SUSE Linux Enterprise 15 SCA Policy duplicated check ids 7521 and 7522

72nomada commented 2 years ago

Target version	Related issue	Related PR
4.4.0	https://github.com/wazuh/wazuh/issues/14725	https://github.com/wazuh/wazuh/pull/15156

Description

There are two duplicated IDS in the SUSE Linux Enterprise 15 SCA policy and will be changed as:

CIS check 5.2.11 Ensure SSH PermitEmptyPasswords is disabled SCA id from 7522 to 7622
CIS check 5.2.10 Ensure SSH root login is disabled SCA id from 7521 to 7621

Proposed checks

Using a SUSE Linux Enterprise 15 SCA

[x] Verify SCA policy for SUSE Linux Enterprise 15 SCA is loaded and executed without errors.

Rebits commented 2 years ago

Tester review

Tester	PR commit
@Rebits	ac81b54

Testing environment

OS	OS version	Deployment	Image/AMI
OpenSuse	Linux Enterprise Server 15 SP4	EC2	`ami-08e167817c87ed7fd`

Tested packages

OS	Package
OpenSuse	Manager

Conclusion :yellow_circle:

Minor unexpected unrelated to the development behaviors were detected

7621 and 7622 checks include outdated CIS control version
Check 7622 does not handle correctly the default PermitEmptyPasswords value
Rootcheck host-based anomaly detection alert in a clean environment. Multiple 510 alerts (Host-based anomaly detection event (rootcheck)) in a fresh OpenSuse manager.

Status

[x] In progress
[x] Pending Review
[x] QA team leader approved
[x] QA manager approved @jmv74211
[x] Development team leader approved @72nomada

Rebits commented 2 years ago

Testing results :yellow_circle:

Verify SCA policy for SUSE Linux Enterprise 15 SCA is loaded and executed without errors :green_circle:

cis_sles15_linux is enabled :green_circle:
Expected policy, `cis_sles15_linux.yml`, is enabled by default. `/var/ossec/ruleset/sca/`: ``` cis_amazon_linux_1.yml.disabled cis_apple_macOS_12.0.yml.disabled cis_mongodb_36.yml.disabled cis_rhel8_linux.yml.disabled cis_sqlserver_2016.yml.disabled cis_win11_enterprise.yml.disabled cis_amazon_linux_2.yml.disabled cis_centos6_linux.yml.disabled cis_mysql5-6_community.yml.disabled cis_rhel9_linux.yml.disabled cis_sqlserver_2017.yml.disabled cis_win2012r2.yml.disabled cis_apache_24.yml.disabled cis_centos7_linux.yml.disabled cis_mysql5-6_enterprise.yml.disabled cis_sles11_linux.yml.disabled cis_sqlserver_2019.yml.disabled cis_win2016.yml.disabled cis_apple_macOS_10.11.yml.disabled cis_centos8_linux.yml.disabled cis_nginx_1.yml.disabled cis_sles12_linux.yml.disabled cis_ubuntu14-04.yml.disabled cis_win2019.yml.disabled cis_apple_macOS_10.12.yml.disabled cis_debian10.yml.disabled cis_oracle_database_19c.yml.disabled cis_sles15_linux.yml cis_ubuntu16-04.yml.disabled cis_win2022.yml.disabled cis_apple_macOS_10.13.yml.disabled cis_debian7.yml.disabled cis_postgre-sql-13.yml.disabled cis_solaris11.4.yml.disabled cis_ubuntu18-04.yml.disabled sca_unix_audit.yml.disabled cis_apple_macOS_10.14.yml.disabled cis_debian8.yml.disabled cis_rhel5_linux.yml.disabled cis_solaris11.yml.disabled cis_ubuntu20-04.yml.disabled web_vulnerabilities.yml.disabled cis_apple_macOS_10.15.yml.disabled cis_debian9.yml.disabled cis_rhel6_linux.yml.disabled cis_sqlserver_2012.yml.disabled cis_ubuntu22-04.yml.disabled cis_apple_macOS_11.1.yml.disabled cis_iis_10.yml.disabled cis_rhel7_linux.yml.disabled cis_sqlserver_2014.yml.disabled cis_win10_enterprise.yml.disabled ```

