
Exceptions to STIG Compliance

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls, so that configuration issues found in disparate domains can be correlated quickly and accurately. In this way it is similar to comparable data standards such as the Common Vulnerabilities and Exposures (CVE®) List (http://cve.mitre.org/cve), which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

This section lists the exceptions you can receive when you run the OpenSCAP report. The ID, or Common Configuration Enumeration (CCE) number, in the table is the identification number of the exception in the OpenSCAP report.

Control Group ID

Number that identifies the control group you specify in the manage-stig-controls script to enable or disable the rule.

  • ID: 1
  • Group: ssh-prevent-root
  • Description: Prevent root login through SSH.
  • Specified by Default: no

  • ID: 2
  • Group: ssh
  • Description: SSH STIG configuration.
  • Specified by Default: yes

  • ID: 3
  • Group: fips-kernel
  • Description: FIPS Kernel configuration
  • Specified by Default: no

  • ID: 4
  • Group: auth
  • Description: Authentication STIG configuration
  • Specified by Default: yes

  • ID: 5
  • Group: audit
  • Description: Audit STIG configuration
  • Specified by Default: yes

  • ID: 6
  • Group: packages
  • Description: RPM Package STIG configuration
  • Specified by Default: yes

  • ID: 7
  • Group: services
  • Description: Services STIG configuration
  • Specified by Default: yes

  • ID: 8
  • Group: mount
  • Description: Mount STIG configuration
  • Specified by Default: yes


Check

Describes what the rule checks to identify exceptions to DISA STIG compliance.

Comments

Provides insight on why you would receive this exception. This section includes one of the following comments that describes the exception:

  • Customer Responsibility - You are responsible for making sure the system meets this requirement.
  • Not a Finding - Exception does not apply to NetWitness Platform. NetWitness has verified that the system meets this requirement.
  • Future Feature - NetWitness Platform does not meet this requirement. NetWitness plans to fix this in a future release of NetWitness Platform.

Customer Responsibility Exceptions

CCE-80844-4 Install AIDE (Control Group = n/a)

  • Check: Customer Responsibility. NetWitness Platform does not provide AIDE because it has a negative impact on performance. If you must install it, run it as infrequently as possible while still adhering to your security policy.


CCE-80869-1 Ensure SELinux State is Enforcing

  • Check: The SELinux state is set to 'permissive' by default on all NetWitness Platform hosts, instead of 'enforcing', because of the performance impact.


CCE-80901-2 Disable SSH Root Login (Control Group = ssh-prevent-root)

  • Check: Customer Responsibility. Disable root login through SSH by adding or editing the following line in the /etc/ssh/sshd_config file: PermitRootLogin no
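
Verifying that this directive actually takes effect is less obvious than it looks, because sshd honours the first PermitRootLogin it reads and ignores later ones. The following shell script is an added example, not part of the NetWitness documentation; it evaluates constructed sample sshd_config files the way sshd would and reports whether root login is disabled.

```shell
# Added example (not from the NetWitness documentation): report the PermitRootLogin
# value an sshd_config file actually yields. sshd keeps the FIRST value it reads for
# a keyword, so "PermitRootLogin no" appended at the end of the file is ignored when
# an earlier line already sets it; keywords under a "Match" block apply only to that
# block and are skipped here. The sample files below are constructed.

# Print the effective global PermitRootLogin value of file $1 ("unset" if absent).
effective_permit_root_login() {
    awk '
        { gsub(/=/, " ") }                           # accept "Keyword = value" form
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "match" { in_match = 1 }      # global section ends at first Match
        in_match { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when root login over SSH is disabled in file $1, 1 otherwise.
check_root_login_disabled() {
    value=$(effective_permit_root_login "$1")
    if [ "$value" = "no" ]; then
        echo "PASS: $1 disables root login (PermitRootLogin no)"
        return 0
    fi
    echo "FAIL: $1 effective PermitRootLogin is '$value' (expected no)"
    return 1
}

# Constructed samples: a hardened file, one where the hardening line comes too
# late to take effect, and one that never sets the keyword at all.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); NONE_CFG=$(mktemp)
printf '%s\n' '# hardened' 'Protocol 2' 'PermitRootLogin no' \
    'Match User backup' '    PermitRootLogin yes' > "$GOOD_CFG"
printf '%s\n' 'PermitRootLogin = yes' 'Banner /etc/issue' 'PermitRootLogin no' > "$BAD_CFG"
printf '%s\n' 'Banner /etc/issue' > "$NONE_CFG"

check_root_login_disabled "$GOOD_CFG" || true
check_root_login_disabled "$BAD_CFG" || true
check_root_login_disabled "$NONE_CFG" || true
```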


CCE-86260-7 Virus Scanning Software Definitions Are Updated (ENSL) (Control Group = n/a)

  • Check: Customer Responsibility. NetWitness does not provide this software.

CCE-80942-6 Enable FIPS Mode (Control Group = fips-kernel)

[CCE number and title not recovered from the source]

  • Check: Append the following line to the existing AIDE line [line not recovered from the source], add the following line to the /etc/crontab file [line not recovered from the source], and run it as infrequently as possible while still adhering to your security policy.

CCE-84220-3 Configure AIDE to Verify Access Control Lists (Control Group = n/a)

[CCE number and title not recovered from the source]

  • Check: Select a superuser account name and password, and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain-text passwords are a security risk, generate a hash for the password by running the following command [command not recovered from the source] and, when prompted, enter the password that was selected. Do not use root, admin, or administrator for the grub2 superuser account; change the superuser to a different username (the default is 'root'). The bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running [command not recovered from the source].

Exceptions That Are Not a Finding

The following exceptions do not apply to NetWitness Platform. NetWitness has verified that the system meets these requirements.

CCE-80852-7 Ensure /var Located On Separate Partition (Control Group = n/a)

[CCE number and title not recovered from the source]

  • Check: Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

CCE-80854-3 Ensure /var/log/audit Located On Separate Partition (Control Group = audit)

  • Check: Place /var/log/audit on its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

CCE-80916-0 Enable Randomized Layout of Virtual Address Space (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w kernel.randomize_va_space=2
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    kernel.randomize_va_space = 2

CCE-80763-6 (Control ID = 2) Modify the System Login Banner (Control Group = ssh)

  • Check: [...] you consent to the following conditions: [...] but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
  • At any time, the USG may inspect and seize data stored on this IS.
  • Communications using [...]

CCE-80905-3 Enable SSH Warning Banner (Control Group = n/a)

  • Check: Customers are required to go into /etc/ssh/sshd_config and add their banner path under the # no default banner path tag. They can then add their banner content in that file.

CCE-80156-3 Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    net.ipv4.conf.all.send_redirects = 0

CCE-80157-1 Disable Kernel Parameter for IP Forwarding (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w net.ipv4.ip_forward=0
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    net.ipv4.ip_forward = 0

[CCE number and title not recovered from the source]

  • Check: [...] MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512).

CCE-80158-9 Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    net.ipv4.conf.all.accept_redirects = 0

CCE-80163-9 Configure Kernel Parameter for Accepting ICMP Redirects By Default (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    net.ipv4.conf.default.accept_redirects = 0

CCE-80165-4 Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests (Control Group = n/a)

  • Check: Run the following command:
    $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    If this is not the system default value, add the following line to the /etc/sysctl.conf file:
    net.ipv4.icmp_echo_ignore_broadcasts = 1

CCE-80438-5 Configure Multiple DNS Servers in /etc/resolv.conf (Control Group = n/a)

  • Check: Add a corresponding nameserver ip_address entry to the /etc/resolv.conf file for each DNS server, where ip_address is the IP address of a valid DNS server. For example:
    search example.com
    nameserver 192.168.0.1
    nameserver 192.168.0.2
  • Comments: [...] but it is dependent on your environment.

CCE-80447-6 Configure the Firewalld Ports (Control Group = n/a)

  • Check: Run the following command:
    $ sudo firewall-cmd --permanent --add-port=port_number/tcp
    [...] run the following command(s):
    $ sudo firewall-cmd --permanent --add-service=ssh
  • Comments: [...] not FirewallD.

CCE-80877-4 Verify firewalld Enabled

  • Check: Ask the System Administrator if another firewall application (such as iptables) is installed; if no application firewall is installed, this is a finding.
  • Comments: Not a Finding. The NetWitness Platform firewalld service is disabled because the platform uses IP Tables, not FirewallD.

CCE-80854-3 Ensure /var/log/audit Located On Separate Partition

  • Check: If the operating system is not configured to have "/var/log/audit" on a separate file system, or "/var/log/audit" is not on a separate file system, this is a finding.
  • Comments: Not a Finding. NetWitness Platform has the /var/log directory as a separate partition.
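
The six sysctl-based entries in this section each end with a line to persist in /etc/sysctl.conf. The following POSIX shell script is an added example, not part of the NetWitness documentation; it resolves the effective value of each of those keys in a sysctl.conf-style file (last occurrence wins, as sysctl applies it) and reports which expected values are missing or overridden, using a constructed sample file.

```shell
# Added example, not part of the NetWitness documentation: audit a sysctl.conf-style
# file for the kernel parameters listed in this section. sysctl.conf is "last value
# wins", so a later line can silently undo an earlier hardening line; the effective
# value of each key is resolved before comparing. The sample file is constructed.

# Expected persisted settings (from the CCE entries above), one key=value per line.
EXPECTED='kernel.randomize_va_space=2
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1'

# Print the effective value of key $2 in file $1, or "unset": comments (# or ;) are
# skipped, "key = value" and "key=value" both accepted, the last occurrence wins.
effective_sysctl_value() {
    awk -v key="$2" '
        /^[ \t]*(#|;|$)/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k); if (k != key) next
          v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          value = v; found = 1 }                 # keep scanning: later lines override
        END { print (found ? value : "unset") }
    ' "$1"
}

# Print PASS/FAIL for every expected key in file $1; return the number of mismatches.
audit_sysctl_conf() {
    failures=0
    while IFS='=' read -r key want; do
        got=$(effective_sysctl_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key: persisted value '$got', expected '$want'"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Constructed /etc/sysctl.conf: one expected key missing, one hardened value undone.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample' 'kernel.randomize_va_space = 2' \
    'net.ipv4.conf.all.send_redirects = 0' 'net.ipv4.ip_forward = 0' \
    'net.ipv4.conf.all.accept_redirects=0' 'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
    '; added later: silently re-enables forwarding' 'net.ipv4.ip_forward = 1' > "$SAMPLE"
audit_sysctl_conf "$SAMPLE" || echo "$? setting(s) not persisted as required"
```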