Reviewing properties in Compliance Content custom classes


Before running a Compliance Job for the first time based on any of the Compliance Content component templates, review the values of the editable, local properties included in the various Compliance Content custom property classes (as listed in the following sections). Where the default values do not match the requirements of your environment, tailor these property values to the unique needs of your local system.

The following sections list the properties in each of the Compliance Content custom property classes. For more information about setting property values, see Setting-values-for-system-object-properties.

Properties in the custom CIS Properties class

The following CIS properties are included in the custom CIS Properties class. Tailor these property values to the unique needs of your local system.

Note

The CIS Properties custom property class is provided with the following out-of-the-box instances, which store default property values for different server configurations:

  • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
  • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
  • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
  • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • LEGACY_MEMBER_SERVER, for a Member Server with legacy security (not EC or SSLF)
  • LEGACY_DOMAIN_CONTROLLER, for a Domain Controller with legacy security (not EC or SSLF)





Properties in the custom CIS AIX Properties class

The following CIS properties for an AIX platform are included in the custom CIS AIX Properties class. Each property corresponds to the AIX configuration attribute or network option of the same name (AIX writes these names in lowercase), read from the source shown.

Note

The CIS AIX Properties custom property class is provided with the following out-of-the-box instances, for different levels of security. Property values in these instances differ from the default values listed below.

  • HIGH_LEVEL_POLICY
  • LOW_LEVEL_POLICY
  • MEDIUM_LEVEL_POLICY

Property             Source of AIX attribute          Default value
HISTEXPIRE           /etc/security/user               13
HISTSIZE             /etc/security/user               20
IP6SRCROUTEFORWARD   Network option (/usr/sbin/no)    0
IPFORWARDING         Network option (/usr/sbin/no)    0
IPIGNOREREDIRECTS    Network option (/usr/sbin/no)    3
IPSENDREDIRECTS      Network option (/usr/sbin/no)    0
IPSRCROUTESEND       Network option (/usr/sbin/no)    0
LOGINDELAY           /etc/security/login.cfg          10
LOGINDISABLE         /etc/security/login.cfg          10
LOGININTERVAL        /etc/security/login.cfg          300
LOGINREENABLE        /etc/security/login.cfg          360
LOGINRETRIES         /etc/security/user               3
LOGINTIMEOUT         /etc/security/login.cfg          30
MAXAGE               /etc/security/user               13
MAXEXPIRED           /etc/security/user               2
MAXREPEATS           /etc/security/user               2
MINAGE               /etc/security/user               1
MINALPHA             /etc/security/user               2
MINDIFF              /etc/security/user               4
MINLEN               /etc/security/user               8
MINOTHER             /etc/security/user               2
RLOGIN               /etc/security/user               false
SOCKTHRESH           Network option (/usr/sbin/no)    60
TCP_TCPSECURE        Network option (/usr/sbin/no)    7

AIX interprets each value in the units of the underlying attribute: HISTEXPIRE, MAXAGE, MAXEXPIRED and MINAGE are in weeks; LOGINDELAY, LOGININTERVAL and LOGINTIMEOUT are in seconds; LOGINREENABLE is in minutes; LOGINDISABLE and LOGINRETRIES are counts of failed login attempts; SOCKTHRESH is a percentage of network memory; TCP_TCPSECURE is a bit mask, and 7 enables all three of its protections. Note that loginretries is a user attribute in /etc/security/user, not a /etc/security/login.cfg parameter, and that per-user stanzas in /etc/security/user override the default stanza for that account.
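To see where a host already differs from these defaults before the first job runs, the following Python script (an added example, not part of the Compliance Content) parses the stanza format of /etc/security/user and /etc/security/login.cfg and the 'option = value' output of `no -a`, then reports every property whose local value differs from the table default or is unset. It also lists per-user stanzas that override a covered attribute, because a compliant default stanza can hide a weaker value on an individual account. The sample inputs embedded in the script are constructed; on a real host you would pass it the contents of the two files and the output of `no -a`.

```python
"""Compare a host's AIX settings with the CIS AIX Properties defaults.
Added example, not part of the Compliance Content: it parses the stanza
files /etc/security/user and /etc/security/login.cfg and the 'option = value'
lines printed by `no -a`. All sample input below is constructed."""
from typing import Dict, Optional, Tuple

# Property -> (source, default), as listed in the table. "user" and
# "login.cfg" are stanza files; "no" is a network option (/usr/sbin/no).
CIS_AIX_DEFAULTS: Dict[str, Tuple[str, str]] = {
    "HISTEXPIRE": ("user", "13"),          "HISTSIZE": ("user", "20"),
    "IP6SRCROUTEFORWARD": ("no", "0"),     "IPFORWARDING": ("no", "0"),
    "IPIGNOREREDIRECTS": ("no", "3"),      "IPSENDREDIRECTS": ("no", "0"),
    "IPSRCROUTESEND": ("no", "0"),         "LOGINDELAY": ("login.cfg", "10"),
    "LOGINDISABLE": ("login.cfg", "10"),   "LOGININTERVAL": ("login.cfg", "300"),
    "LOGINREENABLE": ("login.cfg", "360"), "LOGINRETRIES": ("user", "3"),
    "LOGINTIMEOUT": ("login.cfg", "30"),   "MAXAGE": ("user", "13"),
    "MAXEXPIRED": ("user", "2"),           "MAXREPEATS": ("user", "2"),
    "MINAGE": ("user", "1"),               "MINALPHA": ("user", "2"),
    "MINDIFF": ("user", "4"),              "MINLEN": ("user", "8"),
    "MINOTHER": ("user", "2"),             "RLOGIN": ("user", "false"),
    "SOCKTHRESH": ("no", "60"),            "TCP_TCPSECURE": ("no", "7"),
}


def parse_stanza(text: str) -> Dict[str, Dict[str, str]]:
    """AIX stanza syntax: an unindented 'name:' line opens a stanza, indented
    'attr = value' lines belong to it, and lines starting with '*' are comments."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_no_output(text: str) -> Dict[str, str]:
    """Parse the 'option = value' lines printed by `no -a`."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def deviations(user_text: str, logincfg_text: str,
               no_text: str) -> Dict[str, Tuple[Optional[str], str]]:
    """{property: (local, default)} for every property whose local value differs
    from the table default or is unset. Stanza attributes come from the 'default'
    stanza; the AIX attribute name is the lowercase form of the property name."""
    sources = {"user": parse_stanza(user_text).get("default", {}),
               "login.cfg": parse_stanza(logincfg_text).get("default", {}),
               "no": parse_no_output(no_text)}
    result: Dict[str, Tuple[Optional[str], str]] = {}
    for prop, (source, default) in CIS_AIX_DEFAULTS.items():
        local = sources[source].get(prop.lower())
        if local is None or local.lower() != default.lower():
            result[prop] = (local, default)
    return result


def user_overrides(user_text: str) -> Dict[str, Dict[str, str]]:
    """Per-user stanzas override the 'default' stanza, so a compliant default can
    hide a weaker per-account value. {user: {attr: value}} for covered attributes."""
    covered = {p.lower() for p, (src, _) in CIS_AIX_DEFAULTS.items() if src == "user"}
    return {name: {k: v for k, v in attrs.items() if k in covered}
            for name, attrs in parse_stanza(user_text).items()
            if name != "default" and any(k in covered for k in attrs)}


# Constructed sample input (not captured from a real host).
SAMPLE_USER = """\
* /etc/security/user excerpt: minlen is below the table default
default:
        rlogin = false
        histexpire = 13
        histsize = 20
        loginretries = 3
        maxage = 13
        maxexpired = 2
        maxrepeats = 2
        minage = 1
        minalpha = 2
        mindiff = 4
        minlen = 6
        minother = 2
root:
        loginretries = 0
appsvc:
        minlen = 0
"""
SAMPLE_LOGINCFG = ("default:\n\tlogindelay = 10\n\tlogindisable = 10\n"
                   "\tlogininterval = 300\n\tloginreenable = 360\n\tlogintimeout = 30\n")
SAMPLE_NO = ("ip6srcrouteforward = 0\nipforwarding = 0\nipignoreredirects = 3\n"
             "ipsendredirects = 1\nipsrcroutesend = 0\nsockthresh = 85\ntcp_tcpsecure = 7\n")
```

With the constructed input, `deviations(SAMPLE_USER, SAMPLE_LOGINCFG, SAMPLE_NO)` reports MINLEN (6 against 8), IPSENDREDIRECTS (1 against 0) and SOCKTHRESH (85 against 60), and `user_overrides(SAMPLE_USER)` flags the root stanza (loginretries = 0, which disables lockout for root) and the appsvc stanza (minlen = 0). Whether a reported difference is a finding to fix on the host or a reason to tailor the property value is the decision this review is meant to support.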


Properties in the custom DISA STIG Properties class

The following DISA STIG properties are included in the custom DISA STIG Properties class. Tailor these property values to the unique needs of your local system.



Properties in the custom PCI Properties class

The following PCI properties are included in the custom PCI Properties class. Tailor these property values to the unique needs of your local system.

Note

The PCI Properties custom property class is provided with the following out-of-the-box instances, which store default property values for different server configurations:

  • ENTERPRISE_MEMBER_SERVER, for a Member Server with Enterprise Client (EC) security
  • ENTERPRISE_DOMAIN_CONTROLLER, for a Domain Controller with Enterprise Client (EC) security
  • SSLF_MEMBER_SERVER, for a Member Server with Specialized Security — Limited Functionality (SSLF)
  • SSLF_DOMAIN_CONTROLLER, for a Domain Controller with SSLF
  • LEGACY_MEMBER_SERVER, for a Member Server with legacy security (not EC or SSLF)
  • LEGACY_DOMAIN_CONTROLLER, for a Domain Controller with legacy security (not EC or SSLF)


Property, description and default value:

ACCESS_THIS_COMPUTER_FROM_NETWORK
  Description: Users and groups that are allowed to access this computer from the network (the "Access this computer from the network" user right).

ACCOUNT_LOCKOUT_THRESHOLD
  Description: The number of failed logon attempts allowed before a user is locked out of an account.
  Default value: For Enterprise Client (EC) security: 15. For SSLF: 10.

ADD_WORKSTATION_DOMAIN
  Description: Users that are allowed to add computer workstations to a specific domain.
  Default value: For Domain Controller: BUILTIN\Administrators. No default value for Member Server.

AIX_EXCLUDE_HOME_DIR_USER_LIST
  Description: AIX user accounts whose home directories should not be scanned.

ANONYMOUS_NAMED_PIPES
  Description: The named pipes (communication sessions) whose attributes and permissions allow anonymous access.
  Default value: For Domain Controller with SSLF: netlogon,lsarpc,samr,browser. For Member Server with SSLF: browser. No default value for EC security.

BYPASS-SERVER-CHECKING
  Description: Users without the Traverse Folder permission that are allowed to pass through folders as they browse NTFS or the registry (the "Bypass traverse checking" user right).
  Default value: For Domain Controller with EC: none.
  For Member Server with EC: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, BUILTIN\Backup Operators.
  For Domain Controller with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\Authenticated Users.
  For Member Server with SSLF: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users.

DEBUG_PROGRAMS
  Description: User accounts that are allowed to attach a debugger to any process or to the kernel. A debugger lets a user view and manipulate the memory and execution context of any process.
  Default value: On Member Server with EC: BUILTIN\Administrators. Otherwise, no default value.

IS_DOMAIN
  Description: Whether the target is a domain controller.

MANAGE_AUDITING_AND_SECURITY_LOG
  Description: Users that are allowed to manage auditing and the security log.
  Default value: Administrators

MIN_PASSWORD_LENGTH
  Description: The minimum number of characters that a user password must contain.
  Default value: For Enterprise Client (EC) security: 8. For SSLF: 12.

NETWORK_LAN_MANAGER_AUTHENTICATION_LEVEL
  Description: The LAN Manager authentication level used for network logons.

PCI_BANNER
  Description: The standard banner for PCI.
  Default value: Authorized users only. All activity may be monitored and reported.

PCI_LEGAL_NOTICE_TEXT
  Description: The text of the legal notice that displays when a user logs on.
  Default value: No default value; replace with the legal notice text of your organization.

PCI_LEGAL_TITLE_TEXT
  Description: The text that appears in the title bar of the window displayed when a user logs on to the system.
  Default value: No default value; replace with the legal notice title of your organization.

RESTORE_FILES_DIRS
  Description: Users that are allowed to bypass file, directory, registry, and other persistent object permissions when restoring backed-up data.
  Default value: For EC security: BUILTIN\Backup Operators. No default value for SSLF.

SOLARIS_EXCLUDE_HOME_DIR_USER_LIST
  Description: Solaris user accounts whose home directories should not be scanned.

UNIX_EXCLUDE_HOME_DIR_USER_LIST
  Description: HP-UX user accounts whose home directories should not be scanned.

Where a property has no default value for your server configuration (for example, DEBUG_PROGRAMS on a Domain Controller, or ANONYMOUS_NAMED_PIPES under EC security), supply a local value in the matching instance before running the job.
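Because the defaults in this table depend on which instance applies (EC or SSLF, Domain Controller or Member Server), a quick way to see which properties need local tailoring is to compare a `secedit /export` INF from a representative server against the defaults for the configuration you will scan. The following Python script is an added example, not part of the Compliance Content. The mapping of each property to a secedit key (LockoutBadCount, MinimumPasswordLength, SeDebugPrivilege, SeRestorePrivilege and the LanManServer NullSessionPipes registry value) and the SID-to-name table are this example's assumptions, and the INF text in it is constructed. Properties whose table default is "no default value" are reported separately, since there is nothing to compare against and a local value has to be supplied.

```python
"""Compare a `secedit /export` INF with the PCI Properties defaults for one
server configuration (EC or SSLF, Domain Controller or Member Server).
Added example, not part of the Compliance Content. The mapping of each
property to a secedit key and the SID table are this example's assumptions;
SAMPLE_INF below is constructed, not exported from a host."""
from typing import Dict, List, Optional, Set, Tuple, Union

Expected = Union[int, Set[str], None]  # None: the table says "no default value"

# SIDs as secedit writes them, for the principals named in the table.
WELL_KNOWN_SIDS = {
    "*S-1-5-32-544": "BUILTIN\\Administrators",
    "*S-1-5-32-551": "BUILTIN\\Backup Operators",
    "*S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "*S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "*S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
NULL_PIPES = ("MACHINE\\System\\CurrentControlSet\\Services\\LanManServer"
              "\\Parameters\\NullSessionPipes")


def expected_defaults(level: str, role: str) -> Dict[str, Expected]:
    """Table defaults for level in {EC, SSLF}, role in {DOMAIN_CONTROLLER, MEMBER_SERVER}."""
    dc = role == "DOMAIN_CONTROLLER"
    if level == "EC":
        return {"ACCOUNT_LOCKOUT_THRESHOLD": 15, "MIN_PASSWORD_LENGTH": 8,
                "ANONYMOUS_NAMED_PIPES": None,
                "DEBUG_PROGRAMS": None if dc else {"BUILTIN\\Administrators"},
                "RESTORE_FILES_DIRS": {"BUILTIN\\Backup Operators"}}
    if level == "SSLF":
        return {"ACCOUNT_LOCKOUT_THRESHOLD": 10, "MIN_PASSWORD_LENGTH": 12,
                "ANONYMOUS_NAMED_PIPES":
                    {"netlogon", "lsarpc", "samr", "browser"} if dc else {"browser"},
                "DEBUG_PROGRAMS": None, "RESTORE_FILES_DIRS": None}
    raise ValueError(f"unknown security level {level!r}")


def parse_secedit_inf(text: str) -> Dict[str, Dict[str, str]]:
    """INI-style '[Section]' blocks of 'key = value' lines; ';' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def principals(value: str) -> Set[str]:
    """'*S-1-5-32-544,*S-1-5-32-551' -> account names; unknown SIDs are kept as-is."""
    return {WELL_KNOWN_SIDS.get(p.strip(), p.strip()) for p in value.split(",") if p.strip()}


def multi_sz(value: str) -> Set[str]:
    """Registry Values data is 'type,data'; type 7 is REG_MULTI_SZ with comma-separated strings."""
    kind, *items = value.split(",")
    if kind.strip() != "7":
        raise ValueError(f"expected REG_MULTI_SZ (type 7), got type {kind!r}")
    return {i.strip() for i in items if i.strip()}


def check(inf_text: str, level: str, role: str) -> List[Tuple[str, object, object]]:
    """(property, local, expected) for each property that differs from the table
    default, plus each property whose table default is 'no default value'."""
    inf = parse_secedit_inf(inf_text)
    access, rights = inf.get("System Access", {}), inf.get("Privilege Rights", {})
    local = {
        "ACCOUNT_LOCKOUT_THRESHOLD": int(access.get("LockoutBadCount", "0")),
        "MIN_PASSWORD_LENGTH": int(access.get("MinimumPasswordLength", "0")),
        "ANONYMOUS_NAMED_PIPES": multi_sz(inf.get("Registry Values", {}).get(NULL_PIPES, "7")),
        "DEBUG_PROGRAMS": principals(rights.get("SeDebugPrivilege", "")),
        "RESTORE_FILES_DIRS": principals(rights.get("SeRestorePrivilege", "")),
    }
    findings: List[Tuple[str, object, object]] = []
    for prop, want in expected_defaults(level, role).items():
        have = local[prop]
        if want is None:
            findings.append((prop, have, "no default value; set locally"))
        elif have != want:
            findings.append((prop, have, want))
    return findings


# Constructed INF in secedit export layout (not a real export).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 10
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,browser
"""
```

Run against the SSLF Member Server defaults, the constructed export differs only in MIN_PASSWORD_LENGTH (8 where the table says 12), and DEBUG_PROGRAMS and RESTORE_FILES_DIRS come back as "no default value; set locally". Checked against the EC Member Server defaults instead, the same export differs in ACCOUNT_LOCKOUT_THRESHOLD (10 against 15) and RESTORE_FILES_DIRS (Administrators also hold SeRestorePrivilege), and ANONYMOUS_NAMED_PIPES is the property that needs a local value. The instance you tailor should therefore be chosen before you compare.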



Properties in the custom SOX Properties class

The following SOX properties are included in the custom SOX Properties class. Tailor these property values to the unique needs of your local system.


Where to go from here

Modifying-out-of-the-box-component-templates