CIS component templates:
- For certain rules, the CIS benchmark does not recommend any value. Such rules in the component template for CIS on Windows Server 2008 always report compliant status, so a compliant result for them carries no information about the target.
- For the Enterprise Domain Controller, SSLF Member Server, and SSLF Domain Controller profiles, the recommended value of rule 1.8.36, User Rights: Log on as a batch job, is No one. The rule is implemented so that it reports compliant both when the right is assigned to no one and when it is assigned to BladeLogicRSCD, because the RSCD agent needs this right to run batch jobs on the target.
- Not all rules in the component template for CIS on Windows Server 2008 support remediation. A rule can be remediated only if it has a remediation package associated with it.
- For rules in the CIS - Red Hat Enterprise Linux 5 template that use the findfiles cache, if a rule is non-compliant and remediation is run for it, you must refresh the findfiles cache afterwards so that it reflects the changes on the target server. If you do not refresh the cache, the rule continues to report non-compliant status after remediation. The following rules use the findfiles cache: 1.1.17, 5.3.12, 10.23, 10.24, 10.25, 10.26, and 10.27.
  By default, the findfiles cache is refreshed only in the following cases:
  - When the CACHE_HRS interval has elapsed since the cache was last created
  - When the cache is not present in the staging directory on the target server
- For rules in the CIS - Red Hat Enterprise Linux 5 template that check for the presence of parameters in configuration files, if a configuration file contains more than one entry for a parameter, the rule reports Not Reviewed, which counts as non-compliant. Remediation does not consolidate the duplicates: after remediation the file still contains multiple entries for those parameters and the rule still reports Not Reviewed, so the duplicate entries have to be removed manually.
- Rules in the CIS - Red Hat Enterprise Linux 5 template that check permissions on system log files, rule 5.1.2 Create and Set Permissions on syslog Log Files and rule 5.2.4 Create and Set Permissions on rsyslog Log Files, treat a log file as compliant only when its permissions are 0600 (root) or 0640 (secure group). However, these rules still report compliant when the setuid, setgid, or sticky bit is set on a log file listed in /etc/syslog.conf or /etc/rsyslog.conf, so a file with mode 4600 or 1640, for example, passes. Check these bits separately.
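The shell script below is an added example, not code from the BladeLogic CIS templates, and covers the two Red Hat Enterprise Linux 5 limitations above by hand: duplicate_params lists parameters that appear more than once in a key/value configuration file (the case the template reports as Not Reviewed and does not clean up), and find_noncompliant re-checks the log files named in a syslog.conf or rsyslog.conf so that setuid, setgid, and sticky bits fail, as rules 5.1.2 and 5.2.4 intend. It assumes GNU coreutils (stat -c) as shipped with RHEL; the configuration-file formats it parses, the owner and secure-group arguments, and every sample file it builds are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not BMC BladeLogic template code. Two manual checks around the
# RHEL 5 limitations above. Assumes GNU coreutils (stat -c) as on RHEL; the conf
# formats, the OWNER and SECURE_GROUP arguments and all sample data are
# constructed for illustration.

# "Multiple entries of parameters": print "key count line,line,..." for every
# parameter that occurs more than once in a "key value" or "key=value" file.
# Keys are compared case-insensitively (sshd_config semantics; drop tolower()
# for case-sensitive files such as sysctl.conf).
duplicate_params() {
    awk '/^[ \t]*(#|$)/ { next }
         { k = $1; sub(/=.*/, "", k); k = tolower(k)
           at[k] = at[k] (n[k]++ ? "," : "") NR }
         END { for (k in n) if (n[k] > 1) print k, n[k], at[k] }' "$1" | sort
}

# "Special bits on log files": list the absolute paths used as actions in a
# syslog.conf or rsyslog.conf. Skips comments, $directives, remote hosts
# (@host), users and consoles (*), and the "-" async-write prefix.
log_files_from_conf() {
    awk '!/^[ \t]*([#$]|$)/ { a = $NF; sub(/^-/, "", a); if (a ~ /^\//) print a }' "$1" | sort -u
}

# Print a violation for FILE unless it is exactly 0600 owned by OWNER, or 0640
# owned by OWNER with group SECURE_GROUP. The full four-digit mode is compared,
# so the setuid (4xxx), setgid (2xxx) and sticky (1xxx) variants fail.
log_file_violation() {
    lf=$1; want_owner=$2; want_group=$3
    set -- $(stat -c '%a %U %G' "$lf")                 # e.g. "4600 root root"
    mode=$1; owner=$2; group=$3
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done     # stat prints 600, not 0600
    case $mode in
        0600) [ "$owner" = "$want_owner" ] ||
                  echo "$lf: owner $owner, expected $want_owner" ;;
        0640) [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] ||
                  echo "$lf: 0640 but $owner:$group, expected $want_owner:$want_group" ;;
        [1-7]600|[1-7]640) echo "$lf: mode $mode carries a special bit" ;;
        *) echo "$lf: mode $mode, expected 0600 or 0640" ;;
    esac
    return 0
}

# CONF OWNER SECURE_GROUP: one line per non-compliant or missing log file.
find_noncompliant() {
    for f in $(log_files_from_conf "$1"); do
        if [ -f "$f" ]; then log_file_violation "$f" "$2" "$3"
        else echo "$f: missing (the rule expects the file to exist)"; fi
    done
    return 0
}

# Constructed fixture: an sshd_config with duplicate parameters and an
# rsyslog.conf naming five log files, two of which carry special bits that the
# template rule would let through and one that is simply too open.
build_fixture() {
    d=$(mktemp -d)
    printf 'Protocol 2\nPermitRootLogin yes\n# PermitRootLogin no\nX11Forwarding no\nprotocol 1\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '$ModLoad imuxsock\n$WorkDirectory /var/lib/rsyslog\n*.info;mail.none\t%s/messages\nauthpriv.*\t-%s/secure\nmail.*\t%s/maillog\ncron.*\t%s/cron\n*.emerg\t*\nuucp,news.crit\t%s/spooler\nlocal7.*\t@loghost\n' \
        "$d" "$d" "$d" "$d" "$d" > "$d/rsyslog.conf"
    touch "$d/messages" "$d/secure" "$d/maillog" "$d/cron" "$d/spooler"
    chmod 0600 "$d/messages"   # compliant
    chmod 0640 "$d/secure"     # compliant when group is the secure group
    chmod 4600 "$d/maillog"    # setuid: passes the template rule, fails here
    chmod 1640 "$d/cron"       # sticky: same
    chmod 0644 "$d/spooler"    # world-readable
    echo "$d"
}

# Stand-alone demo. The fixture files belong to the current user, so that user
# and primary group stand in for root and the secure group.
dir=$(build_fixture)
echo "== parameters listed more than once"; duplicate_params "$dir/sshd_config"
echo "== log files that fail 5.2.4 once special bits are checked"
find_noncompliant "$dir/rsyslog.conf" "$(stat -c %U "$dir/messages")" "$(stat -c %G "$dir/messages")"
rm -rf "$dir"
```

On a real target, run the two functions as root against the actual files (for example /etc/rsyslog.conf with owner root and your secure group) instead of the fixture. An empty result from find_noncompliant means every log file named in the configuration is exactly 0600 or 0640 with no special bits; any parameter printed by duplicate_params has to be collapsed to a single entry before the template rule will move out of Not Reviewed.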