wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Add SCA Policy for HP-UX B.11.31 #3387

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | https://github.com/wazuh/wazuh/issues/10696 | https://github.com/wazuh/wazuh/pull/15157 |

Description

Create Security Assessment Policies for HP-UX B.11.31.

The only document found is this, and it is from 2009 and for version 11i: https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf

There will be two different policies for the same OS: one will use the bastille tool from HP, the other one will use standard UNIX commands.

Proposed checks

...

Configuration and considerations

Rebits commented 1 year ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | 92cf3fe |

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| HPUX | B.11.31 | CICD Requested | - |

Tested packages

| OS | Package |
|---|---|
| HPUX | Requested in https://github.com/wazuh/wazuh-packages/issues/1881 |

Status

Conclusion :red_circle:

Some errors were detected in new policies:

Rebits commented 1 year ago

Testing results :red_circle:

**Use of the character U+2013 (–) instead of - in `21001` check :red_circle:**

The checks 21001 in `cis_hpux_11i` and `cis_hpux_11_bastille` use the character `–` instead of `-` in the first rule:

```
- 'c:swlist –l bundle SecureShell -> r:HP-UX Secure Shell'
```

This probably will produce an error in shell parameters gathering, making this rule consistently fail.

**Incorrect characters in checks' fields :red_circle:**

Multiple checks contain unexpected characters (like U+2013 –) in remediation and descriptions. This could produce failure in the remediation process if the user copy-pastes these commands. For instance, consider check 21029 of the `cis_hpux_11i`:

```
- id: 21029
  title: "Use more random TCP sequence numbers."
  description: "Generate initial TCP sequence numbers that comply with RFC1948. Note: In HP-UX 11i v1 and later, an algorithm largely compliant with RFC1948 is already used. However, setting the isn passphrase closes the small remaining gap, and adds entropy to the seed."
  rationale: "Makes remote off-net session hijacking attacks more difficult."
  remediation: "Perform the following to use more random TCP sequence numbers upon system startup: 1. Create/open the file /sbin/rc2.d/S999tcpisn 2. Add the following line: ndd –set /dev/tcp tcp_isn_passphrase= replacing with a string of random characters. 3. Save the file. 4. Set root as the owner and bin as the group owner of the file. 5. Restrict write access to the file. 6. Set the execution bit for the file."
```

We can see that `ndd –set /dev/tcp tcp_isn_passphrase= replacing ` uses `–` instead of `-`.
**Policies are correctly formatted :red_circle:**

**Bad rules indentation**

Rules block should be indented one level. Currently, rules are not indented correctly in any of the new policies files `cis_hpux_11i_bastille` and `cis_hpux_11i`. Example:

- Current

```
rules:
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_rc_files="N"'
```

- Expected

```
rules:
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_rc_files="N"'
```

**Inconsistent use of " and ''**

Rules should be defined using the character `"` as surrounding character instead of `'`. The `'` should surround checks rules only in the case of using `"` in the rule syntax. This is the style used in the newest policies like `cis_ubuntu_22`. Both `cis_hpux_11i_bastille` and `cis_hpux_11i` contain this format error. Example:

- Current

```
rules:
  - 'f:/etc/ftpd'
  - 'c: sh -c "ls -la /etc/ftpd | grep -e ^-.*root.*sys | grep -v total" -> r:ftpd'
  - 'c: sh -c "ls -la /etc/ftpd/ftpaccess | grep -e ^-.*root.*sys | grep -v total" -> r:ftpaccess'
```

- Expected

```
rules:
  - "f:/etc/ftpd"
  - 'c: sh -c "ls -la /etc/ftpd | grep -e ^-.*root.*sys | grep -v total" -> r:ftpd'
  - 'c: sh -c "ls -la /etc/ftpd/ftpaccess | grep -e ^-.*root.*sys | grep -v total" -> r:ftpaccess'
```

**HP-UX and HP-UX bastille use the same policy id :red_circle:**

HP-UX and HP-UX bastille use the same policy ID `cis_hpux`. This produces errors in the sca module even if one of the policies is skipped:

```
2022/10/21 05:37:55 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/10/21 05:38:10 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml'
2022/10/21 05:38:10 sca: WARNING: Found duplicated policy ID: cis_hpux. File 'cis_hpux_11i_bastille.yml' contains the same ID.
2022/10/21 05:38:10 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_hpux_11i.yml'. Skipping it.
```

**HP-UX and HP-UX bastille checks use the same ids :red_circle:**

HP-UX and HP-UX bastille checks use the same ids. This produces errors in the sca module even if one of the policies is skipped:

```
2022/10/21 06:03:33 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_hpux_11i_bastille.yml'
2022/10/21 06:03:33 sca: ERROR: Error validating duplicated ID. Check cis_hpux in policy cis_hpux is duplicated
2022/10/21 06:03:33 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_hpux_11i.yml'. Skipping it.
```

**Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand :red_circle:**

The new policies implemented in the development were based on [Security Configuration Benchmark For HP-UX 11i](https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf); nevertheless, the exact implementation of the proposed recommendations may cause users confusion and misunderstandings.

Check `1.2.1` recommends disabling all standard services like telnet, ftp, klogin, etc. In the remediation of this check, a script to disable all the services is proposed. Also, it is recommended to configure bastille to `SecureInetd.inetd_general="N"'` (to disable unneeded services in the TODO list). However, the description also says the following regarding the checks 1.1.2-1.2.10:

```
The rest of the actions in this section give the administrator the option of re-enabling certain services—in particular, the services that are disabled in the last two loops in the Action section below.
```

Currently, new policies check these recommendations as follows: the check `1.2.1` with id `21003` ensures the following services are disabled: echo, discard, daytime, chargen, dtspc, exec, ntalk, rpc, rpc.rwalld, rpc.sprayd, rpc.cmsd, kcms_server, printer, shell, login (some of the recommended services are missing). But it does not check some of the services like telnet or FTP, which are reviewed in a separate check (21004 and 21005). These checks (21004, 21005, and so on) are reserved **only for the case that these services are required in the system**. So for a user, those checks do not make sense independently for the following reasons:

- Check rules ensure services are disabled, but descriptions indicate that the service should be re-enabled. Also, the remediation specifies the steps to re-enable the service, making the recommendation impossible to follow only with policy indications.
- Check `21003` remediation specifies to disable all the services, including those that are reviewed in other checks.

It is always suggested to include exactly CIS recommendations and not new messages or indications. However, in this case, since the resolution of these recommendations will not be carried out by the user in a sequential manner (which is the case in the SCA policies), one of the following is recommended:

- Remove checks `1.1.2-1.2.10` and include all the services in `21003`
- Change descriptions and remediations to match the rules in checks 1.1.2-1.2.10
1.1.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Character U+2019 instead of U+0060.
  - Extra white spaces
- **Rationale**: :red_circle:
  - Extra white spaces
- **Remediation**: :red_circle:
  - Extra whitespaces
  - Multiple typos
    - `itis`
    - `groupowner`
- **Compliance**: :green_circle:
- **References**: :red_circle:
  - Expected three references. It is required to add `http://h20293.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA`
- **Rules**: :red_circle: Inconsistencies between hpux policies:

**Bastille**:

```
rules:
  - "c:swlist -l bundle SecureShell -> r:HP-UX Secure Shell"
  - "f:/opt/ssh/etc/sshd_config -> r:protocol 2$"
  - "f:/opt/ssh/etc/sshd_config -> r:X11Forwarding yes"
  - "f:/opt/ssh/etc/sshd_config -> r:IgnoreRhosts yes"
  - "f:/opt/ssh/etc/sshd_config -> r:RhostsAuthentication no"
  - "f:/opt/ssh/etc/sshd_config -> r:RhostsRSAAuthentication no"
  - "f:/opt/ssh/etc/sshd_config -> r:PermitRootLogin no"
  - "f:/opt/ssh/etc/sshd_config -> r:PermitEmptyPasswords no"
  - "f:/opt/ssh/etc/sshd_config -> r:Banner /etc/issue."
```

**No Bastille**:

```
rules:
  - "c:swlist -l bundle SecureShell -> r:HP-UX Secure Shell"
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Protocol 2'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*X11Forwarding yes'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*IgnoreRhosts yes'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsAuthentication no'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*RhostsRSAAuthentication no'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitRootLogin no'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*PermitEmptyPasswords no'
  - 'f:/opt/ssh/etc/sshd_config -> r:^\s*Banner /\.+'
```

Both should be the same.

1.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white space
- **Rationale**: :red_circle:
  - Extra white space
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra whitespaces
  - Missing text block:

```
The rest of the actions in this section give the administrator the option of re-enabling certain services—in particular, the services that are disabled in the last two loops in the Action section below.
```

- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Extra whitespaces
  - Character U+2019 instead of U+0060.
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Multiple services were not checked:

```
finger
i. uucp
j. ident
k. auth
l. instl_boots
m. registrar
n. recserv
o. rpc.rstatd
p. rpc.rusersd
x. telnet
y. ftp
z. tftp
aa. bootps
bb. kshell
cc. klogin
dd. rpc.rquotad
ee. rpc.ttdbserver
```

Some of them are reviewed in future checks, but some of them, like finger or registrar, are not. So, we should review the status of those standard services. Also, we should check the following:

```
5. Set root as the owner of inetd.conf.
6. Set sys as the group owner of inetd.conf.
7. Restrict write access to inetd.conf to the file owner.
8. Remove the executable and sticky bit from inetd.conf.
```

In addition, the bastille rule is wrong. It is recommended the following:

```
SecureInetd.inetd_general="Y"'
```

1.2.2 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.3 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Typo: `onthe`
  - Extra whitespaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.4 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Condition should be `all` instead of `any`.

1.2.5 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Text block missing: `Re-enable TFTP.`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.6 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle: Text block missing: `Re-enable rlpdaemon based printer service.`
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.7 :red_circle:

Review check comments according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle: Text block missing: `Re-enable rquotad.`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.2.8 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra whitespaces
  - Missing text block: `Re-enable CDE-related daemons.`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

1.2.9 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block: `Re-enable Kerberos-related daemons.`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Condition should be `all` instead of `any`

1.2.10 :red_circle:

Review check comment according to 1.1-1.2 checks
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block: `Re-enable BOOTP/DHCP services.`
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

1.3.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Extra white spaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong rule for bastille:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.serial_port_login="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.serial_port_login="Y"'
```

1.3.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rules:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_server="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_server="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_client="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_server="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_server="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nisplus_client="Y"'
```

Wrong rules for non bastille. Remediation suggests:

```
ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \
      -p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \
      -p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs
```

Expected:

```
- "f:/etc/rc.config.d/namesvrs -> r:^NIS_MASTER_SERVER=0"
- "f:/etc/rc.config.d/namesvrs -> r:^NIS_CLIENT=0"
- "f:/etc/rc.config.d/namesvrs -> r:^NIS_SLAVE_SERVER=0"
- "f:/etc/rc.config.d/namesvrs -> r:^NISPLUS_SERVER=0"
- "f:/etc/rc.config.d/namesvrs -> r:^NISPLUS_CLIENT=0"
```

1.3.3 :red_circle:

Duplicated checks for this recommendation (`21015`, `21115`).
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Rules split in multiple checks in non bastille. Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Printing.printing="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Printing.printing="Y"'
```

1.3.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecutity.gui_login="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecutity.gui_login="Y"'
```

1.3.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Sendmail.sendmaildaemon="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Sendmail.sendmaildaemon="Y"'
```

1.3.6 :red_circle:
- **Title**: :red_circle: Double `.`
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Extra white spaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="Y"'
```

1.3.7 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rules:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_rbootd="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_server="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_client="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_ptydaemon="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Apache.deactivate_hpws_apache="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.license_server="N"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_core="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_rbootd="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_server="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_client="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.disable_ptydaemon="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:Apache.deactivate_hpws_apache="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.snmpd="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.license_server="Y"'
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nfs_core="Y"'
```

1.3.8 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block and extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.3.9 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.3.10 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces, missing text block `Re-enable the NFS file service`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`
  - Missing rules for non bastille check:

```
- "f:/etc/rc.config.d/nfsconf -> r:NFS_SERVER=0"
- "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSD=0"
- "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSIOD=0"
```

1.3.11 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces, missing text block `Re-enable RPC-based services`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.3.12 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces, missing text block `Re-enable RPC-based services`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.3.13 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces, missing text blocks `Re-enable the Web server suite` and `Note that this action only disables the default web server shipped with the system. Other webservers instances may still be runnin`
- **Rationale**: :red_circle: Extra whitespaces
- **Remediation**: :red_circle:
  - Extra whitespaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.3.14 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block `Re-enable the BIND DNS service.`
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:
  - Check `Checks 1.1.2-1.2.10/1.3.8-1.3.14 make the policy difficult to understand`

1.4.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Missing text block:

```
Note that this action requires a subsequent reboot to take effect in some versions of HP-UX.
```

  Extra whitespaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

Non bastille output :green_circle:

```
# sh -c "kctune | grep executable_stack"
executable_stack 0 Default Immed
```

Bastille :red_circle:

Bastille report does not include `stack_executate` value, so default value `executable_stack=0` is marked as failed.

1.4.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Extra white spaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Non bastille output:

```
# ndd -get /dev/tcp tcp_syn_rcvd_max
500
# ndd -get /dev/arp arp_cleanup_interval
300000
# ndd -get /dev/ip ip_forward_src_routed
1
# ndd -get /dev/ip ip_forward_directed_broadcasts
1
# ndd -get /dev/ip ip_respond_to_timestamp
0
# ndd -get /dev/ip ip_respond_to_timestamp_broadcast
0
# ndd -get /dev/ip ip_respond_to_address_mask_broadcast
0
# ndd -get /dev/ip ip_respond_to_echo_broadcast
1
```

1.4.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

Non bastille output:

```
# ndd -get /dev/tcp tcp_isn_passphrase
0
```

1.4.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:
  - Extra whitespaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :large_blue_circle:

1.6.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block:

```
Note: do not perform this if the system runs applications that read the encrypted password entries in /etc/passwd directly.
```

- **Rationale**: :red_circle:
  - Use of `’` instead of `'`
- **Remediation**: :large_blue_circle:
- **Impact**: :black_circle:
- **Compliance**: :large_blue_circle:
- **References**: :large_blue_circle:
- **Rules**: :green_circle:

1.6.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Non bastille policy does not check correctly that the users `root daemon bin sys adm lp uucp nuucp nobody hpdb useradm` are present in the `ftpusers`; it only checks the existence of the file. Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:FTP.ftpusers="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:FTP.ftpusers="Y"'
```

1.6.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Missing text block:

```
Note: Do not perform this action if this machine is a log server, or needs to receive Syslog messages via the network from other systems.
Note: It is considered good practice to setup one or more machines as central “log servers” to aggregate log traffic from all machines at a site. However, unless a system is set up to be one of these “log server” systems, it should not be listening on 514/udp for incoming log messages.
```

- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.6.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :large_blue_circle:
- **Rationale**: :large_blue_circle:
- **Remediation**: :red_circle:
  - Extra whitespaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.xaccess="N"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.xaccess="Y"'
```

1.6.5 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.6.6 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:IPFilter.configure_ipfilter="Y"'
```

Expected:

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:IPFilter.configure_ipfilter="N"'
```

1.6.7 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Missing text block:

```
Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. cron.allow only controls administrative access to the crontab command for scheduling and modifying cron jobs.
```

- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: In non bastille policy, the following is not checked:

```
- Ensure that the files are owned by root and group owned by sys
- Ensure that no users have write/execute permission to the files, and that only root has read access to the files
```

Wrong bastille rule:

```
rules:
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.cronuser="N"'
```

Expected:

```
rules:
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.cronuser="Y"'
```

1.6.8 :green_circle:
- **Title**: :green_circle:
- **Rationale**: :green_circle:
- **Description**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.6.9 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.6.11 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.7.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.7.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Use of `‟` instead of `'`
- **Rationale**: :large_blue_circle:
- **Remediation**: :large_blue_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :large_blue_circle:
- **Rules**: :green_circle:

1.7.3 :green_circle:
- **Title**: :large_blue_circle:
- **Description**: :red_circle:
  - Use of `’` instead of `'`
- **Rationale**: :large_blue_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :large_blue_circle:
- **Rules**: :large_blue_circle:

1.8.1 :red_circle:
- **Title**: :large_blue_circle:
- **Description**: :large_blue_circle:
- **Rationale**: :large_blue_circle:
- **Remediation**: :large_blue_circle:
- **Impact**: :black_circle:
- **Compliance**: :large_blue_circle:
- **References**: :large_blue_circle:
- **Rules**: :red_circle: The non-bastille policy rule does not check the configuration correctly. It is needed to include the following rules:
  ```
  - "f:/etc/passwd -> r:^nobody && r:/bin/false"
  - "f:/etc/passwd -> r:^noaccess && r:/bin/false"
  - "f:/etc/passwd -> r:^hpdb && r:/bin/false"
  - "f:/etc/passwd -> r:^useradm && r:/bin/false"
  ```

1.8.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.8.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Missing text block
  ```
  These are recommended starting values, but sites may choose to make them more restrictive depending on local policies.
  ```
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Non-bastille policies do not check the following:
  ```
  2.- Set password expiration parameters for the account (logname) by executing the following:
  passwd –x 91 –n 7 –w 28 logname
  for trusted systems, perform the following:
  /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 logname
  4.- Set the default parameters for trusted systems with:
  /usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30
  ```
  Bastille policies wrong rules:
  ```
  rules:
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_MAXDAYS="Y"'
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_MINDAYS="Y"'
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_WARNDAYS="Y"'
  ```
  Expected
  ```
  rules:
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_MAXDAYS="91"'
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_MINDAYS="7"'
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_WARNDAYS="28"'
  ```

1.8.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Extra white spaces
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong rules for non-bastille:
  ```
  - 'f:/etc/default/security -> r:^\s*MIN_PASSORD_LENGTH='
  - 'f:/etc/default/security -> r:^\s*PASSWORD_HISTORY_DEPTH='
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_UPPER_CASE_CHARS='
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_DIGIT_CHARS='
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_SPECIAL_CHARS='
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_LOWER_CASE_CHARS='
  ```
  Expected
  ```
  - 'f:/etc/default/security -> r:^\s*MIN_PASSORD_LENGTH=7'
  - 'f:/etc/default/security -> r:^\s*PASSWORD_HISTORY_DEPTH=10'
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_UPPER_CASE_CHARS=1'
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_DIGIT_CHARS=1'
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_SPECIAL_CHARS=1'
  - 'f:/etc/default/security -> r:^\s*PASSWORD_MIN_LOWER_CASE_CHARS=1'
  ```
  Wrong rules for bastille policy:
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.PASSWORD_HISTORY_DEPTH="10"'
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.MIN_PASSWORD_LENGTH="7"'
  ```

1.8.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :red_circle: Use of `‘` instead of `'`
- **Remediation**: :red_circle: Use of `‘` instead of `'`
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rules
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="N"'
  ```
  Expected
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="Y"'
  ```

1.8.6 :red_circle:
- **Title**: :large_blue_circle:
- **Description**: :red_circle: Use of `‘` instead of `'`
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Use of `‘` instead of `'`
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.root_path="N"'
  ```
  Expected
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.root_path="Y"'
  ```

1.8.7 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.8.8 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Use of `‘.` instead of `'`
- **Impact**: :black_circle:
- **Compliance**: :large_blue_circle:
- **References**: :large_blue_circle:
- **Rules**: :red_circle: Wrong bastille rule
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_dot_files="N"'
  ```
  Expected
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_dot_files="Y"'
  ```

1.8.9 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong bastille rule
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_rc_files="N"'
  ```
  Expected
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.user_rc_files="Y"'
  ```

1.8.10 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Missing text block
  ```
  Bastille Note: sets the default umask, but uses a umask of 027 rather than the 077
  ```
- **Rationale**: :red_circle: Use of `’` instead of `'`
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Wrong non-bastille policy. Missing the following check:
  ```
  Append the line umask 077 to the following files:
  a. profile
  b. csh.login
  c. d.profile
  d. d.login
  ```
  Wrong bastille policy rule
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.umask="Y"'
  ```
  Expected
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.umask="077"'
  ```

1.8.11 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.9.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: For non-bastille rules, the following checks are missing:
  ```
  3. Change the owner to root and group owner to sys for the file /etc/motd
  4. Change the owner to root and group owner to root for the file /etc/issue
  5. Change file permissions to (644) for the files /etc/motd and /etc/issue
  ```

1.9.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Missing text block
  ```
  Note that system administrators may wish to consult with their site’s legal council about the specifics of any warning banners.
  ```
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

1.9.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Missing checks for non-bastille policy:
  ```
  Append the line “banner /etc/issue” to the file /etc/ftpd/ftpaccess
  ```
Rebits commented 1 year ago

Update - 17/10/2022

Rebits commented 1 year ago

@72nomada and @DFolchA detected that 4.4 does not compile HPUX properly. Manual testing is marked as blocked for https://github.com/wazuh/wazuh/issues/15182

Rebits commented 1 year ago

Update - 20/10/2022

Rebits commented 1 year ago

Generated packages for https://github.com/wazuh/wazuh/pull/15157 do not compile correctly. After agent installation, the agent does not contain any daemon in the wazuh binaries directory:

```
# ls /var/ossec/bin
wazuh-control
# /var/ossec/bin/wazuh-control restart
/var/ossec/bin/wazuh-control[4]: /var/ossec/bin/wazuh-execd:  not found.
wazuh-execd: Configuration error. Exiting
#
```

@DFolchA has been notified. For now, only static testing is going to be performed.

Rebits commented 1 year ago

Update - 21/10/2022

Rebits commented 1 year ago

Update - 24/10/2022

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

Multiple checks from the previous testing were not fixed :red_circle:

Regarding the [first testing](https://github.com/wazuh/wazuh-qa/issues/3387#issuecomment-1280452805), it has been detected that multiple errors in rules were not solved:

- Most of the bastille rules are wrong. Take for example [1.2.1](https://github.com/wazuh/wazuh/blob/b1124fdedaa565ad02983e9586e3b3bfb43fbb9d/ruleset/sca/hpux/cis_hpux_11i_bastille.yml#L87):
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.inetd_general="N"'
  ```
  As specified in the first testing, the expected bastille value is `Y`:

  ![bastille](https://user-images.githubusercontent.com/11089305/199551077-34bf0d48-5ce1-4579-a8b7-e97dd0f3f1bb.png)

It is suggested to fix all bastille rules before performing full manual testing. If some of the previous suggestions do not proceed for the policy, the validation of @72nomada and @jmv74211 is necessary to continue.

References :red_circle:

1.1.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong parsing, including the page string `ssh_config to the file owner. The following script will perform the above procedure: 13 | P a g e cd /opt/ssh/etc cp -p sshd_config sshd_config.tmp awk '' /^Protocol/ /^IgnoreRhosts/ /^RhostsAuthentication` (non-bastille and bastille)
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :red_circle: Missing `Secure Shell installation instructions at http://h20293.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA` reference (non-bastille and bastille)
- **Rules**: :red_circle: Wrong audit. It is required to check (non-bastille and bastille):
  - Set the Banner token to /etc/issue. If it is absent, add and set it. Current rule `f:/opt/ssh/etc/sshd_config -> r:^\s*Banner /\.+` is not restrictive enough
  - Set root as the owner of sshd_config and ssh_config.
  - Set sys as the group owner of sshd_config and ssh_config.
  - Restrict write access to sshd_config and ssh_config to the file owner

Expected Failed - :green_circle:

1.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Extra white spaces
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Pass - :green_circle:

1.2.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: **For non-bastille**: Audit does not check the following conditions:
  - Set root as the owner of inetd.conf.
  - Set sys as the group owner of inetd.conf.
  - Restrict write access to inetd.conf to the file owner.
  - Remove the executable and sticky bit from inetd.conf.
  - Invoke inetd to reread its config file: inetd

  **For bastille**: Wrong audit. Current rule:
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.inetd_general="N"'
  ```
  Expected:
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:SecureInetd.inetd_general="Y"'
  ```

Expected - :green_circle:

Conclusions :red_circle:

No full manual testing was performed because some of the errors specified in the first testing were not solved. If any of the proposed suggestions does not proceed, it requires validation from the developer, @72nomada, and @wazuh/qa. For more information, review the "Multiple checks from the previous testing were not fixed" check:

- Bastille rules are incorrect. Values should be the same as the referenced CIS file :red_circle:
- Some non-bastille rules are incomplete. :red_circle:
- Errors in 1.1.2 and 1.1.3 remediation and description fields.
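The rule defects raised in this review (the 1.8.4 regexes that stop at `=` and therefore match any value, the `&&`-joined `/etc/passwd` rules proposed for 1.8.1, and the `n:` compare direction discussed later for 1.8.3) can be reproduced offline with a small emulator. The following is an added example and is not code from the Wazuh project or from the policies under review: it evaluates the `f:` rule subset used in these policies (`r:` regex, `n:` numeric compare, `&&` and `not`) with Python's `re` module against constructed file contents. The emulation assumes that a rule passes when some single line satisfies every `&&` condition and that a missing file fails the rule; the real SCA engine's regex dialect and edge-case handling may differ.

```python
"""Simplified emulation of Wazuh SCA 'f:' rules (r: and n: conditions).

Constructed example, not the Wazuh engine. Assumptions: a rule passes when some
single line satisfies every '&&'-joined condition; a missing file fails the rule;
Python's `re` stands in for the engine's own regex dialect.
"""
import re
from typing import Callable, Dict

# Constructed sample files standing in for the real HP-UX files.
WEAK_SECURITY = """\
MIN_PASSWORD_LENGTH=4
PASSWORD_HISTORY_DEPTH=1
PASSWORD_MIN_DIGIT_CHARS=0
PASSWORD_MAXDAYS=365
PASSWORD_MINDAYS=0
PASSWORD_WARNDAYS=3
"""
HARDENED_SECURITY = """\
MIN_PASSWORD_LENGTH=7
PASSWORD_HISTORY_DEPTH=10
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MAXDAYS=91
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=28
"""
PASSWD = """\
root:*:0:3::/:/sbin/sh
nobody:*:-2:-2::/:/bin/false
hpdb:*:27:1:ALLBASE:/:/bin/sh
"""

_OPS: Dict[str, Callable[[int, int], bool]] = {
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_NUM = re.compile(r"n:(.*) compare (<=|>=|==|!=|<|>) (\d+)$")


def _condition_on_line(cond: str, line: str) -> bool:
    """Evaluate one 'r:regex' or 'n:regex compare op value' condition on a line."""
    if cond.startswith("r:"):
        return re.search(cond[2:], line) is not None
    m = _NUM.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    hit = re.search(m.group(1), line)
    # The first capture group of the regex is the number that gets compared.
    return hit is not None and _OPS[m.group(2)](int(hit.group(1)), int(m.group(3)))


def evaluate_rule(rule: str, files: Dict[str, str]) -> bool:
    """Return True when the rule is satisfied by the given file set."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    target, _, cond_text = body.partition(" -> ")
    if not target.startswith("f:"):
        raise ValueError("only f: rules are emulated here")
    content = files.get(target[2:])
    if content is None:
        matched = False  # assumption: a missing file cannot satisfy the rule
    else:
        conds = [c.strip() for c in cond_text.split("&&")]
        matched = any(all(_condition_on_line(c, ln) for c in conds)
                      for ln in content.splitlines())
    return (not matched) if negate else matched


# Rule strings follow the forms quoted in this review; only the files are constructed.
LOOSE_DIGITS = r"f:/etc/default/security -> r:^\s*PASSWORD_MIN_DIGIT_CHARS="
STRICT_DIGITS = r"f:/etc/default/security -> r:^\s*PASSWORD_MIN_DIGIT_CHARS=1"
MAXDAYS_GE = r"f:/etc/default/security -> n:^\s*PASSWORD_MAXDAYS=(\d+) compare >= 91"
MAXDAYS_LE = r"f:/etc/default/security -> n:^\s*PASSWORD_MAXDAYS=(\d+) compare <= 91"
NOBODY_LOCKED = r"f:/etc/passwd -> r:^nobody && r:/bin/false"
HPDB_LOCKED = r"f:/etc/passwd -> r:^hpdb && r:/bin/false"


def demo() -> Dict[str, bool]:
    """Evaluate each rule against the weak and hardened constructed files."""
    weak = {"/etc/default/security": WEAK_SECURITY, "/etc/passwd": PASSWD}
    hard = {"/etc/default/security": HARDENED_SECURITY, "/etc/passwd": PASSWD}
    return {
        # A regex that stops at '=' accepts any value, even 0.
        "loose_digits_on_weak": evaluate_rule(LOOSE_DIGITS, weak),
        "strict_digits_on_weak": evaluate_rule(STRICT_DIGITS, weak),
        "strict_digits_on_hard": evaluate_rule(STRICT_DIGITS, hard),
        # '>= 91' lets a 365-day maximum pass; '<= 91' is the restrictive direction.
        "maxdays_ge_on_weak": evaluate_rule(MAXDAYS_GE, weak),
        "maxdays_le_on_weak": evaluate_rule(MAXDAYS_LE, weak),
        "maxdays_le_on_hard": evaluate_rule(MAXDAYS_LE, hard),
        # '&&' requires both patterns on the same passwd line.
        "nobody_locked": evaluate_rule(NOBODY_LOCKED, weak),
        "hpdb_locked": evaluate_rule(HPDB_LOCKED, weak),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {'pass' if result else 'fail'}")
```

Running it prints one pass/fail per rule: `loose_digits_on_weak` passes on a file that sets `PASSWORD_MIN_DIGIT_CHARS=0`, which is why the value-less 1.8.4 rules were flagged, and `maxdays_ge_on_weak` passes with a 365-day maximum while the `<=` form fails it.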
Rebits commented 1 year ago

Update - 02/11/2022

72nomada commented 1 year ago

Updates applied.

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

1.1.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :red_circle: Missing `Secure Shell installation instructions at http://h20293.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA` reference (non-bastille and bastille)
- **Rules**: :red_circle: Wrong audit. It is required to check (non-bastille and bastille):
  - Set the Banner token to /etc/issue. If it is absent, add and set it. Current rule `f:/opt/ssh/etc/sshd_config -> r:^\s*Banner /\.+` is not restrictive enough
  - Set root as the owner of sshd_config and ssh_config.
  - Set sys as the group owner of sshd_config and ssh_config.
  - Restrict write access to sshd_config and ssh_config to the file owner

Expected Failed - :green_circle:

1.1.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Pass - :green_circle:

1.2.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong audit rule:
  ```
  - 'not c:sh -c "ls -la /var/spool/cron/crontabs | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
  ```
  This rule does not fit the CIS audit specifications. It is required to check permissions and ownership of the `inetd.conf` file

Expected False - :red_circle:

1.2.2 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.2.3 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.2.4 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.2.6 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.2.7 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :yellow_circle:

1.2.8 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.2.10 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected - :green_circle:

1.3.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: File output:
  ```
  cons:123456:respawn:/usr/sbin/getty console console # system console
  #ttp1:234:respawn:/usr/sbin/getty -h tty0p1 9600
  #ttp2:234:respawn:/usr/sbin/getty -h tty0p2 9600
  #ttp3:234:respawn:/usr/sbin/getty -h tty0p3 9600
  #ttp4:234:respawn:/usr/sbin/getty -h tty0p4 9600
  #ttp5:234:respawn:/usr/sbin/getty -h tty0p5 9600
  ```

Expected Failed - :green_circle:

1.3.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: File output:
  ```
  NIS_MASTER_SERVER=0
  NIS_SLAVE_SERVER=0
  NIS_CLIENT=0
  ```

Expected Failed - :green_circle:

1.3.3 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: If TPS is not installed in the system, this check will be marked as failed

Expected Failed - :green_circle:

1.3.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Passed - :green_circle:

1.3.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Rule:
  ```
  - 'c:crontab -l -> r:^0\.*sendmail -q'
  ```
  too restrictive. Users should be able to configure regular intervals depending on their needs. It is not necessary to force o'clock hours. Output:
  ```
  export SENDMAIL_SERVER=1
  export SENDMAIL_SENDONLY=0
  # crontab -l
  5,20,35,50 * * * * /etc/opt/resmon/lbin/mon_EMSHAProvider_state.sh
  5,20,35,50 * * * * /opt/psb/bin/restart_logserv.sh
  5,20,35,50 * * * * /opt/raidsaprovider/bin/restart_raidsaprovider.sh
  5,20,35,50 * * * * /opt/sas/provider/bin/restart_sasprovider.sh
  5,20,35,50 * * * * /opt/sfm/bin/restart_sfm.sh
  5,20,35,50 * * * * /opt/fcprovider/bin/restart_fcprovider.sh
  5,20,35,50 * * * * /opt/iotreeip/lib/restart_iotreeip.sh
  5,20,35,50 * * * * /opt/lanprovider/lib/restart_lanp.sh
  5,20,35,50 * * * * /opt/dasprovider/bin/restart_dasprovider.sh
  ```

Expected Failed - :green_circle:

1.3.6 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

1.3.7 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

1.3.8 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.3.9 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected - :green_circle:

1.3.10 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Missing checks:
  - NUM_NFSD=0
  - NUM_NFSIOD=0

  Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected Failed - :green_circle:

1.3.11 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Rules
  ```
  - "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSD=0"
  - "f:/etc/rc.config.d/nfsconf -> r:NUM_NFSIOD=0"
  ```
  do not correspond to this check

Expected Failed - :green_circle:

1.3.12 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected - :green_circle:

1.3.13 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong remediation. Expected
  ```
  Perform the following:
  ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack
  ch_rc -a -p APACHE_START=1 /etc/rc.config.d/apacheconf
  ch_rc -a -p HPWS_APACHE32_START=1 /etc/rc.config.d/hpws_apache32conf
  ch_rc -a -p HPWS_TOMCAT_START=1 /etc/rc.config.d/hpws_tomcatconf
  ch_rc -a -p NS_FTRACK=1 /etc/rc.config.d/ns-ftrack
  ch_rc -a -p HPWS_WEBMIN_START=1 /etc/rc.config.d/hpws_webminconf
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

1.3.14 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Confusing Rule/Remediation. Remediation suggests enabling but rule is based on disabling the service

Expected - :green_circle:

1.4.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output:
  ```
  # kctune | grep executable_stack
  executable_stack 0 Default Immed
  ```

Expected Passed - :green_circle:

1.4.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output:
  ```
  # ls -la /etc/rc.config.d/nddconf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total
  -r--r--r-- 1 bin bin 1999 Oct 25 08:08 /etc/rc.config.d/nddconf
  ```

Expected - :green_circle:

1.4.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output:
  ```
  # ndd -get /dev/tcp tcp_isn_passphrase
  0
  # ^-r-xr-xr-x.*root.*bin | grep -v -e ^d | grep -v total"
  -rwxr-xr-x 1 root bin 46 Nov 2 05:34 /sbin/rc2.d/S999tcpisn
  ```

Expected - :green_circle:

1.4.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output
  ```
  # ls -la /etc/rc.config.d/nddconf | grep -v -e ^-rw-r--r--.*root.*sys | grep -v -e ^d | grep -v total
  -r--r--r-- 1 bin bin 1999 Oct 25 08:08 /etc/rc.config.d/nddconf
  ```

Expected Failed - :green_circle:

1.5.3 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Why not use `/` instead? If some of the specified directories do not exist, it will be marked as Not applicable. Output:
  ```
  # find /home \( -nouser -o -nogroup \)
  #
  ```

Expected Failed - :green_circle:

1.6.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: In the case of `using a system management program smh or sam to convert to a trusted system`, it will be marked as failed

Expected Passed - :green_circle:

1.6.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong audit rules:
  - Missing:
    ```
    - "f:/etc/ftpd/ftpusers -> r:^lp$"
    ```
  - Rule `"f:/etc/initd.conf -> r:^ftp"` does not proceed for this check
  - Wrong permissions in rule `'not c:sh -c "ls -la /etc/ftpd/ftpusers | grep -v -e ^-rw-r--r--.*bin.*bin | grep -v -e ^d | grep -v total" -> r:^\w'`, expected `-rw-------`

  Output:
  ```
  # -r--r--.*bin.*bin | grep -v -e ^d | grep -v total"
  /etc/ftpd/ftpusers not found
  ```

Expected - :green_circle:

1.6.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected - :green_circle:

1.6.4 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: If the file `/etc/dt/config/Xconfig` does not exist, this will be marked as failed. Is XDMCP disabled or enabled by default?

Expected Passed - :green_circle:

1.6.5 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Passed - :green_circle:

1.6.6 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output:
  ```
  # ipfstat -io
  empty list for ipfilter(out)
  empty list for ipfilter(in)
  # ipfilter -e
  /bin/sh: ipfilter: not found.
  ```

Expected - :green_circle:

1.6.7 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: Output:
  ```
  # ls -la /var/adm/cron/cron.allow | grep -v -e ^-r--------.*root.*sys | grep -v -e ^d | grep -v total
  -r--r--r-- 1 bin bin 14 Feb 15 2007 /var/adm/cron/cron.allow
  ```

Expected - :green_circle:

1.6.8 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong permissions:
  ```
  - 'not c:sh -c "ls -la /var/spool/cron/crontabs | grep -v -e ^-.*root.*sys | grep -v -e ^d | grep -v total" -> r:^\w'
  ```
  Expected `og-rwx` (`-rwxrwx---`). Output:
  ```
  # ls -la /var/spool/cron/crontabs | grep -v -e ^-.*root.*sys | grep -v -e ^d | grep -v total
  ```

Expected Failed - :green_circle:

1.6.9 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong permissions. Expected `og-rwx`. Output:
  ```
  # ls -la /etc/securetty | grep -e ^-.*root.*sys | grep -v total" -> r:/etc/securetty > > "
  /etc/securetty not found
  ```

Expected Failed - :green_circle:

1.6.11 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong bastille rule. Expected:
  ```
  - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nobody_secure_rpc="N"'
  ```

Expected Failed - :green_circle:

1.7.1 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Passed - :green_circle:
1.7.2 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected - :green_circle:
1.7.3 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:

1.8.1 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.8.2 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Output:

```
# logins -p
#
```

Expected - :green_circle:

1.8.3 :red_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :red_circle:

Account expiration values should be the same as the recommendation or more restrictive

```
- 'f:/etc/default/security -> n:^\s*PASSWORD_MAXDAYS=(\d+) compare >= 91'
- 'f:/etc/default/security -> n:^\s*PASSWORD_WARNDAYS=(\d+) compare >= 28'
- 'f:/etc/default/security -> n:^\s*PASSWORD_MINDAYS=(\d+) compare >= 7'
```

It is recommended to change to

```
- 'f:/etc/default/security -> n:^\s*PASSWORD_MAXDAYS=(\d+) compare <= 91'
- 'f:/etc/default/security -> n:^\s*PASSWORD_WARNDAYS=(\d+) compare <= 28'
- 'f:/etc/default/security -> n:^\s*PASSWORD_MINDAYS=(\d+) compare <= 7'
```

Expected Failed - :green_circle:

1.8.4 :red_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :red_circle:

Wrong bastille rule

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.MIN_PASSWORD_LENGTH="(\d+) compare >= 0"'
```

Expected

```
- 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.MIN_PASSWORD_LENGTH="(\d+) compare >= 7"'
```

Expected - :green_circle:
1.8.5 :red_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :red_circle: Extra `''`: `Legacy '+'' entries are no longer required` - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Passed - :green_circle:
1.8.6 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Passed - :green_circle:
1.8.7 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Passed - :green_circle:
1.8.8 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:
1.8.9 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:
1.8.10 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:
1.8.11 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:

1.9.1 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:
1.9.2 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle: Expected Failed - :green_circle:
1.9.3 :red_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :red_circle:

Missing rule:

```
- "f:/etc/issue -> r:\w"
```

Expected Passed - :green_circle:
72nomada commented 1 year ago

- 1.1.2 - Solved
- 1.2.1 - Solved
- 1.3.5 - Solved
- 1.3.10 - Solved
- 1.3.11 - Solved
- 1.3.13 - Solved
- 1.6.1 - SCA Limitation, can't be changed
- 1.6.2 - Solved
- 1.6.8 - Solved
- 1.6.9 - Solved
- 1.6.11 - Solved
- 1.8.3 - Solved
- 1.8.4 - Solved
- 1.8.5 - Solved
- 1.9.3 - Solved

Rebits commented 1 year ago

Update - 03/11/2022

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

1.1.2 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.2.1 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.3.5 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.3.10 :red_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :red_circle: Use of `UM_NFSIOD` instead of `NUM_NFSIOD`
1.3.11 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.3.13 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.1 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.2 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.8 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.9 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.11 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.8.3 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.8.4 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.8.5 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.8.3 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.9.3 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
Rebits commented 1 year ago

Update - 04/11/2022

Rebits commented 1 year ago

Update - 07/11/2022

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

No title for check 30049 :red_circle:

```
- id: 30049
  description: "'+' entries in various passwd and group files served as markers for systems to insert data from NIS maps at a certain point in a system configuration file. HP-UX does not use these markers, but they may exist in files that have been imported from other platforms. They should be deleted if they exist."
  rationale: "Legacy '+' entries are no longer required on HP-UX systems, and may provide an avenue for attackers to gain privileged access on the system."
  remediation: "Perform the following to remove any legacy '+' entries in passwd and group files: 1. Display legacy '+' entries: grep '^+:' /etc/passwd /etc/group 2. Remove any entries found from the passwd and group files."
  compliance:
    - cis: ["1.8.5"]
    - cis_level: ["1"]
  condition: all
  rules:
    - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:MiscellaneousDaemons.nis_client="Y"'
```

```
2022/11/08 02:54:00 sca: ERROR: Skipping check with id: 30049: Check name is invalid.
```

Use Bastille to report security configuration state check command fails for time overtaken :red_circle:

Basic Bastille rule to generate a report fails due to timeout:

```
{"type":"check","id":14790,"policy":"CIS HP-UX 11i Benchmark","policy_id":"cis_hpux_bastille","check":{"id":30002,"title":"Use Bastille to report security configuration state.","description":"Bastille is a security hardening, lockdown tool supplied with HP-UX to assist administrators in securing their systems. Included is an assessment function that covers a wide range of lockdown items including most all items in this Benchmark. Bastille can serve as a reporting and audit tool. Appendix D provides a mapping of Benchmark items to related Bastille configuration items.","rationale":"An automated, tested, and vendor supported reporting tool such as Bastille is more efficient and less error-prone than most manual or custom scripted methods.","remediation":"Run Bastille to create an assessment report as shown: /opt/sec_mgmt/bastille/bin/bastille --assessnobrowser","compliance":{"cis":"1.1.3"},"rules":["c:/opt/sec_mgmt/bastille/bin/bastille --assessnobrowser -> f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"],"condition":"all","references":"https://www.hp.com/go/bastille","command":"/opt/sec_mgmt/bastille/bin/bastille --assessnobrowser","status":"Not applicable","reason":"Timeout overtaken running command '/opt/sec_mgmt/bastille/bin/bastille --assessnobrowser'"}}
```

SCA commands timeout is set by default to 30 seconds. This can be changed using the `sca.commands_timeout` internal option. However, this could lead to a total failure of the policy. It is mandatory to inform the users about this. It is also suggested to increase this value by default in every HP-UX agent. For future developments, it could be a good idea to allow changing the timeout for some commands.

HP-UX requirements title is not descriptive enough :red_circle:

Inconsistencies between bastille and non-bastille results :red_circle:

Using the same system, bastille and non-bastille rules present slightly different results.

| | Bastille | Non-Bastille |
| -------------- | ------- | ------------ |
| Passed | 15 | 10 |
| Failed | 41 | 37 |
| Not applicable | 1 | 3 |

**List of inconsistent checks**

- `1.3.4`: Detected error in Bastille rule. Wrong field name. Expected `AccountSecurity.gui_login`. Current `Account- `Secutity.gui_login`
- `1.4.1`: Bastille report does not include `HP_UX.stack_execute`, making the check fail. Further research is required.
- `1.6.8`: Bastille rule reports the check as passed, even if the permissions are incorrect. Further research is required.
- `1.6.4`: Bastille rule reports the check as passed, even if `/etc/dt/config/Xconfig` does not exist.
- `1.3.2`: It seems that `NISPLUS_SERVER` and `NISPLUS_CLIENT` are not defined in the default configuration. This causes the non-bastille check to fail, but the bastille one passes.
- `1.3.1`: Non bastille rule output is the following:

  ```
  cons:123456:respawn:/usr/sbin/getty console console # system console
  ```

  This marks the check as failed, but the bastille report specified `AccountSecurity.serial_port_login="Y"`, marking this check as passed. Further research is required.
- `1.3.13`, `1.3.9`, `1.9.1` are marked as Not applicable in non-bastille policy due to SCA limitations.
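A small evaluator for the `f:` rule forms this thread argues about (the `compare >=` versus `compare <=` direction of the 1.8.3 `PASSWORD_*` rules, the `not ... -> r:` form, and the missing-title failure of check 30049). This is an added example, not Wazuh's SCA engine nor code from this PR; the `/etc/default/security` content is constructed and the rule semantics are a simplified approximation of what the thread describes.

```python
import re

# Constructed sample of /etc/default/security (not captured from a real host).
# PASSWORD_MAXDAYS is deliberately weaker than the CIS value of 91, so a rule
# written as 'compare >= 91' wrongly matches it while 'compare <= 91' does not.
SAMPLE_FILES = {
    "/etc/default/security": (
        "# HP-UX security defaults (constructed sample)\n"
        "PASSWORD_MAXDAYS=180\n"
        "PASSWORD_WARNDAYS=28\n"
        "PASSWORD_MINDAYS=7\n"
    ),
}

# '[not ]f:<path> -> r:<regex>' or '[not ]f:<path> -> n:<regex> compare <op> <int>'
RULE_RE = re.compile(r"^(not\s+)?f:(\S+)\s*->\s*(r|n):(.*)$")
COMPARE_RE = re.compile(r"^(.*?)\s+compare\s+(<=|>=|<|>|==|!=)\s+(\d+)$")
OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def eval_rule(rule, files):
    """Evaluate one 'f:' rule against a {path: content} map; True means it matched."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    negate, path, kind, expr = m.groups()
    content = files.get(path)
    matched = False
    if content is None:
        # A missing file never matches, which is why a bare 'f:/etc/issue -> r:\w'
        # fails on a host without /etc/issue (and 'not f:...' passes there).
        matched = False
    elif kind == "r":
        matched = any(re.search(expr, line) for line in content.splitlines())
    else:
        # 'n:' captures a number in group 1 of the regex and compares it.
        cm = COMPARE_RE.match(expr)
        if not cm:
            raise ValueError(f"'n:' rule needs 'compare <op> <int>': {rule!r}")
        pattern, op, ref = cm.group(1), cm.group(2), int(cm.group(3))
        for line in content.splitlines():
            lm = re.search(pattern, line)
            if lm:
                matched = OPS[op](int(lm.group(1)), ref)
                break
    return (not matched) if negate else matched


def eval_check(check, files):
    """Return 'passed', 'failed' or 'invalid' for one policy check dict."""
    if not check.get("title"):
        # Mirrors the behaviour seen above: a check without a title is skipped.
        return "invalid"
    results = [eval_rule(r, files) for r in check.get("rules", [])]
    if check.get("condition", "all") == "any":
        return "passed" if any(results) else "failed"
    return "passed" if results and all(results) else "failed"
```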
Rebits commented 1 year ago

Requested changes apply in https://github.com/wazuh/wazuh/pull/15157/commits/bb56b286a4cc490ad28e7e70fd3f254f5582eac5

Rebits commented 1 year ago

Testing after requested changes :green_circle:

Results

No title for check 30049 :green_circle:

Use Bastille to report security configuration state check command fails for time overtaken :green_circle:

```
r:HPUX11i"
- "d:/opt/sec_mgmt/bastille/"
- "f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
```
HP-UX requirements title is not descriptive enough :green_circle:
Inconsistencies between bastille and non-bastille results :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

All the proposed fixes and changes have been implemented in this current development, so development is approved taking into account the reported and fixed things:


Observations

There are some checks in which the remediation fields and the rules themselves are inconsistent, indicating a different remediation than the rule commands themselves. For example:

Check: Activate service. Remediation: Activate service. Rule: Check that the service is deactivated.

This is so because the check itself recommends that the service is only activated if it is really necessary, but nevertheless it must be reported as failed when the service is enabled, assuming that the user is aware of the use of such a service. In addition, there are other checks in the policy itself that would conflict, because they expect a set of services to be disabled in order to give PASSED checks.

By this it is meant that the logical and user-safe implementation has been carried out, but that the check itself is inconsistent.