STIG false-positives
The following STIG items might fail a STIG scan (for example, an OpenSCAP scan), but they are implemented in a way that makes them compliant. STIG scans look for specific configuration changes on the system, whereas a STIG item can be implemented in more than one way. The items listed here are confirmed compliant by IBM® regardless of the STIG scan result.
V-204397
- Finding ID
- For more information, see V-204397.
- Version
- RHEL-07-010061
- Rule ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
- Title
- The Red Hat® Enterprise Linux® operating system must uniquely identify and authenticate users by using multifactor authentication via a graphical user logon.
- Justification
- QRadar® does not have GNOME installed; this requirement is not applicable.
V-204471
- Finding ID
- For more information, see V-204471.
- Version
- RHEL-07-020660
- Rule ID
- xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership
- Title
- The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a valid owner.
- Justification
- All files and directories contained in local interactive user home directories are owned by the correct owner in QRadar.
V-204472
- Finding ID
- For more information, see V-204472.
- Version
- RHEL-07-020670
- Rule ID
- xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership
- Title
- The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.
- Justification
- All files and directories contained in local interactive user home directories are group-owned by the correct group in QRadar.
V-204500
- Finding ID
- For more information, see V-204500.
- Version
- RHEL-07-021620
- Rule ID
- xccdf_org.ssgproject.content_rule_aide_use_fips_hashes
- Title
- The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
- Justification
- The STIG scripts configure QRadar to be compliant with this item by setting the sha512 option on all applicable rulesets in /etc/aide.conf.
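To confirm the sha512 setting on every ruleset rather than relying on a scanner's pattern match, the following added example (not IBM's STIG script) walks an aide.conf excerpt and reports any ruleset definition that lacks sha512. The sample configuration is constructed for the example, and the check assumes rulesets are written as `NAME = attr+attr+...` with spaces around the equals sign.

```shell
#!/bin/sh
# Added example: verify that every ruleset defined in an aide.conf includes the
# sha512 hash. This is not IBM's script; it only inspects configuration text.

# Constructed aide.conf excerpt. Two rulesets carry sha512, the third does not,
# so a scan of this text is right to report it.
SAMPLE_AIDE_CONF='
# ruleset definitions
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
DIR = p+i+n+u+g+acl+selinux+xattrs
LOG = p+u+g+n+S+acl+selinux+xattrs+sha512
# selections
/boot   NORMAL
/etc    DIR
'

# Prints the name of each ruleset whose definition lacks sha512.
# Returns 0 if all rulesets include sha512, 1 otherwise.
# A ruleset line looks like "NAME = attr+attr+...", so it is told apart from
# selection lines ("/path NAME") by the "=" and from comments by the leading "#".
# Argument 1 is the aide.conf text (on a live host: "$(cat /etc/aide.conf)").
check_aide_rulesets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 == "=" {
            split($3, attrs, "[+]")
            has = 0
            for (i in attrs) if (attrs[i] == "sha512") has = 1
            if (!has) { print "missing sha512: " $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}
```

The check reads the ruleset definitions themselves, so a ruleset that a scanner's regular expression happens to miss is still evaluated on its actual attribute list.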
V-204595
- Finding ID
- For more information, see V-204595.
- Version
- RHEL-07-040400
- Rule ID
- xccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig
- Title
- The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) that employ FIPS 140-2 approved cryptographic hash algorithms.
- Justification
- The current sshd_config uses a compliant algorithm list, but some scanners might report this item as noncompliant because of the presence of “encrypt then mac” style algorithms, for example hmac-sha2-512-etm. Based on the NIST-provided list (see RHEL OpenSSH Server Cryptographic Module), these are valid algorithms to include, and therefore any reported noncompliance with this item is most likely a false positive.
V-204628
- Finding ID
- For more information, see V-204628.
- Version
- RHEL-07-040810
- Rule ID
- xccdf_org.ssgproject.content_rule_set_firewalld_default_zone
- Title
- The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.
- Justification
- QRadar uses iptables, and the iptables rules are configured to be compliant with this item by default. However, most scanners check for compliance with this item by looking for firewalld. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204604
- Finding ID
- For more information, see V-204604.
- Version
- RHEL-07-040520
- Rule ID
- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
- Title
- The Red Hat Enterprise Linux operating system must enable an application firewall, if available.
- Justification
- QRadar uses iptables, and the iptables rules are configured to be compliant with this item by default. However, most scanners check for compliance with this item by looking for firewalld. Therefore, any reported noncompliance with this item is most likely a false positive.
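Because the two firewall items above are judged by the packet filter that is actually in effect, a practitioner can verify them from the iptables ruleset instead of the firewalld service state. The following added example (not IBM's code) evaluates the text that `iptables -S INPUT` prints; the sample ruleset is constructed for the example and stands in for the QRadar defaults, which the page does not reproduce.

```shell
#!/bin/sh
# Added example: inspect the effective iptables INPUT chain rather than checking
# whether firewalld is enabled. Not IBM's code; it evaluates `iptables -S INPUT`
# output passed in as text.

# Constructed sample of `iptables -S INPUT` on a host that filters with iptables.
SAMPLE_IPTABLES_INPUT='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Returns 0 when the INPUT chain denies by default: either its policy is DROP
# or REJECT, or its last rule is an unconditional DROP/REJECT. Returns 1 otherwise.
# Argument 1 is the `iptables -S INPUT` text (on a live host: "$(iptables -S INPUT)").
input_chain_denies_by_default() {
    rules=$1
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    case $policy in
        DROP|REJECT) return 0 ;;
    esac
    # Fallback: an unconditional catch-all rule at the end of the chain.
    last=$(printf '%s\n' "$rules" | awk '$1 == "-A" && $2 == "INPUT"' | tail -n 1)
    case $last in
        "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) return 0 ;;
    esac
    return 1
}

# Prints how many INPUT rules accept a given TCP/UDP destination port, so an
# operator can confirm that only documented services are reachable.
# Arguments: 1 = `iptables -S INPUT` text, 2 = port number.
accept_rules_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == port) n++
        }
        END { print n + 0 }'
}
```

Checking the chain policy and the accept rules answers the question the STIG item actually asks (is access granted or denied per host and service?), which is independent of which management front end wrote the rules.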
V-204489
- Finding ID
- For more information, see V-204489.
- Version
- RHEL-07-021100
- Rule ID
- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
- Title
- The Red Hat Enterprise Linux operating system must have cron logging implemented.
- Justification
- QRadar is configured to implement cron logging with syslog-ng by default. However, most scanners check for compliance with this item by looking for rsyslog. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204591
- Finding ID
- For more information, see V-204591.
- Version
- RHEL-07-040360
- Rule ID
- xccdf_org.ssgproject.content_rule_sshd_print_last_log
- Title
- The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
- Justification
- QRadar displays the date and time of the last successful account logon upon an SSH logon. Any reported noncompliance with this item is most likely a false positive.
V-204590
- Finding ID
- For more information, see V-204590.
- Version
- RHEL-07-040350
- Rule ID
- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
- Title
- The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication that uses rhosts authentication.
- Justification
- QRadar is configured to use the "yes" default value for the IgnoreRhosts flag and is compliant by default. However, some scanners check only whether this flag is explicitly set. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204622
- Finding ID
- For more information, see V-204622.
- Version
- RHEL-07-040710
- Rule ID
- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
- Title
- The Red Hat Enterprise Linux operating system must be configured so that remote X connections are unavailable except to fulfill documented and validated mission requirements.
- Justification
- QRadar is configured to use the "no" default value for the X11Forwarding flag and is compliant by default. However, some scanners check only whether this flag is explicitly set. Therefore, any reported noncompliance with this item is most likely a false positive.
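The four SSH items on this page (V-204595 MACs, V-204591 PrintLastLog, V-204590 IgnoreRhosts and V-204622 X11Forwarding) share one cause of false positives: a scanner that greps sshd_config for a literal line cannot see a value that sshd applies by default. The following added example (not IBM's code) evaluates the effective configuration that `sshd -T` prints instead. The `sshd -T` capture is constructed for the example, and the approved MAC base names are an assumption for the example; the STIG text and the RHEL OpenSSH Server Cryptographic Module listing are authoritative.

```shell
#!/bin/sh
# Added example: evaluate the SSH daemon's effective configuration, as printed
# by `sshd -T`, rather than grepping sshd_config for explicit keywords. Not
# IBM's code.

# Constructed sample of `sshd -T` output (only the keywords used below). sshd -T
# prints keywords in lower case and includes settings never written to sshd_config.
SAMPLE_SSHD_T='port 22
ignorerhosts yes
x11forwarding no
printlastlog yes
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Approved MAC base names (assumption for this example).
APPROVED_MACS="hmac-sha2-512 hmac-sha2-256"

# Prints the effective value of a keyword from sshd -T text.
# Arguments: 1 = sshd -T output, 2 = keyword (any case).
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v k="$key" '$1 == k { print $2; exit }'
}

# Returns 0 when the keyword's effective value equals the expected one.
# Arguments: 1 = sshd -T output, 2 = keyword, 3 = expected value.
sshd_expect() {
    [ "$(sshd_effective "$1" "$2")" = "$3" ]
}

# Returns 0 when every effective MAC is approved after stripping the
# "-etm@openssh.com" suffix (encrypt-then-MAC form of the same hash); prints
# each MAC that is not approved.
sshd_macs_approved() {
    status=0
    for mac in $(sshd_effective "$1" macs | tr ',' ' '); do
        base=${mac%-etm@openssh.com}
        ok=1
        for a in $APPROVED_MACS; do
            [ "$base" = "$a" ] && ok=0
        done
        if [ $ok -ne 0 ]; then
            echo "MAC not approved: $mac"
            status=1
        fi
    done
    return $status
}

# Runs the four checks this page discusses against one sshd -T capture and
# returns 0 only if all pass. On a live host: sshd_checks "$(sshd -T)".
sshd_checks() {
    cfg=$1
    rc=0
    sshd_expect "$cfg" IgnoreRhosts yes || { echo "IgnoreRhosts is not yes"; rc=1; }
    sshd_expect "$cfg" X11Forwarding no || { echo "X11Forwarding is not no"; rc=1; }
    sshd_expect "$cfg" PrintLastLog yes || { echo "PrintLastLog is not yes"; rc=1; }
    sshd_macs_approved "$cfg" || rc=1
    return $rc
}
```

Running `sshd -T` requires root, because it loads the host keys; the output is the configuration the daemon would actually use, so a keyword that is absent from sshd_config still appears with its default value.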
V-204456
- Finding ID
- For more information, see V-204456.
- Version
- RHEL-07-020231
- Rule ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
- Title
- The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the graphical user interface.
- Justification
- QRadar does not have a graphical user interface installed. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204440
- Finding ID
- For more information, see V-204440.
- Version
- RHEL-07-010491
- Rule ID
- xccdf_org.ssgproject.content_rule_grub2_uefi_password
- Title
- Red Hat Enterprise Linux operating systems version 7.2 or newer that use Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
- Justification
- QRadar uses BIOS. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204436
- Finding ID
- For more information, see V-204436.
- Version
- RHEL-07-010480
- Rule ID
- N/A
- Title
- Red Hat Enterprise Linux operating systems before version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
- Justification
- QRadar runs a RHEL version newer than 7.2. Therefore, any reported noncompliance with this item is most likely a false positive.
V-219059
- Finding ID
- For more information, see V-219059.
- Version
- RHEL-07-020111
- Rule ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
- Title
- The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
- Justification
- QRadar does not have a graphical user interface installed. Therefore, any reported noncompliance with this item is most likely a false positive.
V-204421
- Finding ID
- For more information, see V-204421.
- Version
- RHEL-07-010260
- Rule ID
- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
- Title
- The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
- Justification
- Some scanners check all accounts against this requirement, but only non-system accounts are subject to it. Our hardening process brings non-system accounts into compliance with this requirement. Therefore, any reported noncompliance with this item is most likely a false positive.
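To reproduce the scoping that the justification describes, the following added example (not IBM's hardening script) applies the 60-day limit only to accounts whose UID is at or above UID_MIN, which is how system accounts are told apart from interactive ones. The passwd and shadow lines are constructed for the example, the hashes are placeholders, and UID_MIN=1000 is an assumption taken from the usual RHEL 7 login.defs default.

```shell
#!/bin/sh
# Added example: apply the maximum password lifetime only to non-system accounts.
# Not IBM's code; it evaluates passwd/shadow style text passed in as arguments,
# so it can be run against copies of the files or a constructed sample.

# UID_MIN as set in /etc/login.defs (assumption for this example).
UID_MIN=1000

# Constructed sample lines in /etc/passwd and /etc/shadow format. Hashes are
# placeholders. Field 5 of a shadow line is the maximum password age in days.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
analyst:x:1001:1001::/home/analyst:/bin/bash'
SAMPLE_SHADOW='root:$6$placeholderhash:19000:1:99999:7:::
postgres:!!:19000::::::
admin:$6$placeholderhash:19000:1:60:7:::
analyst:$6$placeholderhash:19000:1:99999:7:::'

# Prints "user max_days" for each non-system account (UID >= UID_MIN) whose
# maximum password age is unset or exceeds the limit. Returns 0 when no account
# violates the limit, 1 otherwise.
# Arguments: 1 = passwd text, 2 = shadow text, 3 = limit in days.
password_maxlife_violations() {
    limit=$3
    # One awk run over both inputs: passwd lines (7 fields) mark eligible users,
    # shadow lines (9 fields) are then checked for those users only.
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } |
    awk -F: -v min="$UID_MIN" -v limit="$limit" '
        NF == 7 && $3 ~ /^[0-9]+$/ && $3 + 0 >= min { eligible[$1] = 1; next }
        NF >= 8 && ($1 in eligible) {
            if ($5 == "" || $5 + 0 > limit) {
                print $1, ($5 == "" ? "unset" : $5)
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

In the constructed sample, root and postgres keep their 99999-day or unset values without being reported, admin is within the limit, and only analyst is listed; a scanner that evaluates every shadow entry would report root and postgres as well.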