Issues in DISA compliance analysis and remediation
The following issues and limitations exist for compliance analysis and remediation using DISA component templates:
- Rules GEN004020 through GEN004320 in the Client Browser Requirements rule group of the component templates for DISA on UNIX and Linux computers check the standard default paths of browser directories (.netscape and .mozilla). Non-default paths are not handled.
- If remediation is run for rule GEN000400 of the component templates for DISA on UNIX or Linux computers, remediation for GEN000420 (Logon Warning Banner Content) also occurs, and GEN000420 shows as compliant in subsequent job runs.
- Remediation of rule CAT I: 12.4.1.1-LNX00140 of the component template for DISA on Linux sets the grub password. You can provide the name of a user whose system password hash will be used as the grub password. To do so, specify the name of the appropriate user as the value of the USERNAME_FOR_GRUB_PASSWORD property in the DISA STIG Properties custom property class. The default value of this property is root.
- Rule GEN001260 of the DISA templates for UNIX or Linux computers checks and remediates system log file permissions. If the system logs roll over or if syslog is restarted, the permissions on the log files are overwritten, making the rule non-compliant on subsequent runs. As a workaround, adjust the system log settings so that rollover of log files does not overwrite the permissions set on existing files.
- Rule GEN005000, Anonymous FTP Account Shell, of the DISA templates for UNIX or Linux computers is not remediated if the target server does not have a valid shell (/bin/true, /usr/bin/false, /bin/false, or /dev/null) or the shell is not defined as valid in the login configuration file (/etc/security/login.cfg). The rule also remains non-compliant in subsequent runs, even though remediation for this rule reports as having been successful.
- When using the component template for DISA on UNIX or Linux computers, remediation for rule GEN004900 will make rule GEN004780 (FTP or Telnet User IDs and Passwords) appear compliant on subsequent compliance job runs for the same target server.
- The following rules of the component template for DISA on Solaris always show as non-compliant:
  - GEN000240
  - GEN006080
  - GEN006220
  - GEN005220
  - GEN005600
  - GEN001980
  - GEN004400
  - GEN004420
- Remediation for rule GEN005540 of the DISA templates for UNIX or Linux computers will not work on any target server where an sshd entry is not included in the /etc/host.allow file for that target server.
- For rules in Section 3.4 of the DISA templates for Solaris that use the findfiles cache, if a rule is non-compliant and remediation is run for that rule, you must refresh the findfiles cache after remediation so that it reflects the remediation changes on the target server. If you do not refresh the findfiles cache, the rule continues to display non-compliant status after remediation. The following rules use the findfiles cache: GEN001140, GEN001160, GEN001200, GEN001220, GEN001240, GEN001260, GEN001300, GEN001320, GEN001340, GEN001360, and GEN001280.
  By default, the findfiles cache is refreshed in the following cases:
  - When CACHE_HRS time has elapsed since the cache was last created
  - When the cache is not present in the staging directory on the target server
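The permission drift described for GEN001260 above is easy to miss when the remediation job reports success. The following added example is not the template's or BMC's code: a POSIX shell spot check you can run on a target after a log rollover or syslog restart. It assumes the rule's threshold is mode 0640 (taken from the STIG text, not stated on this page) and relies only on the POSIX `ls` output format, so it does not depend on GNU `stat` or `find` options.

```shell
#!/bin/sh
# Added example, not part of the DISA component templates. Assumption: the
# GEN001260 threshold is mode 0640 or less permissive (per the STIG, not this page).

# Return 0 when the file's mode is 0640 or less permissive, 1 otherwise.
# Parses the nine permission characters from `ls -ld`; setuid/setgid/sticky
# markers (s, S, t, T) do not match the pattern and therefore also fail,
# which is the correct outcome for "less permissive than 0640".
log_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ -n "$perms" ] || return 1          # missing file: treat as non-compliant
    case "$perms" in
        # owner at most rw-, group at most r--, other ---
        ??-[r-]-----) return 0 ;;
        *)            return 1 ;;
    esac
}

# Check every path given as an argument. Prints each offender with its mode
# string and returns 1 if any file fails, 0 if all pass (the rule would be
# compliant). Missing files are reported as offenders too.
check_logs() {
    bad=0
    for f in "$@"; do
        if ! log_mode_ok "$f"; then
            printf '%s: %s\n' "$f" "$(ls -ld "$f" 2>/dev/null | cut -c1-10)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check_logs.sh /var/log/messages /var/log/secure ...
# (paths are illustrative; use the log files your syslog configuration writes)
if [ "$#" -gt 0 ]; then
    check_logs "$@"
fi
```

Run it once right after remediation and again after the next rollover; a file that passes the first time and fails the second is the drift the workaround is meant to stop.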