wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Ubuntu Linux 22.04 SCA Policy - Update and rework - checks 1.2 to 1.7.6 #3443

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |

| Check ID | Check Name | Implemented | Ready for review | QA review |
|---|---|---|---|---|
| 1.2 | Configure Software Updates | ⚫ | | |
| 1.2.1 | Ensure package manager repositories are configured (Manual) | 🔴 Not implemented | | |
| 1.2.2 | Ensure GPG keys are configured (Manual) | 🔴 Not implemented | | |
| 1.3 | Filesystem Integrity Checking | ⚫ | | |
| 1.3.1 | Ensure AIDE is installed (Automated) | 🟢 | | |
| 1.3.2 | Ensure filesystem integrity is regularly checked (Automated) | 🔴 Not implemented | | |
| 1.4 | Secure Boot Settings | ⚫ | | |
| 1.4.1 | Ensure bootloader password is set (Automated) | 🟢 | | |
| 1.4.2 | Ensure permissions on bootloader config are configured (Automated) | 🟢 | | |
| 1.4.3 | Ensure authentication required for single user mode (Automated) | 🟢 | | |
| 1.5 | Additional Process Hardening | ⚫ | | |
| 1.5.1 | Ensure address space layout randomization (ASLR) is enabled (Automated) | 🔴 Not implemented | | |
| 1.5.2 | Ensure prelink is not installed (Automated) | 🟢 | | |
| 1.5.3 | Ensure Automatic Error Reporting is not enabled (Automated) | 🟢 | | |
| 1.5.4 | Ensure core dumps are restricted (Automated) | 🟢 | | |
| 1.6 | Mandatory Access Control | ⚫ | | |
| 1.6.1 | Configure AppArmor | ⚫ | | |
| 1.6.1.1 | Ensure AppArmor is installed (Automated) | 🟢 | | |
| 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration (Automated) | 🟢 | | |
| 1.6.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode (Automated) | 🟢 | | |
| 1.6.1.4 | Ensure all AppArmor Profiles are enforcing (Automated) | 🟢 | | |
| 1.7 | Command Line Warning Banners | ⚫ | | |
| 1.7.1 | Ensure message of the day is configured properly (Automated) | 🟢 | | |
| 1.7.2 | Ensure local login warning banner is configured properly (Automated) | 🟢 | | |
| 1.7.3 | Ensure remote login warning banner is configured properly (Automated) | 🟢 | | |
| 1.7.4 | Ensure permissions on /etc/motd are configured (Automated) | 🟢 | | |
| 1.7.5 | Ensure permissions on /etc/issue are configured (Automated) | 🟢 | | |
| 1.7.6 | Ensure permissions on /etc/issue.net are configured (Automated) | 🟢 | | |
Rebits commented 1 year ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | 399e401 |

Testing environment

| OS | OS version | Deployment | Image/AMI |
|---|---|---|---|
| Ubuntu | 22 | EC2 | ami-003530de8839921c4 |

Tested packages

| OS | Package |
|---|---|
| Ubuntu | Manager |

Status

Rebits commented 1 year ago

Testing results :red_circle:

1.3.1 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Current rule:

```
- 'c:dpkg-query -W -f=''${binary:Package}\t${Status}\t${db:Status-Status}\n'' aide aide-common -> r:aide\s+install ok && r:aide-common\s+install ok '
```

Expected rule:

```
- 'c:dpkg-query -W -f="\${binary:Package}\t\${Status}\t\${db:Status-Status}\n" aide aide-common -> r:aide\s+install ok && r:aide-common\s+install ok '
```

Output:

```
```

Expected True - :red_circle:

```
{"type":"check","id":800667793,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28526,"title":"Ensure filesystem integrity is regularly checked.","description":"Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.","rationale":"Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.","remediation":"Run the following commands: # cp ./config/aidecheck.service /etc/systemd/system/aidecheck.service # cp ./config/aidecheck.timer /etc/systemd/system/aidecheck.timer # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl reenable aidecheck.timer # systemctl restart aidecheck.timer # systemctl daemon-reload OR If cron will be used to schedule and run aide check, run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check","compliance":{"cis":"1.3.2","cis_csc":"14.9","pci_dss":"11.5","tsc":"PI1.4,PI1.5,CC6.8,CC7.2,CC7.3,CC7.4"},"rules":["c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\\.+","c:crontab -u root -l -> r:aide"],"condition":"all","references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":"grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab,crontab -u root -l","result":"failed"}}
```
1.4.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected False - :green_circle:

```
{"type":"check","id":800667793,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28527,"title":"Ensure bootloader password is set.","description":"Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.","rationale":"Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time).","remediation":"Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub-mkpasswd-pbkdf2 Enter password: Reenter password: PBKDF2 hash of your password is Add the following into a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following command to update the grub2 configuration: # update-grub","compliance":{"cis":"1.4.2","cis_csc":"5.1","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*\\t*set superusers","f:/boot/grub/grub.cfg -> r:^\\s*\\t*password"],"condition":"all","file":"/boot/grub/grub.cfg","result":"failed"}}
```
1.4.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Current rule does not check if `/boot/grub/grub.cfg` permissions are 0400 or more restrictive:

```
- 'c:stat /boot/grub/grub.cfg -> r:Uid:\s+\(\s*0/\s*root\)\s*Gid:\s+\(\s*0/\s*root\)'
```

Output:

```
root@ip-172-31-12-69:/home/qa# stat /boot/grub/grub.cfg
  File: /boot/grub/grub.cfg
  Size: 15178 Blocks: 32 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 9913 Links: 1
Access: (0400/-r--------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-10-28 12:57:55.568091160 +0000
Modify: 2022-07-15 08:33:47.081931383 +0000
Change: 2022-10-28 13:00:10.084095796 +0000
 Birth: 2022-04-19 09:29:24.799648194 +0000
```

Expected True - :red_circle:

```
{"type":"check","id":255701096,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28528,"title":"Ensure permissions on bootloader config are configured.","description":"The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub.","rationale":"Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.","remediation":"Run the following commands to set permissions on your grub configuration: chown root:root /boot/grub/grub.cfg, chmod og-rwx /boot/grub/grub.cfg","compliance":{"cis":"1.4.3","cis_csc":"5.1","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["c:stat /boot/grub/grub.cfg -> r:Access:\\s*\\(0\\d00/-\\w\\w\\w------\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","command":"stat /boot/grub/grub.cfg","result":"failed"}}
```
1.4.3 :large_blue_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Regarding the audit command proposed by CIS, `grep -Eq '^root:\$[0-9]' /etc/shadow || echo "root is locked"`:

```
root@ip-172-31-12-69:/home/qa# grep -Eq '^root:\$[0-9]' /etc/shadow || echo "root is locked"
root is locked
```

Only if no results are returned will the check be marked as passed. However, it is marked as passed:

```
{"type":"check","id":800667793,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28529,"title":"Ensure authentication required for single user mode.","description":"Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.","rationale":"Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.","remediation":"Run the following command and follow the prompts to set a password for the root user: # passwd root","compliance":{"cis":"1.4.4","cis_csc":"5.1","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["f:/etc/shadow -> r:^root:*:|^root:!:"],"condition":"none","file":"/etc/shadow","result":"passed"}}
```
1.5.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Error present in check rule `28530`:

```
2022/10/28 13:48:56 wazuh-modulesd: WARNING: Failed to load YAML document in /var/ossec/ruleset/sca/cis_ubuntu22-04.yml:803
2022/10/28 13:48:56 sca: WARNING: Error found while parsing file: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'. Skipping it.
```
1.5.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Error present in check rule `28531`:

```
2022/10/28 13:52:29 wazuh-modulesd: WARNING: Failed to load YAML document in /var/ossec/ruleset/sca/cis_ubuntu22-04.yml:822
2022/10/28 13:52:29 sca: WARNING: Error found while parsing file: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'. Skipping it.
```
1.5.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

- According to CIS, the following rules are incompatible:

  ```
  - 'd:/etc/sysctl.d -> r:\. -> r:^\s*fs.suid_dumpable = 0'
  - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable = 0'
  ```

  CIS suggests adding the suid parameter in only one of them.

- According to CIS, the following rules are incompatible:

  ```
  - 'd:/etc/security/limits.d -> r:\. -> !r:^\s*# && r:hard\s+core\s+0'
  - 'f:/etc/security/limits.conf -> !r:^\s*# && r:hard\s+core\s+0'
  ```

  CIS suggests adding the hard parameter in only one of them.

- The case of `systemd-coredump` not being installed is not considered:

  ```
  root@ip-172-31-12-69:/home/qa# systemctl is-enabled coredump.service
  Failed to get unit file state for coredump.service: No such file or directory
  ```

Expected Failed - :green_circle:
1.6.1.1 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Error in check rule:

```
2022/10/28 15:20:12 wazuh-modulesd: WARNING: Failed to load YAML document in /var/ossec/ruleset/sca/cis_ubuntu22-04.yml:825
2022/10/28 15:20:12 sca: WARNING: Error found while parsing file: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'. Skipping it.
```

Current rule:

```
- "dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' apparmor -> r:install\s+ok\s+installed"
```

Expected rule:

```
- 'c:dpkg-query -W -f="\${binary:Package}\t\${Status}\t\${db:Status-Status}\n" apparmor -> r:install\s+ok\s+installed'
```
1.6.1.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Missing check:

```
- 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
```

Expected Failed - :green_circle:

```
{"type":"check","id":2140183050,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28534,"title":"Ensure AppArmor is enabled in the bootloader configuration.","description":"Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.","rationale":"AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.","remediation":"Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.6.1.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4":"1.3.1,7.1","nist_853":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*linux && r:apparmor=1","f:/boot/grub/grub.cfg -> r:^\\s*linux && r:security=apparmor","not f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:security=apparmor"],"condition":"all","file":"/boot/grub/grub.cfg","result":"failed"}}
```
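An added example (not code from this PR or from Wazuh) that emulates the two 1.4.2 rules discussed above against `stat /boot/grub/grub.cfg` output, to show why the original rule accepts a grub.cfg with group/other read bits while the reworked rule rejects it. It assumes the OSRegex escape semantics from Wazuh's regex documentation (notably that `\s` matches a single space only, which is why the rules pair it with `\t*`, and that `\w` includes `-`) and that a `c:` rule is matched line by line against the command output; the 0444 stat sample is constructed.

```python
import re

# Subset of Wazuh OSRegex escapes used by the 1.4.2 rules, mapped to Python re.
# Assumption (Wazuh regex docs): \s is one space, \t a tab, \w is A-Z a-z 0-9
# '-' '@' '_', \d a digit, \. any character; \( and \) are literal parentheses.
_OSREGEX_ESCAPES = {
    "s": " ",
    "t": r"\t",
    "w": "[A-Za-z0-9@_-]",
    "d": "[0-9]",
    ".": ".",
    "(": r"\(",
    ")": r"\)",
}


def osregex_to_python(pattern: str) -> str:
    """Translate the OSRegex subset above into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Any other escaped character (e.g. \$ or \|) is a literal in OSRegex.
            out.append(_OSREGEX_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def rule_matches(regex: str, command_output: str) -> bool:
    """A 'c:<cmd> -> r:<regex>' rule matches if any line of the output matches."""
    compiled = re.compile(osregex_to_python(regex))
    return any(compiled.search(line) for line in command_output.splitlines())


# Regex part of the rule the PR originally shipped: it inspects owner/group only.
CURRENT_RULE = r"Uid:\s+\(\s*0/\s*root\)\s*Gid:\s+\(\s*0/\s*root\)"
# Regex part of the reworked rule: 0?00 plus the "------" tail of the symbolic
# mode additionally require that no group/other permission bits are set.
EXPECTED_RULE = (
    r"Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)"
    r"\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)"
)

# stat output in the shape captured during the review (mode 0400), and a
# constructed variant with mode 0444 (group/other readable).
STAT_0400 = """\
  File: /boot/grub/grub.cfg
  Size: 15178     \tBlocks: 32         IO Block: 4096   regular file
Device: 10301h/66305d\tInode: 9913        Links: 1
Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-10-28 12:57:55.568091160 +0000
"""
STAT_0444 = STAT_0400.replace("(0400/-r--------)", "(0444/-r--r--r--)")


def evaluate(regex: str) -> dict:
    """Rule verdict for both samples, keyed by the mode shown in the stat output."""
    return {
        "0400": rule_matches(regex, STAT_0400),
        "0444": rule_matches(regex, STAT_0444),
    }


if __name__ == "__main__":
    print("current rule :", evaluate(CURRENT_RULE))   # 0444 slips through
    print("expected rule:", evaluate(EXPECTED_RULE))  # 0444 is rejected
```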
Rebits commented 1 year ago

Update - 28/10/2022

72nomada commented 1 year ago

Solved syntax and rule issues. Please review the faulted checks 1.3.1-1.6.1.2.

Rebits commented 1 year ago

Testing after requested changes


Results

1.3.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-13-94:/home/qa# dpkg-query -s aide
dpkg-query: package 'aide' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
root@ip-172-31-13-94:/home/qa# dpkg-query -s aide-common
Package: aide-common
Status: deinstall ok config-files
Priority: optional
Section: admin
Installed-Size: 409
Maintainer: Ubuntu Developers
Architecture: all
Source: aide
Version: 0.17.4-1
Config-Version: 0.17.4-1
Depends: aide (>= 0.17), bsd-mailx | mailx, liblockfile1, ucf (>= 2.0020), debconf (>= 0.5) | debconf-2.0
Recommends: cron
Description: Advanced Intrusion Detection Environment - Common files
 AIDE is an intrusion detection system that detects changes to files on
 the local system. It creates a database from the regular expression rules
 that it finds from the config file. Once this database is initialized
 it can be used to verify the integrity of the files. It has several
 message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are
 used to check the integrity of the file. More algorithms can be added with
 relative ease. All of the usual file attributes can also be checked for
 inconsistencies.
 .
 This package contains base and configuration files that are needed to
 run the actual binaries.
 .
 You will almost certainly want to tweak the configuration file in
 /etc/aide/aide.conf or drop your own config snippets into
 /etc/aide/aide.conf.d.
Original-Maintainer: Aide Maintainers
Homepage: https://aide.github.io
root@ip-172-31-13-94:/home/qa# dpkg-query -s aide
dpkg-query: package 'aide' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
root@ip-172-31-13-94:/home/qa#
```

Expected Fail - :green_circle:

1.4.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Fail - :green_circle:

Changed from

```
- "f:/boot/grub/grub.cfg -> r:set superusers"
- "f:/boot/grub/grub.cfg -> r:password_pbkdf2"
```

to:

```
- "f:/boot/grub/grub.cfg -> r:^\\s*\\t*set superusers="
- "f:/boot/grub/grub.cfg -> r:^\\s*\\t*password_pbkdf2\\s*\\t*\\w+"
```
1.4.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
  File: /boot/grub/grub.cfg
  Size: 16345 Blocks: 32 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 9913 Links: 1
Access: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-10-31 15:50:07.380180589 +0000
Modify: 2022-10-31 15:49:57.360180243 +0000
Change: 2022-10-31 15:49:57.360180243 +0000
 Birth: 2022-04-19 09:29:24.799648194 +0000
```

Expected Failed - :green_circle:
1.4.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

1.5.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-13-94:/home/qa# dpkg-query -s prelink
dpkg-query: package 'prelink' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
root@ip-172-31-13-94:/home/qa# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' prelink
dpkg-query: no packages found matching prelink
root@ip-172-31-13-94:/home/qa#
```

Expected Fail - :green_circle:
1.5.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Bad rule: `"systemct is-enabled apport.service -> r:disabled"` is not valid; the `c:` prefix must be added. Also, `systemct is-enabled apport.service` is used instead of `systemctl is-enabled apport.service`.

Output:

```
root@ip-172-31-13-94:/home/qa# systemctl is-active apport.service
active
```

Expected Failed - :green_circle:
1.5.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Users only need to have this configuration in `sysctl.conf` or in a custom file in `/etc/sysctl.d`, not in both:

```
- 'd:/etc/sysctl.d -> r:\. -> r:^\s*fs.suid_dumpable = 0'
- 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable = 0'
```

Output:

```
root@ip-172-31-13-94:/home/qa# ls
get-pip.py  s.sh
root@ip-172-31-13-94:/home/qa# sysctl fs.suid_dumpable
fs.suid_dumpable = 2
root@ip-172-31-13-94:/home/qa# systemctl is-enabled coredump.service
Failed to get unit file state for coredump.service: No such file or directory
root@ip-172-31-13-94:/home/qa#
```

Expected - :green_circle:

1.6.1.1 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Extra whitespace in command.

Output:

```
root@ip-172-31-13-94:/home/qa# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' apparmor
apparmor	install ok installed	installed
```

Expected Passed - :green_circle:
1.6.1.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Fail - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28534,"title":"Ensure AppArmor is enabled in the bootloader configuration.","description":"Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.","rationale":"AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.","remediation":"Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.6.1.2","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*linux && r:apparmor=1","f:/boot/grub/grub.cfg -> r:^\\s*linux && r:security=apparmor","not f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:apparmor=1","not f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:security=apparmor"],"condition":"all","file":"/boot/grub/grub.cfg","result":"failed"}}
```
1.6.1.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

The rules do not check whether profiles are in enforce or complain mode; they only ensure they are loaded. We should ensure that no profiles are in kill or unconfined mode.

Output:

```
root@ip-172-31-7-190:/home/qa# apparmor_status
apparmor module is loaded.
36 profiles are loaded.
34 profiles are in enforce mode.
   /snap/snapd/15534/usr/lib/snapd/snap-confine
   /snap/snapd/15534/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/16292/usr/lib/snapd/snap-confine
   /snap/snapd/16292/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17336/usr/lib/snapd/snap-confine
   /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.amazon-ssm-agent
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
2 profiles are in complain mode.
   snap.amazon-ssm-agent.amazon-ssm-agent
   snap.amazon-ssm-agent.ssm-cli
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
0 processes are in enforce mode.
2 processes are in complain mode.
   /snap/amazon-ssm-agent/6312/amazon-ssm-agent (40125) snap.amazon-ssm-agent.amazon-ssm-agent
   /snap/amazon-ssm-agent/6312/ssm-agent-worker (40189) snap.amazon-ssm-agent.amazon-ssm-agent
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
```

Expected Failed - :green_circle:
1.6.1.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

As in check 1.6.1.3, we should also ensure that no profiles are in kill or unconfined mode.

Output:

```
root@ip-172-31-7-190:/home/qa# apparmor_status
apparmor module is loaded.
36 profiles are loaded.
34 profiles are in enforce mode.
   /snap/snapd/15534/usr/lib/snapd/snap-confine
   /snap/snapd/15534/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/16292/usr/lib/snapd/snap-confine
   /snap/snapd/16292/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/17336/usr/lib/snapd/snap-confine
   /snap/snapd/17336/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.amazon-ssm-agent
   snap-update-ns.lxd
   snap.lxd.activate
   snap.lxd.benchmark
   snap.lxd.buginfo
   snap.lxd.check-kernel
   snap.lxd.daemon
   snap.lxd.hook.configure
   snap.lxd.hook.install
   snap.lxd.hook.remove
   snap.lxd.lxc
   snap.lxd.lxc-to-lxd
   snap.lxd.lxd
   snap.lxd.migrate
   tcpdump
2 profiles are in complain mode.
   snap.amazon-ssm-agent.amazon-ssm-agent
   snap.amazon-ssm-agent.ssm-cli
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
0 processes are in enforce mode.
2 processes are in complain mode.
   /snap/amazon-ssm-agent/6312/amazon-ssm-agent (40125) snap.amazon-ssm-agent.amazon-ssm-agent
   /snap/amazon-ssm-agent/6312/ssm-agent-worker (40189) snap.amazon-ssm-agent.amazon-ssm-agent
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
```

Expected - :green_circle:

1.7.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Passed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28537,"title":"Ensure message of the day is configured properly.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR if the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd","compliance":{"cis":"1.7.1","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["not f:/etc/motd -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu","not f:/etc/motd"],"condition":"any","file":"/etc/motd","result":"passed"}}
```
1.7.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28538,"title":"Ensure local login warning banner is configured properly.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.","compliance":{"cis":"1.7.2","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","file":"/etc/issue","result":"failed"}}
```
1.7.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28539,"title":"Ensure remote login warning banner is configured properly.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue","compliance":{"cis":"1.7.3","mitre_techniques":"T1018,T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue.net -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","file":"/etc/issue.net","result":"failed"}}
```
1.7.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-7-190:/home/qa# stat /etc/motd
  File: /etc/motd
  Size: 14              Blocks: 8          IO Block: 4096   regular file
Device: 10301h/66305d   Inode: 3746        Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-11-02 11:30:35.028184092 +0000
Modify: 2022-11-02 11:30:19.984183573 +0000
Change: 2022-11-02 11:46:00.380215984 +0000
```

Expected Passed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28540,"title":"Ensure permissions on /etc/motd are configured.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.","rationale":"If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/motd : # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) OR run the following command to remove the /etc/motd file: # rm /etc/motd","compliance":{"cis":"1.7.4","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:stat /etc/motd -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*0/\\s*root\\)\\s*\\t*Gid:\\s*\\(\\s*0/\\s*root\\)","not f:/etc/motd"],"condition":"any","file":"/etc/motd","command":"stat /etc/motd","result":"passed"}}
```
1.7.5 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-7-190:/home/qa# stat /etc/issue
  File: /etc/issue
  Size: 24              Blocks: 8          IO Block: 4096   regular file
Device: 10301h/66305d   Inode: 4072        Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-11-02 11:41:17.268206226 +0000
Modify: 2022-11-02 11:41:03.012205735 +0000
Change: 2022-11-02 11:41:03.020205735 +0000
 Birth: 2022-11-02 11:41:03.012205735 +0000
```

Expected Passed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28541,"title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue : # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue) Default Value: Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root).","compliance":{"cis":"1.7.5","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:stat /etc/issue -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*0/\\s*root\\)\\s*\\t*Gid:\\s*\\(\\s*0/\\s*root\\)"],"condition":"all","command":"stat /etc/issue","result":"passed"}}
```
1.7.6 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-7-190:/home/qa# stat /etc/issue.net
  File: /etc/issue.net
  Size: 17              Blocks: 8          IO Block: 4096   regular file
Device: 10301h/66305d   Inode: 18774       Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-11-02 10:20:36.900039406 +0000
Modify: 2022-04-18 10:28:59.000000000 +0000
Change: 2022-04-19 09:36:19.857339216 +0000
 Birth: 2022-04-19 09:36:19.153335666 +0000
```

Expected Passed - :green_circle:

```
{"type":"check","id":881978711,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28542,"title":"Ensure permissions on /etc/issue.net are configured.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.","rationale":"If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net)","compliance":{"cis":"1.7.6","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"rules":["c:stat /etc/issue.net -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*0/\\s*root\\)\\s*\\t*Gid:\\s*\\(\\s*0/\\s*root\\)"],"condition":"all","command":"stat /etc/issue.net","result":"passed"}}
```

Conclusion :red_circle:

Rebits commented 1 year ago

Update - 31/10/2022

Rebits commented 1 year ago

Update - 02/11/2022

fabamatic commented 1 year ago

Update 02/11/2022

Rebits commented 1 year ago

Testing after requested changes

Checks

Multiple checks from the previous testing were not fixed :red_circle:

Regarding the [second testing](https://github.com/wazuh/wazuh-qa/issues/3443#issuecomment-1297264055), it has been detected that multiple errors in rules were not solved:

- The first rule for the `28531` does not have the proper format. It is required to include the `c:` before the command
- Badly formatted file

```
    rules:
      - "c:sysctl fs.suid_dumpable -> r:=^fs.suid_dumpable = 0"
      - 'd:/etc/sysctl.d -> r:\. -> r:^\s*fs.suid_dumpable = 0'
      - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable = 0'
      - 'd:/etc/security/limits.d -> r:\. -> !r:^\s*# && r:hard\s+core\s+0'
      - 'f:/etc/security/limits.conf -> !r:^\s*# && r:hard\s+core\s+0'
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
    condition: all
    rules:
      - "c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0"
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
      - 'c:grep -Rh "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/ -> !r:^\s*\t*# && r:fs.suid_dumpable = 0'
      - 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:\p hard core 0'

  # 1.6 Mandatory Access Control
  # 1.6.1 Configure AppArmor
  # 1.6.1.1 Ensure AppArmor is installed (Automated)
  - id: 28533
    title: "Ensure
```

It is suggested to fix all previously detected issues before performing full manual testing. If some of the previous suggestions do not proceed for the policy, a validation with the @wazuh/qa team is necessary.

Conclusions :red_circle:

No full manual testing was performed because some of the errors specified in the first testing were not solved. If any of the proposed suggestions does not proceed, it requires validation by the developer, @fabamatic, and the @wazuh/qa team. For more information review the *Multiple checks from the previous testing were not fixed* check.

Rebits commented 1 year ago

Update - 03/11/2022

fabamatic commented 1 year ago

Sorry about the previous request. The found errors should be fixed now.

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

Policy misformatting - Failed to load YAML :red_circle:

```
      - "c:sysctl fs.suid_dumpable -> r:=^fs.suid_dumpable = 0"
      - 'd:/etc/sysctl.d -> r:\. -> r:^\s*fs.suid_dumpable = 0'
      - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable = 0'
      - 'd:/etc/security/limits.d -> r:\. -> !r:^\s*# && r:hard\s+core\s+0'
      - 'f:/etc/security/limits.conf -> !r:^\s*# && r:hard\s+core\s+0'
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
    condition: all
    rules:
      - "c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0"
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
      - 'c:grep -Rh "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/ -> !r:^\s*\t*# && r:fs.suid_dumpable = 0'
      - 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:\p hard core 0'
```
1.5.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
Executing: /lib/systemd/systemd-sysv-install is-enabled apport
enabled
```

Expected Failed - :green_circle:

```
{"timestamp":"2022-11-07T16:07:02.905+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure Automatic Error Reporting is not enabled.","id":"19007","firedtimes":28,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.5.3"],"cis_csc_v7":["9.2"],"cis_csc_v8":["4.8"],"soc_2":["CC6.3","CC6.6"]},"agent":{"id":"000","name":"ip-172-31-10-66"},"manager":{"name":"ip-172-31-10-66"},"id":"1667837222.127747","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"482217575","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28531","title":"Ensure Automatic Error Reporting is not enabled.","description":"The Apport Error Reporting Service automatically generates crash reports for debugging.","rationale":"Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.","remediation":"Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -Run the following command to remove the apport package: # apt purge apport Default Value: enabled=1.","compliance":{"cis":"1.5.3","cis_csc_v7":"9.2","cis_csc_v8":"4.8","cmmc_v2":{"0":"CM.L2-3.4.7, CM.L2-3.4.8, SC.L2-3.13.6"},"pci_dss_v3":{"2":{"1":"1.1.6, 1.2.1, 2.2.2, 2.2.5"}},"pci_dss_v4":{"0":"1.2.5, 2.2.4, 6.4.1"},"soc_2":"CC6.3, CC6.6"},"command":["systemctl is-enabled apport.service"],"result":"failed"}}},"location":"sca"}
```
1.5.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Bad formatting

```
  # 1.5.4 Ensure core dumps are restricted (Automated)
  - id: 28532
    title: "Ensure core dumps are restricted."
    description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
    rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
    remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 Run the command: systemctl daemon-reload"
    compliance:
      - cis: ["1.5.4"]
      - mitre_techniques: ["T1005"]
      - mitre_tactics: ["TA0007"]
    condition: all
    rules:
      - "c:sysctl fs.suid_dumpable -> r:=^fs.suid_dumpable = 0"
      - 'd:/etc/sysctl.d -> r:\. -> r:^\s*fs.suid_dumpable = 0'
      - 'f:/etc/sysctl.conf -> r:^\s*fs.suid_dumpable = 0'
      - 'd:/etc/security/limits.d -> r:\. -> !r:^\s*# && r:hard\s+core\s+0'
      - 'f:/etc/security/limits.conf -> !r:^\s*# && r:hard\s+core\s+0'
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
    condition: all
    rules:
      - "c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0"
      - "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
      - 'c:grep -Rh "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/ -> !r:^\s*\t*# && r:fs.suid_dumpable = 0'
      - 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:\p hard core 0'
```
1.6.1.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-10-66:/home/qa# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' apparmor
apparmor	install ok installed	installed
```

Expected Passed - :green_circle:

```
{"timestamp":"2022-11-07T16:07:02.926+0000","rule":{"level":3,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure AppArmor is installed.","id":"19008","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.1"],"cis_csc_v7":["14.6"],"cis_csc_v8":["3.3"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"]},"agent":{"id":"000","name":"ip-172-31-10-66"},"manager":{"name":"ip-172-31-10-66"},"id":"1667837222.134399","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"482217575","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28533","title":"Ensure AppArmor is installed.","description":"AppArmor provides Mandatory Access Controls.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Install AppArmor. # apt install apparmor.","compliance":{"cis":"1.6.1.1","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026","cmmc_v2":{"0":"AC.L1-3.1.1, AC.L1-3.1.2, AC.L2-3.1.5, AC.L2-3.1.3, MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.312(a)(1)","pci_dss_v3":{"2":{"1":"7.1, 7.1.1, 7.1.2, 7.1.3"}},"pci_dss_v4":{"0":"1.3.1, 7.1"},"nist_sp_800-53":"AC-5, AC-6","soc_2":"CC5.2, CC6.1"},"command":["dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' apparmor"],"result":"passed"}}},"location":"sca"}
```
1.6.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Some rules do not contain a comparator value:

```
      - 'c:apparmor_status -> n:^0\s+profiles\s+are\s+in\s+kill\s+mode'
      - 'c:apparmor_status -> n:^0\s+profiles\s+are\s+in\s+unconfined\s+mode'
```

Expected Passed - :red_circle:

```
{"timestamp":"2022-11-07T16:07:02.946+0000","rule":{"level":3,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure all AppArmor Profiles are in enforce or complain mode.","id":"19009","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.3"],"cis_csc_v7":["14.6"],"cis_csc_v8":["3.3"],"mitre_tactics":["TA0005"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"]},"agent":{"id":"000","name":"ip-172-31-10-66"},"manager":{"name":"ip-172-31-10-66"},"id":"1667837222.140789","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"482217575","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28535","title":"Ensure all AppArmor Profiles are in enforce or complain mode.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.6.1.3","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_tactics":"TA0005","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_v4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"command":["apparmor_status"],"status":"Not applicable","reason":"Keyword 'compare' not found. Did you forget adding 'compare COMPARATOR VALUE' to your rule?' ^0\\s+profiles\\s+are\\s+in\\s+kill\\s+mode'"}}},"location":"sca"}
```
1.6.1.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:

Some rules do not contain a comparator value:

```
      - 'c:apparmor_status -> n:^0\s+profiles\s+are\s+in\s+kill\s+mode'
      - 'c:apparmor_status -> n:^0\s+profiles\s+are\s+in\s+unconfined\s+mode'
```

Expected Passed - :red_circle:

```
{"timestamp":"2022-11-07T16:07:02.956+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure all AppArmor Profiles are enforcing.","id":"19007","firedtimes":31,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.4"],"cis_csc_v7":["14.6"],"cis_csc_v8":["3.3"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0005"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"]},"agent":{"id":"000","name":"ip-172-31-10-66"},"manager":{"name":"ip-172-31-10-66"},"id":"1667837222.144571","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"482217575","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28536","title":"Ensure all AppArmor Profiles are enforcing.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.6.1.4","cis_csc_v7":"14.6","cis_csc_v8":"3.3","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0005","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_v3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_v4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1"},"command":["apparmor_status"],"result":"failed"}}},"
```

Rebits commented 1 year ago

Update - 07/11/2022

fabamatic commented 1 year ago

Sorry again, somehow I committed the wrong format in 1.5.4. It should be fixed now.

Rebits commented 1 year ago

Testing after requested changes :yellow_circle:


Results

1.5.4 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: The check is marked as failed in case coredump is not installed on the system. Impossible to handle due to current SCA limitations.

1.6.1.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

1.6.1.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

All bugs encountered and reported have been solved in this development:

(1) Error in rules and checks 🟢

LukaszC86 commented 1 year ago

Hello, I think that rule 1.4.3 has a wrong regexp: `f:/etc/shadow -> r:^root:\$\d+`

it checks if the password hash starts with "$" and digit, but the password hash can also start with "$" and a letter:

image
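
As an added illustration for this thread (this is not Wazuh's code and not part of any comment above), the script below evaluates a small subset of the SCA rule syntax that appears in the scan results: the `f:<path> -> r:<regex>` form with `not` and the `all` / `any` / `none` conditions used by the 1.7.1 and 1.7.2 banner checks, and the 1.4.3 rule `f:/etc/shadow -> r:^root:\$\d+` quoted in the comment above. All file contents and shadow lines are constructed (no real hashes or hosts). It assumes Python's `re` behaves like Wazuh's regex engine for these particular patterns, and the broader pattern `^root:\$\w+\$` is offered only as an assumption for comparison, not as the project's fix.

```python
"""Tiny evaluator for a subset of the Wazuh SCA rule syntax.

Written for this thread as an illustration (NOT Wazuh's code).  It covers
'f:<path> -> r:<regex>' (some line of the file matches), bare 'f:<path>'
(file exists), a leading 'not ' (negates the rule) and the check-level
'all' / 'any' / 'none' conditions.  Regexes are evaluated with Python's re
module, which is assumed to approximate Wazuh's engine for these patterns.
"""
import re
from typing import Dict, List, Optional

# Constructed in-memory filesystem: path -> content, or None when the file is absent.
FileSystem = Dict[str, Optional[str]]


def eval_rule(rule: str, fs: FileSystem) -> bool:
    """Evaluate one 'f:' rule against the in-memory filesystem."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[len("not "):]
    parts = [p.strip() for p in rule.split(" -> ")]
    target = parts[0]
    if not target.startswith("f:"):
        raise ValueError(f"only 'f:' rules are supported here: {target}")
    content = fs.get(target[len("f:"):])

    if content is None:
        matched = False                      # absent file: the rule cannot match
    elif len(parts) == 1:
        matched = True                       # bare 'f:<path>' is an existence test
    elif parts[1].startswith("r:"):
        regex = re.compile(parts[1][len("r:"):])
        matched = any(regex.search(line) for line in content.splitlines())
    else:
        raise ValueError(f"unsupported match type: {parts[1]}")
    return (not matched) if negate else matched


def eval_check(rules: List[str], condition: str, fs: FileSystem) -> str:
    """Combine the rule results the way the check's 'condition' field does."""
    hits = [eval_rule(r, fs) for r in rules]
    combined = {"all": all(hits), "any": any(hits), "none": not any(hits)}
    if condition not in combined:
        raise ValueError(f"unknown condition: {condition}")
    return "passed" if combined[condition] else "failed"


# --- 1.7.1 / 1.7.2: banner rules as quoted in the scan results in this issue ---
BANNER_REGEX = r"r:\\v|\\r|\\m|\\s|Debian|Ubuntu"   # literal \v \r \m \s escapes or OS names


def issue_check(issue_content: Optional[str]) -> str:
    """CIS 1.7.2: no rule may match (condition 'none')."""
    return eval_check([f"f:/etc/issue -> {BANNER_REGEX}"], "none", {"/etc/issue": issue_content})


def motd_check(motd_content: Optional[str]) -> str:
    """CIS 1.7.1: the file is either absent or free of OS details (condition 'any')."""
    rules = [f"not f:/etc/motd -> {BANNER_REGEX}", "not f:/etc/motd"]
    return eval_check(rules, "any", {"/etc/motd": motd_content})


# --- 1.4.3: the rule quoted in the comment above, plus a hypothetical broader pattern ---
ORIGINAL_PATTERN = r"^root:\$\d+"     # from the policy: '$' must be followed by a digit
BROADER_PATTERN = r"^root:\$\w+\$"    # assumption for comparison: any '$id$' hash prefix


def root_password_check(shadow_line: str, pattern: str = ORIGINAL_PATTERN) -> str:
    """CIS 1.4.3 as a single 'f:/etc/shadow' rule with condition 'all'."""
    return eval_check([f"f:/etc/shadow -> r:{pattern}"], "all", {"/etc/shadow": shadow_line + "\n"})


# Constructed sample inputs (not real hashes, not a real host).
DEFAULT_ISSUE = "Ubuntu 22.04.1 LTS \\n \\l\n"          # stock banner: OS name plus \n \l escapes
HARDENED_ISSUE = "Authorized uses only. All activity may be monitored and reported.\n"
SHADOW_SHA512 = "root:$6$constructedsalt$constructedhash:19300:0:99999:7:::"
SHADOW_YESCRYPT = "root:$y$j9T$constructedsalt$constructedhash:19300:0:99999:7:::"
SHADOW_LOCKED = "root:*:19300:0:99999:7:::"

if __name__ == "__main__":
    print("1.7.2 stock /etc/issue :", issue_check(DEFAULT_ISSUE))
    print("1.7.2 hardened banner  :", issue_check(HARDENED_ISSUE))
    print("1.7.1 /etc/motd absent :", motd_check(None))
    for line in (SHADOW_SHA512, SHADOW_YESCRYPT, SHADOW_LOCKED):
        print("1.4.3", line.split(":")[1][:4].ljust(4),
              "original:", root_password_check(line),
              "broader:", root_password_check(line, BROADER_PATTERN))
```

The shadow cases show the point raised in the comment: with the policy's pattern a root hash that starts with `$6$` passes but one that starts with `$y$` is reported as failed, while a locked root entry (`*`) is correctly reported as failed under both patterns.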

72nomada commented 1 year ago

Will review, and will open an issue in the wazuh/wazuh repo for better tracking.

Thanks.