report.
ID Check Reason/Workaround
CCE-26215-4 (For IPDB Extractor only) Ensure /var/log Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var/log directory has its own partition or logical volume at installation, or migrate it using LVM.
CCE-26328-5 (For IPDB Extractor, Malware Analysis, and SA hosts only) Require Client SMB Packet Signing, if using smbclient
Reason: This is a manual task for the system administrator.
Workaround: To require Samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatory
CCE-26436-6 Ensure that /var/log/audit directory is located on a separate partition.
Reason: Requires a change to the Security Analytics architecture.
Workaround: None.
CCE-26506-6 Ensure Red Hat GPG Key Installed
Reason: Security Analytics runs under CentOS, so it does not have a Red Hat GPG key.
Workaround: None
CCE-26557-9 (For IPDB Extractor only) Ensure /home Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: If you store user home directories locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home is mounted from another system such as an NFS server, you do not need to create a separate partition at installation and you can configure the mount point at a later date.
CCE-26639-5 (For IPDB Extractor only) Ensure /var Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var directory has its own partition or logical volume at installation, or migrate it using LVM.
CCE-26647-8 Ensure gpgcheck Enabled For All Yum Package Repositories
Reason: This is a manual task for the system administrator.
Workaround: Set gpgcheck=1.
CCE-26731-0 Verify and Correct File Permissions with RPM
Reason: This is a manual task for the system administrator.
Workaround: Reinstate permissions set by the vendor.
CCE-26792-2 (For IPDB Extractor, Malware Analysis, and SA hosts only) Require Client SMB Packet Signing, if using mount.cifs
Reason: This is a manual task for the system administrator.
Workaround: Make sure that either the sec=krb5i or the sec=ntlmv2i signing option is used.
CCE-26801-1 Ensure Logs Sent To Remote Host
Reason: This is a manual task for the system administrator.
Workaround: Forward log messages to a remote log host.
Exceptions
© 2010 - 2015 RSA, The Security Division of EMC.
Last Modified: August 10 2015, 10:20AM
CCE-26812-8 Ensure Log Files Are Owned By Appropriate User
Reason: This is a manual task for the system administrator.
Workaround: The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referred to in /etc/rsyslog.conf, run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to correct this:
# chown root LOGFILE
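The ls -l / chown procedure above, automated as an added example (not code from the RSA document): the script pulls the file targets out of the second field of each rsyslog rule line, reads each file's owner from the ls -ld owner column, and reports any that are not root. It assumes a constructed sample configuration and constructed log files in a temporary directory rather than the real /etc/rsyslog.conf.

```shell
# Added example, not part of the RSA document: audit the ownership of every log
# file named in an rsyslog configuration, following the ls -l / chown procedure
# above. The sample configuration and log files are constructed in a temporary
# directory so the script runs without touching the real system.

# Print the file targets of rsyslog rule lines: the second field, an absolute
# path optionally prefixed with '-' (asynchronous write). Comment lines and
# $-directives are skipped; non-file actions such as '*' or '@host' are ignored.
rsyslog_logfiles() {
    awk '$1 !~ /^[#$]/ && $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }' "$1" | sort -u
}

# Owner of a file, taken from the third column of ls -ld as the document does.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Report "<path> <owner>" for each existing log file not owned by root; files
# that do not exist yet are skipped (rsyslog creates them on first write).
# Returns 0 when every existing log file is owned by root, 1 otherwise.
check_log_owners() {
    rc=0
    for f in $(rsyslog_logfiles "$1"); do
        [ -e "$f" ] || continue
        o=$(file_owner "$f")
        if [ "$o" != root ]; then
            echo "$f $o"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on a constructed configuration and log files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rsyslog.conf" <<EOF
# constructed sample; the directive and the '*' action must be ignored
\$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none   $demo_dir/messages
authpriv.*                                 -$demo_dir/secure
*.emerg                                    *
EOF
touch "$demo_dir/messages" "$demo_dir/secure"
if check_log_owners "$demo_dir/rsyslog.conf"; then
    echo "all log files are owned by root"
else
    echo "run 'chown root <path>' for each file listed above"
fi
rm -rf "$demo_dir"
```

Run it as root to see the passing case; as an unprivileged user the constructed files are owned by that user and are reported.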
CCE-26910-0 (For Log Decoder only) Ensure No World-Writable Files Exist
Reason: This is a manual task for the system administrator.
Workaround: Remove global (other) write access to a file when it is discovered. However, check the documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of an application or user account that was not configured correctly.
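An added example (not code from the RSA document) covering the three parts of the workaround above: finding world-writable regular files, removing the global write bit from a reviewed file, and comparing a new scan against a saved baseline so that recurring or newly created world-writable files stand out. The directory tree it scans is constructed in a temporary directory; on a real host you would point it at / or at the application's directories.

```shell
# Added example, not part of the RSA document: find world-writable regular files
# under a directory, strip the global write bit from a file once it has been
# reviewed, and compare a fresh scan against an earlier one so that files that
# keep reappearing (a sign of a misconfigured application or account) stand out.

# List world-writable regular files under $1, one per line, sorted.
# -xdev stays on one filesystem; -perm -0002 matches any file with o+w set.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# Remove global write access from every path given as an argument.
remove_world_write() {
    for f in "$@"; do
        chmod o-w "$f"
    done
}

# Print the files found under $1 that are absent from the baseline list $2
# (a previous find_world_writable run saved to a file), i.e. new since then.
new_since_baseline() {
    find_world_writable "$1" | comm -23 - "$2"
}

# Stand-alone demonstration on a constructed directory tree.
demo=$(mktemp -d)
mkdir -p "$demo/scan/app"
touch "$demo/scan/app/cache.db" "$demo/scan/app/config"
chmod 666 "$demo/scan/app/cache.db"   # world-writable: should be reported
chmod 644 "$demo/scan/app/config"     # not world-writable
echo "initial scan:"
find_world_writable "$demo/scan" | tee "$demo/baseline.txt"
remove_world_write "$demo/scan/app/cache.db"
touch "$demo/scan/app/upload.tmp"
chmod 666 "$demo/scan/app/upload.tmp"
echo "new since baseline (recurring or newly created):"
new_since_baseline "$demo/scan" "$demo/baseline.txt"
rm -rf "$demo"
```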
CCE-26966-2 Ensure that System Accounts Do Not Run a Shell Upon Login
Reason: The nwadmin user is the exception.
Workaround: None
CCE-26969-6 Ensure SELinux State is Enforcing
Reason: Enforcing this rule causes functionality to fail, especially on the Decoder.
Workaround: Set the SELinux state to Permissive (denials are logged rather than enforced).
CCE-26974-6 Modify the System Login Banner
Reason: User is allowed to modify system banner.
Workaround: None
CCE-27017-3 Set GUI Warning Banner Text
Reason: Security Analytics does not run an OS-level GUI; the banner is provided upon login via SSH or the console.
Workaround: None
CCE-27033-0 Disable Core Dumps for All Users
Reason: The setting is enabled for Product Support.
Workaround: To disable core dumps for all users, add the following line to /etc/security/limits.conf:
* hard core 0
CCE-27016-5 Disable Modprobe Loading of USB Storage Driver
Reason: You need USB to boot from the SD cards onboard Security Analytics hosts.
CCE-27145-2 Create Warning Banners for All FTP Users
Reason: Security Analytics does not use FTP.
Workaround: None
CCE-27153-6 Disable IPv6 Networking Support Automatic Loading
Reason: Disabling IPv6 Networking Support Automatic Loading causes functionality to fail.
Workaround: None.
CCE-27196-5 Add noexec Option to Removable Media Partitions
Reason: You need USB to boot from the SD cards.
Workaround: None
CCE-27222-9 Configure Periodic Execution of AIDE
Reason: This is a manual task for the system administrator.
Workaround: Configure a CRON job to run AIDE or the IDS you use.
CCE-27239-3 Configure auditd admin_space_left Action on Low Disk Space
Reason: This is a manual task for the system administrator.
Workaround: Provide sufficient disk space.
CCE-27283-1 Set Account Expiration Following Inactivity
Reason: This is a manual task for the system administrator.
Workaround: Add or correct the INACTIVE=NUM_DAYS line in /etc/default/useradd, substituting NUM_DAYS appropriately.
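The "add or correct" step above as an added example (not code from the RSA document): it rewrites an existing INACTIVE= line or appends one, and writes the result back in a way that keeps the file's ownership and mode. It operates on a constructed copy of /etc/default/useradd; the value 35 is a constructed placeholder for NUM_DAYS, not a value from the document.

```shell
# Added example, not part of the RSA document: add or correct the INACTIVE=
# line in a useradd defaults file so that new accounts are locked NUM_DAYS
# after their password expires. The file path and day count are parameters;
# the sample file and the value 35 below are constructed for the demonstration.

# Print the current INACTIVE value from file $1 (empty when the line is absent).
get_useradd_inactive() {
    awk -F= '$1 == "INACTIVE" { print $2 }' "$1" | tail -n 1
}

# Set INACTIVE=$2 in file $1: rewrite an existing line in place, otherwise
# append one. The result is written back with cat so that the original file's
# ownership and mode are kept (sed -i would also not be portable).
set_useradd_inactive() {
    tmp=$(mktemp)
    awk -v days="$2" '
        /^INACTIVE=/ { print "INACTIVE=" days; seen = 1; next }
        { print }
        END { if (!seen) print "INACTIVE=" days }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Stand-alone demonstration on a constructed copy of /etc/default/useradd.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample of /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
EOF
echo "before: INACTIVE=$(get_useradd_inactive "$demo")"
set_useradd_inactive "$demo" 35
echo "after:  INACTIVE=$(get_useradd_inactive "$demo")"
rm -f "$demo"
```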
CCE-27289-8 (For Log Decoder only) Verify that System Executables Have Restrictive Permissions
Reason: Some files deployed by Erlang do not have permissions set according to STIG guidelines.
Workaround: Change permissions to conform to STIG guidelines using the following command:
# chmod go-w FILE
CCE-27365-6 Configure SNMP Service to Use Only SNMPv3 or Newer
Reason: This is a manual task for the system administrator.
Workaround: Configure SNMPv3.
CCE-27381-3 Verify that Shared Library Files Have Restrictive Permissions
Reason: This is a manual task for the system administrator.
Workaround: Fix permissions.
CCE-27409-2 Install Intrusion Detection Software
Reason: This is a manual task for the system administrator.
Workaround: Install intrusion detection software. RSA does not provide this software.
CCE-27440-7 Enable Smart Card Login
Reason: Security Analytics does not support smart cards. This is a manual task for the system administrator.
Workaround: Configure smart card authentication.
CCE-27529-7 Install Virus Scanning Software
Reason: This is a manual task for the system administrator.
Workaround: Install virus scanning software. RSA does not provide this software.
CCE-27596-6 Encrypt Partitions
Reason: Security Analytics does not encrypt partitions because it degrades performance.
Workaround: None.
CCE-27635-2 Ensure Software Patches Installed
Reason: This is a manual task for the system administrator.
Workaround: Apply the quarterly updates provided by RSA.