wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Red Hat Enterprise Linux 9 SCA policy rework - checks 1 to 1.2.4 #3815

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3391 | https://github.com/wazuh/wazuh/pull/16016 |
| Check Id and Name | Status | Ready for QA |
|---|---|---|
| 1 Initial Setup | | |
| 1.1 Filesystem Configuration | | |
| 1.1.1 Disable unused filesystems | | |
| 1.1.1.1 Ensure mounting of squashfs filesystems is disabled (Automated) | ⚫ | |
| 1.1.1.2 Ensure mounting of udf filesystems is disabled (Automated) | ⚫ | |
| 1.1.2 Configure /tmp | | |
| 1.1.2.1 Ensure /tmp is a separate partition (Automated) | 🟒 | 🟒 |
| 1.1.2.2 Ensure nodev option set on /tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.2.3 Ensure noexec option set on /tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.2.4 Ensure nosuid option set on /tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.3 Configure /var | | |
| 1.1.3.1 Ensure separate partition exists for /var (Automated) | 🟒 | 🟒 |
| 1.1.3.2 Ensure nodev option set on /var partition (Automated) | 🟒 | 🟒 |
| 1.1.3.3 Ensure nosuid option set on /var partition (Automated) | 🟒 | 🟒 |
| 1.1.4 Configure /var/tmp | | |
| 1.1.4.1 Ensure separate partition exists for /var/tmp (Automated) | 🟒 | 🟒 |
| 1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated) | 🟒 | 🟒 |
| 1.1.5 Configure /var/log | | |
| 1.1.5.1 Ensure separate partition exists for /var/log (Automated) | 🟒 | 🟒 |
| 1.1.5.2 Ensure nodev option set on /var/log partition (Automated) | 🟒 | 🟒 |
| 1.1.5.3 Ensure noexec option set on /var/log partition (Automated) | 🟒 | 🟒 |
| 1.1.5.4 Ensure nosuid option set on /var/log partition (Automated) | 🟒 | 🟒 |
| 1.1.6 Configure /var/log/audit | | |
| 1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated) | 🟒 | 🟒 |
| 1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated) | 🟒 | 🟒 |
| 1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated) | 🟒 | 🟒 |
| 1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated) | 🟒 | 🟒 |
| 1.1.7 Configure /home | | |
| 1.1.7.1 Ensure separate partition exists for /home (Automated) | 🟒 | 🟒 |
| 1.1.7.2 Ensure nodev option set on /home partition (Automated) | 🟒 | 🟒 |
| 1.1.7.3 Ensure nosuid option set on /home partition (Automated) | 🟒 | 🟒 |
| 1.1.8 Configure /dev/shm | | |
| 1.1.8.1 Ensure /dev/shm is a separate partition (Automated) | 🟒 | 🟒 |
| 1.1.8.2 Ensure nodev option set on /dev/shm partition (Automated) | 🟒 | 🟒 |
| 1.1.8.3 Ensure noexec option set on /dev/shm partition (Automated) | 🟒 | 🟒 |
| 1.1.8.4 Ensure nosuid option set on /dev/shm partition (Automated) | 🟒 | 🟒 |
| 1.1.9 Disable USB Storage (Automated) | 🟒 | 🟒 |
| 1.2 Configure Software Updates | | |
| 1.2.1 Ensure GPG keys are configured (Manual) | 🟒 | 🟒 |
| 1.2.2 Ensure gpgcheck is globally activated (Automated) | 🟒 | 🟒 |
| 1.2.3 Ensure package manager repositories are configured (Manual) | 🟒 | 🟒 |
| 1.2.4 Ensure repo_gpgcheck is globally activated (Manual) | 🟒 | 🟒 |
Rebits commented 1 year ago

Tester review

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16016/commits/b49ba8186da356d52343651f2211550ebb9bfa6a

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| RHEL | 9 | Vagrant | roboxes/rhel9 | |

Tested packages

| wazuh-manager |
|---|
| wazuh-managerv-4.4.0-1 |

Note: Due to the lack of packages for the development branch, a 4.4.0 version has been used, replacing the RHEL policies.

Status

Rebits commented 1 year ago

Testing results

Note: There are discrepancies between different CIS sources. After a meeting with @72nomada, we have agreed to use https://www.cisecurity.org/controls/cis-controls-navigator for compliance verification. However, for this testing we have used the sources specified in the preconditions section, so we should manually check every detected compliance error, especially the ISO values.

Preconditions

### Compliance review

Compliance validation has been performed using the following CIS mapping:

- **PCI DSS v3.2.1**: https://learn.cisecurity.org/CIS-Controls-and-Sub-Controls-Mapping-To-PCI-DSS-v1.0-excel
- **PCI DSS v4.0**: https://learn.cisecurity.org/CIS-Controls-v8-Mapping-to-PCI-DSS
- **SOC2**: https://learn.cisecurity.org/CIS-Controls-v8-SOC2-Mapping
- **HIPAA**: https://learn.cisecurity.org/CIS-Controls-v8-HIPAA-Mapping
- **ISO**: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a
- **NIST_800_53**: https://learn.cisecurity.org/CIS-Controls-v8-nist-sp-800-53-mapping
- **CMMC v2**: https://learn.cisecurity.org/CIS-Controls-v8-Mapping-to-CMMC
1.1.1.1 :black_circle:
Not implemented. Expected due to SCA limitations
1.1.1.2 :black_circle:
Not implemented. Expected due to SCA limitations
1.1.2.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,seclabel,size=2097152k,inode64
[root@rhel9 vagrant]# systemctl is-enabled tmp.mount
generated
```

Result

```
{"timestamp":"2023-02-22T14:37:33.038+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure /tmp is a separate partition.","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.2.1"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"nist_sp_800-53":["CM-7"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677076653.2006","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"535336894","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28000","title":"Ensure /tmp is a separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment. /tmp defaults,nodev,nosuid,noexec 0 0.","compliance":{"cis":"1.1.2.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_sp_800-53":"CM-7","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":["findmnt --kernel /tmp","systemctl is-enabled tmp.mount"],"result":"passed"}}},"location":"sca"}
```
1.1.2.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,seclabel,size=2097152k,inode64
```

Expected result

```
{"timestamp":"2023-02-22T14:37:33.048+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /tmp partition.","id":"19008","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.2.2"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"nist_sp_800-53":["CM-7"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677076653.7190","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"535336894","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28001","title":"Ensure nodev option set on /tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.2","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_sp_800-53":"CM-7","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /tmp"],"result":"passed"}}},"location":"sca"}
```
1.1.2.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,seclabel,size=2097152k,inode64
```

Expected result

```
{"timestamp":"2023-02-22T14:37:33.059+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure noexec option set on /tmp partition.","id":"19008","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.2.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1204","T1204.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677076653.10046","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"535336894","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28002","title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /tmp"],"result":"passed"}}},"location":"sca"}
```
1.1.2.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,seclabel,size=2097152k,inode64
```

Expected result

```
{"timestamp":"2023-02-22T14:37:33.069+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /tmp partition.","id":"19008","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.2.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677076653.13099","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"535336894","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28003","title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp.","compliance":{"cis":"1.1.2.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /tmp"],"result":"passed"}}},"location":"sca"}
```
1.1.3.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /var
[root@rhel9 vagrant]#
```

Expected result

```
{"timestamp":"2023-02-22T14:46:49.565+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure separate partition exists for /var.","id":"19007","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.3.1"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0006"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.35169","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28004","title":"Ensure separate partition exists for /var.","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"The reasoning for mounting /var on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.3.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0006"},"references":"AJ Lewis, \"LVM HOWTO\", http://tldp.org/HOWTO/LVM-HOWTO/","command":["findmnt --kernel /var"],"result":"failed"}}},"location":"sca"}
```
1.1.3.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /var
[root@rhel9 vagrant]#
```

Expected result

```
{"timestamp":"2023-02-22T14:46:49.575+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /var partition.","id":"19007","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.3.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.40732","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28005","title":"Ensure nodev option set on /var partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var"],"result":"failed"}}},"location":"sca"}
```
1.1.3.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /var
[root@rhel9 vagrant]#
```

Expected result

```
{"timestamp":"2023-02-22T14:46:49.586+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /var partition.","id":"19007","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.3.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.43767","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28006","title":"Ensure nosuid option set on /var partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var"],"result":"failed"}}},"location":"sca"}
```
1.1.4.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /var/tmp
[root@rhel9 vagrant]#
```

Expected result

```
{"timestamp":"2023-02-22T14:46:49.596+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure separate partition exists for /var/tmp.","id":"19007","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.4.1"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.46804","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28007","title":"Ensure separate partition exists for /var/tmp.","description":"The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots.","rationale":"The reasoning for mounting /var/tmp on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause potential disruption to daemons as the disk is full. - Fine grained control over the mount: Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.4.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"references":"AJ Lewis, \"LVM HOWTO\", http://tldp.org/HOWTO/LVM-HOWTO/","command":["findmnt --kernel /var/tmp"],"result":"failed"}}},"location":"sca"}
```
1.1.4.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output

```
[root@rhel9 vagrant]# findmnt --kernel /var/tmp
[root@rhel9 vagrant]#
```

Expected result

```
{"timestamp":"2023-02-22T14:46:49.607+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure noexec option set on /var/tmp partition.","id":"19007","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.4.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1204","T1204.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.52413","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28008","title":"Ensure noexec option set on /var/tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/tmp"],"result":"failed"}}},"location":"sca"}
```
1.1.4.3 :green_circle: - **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :black_circle: - **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/tmp
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.617+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /var/tmp partition.","id":"19007","firedtimes":6,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.4.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.55538","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28009","title":"Ensure nosuid option set on /var/tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition.
Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/tmp"],"result":"failed"}}},"location":"sca"}
```

1.1.4.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/tmp
[root@rhel9 vagrant]#
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.627+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /var/tmp partition.","id":"19007","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.4.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.58637","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28010","title":"Ensure nodev option set on /var/tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition.
Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/tmp"],"result":"failed"}}},"location":"sca"}
```

1.1.5.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :red_circle:
  - Extra whitespace. Already reported in https://github.com/wazuh/wazuh/issues/15461#issuecomment-1435660990
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :black_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
  - ISO: No ISO value is mapped for the 8.3 CIS control
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.637+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure separate partition exists for /var/log.","id":"19007","firedtimes":8,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.5.1"],"cis_csc_v8":["8.3"],"cis_csc_v7":["6.4"],"iso_27001-2013":["A.12.4.1"],"soc_2":["A1.1"],"mitre_techniques":["TA0005","T1499","T1499.001"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.61764","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28011","title":"Ensure separate partition exists for /var/log.","description":"The /var/log directory is used by system services to store log data .","rationale":"The reasoning for mounting /var/log on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. - Fine grained control over the mount: Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of log data: As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log.
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.5.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","iso_27001-2013":"A.12.4.1","pci_dss_3":{"2":{"1":"10.7"}},"soc_2":"A1.1","mitre_techniques":"TA0005,T1499,T1499.001","mitre_mitigations":"M1022"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","command":["findmnt --kernel /var/log"],"result":"failed"}}},"location":"sca"}
```

1.1.5.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log
[root@rhel9 vagrant]#
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.648+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /var/log partition.","id":"19007","firedtimes":9,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.5.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1038"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.65837","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28012","title":"Ensure nodev option set on /var/log partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition.
Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"command":["findmnt --kernel /var/log"],"result":"failed"}}},"location":"sca"}
```

1.1.5.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.658+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure noexec option set on /var/log partition.","id":"19007","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.5.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1204","T1204.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.68944","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28013","title":"Ensure noexec option set on /var/log partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition.
Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/log"],"result":"failed"}}},"location":"sca"}
```

1.1.5.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log
[root@rhel9 vagrant]#
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.668+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /var/log partition.","id":"19007","firedtimes":11,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.5.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.72043","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28014","title":"Ensure nosuid option set on /var/log partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition.
Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/log"],"result":"failed"}}},"location":"sca"}
```

1.1.6.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :red_circle:
  Expected:
  ```
  The reasoning for mounting /var/log/audit on a separate partition is as follow.
  - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details.
  - Fine grained control over the mount: Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.
  - Protection of audit data: As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.
  ```
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :black_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
  - ISO: No mapped iso value for CIS 8.3
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log/audit
[root@rhel9 vagrant]#
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.678+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure separate partition exists for /var/log/audit.","id":"19007","firedtimes":12,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.6.1"],"cis_csc_v8":["8.3"],"cis_csc_v7":["6.4"],"iso_27001-2013":["A.12.4.1"],"soc_2":["A1.1"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.75116","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28015","title":"Ensure separate partition exists for /var/log/audit.","description":"The auditing daemon, auditd, stores log data in the /var/log/audit directory.","rationale":"The reasoning for mounting /var/log/audit on a separate partition is as follow. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.
- Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.6.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","iso_27001-2013":"A.12.4.1","pci_dss_3":{"2":{"1":"10.7"}},"soc_2":"A1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","command":["findmnt --kernel /var/log/audit"],"result":"failed"}}},"location":"sca"}
```

1.1.6.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log/audit
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.689+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure noexec option set on /var/log/audit partition.","id":"19007","firedtimes":13,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.6.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1204","T1204.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.80187","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28016","title":"Ensure noexec option set on /var/log/audit partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition.
Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/log/audit"],"result":"failed"}}},"location":"sca"}
```

1.1.6.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log/audit
[root@rhel9 vagrant]#
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.699+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /var/log/audit partition.","id":"19007","firedtimes":14,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.6.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.83300","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28017","title":"Ensure nodev option set on /var/log/audit partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition.
Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/log/audit"],"result":"failed"}}},"location":"sca"}
```

1.1.6.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /var/log/audit
```
Expected result
```
{"timestamp":"2023-02-22T14:46:49.709+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /var/log/audit partition.","id":"19007","firedtimes":15,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.6.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.86515","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28018","title":"Ensure nosuid option set on /var/log/audit partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition.
Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /var/log/audit"],"result":"failed"}}},"location":"sca"}
```

1.1.7.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :black_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details
Command output ``` [root@rhel9 vagrant]# findmnt --kernel /home [root@rhel9 vagrant]# ```
Alert ``` {"timestamp":"2023-02-22T14:46:49.720+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure separate partition exists for /home.","id":"19007","firedtimes":16,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.7.1"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1038"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.89656","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28019","title":"Ensure separate partition exists for /home.","description":"The /home directory is used to support disk storage needs of local users.","rationale":"The reasoning for mounting /home on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. - Fine grained control over the mount: Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limit an attacker's ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. 
See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of user data: As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.7.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"references":"AJ Lewis, \"LVM HOWTO\", https://tldp.org/HOWTO/LVM-HOWTO/","command":["findmnt --kernel /home"],"result":"failed"}}},"location":"sca"} ```
1.1.7.2 :green_circle:

Error in CIS policy rationale:
```
Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var
```
Expected:
```
Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home
```
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /home
[root@rhel9 vagrant]#
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.730+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /home partition.","id":"19007","firedtimes":17,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.7.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1038"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.94702","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28020","title":"Ensure nodev option set on /home partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. 
Example: /home defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"command":["findmnt --kernel /home"],"result":"failed"}}},"location":"sca"} ```
1.1.7.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /home
[root@rhel9 vagrant]#
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.740+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /home partition.","id":"19007","firedtimes":18,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.7.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.97755","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28021","title":"Ensure nosuid option set on /home partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. 
Example: /home defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /home"],"result":"failed"}}},"location":"sca"} ```
1.1.8.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :red_circle: Bad reference indentation
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,seclabel,inode64
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.750+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure /dev/shm is a separate partition.","id":"19008","firedtimes":5,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.8.1"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"nist_sp_800-53":["CM-7"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1499","T1499.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.100790","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28022","title":"Ensure /dev/shm is a separate partition.","description":"The /dev/shm directory is a world-writable directory that can function as shared memory that facilitates inter process communication (IPC).","rationale":"Making /dev/shm its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by mounting tmpfs to /dev/shm.","remediation":"For specific configuration requirements of the /dev/shm mount for your environment, modify /etc/fstab. 
Example of using tmpfs with specific mount options: tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0.","compliance":{"cis":"1.1.8.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_sp_800-53":"CM-7","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":["findmnt --kernel /dev/shm"],"result":"passed"}}},"location":"sca"} ```
1.1.8.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,seclabel,inode64
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.760+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nodev option set on /dev/shm partition.","id":"19008","firedtimes":6,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.8.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1200"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.104928","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28023","title":"Ensure nodev option set on /dev/shm partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /dev/shm"],"result":"passed"}}},"location":"sca"} ```
1.1.8.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,seclabel,inode64
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.771+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure noexec option set on /dev/shm partition.","id":"19007","firedtimes":19,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.8.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1204","T1204.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.108006","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28024","title":"Ensure noexec option set on /dev/shm partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: /dev/shm defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm. 
NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications.","compliance":{"cis":"1.1.8.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["findmnt --kernel /dev/shm"],"result":"failed"}}},"location":"sca"} ```
1.1.8.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
[root@rhel9 vagrant]# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,seclabel,inode64
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.782+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure nosuid option set on /dev/shm partition.","id":"19008","firedtimes":7,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.1.8.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1548","T1548.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1038"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.111422","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28025","title":"Ensure nosuid option set on /dev/shm partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1548, T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"command":["findmnt --kernel /dev/shm"],"result":"passed"}}},"location":"sca"} ```
1.1.9 :black_circle: Not implemented. Expected due to SCA limitations
1.2.1 :black_circle: Not implemented. Expected due to SCA limitations
1.2.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Extra whitespace at the end of the remediation command. Also, it is standard to include `.` at the end of each section, even if it is a command.
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  ISO: No mapped ISO value for CIS 8.3
- **References**: :black_circle:
- **Rules**: :red_circle: Corner case: the check does not take comments into account; replace the first rule with
  ```
  - "f:/etc/dnf/dnf.conf -> r:^gpgcheck=1"
  ```
  Also, it does not check for an invalid gpgcheck value (this will not affect the integrity of the environment, because the global configuration will be applied). Impossible to apply this logic because of SCA limitations.
Rules details
Command output
```
[root@rhel9 vagrant]# grep -Rh ^gpgcheck /etc/yum.repos.d/
gpgcheck=Testing
```
Alert ``` {"timestamp":"2023-02-22T14:46:49.802+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure gpgcheck is globally activated.","id":"19008","firedtimes":8,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.2.2"],"cis_csc_v8":["7.3"],"cis_csc_v7":["3.4"],"nist_sp_800-53":["SI-2"],"iso_27001-2013":["A.9.1.1"],"soc_2":["CC7.1"],"mitre_techniques":["T1195","T1195.001"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677077209.114488","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"724024244","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28026","title":"Ensure gpgcheck is globally activated.","description":"The gpgcheck option, found in the main section of the /etc/dnf/dnf.conf and individual /etc/yum.repos.d/* files, determines if an RPM package's signature is checked prior to its installation.","rationale":"It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source.","remediation":"Edit /etc/dnf/dnf.conf and set gpgcheck=1 in the [main] section. Example: # sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' /etc/dnf/dnf.conf. Edit any failing files in /etc/yum.repos.d/* and set all instances starting with gpgcheck to 1. Example: # find /etc/yum.repos.d/ -name \"*.repo\" -exec echo \"Checking:\" {} \\; -exec sed -i 's/^gpgcheck\\s*=\\s*.*/gpgcheck=1/' {} \\; ","compliance":{"cis":"1.2.2","cis_csc_v8":"7.3","cis_csc_v7":"3.4","nist_sp_800-53":"SI-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"SI.L1-3.14.1"},"pci_dss_3":{"2":{"1":"6.2"}},"soc_2":"CC7.1","mitre_techniques":"T1195,T1195.001","mitre_tactics":"TA0005"},"file":["/etc/dnf/dnf.conf"],"command":["grep -Rh ^gpgcheck /etc/yum.repos.d/"],"result":"passed"}}},"location":"sca"} ```
1.2.3 :black_circle: Not implemented. Impossible to automate
1.2.4 :black_circle: Not implemented. Impossible to automate
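The two rule shapes this review exercises (the `f:/etc/dnf/dnf.conf -> r:^gpgcheck=1` file rule proposed for 1.2.2 and the `findmnt --kernel` mount-option checks behind 1.1.7.x and 1.1.8.x), as an added example that is not part of this issue or of Wazuh's SCA engine: it is a simplified emulation of the `-> r:` regex semantics over constructed file contents and constructed `findmnt` output, and it also carries the invalid-`gpgcheck`-value check that the comment above says SCA itself cannot express.

```python
"""Emulate two SCA rule shapes from the RHEL 9 policy review on sample data.

Added example, not Wazuh code. `rule_matches` stands in for `-> r:<regex>`;
`mount_options` parses `findmnt --kernel <target>` output. All inputs below
are constructed here to reproduce the corner cases discussed in the review.
"""
import re
from typing import List, Optional, Set

# Constructed /etc/dnf/dnf.conf variants (not read from disk).
DNF_CONF_OK = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"
DNF_CONF_COMMENTED = "[main]\n# gpgcheck=1\ninstallonly_limit=3\n"
# Constructed repo file with the invalid value seen in the 1.2.2 command output.
REPO_FILE_BAD_VALUE = "[appstream]\nname=AppStream\ngpgcheck=Testing\n"
REPO_FILE_OK = "[baseos]\nname=BaseOS\ngpgcheck=1\n"
# Constructed findmnt output with the same options the review captured for
# /dev/shm (nosuid and nodev present, noexec absent).
FINDMNT_DEV_SHM = (
    "TARGET   SOURCE FSTYPE OPTIONS\n"
    "/dev/shm tmpfs  tmpfs  rw,nosuid,nodev,seclabel,inode64\n"
)
# findmnt prints nothing when the target is not a mount point (as for /home).
FINDMNT_HOME_MISSING = ""


def rule_matches(content: str, regex: str) -> bool:
    """Emulate `-> r:<regex>`: pass if any line of the content matches."""
    pattern = re.compile(regex)
    return any(pattern.search(line) for line in content.splitlines())


def gpgcheck_values(config: str) -> List[str]:
    """Return every uncommented gpgcheck value in a dnf/yum config.

    `grep -Rh ^gpgcheck` only shows that the key exists; collecting the value
    is what lets a checker flag `gpgcheck=Testing` instead of passing it.
    """
    values = []
    for line in config.splitlines():
        m = re.match(r"^\s*gpgcheck\s*=\s*(.*?)\s*$", line)
        if m:
            values.append(m.group(1))
    return values


def gpgcheck_globally_activated(dnf_conf: str, repo_files: List[str]) -> bool:
    """Stricter reading of check 1.2.2: dnf.conf must carry an uncommented
    gpgcheck=1 and every repo-level gpgcheck must be exactly 1."""
    if not rule_matches(dnf_conf, r"^gpgcheck=1"):
        return False
    return all(v == "1" for repo in repo_files for v in gpgcheck_values(repo))


def mount_options(findmnt_output: str) -> Optional[Set[str]]:
    """Parse `findmnt --kernel <target>` output into its option set.

    Returns None when there is no data row, i.e. the target is not its own
    mount point (checks 1.1.7.1 / 1.1.8.1 fail in that case).
    """
    lines = findmnt_output.strip().splitlines()
    if len(lines) < 2:
        return None
    return set(lines[1].split()[3].split(","))


def mount_option_set(findmnt_output: str, option: str) -> bool:
    """Check one option (nodev, nosuid, noexec) the way 1.1.8.2-1.1.8.4 do."""
    opts = mount_options(findmnt_output)
    return opts is not None and option in opts


if __name__ == "__main__":
    print("unanchored regex passes commented line:",
          rule_matches(DNF_CONF_COMMENTED, r"gpgcheck=1"))
    print("anchored regex passes commented line:",
          rule_matches(DNF_CONF_COMMENTED, r"^gpgcheck=1"))
    print("gpgcheck globally activated:",
          gpgcheck_globally_activated(DNF_CONF_OK, [REPO_FILE_BAD_VALUE]))
    print("/dev/shm noexec:", mount_option_set(FINDMNT_DEV_SHM, "noexec"))
```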
Rebits commented 1 year ago

Update 22/02/2023

Rebits commented 1 year ago

Testing results - Second review

During the first review, an automated script was used to check the compliance data. A bug was introduced and the pci_dss_3.2.1 value was not correctly validated. This second review details every check that includes wrong pci_dss_3 values.

1.1.2.1 :red_circle: **Expected**: `['1.2.1', '2.2.2', '2.2.5']` **Current**: `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
1.1.2.2 :red_circle: **Expected**: `['1.2.1', '2.2.2', '2.2.5']` **Current**: `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
1.1.8.1 :red_circle: **Expected**: `['1.2.1', '2.2.2', '2.2.5']` **Current**: `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
1.2.2 :red_circle: **Expected**: None **Current**: `["6.2"]`
jk-olaoluwa commented 1 year ago

As stated in this comment - https://github.com/wazuh/wazuh-qa/issues/3815#issuecomment-1442200903

1.1.2.1 🔴 - As per the compliance dictionary v8, the pci_dss_3.2.1 values are correct, so there is no need to change them
1.1.2.2 🔴 - As per the compliance dictionary v8, the pci_dss_3.2.1 values are correct, so there is no need to change them
1.1.8.1 🔴 - As per the compliance dictionary v8, the pci_dss_3.2.1 values are correct, so there is no need to change them
1.2.2 🔴 - As per the compliance dictionary v8, the pci_dss_3.2.1 values are correct, so there is no need to change them

@Rebits ping me if you need to cross check

https://github.com/wazuh/wazuh/commit/3c6f56709fb2bc17538cdb29b492f50fce7d9e8b

jk-olaoluwa commented 1 year ago

As stated in this comment - https://github.com/wazuh/wazuh-qa/issues/3815#issuecomment-1440526256

1.1.5.1 🔴 - Solved
1.1.6.1 🔴 - Solved
1.1.8.1 🔴 - Solved
1.2.2 🔴 - Solved

https://github.com/wazuh/wazuh/commit/3c6f56709fb2bc17538cdb29b492f50fce7d9e8b

Rebits commented 1 year ago

Testing results - Second review

As @jk-olaoluwa has noticed here, the pci_dss_3.2.1 values were correct. In the first review, I used the v7 compliance mapping instead of v8 due to a misunderstanding.

Note: as a result of this issue, this second review also includes an error detected in the compliance order of check 28004.

1.1.3.1 :red_circle: - **Compliance**: Wrong compliance values order. NIST should be placed after the cis_csc_v7 value and before ISO.
1.1.5.1 :green_circle: - **Description**: :green_circle:
1.1.6.1 :green_circle: - **Rationale**: :green_circle:
1.1.8.1 :green_circle: - **References**: :green_circle:
1.2.2 :red_circle: - **Remediation**: Currently, it is mandatory to include a `.` at the end of each section, even if it is a remediation command. If this is not expected, we should remove the `.` from all of the checks.
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3815#issuecomment-1449820511

1.1.3.1 🔴 - Solved
1.2.2 🔴 - We are going to leave the semi-colon; there is no need for a full stop.

Rebits commented 1 year ago

Testing results - Third review

All checks seem to be correct. The compliance order will be fixed in the last RHEL 9 SCA Policy commit. For now, the wrong compliance order should not be considered a failure.

jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The requested changes have been applied and appear to be working correctly.

Good work to both of you 😄