Issues in rollback of DISA compliance remediation


The following issues affect the behavior of certain DISA compliance rules during an Undo (rollback) operation. They are the expected, default behavior for these rules, even though it differs from the typical behavior of most other compliance rules.

  • Rule GEN006600 changes from non-compliant to compliant (and vice versa) if Undo is executed for either of the following rules:
    • GEN000440 (Adds a daemon logging entry to the syslog.conf file)
    • GEN004460 (Adds a mail logging entry to the syslog.conf file)
  • Rule GEN002120 does not have an Undo script.
  • Rule GEN004880 changes to non-compliant when Undo is executed for either of the following rules, and changes back to compliant when remediation is run for either of them:
    • GEN004800 (Ensures AORL use for documenting unencrypted FTP and Telnet)
    • GEN004760 (FTP and Telnet Status)
  • For rule GEN001420, the Undo command does not work if rule GEN00560 or rule GEN00540 has executed a PASSWD command during remediation, because that command resets the permissions on the /etc/shadow file.
  • For rule GEN001380, the Undo command does not work if rule GEN005000 or rule GEN005120 has executed the USERMOD command during remediation, because that command resets the permissions on the /etc/passwd file.
  • Template-level rollback (undoing remediation performed on all non-compliant rules) based on the component template for DISA on Windows Server 2003 may fail because of the behavior of the Terminal Services Session Directory service, which may remain in a waiting state longer than expected.
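Because an Undo of GEN001380 or GEN001420 can silently leave /etc/passwd or /etc/shadow with whatever mode the PASSWD or USERMOD run set, a practical check is to record the mode, owner and group of those files before remediation and compare them after the rollback. The script below is an added example, not part of the BMC Server Automation product or its documentation; it assumes a Linux host with GNU coreutils `stat` (the `-c` format option), and the file paths and snapshot location are placeholders you would set for your environment.

```shell
#!/bin/sh
# Added example (not BMC code): detect permission drift on the files governed by
# GEN001380 (/etc/passwd) and GEN001420 (/etc/shadow) across a remediation/Undo cycle.
# Assumes GNU coreutils stat; paths containing spaces are not supported by the
# whitespace-separated snapshot format used here.

# snapshot_perms SNAPFILE FILE...
# Writes one line per existing FILE: "<path> <octal mode> <owner> <group>".
snapshot_perms() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    [ -e "$f" ] || continue
    stat -c '%n %a %U %G' "$f" >> "$out"
  done
}

# check_perms SNAPFILE
# Compares the current mode/owner/group of every recorded file with the snapshot.
# Prints a DRIFT or MISSING line for each mismatch and returns 1 if any was found.
check_perms() {
  snap="$1"; rc=0
  while read -r f mode owner group; do
    cur=$(stat -c '%a %U %G' "$f" 2>/dev/null) || { echo "MISSING $f"; rc=1; continue; }
    if [ "$cur" != "$mode $owner $group" ]; then
      echo "DRIFT $f: expected $mode $owner $group, found $cur"
      rc=1
    fi
  done < "$snap"
  return $rc
}

# Optional command-line use:
#   sh perm_drift.sh snapshot /var/tmp/disa-perms.snap /etc/passwd /etc/shadow   (before remediation)
#   sh perm_drift.sh check /var/tmp/disa-perms.snap                               (after Undo)
case "${1:-}" in
  snapshot) shift; snapshot_perms "$@" ;;
  check)    shift; check_perms "$@" ;;
esac
```

Take the snapshot before the remediation job runs, then run the check after the Undo job completes; a non-zero exit means the rollback did not restore the recorded permissions and the file needs to be corrected by hand or by re-running the relevant rule. The same pair of functions works for any other file whose permissions a rule manages, since the file list is given as arguments.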


BMC Server Automation 8.2