mondoohq / cnspec-policies

This repository contains security policies for cnspec maintained by Mondoo and the cnspec community.

`Linux Security Policy: Ensure events that modify the system's network environment are collected` does not work on Ubuntu/Debian #453

Closed tas50 closed 6 days ago

tas50 commented 3 weeks ago

Describe the bug

The `Ensure events that modify the system's network environment are collected` check includes Debian/Ubuntu-specific remediation steps that the query does not account for. The query is RHEL only.

```
[failed] props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /sethostname/)
props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /setdomainname/)
props.mondooLinuxSecurityAuditFiles.flat.unique.where(_ == /sethostname|setdomainname/).all(
  split("-").containsAll(["a always,exit ",])
    && split("-").containsAll(["F arch=b64 "])
      || split("-").containsAll(["F arch=b32 "])
    && split(" ").containsAll(["-k","system-locale"])
      || split(" ").containsAll(["-F","key=system-locale"])
)
props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /\/etc\/issue/)
props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /\/etc\/issue.net/)
props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /\/etc\/hosts/)
props.mondooLinuxSecurityAuditFiles.flat.unique.any(_ == /\/etc\/sysconfig\/network/)
props.mondooLinuxSecurityAuditFiles.flat.unique.where(_ == /\/etc\/issue|\/etc\/issue.net|\/etc\/hosts|\/etc\/sysconfig\/network/).all(
  split("-").contains(/p wa/)
    && split(" ").containsAll(["-k","system-locale"])
      || split(" ").containsAll(["-F","key=system-locale"])
)

  [ok] value: true
  [ok] value: true
  [ok] value: true
  [ok] value: true
  [ok] value: true
  [ok] value: true
  [failed] [].any()
    actual:   []
  [ok] value: true
```

My on-disk file per the remediation steps:

```
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale

-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale

-w /etc/network -p wa -k system-locale
```

mm-weber commented 1 week ago

Can be solved best with a variant.

mm-weber commented 1 week ago

Actually an or-check is enough on this one. Fixed here: https://github.com/mondoohq/cnspec-policies/pull/455
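To show what the or-check in the fix has to accept, here is an added Python re-implementation of the check's logic over an auditd rules file; it is illustrative code written for this issue, not the policy's MQL or anything from the cnspec-policies repository. It parses `-a`/`-w` rules, accepts both `-k` and `-F key=` spellings of the key, and treats either the RHEL path (`/etc/sysconfig/network`) or the Debian/Ubuntu path (`/etc/network`) as satisfying the network watch. The sample rules are the ones from the report above, embedded as a constructed string.

```python
# Constructed sample: the Debian/Ubuntu rule file from the issue above.
DEBIAN_RULES = """\
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
"""


def has_key(tokens, key):
    """True if the rule carries the key as '-k key' or '-F key=key'."""
    return any(
        (tokens[i] == "-k" and tokens[i + 1] == key)
        or (tokens[i] == "-F" and tokens[i + 1] == f"key={key}")
        for i in range(len(tokens) - 1)
    )


def check_network_env_rules(rules_text, key="system-locale"):
    """Return named findings; True means that requirement is satisfied."""
    syscall_archs = set()  # archs whose syscall rule covers both syscalls
    watched = set()        # paths with a '-p wa' watch carrying the key
    for line in rules_text.splitlines():
        t = line.split()
        if not t or t[0].startswith("#"):
            continue
        if t[0] == "-a" and len(t) > 1 and t[1] == "always,exit" and has_key(t, key):
            syscalls = {t[i + 1] for i in range(len(t) - 1) if t[i] == "-S"}
            archs = {t[i + 1] for i in range(len(t) - 1)
                     if t[i] == "-F" and t[i + 1].startswith("arch=")}
            if {"sethostname", "setdomainname"} <= syscalls:
                syscall_archs |= archs
        elif t[0] == "-w" and len(t) > 1 and has_key(t, key):
            perms = next((t[i + 1] for i in range(len(t) - 1) if t[i] == "-p"), "")
            if set("wa") <= set(perms):
                watched.add(t[1])
    return {
        # The query above accepts an arch=b64 or an arch=b32 syscall rule.
        "syscalls": bool(syscall_archs & {"arch=b64", "arch=b32"}),
        "issue": "/etc/issue" in watched,
        "issue_net": "/etc/issue.net" in watched,
        "hosts": "/etc/hosts" in watched,
        # The or-check from the fix: RHEL path or Debian/Ubuntu path.
        "network": "/etc/sysconfig/network" in watched or "/etc/network" in watched,
    }
```

With the RHEL-only condition (`/etc/sysconfig/network` alone) the sample file fails exactly as in the report; with the or-check every finding is True.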