1 Reply Latest reply on Jul 1, 2010 8:00 PM by Bill Robinson

    Compliance Checking with DISA-STIG's



      Is anyone using the DISA-STIG's for compliance checking within their organization?  We are doing this and I have a question.  First, I'm starting with Solaris.  I've got a number of checks that the STIG's do massive finds for (actually the security readiness review scripts provided by disa do massive finds) files.  The results are placed by the scripts in /tmp.  One of the checks GEN001500 does a search of this file and compare's users's home directories to the file.  It checks to be sure that the user actually owns that home directory.  HOWEVER, as most of you know many of the default users installed by Solaris, (linux,aix,and hp/ux for that matter) do NOT have their own home directories.  For example:








      Notice the homedir of daemon is:  "/"

      Notice the homedir of bin is:  "/usr/bin"

      Notice the homedir of sys is:  "/"

      Notice the homedir of adm is:  "/var/adm"


      Those directories are NOT owned by those users EVER, in any of those cases.  For example:


      # ls -ld /var/adm

      drwxrwxr-x   9 root     sys         2048 Jul  1 02:00 /var/adm

      # ls -ld /usr/bin

      drwxr-xr-x   4 root     bin        18432 Mar  9 15:05 /usr/bin

      # ls -ld /

      drwxr-xr-x  25 root     root         512 Mar 31 14:52 /




      Now, there is an Extended Property that the script (disa-GEN001500) can call called:   ??TARGET.EXCLUDED_DIR ??  I can add those fs's into a list "/var/adm,/usr/bin,/" etc....BUT, do I really want to do that?  Maybe...(haven't tried it yet).  Will it effect other checks?  YES.  Check GEN001480,GEN001260/1280/1520/1540/1560 ALL use the EXCLUDED_DIR value.


      Question is:  Is there a way for me to use that variable ONLY for each RULE/TEST rather than setting it GLOBALLY for each system?


      Thanks guys, Sorry for the long drawn out explanation.



        • 1. Re: Complance Checking with DISA-STIG's
          Bill Robinson

          That property is for each server object so there's no way to do this for each test unless you change the rules and add your own properties.  I thought the check would ignore the 'system' accounts, as may of the other checks do.  you could open a ticket w/ support on this for clarification and/or fix.

          1 of 1 people found this helpful