STIG compliance - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.5.0

This topic explains STIG compliance security standards and measures.

STIG compliance demands high security standards and measures for servers and other network appliances. Most STIG-compliant configurations are not visible during normal server operation. However, there are three areas in which STIG-compliant changes are visible and affect the operation of the server:

  • User account passwords and usage
  • Direct login to the root account
  • Kernel audit logging
    Note: To maintain backward functional compatibility with previous BlueCat releases, BlueCat appliances and VMs ship with these three STIG features disabled. You must enable STIG compliance in order to activate these STIG features.

User account passwords and usage

A user account must have a password that contains a minimum of 14 characters and uses special characters. User accounts allow a maximum of three failed, consecutive log in attempts before the account is locked out. An account that has not been logged into for a period of 35 days also gets locked out.
Note: For details on freeing a locked account, refer to Resetting a locked user account with STIG enabled.

Direct login to the root account

Logging in to the root account directly on the console or through an SSH session is disabled with STIG enabled. When this restriction is enabled, you must login with the bluecat account and use the su – command to gain access to the root shell. Refer to Setting the bluecat password for configuration of the bluecat user account.

Kernel audit logging

Audit logging of file access and other kernel services is enabled. Currently, the default audit rules required by the DISA SRR scanning scripts create a significant performance slowdown owing to extensive diagnostic logging. BlueCat recommends you define the set of auditing rules that will meet your audit logging requirements while minimizing the impact on the system. For more information, refer to Knowledge Base article 5472 on BlueCat Customer Care.