Closed · 72nomada closed this issue 1 year ago
Target version | Related issue | Related PR |
---|---|---|
4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |
Check ID | Check Name | Implemented | Ready for review | QA review |
---|---|---|---|---|
4 | Logging and Auditing | ⚫ | | |
4.1 | Configure System Accounting (auditd) | ⚫ | | |
4.1.1 | Ensure auditing is enabled | ⚫ | | |
4.1.1.1 | Ensure auditd is installed (Automated) | 🟢 | 🟢 | |
4.1.1.2 | Ensure auditd service is enabled and active (Automated) | 🟢 | 🟢 | |
4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled (Automated) | 🟢 | 🟢 | |
4.1.1.4 | Ensure audit_backlog_limit is sufficient (Automated) | 🟢 | 🟢 | |
4.1.2 | Configure Data Retention | ⚫ | | |
4.1.2.1 | Ensure audit log storage size is configured (Automated) | 🟢 | 🟢 | |
4.1.2.2 | Ensure audit logs are not automatically deleted (Automated) | 🟢 | 🟢 | |
4.1.2.3 | Ensure system is disabled when audit logs are full (Automated) | 🟢 | 🟢 | |
4.1.3 | Configure auditd rules | ⚫ | | |
4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected (Automated) | 🟢 | 🟢 | |
4.1.3.2 | Ensure actions as another user are always logged (Automated) | 🟢 | 🟢 | |
4.1.3.3 | Ensure events that modify the sudo log file are collected (Automated) | 🔴 | Not implemented | |
4.1.3.4 | Ensure events that modify date and time information are collected (Automated) | 🟢 | 🟢 | |
4.1.3.5 | Ensure events that modify the system's network environment are collected (Automated) | 🟢 | 🟢 | |
4.1.3.6 | Ensure use of privileged commands are collected (Automated) | 🔴 | Not implemented | |
4.1.3.7 | Ensure unsuccessful file access attempts are collected (Automated) | 🔴 | Not implemented | |
4.1.3.8 | Ensure events that modify user/group information are collected (Automated) | 🟢 | 🟢 | |
4.1.3.9 | Ensure discretionary access control permission modification events are collected (Automated) | 🔴 | Not implemented | |
4.1.3.10 | Ensure successful file system mounts are collected (Automated) | 🔴 | Not implemented | |
4.1.3.11 | Ensure session initiation information is collected (Automated) | 🟢 | 🟢 | |
4.1.3.12 | Ensure login and logout events are collected (Automated) | 🟢 | 🟢 | |
4.1.3.13 | Ensure file deletion events by users are collected (Automated) | 🔴 | Not implemented | |
4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected (Automated) | 🟢 | 🟢 | |
4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) | 🔴 | Not implemented | |
4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) | 🔴 | Not implemented | |
4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) | 🔴 | Not implemented | |
4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) | 🔴 | Not implemented | |
4.1.3.19 | Ensure kernel module loading unloading and modification is collected (Automated) | 🔴 | Not implemented | |
4.1.3.20 | Ensure the audit configuration is immutable (Automated) | 🟢 | 🟢 | |
4.1.3.21 | Ensure the running and on disk configuration is the same (Manual) | 🔴 | Not implemented | |
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/15051/commits/c8ddcef08a04ed4bb7d70780431fa0e69ec917f4 |
OS | OS version | Deployment | Image/AMI | Notes |
---|---|---|---|---|
Ubuntu | Ubuntu 20.04 | EC2 | ami-003530de8839921c4 | |
wazuh-manager |
---|
4.3.9 |
- `\h+` in the 4.1.3.20 rule
- 🔴 4.1.1.3: it refers to files named grub.cfg. Rule changed to comply with CIS. Solved
- 4.1.1.4 Solved, 4.1.3.1 Solved, 4.1.3.5 Solved, 4.1.3.11 Solved, 4.1.3.12 Solved
- Corrected errors in 4.1.1.4 and 4.1.3.5
- 4.1.1.3 Solved, 4.1.1.4 Solved
- 🟢 Solved
The development is approved since all the proposed fixes and improvements have been implemented in this current development:
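The review thread above turns on two details of the tracked checks: 4.1.1.3 must look at files named grub.cfg, and the 4.1.3.20 rule's use of `\h+`. The following is an added shell example, not the Wazuh SCA policy from the PR and not the CIS benchmark's own audit commands: it reimplements the on-disk part of three of the checks in the table (4.1.1.3, 4.1.1.4 and 4.1.3.20) as POSIX shell functions that take explicit file paths, so they can be run against constructed sample files without root. The CIS audit commands match leading whitespace with PCRE `\h` under `grep -P`; the example uses POSIX `[[:space:]]` instead so it runs under plain `grep -E`. The sample file contents, the file names under the temporary directory and the 8192 default for the backlog threshold (CIS's recommended value) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the Wazuh SCA policy): on-disk reimplementation of CIS
# Ubuntu 20.04 checks 4.1.1.3, 4.1.1.4 and 4.1.3.20 as functions over explicit
# file paths. Each returns 0 on pass and 1 on fail, so they compose with `if`.

# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled:
# every kernel entry ("linux ..." line, which also covers linux16/linuxefi) in
# grub.cfg must carry audit=1. CIS greps with PCRE '^\h*linux'; POSIX
# [[:space:]] is used here so the check runs under plain grep -E.
check_4_1_1_3() {
    grub_cfg="$1"
    linux_lines=$(grep -E '^[[:space:]]*linux' "$grub_cfg" || true)
    [ -n "$linux_lines" ] || return 1      # no kernel entries at all: fail
    # grep -v succeeds only if some entry lacks audit=1, i.e. the check fails.
    if printf '%s\n' "$linux_lines" | grep -q -v 'audit=1'; then
        return 1
    fi
    return 0
}

# 4.1.1.4 Ensure audit_backlog_limit is sufficient: every kernel entry must set
# audit_backlog_limit=N with N >= threshold (8192 by default, per CIS).
check_4_1_1_4() {
    grub_cfg="$1"
    threshold="${2:-8192}"
    linux_lines=$(grep -E '^[[:space:]]*linux' "$grub_cfg" || true)
    [ -n "$linux_lines" ] || return 1
    # The loop runs in a subshell; `exit 1` there becomes the pipeline status.
    printf '%s\n' "$linux_lines" | while IFS= read -r line; do
        value=$(printf '%s\n' "$line" \
            | sed -n 's/.*audit_backlog_limit=\([0-9][0-9]*\).*/\1/p')
        [ -n "$value" ] || exit 1                  # parameter missing
        [ "$value" -ge "$threshold" ] || exit 1    # parameter too small
    done
}

# 4.1.3.20 Ensure the audit configuration is immutable (on-disk part): after
# augenrules merges /etc/audit/rules.d/*.rules, the last effective rule must be
# "-e 2". The live-state half of the CIS audit (auditctl -s reporting
# "enabled 2") needs root and a running auditd and is not reproduced here.
check_4_1_3_20() {
    last_rule=$(cat -- "$@" | grep -Ev '^[[:space:]]*(#|$)' | tail -n 1 || true)
    printf '%s\n' "$last_rule" | grep -Eq '^[[:space:]]*-e[[:space:]]+2[[:space:]]*$'
}

# Constructed sample inputs (assumed contents, not copied from any host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/grub-good.cfg" <<'EOF'
menuentry 'Ubuntu' {
        linux   /boot/vmlinuz-5.4.0-generic root=UUID=0000-1111 ro audit=1 audit_backlog_limit=8192
        initrd  /boot/initrd.img-5.4.0-generic
}
EOF

# First entry has a backlog limit below 8192; the recovery entry has neither
# audit=1 nor audit_backlog_limit, so both 4.1.1.3 and 4.1.1.4 must fail.
cat > "$SAMPLE_DIR/grub-bad.cfg" <<'EOF'
menuentry 'Ubuntu' {
        linux   /boot/vmlinuz-5.4.0-generic root=UUID=0000-1111 ro audit=1 audit_backlog_limit=4096
        initrd  /boot/initrd.img-5.4.0-generic
}
menuentry 'Ubuntu (recovery)' {
        linux   /boot/vmlinuz-5.4.0-generic root=UUID=0000-1111 ro recovery nomodeset
        initrd  /boot/initrd.img-5.4.0-generic
}
EOF

cat > "$SAMPLE_DIR/audit-good.rules" <<'EOF'
# scope changes (4.1.3.1)
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

# must stay last: lock the configuration
-e 2
EOF

# "-e 2" is present but not the last rule, which the 4.1.3.20 audit rejects.
cat > "$SAMPLE_DIR/audit-bad.rules" <<'EOF'
-e 2
-w /etc/sudoers -p wa -k scope
EOF

report() {
    if "$@"; then echo "PASS $*"; else echo "FAIL $*"; fi
}
report check_4_1_1_3  "$SAMPLE_DIR/grub-good.cfg"
report check_4_1_1_3  "$SAMPLE_DIR/grub-bad.cfg"
report check_4_1_1_4  "$SAMPLE_DIR/grub-good.cfg"
report check_4_1_1_4  "$SAMPLE_DIR/grub-bad.cfg"
report check_4_1_3_20 "$SAMPLE_DIR/audit-good.rules"
report check_4_1_3_20 "$SAMPLE_DIR/audit-bad.rules"
```

Pointing the functions at the real paths (`/boot/grub/grub.cfg`, `/etc/audit/rules.d/*.rules`) gives the same pass/fail answer the CIS audit steps give, minus the `auditctl -s` live check, and the functions fail closed: a grub.cfg with no kernel entries or a rules set with no `-e 2` is a failure, not a pass.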