Most of the rules that use this property are for things that cannot be programmatically checked, or were difficult to automate.
For example, one of the rules is:
DISA - Windows Server 2008 R2 DC,PPOCWBLAPP01,DISA - Windows Server 2008 R2 DC (PPOCWBLAPP01),/Shared User Accounts,Review Required: Shared user accounts will not be permitted on the system.,SV-32241r1_rule
How do you check if there are multiple people using the same login account?
Review Required: Audit logs will be reviewed on a daily basis.,SV-32267r2_rule,
How do you programmatically check that someone or something is reviewing the audit logs?
NOT_REVIEWED The checks not performed by the tool need manual review. The value for this property should be True if manual review is not complete, False otherwise. TRUE
We kept rules as manual due to one of the following reasons:
Lack of information in the DISA checklist for automation of the rule.
Technical limitation of BSA or EOs.
We kept these rules as manual. These rules will be non-compliant the first time. You need to review all rules manually and set the TARGET property "NOT_REVIEWED" to False, so these rules will be compliant.
The rule name of these rules will start with "Review Required: ".
You can refer to the doc link provided by Bill for all properties used in the DISA templates.
The issue with this approach is that you're effectively marking a collection of rules as reviewed/compliant all at once. What if some rules need further review or are not compliant? We address this by employing a stub rule condition that directs the user to create an exception instead.
These are manual rules and review is a must; only once the target is reviewed do we need to set this property. This is a target/server level property. If we set this property to False it means the target is completely reviewed. We can mark any rule as an exception when review is done.
We should not set the property without reviewing all rules.
We can change the rules as below; these will always be non-compliant, so that an exception is the only way to make them compliant.
??TARGET.NOT_REVIEWED?? does not equal ??TARGET.NOT_REVIEWED??
Suresh - what Drew is saying is that the same property value is checked for multiple rules. What would be more accurate is to have a PSC or multiple properties so that each manual check rule has its own property, because the server might pass one manual check but not another and the current implementation has no way to track this.
We can't use a PSC property as they are common to the appserver and not specific to a target. We can't have too many target properties; it may be confusing, and not only this, each property needs to be set after review of the rules. These rules vary across different templates, so the property names would vary. We can't keep template properties as they would need the template to be edited for every review.
Marking exceptions is the best way of reviewing rules per target; we also recommended it. Not only this, if we set this property after reviewing the rules on a target, all rules will show as compliant. If at least one rule is pending review, then we can't set this property. This property needs to be set after all rules are done.
The idea behind this usage of the property: the operator runs the compliance job and the auditor reviews the rules. Once review is done, this target property will be set for the targets whose review is completed.
We thought of using a list property and evaluating rules; this list would have all rule IDs which are reviewed. But rule IDs are specific to a template and it's hard to track which rule ID belongs to which template.
You can make a PSC, and each server gets its own PSI in that PSC.
A PSC would also help. I'd suggest creating properties like MANUAL_CHECK_<DISA rule id> for each manual rule; that would help. I am sure there are not many rules within DISA that require a manual check. What would benefit here is that if an admin performs a manual review for 2 rules out of 10 manual check rules, then he can set the server property value for those 2 rules on those servers.
IMO, a PSC is overkill. And it doesn't provide a way to expire the completion of the manual review. For instance, what if the client has an annual requirement to review all rules on every managed server? We simply build a compliance rule for each manual check where the condition is:
??TARGET.NAME?? = "Create an exception to mark this rule compliant"
This way the admin can create an exception that expires one year in the future. It's a little messy, but works fine in lieu of a "manual review" condition.
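The thread compares two ways of handling "Review Required" rules: a single target-level NOT_REVIEWED flag that flips every manual rule at once, versus a stub condition that can never pass so that only a per-rule exception (with an expiry) makes the rule compliant. The following is an added toy model of both designs, not BladeLogic/BSA code and not anything posted in the thread: the Target, ReviewException and evaluate_* names, the sample target name and exception dates are all constructed. It shows concretely why the flag design cannot track one reviewed rule and one unreviewed rule on the same server, and how an expiry date on the exception re-opens the review after a year.

```python
"""Toy model of the two manual-review designs discussed above.

Constructed example: it simulates compliance evaluation for 'Review Required'
rules; it does not call any BSA API and all names and dates are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: the two "Review Required" rule IDs quoted in the thread.
MANUAL_RULES = ["SV-32241r1_rule", "SV-32267r2_rule"]


@dataclass
class Target:
    """A managed server. not_reviewed models the TARGET.NOT_REVIEWED property."""
    name: str
    not_reviewed: bool = True


@dataclass
class ReviewException:
    """A per-target, per-rule compliance exception with an expiry date."""
    target: str
    rule_id: str
    expires: date


def stub_condition(target: Target) -> bool:
    """Models '??TARGET.NOT_REVIEWED?? does not equal ??TARGET.NOT_REVIEWED??'.

    A value never differs from itself, so this always returns False: the rule
    can only be reported compliant through an exception, never via the check.
    """
    return target.not_reviewed != target.not_reviewed


def evaluate_flag_design(target: Target, rules: list[str]) -> dict[str, bool]:
    """Design 1: one target-level flag decides every manual rule at once."""
    return {rule_id: not target.not_reviewed for rule_id in rules}


def evaluate_exception_design(target: Target, rules: list[str],
                              exceptions: list[ReviewException],
                              today: date) -> dict[str, bool]:
    """Design 2: the stub condition always fails; an unexpired exception for
    this target and this rule is the only way the rule is reported compliant."""
    result = {}
    for rule_id in rules:
        condition_passed = stub_condition(target)
        excepted = any(
            e.target == target.name and e.rule_id == rule_id and e.expires >= today
            for e in exceptions
        )
        result[rule_id] = condition_passed or excepted
    return result


def demo() -> None:
    """Walk through both designs for one server with one rule reviewed."""
    today = date(2024, 1, 15)  # constructed 'job run' date
    server = Target("PPOCWBLAPP01")

    # Design 1: before the flag is set, every rule fails; after, every rule
    # passes, including SV-32267r2_rule which nobody has reviewed yet.
    print("flag design, before review:", evaluate_flag_design(server, MANUAL_RULES))
    server.not_reviewed = False
    print("flag design, after review: ", evaluate_flag_design(server, MANUAL_RULES))

    # Design 2: the auditor files an exception only for the rule actually
    # reviewed, expiring in one year (the annual review requirement).
    exceptions = [
        ReviewException(server.name, "SV-32241r1_rule", today + timedelta(days=365)),
    ]
    print("exception design, today:   ",
          evaluate_exception_design(server, MANUAL_RULES, exceptions, today))
    print("exception design, +1 year: ",
          evaluate_exception_design(server, MANUAL_RULES, exceptions,
                                    today + timedelta(days=366)))


if __name__ == "__main__":
    demo()
```

Running the block prints the per-rule results for each design: with the flag, SV-32267r2_rule is reported compliant the moment NOT_REVIEWED is cleared even though it was never looked at; with the stub condition plus exception, only SV-32241r1_rule passes, and a year later it fails again until a fresh exception is filed, which is the expiry behaviour Drew's post asks for.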