cis_sles15_linux policy is launched correctly :green_circle:
``` 2022/10/13 09:41:54 sca: INFO: Module started. 2022/10/13 09:41:54 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_sles15_linux.yml' 2022/10/13 09:41:54 sca: INFO: Starting Security Configuration Assessment scan. ... 2022/10/13 09:41:54 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_sles15_linux.yml' 2022/10/13 09:41:55 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2022/10/13 09:41:58 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_sles15_linux.yml' 2022/10/13 09:41:58 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. 2022/10/13 09:42:37 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2022/10/13 09:43:07 rootcheck: INFO: Ending rootcheck scan. ```

New ids are not already used :green_circle:

Neither `7621` nor `7622` are present in the current `4.4` ruleset

cis_sles15_linux is correctly formatted :green_circle:

No style errors were detected in the new `cis_sles15_linux` policy.

7621 and 7622 CIS consistency :yellow_circle:

The title, description, rationale remediation, and CIS id seem to be correct in 7621 and 7622. However, the `cis_csc` correspond to the outdated Control Versions V7. - `7621`: - Current Control Version: `4.3` - Expected Control Version: `5.4` - `7622`: - Current Control Version: `16.3` - Expected Control Version: `4.1`

7621 and 7622 rules :yellow_circle:

Regarding `7621` and `7622`, it is necessary to ensure these work as expected, taking into account sshd default values.

7621 :green_circle:
Rules: ``` - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no' ``` - `PermitRootLogin no` :green_circle: As expected, the check is marked as passed if PermitRootLogin is disabled. ``` ** Alert 1665656148.373765: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 10:15:48 ip-172-31-20-225->sca Rule: 19010 (level 3) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH root login is disabled.: Status changed from failed to passed' {"type":"check","id":1257676781,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7621,"title":"Ensure SSH root login is disabled.","description":"The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.\n","rationale":"Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no\n","compliance":{"cis":"5.2.10","cis_csc":"4.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitRootLogin\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"passed"}} sca.type: check sca.scan_id: 1257676781 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7621 sca.check.title: Ensure SSH root login is disabled. sca.check.description: The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no. sca.check.rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no sca.check.compliance.cis: 5.2.10 sca.check.compliance.cis_csc: 4.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: passed sca.check.previous_result: failed ``` - `PermitRootLogin yes` :green_circle: - As expected, the check is marked as failed if PermitRootLogin is enabled. ``` ** Alert 1665659307.378200: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 11:08:27 ip-172-31-20-225->sca Rule: 19011 (level 9) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH root login is disabled.: Status changed from passed to failed' {"type":"check","id":224478273,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7621,"title":"Ensure SSH root login is disabled.","description":"The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.\n","rationale":"Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no\n","compliance":{"cis":"5.2.10","cis_csc":"4.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitRootLogin\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"failed"}} sca.type: check sca.scan_id: 224478273 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7621 sca.check.title: Ensure SSH root login is disabled. sca.check.description: The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no. sca.check.rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no sca.check.compliance.cis: 5.2.10 sca.check.compliance.cis_csc: 4.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: failed sca.check.previous_result: passed ``` - `#PermitRootLogin no` :green_circle: The default value is `PermitRootLogin yes`. So it is expected this check be marked as fails with `#PermitRootLogin no`: ``` ** Alert 1665660913.398359: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 11:35:13 ip-172-31-20-225->sca Rule: 19011 (level 9) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH root login is disabled.: Status changed from passed to failed' {"type":"check","id":1435309258,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7621,"title":"Ensure SSH root login is disabled.","description":"The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.\n","rationale":"Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no\n","compliance":{"cis":"5.2.10","cis_csc":"4.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitRootLogin\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"failed"}} sca.type: check sca.scan_id: 1435309258 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7621 sca.check.title: Ensure SSH root login is disabled. sca.check.description: The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no. sca.check.rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no sca.check.compliance.cis: 5.2.10 sca.check.compliance.cis_csc: 4.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: failed sca.check.previous_result: passed ```

7622 :yellow_circle:
