Issues in DISA compliance analysis and remediation


This topic lists common issues encountered while running compliance analysis and remediation using DISA templates. The page also provides troubleshooting information wherever applicable.

Troubleshooting issues in DISA templates

You might encounter the following issues while running compliance analysis and remediation using DISA templates. These issues can be avoided if you take the necessary precautions described in the workarounds below.


Limitations of DISA templates

The following limitations exist for compliance analysis and remediation using DISA component templates.


Limitations in rollback of DISA compliance remediation

The following issues exist in the behavior of certain DISA compliance rules during an undo operation. These issues represent the expected, default behavior of those rules, although it differs from the typical behavior of most other compliance rules.

| Operating system | Affected rules | Issue |
|---|---|---|
| Windows Server 2016 | V-73651, V-73657, V-73659 | Unable to perform an undo operation on the remediation (for GPO registry rules) on the first attempt. The undo operation succeeds only on the second attempt. |
| - | GEN006600 | The rule changes from non-compliant to compliant (and vice versa) if Undo is executed for either GEN000440 (adds a daemon logging entry to the syslog.conf file) or GEN004460 (adds a mail logging entry to the syslog.conf file). |
| - | GEN002120 | The rule does not have an Undo script. |
| - | GEN004880 | The rule changes to non-compliant when Undo is executed for either GEN004800 (ensures AORL use for documenting unencrypted FTP and Telnet) or GEN004760 (FTP and Telnet status), and changes to compliant when remediation is run for either of those rules. |
| - | GEN001420 | The Undo command does not work when rule GEN00560 or rule GEN00540 executes a PASSWD command during remediation, which resets the permissions on the /etc/shadow file. |
| - | GEN001380 | The Undo command does not work when rule GEN005000 or rule GEN005120 executes the USERMOD command during remediation, which resets the permissions on the /etc/passwd file. |
| Windows Server 2003 | - | Template-level rollback (for undoing remediation performed on all non-compliant rules) might fail because the Terminal Services Session Directory service can remain in a waiting state longer than expected. |

Related topics

Reviewing-properties-in-Compliance-Content-custom-classes
