Reviewing local properties in individual templates

 

Each of the Compliance Content templates contains several editable, local properties that control various aspects of connecting with target servers. A typical set of local properties includes the following properties:

  • password attributes (such as length, numbers of different character types to be included, and expiration period) and logon specifications (number of attempts, lockout attributes)
  • for SUSE Linux: pathway to the postgres.log file
  • for Windows: specifications of the NTFS drive, the SMTP service, and the NNTP service

Ordinarily, the default values for these local properties should be sufficient at your site. You may still want to review these properties to tailor them to the unique needs of your local system.

The following table lists several properties that call for special attention and often require customization:

Templates

Property customization

CIS - Red Hat Enterprise Linux 5

PCIv2 - Red Hat Enterprise Linux 5

Before discovering targets, adjust the following property values:

  • To customize the Banner message, update the BANNER_MSG<1/2/3/4/5> property.
  • To customize the Gnome Banner message, update the GNOME_BANNER_MSG property.

To list users that need to be excluded from compliance where shared home directory is present, adjust the value of the EXCLUDE_HOME_DIR_USER_LIST property.

The default value for this property lists the rdsmon and rdsroot users for exclusion.

CIS, DISA, HIPAA, PCIv2, and PCIv3 templates for Windows

To specify the type of domain setting to be used during remediation, specify policy types through the REMEDIATE_SETTING_FOR_GPO property. This property is an enumerated string with a default value of Default Domain Controller Security Policy and Default Domain Security Policy. If necessary, you can set the value to only one of the two policies (either Default Domain Controller Security Policy or Default Domain Security Policy). See also Remediating-compliance-results.

DISA - Windows Server 2016

For V-73263 rule, ensure that you must set the value for the following local properties:

  • APPLICATION_ACCOUNTS

  • DOMAIN_ACCOUNTS_WITH_CAC


For V-73231 rule, ensure that you must set the value for APPLICATION_ACCOUNTS local property. The default value for APPLICATION_ACCOUNTS property lists the Guests and Application users. 


For V-73271 rule, ensure that you must set the value for SCAN_WHOLE_SYSTEM property. By default, the value is set to False but you can set it to True to evaluate the rule.

For more information about setting property values, see Setting-values-for-system-object-properties.

Where to go from here

Modifying-out-of-the-box-component-templates

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*