This topic explains STIG compliance security standards and measures.
STIG compliance demands high security standards and measures for servers and other network appliances. Most STIG-compliant configurations are not visible during normal server operation. However, there are three areas in which STIG-compliant changes are visible and affect the operation of the server:
- User account passwords and usage
- Direct login to the root account
- Kernel audit logging
Note: To maintain backward functional compatibility with previous BlueCat releases, BlueCat appliances and VMs ship with these three STIG features disabled. You must enable STIG compliance in order to activate these STIG features.
User account passwords and usage
Direct login to the root account
Logging in to the root account directly, either on the console or through an SSH session, is disabled when STIG compliance is enabled. When this restriction is in effect, you must log in with the bluecat account and run the su - command to gain access to the root shell. Refer to Setting the bluecat password for configuration of the bluecat user account.
Kernel audit logging
Audit logging of file access and other kernel services is enabled. Currently, the default audit rules required by the DISA SRR scanning scripts create a significant performance slowdown owing to extensive diagnostic logging. BlueCat recommends you define the set of auditing rules that will meet your audit logging requirements while minimizing the impact on the system. For more information, refer to Knowledge Base article 5472 on BlueCat Customer Care.
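The following script is an added example and is not BlueCat tooling or the rule set from Knowledge Base article 5472. It shows how an administrator can verify the two STIG controls described above on a Linux host: the direct root login restriction (read as the effective PermitRootLogin value from an sshd_config-style file, assuming OpenSSH semantics where the first occurrence of a keyword wins and the default is prohibit-password) and the size of the kernel audit rule set (parsed in auditctl syntax, with catch-all "-S all" syscall rules flagged as broad because they log every syscall and are a common source of the overhead the text warns about). All input files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not BlueCat's own code. Assumes sshd_config keyword semantics
# (first uncommented PermitRootLogin wins) and auditctl rule syntax
# (-w path -p perms -k key, -a action,list -S syscall ...).

# Report the effective PermitRootLogin value of an sshd_config-style file.
# Absent keyword means the OpenSSH default, prohibit-password (OpenSSH 7.0+).
effective_permit_root_login() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${value:-prohibit-password}"
}

# Summarise an audit rules file: count file watches (-w) and syscall rules (-a),
# list watched paths, and flag "-S all" rules, which audit every syscall.
audit_rules_summary() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "-w" { watches++; paths = paths " " $2; next }
        $1 == "-a" {
            syscalls++
            for (i = 1; i <= NF; i++)
                if ($i == "-S" && $(i + 1) == "all") broad++
        }
        END { printf "watch=%d syscall=%d broad=%d paths=%s\n", watches, syscalls, broad, paths }
    ' "$1"
}

# Constructed sample inputs (not taken from a BlueCat appliance).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sshd_config.weak" <<'EOF'
# constructed sample: root may log in directly over SSH
Port 22
PermitRootLogin yes
EOF

cat > "$tmp/sshd_config.stig" <<'EOF'
# constructed sample: STIG-style; operators log in as bluecat and use su -
Port 22
PermitRootLogin no
EOF

cat > "$tmp/audit.rules" <<'EOF'
# constructed minimal rule set: identity files, sshd config, and root commands
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmds
# one broad rule kept on purpose so the checker has something to flag
-a always,exit -S all -k everything
EOF

printf 'weak config  : PermitRootLogin=%s\n' "$(effective_permit_root_login "$tmp/sshd_config.weak")"
printf 'STIG config  : PermitRootLogin=%s\n' "$(effective_permit_root_login "$tmp/sshd_config.stig")"
printf 'empty config : PermitRootLogin=%s\n' "$(effective_permit_root_login /dev/null)"
printf 'audit rules  : %s\n' "$(audit_rules_summary "$tmp/audit.rules")"
```

Run the script as-is to see the constructed samples evaluated; point the two functions at /etc/ssh/sshd_config and /etc/audit/rules.d/*.rules on a real host to check it. A non-zero broad count is a prompt to replace the catch-all rule with targeted watches and filtered syscall rules, which is the trimming the text recommends.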