- `PermitEmptyPasswords no` :green_circle: As expected, the check is marked as pass if PermitEmptyPasswords is disabled. ``` ** Alert 1665659617.382631: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 11:13:37 ip-172-31-20-225->sca Rule: 19010 (level 3) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH PermitEmptyPasswords is disabled.: Status changed from failed to passed' {"type":"check","id":1978203359,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7622,"title":"Ensure SSH PermitEmptyPasswords is disabled.","description":"The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.\n","rationale":"Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no\n","compliance":{"cis":"5.2.11","cis_csc":"16.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitEmptyPasswords\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"passed"}} sca.type: check sca.scan_id: 1978203359 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7622 sca.check.title: Ensure SSH PermitEmptyPasswords is disabled. sca.check.description: The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. sca.check.rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no sca.check.compliance.cis: 5.2.11 sca.check.compliance.cis_csc: 16.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: passed sca.check.previous_result: failed ``` - `PermitEmptyPasswords yes` :green_circle: As expected, the check is marked as fail if PermitEmptyPasswords is enabled. ``` ** Alert 1665659910.387812: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 11:18:30 ip-172-31-20-225->sca Rule: 19011 (level 9) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH PermitEmptyPasswords is disabled.: Status changed from passed to failed' {"type":"check","id":1987024553,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7622,"title":"Ensure SSH PermitEmptyPasswords is disabled.","description":"The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.\n","rationale":"Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no\n","compliance":{"cis":"5.2.11","cis_csc":"16.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitEmptyPasswords\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"failed"}} sca.type: check sca.scan_id: 1987024553 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7622 sca.check.title: Ensure SSH PermitEmptyPasswords is disabled. sca.check.description: The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. sca.check.rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no sca.check.compliance.cis: 5.2.11 sca.check.compliance.cis_csc: 16.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: failed sca.check.previous_result: passed ``` - `#PermitEmptyPasswords no` :yellow_circle: The default value is `no`, so, in this case, the check should be marked as pass instead of failed. ``` ** Alert 1665661198.407040: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2, 2022 Oct 13 11:39:58 ip-172-31-20-225->sca Rule: 19011 (level 9) -> 'CIS SUSE Linux Enterprise 15 Benchmark: Ensure SSH PermitEmptyPasswords is disabled.: Status changed from passed to failed' {"type":"check","id":1169529539,"policy":"CIS SUSE Linux Enterprise 15 Benchmark","policy_id":"cis_sles15_linux","check":{"id":7622,"title":"Ensure SSH PermitEmptyPasswords is disabled.","description":"The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.\n","rationale":"Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system\n","remediation":"Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no\n","compliance":{"cis":"5.2.11","cis_csc":"16.3"},"rules":["f:$sshd_file -> !r:^\\s*\\t*# && r:PermitEmptyPasswords\\s*\\t*no"],"condition":"all","file":"/etc/ssh/sshd_config","result":"failed"}} sca.type: check sca.scan_id: 1169529539 sca.policy: CIS SUSE Linux Enterprise 15 Benchmark sca.check.id: 7622 sca.check.title: Ensure SSH PermitEmptyPasswords is disabled. sca.check.description: The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. sca.check.rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system sca.check.remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no sca.check.compliance.cis: 5.2.11 sca.check.compliance.cis_csc: 16.3 sca.check.file: ["/etc/ssh/sshd_config"] sca.check.result: failed sca.check.previous_result: passed ```

Rootcheck host-based anomaly detection in clean environment :yellow_circle:

The following alerts were produced in a fresh environment: ``` ** Alert 1665661185.406360: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d, 2022 Oct 13 11:39:45 ip-172-31-20-225->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Rootkit 'ZK' detected by the presence of file '/etc/sysconfig/console/load.zk'. title: Rootkit 'ZK' detected by the presence of file '/etc/sysconfig/console/load.zk'. ** Alert 1665661188.406727: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d, 2022 Oct 13 11:39:48 ip-172-31-20-225->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' File '/dev/.blkid.tab' present on /dev. Possible hidden file. title: File present on /dev. file: /dev/.blkid.tab ``` It is necessary to research the following ZK rootcheck rules (`/home/rebits/Wazuh/wazuh/ruleset/rootcheck/db/rootkit_trojans.txt`) ensuring no false positives are triggered. ``` # ZK rootkit (http://honeyblog.org/junkyard/reports/redhat-compromise2.pdf) /etc/sysconfig/console/load.zk !/bin/sh! ZK rootkit /etc/sysconfig/console/load.zk !usr/bin/run! ZK rootkit ```

jmv74211 commented 2 years ago

QA review

Type: Manual testing.
Status: Requested improvements 🟡
Comments: Some non related erros have been found, but it is necessary to review them in order to make the decision to fix it now, or to open a new issue. These are as follows:
- (1) 7621 and 7622 checks include outdated CIS control version (cc @wazuh/threat-intel).
- (2) Check 7622 does not handle correctly the default PermitEmptyPasswords value (cc @wazuh/threat-intel).
- (3) Multiple alerts from rootcheck (Host-based anomaly detection) in a fresh OpenSuse manager (cc @wazuh/threat-intel).

This will be discussed with the development team, and the PR will be approved or not on this basis.

jmv74211 commented 2 years ago

Closing conclusion 👍🏼


🔵	Proposed to be fixed in future versions or developments

The testing has been approved taking into account the following considerations proposed in the QA review and discussed with the related development team:

(1): 7621 and 7622 checks include outdated CIS control version (cc @wazuh/threat-intel). 🔵

Known issue and will be fixed for future versions in the policy rework wazuh#15167.

(2): Check 7622 does not handle correctly the default PermitEmptyPasswords value 🔵

Known issue and will be fixed for future versions in the policy rework wazuh#15167.

(3): Multiple alerts from rootcheck (Host-based anomaly detection) in a fresh OpenSuse manager 🔵

This will be investigated and fixed in future versions. The following issue has been opened wazuh#15168.

wazuh / wazuh-qa