Issues in CIS compliance analysis and remediation
This topic lists the limitations and troubleshooting issues found in CIS compliance analysis and remediation:
Limitations in CIS templates
The following issues exist for compliance analysis and remediation using CIS component templates:
- For certain rules, the CIS benchmark does not recommend any value.
- For the Enterprise Domain Controller, SSLF Member Server, and SSLF Domain Controller profiles, the recommended value of rule 1.8.36, User Rights: Log on as a batch job, is No one. However, the rule is implemented to accept both a null value and BladeLogicRSCD, because the agent requires this right to run batch jobs on the target.
- Rules in the CIS - Red Hat Enterprise Linux 5 template that check the permissions of system log files (rule 5.1.2 Create and Set Permissions on syslog Log Files and rule 5.2.4 Create and Set Permissions on rsyslog Log Files) treat a file as compliant only if its mode is 0600 and it is owned by root, or 0640 with a secure group. However, the check ignores the special permission bits, so these rules still report compliance when the setuid, setgid, or sticky bit is set on a log file listed in /etc/syslog.conf or /etc/rsyslog.conf.
- For rule 1.6.2 Set Permissions on /etc/grub.conf of the CIS - Red Hat Enterprise Linux 5 template, the rule reports non-compliance if the configuration file is a symbolic link, because the permissions of the file that the link points to cannot be obtained.
- For rule 3.5 of the CIS - Red Hat Enterprise Linux 5 template, if ntp.conf contains more than one NTP server entry, the compliance result is non-compliant.
- For the CIS - Red Hat Enterprise Linux 5 template, the following behavior occurs during remediation of rule 6.3.5:
  - If /etc/sysconfig/authconfig contains multiple commented and uncommented PASSWDALGORITHM entries, the command authconfig --update --passalgo=sha512 deletes some of the uncommented PASSWDALGORITHM entries. After remediation, you might also observe that some commented entries have been removed from the authconfig file.
  - If you run authconfig --update --passalgo=sha512 and then set the PASSWDALGORITHM parameter in /etc/sysconfig/authconfig to an invalid value (for example, PASSWDALGORITHM=sha512ABC), re-running authconfig --update does not update the PASSWDALGORITHM entries in /etc/sysconfig/authconfig, and remediation is not supported for this case.
- For rules in the CIS - Red Hat Enterprise Linux 5 template that check for the presence of parameters in configuration files, if a configuration file contains multiple entries for a parameter, the rule displays the non-compliant (Not Reviewed) status. Remediation does not remove the duplicate entries, so the configuration file still contains multiple entries for those parameters and the rules continue to display the non-compliant (Not Reviewed) status after remediation.
- For rule 1.1.17 of the CIS - Red Hat Enterprise Linux 5 template, an intermediate file is created on the target when compliance runs. This file lists the non-compliant entries, for example files in the Transactions directory under the NSH directory on the target; that directory holds files that are created when remediation jobs are initiated. Remediation of this rule remediates every entry in the intermediate file. A file that is created in the Transactions directory while remediation runs was not present when compliance ran and is therefore not in the intermediate file, so the rule remains non-compliant even though the previous remediation succeeded. That is, this rule always shows a non-compliant value after remediation.
- For the CIS - Red Hat Enterprise Linux 7 template, you cannot access the target after running the remediation job. We therefore recommend that you review the remediation actions of the rules before remediating the target.
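The two permission limitations above (rules 5.1.2/5.2.4 ignoring the setuid, setgid and sticky bits, and rule 1.6.2 failing on a symlinked /etc/grub.conf) come down to how the mode is compared and whether the link is resolved. The following Python is added here as an example and is not part of the product or of the CIS templates: it reads the log-file paths from a syslog.conf body, compares the full 12-bit mode (with a switch that reproduces the template's lenient result for comparison), and resolves symlinks before reading permissions. The sample syslog.conf and the st_mode values are constructed; the "secure group" is taken as a caller-supplied list defaulting to root, because the page does not name it.

```python
"""Added example, not product code: strict permission checks for the CIS RHEL 5
log-file rules (5.1.2, 5.2.4) and the /etc/grub.conf rule (1.6.2), covering the
two cases the template misses: special bits and symlinks."""
import grp
import os
import pwd
import stat
import tempfile
from typing import Dict, List, NamedTuple, Sequence

# Constructed /etc/syslog.conf fragment in RHEL 5 layout.
SAMPLE_SYSLOG_CONF = """\
#kern.*                                     /dev/console
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
local7.*                                    /var/log/boot.log
$ModLoad imuxsock
*.*                                         @loghost
"""


def log_files_from_syslog_conf(text: str) -> List[str]:
    """Local log files named as actions in a syslog.conf/rsyslog.conf body.
    Comments, rsyslog '$' directives, '*' (all users), '@host' remote targets
    and /dev/* devices are skipped; the '-' that requests unsynchronised
    writes is stripped from the path."""
    files: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue
        action = line.split()[-1].lstrip("-")
        if action.startswith("/") and not action.startswith("/dev/") and action not in files:
            files.append(action)
    return files


def log_perm_ok(mode: int, owner: str, group: str,
                secure_groups: Sequence[str] = ("root",),
                ignore_special_bits: bool = False) -> bool:
    """Compliant only if root owns the file and the mode is exactly 0600, or
    exactly 0640 with the group in `secure_groups`. All twelve permission
    bits are compared, so setuid/setgid/sticky make the file non-compliant.
    ignore_special_bits=True reproduces the template's lenient result, where
    only the rwx bits count and 4600 passes as if it were 0600."""
    perm = stat.S_IMODE(mode)
    if ignore_special_bits:
        perm &= 0o777
    if owner != "root":
        return False
    return perm == 0o600 or (perm == 0o640 and group in secure_groups)


class FileInfo(NamedTuple):
    path: str      # path actually examined (the link target when followed)
    st_mode: int   # full st_mode, file-type bits included
    owner: str
    group: str


def _name(lookup, num_id: int) -> str:
    """uid/gid to name, falling back to the number for unknown ids."""
    try:
        return lookup(num_id)[0]
    except KeyError:
        return str(num_id)


def inspect(path: str, follow_symlinks: bool = True) -> FileInfo:
    """stat() a file. Following symlinks (the default) judges a link such as
    /etc/grub.conf -> /boot/grub/grub.conf on the real file's permissions;
    follow_symlinks=False stops at the link itself, which is where the
    template's 1.6.2 check stops."""
    st = os.stat(path, follow_symlinks=follow_symlinks)
    real = os.path.realpath(path) if follow_symlinks else path
    return FileInfo(real, st.st_mode,
                    _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid))


def symlink_demo() -> Dict[str, object]:
    """Create a 0600 file and a symlink to it in a temporary directory, then
    inspect the link both ways and report what each way sees."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "grub.conf.real")
        open(target, "w").close()
        os.chmod(target, 0o600)
        link = os.path.join(tmp, "grub.conf")
        os.symlink(target, link)
        followed = inspect(link, follow_symlinks=True)
        unfollowed = inspect(link, follow_symlinks=False)
        return {
            "followed_is_regular": stat.S_ISREG(followed.st_mode),
            "followed_mode": stat.S_IMODE(followed.st_mode),
            "followed_path_is_target": followed.path == os.path.realpath(target),
            "unfollowed_is_link": stat.S_ISLNK(unfollowed.st_mode),
        }


if __name__ == "__main__":
    print("log files:", log_files_from_syslog_conf(SAMPLE_SYSLOG_CONF))
    # Constructed st_mode values as the agent would read them on a target.
    for mode in (0o100600, 0o104600, 0o102640, 0o100644):
        lenient = log_perm_ok(mode, "root", "root", ignore_special_bits=True)
        strict = log_perm_ok(mode, "root", "root")
        print(f"{stat.S_IMODE(mode):04o} root:root  template={lenient}  strict={strict}")
    print(symlink_demo())
```

Run as root on a target, `inspect(path)` followed by `log_perm_ok(info.st_mode, info.owner, info.group)` for each path from `log_files_from_syslog_conf` gives the strict verdict; a file the template marks compliant but this check rejects has a special bit set, which on a log file is never intended.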
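The duplicate-entry problems described for rule 6.3.5, for the rules that check parameters in configuration files, and for the NTP server entries of rule 3.5 share one cause: the file holds more than one line for the same key, commented copies included. The following Python is added here as an example and is not part of the product or of the CIS templates: it finds those lines, mimics the rule's verdict, and collapses a sysconfig key to a single valid entry before remediation so that authconfig is not left to clean up duplicates. The status labels, the Entry type and the sample file contents are constructed for the example; PASSWDALGORITHM is the real parameter name in /etc/sysconfig/authconfig and the value set is the one authconfig's --passalgo option documents. For ntp.conf the example only reports, because more than one server is correct practice and the non-compliant verdict there is a template limitation.

```python
"""Added example, not product code: find and collapse duplicate parameter
entries in key=value (sysconfig) and 'key value' (ntp.conf) files, for the
rule 6.3.5 and 'multiple entries' limitations. Sample files are constructed."""
import re
from typing import List, NamedTuple, Optional, Set

# Values authconfig --passalgo accepts; anything else (e.g. sha512ABC) is
# rejected here before the file is written.
PASSALGO_VALUES: Set[str] = {"descrypt", "bigcrypt", "md5", "sha256", "sha512"}

# Constructed /etc/sysconfig/authconfig with duplicate entries.
SAMPLE_AUTHCONFIG = """\
USESHADOW=yes
PASSWDALGORITHM=md5
#PASSWDALGORITHM=sha256
USEMD5=no
PASSWDALGORITHM=sha512
"""

# Constructed ntp.conf: two servers is correct practice, but rule 3.5 reports
# it non-compliant, so it is only reported here, never collapsed.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
#server 127.127.1.0
"""


class Entry(NamedTuple):
    line_no: int
    commented: bool
    value: str


def _entry_re(key: str, sep: str):
    """Match 'key=value' or 'key value', optionally preceded by '#', capturing
    the comment marker and the value."""
    gap = r"\s*=\s*" if sep == "=" else r"\s+"
    return re.compile(rf"^\s*(#\s*)?{re.escape(key)}{gap}(.*?)\s*$")


def find_entries(text: str, key: str, sep: str = "=") -> List[Entry]:
    """Every line that sets `key`, commented copies included, because the
    template counts those too when it decides 'multiple entries'."""
    pat = _entry_re(key, sep)
    out: List[Entry] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = pat.match(line)
        if m:
            out.append(Entry(n, m.group(1) is not None, m.group(2)))
    return out


def status(text: str, key: str, expected: str, sep: str = "=") -> str:
    """Mimic the rule verdict: any duplicate (even a commented one) is
    'multiple-entries'; otherwise 'missing', 'wrong-value' or 'compliant'."""
    entries = find_entries(text, key, sep)
    if len(entries) > 1:
        return "multiple-entries"
    active = [e for e in entries if not e.commented]
    if not active:
        return "missing"
    return "compliant" if active[0].value == expected else "wrong-value"


def collapse_entry(text: str, key: str, value: str,
                   allowed: Optional[Set[str]] = None, sep: str = "=") -> str:
    """Return `text` with exactly one active `key<sep>value` line, placed where
    the first existing entry was; every other copy, active or commented, is
    dropped so the rule cannot trip on duplicates again. If `allowed` is
    given, an invalid value raises instead of being written (the sha512ABC
    case, which authconfig --update would not repair)."""
    if allowed is not None and value not in allowed:
        raise ValueError(f"{key}{sep}{value}: allowed values are {sorted(allowed)}")
    pat = _entry_re(key, sep)
    kept, placed = [], False
    for line in text.splitlines():
        if pat.match(line):
            if not placed:
                kept.append(f"{key}{sep}{value}")
                placed = True
            continue
        kept.append(line)
    if not placed:
        kept.append(f"{key}{sep}{value}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    key = "PASSWDALGORITHM"
    print(status(SAMPLE_AUTHCONFIG, key, "sha512"), find_entries(SAMPLE_AUTHCONFIG, key))
    fixed = collapse_entry(SAMPLE_AUTHCONFIG, key, "sha512", PASSALGO_VALUES)
    print(fixed, status(fixed, key, "sha512"))
    print(status(SAMPLE_NTP_CONF, "server", "0.rhel.pool.ntp.org", sep=" "),
          find_entries(SAMPLE_NTP_CONF, "server", sep=" "))
    try:
        collapse_entry(SAMPLE_AUTHCONFIG, key, "sha512ABC", PASSALGO_VALUES)
    except ValueError as err:
        print("rejected:", err)
```

Running `collapse_entry` on the real file before the remediation job means authconfig --update --passalgo=sha512 starts from a single entry, so none of the deletions described above take place; rejecting the value up front avoids the unrepairable sha512ABC state.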
Troubleshooting issues in CIS templates
The following issues, with workarounds, exist for compliance analysis and remediation using CIS component templates:
- For the CIS - SuSE 11 template, the Cache creator job fails with exit code 1 and no error message, because of insufficient disk space or a timeout. Add more disk space and run the job again.
- Rule 3.16 of the CIS - Red Hat Enterprise Linux 5 template does not work on a pure IPv6 RHEL 5 target that is associated with the TrueSight Server Automation Application Server, because the IPV_PROTOCOL property value remains IPV4 and is not changed automatically to IPV6 for an IPv6 target.
Workaround:
To enable the use of this rule, manually change the value of the IPV_PROTOCOL property in the Server built-in property class to IPV6 for any IPv6 target that you associate with the Application Server. For more information about this property, see CIS properties in the Server built-in property class.
- For rules 1.5.2 Set the SELinux state and 1.5.3 Set the SELinux policy of the CIS - Red Hat Enterprise Linux 5 template, the target agent fails to restart after remediation is applied for these rules. For details about how to resolve this issue, see Step 9 in Installing-only-the-RSCD-agent-Linux-and-UNIX.
- For the CIS - Red Hat Enterprise Linux 5/6 templates, if a target host has a staging directory configured under the /tmp partition (for example, /tmp/stage), remediation restricts the permissions of the /tmp partition and causes the Remediation Job to fail with the following error:
  Unable to run bldeploycmd.X.bat (13:Permission denied)
  Workaround: Change the STAGING_DIR server property to /var/tmp/stage and run the job again.
- For rules in the CIS - Red Hat Enterprise Linux 5 template that use the findfiles cache, if a rule is non-compliant and you run remediation for it, you must refresh the findfiles cache after remediation so that the changes made on the target server are reflected. If you do not refresh the findfiles cache, the rule continues to display non-compliant status after remediation. The following rules use the findfiles cache: 1.1.17, 5.3.12, 10.23, 10.24, 10.25, 10.26, and 10.27.
  By default, the findfiles cache is refreshed in the following cases:
  - When the CACHE_HRS period has elapsed since the cache was last created
  - When the cache is not present in the staging directory on the target server