Closed 72nomada closed 1 year ago
Target version | Related issue | Related PR |
---|---|---|
4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |
Check ID | Check Name | Implemented | Ready for review | QA review |
---|---|---|---|---|
1 | Initial Setup | ⚫ | ||
1.1 | Filesystem Configuration | ⚫ | ||
1.1.1 | Disable unused filesystems | ⚫ | ||
1.1.1.1 | Ensure mounting of cramfs filesystems is disabled (Automated) | 🔴 | Not implemented | |
1.1.1.2 | Ensure mounting of squashfs filesystems is disabled (Automated) | 🔴 | Not implemented | |
1.1.1.3 | Ensure mounting of udf filesystems is disabled (Automated) | 🔴 | Not implemented | |
1.1.2 | Configure /tmp | ⚫ | ||
1.1.2.1 | Ensure /tmp is a separate partition (Automated) | 🟢 | ||
1.1.2.2 | Ensure nodev option set on /tmp partition (Automated) | 🟢 | ||
1.1.2.3 | Ensure noexec option set on /tmp partition (Automated) | 🟢 | ||
1.1.2.4 | Ensure nosuid option set on /tmp partition (Automated) | 🟢 | ||
1.1.3 | Configure /var | ⚫ | ||
1.1.3.1 | Ensure separate partition exists for /var (Automated) | 🟢 | ||
1.1.3.2 | Ensure nodev option set on /var partition (Automated) | 🟢 | ||
1.1.3.3 | Ensure nosuid option set on /var partition (Automated) | 🟢 | ||
1.1.4 | Configure /var/tmp | ⚫ | ||
1.1.4.1 | Ensure separate partition exists for /var/tmp (Automated) | 🟢 | ||
1.1.4.2 | Ensure noexec option set on /var/tmp partition (Automated) | 🟢 | ||
1.1.4.3 | Ensure nosuid option set on /var/tmp partition (Automated) | 🟢 | ||
1.1.4.4 | Ensure nodev option set on /var/tmp partition (Automated) | 🟢 | ||
1.1.5 | Configure /var/log | ⚫ | ||
1.1.5.1 | Ensure separate partition exists for /var/log (Automated) | 🟢 | ||
1.1.5.2 | Ensure nodev option set on /var/log partition (Automated) | 🟢 | ||
1.1.5.3 | Ensure noexec option set on /var/log partition (Automated) | 🟢 | ||
1.1.5.4 | Ensure nosuid option set on /var/log partition (Automated) | 🟢 | ||
1.1.6 | Configure /var/log/audit | ⚫ | ||
1.1.6.1 | Ensure separate partition exists for /var/log/audit (Automated) | 🟢 | ||
1.1.6.2 | Ensure noexec option set on /var/log/audit partition (Automated) | 🟢 | ||
1.1.6.3 | Ensure nodev option set on /var/log/audit partition (Automated) | 🟢 | ||
1.1.6.4 | Ensure nosuid option set on /var/log/audit partition (Automated) | 🟢 | ||
1.1.7 | Configure /home | ⚫ | ||
1.1.7.1 | Ensure separate partition exists for /home (Automated) | 🟢 | ||
1.1.7.2 | Ensure nodev option set on /home partition (Automated) | 🟢 | ||
1.1.7.3 | Ensure nosuid option set on /home partition (Automated) | 🟢 | ||
1.1.8 | Configure /dev/shm | ⚫ | ||
1.1.8.1 | Ensure nodev option set on /dev/shm partition (Automated) | 🟢 | ||
1.1.8.2 | Ensure noexec option set on /dev/shm partition (Automated) | 🟢 | ||
1.1.8.3 | Ensure nosuid option set on /dev/shm partition (Automated) | 🟢 | ||
1.1.9 | Disable Automounting (Automated) | 🟢 | ||
1.1.10 | Disable USB Storage (Automated) | 🔴 | Not implemented | |
Tester | PR commit |
---|---|
@Rebits | 0e33beb |
OS | OS version | Deployment | Image/AMI |
---|---|---|---|
Ubuntu | 22 | EC2 | ami-003530de8839921c4 |
OS | Package |
---|---|
Ubuntu | Manager |
Minor discrepancies were detected in some of the check fields: 1.1.5.2, 1.1.5.3, 1.1.5.4, 1.1.8.2
:red_circle: 1.1.7.2
:red_circle: Command output :green_circle:
- `'c:findmnt --kernel /tmp -> r:\s*/tmp\s'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
  root@ip-172-31-4-235:/home/qa#
  ```
- `'c:systemctl is-enabled tmp.mount -> r:generated|enabled'`
  ```
  root@ip-172-31-4-235:/home/qa# systemctl is-enabled tmp.mount
  Failed to get unit file state for tmp.mount: No such file or directory
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  Rule: 19007 (level 7) -> 'CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure /tmp is a separate partition.'
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28500,"title":"Ensure /tmp is a separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. 
  Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs 0 /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.","compliance":{"cis":"1.1.2.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:\\s*/tmp\\s","c:systemctl is-enabled tmp.mount -> r:generated|enabled"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
  ```
Command output :green_circle:
- `'c:findmnt --kernel /tmp -> r:\s*/tmp\s'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28501,"title":"Ensure nodev option set on /tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:nodev"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /tmp","result":"failed"}}
  ```
Command output :green_circle:
- `'c:findmnt --kernel /tmp -> r:noexec'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28502,"title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:noexec"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /tmp","result":"failed"}}
  ```
Command output :green_circle:
- `'c:findmnt --kernel /tmp -> r:nosuid'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /tmp
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28503,"title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.4","cis_csc_v7":"1@@@
  ```
Command output :green_circle:
- `'c:findmnt --kernel /var -> r:\s*/var\s'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28504,"title":"Ensure separate partition exists for /var.","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"The reasoning for mounting /var on a separate partition is as follow. Protection from resource exhaustion The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. Fine grained control over the mount Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. Protection from exploitation An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
  For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.3.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0006","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var -> r:\\s*/var\\s"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var","result":"failed"}}
  ```
Command output :green_circle:
- `'c:findmnt --kernel /var -> r:nodev'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28505,"title":"Ensure nodev option set on /var partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example:/var defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kern@@@
  ```
Command output :green_circle:
- `'c:findmnt --kernel /var -> r:nosuid'`
  ```
  root@ip-172-31-4-235:/home/qa# findmnt --kernel /var
  root@ip-172-31-4-235:/home/qa#
  ```

Expected result :green_circle:
- Expected Result: Fail
- Alert:
  ```
  {"type":"check","id":182003034,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28506,"title":"Ensure nosuid option set on /var partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example:/var defaults,rw,nosuid,nodev,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /var -> r:nosuid"],"condition":"all","references":"See the fstab(5) manual page for more information.","command":"findmnt --kernel /var","result":"failed"}}
  ```
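The evidence in the QA comment above is matched by eye against the `rules` and `condition` fields of each alert. As an added example (not Wazuh's SCA engine and not code from the PR under review), the script below re-implements the `c:<command> -> r:<regex>` semantics those alerts report, fed with constructed command output instead of running anything. It assumes Python's `re` module is an adequate stand-in for the regex dialect Wazuh applies to `r:` rules, which holds for the simple patterns used here, and it only models the `all`/`any` conditions seen on this page. Besides the failing state the tester observed (empty `findmnt` output, no `tmp.mount` unit), it adds a hardened host and a host whose `/tmp` is a separate mount but lost `noexec`, so that 1.1.2.1 passes while 1.1.2.3 fails.

```python
"""Offline evaluator for 'c:<command> -> r:<regex>' SCA-style rules.

Added example code: command output comes from constructed dictionaries
(modelled on the QA evidence above), so nothing is executed on the host.
"""
import re

# Constructed outputs for the state the QA run observed on the AMI:
# /tmp is not a mount point, so findmnt prints nothing, and tmp.mount is absent.
OUTPUTS_NOT_SEPARATE = {
    "findmnt --kernel /tmp": "",
    "systemctl is-enabled tmp.mount":
        "Failed to get unit file state for tmp.mount: No such file or directory\n",
}

# Constructed outputs after the remediation in check 28500 (tmpfs on /tmp with
# nosuid,nodev,noexec, provided by a generated tmp.mount unit).
OUTPUTS_HARDENED = {
    "findmnt --kernel /tmp": (
        "TARGET SOURCE FSTYPE OPTIONS\n"
        "/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,size=2G\n"
    ),
    "systemctl is-enabled tmp.mount": "generated\n",
}

# Constructed outputs for a separate /tmp that is missing noexec.
OUTPUTS_NO_NOEXEC = {
    "findmnt --kernel /tmp": (
        "TARGET SOURCE    FSTYPE OPTIONS\n"
        "/tmp   /dev/sda3 ext4   rw,nosuid,nodev,relatime\n"
    ),
    "systemctl is-enabled tmp.mount": "enabled\n",
}

# Rules copied from the alerts above (check ids 28500 and 28502).
CHECKS = {
    28500: {"title": "Ensure /tmp is a separate partition.",
            "condition": "all",
            "rules": [r"c:findmnt --kernel /tmp -> r:\s*/tmp\s",
                      r"c:systemctl is-enabled tmp.mount -> r:generated|enabled"]},
    28502: {"title": "Ensure noexec option set on /tmp partition.",
            "condition": "all",
            "rules": [r"c:findmnt --kernel /tmp -> r:noexec"]},
}

# Splits "c:<command> -> r:<regex>" into its command and pattern parts.
RULE_RE = re.compile(r"^c:(?P<cmd>.+?)\s*->\s*r:(?P<regex>.+)$")


def eval_rule(rule: str, outputs: dict) -> bool:
    """A c: rule passes when any line of the command's output matches the regex.
    Empty output (the unmounted-/tmp case) therefore never matches."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    output = outputs.get(m["cmd"], "")
    pattern = re.compile(m["regex"])  # unanchored search, like a bare r: rule
    return any(pattern.search(line) for line in output.splitlines())


def eval_check(check: dict, outputs: dict) -> str:
    """Combine the rule results with the check's condition ('all' or 'any')."""
    results = [eval_rule(rule, outputs) for rule in check["rules"]]
    combine = all if check["condition"] == "all" else any
    return "passed" if combine(results) else "failed"


def run_policy(outputs: dict) -> dict:
    """Evaluate every check against one host's outputs: {check_id: result}."""
    return {cid: eval_check(check, outputs) for cid, check in CHECKS.items()}


if __name__ == "__main__":
    for name, outputs in [("not separate", OUTPUTS_NOT_SEPARATE),
                          ("hardened", OUTPUTS_HARDENED),
                          ("no noexec", OUTPUTS_NO_NOEXEC)]:
        print(f"{name}: {run_policy(outputs)}")
```

Two points the evaluator makes visible. `findmnt --kernel /tmp` prints nothing at all when `/tmp` is not a mount point, so every `/tmp` and `/var` rule on the QA host fails for the same reason and the `"result":"failed"` entries above reflect the AMI, not a defect in the policy. And an option rule such as `r:nodev` is an unanchored search over each output line, so it would also be satisfied by a source or target path that happens to contain that string; the `\s*/tmp\s` form used for the separate-partition checks is the more precise pattern because it pins the match to the TARGET column.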
Updated policy to commit d00ad3543b8edc24129d41d117749eb1b48429f5
@Rebits there is no sub-technique for T1200.
https://attack.mitre.org/techniques/T1200/
We think it is a typo in the PDF.
Update 25/10/2022
Everything seems to be working properly after the proposed fixes.