wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Ubuntu Linux 22.04 SCA Policy - Update and rework - checks 4 to 4.1.3.21 #3449

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
| --- | --- | --- |
| 4.4.0 | #3390 | https://github.com/wazuh/wazuh/pull/15051 |
| Check ID | Check Name | Implemented | Ready for review | QA review |
| --- | --- | --- | --- | --- |
| 4 | Logging and Auditing | ⚫ | | |
| 4.1 | Configure System Accounting (auditd) | ⚫ | | |
| 4.1.1 | Ensure auditing is enabled | ⚫ | | |
| 4.1.1.1 | Ensure auditd is installed (Automated) | 🟢 | 🟢 | |
| 4.1.1.2 | Ensure auditd service is enabled and active (Automated) | 🟢 | 🟢 | |
| 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled (Automated) | 🟢 | 🟢 | |
| 4.1.1.4 | Ensure audit_backlog_limit is sufficient (Automated) | 🟢 | 🟢 | |
| 4.1.2 | Configure Data Retention | ⚫ | | |
| 4.1.2.1 | Ensure audit log storage size is configured (Automated) | 🟢 | 🟢 | |
| 4.1.2.2 | Ensure audit logs are not automatically deleted (Automated) | 🟢 | 🟢 | |
| 4.1.2.3 | Ensure system is disabled when audit logs are full (Automated) | 🟢 | 🟢 | |
| 4.1.3 | Configure auditd rules | ⚫ | | |
| 4.1.3.1 | Ensure changes to system administration scope (sudoers) is collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.2 | Ensure actions as another user are always logged (Automated) | 🟢 | 🟢 | |
| 4.1.3.3 | Ensure events that modify the sudo log file are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.4 | Ensure events that modify date and time information are collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.5 | Ensure events that modify the system's network environment are collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.6 | Ensure use of privileged commands are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.7 | Ensure unsuccessful file access attempts are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.8 | Ensure events that modify user/group information are collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.9 | Ensure discretionary access control permission modification events are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.10 | Ensure successful file system mounts are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.11 | Ensure session initiation information is collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.12 | Ensure login and logout events are collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.13 | Ensure file deletion events by users are collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected (Automated) | 🟢 | 🟢 | |
| 4.1.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded (Automated) | 🔴 Not implemented | | |
| 4.1.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded (Automated) | 🔴 Not implemented | | |
| 4.1.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded (Automated) | 🔴 Not implemented | | |
| 4.1.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded (Automated) | 🔴 Not implemented | | |
| 4.1.3.19 | Ensure kernel module loading unloading and modification is collected (Automated) | 🔴 Not implemented | | |
| 4.1.3.20 | Ensure the audit configuration is immutable (Automated) | 🟢 | 🟢 | |
| 4.1.3.21 | Ensure the running and on disk configuration is the same (Manual) | 🔴 Not implemented | | |
Rebits commented 1 year ago

Tester review

| Tester | PR commit |
| --- | --- |
| @Rebits | https://github.com/wazuh/wazuh/pull/15051/commits/c8ddcef08a04ed4bb7d70780431fa0e69ec917f4 |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
| --- | --- | --- | --- | --- |
| Ubuntu | Ubuntu 20.04 | EC2 | ami-003530de8839921c4 | |

Tested packages

| wazuh-manager |
| --- |
| 4.3.9 |

Status

Conclusion :red_circle:

Rebits commented 1 year ago

Testing results :red_circle:

Multiple rules use not supported alternation in a group :red_circle:

According to the [regular expression syntax documentation](https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html), it is not possible to use alternation in a group, e.g. `(foo|bar)`. However, multiple rules (not only 4-4.1.3) include invalid regex, making the check always fail. All rules prior to 4.1.3.21 are listed here, but this problem is found throughout the policy.

- `3.5.3.2.1`:
  ```
  - 'c:iptables -L -> r:Chain INPUT \(policy (DROP|REJECT)\)'
  - 'c:iptables -L -> r:Chain FORWARD \(policy (DROP|REJECT)\)'
  - 'c:iptables -L -> r:Chain OUTPUT \(policy (DROP|REJECT)\)'
  ```
- `4.1.2.3`:
  ```
  - "d:/etc/audit"
  - "f:/etc/audit/auditd.conf"
  - "f:/etc/audit/auditd.conf -> r:^\\s*space_left_action\\s*=\\s*email"
  - "f:/etc/audit/auditd.conf -> r:^\\s*action_mail_acct\\s*=\\s*root"
  - "f:/etc/audit/auditd.conf -> r:^\\s*admin_space_left_action\\s*=\\s*(halt|single))"
  ```
- `4.1.3.2`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a\s*always,exit && r:-F\s*arch=b(64|32) && r:-C\s*(euid!=uid|uid!=euid) && r:-F\s*auid!=(unset|-1|4294967295) && r:-S\s*execve && r:(key= |-k)\s*.+$'
  ```
- `4.1.3.4`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a\s*always,exit && r:-F\s*arch=b(64|32) && r:-S\s*(adjtimex|settimeofday|clock_settime) && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/localtime && r:-p\s*wa && r:(key= |-k)\s*.+$'
  ```
- `4.1.3.5`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a\s*always,exit && r:-F\s*arch=b(64|32) && r:-S\s*(setdomainname|sethostname) && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/issue && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/issue.net && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/networks && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/network/ && r:-p\s*wa && r:(key= |-k)\s*.+$'
  ```
- `4.1.3.8`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/group && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/passwd && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/gshadow && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/shadow && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/security/opasswd && r:-p\s*wa && r:(key= |-k)\s*.+$'
  ```
- `4.1.3.11`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/var/run/utmp && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/var/log/wtmp && r:-p\s*wa && r:(key= |-k)\s*.+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/var/log/btmp && r:-p\s*wa && r:(key= |-k)\s*.+$'
  ```
- `4.1.3.12`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/var/run/faillock && r:-p\s*wa && r:(key= |-k)\s*\w+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/var/log/lastlog && r:-p\s*wa && r:(key= |-k)\s*\w+$'
  ```
- `4.1.3.14`:
  ```
  - "d:/etc/audit/rules.d"
  - 'd:/etc/audit/rules.d -> r:\.+.rules$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/apparmor/ && r:-p\s*wa && r:(key= |-k)\s*\w+$'
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-w\s*/etc/apparmor.d/ && r:-p\s*wa && r:(key= |-k)\s*\w+$'
  ```
- `4.1.4.3`:
  ```
  - 'f:/etc/audit/auditd.conf -> r:log_group\h*= && !r:(adm|root)'
  ```

Inconsistent use of \s special character :black_circle:

Different characters are necessary: https://github.com/wazuh/wazuh-qa/issues/3449#issuecomment-1308978760
4.1.1.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:
```
root@ip-172-31-7-90:/home/qa# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' auditd audispd-plugins
audispd-plugins unknown ok not-installed    not-installed
auditd  install ok installed        installed
```

Expected Failed - :green_circle:
```
{"timestamp":"2022-11-09T11:56:42.781+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure auditd is installed.","id":"19007","firedtimes":56,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.1.1"],"cis_csc_v7":["6.2"],"cis_csc_v8":["8.5"],"mitre_techniques":["T1562","T1562.001"],"mitre_tactics":["TA0005"],"nist_sp_800-53":["AU-3(1)","AU-7"],"soc_2":["CC5.2","CC7.2"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667995002.324116","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1879328883","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28590","title":"Ensure auditd is installed.","description":"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk.","rationale":"The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.","remediation":"Run the following command to Install auditd # apt install auditd audispd-plugins.","compliance":{"cis":"4.1.1.1","cis_csc_v7":"6.2","cis_csc_v8":"8.5","mitre_techniques":"T1562,T1562.001","mitre_tactics":"TA0005","cmmc_v2":{"0":"AU.L2-3.3.1"},"pci_dss_3":{"2":{"1":"10.1,10.2.2,10.2.4,10.2.5,10.3"}},"pci_dss_4":{"0":"9.4.5,10.2,10.2.1,10.2.1.2,10.2.1.5"},"nist_sp_800-53":"AU-3(1),AU-7","soc_2":"CC5.2,CC7.2"},"command":["dpkg-query -s auditd","dpkg-query -s audispd-plugins"],"result":"failed"}}},"location":"sca"}
```
4.1.1.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:
```
root@ip-172-31-7-90:/home/qa# systemctl is-enabled auditd
enabled
root@ip-172-31-7-90:/home/qa# systemctl is-active auditd
active
```

Expected Passed - :green_circle:
```
{"timestamp":"2022-11-09T11:56:42.791+0000","rule":{"level":3,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure auditd service is enabled and active.","id":"19008","firedtimes":35,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.1.2"],"cis_csc_v7":["6.2","6.3"],"cis_csc_v8":["8.2"],"mitre_techniques":["T1562","T1562.001"],"mitre_tactics":["TA0005"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667995002.326776","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1879328883","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28591","title":"Ensure auditd service is enabled and active.","description":"Turn on the auditd daemon to record system events.","rationale":"The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.","remediation":"Run the following command to enable and start auditd: # systemctl --now enable auditd.","compliance":{"cis":"4.1.1.2","cis_csc_v7":"6.2,6.3","cis_csc_v8":"8.2","mitre_techniques":"T1562,T1562.001","mitre_tactics":"TA0005","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7"},"command":["systemctl is-enabled auditd","systemctl is-active auditd"],"result":"passed"}}},"location":"sca"}
```
4.1.1.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Rules do not correspond to the CIS audit. The check is marked as failed using the CIS audit command:
  ```
  find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -v 'audit=1'
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  ```
  But it is marked as passed by SCA.

Expected Failed - :red_circle:
```
{"timestamp":"2022-11-09T11:56:42.801+0000","rule":{"level":3,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure auditing for processes that start prior to auditd is enabled","id":"19008","firedtimes":36,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.1.3"],"cis_csc_v7":["6.2"],"cis_csc_v8":["8.2"],"mitre_techniques":["T1562","T1562.001"],"mitre_tactics":["TA0005"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667995002.329410","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1879328883","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28592","title":"Ensure auditing for processes that start prior to auditd is enabled","description":"Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.","rationale":"Audit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.","remediation":"Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: Example: GRUB_CMDLINE_LINUX=\"audit=1\" Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"4.1.1.3","cis_csc_v7":"6.2","cis_csc_v8":"8.2","mitre_techniques":"T1562,T1562.001","mitre_tactics":"TA0005","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7"},"file":["/boot/grub/grub.cfg"],"result":"passed"}}},"location":"sca"}
```
4.1.1.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Do not include the default value in the remediation field.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Rules do not correspond to the CIS audit. The check is marked as failed using the CIS audit command:
  ```
  root@ip-172-31-7-90:/home/qa# find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -Pv 'audit_backlog_limit=\d+\b'
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.15.0-1015-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.15.0-1004-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1
  linux /boot/vmlinuz-5.13.0-1021-aws root=PARTUUID=5198cbc0-01 ro recovery nomodeset dis_ucode_ldr panic=-1
  ```
  Also, it uses `\\s` instead of `\s`.

4.1.2.1 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle: Wrong CIS ID, expected `4.1.2.1`. Current: `4.1.2.2`.
- **References**: :green_circle:
- **Rules**: :green_circle:

Expected Failed - :green_circle:
```
{"timestamp":"2022-11-09T11:56:42.831+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure audit logs are not automatically deleted.","id":"19007","firedtimes":58,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.2.2"],"cis_csc_v7":["6.4"],"cis_csc_v8":["8.3"],"mitre_techniques":["T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1053"],"soc_2":["A1.1"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667995002.339499","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1879328883","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28595","title":"Ensure audit logs are not automatically deleted.","description":"The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.","rationale":"In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.","remediation":"Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs.","compliance":{"cis":"4.1.2.2","cis_csc_v7":"6.4","cis_csc_v8":"8.3","mitre_techniques":"T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1053","pci_dss_3":{"2":{"1":"10.7"}},"soc_2":"A1.1"},"file":["/etc/audit/auditd.conf"],"directory":["/etc/audit"],"result":"failed"}}},"location":"sca"}
```
4.1.2.2 :green_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
4.1.2.3 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information. Also, extra white space is included.

Expected Failed - :green_circle:
```
{"timestamp":"2022-11-09T11:56:42.841+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure system is disabled when audit logs are full.","id":"19007","firedtimes":59,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.2.3"],"cis_csc_v7":["6.4"],"cis_csc_v8":["8.2","8.3"],"mitre_techniques":["T1562","T1562.006"],"mitre_tactics":["TA0005"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667995002.342002","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1879328883","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28596","title":"Ensure system is disabled when audit logs are full.","description":"The auditd daemon can be configured to halt the system when the audit logs are full. The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt. ignore, the audit daemon does nothing Syslog, the audit daemon will issue a warning to syslog Suspend, the audit daemon will stop writing records to the disk single, the audit daemon will put the computer system in single user mode halt, the audit daemon will shutdown the system.","rationale":"In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.","remediation":"Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root set admin_space_left_action to either halt or single in /etc/audit/auditd.conf. Example: admin_space_left_action = halt.","compliance":{"cis":"4.1.2.3","cis_csc_v7":"6.4","cis_csc_v8":"8.2,8.3","mitre_techniques":"T1562,T1562.006","mitre_tactics":"TA0005","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7"},"file":["/etc/audit/auditd.conf"],"directory":["/etc/audit"],"result":"failed"}}},"location":"sca"}
```

4.1.3.1 :red_circle:

- **Title**: :green_circle:
- **Description**: :red_circle: Replace `administrations` by `administrators`.
- **Rationale**: :red_circle:

  Current:
  ```
  rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
  ```
  Expected:
  ```
  rationale: "Changes in the /etc/sudoers file and /etc/sudoers.d can indicate that an unauthorized change has been made to the scope of system administrator activity."
  ```
- **Remediation**: :red_circle: Wrong remediation.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:
```
root@ip-172-31-7-90:/home/qa# auditctl -l | awk '/^ *-w/ && /\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
root@ip-172-31-7-90:/home/qa# auditctl -l | awk '/^ *-w/ && /\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
```

Expected Passed - :green_circle:
```
{"timestamp":"2022-11-09T12:37:51.547+0000","rule":{"level":3,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure changes to system administration scope (sudoers) is collected.: Status changed from failed to passed","id":"19010","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.3.1"],"cis_csc_v7":["4.8"],"cis_csc_v8":["8.5"],"mitre_techniques":["T1562","T1562.006"],"mitre_tactics":["TA0004"],"mitre_mitigations":["M1047"],"nist_sp_800-53":["AU-3(1)","AU-7"],"soc_2":["CC5.2","CC7.2"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1667997471.402563","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"733162663","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28597","title":"Ensure changes to system administration scope (sudoers) is collected.","description":"Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\". Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.","rationale":"Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity.","remediation":"Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules Example: vi /etc/audit/rules.d/50-scope.rules Add the following lines: -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope","compliance":{"cis":"4.1.3.1","cis_csc_v7":"4.8","cis_csc_v8":"8.5","mitre_techniques":"T1562,T1562.006","mitre_tactics":"TA0004","mitre_mitigations":"M1047","cmmc_v2":{"0":"AU.L2-3.3.1"},"pci_dss_3":{"2":{"1":"10.1,10.2.2,10.2.4,10.2.5,10.3"}},"pci_dss_4":{"0":"9.4.5,10.2,10.2.1,10.2.1.2,10.2.1.5"},"nist_sp_800-53":"AU-3(1),AU-7","soc_2":"CC5.2,CC7.2"},"directory":["/etc/audit/rules.d"],"command":["auditctl -l"],"result":"passed","previous_result":"failed"}}},"location":"sca"}
```
4.1.3.2 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Wrong rule. Using the CIS audit command, the check passed:
  ```
  awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
  -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
  -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
  ```
  However, using SCA, the check is marked as failed.
  ```
  - 'd:/etc/audit/rules.d -> r:\.+.rules$ -> r:^-a\s*always,exit && r:-F\s*arch=b(64|32) && r:-C\s*(euid!=uid|uid!=euid) && r:-F\s*auid!=(unset|-1|4294967295) && r:-S\s*execve && r:(key= |-k)\s*.+$'
  ```
  The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.
4.1.3.4 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.

4.1.3.5 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.

4.1.3.8 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.

4.1.3.11 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Additional information was not added.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.

4.1.3.12 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Additional information was not added.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.

4.1.3.14 :red_circle:

- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Additional information was not included.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rule uses alternation in a group, which is not allowed, so the check is always marked as failed. Review `Multiple rules use not supported alternation in a group` for more information.
4.1.3.20 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Use `\s+` instead of `\h+`

Expected Passed - :red_circle:

```
{"timestamp":"2022-11-09T13:59:22.588+0000","rule":{"level":7,"description":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Ensure the audit configuration is immutable","id":"19007","firedtimes":65,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.1.3.20"],"cis_csc_v7":["6.2","6.3"],"cis_csc_v8":["3.3","8.5"],"mitre_techniques":["T1562","T1562.001"],"mitre_tactics":["TA0005"],"nist_sp_800-53":["AU-3(1)","AU-7"],"soc_2":["CC5.2","CC7.2"]},"agent":{"id":"000","name":"ip-172-31-7-90"},"manager":{"name":"ip-172-31-7-90"},"id":"1668002362.793729","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"758565085","policy":"SCA policy for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","check":{"id":"28605","title":"Ensure the audit configuration is immutable","description":"Set system audit so that audit rules cannot be modified with auditctl . Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. Note: This setting will require the system to be rebooted to update the active auditd configuration settings.","rationale":"In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. 
Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes.","remediation":"Edit or create the file /etc/audit/rules.d/99-finalize.rules and add the line -e 2 at the end of the file: Example: # printf -- \"-e 2 \" >> /etc/audit/rules.d/99-finalize.rules Load audit rules Merge and load the rules into active configuration: # augenrules --load Check if reboot is required. # if [[ $(auditctl -s | grep \"enabled\") =~ \"2\" ]]; then printf \"Reboot required to load rules\\ \"; fi Additional Information: NIST SP 800-53 Rev. 5: AC-3 AU-3 AU-3(1) MP-2","compliance":{"cis":"4.1.3.20","cis_csc_v7":"6.2,6.3","cis_csc_v8":"3.3,8.5","mitre_techniques":"T1562,T1562.001","mitre_tactics":"TA0005","cmmc_v2":{"0":"AU.L2-3.3.1"},"pci_dss_3":{"2":{"1":"10.1,10.2.2,10.2.4,10.2.5,10.3"}},"pci_dss_4":{"0":"9.4.5,10.2,10.2.1,10.2.1.2,10.2.1.5"},"nist_sp_800-53":"AU-3(1),AU-7","soc_2":"CC5.2,CC7.2"},"directory":["/etc/audit/rules.d"],"result":"failed"}}},"location":"sca"}
```
Rebits commented 1 year ago

Update - 09/11/2022

72nomada commented 1 year ago
Rebits commented 1 year ago

Testing after requested changes :red_circle:


Results

4.1.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The CIS audit command refers not only to `/boot/grub/grub.cfg` but to all the files in the /boot directory.

4.1.1.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Do not include the default value in the remediation field
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The rules do not correspond to the CIS audit. The check is marked as failed using the CIS audit command:
  - CIS audits all files in the boot directory
  - The parameter to check is `audit_backlog_limit`
4.1.3.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle: Replace `administrations` with `administrators`
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Incomplete remediation. It is also required to include additional information
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
4.1.3.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Missing rules to ensure `-w /etc/hosts -p wa -k system-locale`

4.1.3.8 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.11 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Additional information was not included.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.12 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Additional information was not added
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.14 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.20 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rebits commented 1 year ago

Update - 09/11/2022

72nomada commented 1 year ago

4.1.1.3

It refers to files named grub.cfg. The rule was changed to comply with CIS. Solved

4.1.1.4 Solved
4.1.3.1 Solved
4.1.3.5 Solved
4.1.3.11 Solved
4.1.3.12 Solved

Rebits commented 1 year ago

Testing after requested changes :red_circle:


4.1.1.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.1.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The CIS audit command uses the following regex:
  ```
  grep -Ph -- '^\h*linux' {} + | grep -Pv 'audit_backlog_limit=\d+\b'
  ```
  Currently, the following rule is used:
  ```
  - 'not d:/boot -> r:\.*grub.cfg -> r:^\s*\t*/boot && r:audit_backlog_limit=\d+'
  ```
  `/boot` is not expected.

4.1.3.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Unsupported regex:
  ```
  r:^\s*\t*-a\s*always,exit|^\s*\t*-a\s*exit,always && r:-F\s*arch=b64|-F\s*arch=b32 && r:-S\s*(setdomainname|sethostname) && r:key=\s*\.+$|-k\s*\.+$
  ```
  `(setdomainname|sethostname)` is not available for OS_REGEX

4.1.3.11 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.3.12 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
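Because OS_REGEX does not accept alternation inside a group, as the 4.1.3.5 review point above shows, one way to verify the network-environment rules without any regex alternation at all is to tokenise each auditd rule line and compare the parsed fields with the required set. The script below is an added example written for this thread; it is not code from the issue, the PR, or the Wazuh SCA policy. Its rules file content is constructed, `sethostname`/`setdomainname`, the b64/b32 arches and the `/etc/hosts` watch are the values named in the thread, and the two extra watch paths in `REQUIRED_WATCHES` are an assumption about the benchmark's full list that should be checked against the CIS text.

```python
import shlex

# Constructed auditd rules file (not taken from the page). The b64 rule covers
# both syscalls, the b32 rule covers only sethostname, and the /etc/hosts
# watch is missing, so the check below reports exactly two gaps.
SAMPLE_RULES = """\
## Network environment rules (constructed sample)
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
"""

REQUIRED_SYSCALLS = {"sethostname", "setdomainname"}   # named in the thread's rule
REQUIRED_ARCHES = {"b64", "b32"}                       # named in the thread's rule
# /etc/hosts is the path the thread names; /etc/issue and /etc/issue.net are an
# assumption about the rest of the benchmark's list.
REQUIRED_WATCHES = {"/etc/hosts", "/etc/issue", "/etc/issue.net"}


def parse_rule(line):
    """Tokenise one auditd rule line into a dict.

    kind is 'syscall' for '-a always,exit' rules (either token order, as the
    thread's regex allows), 'watch' for '-w' rules, or None otherwise.
    Comments and blank lines return None.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    rule = {"kind": None, "arch": None, "syscalls": set(),
            "path": None, "perms": None, "key": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-a" and arg is not None:
            if set(arg.split(",")) == {"always", "exit"}:
                rule["kind"] = "syscall"
        elif tok == "-F" and arg is not None:
            name, _, value = arg.partition("=")
            if name == "arch":
                rule["arch"] = value
            elif name == "key":          # '-F key=' is the same as '-k'
                rule["key"] = value
        elif tok == "-S" and arg is not None:
            rule["syscalls"].update(arg.split(","))  # '-S a,b' or repeated -S
        elif tok == "-w" and arg is not None:
            rule["kind"], rule["path"] = "watch", arg
        elif tok == "-p" and arg is not None:
            rule["perms"] = arg
        elif tok == "-k" and arg is not None:
            rule["key"] = arg
        else:
            i += 1          # flag without an argument: step one token
            continue
        i += 2              # every handled flag consumes its argument
    return rule


def check_network_environment(rules_text):
    """Return the required rules that are not present (empty list = pass).

    A syscall counts as covered for an arch only by a keyed 'always,exit'
    rule for that arch; a path only by a keyed watch with at least 'wa'.
    """
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    missing = []
    for arch in sorted(REQUIRED_ARCHES):
        covered = set()
        for r in rules:
            if r["kind"] == "syscall" and r["arch"] == arch and r["key"]:
                covered |= r["syscalls"] & REQUIRED_SYSCALLS
        for syscall in sorted(REQUIRED_SYSCALLS - covered):
            missing.append(f"-a always,exit -F arch={arch} -S {syscall}")
    watched = {r["path"] for r in rules
               if r["kind"] == "watch" and r["key"] and r["perms"]
               and {"w", "a"} <= set(r["perms"])}
    for path in sorted(REQUIRED_WATCHES - watched):
        missing.append(f"-w {path} -p wa")
    return missing


if __name__ == "__main__":
    gaps = check_network_environment(SAMPLE_RULES)
    for item in gaps or ["all required rules present"]:
        print(item)
```

Parsing the fields also makes the check independent of token spacing and of `-S a,b` versus two separate `-S` flags, which a line-oriented regex has to anticipate explicitly.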
fabamatic commented 1 year ago

Corrected errors in 4.1.1.4 and 4.1.3.5

Rebits commented 1 year ago

Testing after requested changes :red_circle:


4.1.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Detected some errors in rules:
  ```
  - 'not d:/boot -> r:\.*grub.cfg -> r:^\s*\t*linux && r:audit=1'
  ```
  - The rule should not be negated.
  - We are ensuring that processes are capable of being audited. The current rule only checks one line.

4.1.1.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: Some errors were detected in the current rules:
  ```
  - 'not d:/boot -> r:\.*grub.cfg -> r:audit_backlog_limit=\d+'
  ```
  - The rule should not be negated.
  - The current rule only checks one line.

Expected Passed - :red_circle:

4.1.3.5 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
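The two rule problems raised above for 4.1.1.3 and 4.1.1.4 (a negated rule, and a rule that is satisfied as soon as any one line matches) both come down to the semantics of the CIS audit: every `linux` line in every `grub.cfg` under /boot must carry the parameter, and the `grep ... | grep -Pv` pipeline passes only when it prints nothing. The following Python script is an added example written for this thread, not code from the issue, the PR, or the Wazuh SCA policy. It reproduces that audit over constructed grub.cfg contents (the paths, UUIDs and kernel lines are made up) and contrasts it with the weaker any-one-line check, which wrongly passes on the same input. Python's `re` has no `\h`, so the CIS `^\h*linux` is spelled `^[ \t]*linux` here.

```python
import re

# Constructed grub.cfg contents keyed by path, standing in for the files named
# grub.cfg under /boot (not taken from any real system or from the page).
# The recovery entry lacks audit_backlog_limit, so 4.1.1.4 must fail.
SAMPLE_BOOT = {
    "/boot/grub/grub.cfg": (
        "set default=0\n"
        "menuentry 'Ubuntu' {\n"
        "\tlinux\t/vmlinuz-5.15.0-52-generic root=UUID=0000 ro audit=1 audit_backlog_limit=8192\n"
        "\tinitrd\t/initrd.img-5.15.0-52-generic\n"
        "}\n"
        "menuentry 'Ubuntu (recovery mode)' {\n"
        "\tlinux\t/vmlinuz-5.15.0-52-generic root=UUID=0000 ro recovery nomodeset audit=1\n"
        "}\n"
    ),
    # EFI stub config: no kernel lines at all, so it contributes nothing.
    "/boot/efi/EFI/ubuntu/grub.cfg": (
        "search.fs_uuid 1111 root\n"
        "set prefix=($root)'/boot/grub'\n"
        "configfile $prefix/grub.cfg\n"
    ),
    # Not named grub.cfg, so it is skipped even though it looks like one.
    "/boot/grub/grub.cfg.old": "\tlinux\t/vmlinuz-old ro\n",
}

# CIS writes '^\h*linux'; Python's re has no \h (PCRE horizontal whitespace),
# so it is spelled out. Within one line \s would match the same characters,
# which is the \h+ versus \s+ point raised for 4.1.3.20 above.
KERNEL_LINE = re.compile(r"^[ \t]*linux\b")
AUDIT_ENABLED = re.compile(r"\baudit=1\b")                  # 4.1.1.3
BACKLOG_LIMIT = re.compile(r"\baudit_backlog_limit=\d+\b")  # 4.1.1.4


def kernel_lines(files):
    """Yield (path, line) for every 'linux' line of every file named grub.cfg."""
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] != "grub.cfg":
            continue
        for line in content.splitlines():
            if KERNEL_LINE.match(line):
                yield path, line.strip()


def offending_lines(files, param):
    """Kernel lines missing the parameter: what 'grep ... | grep -Pv' prints.

    The benchmark passes only when this list is empty, i.e. the condition
    must hold on every kernel line, not just on one of them.
    """
    return [(path, line) for path, line in kernel_lines(files)
            if not param.search(line)]


def audit_result(files, param):
    """'passed' or 'failed' with the CIS all-lines semantic."""
    return "passed" if not offending_lines(files, param) else "failed"


def any_line_has(files, param):
    """The weaker 'some line matches' semantic of the rule quoted above; it
    passes as long as a single menu entry is configured correctly."""
    return any(param.search(line) for _, line in kernel_lines(files))


if __name__ == "__main__":
    checks = (("4.1.1.3 audit=1", AUDIT_ENABLED),
              ("4.1.1.4 audit_backlog_limit", BACKLOG_LIMIT))
    for name, param in checks:
        print(name, audit_result(SAMPLE_BOOT, param),
              "(any-line semantic would give:", any_line_has(SAMPLE_BOOT, param), ")")
        for path, line in offending_lines(SAMPLE_BOOT, param):
            print("  missing in", path, ":", line)
```

On the constructed input 4.1.1.3 passes (both kernel lines carry `audit=1`) while 4.1.1.4 fails on the recovery entry, yet the any-line check reports `True` for both parameters, which is exactly the false pass the reviewer describes.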
72nomada commented 1 year ago

4.1.1.3 Solved
4.1.1.4 Solved

Rebits commented 1 year ago

Testing after requested changes :red_circle:


Empty rule in 4.1.1.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle:
  ```
  rules:
    - "c:dpkg-query -s auditd -> r:install ok installed"
    - "c:dpkg-query -s audispd-plugins -> r:install ok installed"
    -
  ```

4.1.1.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

4.1.1.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rebits commented 1 year ago

Testing after requested changes :green_circle:


4.1.1.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Output:
```
```

Expected - :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

The development is approved since all the proposed fixes and improvements have been implemented in this current development: