Known issues and limitations

The current release includes known issues and limitations. In most cases, workarounds are provided.

Security Compliance Management scan issues

During a Security Compliance Management scan, you might see errors about CIS or STIG controls that are not enforced. These error messages are triggered by bugs in the Security Compliance Management console. SCE does correctly enforce these settings.

Security Compliance Management (SCM) was previously known as Puppet Comply.

The following scan errors might be reported:

  • Red Hat Enterprise Linux (RHEL) 8 STIG, Version 1:
    • V-230333: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
      • No action is required.
    • V-230334: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
      • No action is required.
    • V-230345: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
      • No action is required.
    • V-244533: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
      • No action is required.
    • V-244534: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
      • No action is required.

  • RHEL 8 CIS Benchmark v2.0.0:
    • 1.4.2 - Ensure permissions on bootloader are configured
      • On EFI systems, the script that was run by the SCM console did not locate the correct grub file path. Permissions are set correctly by SCE. No action is required.
    • 1.4.1 - Ensure bootloader password is set
      • On EFI systems, the script that was run by the SCM console did not locate the correct grub file path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Set a bootloader password.
    • 4.1.2.3 - Ensure system is disabled when audit logs are full
      • This is set to halt by SCE. The SCM console incorrectly shows this as a scan failure. No action is required.
    • 5.2.18 - Ensure SSH MaxSessions is set to 10 or less
      • This is set to 10 by default. The SCM console incorrectly shows this as a scan failure because the scanner checks for a value of 4 or less instead of 10 or less. No action is required.

  • RHEL 8 CIS Benchmark v3.0.0:
    • 1.3.1 - Ensure bootloader password is set
      • The SCM console incorrectly reports a scan failure because the scanner searches for the user.cfg file while ignoring the settings in the grub.cfg file. Permissions are set correctly by SCE. No action is required.

  • Ubuntu Linux 22.04 CIS Benchmark v2.0.0:
    • Ensure GDM disabling automatic mounting of removable media is not overridden.
      • If you are using Gnome Desktop Manager (GDM), SCE correctly enforces the control, but a scan error is reported. No action is required.
    • Ensure GDM automatic mounting of removable media is disabled.
      • If you are using GDM, SCE correctly enforces the control, but a scan error is reported. No action is required.
    • Ensure GDM autorun-never is not overridden.
      • If you are using GDM, SCE correctly enforces the control, but a scan error is reported. No action is required.

General issues and limitations

  • SCE enforces PAM-related controls based on the values specified in the PAM configuration files in the /etc/pam.d directory. However, the Center for Internet Security (CIS) controls are based on the assumption that PAM authentication is specified through other files, such as /etc/security/pwhistory.conf. For this reason, you might see scan errors even though SCE correctly enforces the PAM-related controls.

  • If you are running SCE for Linux on an Ubuntu operating system and are enforcing CIS controls related to the auditd service, you might see Puppet run failures. Failures can occur when the $audit_files array variable points to the /sbin directory, but your system has no symbolic link to packages in that directory. As a workaround, install the usrmerge package, which creates the links that are required for successful Puppet runs.

  • If you are running SCE for Linux v2.2.1 on an Ubuntu Linux 22.04 operating system, and you exclude CIS control 1.3.1.2 - 'Ensure AppArmor is enabled in the bootloader configuration' - from the sce_linux configuration, you might see error messages with the phrase 'Could not autoload puppet.' To resolve the issue, add the control to the sce_linux configuration. To enforce the control, add it to the only list.

  • If you are running SCE for Linux on a RHEL 8 system, you might see an extraneous configuration file, SCE Disable bluetooth kernel module.conf, in the /etc/modprobe.d directory. You can safely delete this file.

  • After you upgrade to SCE for Linux v2.2.0 on Puppet Enterprise versions earlier than 2023.8.0, you might see catalog compilation errors on nodes. The messages might reference Error 500, an undefined reload method, or both. To resolve the issue, restart the pe-puppetserver service. If you are using Continuous Delivery with Puppet Enterprise versions earlier than 2023.8.0, you might have to manually deploy SCE for Linux v2.2.0. Follow the instructions in Deploy code manually.

  • When usernames with uppercase letters are included in the /etc/sudoers file and SCE enforces controls to manage sudoers, Puppet runs fail.

  • If you are using SCE for Linux on a RHEL 9 or Oracle Linux 9 operating system and you are enforcing a CIS Benchmark that requires auditd rules to be loaded, you must manually load the auditd rules by using the "augenrules --load" command. In this way, you can meet the requirements of auditd controls that require auditd rules and help to prevent scan failures.
  • If you run SCE for Linux on Oracle Linux 7, Oracle Linux 8, or AlmaLinux 8, two Puppet runs might be required to ensure that the required intentional changes, corrective changes, or both are made on the nodes in the infrastructure. Subsequent Puppet runs are idempotent.
  • CEM for Linux v1.6.0 and later provides limited support for the System Security Services Daemon (SSSD), which manages access to remote directory services and authentication mechanisms. However, the following US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) controls are not implemented:
    • Control V-230274 - 'RHEL 8 must implement certificate status checking for multifactor authentication'
    • Control V-230372 - 'RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts'
    • Control V-230376 - 'RHEL 8 must prohibit the use of cached authentications after one day'
  • The DISA STIG standard for RHEL 8 includes controls that help to manage and secure removable media file systems. Support for the related controls is currently outside the scope of SCE for Linux. As a result, the following controls are not enforced:
    • Control V-230303 - 'RHEL 8 must prevent special devices on file systems that are used with removable media'
    • Control V-230304 - 'RHEL 8 must prevent code from being executed on file systems that are used with removable media'
    • Control V-230305 - 'RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media'
  • The DISA STIG standard for RHEL 8 includes controls related to the file access policy (fapolicy) module, which helps to ensure that only authorized applications can be run on a system. The fapolicy module must be configured with caution because improper configuration can result in a non-functional system. Because of the potential risk to system operations, controls related to the fapolicy module are currently outside the scope of SCE for Linux. The following controls are not enforced:
    • Control V-230523 - 'The RHEL 8 fapolicy module must be installed'
    • Control V-244545 - 'The RHEL 8 fapolicy module must be enabled'
    • Control V-244546 - 'The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs'
  • Multifactor controls and configurations are outside the scope of SCE for Linux. However, you can set up multifactor authentication for an infrastructure that is protected by SCE for Linux by implementing a network authentication system. For example, you can set up one-time password authentication on the client side by following the instructions in Setting up multi-factor authentication on Linux systems.
  • If you are enforcing the DISA STIG standard on the RHEL 7 operating system, the V-204392 auditing control is not working as designed. The control is missing a script that audits file permissions, ownership, and group membership of system files and commands. As a workaround, you can audit file permissions manually.
  • You cannot use the iolog_dir option to specify a directory for sudo log files. If you attempt to use the iolog_dir option in the sudoers file to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in SCE.
  • SCE cannot create file system partitions. This limitation can cause certain scanner checks to fail.
  • SCE cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
  • Support for the eXecute Disable/No eXecute (XD/NX) hardware feature depends on the host kernel and cannot be configured by SCE. If you plan to enable XD/NX support, ensure that you are using an up-to-date kernel, and be aware that even on newer kernels SCE cannot manage this feature.
  • To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
  • SCE does not enforce authselect controls for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that these controls not be enforced in specific environments. For example, the controls should not be enforced if the node is joined to an Active Directory domain or to Red Hat Identity Management. If you enforce authselect controls, you must ignore all other controls that affect authentication and use a predefined authselect profile or manage a custom profile. For more information, see Configure system authentication with the authselect utility. SCE includes a Puppet Bolt task, audit_authselect, to audit these controls.
  • You can configure the ensure_nodev_option_set_on_home_partition control only if /home is mounted on its own partition. Puppet does not create a partition for /home.
  • If your system is running on Red Hat Enterprise Linux 8:
    • The 'ensure_nis_server_is_not_installed' control is dependent on 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.' If you enforce 'ensure_nis_server_is_not_installed,' you must also enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.'
    • The 'ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked' control is dependent on 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.' If you do not enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked,' you must also not enforce 'ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked.'
    • The 'ensure_the_running_and_on_disk_configuration_is_the_same' control is always enforced if auditd is managed by SCE.
  • The 'ensure_users_must_provide_password_for_escalation' control is disabled by default. You might want to enable this control to help ensure CIS compliance. However, there is a risk: removing NOPASSWD: from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration option enable_nopasswd_sudo_prune to true.
  • If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
    • The 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked' control is dependent on 'ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.' If you enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked,' you must also enforce 'ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.'
  • The 'disable_wireless_interfaces' control requires that you install the NetworkManager package and that the service is running.
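Because SCE cannot set permissions on removable media partitions, the nodev,nosuid,noexec options must be present in /etc/fstab. As an added example (not part of SCE or the Puppet documentation), the following Python check parses an fstab and reports removable-media mounts that lack any of those options; the fstab content and the set of mount points classified as removable are constructed sample input.

```python
# Added example, not SCE code. Parses a constructed /etc/fstab and reports the
# removable-media mounts that are missing the nodev, nosuid or noexec options.

REQUIRED = ("nodev", "nosuid", "noexec")

# Constructed sample fstab; the last entry deliberately uses tab separators.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=1111-2222  /               xfs      defaults                0 0
UUID=3333-4444  /home           xfs      defaults,nodev          0 2
/dev/sdb1       /media/usb      vfat     defaults,nosuid,noexec  0 0
/dev/sr0        /media/cdrom    iso9660  ro,noauto               0 0
/dev/sdc1\t/media/backup\text4\tnodev,nosuid,noexec,noauto\t0 0
"""

# Mount points the administrator has classified as removable media (assumption).
REMOVABLE = {"/media/usb", "/media/cdrom", "/media/backup"}


def parse_fstab(text):
    """Yield (device, mount_point, fstype, [options]) for each real entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; fstab needs at least four fields
        device, mount, fstype, opts = fields[:4]
        yield device, mount, fstype, opts.split(",")


def check_removable_media(text, removable):
    """Return {mount_point: [missing options]} for removable mounts that lack
    any of nodev, nosuid, noexec; an empty dict means all are compliant."""
    findings = {}
    for _, mount, _, opts in parse_fstab(text):
        if mount in removable:
            missing = [o for o in REQUIRED if o not in opts]
            if missing:
                findings[mount] = missing
    return findings


def fixed_options(opts):
    """Append the missing required options, keeping the existing order."""
    return opts + [o for o in REQUIRED if o not in opts]


if __name__ == "__main__":
    for mount, missing in check_removable_media(SAMPLE_FSTAB, REMOVABLE).items():
        print(f"{mount}: add {','.join(missing)} to its fstab options")
```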
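Three of the issues above concern /etc/sudoers: usernames with uppercase letters make Puppet runs fail, the iolog_dir option triggers Augeas errors, and enabling enable_nopasswd_sudo_prune rewrites NOPASSWD: entries. A second added example (again not SCE code) is a pre-flight lint that flags all three conditions so they can be reviewed before SCE manages the file; the sudoers content is a constructed sample, and alias names are taken from User_Alias and similar definitions so they are not mistaken for usernames.

```python
# Added example, not SCE code: lint a constructed /etc/sudoers for the
# conditions the known-issues list says SCE cannot handle or will rewrite.

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults    env_reset
Defaults    iolog_dir=/var/log/sudo-io/%{user}
User_Alias  ADMINS = alice, bob
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL)     ALL
ADMINS      ALL=(ALL)     NOPASSWD: /usr/bin/systemctl
Backup01    ALL=(root)    NOPASSWD: /usr/bin/rsync
deploy      ALL=(ALL)     ALL
@includedir /etc/sudoers.d
"""

ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def lint_sudoers(text):
    """Return (lineno, kind, detail) tuples; kind is one of
    'iolog_dir', 'uppercase-user' or 'nopasswd'."""
    lines = text.splitlines()
    # Pass 1: alias names are uppercase by convention; collect them so the
    # username check does not mistake an alias for an account name.
    aliases = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ALIAS_KEYWORDS:
            aliases.add(parts[1])
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#@":   # comments and #include/@include lines
            continue
        parts = line.split()
        if parts[0].startswith("Defaults"):   # also Defaults:user, Defaults@host
            # iolog_dir in any Defaults line makes Augeas report errors
            if any(p.startswith("iolog_dir") for p in parts[1:]):
                findings.append((n, "iolog_dir", line))
            continue
        if parts[0] in ALIAS_KEYWORDS:
            continue
        user = parts[0]
        # Uppercase letters in a real username break SCE's sudoers management
        if not user.startswith("%") and user not in aliases and user != user.lower():
            findings.append((n, "uppercase-user", user))
        # Lines that enable_nopasswd_sudo_prune would rewrite; review them first
        if any(p.startswith("NOPASSWD:") for p in parts[1:]):
            findings.append((n, "nopasswd", line))
    return findings
```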