This documentation supports the 21.3 (12.3) version of BMC Discovery.

STIG rules for RHEL6 met using compliance script


This section lists the STIG rules for Red Hat Enterprise Linux (RHEL) 6 that BMC Discovery addresses. The tw_stig_control script runs the scripts listed below, each of which applies the STIG settings for one functional area of the appliance. To apply all of the rules described in the following tables, run tw_stig_control as the root user.

The following scripts are run by tw_stig_control:

  • tw_stig_auditing — the auditing functionality of BMC Discovery.
  • tw_stig_local_env — the local environment of BMC Discovery.
  • tw_stig_remote_mgmt — the remote management functionality of BMC Discovery.

Possible lock out

One of the changes made to comply with the STIG is to expire OS user passwords every 60 days (RHEL-06-000053). After a password has expired there is a grace period of 35 days during which the user can still log in and is forced to change the password at that login (RHEL-06-000334 and RHEL-06-000335). After those 35 days the account is locked completely, and this applies to the root user as well. Consequently, before you apply the STIG scripts described here, check that the root, tideway and netadmin passwords have all been changed within the last 95 days (60 + 35); otherwise you may be locked out of these accounts, and effectively out of the VM itself. The password restrictions are applied by the tw_stig_local_env script.
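The following pre-flight check is an added example and is not one of the BMC tw_stig scripts. It reads the last-change day from the shadow file for the three accounts named above and flags any password older than 95 days (the 60-day maximum age plus the 35-day inactivity grace). The account list, the 95-day threshold and the sample shadow lines in the comments are the only assumptions; it must run as root to read /etc/shadow.

```shell
#!/bin/sh
# Pre-flight check before running tw_stig_control: confirm the root, tideway and
# netadmin passwords were changed within the last 95 days (60-day maximum age plus
# the 35-day inactivity grace that the STIG scripts enforce).
# Added example, not part of the BMC tw_stig scripts. Run as root.
MAX_AGE_DAYS=95                     # assumption: 60 (PASS_MAX_DAYS) + 35 (INACTIVE)
ACCOUNTS="root tideway netadmin"    # the accounts the documentation tells you to check

# Day number (days since 1970-01-01) for today, the unit /etc/shadow uses.
today_days() {
  echo $(( $(date +%s) / 86400 ))
}

# password_age_days SHADOW_LINE [TODAY_DAYS]
# Field 3 of a shadow entry is the day of the last password change.
# An empty field means the password has no recorded change; report it as stale.
# Example (constructed line): password_age_days 'root:$6$x:19000:1:99999:7:::' 19050 -> 50
password_age_days() {
  lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
  today=${2:-$(today_days)}
  if [ -z "$lastchg" ]; then
    echo 99999
  else
    echo $(( today - lastchg ))
  fi
}

# check_shadow_file FILE [TODAY_DAYS]
# Prints one line per account and returns 1 if any listed account is stale,
# i.e. would be locked out once the 60 + 35 day policy takes effect.
check_shadow_file() {
  file=$1
  today=${2:-$(today_days)}
  rc=0
  for acct in $ACCOUNTS; do
    line=$(grep "^${acct}:" "$file" || true)
    if [ -z "$line" ]; then
      echo "${acct}: not present in $file"
      continue
    fi
    age=$(password_age_days "$line" "$today")
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
      echo "${acct}: password changed $age days ago - STALE, change it before running tw_stig_control"
      rc=1
    else
      echo "${acct}: password changed $age days ago - OK"
    fi
  done
  return $rc
}

if [ -r /etc/shadow ]; then
  check_shadow_file /etc/shadow || echo "WARNING: at least one account would be locked out by the STIG password policy"
else
  echo "/etc/shadow is not readable; run this check as root" >&2
fi
```

Run it as root on the appliance before tw_stig_control; any account reported STALE needs its password changed first (passwd or chage -d). An account that is "not present" is simply not a local account on that appliance.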

No automatic reversion

There is no automatic facility to revert the changes applied by these scripts. If you need a way to roll back, take a backup or snapshot of the appliance before you run them.

Auditing creates significant additional logging

The tw_stig_auditing script enables auditing on the system. This release reduces the number of privileged commands BMC Discovery needs to run during discovery, but you still need management processes in place to ensure that there is sufficient space for the additional logging in the /var/log and /var/log/audit directories or partitions.
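The capacity check below is an added example, not part of the tw_stig scripts. It reads the rotation settings that rules RHEL-06-000159, RHEL-06-000160 and RHEL-06-000161 govern (num_logs, max_log_file and max_log_file_action in /etc/audit/auditd.conf), computes the most disk the rotated audit logs can occupy, and compares that with the free space under /var/log/audit. The 20% headroom and the constructed fallback settings (used only when auditd.conf is not readable, for example before tw_stig_auditing has run) are assumptions.

```shell
#!/bin/sh
# Capacity check for the auditing changes: compare the worst-case on-disk size the
# auditd rotation settings allow with the free space under /var/log/audit.
# Added example, not part of the BMC tw_stig scripts.
AUDIT_CONF=/etc/audit/auditd.conf
AUDIT_DIR=/var/log/audit

# conf_value FILE KEY: value of "KEY = VALUE" in an auditd.conf-style file (last one wins).
conf_value() {
  awk -F= -v key="$2" '
    $1 ~ ("^[ \t]*" key "[ \t]*$") { gsub(/[ \t]/, "", $2); v = $2 }
    END { print v }' "$1"
}

# audit_footprint_mb FILE: max_log_file (MB) * num_logs, i.e. the most disk the
# rotated audit logs can occupy. Prints 0 if either setting is missing.
audit_footprint_mb() {
  size=$(conf_value "$1" max_log_file)
  num=$(conf_value "$1" num_logs)
  [ -n "$size" ] && [ -n "$num" ] || { echo 0; return; }
  echo $(( size * num ))
}

# free_mb DIR: free megabytes on the filesystem holding DIR (falls back to / if DIR is missing).
free_mb() {
  d=$1
  [ -d "$d" ] || d=/
  df -Pk "$d" | awk 'NR == 2 { print int($4 / 1024) }'
}

# enough_space NEED_MB HAVE_MB: succeed if free space covers the footprint with 20% headroom
# (the headroom is an assumption; adjust to your own log retention policy).
enough_space() {
  [ "$2" -ge $(( $1 + $1 / 5 )) ]
}

conf=$AUDIT_CONF
if [ ! -r "$conf" ]; then
  # Constructed sample (assumption) with the values the RHEL 6 STIG checks look for
  # (max_log_file 6, num_logs 5, max_log_file_action rotate), so the script still runs.
  conf=$(mktemp)
  printf 'max_log_file = 6\nnum_logs = 5\nmax_log_file_action = rotate\nspace_left_action = email\n' > "$conf"
  echo "$AUDIT_CONF not readable; using constructed sample settings" >&2
fi

need=$(audit_footprint_mb "$conf")
have=$(free_mb "$AUDIT_DIR")
echo "audit log footprint: up to ${need} MB (num_logs x max_log_file); free under $AUDIT_DIR: ${have} MB"
echo "max_log_file_action: $(conf_value "$conf" max_log_file_action)"
if enough_space "$need" "$have"; then
  echo "OK: enough space for the rotated audit logs"
else
  echo "WARNING: extend the partition or lower num_logs/max_log_file before enabling auditing"
fi
[ "$conf" = "$AUDIT_CONF" ] || rm -f "$conf"
```

The footprint only covers the audit files themselves; the syslog forwarding required by RHEL-06-000509 also adds to /var/log, so apply the same reasoning to that partition.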

You can run the scripts individually, but if you do not run a script the appliance will not comply with the STIG rules in that functional area.

Running tw_stig_control lists the scripts it will run and the STIG rule IDs each one covers, then asks for confirmation before changing anything:
[root@appliance01 bin]# sh tw_stig_control

The following scripts will be run that change the configuration
required to satisfy the listed DISA RHEL6 STIG requirements.

./tw_stig_auditing:
RHEL-06-000145, RHEL-06-000148, RHEL-06-000154, RHEL-06-000159
RHEL-06-000160, RHEL-06-000161, RHEL-06-000165, RHEL-06-000167
RHEL-06-000169, RHEL-06-000171, RHEL-06-000173, RHEL-06-000174
RHEL-06-000175, RHEL-06-000176, RHEL-06-000177, RHEL-06-000182
RHEL-06-000183, RHEL-06-000184, RHEL-06-000185, RHEL-06-000186
RHEL-06-000187, RHEL-06-000188, RHEL-06-000189, RHEL-06-000190
RHEL-06-000191, RHEL-06-000192, RHEL-06-000193, RHEL-06-000194
RHEL-06-000195, RHEL-06-000196, RHEL-06-000197, RHEL-06-000198
RHEL-06-000199, RHEL-06-000200, RHEL-06-000201, RHEL-06-000202
RHEL-06-000509, RHEL-06-000525

./tw_stig_local_env:
RHEL-06-000051, RHEL-06-000053, RHEL-06-000056, RHEL-06-000057
RHEL-06-000058, RHEL-06-000059, RHEL-06-000060, RHEL-06-000061
RHEL-06-000069, RHEL-06-000070, RHEL-06-000274, RHEL-06-000299
RHEL-06-000334, RHEL-06-000335, RHEL-06-000356, RHEL-06-000357

./tw_stig_remote_mgmt:
RHEL-06-000230, RHEL-06-000231, RHEL-06-000241, RHEL-06-000319
RHEL-06-000340, RHEL-06-000341

Please note: A reboot is required to complete the configuration
changes.

Are you sure you want to perform the configuration changes (yes/no)?
[root@appliance01 bin]# 

STIG rules for auditing

The following table lists the STIG rules for auditing (tw_stig_auditing). The first column is the STIG rule ID, the second the corresponding vulnerability ID.

Rule number      Vuln ID   Description
RHEL-06-000145   V-38628   Auditing must be implemented.
RHEL-06-000148   V-38631   Auditing must be implemented.
RHEL-06-000154   V-38632   Auditing must be implemented.
RHEL-06-000159   V-38636   The system must retain enough rotated audit logs to cover the required log retention period.
RHEL-06-000160   V-38633   The system must set a maximum audit log file size.
RHEL-06-000161   V-38634   The system must rotate audit log files that reach the maximum file size.
RHEL-06-000165   V-38635   The audit system must be configured to audit all attempts to alter system time through adjtimex.
RHEL-06-000167   V-38522   The audit system must be configured to audit all attempts to alter system time through settimeofday.
RHEL-06-000169   V-38525   The audit system must be configured to audit all attempts to alter system time through stime.
RHEL-06-000171   V-38527   The audit system must be configured to audit all attempts to alter system time through clock_settime.
RHEL-06-000173   V-38530   The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
RHEL-06-000174   V-38531   The audit system must be configured to audit account creation and modification.
RHEL-06-000175   V-38534   The audit system must be configured to audit account creation and modification.
RHEL-06-000176   V-38536   The audit system must be configured to audit account creation and modification.
RHEL-06-000177   V-38538   The audit system must be configured to audit account creation and modification.
RHEL-06-000182   V-38540   The audit system must be configured to audit modifications to the system's network configuration.
RHEL-06-000183   V-38541   The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
RHEL-06-000184   V-38543   The audit system must be configured to audit all discretionary access control permission modifications using chmod.
RHEL-06-000185   V-38545   The audit system must be configured to audit all discretionary access control permission modifications using chown.
RHEL-06-000186   V-38547   The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
RHEL-06-000187   V-38550   The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
RHEL-06-000188   V-38552   The audit system must be configured to audit all discretionary access control permission modifications using fchown.
RHEL-06-000189   V-38554   The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
RHEL-06-000190   V-38556   The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
RHEL-06-000191   V-38557   The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
RHEL-06-000192   V-38558   The audit system must be configured to audit all discretionary access control permission modifications using lchown.
RHEL-06-000193   V-38559   The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
RHEL-06-000194   V-38561   The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
RHEL-06-000195   V-38563   The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
RHEL-06-000196   V-38565   The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
RHEL-06-000197   V-38566   The audit system must be configured to audit failed attempts to access files and programs.
RHEL-06-000198   V-38567   The audit system must be configured to audit all use of setuid programs.
RHEL-06-000199   V-38568   The audit system must be configured to audit successful file system mounts.
RHEL-06-000200   V-38575   The audit system must be configured to audit user deletions of files and programs.
RHEL-06-000201   V-38578   The audit system must be configured to audit changes to the /etc/sudoers file.
RHEL-06-000202   V-38580   The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RHEL-06-000509   V-38471   The system must forward audit records to the syslog service.
RHEL-06-000525   V-38438   Auditing must be enabled at boot by setting a kernel parameter.

STIG rules for local environment

The following table lists the STIG rules for local environment (tw_stig_local_env).

Rule number      Vuln ID   Description
RHEL-06-000051   V-38477   Users must not be able to change passwords more than once every 24 hours.
RHEL-06-000053   V-38479   User passwords must be changed at least every 60 days.
RHEL-06-000056   V-38482   The system must require passwords to contain at least one numeric character.
RHEL-06-000057   V-38569   The system must require passwords to contain at least one uppercase alphabetic character.
RHEL-06-000058   V-38570   The system must require passwords to contain at least one special character.
RHEL-06-000059   V-38571   The system must require passwords to contain at least one lowercase alphabetic character.
RHEL-06-000060   V-38572   The system must require at least four characters be changed between the old and new passwords during a password change.
RHEL-06-000061   V-38573   The system must disable accounts after three consecutive unsuccessful login attempts.
RHEL-06-000069   V-38586   The system must require authentication upon booting into single-user and maintenance modes.
RHEL-06-000070   V-38588   The system must not permit interactive boot.
RHEL-06-000274   V-38658   The system must prohibit the reuse of passwords within twenty-four iterations.
RHEL-06-000299   V-38693   The system must require passwords to contain no more than three consecutive repeating characters.
RHEL-06-000334   V-38692   Accounts must be locked upon 35 days of inactivity.
RHEL-06-000335   V-38694   Accounts must be locked upon 35 days of inactivity.
RHEL-06-000356   V-38592   The system must require administrator action to unlock an account locked by excessive failed login attempts.
RHEL-06-000357   V-38501   The system must disable accounts after excessive login failures within a 15-minute interval.
RHEL-06-000372   V-51875   The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

STIG rules for remote management

The following table lists the STIG rules for remote management (tw_stig_remote_mgmt).

Rule number      Vuln ID   Description
RHEL-06-000230   V-38608   The SSH daemon must set a timeout interval on idle sessions.
RHEL-06-000231   V-38610   The SSH daemon must set a timeout count on idle sessions.
RHEL-06-000241   V-38616   The SSH daemon must not permit user environment settings.
RHEL-06-000319   V-38684   The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
RHEL-06-000340   V-38660   The snmpd service must use only SNMP protocol version 3 or newer.
RHEL-06-000341   V-38653   The snmpd service must not use a default password.
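The verification script below is an added example, not one of the tw_stig scripts. After tw_stig_remote_mgmt has run it confirms the three sshd settings behind RHEL-06-000230, RHEL-06-000231 and RHEL-06-000241 in /etc/ssh/sshd_config, using the values the STIG checks look for: ClientAliveInterval between 1 and 900 seconds, ClientAliveCountMax 0, and an explicit PermitUserEnvironment no. It applies sshd's own first-match rule for keywords and does not evaluate Match blocks; the sample config lines in the comments are constructed.

```shell
#!/bin/sh
# Post-run verification of the sshd settings behind RHEL-06-000230, -000231 and -000241:
# idle timeout of at most 15 minutes, no keepalive retries, no user-controlled environment.
# Added example, not part of the BMC tw_stig scripts. Thresholds are the values the STIG
# checks look for (ClientAliveInterval 1..900, ClientAliveCountMax 0, PermitUserEnvironment no).
SSHD_CONFIG=/etc/ssh/sshd_config

# sshd_value FILE KEYWORD: effective value of a keyword. sshd takes the first
# uncommented occurrence and matches keywords case-insensitively, so we do the same.
# Match blocks are not evaluated; use "sshd -T" on a live host if you rely on them.
sshd_value() {
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ { next }
    NF >= 2 && tolower($1) == key && !found { print $2; found = 1 }' "$1"
}

# check_sshd_config FILE: prints a verdict per rule; returns 1 if any rule is not met.
# Unset keywords are reported as failures because the STIG checks grep for the explicit line.
check_sshd_config() {
  rc=0
  interval=$(sshd_value "$1" ClientAliveInterval)
  count=$(sshd_value "$1" ClientAliveCountMax)
  env=$(sshd_value "$1" PermitUserEnvironment)

  case ${interval:-x} in
    *[!0-9]*) iv_ok=0 ;;     # unset or not a number
    *) if [ "$interval" -ge 1 ] && [ "$interval" -le 900 ]; then iv_ok=1; else iv_ok=0; fi ;;
  esac
  if [ "$iv_ok" = 1 ]; then
    echo "RHEL-06-000230 OK: ClientAliveInterval $interval"
  else
    echo "RHEL-06-000230 FAIL: ClientAliveInterval is '${interval:-unset}', expected 1..900"; rc=1
  fi

  if [ "$count" = 0 ]; then
    echo "RHEL-06-000231 OK: ClientAliveCountMax 0"
  else
    echo "RHEL-06-000231 FAIL: ClientAliveCountMax is '${count:-unset}', expected 0"; rc=1
  fi

  case $env in
    [Nn][Oo]) echo "RHEL-06-000241 OK: PermitUserEnvironment no" ;;
    "")       echo "RHEL-06-000241 FAIL: PermitUserEnvironment not set explicitly"; rc=1 ;;
    *)        echo "RHEL-06-000241 FAIL: PermitUserEnvironment $env"; rc=1 ;;
  esac
  return $rc
}

if [ -r "$SSHD_CONFIG" ]; then
  check_sshd_config "$SSHD_CONFIG" || echo "WARNING: $SSHD_CONFIG does not meet all three rules"
else
  echo "$SSHD_CONFIG is not readable; run this check as root" >&2
fi
```

With ClientAliveCountMax 0 the interval is effectively a hard idle limit: sshd sends one keepalive after ClientAliveInterval seconds of inactivity and drops the session if no reply arrives, so a 900-second interval means idle sessions live at most 15 minutes.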
