CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

FINT-4350 - Consider Wazuh to satisfy requirement #1319

Closed zbalkan closed 1 year ago

zbalkan commented 2 years ago

Is your feature request related to a problem? Please describe.
Wazuh is a SIEM and XDR solution that is a fork of OSSEC. It is actively developed and supported. The agent includes a daemon that works on Linux, Windows and macOS clients, called wazuh-syscheckd. The agent does the file integrity checks on the endpoints that are configured for FIM via the syscheck configuration.

OSSEC is already included in the current tests (FINT-4328). Since Wazuh is a continuation of the now defunct OSSEC project, it is also acceptable by current standards.

Therefore, wazuh-syscheckd should be able to satisfy remote logging capabilities.

Describe the solution you'd like
Include wazuh-syscheckd in the accepted FIM utilities in test FINT-4350.

Required changes
File integrity tests need a new check.

Additional context
Wazuh is an open source solution that helps with PCI-DSS compliance through built-in capabilities. FIM is one of them.

https://documentation.wazuh.com/current/pci-dss/file-integrity-monitoring.html
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html
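As an added illustration of the check requested above (this is not code from the Lynis project, from Wazuh, or from the commenters): a POSIX sh check that reports Wazuh's FIM as active only when wazuh-syscheckd is running and the syscheck block in ossec.conf is not disabled. The config path /var/ossec/etc/ossec.conf and the XML layout are assumptions based on the Wazuh agent defaults.

```shell
#!/bin/sh
# Added example, not Lynis or Wazuh project code. Assumptions: the Wazuh agent
# installs under /var/ossec and its FIM daemon is named wazuh-syscheckd.

# Return 0 if wazuh-syscheckd appears in a newline-separated list of process
# names (the output of `ps -eo comm=`); passing the list keeps this testable.
wazuh_syscheckd_in_list() {
    printf '%s\n' "$1" | grep -qx 'wazuh-syscheckd'
}

# Return 0 if the config has a <syscheck> block that is not explicitly
# disabled. Only that block is inspected, so a <disabled> element in another
# section (e.g. rootcheck) is not misread as applying to FIM.
wazuh_syscheck_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    block=$(sed -n '/<syscheck>/,/<\/syscheck>/p' "$conf")
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -q '<disabled>[[:space:]]*yes' && return 1
    return 0
}

# Prints a verdict and returns 0 only when the daemon runs AND syscheck is
# enabled: a FIM test should require both before counting Wazuh as found.
wazuh_fim_status() {
    if wazuh_syscheckd_in_list "$1" && wazuh_syscheck_enabled "$2"; then
        echo "wazuh-syscheckd running and syscheck enabled"
        return 0
    fi
    echo "Wazuh FIM not active"
    return 1
}

# Offline demonstration against a constructed ossec.conf and process list;
# a live run would use "$(ps -eo comm=)" and /var/ossec/etc/ossec.conf.
wazuh_fim_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
EOF
    wazuh_fim_status "$(printf 'sshd\nwazuh-syscheckd\ncron')" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Call wazuh_fim_demo for the offline run, or pass "$(ps -eo comm=)" and the real config path to wazuh_fim_status on a host with the agent installed.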

xnoguer commented 1 year ago

@zbalkan Why do you say that OSSEC is defunct? It seems to be active: https://github.com/ossec/ossec-hids/compare/3.7.0...master

zbalkan commented 1 year ago

15 PRs merged in 3 years for a security product looks defunct to me. Half of them are just documentation updates, and some of the others are regex pattern fixes for edge cases. There are fewer than 5 actual improvements in 3 years.

But of course, it is subjective.

xnoguer commented 1 year ago

@zbalkan Ok. Sounds sensible.

zbalkan commented 1 year ago

Also, I know many people still stick to OSSEC for various reasons. I don't suggest removal of OSSEC from Lynis as an approved product. I suggest adding Wazuh along with it.

xnoguer commented 1 year ago

@zbalkan Added an alternative pull request with the same FINT-4344 test and also a TOOL-5128 test.

zbalkan commented 1 year ago

There was already a PR I created last year. I might have missed some details, but it is linked already. I am open to review.