Unsupported content: This version of the documentation is no longer supported, but it remains available for your convenience.

Issues in CIS compliance analysis and remediation


The following issues and limitations exist for compliance analysis and remediation using CIS component templates:

  • For certain rules, the CIS benchmark does not recommend a value. Such rules in the component template for CIS on Windows Server 2008 always return compliant status; for these rules a compliant result does not mean the setting was compared against a recommended value.
  • For the Enterprise Domain Controller, SSLF Member Server, and SSLF Domain Controller profiles, the recommended value of rule 1.8.36, User Rights: Log on as a batch job, is No one. However, the rule also treats a null value and the BladeLogicRSCD agent account as compliant, because the RSCD agent requires this user right to run batch jobs on the target.
  • Not all rules in the component template for CIS on Windows Server 2008 can be remediated; a rule can be remediated only if a remediation package is associated with it.
  • For rules in the CIS - Red Hat Enterprise Linux 5 template that use the findfiles cache, if a rule is non-compliant and you remediate it, you must refresh the findfiles cache afterwards so that it reflects the changes made on the target server. Until the cache is refreshed, the rule continues to display non-compliant status after remediation, because the check reads the cached file list rather than the live file system. The following rules use the findfiles cache: 1.1.17, 5.3.12, 10.23, 10.24, 10.25, 10.26, and 10.27.
     By default, the findfiles cache is refreshed in the following cases:
    • When CACHE_HRS time elapses from the last time the cache was created
    • If the cache is not present on the target server in the staging directory
  • For rules in the CIS - Red Hat Enterprise Linux 5 template that check for the presence of parameters in configuration files, if a configuration file contains multiple entries for a parameter, the rule displays non-compliant (Not Reviewed) status. Remediation does not remove the duplicate entries, so the rule continues to display non-compliant (Not Reviewed) status after remediation.
  • For CIS - Red Hat Enterprise Linux 5 rule 1.1.17, the compliance run creates an intermediate file on the target that lists the non-compliant entries it found, for example files in the Transactions directory under the NSH directory on the target. Remediation of this rule fixes every entry in that intermediate file. However, starting a remediation job itself creates new files in the Transactions directory, and those files are not in the intermediate file because they did not exist when compliance was analyzed. The rule is therefore reported as non-compliant again even though the previous remediation succeeded; this rule always shows a non-compliant value after remediation.
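The stale-cache behaviour described for the findfiles rules, shown as an added illustration that is not BMC's code: a rule reads a cached find listing from a staging directory, the cache is rebuilt only when it is missing or older than CACHE_HRS (the two default refresh cases), and remediation fixes the files on disk without touching the cache, so the rule keeps reporting non-compliant until the cache is rebuilt. The staging directory, cache file name, sample world-writable files and the permission check itself are assumptions made for the example; the real findfiles cache and rule logic are not shown on this page.

```shell
#!/bin/sh
# Illustrative model of a cache-backed file check and of why its status goes stale
# after remediation. This is NOT BMC's findfiles implementation: the staging
# directory, cache file name and the sample files below are all constructed.
STAGING="${STAGING:-$(mktemp -d)}"   # stands in for the agent's staging directory
CACHE="$STAGING/findfiles.cache"
CACHE_HRS="${CACHE_HRS:-24}"          # cache lifetime in hours
TARGET_ROOT="$STAGING/root"           # constructed target file system

# Constructed target: two world-writable files (the findings) and one clean file.
setup_target() {
  mkdir -p "$TARGET_ROOT/tmp" "$TARGET_ROOT/var"
  : > "$TARGET_ROOT/tmp/ww1"; chmod 666 "$TARGET_ROOT/tmp/ww1"
  : > "$TARGET_ROOT/var/ww2"; chmod 666 "$TARGET_ROOT/var/ww2"
  : > "$TARGET_ROOT/var/ok";  chmod 644 "$TARGET_ROOT/var/ok"
}

# Rebuild the cache: one expensive find over the target, stored in staging.
refresh_cache() {
  find "$TARGET_ROOT" -type f -perm -0002 > "$CACHE"
}

# Rebuild only when the cache is missing or older than CACHE_HRS
# (the two default refresh cases). Uses GNU find's -mmin.
ensure_cache() {
  if [ ! -f "$CACHE" ] || [ -n "$(find "$CACHE" -mmin "+$((CACHE_HRS * 60))")" ]; then
    refresh_cache
  fi
}

# The rule reads the cached listing, not the live file system.
check_rule() {
  ensure_cache
  if [ -s "$CACHE" ]; then echo non-compliant; else echo compliant; fi
}

# The same rule evaluated against the live file system, for comparison.
live_check() {
  if [ -n "$(find "$TARGET_ROOT" -type f -perm -0002)" ]; then
    echo non-compliant
  else
    echo compliant
  fi
}

# Remediation fixes every cached finding on disk but never touches the cache.
remediate_rule() {
  while IFS= read -r f; do
    if [ -f "$f" ]; then chmod o-w "$f"; fi
  done < "$CACHE"
}

# Full cycle: fresh cache -> remediate -> stale cache -> forced refresh.
run_cycle() {
  rm -f "$CACHE"; setup_target
  before=$(check_rule)
  remediate_rule
  stale=$(check_rule); live=$(live_check)
  refresh_cache
  after=$(check_rule)
  echo "before=$before stale=$stale live=$live after=$after"
}

run_cycle
```

The middle of the cycle is the point of the page's note: the files are already fixed (`live=compliant`) while the cached rule still says non-compliant, and only an explicit rebuild of the cache, rather than waiting for CACHE_HRS to elapse, brings the two into agreement.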

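The duplicate-parameter behaviour described above, as an added illustration that is not BMC's template code: a line-based check reports Not Reviewed whenever a parameter is defined more than once, a remediation that only appends the wanted line leaves the duplicates in place (so the status does not change), and a remediation that first removes every active definition produces a single entry the check can evaluate. The sample sshd_config fragment, the parameter name and the expected value are constructed for the example.

```shell
#!/bin/sh
# Illustrative check for a single-valued parameter in a configuration file and
# two remediation strategies. Not BMC's template code: the file, the parameter
# and the expected value are constructed for the example.
CONF="${CONF:-$(mktemp)}"
PARAM="${PARAM:-PermitRootLogin}"
WANT="${WANT:-no}"

# Constructed sample: the parameter appears twice, so a line-based check is ambiguous.
write_sample_conf() {
  cat > "$CONF" <<'EOF'
# sshd_config (constructed sample, not from a real host)
Protocol 2
PermitRootLogin yes
X11Forwarding no
PermitRootLogin no
EOF
}

# Number of active (non-comment) definitions of PARAM.
count_entries() {
  grep -Ec "^[[:space:]]*$PARAM([[:space:]]|=)" "$CONF" || true
}

# Not Reviewed when the parameter is defined more than once; otherwise compare the value.
check_param() {
  n=$(count_entries)
  if [ "$n" -gt 1 ]; then
    echo "Not Reviewed"
  elif [ "$n" -eq 1 ] && grep -Eq "^[[:space:]]*$PARAM[[:space:]=]+$WANT[[:space:]]*$" "$CONF"; then
    echo compliant
  else
    echo non-compliant
  fi
}

# Naive remediation: append the wanted line. The duplicates survive, so the
# status stays Not Reviewed, which is the behaviour the page describes.
remediate_append() {
  printf '%s %s\n' "$PARAM" "$WANT" >> "$CONF"
}

# Remediation that removes every active definition and writes exactly one.
remediate_dedup() {
  grep -Ev "^[[:space:]]*$PARAM([[:space:]]|=)" "$CONF" > "$CONF.tmp" || true
  printf '%s %s\n' "$PARAM" "$WANT" >> "$CONF.tmp"
  mv "$CONF.tmp" "$CONF"
}

# Full cycle: ambiguous file -> append (still ambiguous) -> dedup (evaluable).
run_cycle() {
  write_sample_conf
  s0=$(check_param)
  remediate_append
  s1=$(check_param)
  remediate_dedup
  s2=$(check_param)
  echo "initial=$s0 after_append=$s1 after_dedup=$s2 entries=$(count_entries)"
}

run_cycle
```

Appending is also ineffective on sshd itself: sshd_config uses the first value given for a keyword, so an appended `PermitRootLogin no` after an earlier `PermitRootLogin yes` changes nothing on the daemon while still leaving the rule in Not Reviewed status. Removing the duplicates before writing the wanted value is what makes both the daemon and the check agree.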

BMC Server Automation 8.3