wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Ubuntu Linux 22.04 SCA Policy - Update and rework - checks 3.5 to 3.5.3.3.4 #3448

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |
Check ID Check Name Implemented Ready for review QA review
3.5 Firewall Configuration
3.5.1 Configure UncomplicatedFirewall
3.5.1.1 Ensure ufw is installed (Automated) 🟢
3.5.1.2 Ensure iptables-persistent is not installed with ufw (Automated) 🟢
3.5.1.3 Ensure ufw service is enabled (Automated) 🟢
3.5.1.4 Ensure ufw loopback traffic is configured (Automated) 🟢
3.5.1.5 Ensure ufw outbound connections are configured (Manual) 🔴 Not implemented
3.5.1.6 Ensure ufw firewall rules exist for all open ports (Automated) 🔴 Not implemented
3.5.1.7 Ensure ufw default deny firewall policy (Automated) 🟢
3.5.2 Configure nftables
3.5.2.1 Ensure nftables is installed (Automated) 🟢
3.5.2.2 Ensure ufw is uninstalled or disabled with nftables (Automated) 🔴 Not implemented
3.5.2.3 Ensure iptables are flushed with nftables (Manual) 🔴 Not implemented
3.5.2.4 Ensure a nftables table exists (Automated) 🟢
3.5.2.5 Ensure nftables base chains exist (Automated) 🟢
3.5.2.6 Ensure nftables loopback traffic is configured (Automated) 🔴 Not implemented
3.5.2.7 Ensure nftables outbound and established connections are configured (Manual) 🔴 Not implemented
3.5.2.8 Ensure nftables default deny firewall policy (Automated) 🟢
3.5.2.9 Ensure nftables service is enabled (Automated) 🟢
3.5.2.10 Ensure nftables rules are permanent (Automated) 🔴 Not implemented
3.5.3 Configure iptables
3.5.3.1 Configure iptables software
3.5.3.1.1 Ensure iptables packages are installed (Automated) 🟢
3.5.3.1.2 Ensure nftables is not installed with iptables (Automated) 🟢
3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables (Automated) 🟢
3.5.3.2 Configure IPv4 iptables
3.5.3.2.1 Ensure iptables default deny firewall policy (Automated) 🟢
3.5.3.2.2 Ensure iptables loopback traffic is configured (Automated) 🟢
3.5.3.2.3 Ensure iptables outbound and established connections are configured (Manual) 🔴 Not implemented
3.5.3.2.4 Ensure iptables firewall rules exist for all open ports (Automated) 🔴 Not implemented
3.5.3.3 Configure IPv6 ip6tables
3.5.3.3.1 Ensure ip6tables default deny firewall policy (Automated) 🟢
3.5.3.3.2 Ensure ip6tables loopback traffic is configured (Automated) 🟢
3.5.3.3.3 Ensure ip6tables outbound and established connections are configured (Manual) 🔴 Not implemented
3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports (Automated) 🔴 Not implemented
Rebits commented 1 year ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/15051/commits/f1967aa144ec4537fa4eb68f4d9c00241cf065f3 |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Ubuntu | Ubuntu 20.04 | EC2 | ami-003530de8839921c4 | |

Status

Rebits commented 1 year ago

Testing results :red_circle:

3.5.1.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
Package: ufw
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 830
Maintainer: Jamie Strandboge
Architecture: all
Version: 0.36.1-4build1
Depends: iptables, lsb-base (>= 3.0-6), ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Conffiles:
 /etc/default/ufw a921dd9d167380b04de4bc911915ea44
 /etc/init.d/ufw 4156943ab8a824fcf4b04cc1362eb230
 /etc/logrotate.d/ufw 969308e0ddfb74505f0da47b49ada218
 /etc/rsyslog.d/20-ufw.conf 98e2f72c9c65ca8d6299886b524e80d1
 /etc/ufw/sysctl.conf 7723079fc108eda8f57eddab3079c70a
Description: program for managing a Netfilter firewall
 The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall.
Homepage: https://launchpad.net/ufw
```

Expected Passed - :green_circle:

```
{"type":"check","id":1071025106,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28589,"title":"Ensure ufw service or nftables or iptables is installed.","description":"UFW - The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall. NFTABLES - nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: - nftables is available in Linux kernel 3.13 and newer - Only one firewall utility should be installed and configured - Changing firewall settings while connected over the network can result in being locked out of the system. IPTABLES - iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.","rationale":"UFW - A firewall utility is required to configure the Linux kernel's netfilter framework via the iptables or nftables back-end. The Linux kernel's netfilter framework host-based firewall can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. Note: Only one firewall utility should be installed and configured. UFW is dependent on the iptables package. NFTABLES - nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host. IPTABLES - A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall.","compliance":{"cis":"3.5.1.1,3.5.2.1,3.5.3.1.1","cis_csc":"9.4","pci_dss":"1.2.1","tsc":"CC8.1"},"rules":["c:dpkg -s ufw -> r:Status: install ok installed","c:dpkg -s nftables -> r:Status: install ok installed","c:dpkg -s iptables -> r:Status: install ok installed"],"condition":"any","command":"dpkg -s ufw","result":"passed"}}
```
3.5.1.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
dpkg-query: package 'iptables-persistent' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
```

Expected Passed - :green_circle:

```
{"type":"check","id":1071025106,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28590,"title":"Ensure iptables-persistent is not installed.","description":"The iptables-persistentis a boot-time loader for netfilter rules, iptables plugin","rationale":"Running both ufwand the services included in theiptables-persistent package may lead to conflict","remediation":"Run the following command to install Uncomplicated Firewall (UFW): # apt install ufw OR # apt install nftables OR # apt install iptables","compliance":{"cis":"3.5.1.2","cis_csc":"9.4","pci_dss":"1.2.1","tsc":"CC8.1"},"rules":["not c:dpkg -s iptables-persistent -> r:Status: install ok installed","c:dpkg -s ufw -> r:Status: install ok installed"],"condition":"all","command":"dpkg -s iptables-persistent,dpkg -s ufw","result":"passed"}}
```
3.5.1.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-15-36:/home/qa# systemctl is-enabled ufw.service
enabled
root@ip-172-31-15-36:/home/qa# systemctl is-active ufw
inactive
root@ip-172-31-15-36:/home/qa# ufw status
Status: inactive
```

Expected Failed - :green_circle:

```
{"type":"check","id":1071025106,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28591,"title":"Ensure ufw service is enabled.","description":"UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line and available graphical user interface for manipulating the firewall. Ensure that the ufw service is enabled to protect your system.","rationale":"The ufw service must be enabled and running in order for ufw to protect the system","remediation":"Run the following command to enable ufw: # ufw enable","compliance":{"cis":"3.5.1.3","cis_csc":"9.4","pci_dss":"1.2.1","tsc":"CC8.1"},"rules":["c:systemctl is-enabled ufw -> enabled","c:ufw status -> Status: active"],"condition":"all","command":"systemctl is-enabled ufw,ufw status","result":"failed"}}
```
3.5.1.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - Wrong Mitre tactic. **Expected**: `TA0011`. **Current**: `TA0005`.
  - No mitigations specified, expected `M1031, M1037`.
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
Status: inactive
```

Expected Failed - :green_circle:

```
{"type":"check","id":1071025106,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28592,"title":"Ensure ufw loopback traffic is configured.","description":"Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6).","rationale":"Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.","remediation":"Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1","compliance":{"cis":"3.5.1.4","cis_csc":"9.4","pci_dss":"1.2.1","tsc":"CC8.1"},"rules":["c:ufw status verbose -> r:Anywhere on lo\\s*\\t*ALLOW IN\\s*\\t*Anywhere","c:ufw status verbose -> r:Anywhere\\s*\\t*DENY IN\\s*\\t*127.0.0.0/8","c:ufw status verbose -> r:Anywhere \\(v6\\) on lo\\s*\\t*ALLOW IN\\s*\\t*Anywhere \\(v6\\)","c:ufw status verbose -> r:Anywhere \\(v6\\)\\s*\\t*DENY IN\\s*\\t*::1","c:ufw status verbose -> r:Anywhere\\s*\\t*ALLOW OUT\\s*\\t*Anywhere on lo","c:ufw status verbose -> r:Anywhere \\(v6\\)\\s*\\t*ALLOW OUT\\s*\\t*Anywhere \\(v6\\) on lo"],"condition":"all","command":"ufw status verbose","result":"failed"}}
```
3.5.1.7 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - Wrong tactic. Expected: `TA001`. Current: `TA0005`.
  - No mitigations were specified.
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
Status: inactive
```

Expected Failed - :green_circle:

```
{"type":"check","id":1071025106,"policy":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 20.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28593,"title":"Ensure default deny firewall policy.","description":"A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without a explicit allow before the default deny will be blocked.","rationale":"With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.","remediation":"Run the following commands to implement a default deny policy: # ufw default deny incoming # ufw default deny outgoing # ufw default deny routed.","compliance":{"cis":"3.5.1.7","cis_csc":"9.4","pci_dss":"1.2.1","tsc":"CC8.1"},"rules":["c:ufw status verbose -> r:^Default && r:deny\\W+(incoming)|reject\\W+(incoming)","c:ufw status verbose -> r:^Default && r:deny\\W+(outgoing)|reject\\W+(outgoing)","c:ufw status verbose -> r:^Default && r:deny\\W+(routed)|reject\\W+(routed)|disabled\\W+(routed)"],"condition":"all","command":"ufw status verbose","result":"failed"}}
```
3.5.2.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-15-36:/home/qa# dpkg -s nftables
Package: nftables
Status: install ok installed
Priority: important
Section: net
Installed-Size: 177
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1.0.2-1ubuntu2
Depends: libnftables1 (= 1.0.2-1ubuntu2), libc6 (>= 2.34), libedit2 (>= 3.1-20130611-0)
Recommends: netbase
Suggests: firewalld
Conffiles:
 /etc/nftables.conf b10493a168ed8e96d0d56408721425c4
Description: Program to control packet filtering rules by Netfilter project
 This software provides an in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and the nft userspace command line tool. The nftables framework reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.
 .
 nftables replaces the old popular iptables, ip6tables, arptables and ebtables.
 .
 Netfilter software and nftables in particular are used in applications such as Internet connection sharing, firewalls, IP accounting, transparent proxying, advanced routing and traffic control.
 .
 A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended.
Homepage: https://www.netfilter.org/
Original-Maintainer: Debian Netfilter Packaging Team
root@ip-172-31-15-36:/home/qa# dpkg -s iptables
Package: iptables
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 2837
Maintainer: Ubuntu Developers
Architecture: amd64
Multi-Arch: foreign
Version: 1.8.7-1ubuntu5
Replaces: iptables-nftables-compat (<< 1.6.2~)
Depends: libip4tc2 (= 1.8.7-1ubuntu5), libip6tc2 (= 1.8.7-1ubuntu5), libxtables12 (= 1.8.7-1ubuntu5), netbase (>= 6.0), libc6 (>= 2.34), libmnl0 (>= 1.0.3-4~), libnetfilter-conntrack3 (>= 1.0.6), libnfnetlink0, libnftnl11 (>= 1.1.5)
Suggests: firewalld, kmod, nftables
Breaks: iptables-nftables-compat (<< 1.6.2~)
Description: administration tools for packet filtering and NAT
 The iptables/xtables framework has been replaced by nftables. You should consider migrating now.
 .
 iptables is the userspace command line program used to configure the Linux packet filtering and NAT ruleset. It is targeted towards systems and networks administrators.
 .
 This package contains several different utilities, the most important ones:
 .
 iptables-nft, iptables-nft-save, iptables-nft-restore (nft-based version)
 .
 iptables-legacy, iptables-legacy-save, iptables-legacy-restore (legacy version)
 .
 ip6tables-nft, ip6tables-nft-save, ip6tables-nft-restore (nft-based version)
 .
 ip6tables-legacy, ip6tables-legacy-save, ip6tables-legacy-restore (legacy version)
 .
 arptables-nft, arptables-nft-save, arptables-nft-restore (nft-based version)
 .
 ebtables-nft, ebtables-nft-save, ebtables-nft-restore (nft-based version)
Homepage: https://www.netfilter.org/
Original-Maintainer: Debian Netfilter Packaging Team
root@ip-172-31-15-36:/home/qa# dpkg -s ufw
Package: ufw
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 830
Maintainer: Jamie Strandboge
Architecture: all
Version: 0.36.1-4build1
Depends: iptables, lsb-base (>= 3.0-6), ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Conffiles:
 /etc/default/ufw a921dd9d167380b04de4bc911915ea44
 /etc/init.d/ufw 4156943ab8a824fcf4b04cc1362eb230
 /etc/logrotate.d/ufw 969308e0ddfb74505f0da47b49ada218
 /etc/rsyslog.d/20-ufw.conf 98e2f72c9c65ca8d6299886b524e80d1
 /etc/ufw/sysctl.conf 7723079fc108eda8f57eddab3079c70a
Description: program for managing a Netfilter firewall
 The Uncomplicated FireWall is a front-end for iptables, to make managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter. It is particularly well-suited as a host-based firewall.
Homepage: https://launchpad.net/ufw
```

Expected Failed - :green_circle:

```
{"type":"check","id":1753545054,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28578,"title":"Ensure nftables is installed.","description":"nftables provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queuing and logging subsystem. Notes: nftables is available in Linux kernel 3.13 and newer Only one firewall utility should be installed and configured Changing firewall settings while connected over the network can result in being locked out of the system","rationale":"nftables is a subsystem of the Linux kernel that can protect against threats originating from within a corporate network to include malicious mobile code and poorly configured software on a host.","remediation":"Run the following command to install nftables: # apt install nftables","compliance":{"cis":"3.5.2.1","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s nftables -> r:Status: install ok installed","c:dpkg -s iptables -> r:package 'iptables' is not installed","c:dpkg -s ufw -> r:package 'ufw' is not installed"],"condition":"all","command":"dpkg -s nftables,dpkg -s iptables","result":"failed"}}
```
3.5.2.4 :yellow_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Maybe it is better to use the following rules:

```
condition: any
rules:
  - "c:dpkg -s nftables -> r:Status: install ok installed"
  - 'c:nft list tables -> r:\w+'
```

In case nftables is not installed, it will mark the check as not applicable.

Output:

```
root@ip-172-31-15-36:/home/qa# nft list tables
bash: /usr/sbin/nft: No such file or directory
```

Expected Passed - :green_circle:

```
{"type":"check","id":1753545054,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28579,"title":"Ensure a nftables table exists.","description":"Tables hold chains. Each table only has one address family and only applies to packets of this family. Tables can have one of five families.","rationale":"nftables doesn't have any default tables. Without a table being build, nftables will not filter network traffic.","remediation":"Run the following command to create a table in nftables # nft create table inet Example: # nft create table inet filter","compliance":{"cis":"3.5.2.4","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s nftables -> r:Status: install ok installed","c:nft list tables -> r:\\w+"],"condition":"all","command":"dpkg -s nftables,nft list tables","result":"passed"}}
```
3.5.2.5 :yellow_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle: Wrong tactic. Expected: `TA0005`. Current: `TA0011`.
- **References**: :green_circle:
- **Rules**: :yellow_circle: Due to SCA limitations it is not possible to include the case where nftables is not installed.

Output:

```
root@ip-172-31-15-36:/home/qa# nft list ruleset
bash: /usr/sbin/nft: No such file or directory
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28580,"title":"Ensure nftables base chains exist.","description":"Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.","rationale":"If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.","remediation":"Run the following command to create the base chains: # nft create chain inet { type filter hook <(input|forward|output)> priority 0 \\; } Example: # nft create chain inet filter input { type filter hook input priority 0 \\; } # nft create chain inet filter forward { type filter hook forward priority 0 \\; } # nft create chain inet filter output { type filter hook output priority 0 \\; }","compliance":{"cis":"3.5.2.5","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s nftables -> r:Status: install ok installed","c:nft list ruleset -> r:type\\s+filter\\s+hook\\s+input\\s+priority;","c:nft list ruleset -> r:type\\s+filter\\s+hook\\s+forward\\s+priority;","c:nft list ruleset -> r:type\\s+filter\\s+hook\\s+output\\s+priority;"],"condition":"all","command":"dpkg -s nftables","result":"failed"}}
```
3.5.2.8 :yellow_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Due to SCA limitations it is not possible to include the case where nftables is not installed.

Output:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28581,"title":"Ensure nftables default deny firewall policy.","description":"Base chain policy is the default verdict that will be applied to packets reaching the end of the chain.","rationale":"There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue transversing the network stack. It is easier to white list acceptable usage than to black list unacceptable usage. Note: Changing firewall settings while connected over network can result in being locked out of the system.","remediation":"Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy: # nft chain { policy drop \\; } Example: # nft chain inet filter input { policy drop \\; } # nft chain inet filter forward { policy drop \\; } # nft chain inet filter output { policy drop \\; } Default Value: accept","compliance":{"cis":"3.5.2.8","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s nftables -> r:Status: install ok installed","c:nft list ruleset -> r:hook input && r:policy drop","c:nft list ruleset -> r:hook forward && r:policy drop","c:nft list ruleset -> r:hook output && r:policy drop"],"condition":"all","references":"Manual Page nft","command":"dpkg -s nftables","result":"failed"}}
```

Expected Failed - :green_circle:
3.5.2.9 :yellow_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: Due to SCA limitations it is not possible to include the case where nftables is not installed.

Output:

```
root@ip-172-31-15-36:/home/qa# dpkg -s nftables
Package: nftables
Status: deinstall ok config-files
Priority: important
Section: net
Installed-Size: 177
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1.0.2-1ubuntu2
Config-Version: 1.0.2-1ubuntu2
Depends: libnftables1 (= 1.0.2-1ubuntu2), libc6 (>= 2.34), libedit2 (>= 3.1-20130611-0)
Recommends: netbase
Suggests: firewalld
Conffiles:
 /etc/nftables.conf b10493a168ed8e96d0d56408721425c4
Description: Program to control packet filtering rules by Netfilter project
 This software provides an in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and the nft userspace command line tool. The nftables framework reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.
 .
 nftables replaces the old popular iptables, ip6tables, arptables and ebtables.
 .
 Netfilter software and nftables in particular are used in applications such as Internet connection sharing, firewalls, IP accounting, transparent proxying, advanced routing and traffic control.
 .
 A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended.
Homepage: https://www.netfilter.org/
Original-Maintainer: Debian Netfilter Packaging Team
root@ip-172-31-15-36:/home/qa# systemctl is-enabled nftables
masked
root@ip-172-31-15-36:/home/qa# dpkg -s nftables
Package: nftables
Status: deinstall ok config-files
Priority: important
Section: net
Installed-Size: 177
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1.0.2-1ubuntu2
Config-Version: 1.0.2-1ubuntu2
Depends: libnftables1 (= 1.0.2-1ubuntu2), libc6 (>= 2.34), libedit2 (>= 3.1-20130611-0)
Recommends: netbase
Suggests: firewalld
Conffiles:
 /etc/nftables.conf b10493a168ed8e96d0d56408721425c4
Description: Program to control packet filtering rules by Netfilter project
 This software provides an in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and the nft userspace command line tool. The nftables framework reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.
 .
 nftables replaces the old popular iptables, ip6tables, arptables and ebtables.
 .
 Netfilter software and nftables in particular are used in applications such as Internet connection sharing, firewalls, IP accounting, transparent proxying, advanced routing and traffic control.
 .
 A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended.
Homepage: https://www.netfilter.org/
Original-Maintainer: Debian Netfilter Packaging Team
root@ip-172-31-15-36:/home/qa#
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28582,"title":"Ensure nftables service is enabled.","description":"The nftables service allows for the loading of nftables rulesets during boot, or starting on the nftables service.","rationale":"The nftables service restores the nftables rules from the rules files referenced in the /etc/nftables.conf file during boot or the starting of the nftables service.","remediation":"Run the following command to enable the nftables service: # systemctl enable nftables.","compliance":{"cis":"3.5.2.9","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s nftables -> r:Status: install ok installed","c:systemctl is-enabled nftables -> r:enabled"],"condition":"all","command":"dpkg -s nftables","result":"failed"}}
```
3.5.3.1.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28583,"title":"Ensure iptables packages are installed.","description":"iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs are used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.","rationale":"A method of configuring and maintaining firewall rules is necessary to configure a Host Based Firewall.","remediation":"Run the following command to install iptables and iptables-persistent # apt install iptables iptables-persistent","compliance":{"cis":"3.5.3.1.1","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:dpkg -s iptables -> r:Status: install ok installed","c:dpkg -s iptables-persistent -> r:Status: install ok installed","c:dpkg -s nftables -> r:package 'nftables' is not installed","c:dpkg -s ufw -> r:package 'ufw' is not installed"],"condition":"all","command":"dpkg -s iptables,dpkg -s iptables-persistent","result":"failed"}}
```
3.5.3.1.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
Package: nftables
Status: deinstall ok config-files
```

Expected Passed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28584,"title":"Ensure nftables is not installed with iptables.","description":"nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables.","rationale":"Running both iptables and nftables may lead to conflict.","remediation":"Run the following command to remove nftables: # apt purge nftables","compliance":{"cis":"3.5.3.1.2","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["not c:dpkg-query -s nftables -> r:install ok installed","c:dpkg-query -s iptables -> r:install ok installed"],"condition":"all","command":"dpkg-query -s nftables,dpkg-query -s iptables","result":"passed"}}
```
3.5.3.1.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle: Wrong mitigations: `["M1031", "M1037"]`. This check does not have mitigations.
- **References**: :green_circle:
- **Rules**: :yellow_circle: Due to SCA limitations it is not possible to include the case where ufw is disabled.

Output:

```
root@ip-172-31-15-36:/home/qa# dpkg-query -s ufw
Package: ufw
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 830
Maintainer: Jamie Strandboge
Architecture: all
Version: 0.36.1-4build1
Depends: iptables, lsb-base (>= 3.0-6), ucf, python3:any, debconf (>= 0.5) | debconf-2.0
Suggests: rsyslog
Conffiles:
 /etc/default/ufw a921dd9d167380b04de4bc911915ea44
 /etc/init.d/ufw 4156943ab8a824fcf4b04cc1362eb230
 /etc/logrotate.d/ufw 969308e0ddfb74505f0da47b49ada218
 /etc/rsyslog.d/20-ufw.conf 98e2f72c9c65ca8d6299886b524e80d1
 /etc/ufw/sysctl.conf 7723079fc108eda8f57eddab3079c70a
Description: program for managing a Netfilter firewall
 The Uncomplicated FireWall is a front-end for iptables, to make managing a
 Netfilter firewall easier. It provides a command line interface with syntax
 similar to OpenBSD's Packet Filter. It is particularly well-suited as a
 host-based firewall.
Homepage: https://launchpad.net/ufw
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28585,"title":"Ensure ufw is uninstalled or disabled with iptables.","description":"Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. Uses a command-line interface consisting of a small number of simple commands Uses iptables for configuration.","rationale":"Running iptables.persistent with ufw enabled may lead to conflict and unexpected results.","remediation":"Run one of the following commands to either remove ufw or stop and mask ufw Run the following command to remove ufw: # apt purge ufw OR Run the following commands to disable ufw: # ufw disable # systemctl stop ufw # systemctl mask ufw.","compliance":{"cis":"3.5.3.1.3","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["not c:dpkg-query -s ufw -> r:install ok installed","c:dpkg-query -s iptables -> r:install ok installed"],"condition":"all","command":"dpkg-query -s ufw","result":"failed"}}
```
3.5.3.2.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-15-36:/home/qa# iptables -L | grep Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
Chain DOCKER-USER (1 references)
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28586,"title":"Ensure iptables default deny firewall policy.","description":"A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: Changing firewall settings while connected over network can result in being locked out of the system Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.","rationale":"With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.","remediation":"Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP.","compliance":{"cis":"3.5.3.2.1","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:iptables -L -> r:Chain INPUT \\(policy (DROP|REJECT)\\)","c:iptables -L -> r:Chain FORWARD \\(policy (DROP|REJECT)\\)","c:iptables -L -> r:Chain OUTPUT \\(policy (DROP|REJECT)\\)"],"condition":"all","command":"iptables -L","result":"failed"}}
```
3.5.3.2.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Unescaped `*` character

```
- 'c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0'
- 'c:iptables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*127.0.0.0/8\.*0.0.0.0/0'
- 'c:iptables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*0.0.0.0/0\.*0.0.0.0/0'
```

Output:

```
root@ip-172-31-15-36:/home/qa# iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28587,"title":"Ensure iptables loopback traffic is configured.","description":"Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Note: Changing firewall settings while connected over network can result in being locked out of the system Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.","rationale":"Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.","remediation":"Run the following commands to implement the loopback rules: # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP.","compliance":{"cis":"3.5.3.2.2","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:iptables -L INPUT -v -n -> r:\\.*ACCEPT\\.*all\\.*lo\\.**\\.*0.0.0.0/0\\.*0.0.0.0/0","c:iptables -L INPUT -v -n -> r:\\.*DROP\\.*all\\.**\\.**\\.*127.0.0.0/8\\.*0.0.0.0/0","c:iptables -L OUTPUT -v -n -> r:\\.*ACCEPT\\.*all\\.**\\.*lo\\.*0.0.0.0/0\\.*0.0.0.0/0"],"condition":"all","command":"iptables -L INPUT -v -n","result":"failed"}}
```
3.5.3.3.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:

```
root@ip-172-31-15-36:/home/qa# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```

Expected Failed - :green_circle:

```
{"type":"check","id":288746546,"policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","check":{"id":28588,"title":"Ensure ip6tables default deny firewall policy.","description":"A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Note: Changing firewall settings while connected over network can result in being locked out of the system Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.","rationale":"With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.","remediation":"Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP.","compliance":{"cis":"3.5.3.3.1","cis_csc_v7":"9.4","cis_csc_v8":"4.4,4.5","mitre_techniques":"T1562,T1562.004","mitre_tactics":"TA0011","mitre_mitigations":"M1031,M1037","cmmc_v2.0":"AC.L1-3.1.20,CM.L2-3.4.7,SC.L1-3.13.1,SC.L2-3.13.6","pci_dss_3.2.1":"1.4,1.1.4","pci_dss_4.0":"1.2.1","nist_sp_800-53":"SC-7(5)","soc_2":"CC6.6"},"rules":["c:ip6tables -L -> r:^Chain INPUT && r:policy DROP","c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP","c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP"],"condition":"all","command":"ip6tables -L","result":"failed"}}
```
3.5.3.3.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Unescaped `*` character

```
- 'c:ip6tables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*::/0\.*::/0'
- 'c:ip6tables -L INPUT -v -n -> r:\.*DROP\.*all\.**\.**\.*::1\.*::/0'
- 'c:ip6tables -L OUTPUT -v -n -> r:\.*ACCEPT\.*all\.**\.*lo\.*::/0\.*::/0'
```

Output:

```
 pkts bytes target prot opt in out source destination
```

Expected Failed - :green_circle:
Rebits commented 1 year ago

Update - 08/11/2022

fabamatic commented 1 year ago

Corrected the found defects, with a caveat in checks 3.5.3.3.2 and 3.5.3.2.2, where it's not possible to escape the `*` character; `\p` was used instead.

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

3.5.1.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle: Wrong **Mitre tactic**
  - **Expected**: TA0011
  - **Current**: TA0005
- **References**: :green_circle:
- **Rules**: :green_circle:

3.5.1.7 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle: Wrong **Mitre tactic**
  - **Expected**: TA0011
  - **Current**: TA0005
- **References**: :green_circle:
- **Rules**: :green_circle:

3.5.3.1.3 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

3.5.3.2.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

3.5.3.3.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
72nomada commented 1 year ago

Solved 3.5.1.4 and 3.5.1.7

Rebits commented 1 year ago

Testing after requested changes :red_circle:


3.5.3.2.1 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: It was detected during https://github.com/wazuh/wazuh-qa/issues/3449#issuecomment-1308839354 that this check uses an alternation inside a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` in the referenced issue for more information.

3.5.1.4 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

3.5.1.7 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
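The two rule-syntax defects raised in this thread (the unescaped `*` in the loopback rules of 3.5.3.2.2 and 3.5.3.3.2, and the `(DROP|REJECT)` group alternation in 3.5.3.2.1) are easier to reason about with a small evaluator that applies SCA-style `c:` rules to captured command output. The block below is an added example for this thread, not Wazuh's SCA engine and not code from this repository. Its model of the OSSEC regex dialect (`\.` as the wildcard, plain `.` as literal, `\p` as a punctuation class, `&&` terms matching on the same output line, `condition` combining rules as all/any/none) is my assumption based on the OSSEC regex documentation and on what the reviewers report above; the `iptables` listings are constructed to resemble the ones pasted in the thread, and `pattern_problem` and `default_deny_result` are helper names I chose for the example.

```python
"""Evaluator for Wazuh SCA ``c:`` rules over captured command output.

Added example for this thread, not Wazuh's SCA engine. It models the OSSEC regex
dialect as I understand it and turns the two defects reported above (``*`` cannot
be escaped; ``(A|B)`` alternation in a group is unsupported) into errors rather
than rules that silently never match.
"""
import re

# Characters the OSSEC ``\p`` class stands for (assumption, from the OSSEC docs).
PUNCT = r"()*+,\-.:;<=>?\[\]!\"'#$%&|{}"
# Supported escapes: '\.' is the wildcard (plain '.' is literal) and '\p' is the only way to match a literal '*'.
ESCAPES = {".": ".", "t": r"\t", "w": r"[A-Za-z0-9_]", "W": r"[^A-Za-z0-9_]",
           "d": r"\d", "D": r"\D", "s": r"\s", "S": r"\S", "p": f"[{PUNCT}]"}

class UnsupportedPattern(ValueError):
    """The rule uses syntax the SCA regex engine does not accept."""

def to_python_regex(pattern: str) -> str:
    """Translate one ``r:`` pattern, rejecting constructs reported as unsupported."""
    if re.search(r"\([^()]*\|[^()]*\)", pattern):
        raise UnsupportedPattern(f"alternation inside a group: {pattern}")
    out, i, can_repeat = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            esc = pattern[i + 1] if i + 1 < len(pattern) else ""
            if esc not in ESCAPES:  # '\*' lands here: '*' cannot be escaped
                raise UnsupportedPattern(f"escape \\{esc} is not supported: {pattern}")
            out.append(ESCAPES[esc])
            i, can_repeat = i + 2, True
            continue
        if ch in "*+":  # the second '*' of '\.**' has no token to repeat
            if not can_repeat:
                raise UnsupportedPattern(
                    f"'{ch}' has nothing to repeat, use \\p for a literal '*': {pattern}")
            out.append(ch)
            can_repeat = False
        elif ch in "^$(|":  # anchors, group start and top-level OR keep their meaning
            out.append(ch)
            can_repeat = False
        else:  # ')' closes a group; anything else, '.' included, is literal
            out.append(ch if ch == ")" else re.escape(ch))
            can_repeat = True
        i += 1
    return "".join(out)

def parse_rule(rule: str):
    """Split ``[not ]c:<command> -> r:<re>[ && r:<re>...]`` into its parts."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    if not body.startswith("c:"):
        raise ValueError(f"only c: (command) rules are handled here: {rule}")
    command, _, terms = body[2:].partition(" -> ")
    regexes = []
    for term in terms.split(" && "):
        if not term.startswith("r:"):
            raise ValueError(f"unsupported term {term!r} in rule: {rule}")
        regexes.append(to_python_regex(term[2:]))
    return negate, command.strip(), regexes

def rule_matches(rule: str, output: str) -> bool:
    """True when one output line satisfies every ``&&`` term (assumed to apply to
    the same line); a leading ``not`` inverts the result."""
    negate, _, regexes = parse_rule(rule)
    hit = any(all(re.search(rx, line) for rx in regexes) for line in output.splitlines())
    return not hit if negate else hit

def evaluate_check(rules, condition, outputs):
    """Combine per-rule results with the check's condition (all/any/none)."""
    results = [rule_matches(r, outputs[parse_rule(r)[1]]) for r in rules]
    combine = {"all": all, "any": any, "none": lambda xs: not any(xs)}[condition]
    return "passed" if combine(results) else "failed"

def pattern_problem(rule: str):
    """Why a rule is unsupported, or None when it translates cleanly."""
    try:
        parse_rule(rule)
    except UnsupportedPattern as exc:
        return str(exc)
    return None

# Constructed sample output modelled on the listings pasted in this thread.
IPTABLES_DEFAULT_ACCEPT = "Chain INPUT (policy ACCEPT)\nChain FORWARD (policy DROP)\nChain OUTPUT (policy ACCEPT)\n"
IPTABLES_DEFAULT_DROP = IPTABLES_DEFAULT_ACCEPT.replace("ACCEPT", "DROP")
LOOPBACK_INPUT = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
"""
# Rule shapes from this thread: the rejected originals and the accepted fixes.
DEFAULT_DENY_ORIGINAL = r"c:iptables -L -> r:Chain INPUT \(policy (DROP|REJECT)\)"
DEFAULT_DENY_FIXED = [f"c:iptables -L -> r:^Chain {c} && r:policy DROP" for c in ("INPUT", "FORWARD", "OUTPUT")]
LOOPBACK_ORIGINAL = r"c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.**\.*0.0.0.0/0\.*0.0.0.0/0"
LOOPBACK_FIXED = r"c:iptables -L INPUT -v -n -> r:\.*ACCEPT\.*all\.*lo\.*\p\.*0.0.0.0/0\.*0.0.0.0/0"

def default_deny_result(output: str) -> str:
    """Check 3.5.3.2.1 with the fixed rules against one ``iptables -L`` listing."""
    return evaluate_check(DEFAULT_DENY_FIXED, "all", {"iptables -L": output})
```

Calling `pattern_problem(DEFAULT_DENY_ORIGINAL)` and `pattern_problem(LOOPBACK_ORIGINAL)` returns the reason each original rule is rejected, while `default_deny_result(IPTABLES_DEFAULT_DROP)` returns `"passed"` and `rule_matches(LOOPBACK_FIXED, LOOPBACK_INPUT)` returns `True` for the `\p` workaround. One caveat the workaround carries: under the assumed dialect `\p` matches any punctuation character, not only `*`, so the fixed loopback rule also accepts a `-` or `+` in the interface column and is slightly looser than the literal-`*` match the benchmark intends.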
72nomada commented 1 year ago

3.5.3.2.1 - Solved

Rebits commented 1 year ago

Testing after requested changes :green_circle:


3.5.3.2.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rebits commented 1 year ago

Updated - 09/11/2022

jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

All of the reported issues were fixed in this current development

(1) Errors and improvements in policy checks. 🟢

  • 3.5.1.4: Wrong Mitre tactic and no mitigations were specified.
  • 3.5.1.7: Wrong tactic and no mitigations were specified.
  • 3.5.2.4: Rule improvement suggestions.
  • 3.5.2.5: Wrong tactic.
  • 3.5.3.1.3: Wrong mitigations.
  • 3.5.3.2.2: Bad character in rule.
  • 3.5.3.3.2: Bad character in rule.