Compliance Content updates for SP2-Patch 1
BMC Server Automation version 8.3 SP2 Patch 1 includes the following Content updates:
- Added support for new component templates
- Properties introduced for CIS Windows Server 2012 template
- New DISA STIG properties
Added support for new component templates
The following new component templates are supported:
Policy/Benchmark | Template | Template feature ID (used in silent installation) | Version | Release | Update |
---|---|---|---|---|---|
Defense Information Systems Agency (DISA) | DISA - Red Hat Enterprise Linux 5 | featureCisRedhat5Template | 1 | 4 | July 26, 2013 |
Defense Information Systems Agency (DISA) | DISA - Windows Server 2003 DC | featureDisaWin03R2DCTemplate | 6 | 1.30 | October 25, 2013 |
Defense Information Systems Agency (DISA) | DISA - Windows Server 2003 MS | featureDisaWin03R2MSTemplate | 6 | 1.30 | October 25, 2013 |
Center for Internet Security (CIS) | CIS - Windows Server 2012 | featureCisWin12Template | 1 | | January 31, 2013 |
Properties introduced for CIS Windows Server 2012 template
The following CIS properties are added for the CIS Windows Server 2012 template:
Property | Description | Default Value |
---|---|---|
ALLOW_PKU2U_AUTHENTICATION_REQUESTS | Allow PKU2U authentication requests to this computer to use online identities | 0-disable |
ALLOW_UNDOCK_WITHOUT_LOG_ON | Allow undock without having to log on configuration. | 1-Enable |
AUDIT_ACCESS_OF_GLOBAL_SYSTEM_OBJECTS | Audit access of global system objects configuration. | 0-disable |
AUDIT_INCOMING_NTLM_TRAFFIC | Configure Network security: Restrict NTLM: Audit Incoming NTLM Traffic | 0-disable |
AUDIT_NTLM_AUTHENTICATION_IN_THIS_DOMAIN | Configure Network security: Restrict NTLM: Audit NTLM authentication in this domain | 0-disable |
AUDIT_USE_OF_BACKUP_AND_RESTORE_PRIVILEGE | Audit use of backup and restore privilege configuration | 0-disable |
AUTO_REBOOT_AFTER_SYSTEM_CRASH | Allow Windows to automatically restart after a system crash configuration | 0-disable |
DCOM_MACHINE_ACCESS_RESTRICTIONS_SDDL | Configure DCOM Machine Access Restrictions in SDDL (Security Descriptor Definition Language) syntax. | O:BAG:BAD:(A;;CCDCLCSWRP;;;S-1-5-32-562) |
DCOM_MACHINE_LAUNCH_RESTRICTIONS_SDDL | Configure DCOM Machine Launch Restrictions in SDDL (Security Descriptor Definition Language) syntax. | |
DENY_LOG_ON_THROUGH_REMOTE_DESKTOP_SERVICES | Deny log on through Remote Desktop Services | none |
DISABLE_DOMAIN_CREDENTIALS | Do not allow storage of passwords and credentials for network authentication configuration. | 1-Enable |
DISPLAY_USER_INFO_WHEN_SESSION_IS_LOCKED | Interactive logon: Display user information when the session is locked configuration | |
ENABLE_ADMINISTRATIVE_SHARES | Enable Administrative Shares configuration | 1-Enable |
ENABLE_ICMP_REDIRECT | Allow ICMP redirects to override OSPF generated routes configuration | 0-disable |
ENCRYPTION_TYPE_FOR_KERBEROS | Configure encryption types allowed for Kerberos | |
ENCRYPTION_LEVEL_TYPE | Configure Encryption Level | 3 |
FORCE_KEY_PROTECTION | Configure Force strong key protection. | 2-User must enter a password each time they use a key |
FORCE_LOGOFF_WHEN_LOGON_HOURS_EXPIRE | Configure force log-off when logon hours expire. | 1-Enable |
HIDE_COMPUTER_FROM_THE_BROWSE_LIST | Hide Computer From the Browse List | 1-Enable |
INCOMING_NTLM_TRAFFIC | Configure Network security: Restrict NTLM: Incoming NTLM traffic | 0-Allow all |
KEEP_ALIVE_TIME | Interval, in milliseconds, at which TCP keep-alive packets are sent | 300000 |
LOG_ON_AS_A_SERVICE | Comma separated list of users and groups | none |
PERFORM_ROUTER_DISCOVERY | Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | 0-disable |
REQUIRE_SMART_CARD | Smart card required configuration | 1-Enable |
RENAME_ADMINISTRATOR_ACCOUNT | Rename of administrator account | |
RENAME_GUEST_ACCOUNT | Rename of Guest account | |
REMOTE_SERVERS_FOR_NTLM_AUTHENTICATION | Comma separated list of remote servers. | |
REMOTE_SERVERS_INDOMAIN_FOR_NTLM_AUTHENTICATION | Comma separated list of remote servers. | |
RESTRICT_CD-ROM_ACCESS_TO_INTERACTIVE_USER | Configure Restrict CD-ROM access to locally logged-on user only | 1-Enable |
RESTRICT_FLOPPY_ACCESS_TO_INTERACTIVE_USER | Configure Restrict floppy access to locally logged-on user only | 1-Enable |
NO_DEFAULT_EXEMPT | Configure IPSec exemptions for various types of network traffic | 3="Exempts ISAKMP only" |
NO_NAME_RELEASE_ON_DEMAND | Allow the computer to ignore NetBIOS name release requests except from WINS servers. | 1-Enable |
NTLM_AUTHENTICATION_IN_THIS_DOMAIN | Configure NTLM authentication in this domain | 0-disable |
NULL_SESSION_SHARES | Shares that can be accessed anonymously | null |
OPTIONAL_SUBSYSTEMS | Configure Optional subsystems | Posix |
OUTGOING_NTLM_TRAFFIC_TO_REMOTE_SERVERS | Configure Outgoing NTLM traffic to remote servers | 0-Allow all |
SERVER_SPN_TARGET_NAME_VALIDATION_LEVEL | Microsoft network server: Server SPN target name validation level configuration | 0-Off |
TCP_MAX_DATA_RETRANSMISSIONS | Number of times unacknowledged data is retransmitted. | 3 |
??TARGET.CIS Properties.ANONYMOUS_NAMED_PIPES?? | Named pipes that can be accessed anonymously. | |
??TARGET.CIS Properties.CIS_LEGAL_NOTICE_TEXT?? | Legal notice text configuration | |
??TARGET.CIS Properties.CIS_LEGAL_TITLE_TEXT?? | Legal notice title configuration | |
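The DCOM_MACHINE_ACCESS_RESTRICTIONS_SDDL and DCOM_MACHINE_LAUNCH_RESTRICTIONS_SDDL properties carry raw SDDL strings, and the only way to judge whether such a value is safe is to decode its ACEs. The following is an added example that is not BMC Server Automation code and not the template's own rule logic: it parses an SDDL string, maps the two-letter rights codes to DCOM rights (CC, DC, LC, SW, RP correspond to the five COM_RIGHTS_* bits in Microsoft's documented encoding) and reports ACEs that grant rights to Everyone or ANONYMOUS LOGON, or remote rights to anything other than Administrators and Distributed COM Users. That trusted-SID list, the helper names and the weakened SDDL used for comparison are this example's own assumptions.

```python
"""Audit a DCOM "Machine Access/Launch Restrictions" SDDL string.

Added example for the DCOM_MACHINE_*_RESTRICTIONS_SDDL properties above; it
is not BMC Server Automation code. The SDDL grammar and the mapping of the
two-letter rights codes to DCOM rights follow Microsoft's documented
encoding; which SIDs are "trusted" for remote access is this example's own
assumption.
"""
import re

# Two-letter SDDL rights codes and the DCOM right each one encodes.
RIGHT_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
RIGHT_NAMES = {
    0x01: "COM_RIGHTS_EXECUTE",
    0x02: "COM_RIGHTS_EXECUTE_LOCAL",
    0x04: "COM_RIGHTS_EXECUTE_REMOTE",
    0x08: "COM_RIGHTS_ACTIVATE_LOCAL",
    0x10: "COM_RIGHTS_ACTIVATE_REMOTE",
}
REMOTE_MASK = 0x04 | 0x10

# SDDL aliases for the well-known SIDs this check needs to recognise.
SID_ALIASES = {
    "BA": "S-1-5-32-544",   # BUILTIN\Administrators
    "WD": "S-1-1-0",        # Everyone
    "AN": "S-1-5-7",        # ANONYMOUS LOGON
    "AU": "S-1-5-11",       # Authenticated Users
}
BROAD_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON"}
# Assumption: only Administrators and Distributed COM Users may hold remote rights.
TRUSTED_REMOTE = {"S-1-5-32-544", "S-1-5-32-562"}


def decode_rights(text):
    """Turn an SDDL rights field ("CCDCLCSWRP" or "0x1f") into a bitmask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHT_BITS:
            raise ValueError("rights code %r is not a DCOM right" % code)
        mask |= RIGHT_BITS[code]
    return mask


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components and parse each DACL ACE into a dict."""
    parts = {m.group(1): m.group(2)
             for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    aces = []
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        fields = body.split(";")          # type;flags;rights;object;inherit;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE (%s)" % body)
        ace_type, _flags, rights, _object, _inherit, sid = fields
        aces.append({"type": ace_type,
                     "rights": decode_rights(rights),
                     "sid": SID_ALIASES.get(sid, sid)})
    owner = parts.get("O", "")
    group = parts.get("G", "")
    return {"owner": SID_ALIASES.get(owner, owner),
            "group": SID_ALIASES.get(group, group),
            "aces": aces}


def audit_dcom_sddl(sddl):
    """Return one finding per access-allowed ACE that grants DCOM rights too widely."""
    findings = []
    for ace in parse_sddl(sddl)["aces"]:
        if ace["type"] != "A":        # deny and audit ACEs grant nothing
            continue
        names = ",".join(n for bit, n in RIGHT_NAMES.items() if ace["rights"] & bit)
        if ace["sid"] in BROAD_PRINCIPALS:
            findings.append("%s granted %s" % (BROAD_PRINCIPALS[ace["sid"]], names))
        elif ace["rights"] & REMOTE_MASK and ace["sid"] not in TRUSTED_REMOTE:
            findings.append("%s granted remote rights: %s" % (ace["sid"], names))
    return findings


# The template's default (Distributed COM Users only) beside a weakened variant
# that also grants Everyone full access; the weak string is constructed here.
DEFAULT_ACCESS_SDDL = "O:BAG:BAD:(A;;CCDCLCSWRP;;;S-1-5-32-562)"
WEAK_ACCESS_SDDL = DEFAULT_ACCESS_SDDL + "(A;;CCDCLCSWRP;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_ACCESS_SDDL), ("weak", WEAK_ACCESS_SDDL)):
        print(label, audit_dcom_sddl(sddl) or "no findings")
```

The template default produces no findings; appending an Everyone ACE produces one. The same parser serves the launch-restrictions property, since the SDDL syntax is identical and only the meaning of the rights bits (launch/activate instead of access) changes.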
New DISA STIG properties
The following DISA properties are added in the local property class:
Property | DISA Template Version | Description | Default Value |
---|---|---|---|
ACL_ALLOWED_FILES | Red Hat Enterprise Linux 5 | Comma separated list of files that are allowed to have ACLs | /tmp,/pqr |
ACL_EXCEPTIONAL_LIST | Red Hat Enterprise Linux 5 | Comma separated list of ACLs to be excluded. | |
AIDE_CONF_PATH | Red Hat Enterprise Linux 5 | File location of aide configuration. | /etc/aide.conf |
ALIASES_FILE | Red Hat Enterprise Linux 5 | /etc/aliases file or equivalent | ??SENDMAIL_ALIASES?? |
ALLOWED_WINDOWS_FEATURES | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | These features will be allowed. | GPMC BACKUP BitLocker |
ALLOWED_FILES_WITH_UNEVEN_ | Red Hat Enterprise Linux 5 | List of allowed files with uneven permissions | |
ALWAYS_COMPLIANT | Windows Server 2003 DC, Windows Server 2003 MS | | TRUE |
ANONYMOUS_FTP_EMAIL_ID | Red Hat Enterprise Linux 5 | Email ID used for anonymous ftp test. | |
APPLICATION_ACCOUNTS | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Comma separated list of application accounts | Guest,Application |
APPLICATION_GROUP | Red Hat Enterprise Linux 5 | Semicolon separated list of application groups | |
APPLICATION_USER | Red Hat Enterprise Linux 5 | Semicolon separated list of application users | root |
APPROVED_SHELLS | Red Hat Enterprise Linux 5 | Comma separated list of approved shells | /usr/bin/false,/bin/false,/dev/null,/sbin/nologin,/bin/sync,/sbin/halt,/sbin/shutdown |
AT_ALLOW_USER_LIST | Red Hat Enterprise Linux 5 | Pipe separated list of users allowed to submit 'at' jobs. | |
AT_DENY_USER_LIST | Red Hat Enterprise Linux 5 | Pipe separated list of users denied from submitting 'at' jobs. | |
AT_SPOOL_DIR | Red Hat Enterprise Linux 5 | Location of at spool directory | /var/spool/at |
AUDISP_SYSLOG_CONF_PATH | Red Hat Enterprise Linux 5 | File location of audisp and syslog. | /etc/audisp/plugins.d/syslog.conf |
AUDIT_MAIL_ACCNT | Red Hat Enterprise Linux 5 | Audit mail account. | root |
AUDIT_RULES | Red Hat Enterprise Linux 5 | Audit Rules | \-a,\-w |
AUDIT_RULES_COMMAND | Red Hat Enterprise Linux 5 | Command - Audit | auditctl -l |
AUDIT_RULES_FILE | Red Hat Enterprise Linux 5 | Path to audit.rules file | /etc/audit/audit.rules |
AUDITD_CONF_PATH | Red Hat Enterprise Linux 5 | File location of auditd configuration. | /etc/audit/auditd.conf |
AUDITD_RESTART_COMMAND | Red Hat Enterprise Linux 5 | Command for auditd restart | /etc/rc.d/init.d/auditd restart |
AUDITORS_GROUP | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Auditors group | Auditors |
AUTHPRIV_LOG_FILTER | Red Hat Enterprise Linux 5 | The authpriv selector to be used in /etc/syslog.conf | authpriv |
AUTHPRIV_SYSLOG_LOG_LIST | Red Hat Enterprise Linux 5 | syslog authpriv action list | /var/log/secure |
BACKUP_DEVICES | Red Hat Enterprise Linux 5 | Comma separated list of backup devices | |
BACKUP_USERS | Red Hat Enterprise Linux 5 | Semicolon separated list of backup users. | root |
BANNER_FILE_NAMES | Red Hat Enterprise Linux 5 | Banner File Names | /etc/issue |
BANNER_MSG1 | Red Hat Enterprise Linux 5 | Banner Message | |
BANNER_LONG_PART1 | Red Hat Enterprise Linux 5 | Banner Information Line 1 | |
BANNER_LONG_PART2 | Red Hat Enterprise Linux 5 | Banner Information Line 2 | |
BANNER_LONG_PART3 | Red Hat Enterprise Linux 5 | Banner Information Line 3 | |
BANNER_LONG_PART4 | Red Hat Enterprise Linux 5 | Banner Information Line 4 | |
BANNER_LONG_PART5 | Red Hat Enterprise Linux 5 | Banner Information Line 5 | |
BANNER_LONG_PART6 | Red Hat Enterprise Linux 5 | Banner Information Line 6 | |
BANNER_LONG_PART7 | Red Hat Enterprise Linux 5 | Banner Information Line 7 | |
DEBUG_PROGRAMS | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | List for User Right - Debug Programs | Administrators |
CRASH_DUMP_SUPPORTED_FS_ | Red Hat Enterprise Linux 5 | Comma separated list of file system types that support crash dumps | ext3,ext2,nfs |
CRON_DENIED_USER_LIST | Red Hat Enterprise Linux 5 | Pipe separated list of users denied cron access | daemon|bin |
CRON_GLOBAL_FILES | Red Hat Enterprise Linux 5 | Space separated list of global cron files | /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly |
CRON_LOG_FILTER | Red Hat Enterprise Linux 5 | The cron selector to be used in /etc/syslog.conf | cron |
CRON_SYSLOG_LOG_LIST | Red Hat Enterprise Linux 5 | syslog cron action list | /var/log/cron |
CONFIGURATION_LEVELS | Red Hat Enterprise Linux 5 | Configuration levels represent increasing levels of security assurance | All |
CONSOLE_PERM_FILE | Red Hat Enterprise Linux 5 | This file determines the permissions given to privileged users of the console at login time, and the permissions to revert to when the users log out. | /etc/security/console.perms |
CENTRALIZED_SYSLOG_SERVERS | Red Hat Enterprise Linux 5 | The FQ_HOST server property of systems that are authorized syslog servers. | |
CMDEXEC_ROOT_ENV | Red Hat Enterprise Linux 5 | Command to fetch root environment | su -c env - root |
COMMUNITY_PASSWORD | Red Hat Enterprise Linux 5 | The community name or password in snmpd.conf file | public,private,snmp-trap,password |
CUPSD_ACCESS_TO_SPECIFIC_ | Red Hat Enterprise Linux 5 | Comma separated list of hosts allowed to have access to cupsd | @LOCAL |
CUPSD_CONF_FILE_PATH | Red Hat Enterprise Linux 5 | cupsd.conf file path | /etc/cups/cupsd.conf |
BOOTLOADER_PATH | Red Hat Enterprise Linux 5 | The path of the bootloader on the system. | /boot/grub/grub.conf |
BOOT_LOADER_CONFIG_FILE | Red Hat Enterprise Linux 5 | This file specifies the config details of boot loader. By default, it is /boot/grub/grub.conf. | /etc/security/access.conf |
BLOCKED_FTPUSERS | Red Hat Enterprise Linux 5 | List of users to whom ftp access must be blocked separated by newline character (\n) | nobody |
DEFAULT_CRASH_DIRECTORY | Red Hat Enterprise Linux 5 | Default File location - Crash Directory | /var/crash |
DEFAULT_SHELL_FOR_USER | Red Hat Enterprise Linux 5 | Default Shell for user | /bin/sh |
DEFAULT_SHELLS_TOBE_ | Red Hat Enterprise Linux 5 | Pipe separated list of shells to be used in /etc/shells. These values are added to /etc/shells if the file does not exist or is empty. | |
DENY_LOGON_THROUGH_ | Windows Server 2003 DC, Windows Server 2003 MS | If Terminal Services is in use, set the value to Guests; otherwise set it to Everyone. | Everyone |
DHCLIENT_CONF_PATH | Red Hat Enterprise Linux 5 | File Path - DHCP Configuration | /etc/dhclient.conf |
DISA_LEGAL_NOTICE_TEXT | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal Notice text | |
DISA_LEGAL_NOTICE_TEXT_1 | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal Notice text. | |
DISA_LEGAL_NOTICE_TEXT_2 | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal Notice text. | |
DISA_LEGAL_NOTICE_TEXT_3 | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal Notice text. | |
DISA_LEGAL_NOTICE_TEXT_4 | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal Notice text. | |
DISA_LEGAL_TITLE_TEXT | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DISA Legal title | |
DOD_APRVD_TLC_CERT_PATH | Red Hat Enterprise Linux 5 | DoD approved TLS certificate path | /etc/pki/tls/cert.pem |
DOMAIN_ACCOUNTS_WITH_CAC | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Comma separated list of domain accounts requiring a smart card (CAC) | |
DOMAIN_SUPPORTS_EXCHANGE_ | Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | DOMAIN SUPPORTS EXCHANGE 2003 | FALSE |
DOMAIN_SUPPORTS_EXCHANGE_ | Windows Server 2003 DC, Windows Server 2003 MS | DOMAIN SUPPORTS EXCHANGE 2003 SERVERS | 1 |
EO_TIMEOUT | Red Hat Enterprise Linux 5 | Time out in minutes value for EO execution | 0 |
ETC_SHELLS_PATH | Red Hat Enterprise Linux 5 | Path of the /etc/shells file. | /etc/shells |
EXCLUDE_HOME_DIR_USER_LIST | Red Hat Enterprise Linux 5 | Comma separated list of users to be excluded from compliance where shared home directory is present | rdsmon,rdsroot |
EXCLUDED_USER_LIST | Red Hat Enterprise Linux 5 | Comma separated list of the users to be excluded from compliance check. | root,sync,shutdown,halt |
EVENT_LOGS_DIR | Windows Server 2003 DC, Windows Server 2003 MS | Event log directory | ??TARGET.SYSTEMROOT??/System32/config |
EVENT_LOGS_DIR | Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Event log directory | ??TARGET.SYSTEMROOT??/System32/Winevt/Logs |
FRS_DIRECTORY_DATA_LOCATION | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | FRS directory data location | /C/Windows/NTDS/ |
FIND_FILES_TIMEOUT | Red Hat Enterprise Linux 5 | Time out in minutes value for find files | 0 |
FIND_SOUND_DEVICE_CMD | Red Hat Enterprise Linux 5 | Command - Find audio device | find /dev/audio /dev/snd -type c; exit 0 |
FIPS_CRYPT_ALGO | Red Hat Enterprise Linux 5 | FIPS 140-2 approved cryptographic algorithms. | aes128-ctr,aes192-ctr,aes256-ctr,3des256,3des128-ctr,3des192 |
FIPS_HASHING_ALGO | Red Hat Enterprise Linux 5 | Pipe separated list of FIPS approved cryptographic hashing algorithms | sha256|sha512 |
FSTAB_FILE_PATH | Red Hat Enterprise Linux 5 | the path for system configuration file fstab | /etc/fstab |
FTP_PASSWORD | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | FTP password | password |
FTP_PORT | Red Hat Enterprise Linux 5 | Port on which ftp service is run within the organization (default 21). | 21 |
FTP_USER | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | FTP user | anonymous |
FTP_USERS_FILES | Red Hat Enterprise Linux 5 | The list of ftpusers file. | /etc/ftpusers /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers |
GNOME_BANNER_MESSAGE | Red Hat Enterprise Linux 5 | Gnome Banner Message | |
GLOBAL_INITIALIZATION_FILES | Red Hat Enterprise Linux 5 | All the global initialization files that are used to configure the users shell environment upon login. | /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* |
GRUB_CONF_PATH | Red Hat Enterprise Linux 5 | File location of grub configuration. | /boot/grub/grub.conf |
GRUB_MENU_LST_PATH | Red Hat Enterprise Linux 5 | Grub menu.lst file path. | /boot/grub/menu.lst |
GSSFTP_SERVICES_ENCRYPTED | Red Hat Enterprise Linux 5 | Whether GSSFTP services are encrypted (Y/N) | N |
GSSFTP_USER_FILE | Red Hat Enterprise Linux 5 | The path for ftpusers file used for gssftp service. | /etc/ftpusers |
HIDS_INSTALLED | Red Hat Enterprise Linux 5 | Is HIDS Installed | FALSE |
HIPS | Red Hat Enterprise Linux 5 | Daemon process name for the host-based intrusion detection application. | |
HIPS_DEAMON_NAME | Red Hat Enterprise Linux 5 | The name of the host-based intrusion detection application daemon | Hip |
HIPS_PACKAGE_NAME | Red Hat Enterprise Linux 5 | The name of the rpm package for the host-based intrusion detection application | MFEhiplsm |
HIPS_PACKAGE_NAME | Red Hat Enterprise Linux 5 | The name of rpm package for host-based intrusion detection application | MFEhiplsm |
INND_SPEC_FILE | Red Hat Enterprise Linux 5 | file where you specify which hosts will be feeding you news using the NNTP protocol. | /etc/news/incoming.conf |
INND_UNRESTRICTED_HOSTS_FILE | Red Hat Enterprise Linux 5 | File whose purpose is to cross reference those hosts that have unrestricted incoming connection limits. | /etc/news/infeed.conf |
IS_ALL_INTERFACES_AUTHORIZED_ | Red Hat Enterprise Linux 5 | If all interfaces on the system are authorized for management traffic | FALSE |
IS_AUDIT_LOG_ARCHIVED | Windows Server 2003 DC, Windows Server 2003 MS | Whether audit logs are archived | TRUE |
IPV6_TRANSITION_COMPLETE | Windows Server 2008 DC, Windows Server 2008 MS | IPv6 Transition Complete | FALSE |
IS_DHCP_CLIENT_ENABLED | Red Hat Enterprise Linux 5 | Indicates whether the DHCP client is enabled or disabled. Possible values: yes/no | no |
IS_GOLD_DISK | Windows Server 2008 DC | TRUE if the target server is a Gold Disk. | TRUE |
IS_F_SECURE_SSH_SERVER_ | Red Hat Enterprise Linux 5 | If the SSH server is F-Secure | FALSE |
IS_PROCESS_CORE_DUMPS_ | Red Hat Enterprise Linux 5 | Specifies whether process core dumps have been approved by the IAO. By default they are not approved and the value is FALSE. | FALSE |
IS_SYSLOG_ALTERNATE_ACCESS_ | Red Hat Enterprise Linux 5 | Instead of syslog, checks whether an alternate access control program is used that successfully logs access attempts | FALSE |
IS_SYSTEM_CONNECTED_TO_GIG | Red Hat Enterprise Linux 5 | Set to FALSE if the system is part of a stand-alone network that is not connected to the GIG. | TRUE |
JOURNALING_SUPPORTED_ | Red Hat Enterprise Linux 5 | Comma separated list of file systems that support journaling | ext3,ext4,jfs,vxfs,xfs,reiserfs,zfs,udf |
KERNEL_CORE_DUMP_DIRECTORY | Red Hat Enterprise Linux 5 | the kernel core dump data directory path | /var/crash |
LDAP_CONF_FILE | Red Hat Enterprise Linux 5 | LDAP configuration file path | /etc/ldap.conf |
LOCAL_ADMINISTRATOR_ | Windows Server 2003 MS, Windows Server 2008 MS, Windows Server 2008 R2 MS | Comma separated list of local administrator accounts | |
LOGHOSTS_SEND | Red Hat Enterprise Linux 5 | The documented value or values for the remote log host | |
LOGIN_ACCESS_CONTROL_FILE | Red Hat Enterprise Linux 5 | login access control table file | /etc/security/access.conf |
MAIL_ALIAS_CONF_FILE | Red Hat Enterprise Linux 5 | This file contains the mail alias entries for system program | /etc/aliases |
MAIL_SYSLOG_LOG_LIST | Red Hat Enterprise Linux 5 | syslog mail action list | /var/log/maillog |
MAIL_LOG_FILTER | Red Hat Enterprise Linux 5 | The mail selector to be used in /etc/syslog.conf | |
MAX_DISPLAY | Red Hat Enterprise Linux 5 | Maximum lines to be displayed | all |
MAX_INFO_LINES | Red Hat Enterprise Linux 5 | Maximum info lines to be displayed | all |
MAXLOGINS | Red Hat Enterprise Linux 5 | Maximum number of simultaneous logins per user. | 10 |
MAX_OUTPUT_LINES | Red Hat Enterprise Linux 5 | Number of output lines an EO may produce; OM does not parse output longer than 50000 lines. | 1000 |
MANUAL_PAGE_FILES | Red Hat Enterprise Linux 5 | Manual page files | /usr/share/man/* /usr/share/info/* /usr/share/infopage/* |
MESSAGES_SYSLOG_LOG_LIST | Red Hat Enterprise Linux 5 | syslog message action list | /var/log/messages |
MODPROBE_CONF_PATH | Red Hat Enterprise Linux 5 | File location of modprobe configuration. | /etc/modprobe.conf |
NETWORK_HOST_ACCESS_FILES | Red Hat Enterprise Linux 5 | Comma separated list of network host access files | .rhosts,.shosts,.netrc |
NEWS_INCOMING_CONF_FILE | Red Hat Enterprise Linux 5 | Location of incoming news configuration file. | /etc/news/incoming.conf |
NFS_EXPORTS_CONF_FILE | Red Hat Enterprise Linux 5 | The NFS export configuration file path | /etc/exports |
NFS_EXPORTS_SQUASH_OPTION_ | Red Hat Enterprise Linux 5 | The squash option to be used in NFS exports (usually /etc/exports) file. | root_squash |
NON_LOGIN_SHELLS | Red Hat Enterprise Linux 5 | Non-login shells | |
NON_APPROVED_DEVICE_ | Red Hat Enterprise Linux 5 | Semicolon separated list of removable media, remote file systems, and any file system not containing approved device files. | |
NSSWITCH_CONF_FILE | Red Hat Enterprise Linux 5 | Location of nsswitch configuration file. | /etc/nsswitch.conf |
NTP_AUTHORIZED_SERVER | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | NTP authorized time server | |
NTP_CONF_PATH | Red Hat Enterprise Linux 5 | File location of NTP configuration. | /etc/ntp.conf |
NTP_ENCLAVE | Red Hat Enterprise Linux 5 | Comma separated list of NTP enclave servers. | 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org |
NOGROUP_FILE_GROUP | Red Hat Enterprise Linux 5 | NOGROUP | root |
OS_LATEST_RELEASE | Red Hat Enterprise Linux 5 | OS Latest release | ON |
OPTIONAL_SUBSYSTEMS | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | V-4445 Optional Subsystems | Posix |
OTHER_SYSTEM_GROUP | Red Hat Enterprise Linux 5 | The groups other than root, sys, bin, other, system. | |
PAM_SYSTEM_AUTH_FILE | Red Hat Enterprise Linux 5 | The pam system-auth file path | /etc/pam.d/system-auth |
POSTFIX_ALIASES | Red Hat Enterprise Linux 5 | File location of Postfix - aliases | /etc/postfix/aliases |
POSTFIX_ALIASES_DB | Red Hat Enterprise Linux 5 | File location of Postfix - aliases.db | /etc/postfix/aliases.db |
POSTFIX_MAIN_CF | Red Hat Enterprise Linux 5 | Postfix main.cf configuration file | /etc/postfix/main.cf |
PRINTER_SERVICE_CONF_FILE | Red Hat Enterprise Linux 5 | path for print service configuration file | /etc/cups/printers.conf |
REM_DIR_PREFIX | Red Hat Enterprise Linux 5 | Temporary directory internally used by system to keep remediation related files. | DISA |
REMEDIATE_SETTING_FOR_GPO | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Remediation setting for GPO | Default Domain Controller Security Policy and Default Domain Security Policy |
REMOTE_LOGGING_SERVER | Red Hat Enterprise Linux 5 | Remote logging Server | test-server |
REMOVE_PACKAGES | Red Hat Enterprise Linux 5 | Packages to remove | |
RESTRICTED_FTP_USERS | Red Hat Enterprise Linux 5 | The names of all accounts not authorized to use FTP, separated by | (pipe). For reference, the bin and root accounts are included. | bin|root |
RSYSLOG_CONF_PATH | Red Hat Enterprise Linux 5 | File location of the syslog configuration. | /etc/syslog.conf |
REQUIRED_MODPROBE_ | Red Hat Enterprise Linux 5 | List of all required applications for modprobe | |
REQUIRED_SAMBA_SWAT_PKG | Red Hat Enterprise Linux 5 | This property defines the name of the samba swat package in use. Keep empty if no package is in use. | TRUE |
RPM_SIGNATURE_FILES | Red Hat Enterprise Linux 5 | Space separated list of files used to verify RPM signatures. | /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc /root/.rpmrc |
SAMBA_AUTHORIZED_HOSTS | Red Hat Enterprise Linux 5 | This parameter is a comma delimited set of hosts which are permitted to access a samba service | 127 |
SAMBA_CONF_FILE | Red Hat Enterprise Linux 5 | Samba configuration file path | /etc/samba/smb.conf |
SAMBA_PASSWORD_FILES | Red Hat Enterprise Linux 5 | SAMBA_PASSWORD_FILES | /etc/samba/passdb.tdb /etc/samba/secrets.tdb |
SECURE_TERMINALS | Red Hat Enterprise Linux 5 | Comma separated list of valid terminals that may be logged in directly as root | console,tty |
SENDMAIL_ALIASES | Red Hat Enterprise Linux 5 | Location of aliases | /etc/aliases |
SENDMAIL_ALIASES_DB | Red Hat Enterprise Linux 5 | File location of SendMail - aliases.db | /etc/aliases.db |
SENDMAIL_ALIASES_DB_GRP | Red Hat Enterprise Linux 5 | SendMail Aliases DB Group | smmsp |
SENDMAIL-CONF-FILE | Red Hat Enterprise Linux 5 | The sendmail configuration file path | /etc/mail/sendmail.cf |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Specifies comma separated list of services whose startup type should be Automatic (see "Default value for SERVICES_CHECK_STARTUP_AUTOMATIC" below) | |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Specifies comma separated list of services whose startup type should be Automatic (delayed) | Diagnostic Policy Service,Distributed Transaction Coordinator,Software Protection,Windows Remote Management (WS-Management),Windows Update,Network Policy Server |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS | Specifies comma separated list of services whose startup type should be Disabled | Alerter,Application Layer Gateway Service,Application Management,ASP .NET State Service,Certificate Services,Client Service for NetWare,ClipBook,Cluster Service,COM+ System Application,DHCP |
SERVICES_CHECK_STARTUP_ | Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Specifies comma separated list of services whose startup type should be Disabled | Computer Browser,Internet Connection Sharing (ICS),PnP-X IP Bus Enumerator,Routing and Remote Access,SSDP Discovery,UPnP Device Host,Net.Tcp Port Sharing Service |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS | Specifies comma separated list of services whose startup type should be Disabled | Wireless Configuration,World Wide Web Publishing Service |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 DC, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Specifies comma separated list of services whose startup type should be Manual | |
SERVICES_CHECK_STARTUP_ | Windows Server 2008 DC | Specifies comma separated list of services whose startup type should be Manual | SL UI Notification Service,Smart Card,Smart Card Removal Policy,SNMP Trap,Special Administration Console Helper,Telephony,Terminal Services Configuration,Terminal Services UserMode Port Redirector,Thread |
SERVICES_CHECK_STARTUP_ | Windows Server 2003 DC, Windows Server 2003 MS, Windows Server 2008 MS, Windows Server 2008 R2 DC, Windows Server 2008 R2 MS | Specifies comma separated list of services whose startup type should be Manual | Windows Modules Installer,WinHTTP Web Proxy Auto-Discovery Service,Wired AutoConfig,WMI Performance Adapter,Windows CardSpace,Windows Presentation Foundation Font Cache 3.0.0.0,Remote Desktop Configuration,Remote Desktop Services UserMode Port,Windows Process Activation |
TIME_SYNC_SOURCE | All versions | Specifies the type of time synchronization source to be used. Possible values: Nt5DS, NTP, or AllSync. | |
TCP_BACKLOG | Red Hat Enterprise Linux 5 | TCP backlog queue size | 1280 |
TFTP_USER | Red Hat Enterprise Linux 5 | Dedicated TFTP user account | tftp |
SKELETON_DIRECTORY | Red Hat Enterprise Linux 5 | The skeleton directory that contain skeleton files | /etc/skel |
SMTP_VERSION | Red Hat Enterprise Linux 5 | The version of SMTP service | 8.13.8 |
SNMPD_CONF_FILE | Red Hat Enterprise Linux 5 | The default path for snmpd.conf file | /etc/snmp/snmpd.conf |
SPECIAL_PRIVILEGE_ACCOUNTS | Red Hat Enterprise Linux 5 | The comma seperated list of accounts with special privileges such as shutdown, halt, reboot. | shutdown,halt,reboot |
SSHD_CONFIG_FILE | Red Hat Enterprise Linux 5 | sshd_config file path | /etc/ssh/sshd_config |
SUPPORTED_FS_TYPE | Red Hat Enterprise Linux 5 | Supported file system types for partitions like /home, etc | ext2,ext3,ext4,jfs,vxfs,hfs,xfs,reiserfs,zfs |
SYSCONFIG_NETWORK_FILE | Red Hat Enterprise Linux 5 | File location sysconfig - network. | /etc/sysconfig/network |
SYSCTL_CONF_PATH | Red Hat Enterprise Linux 5 | File location - sysctl configuration. | /etc/sysctl.conf |
SYSCTL_PATH | Red Hat Enterprise Linux 5 | Path of sysctl | /sbin/sysctl |
SYSLOG_CONF_PATH | Red Hat Enterprise Linux 5 | The syslog.conf configuration file path | /etc/syslog.conf |
SYSLOG_APPROVED_REMOTE_ | Red Hat Enterprise Linux 5 | Pipe separated list of approved remote syslog servers | |
SYSTEM_GROUP | Red Hat Enterprise Linux 5 | Group name for the public directory | root |
SYSTEM_USER | Red Hat Enterprise Linux 5 | System User | root |
UNIX_SYSTEM_ACCOUNTS | Red Hat Enterprise Linux 5 | Unix System Accounts | root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, nobody, rpm, dbus, avahi, nscd, mailnull, smmsp, vcsa, haldaemon, rpc, rpcuser, sshd, pcap, ntp, xfs, gdm, sabayon, squid, aaa, testapp |
UNIX_SYSTEM_GROUPS | Red Hat Enterprise Linux 5 | Comma separated list of Unix system groups. | root, bin, daemon, sys, adm, tty, disk, lp, mem, kmem, wheel, mail, news, uucp, man, games, gopher, dip, ftp, lock, nobody, users, nscd, floppy, vcsa, audio, utmp, rpc, mailnull, smmsp, pcap, utempter, slocate, sshd, rpcuser, dbus, |
UMASK_GLOBAL_INITIALIZATION_ | Red Hat Enterprise Linux 5 | Specify global initialization files for the configured umask value | /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/* |
UNNECESSARY_ACCOUNTS | Red Hat Enterprise Linux 5 | Comma separated list of unnecessary accounts: user accounts for individuals not requiring access to the system, and application accounts for applications not installed on the system. | |
UNOWNED_FILE_USER | Red Hat Enterprise Linux 5 | UNOWNED FILE USER | root |
VSFTP_USER_FILE | Red Hat Enterprise Linux 5 | The path for ftpusers file used for vsftp service. | /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers |
VSFTPD_SERVICES_ENCRYPTED | Red Hat Enterprise Linux 5 | TO CHECK IF VSFTPD SERVICES ARE ENCRYPTED OR NOT | N |
VSFTPD_CONF_FILE_PATH | Red Hat Enterprise Linux 5 | vsftpd.conf file path | /etc/vsftpd/vsftpd.conf |
XINETD_CONF_FILE_PATH | Red Hat Enterprise Linux 5 | Xinetd configuration file path (default value is /etc/xinetd.conf) | /etc/xinetd.conf |
X_SERVER_NC_OPTIONS | Red Hat Enterprise Linux 5 | Pipe separated list of non compliant X server options. An X server must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. | -ac|-core|-nolock |
X_AUTHORIZED_HOSTS | Red Hat Enterprise Linux 5 | Comma separated list of X authorized hosts, for example a.b.c.d:0,p.q.r/unix:0,10.20.20.80:1. If empty, the SA trusts the configured system. | |
Default value for BANNER_MSG1, BANNER_LONG_PART1, BANNER_LONG_PART2, BANNER_LONG_PART3, BANNER_LONG_PART4, BANNER_LONG_PART5, BANNER_LONG_PART6, BANNER_LONG_PART7, DISA_LEGAL_NOTICE_TEXT_1, DISA_LEGAL_NOTICE_TEXT_2, DISA_LEGAL_NOTICE_TEXT_3, DISA_LEGAL_NOTICE_TEXT_4, and GNOME_BANNER_MESSAGE:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Default value for SERVICES_CHECK_STARTUP_AUTOMATIC
Base Filtering Engine,COM+ Event System,Cryptographic Services,DCOM Server Process Launcher,Desktop Window Manager Session Manager,DHCP Client,Distributed Link Tracking Client,DNS Client,Group Policy Client,IP Helper,Network Location Awareness,Network Store Interface Service,Plug and Play,Power,Print Spooler,Remote Procedure Call (RPC),Remote Registry,RPC Endpoint Mapper,Security Accounts Manager,Shell Hardware Detection,System Event Notification Service,Task Scheduler,TCP/IP NetBIOS Helper,User Profile Service,Windows Event Log,Windows Firewall,Windows Management Instrumentation,Windows Time,Workstation,Active Directory Certificate Services,Active Directory Domain Services,Active Directory Web Services,DFS Namespace,DFS Replication,DNS Server,Intersite Messaging,Kerberos Key Distribution Center,DHCP Server,DNS Server,Workstation,Hyper-V Image Management Service,Hyper-V Networking Management Service,Virtual Machine Management Service,Print Spooler,Remote Desktop Services,Application Host Helper Service,World Wide Web Publishing Service
Default value for SERVICES_CHECK_STARTUP_MANUAL
Application Experience,Application Identity,Application Information,Application Layer Gateway Service,Application Management,Background Intelligent Transfer Service,Certificate Propagation,COM+ System Application,Credential Manager,Diagnostic Service Host,Diagnostic System Host,Disk Defragmenter,Encrypting File System (EFS),Extensible Authentication Protocol,Function Discovery Provider Host,Function Discovery Resource Publication,Health Key and Certificate Management,Human Interface Device Access,IKE and AuthIP IPsec Keying Modules,Interactive Services Detection,IPsec Policy Agent,KtmRm for Distributed Transaction Coordinator,Link-Layer Topology Discovery Mapper,Microsoft .NET Framework NGEN v2.0.50727_X64,Microsoft .NET Framework NGEN v2.0.50727_X86,Microsoft Fibre Channel Platform Registration Service,Microsoft iSCSI Initiator Service,Microsoft Software Shadow Copy Provider,Multimedia Class Scheduler,Netlogon,Network Access Protection Agent,Network Connections,Network List Service,Performance Counter DLL Host,Performance Logs & Alerts,Portable Device Enumerator Service,Problem Reports and Solutions Control Panel Support,Protected Storage,Remote Access Auto Connection Manager,Remote Access Connection Manager,Remote Desktop Configuration,Remote Desktop Services,Remote Desktop Services UserMode Port Redirector,Remote Procedure Call (RPC) Locator,Resultant Set of Policy Provider,Secondary Logon,Secure Socket Tunneling Protocol Service,Smart Card,SNMP Trap,Special Administration Console Helper,SPP Notification Service,Telephony,Thread Ordering Server,TP AutoConnect Service,TPM Base Services,Virtual Disk,Volume Shadow Copy,Windows Audio,Windows Audio Endpoint Builder,Windows Color System,Windows Driver Foundation - User-mode Driver Framework,Windows Error Reporting Service,Windows Event Collector,Windows Font Cache Service,Windows Installer
For existing properties in the Server built-in property class, see DISA-properties-in-the-Server-built-in-property-class.