STIG false-positives
The following STIG items might fail a STIG scan (for example, an OpenSCAP scan that uses the DISA STIG for Red Hat® Enterprise Linux® 8 V2R3 or later), but they are implemented in a way that makes them compliant. The STIG scans look for specific changes on the system, while a STIG item can be implemented in many ways. The items that are listed are confirmed compliant by IBM® regardless of the STIG scan result.
V-230256
- Finding ID
- For more information, see V-230256.
- Version
- RHEL-08-010295
- Rule ID
- xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
- Title
- Configure GnuTLS library to use DoD-approved TLS encryption
- Justification
- Manual confirmation of the crypto-policy symlinks is required. Scanners are often out of date.
V-230223 and V-272482
- Finding ID
- For more information, see V-230223 and V-272482.
- Version
- RHEL-08-010020 & RHEL-08-010296
- Rule ID
- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
- Title
- Configure SSH Client to use FIPS 140-2 Validated Ciphers: openssh.config
- Justification
- Manual confirmation of the crypto-policy symlinks is required. Scanners are often out of date.
V-230252
- Finding ID
- For more information, see V-230252.
- Version
- RHEL-08-010291
- Rule ID
- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
- Title
- Configure SSH Server to use FIPS 140-2 Validated Ciphers: opensshserver.config
- Justification
- Manual confirmation of the crypto-policy symlinks is required. Scanners are often out of date.
V-230251
- Finding ID
- For more information, see V-230251.
- Version
- RHEL-08-010290
- Rule ID
- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
- Title
- Configure SSH Server to use FIPS 140-2 Validated MACs: opensshserver.config
- Justification
- Manual confirmation of the crypto-policy symlinks is required. Scanners are often out of date.
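The four crypto-policy items above carry the same justification: the symlinks have to be confirmed by hand because the scanner reads a fixed file and does not follow the policy layout. The following script is an added example of that manual check; it is not from this page and is not part of QRadar. It assumes the RHEL 8 layout for the predefined policies (FIPS, DEFAULT), in which /etc/crypto-policies/config names the active policy and each /etc/crypto-policies/back-ends/NAME.config is a symlink to /usr/share/crypto-policies/POLICY/NAME.txt. The function names are the example's own, and demo_root builds a constructed directory tree instead of reading a real host.

```shell
#!/bin/sh
# Added example (not from the IBM page, not QRadar code): confirm that the RHEL 8
# crypto-policy back-end configs are symlinks into the active policy directory.
# Assumed layout (predefined policies only):
#   ROOT/etc/crypto-policies/config                  -> active policy name, e.g. FIPS
#   ROOT/etc/crypto-policies/back-ends/NAME.config    -> symlink to
#   ROOT/usr/share/crypto-policies/POLICY/NAME.txt
# ROOT is a prefix so the functions run against a constructed tree (demo_root) or,
# with ROOT="", against the live /etc and /usr of a host.

# active_policy ROOT: print the policy name recorded in ROOT/etc/crypto-policies/config.
active_policy() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/etc/crypto-policies/config" | head -n 1
}

# check_backend ROOT NAME POLICY: return 0 if NAME.config is a symlink that resolves to
# the non-empty POLICY file for that back-end, 1 otherwise, printing a one-line reason.
check_backend() {
  cb_link="$1/etc/crypto-policies/back-ends/$2.config"
  cb_want="$1/usr/share/crypto-policies/$3/$2.txt"
  if [ ! -L "$cb_link" ]; then
    echo "FAIL $2: $cb_link is not a symlink"; return 1
  fi
  cb_target=$(readlink -f "$cb_link") || cb_target=""
  if [ -z "$cb_target" ] || [ ! -s "$cb_target" ]; then
    echo "FAIL $2: $cb_link is dangling or points at an empty file"; return 1
  fi
  if [ "$cb_target" != "$(readlink -f "$cb_want")" ]; then
    echo "FAIL $2: $cb_link -> $cb_target, expected $cb_want"; return 1
  fi
  echo "OK   $2: $cb_link -> $cb_target"
}

# check_all ROOT: check the back-ends named in the STIG items above (gnutls, openssh,
# opensshserver) against the active policy; the return value is the number of failures.
check_all() {
  ca_policy=$(active_policy "$1")
  ca_fails=0
  for ca_name in gnutls openssh opensshserver; do
    check_backend "$1" "$ca_name" "$ca_policy" || ca_fails=$((ca_fails + 1))
  done
  return $ca_fails
}

# demo_root ACTIVE LINKED: build a constructed tree (not a real host) that records ACTIVE
# in config but points the back-end symlinks at the LINKED policy; print the root path.
# ACTIVE != LINKED reproduces the case the scanner gets wrong: a stale or wrong symlink.
demo_root() {
  dr_root=$(mktemp -d)
  for dr_pol in FIPS DEFAULT; do
    mkdir -p "$dr_root/usr/share/crypto-policies/$dr_pol"
    for dr_name in gnutls openssh opensshserver; do
      echo "# constructed $dr_pol policy for $dr_name" \
        > "$dr_root/usr/share/crypto-policies/$dr_pol/$dr_name.txt"
    done
  done
  mkdir -p "$dr_root/etc/crypto-policies/back-ends"
  echo "$1" > "$dr_root/etc/crypto-policies/config"
  for dr_name in gnutls openssh opensshserver; do
    ln -s "$dr_root/usr/share/crypto-policies/$2/$dr_name.txt" \
      "$dr_root/etc/crypto-policies/back-ends/$dr_name.config"
  done
  echo "$dr_root"
}

# Live use: sh check_crypto_policy_links.sh /   (a "/" root means the real /etc and /usr)
if [ "$#" -gt 0 ]; then
  check_all "${1%/}"
fi
```

A FAIL line means the file the scanner read is not the active policy's file, so the scan result needs investigation rather than dismissal. Custom policies and subpolicies may leave regular files rather than symlinks in back-ends, which this check also reports as FAIL; in that case compare the file contents against the policy directory by hand.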
V-230379
- Finding ID
- For more information, see V-230379.
- Version
- RHEL-08-020320
- Rule ID
- xccdf_org.ssgproject.content_rule_accounts_authorized_local_users
- Title
- Only authorized local user accounts exist on operating system
- Justification
- The QRadar team verifies the correct set of user accounts, which differs from the standard RHEL 8 set of user accounts.
V-230491
- Finding ID
- For more information, see V-230491.
- Version
- RHEL-08-040004
- Rule ID
- xccdf_org.ssgproject.content_rule_grub2_pti_argument
- Title
- Enable Kernel Page-Table Isolation (KPTI)
- Justification
- KPTI is enabled by default in the RHEL 8 kernel, so the explicit pti=on kernel argument that this rule checks for is not required. The mitigation status can be confirmed in /sys/devices/system/cpu/vulnerabilities/meltdown.
V-230387
- Finding ID
- For more information, see V-230387.
- Version
- RHEL-08-030010
- Rule ID
- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
- Title
- Ensure cron is logging to rsyslog
- Justification
- QRadar uses syslog-ng instead of rsyslog. Cron logging is enabled in syslog-ng.
V-230228
- Finding ID
- For more information, see V-230228.
- Version
- RHEL-08-010070
- Rule ID
- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
- Title
- Ensure remote access methods are monitored in rsyslog
- Justification
- QRadar uses syslog-ng instead of rsyslog. Remote access logging is enabled in syslog-ng.
V-230478
- Finding ID
- For more information, see V-230478.
- Version
- RHEL-08-030680
- Rule ID
- xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
- Title
- Ensure rsyslog-gnutls is installed
- Justification
- QRadar uses syslog-ng instead of rsyslog.
V-230477
- Finding ID
- For more information, see V-230477.
- Version
- RHEL-08-030670
- Rule ID
- xccdf_org.ssgproject.content_rule_package_rsyslog_installed
- Title
- Ensure rsyslog is Installed
- Justification
- QRadar uses syslog-ng instead of rsyslog.
V-230298
- Finding ID
- For more information, see V-230298.
- Version
- RHEL-08-010561
- Rule ID
- xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
- Title
- Enable rsyslog service
- Justification
- QRadar uses syslog-ng instead of rsyslog.
V-244544
- Finding ID
- For more information, see V-244544.
- Version
- RHEL-08-040101
- Rule ID
- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
- Title
- Verify firewalld enabled
- Justification
- QRadar uses iptables instead of firewalld.
V-230550
- Finding ID
- For more information, see V-230550.
- Version
- RHEL-08-040290
- Rule ID
- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
- Title
- Prevent unrestricted mail relaying
- Justification
- QRadar uses the Postfix relayhost setting as an alternative to the relay restriction that this rule checks for.
V-230504
- Finding ID
- For more information, see V-230504.
- Version
- RHEL-08-040090
- Rule ID
- xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny
- Title
- Set default firewalld zone for incoming packets
- Justification
- QRadar uses iptables instead of firewalld. There is a default-deny policy in place.
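The two firewalld items above are justified by a default-deny iptables policy. The following script is an added example, not from this page and not part of QRadar, of checking that claim from iptables-save output instead of trusting the scanner's firewalld test. It assumes the iptables-save format, in which a chain header reads ":INPUT DROP [0:0]"; the function names are the example's own, and sample_ruleset writes a constructed dump rather than one captured from an appliance.

```shell
#!/bin/sh
# Added example (not from the IBM page, not QRadar code): audit the built-in policies of
# the filter table in iptables-save output. Assumes iptables-save format, where each
# table starts with "*name", chain headers read ":CHAIN POLICY [pkts:bytes]" and the
# table ends with COMMIT. Only the *filter table matters; *nat also has an INPUT chain,
# and a naive grep for ":INPUT" would pick that one up.

# chain_policy CHAIN FILE: print the policy of CHAIN in the *filter table of FILE
# (prints nothing if the chain header is absent).
chain_policy() {
  awk -v chain=":$1" '
    /^\*/ { table = $1 }
    $1 == chain && table == "*filter" { print $2; exit }
  ' "$2"
}

# audit_filter FILE: return 0 when INPUT and FORWARD both default to DROP, 1 otherwise,
# with one OK/FAIL line per chain.
audit_filter() {
  af_rc=0
  for af_chain in INPUT FORWARD; do
    af_pol=$(chain_policy "$af_chain" "$1")
    case "$af_pol" in
      DROP) echo "OK   $af_chain policy $af_pol" ;;
      *)    echo "FAIL $af_chain policy ${af_pol:-missing} (expected DROP)"; af_rc=1 ;;
    esac
  done
  return $af_rc
}

# sample_ruleset KIND: write a constructed iptables-save dump (not captured from a QRadar
# host) and print its path. "deny" has the expected policies; "open" leaves INPUT at
# ACCEPT while still carrying allow rules, which is the misconfiguration to catch.
sample_ruleset() {
  sr_file=$(mktemp)
  case "$1" in
    deny) sr_input=DROP ;;
    *)    sr_input=ACCEPT ;;
  esac
  cat > "$sr_file" <<EOF
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT $sr_input [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
  echo "$sr_file"
}

# Live use: iptables-save > /tmp/rules.txt && sh audit_iptables_policy.sh /tmp/rules.txt
if [ "$#" -gt 0 ]; then
  audit_filter "$1"
fi
```

The check reads the chain policy, not the individual rules, because an explicit trailing "-j DROP" rule can be bypassed by any later ACCEPT rule, whereas a DROP policy applies to every packet that matches nothing. An OUTPUT policy of ACCEPT is left alone here because the STIG item concerns incoming packets.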
V-230264
- Finding ID
- For more information, see V-230264.
- Version
- RHEL-08-010370
- Rule ID
- xccdf_org.ssgproject.content_rule_enable_gpgcheck_for_all_repositories
- Title
- Ensure gpgcheck is enabled for All Package Repositories
- Justification
- Red Hat ships a benign placeholder repository configuration that can trigger this finding as a false positive.