Closed 72nomada closed 1 year ago
Target version | Related issue | Related PR |
---|---|---|
4.4.x | #3391 | https://github.com/wazuh/wazuh/pull/16016 |
Check Id and Name | Status | Ready for QA |
---|---|---|
1.3 Filesystem Integrity Checking | ||
1.3.1 Ensure AIDE is installed (Automated) | 💚 | 💚 |
1.3.2 Ensure filesystem integrity is regularly checked (Automated) | 💚 | 💚 |
1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) | 💚 | 💚 |
1.4 Secure Boot Settings | ||
1.4.1 Ensure bootloader password is set (Automated) | 💚 | 💚 |
1.4.2 Ensure permissions on bootloader config are configured (Automated) | 💚 | 💚 |
1.5 Additional Process Hardening | ||
1.5.1 Ensure core dump storage is disabled (Automated) | 💚 | 💚 |
1.5.2 Ensure core dump backtraces are disabled (Automated) | 💚 | 💚 |
1.5.3 Ensure address space layout randomization (ASLR) is enabled (Automated) | 💚 | 💚 |
1.6 Mandatory Access Control | ||
1.6.1 Configure SELinux | ||
1.6.1.1 Ensure SELinux is installed (Automated) | 💚 | 💚 |
1.6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated) | 💚 | 💚 |
1.6.1.3 Ensure SELinux policy is configured (Automated) | 💚 | 💚 |
1.6.1.4 Ensure the SELinux mode is not disabled (Automated) | 💚 | 💚 |
1.6.1.5 Ensure the SELinux mode is enforcing (Automated) | 💚 | 💚 |
1.6.1.6 Ensure no unconfined services exist (Automated) | 💚 | 💚 |
1.6.1.7 Ensure SETroubleshoot is not installed (Automated) | 💚 | 💚 |
1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed (Automated) | 💚 | 💚 |
1.7 Command Line Warning Banners | ||
1.7.1 Ensure message of the day is configured properly (Automated) | 💚 | 💚 |
1.7.2 Ensure local login warning banner is configured properly (Automated) | 💚 | 💚 |
1.7.3 Ensure remote login warning banner is configured properly (Automated) | 💚 | 💚 |
1.7.4 Ensure permissions on /etc/motd are configured (Automated) | 💚 | 💚 |
1.7.5 Ensure permissions on /etc/issue are configured (Automated) | 💚 | 💚 |
1.7.6 Ensure permissions on /etc/issue.net are configured (Automated) | 💚 | 💚 |
1.8 GNOME Display Manager | ||
1.8.1 Ensure GNOME Display Manager is removed (Automated) | 💚 | 💚 |
1.8.2 Ensure GDM login banner is configured (Automated) | 💚 | 💚 |
1.8.3 Ensure GDM disable-user-list option is enabled (Automated) | 💚 | 💚 |
1.8.4 Ensure GDM screen locks when the user is idle (Automated) | 💚 | 💚 |
1.8.5 Ensure GDM screen locks cannot be overridden (Automated) | 💚 | 💚 |
1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) | 💚 | 💚 |
1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) | 💚 | 💚 |
1.8.8 Ensure GDM autorun-never is enabled (Automated) | 💚 | 💚 |
1.8.9 Ensure GDM autorun-never is not overridden (Automated) | 💚 | 💚 |
1.8.10 Ensure XDCMP is not enabled (Automated) | 💚 | 💚 |
1.9 Ensure updates, patches, and additional security software are installed (Manual) | 💚 | 💚 |
1.10 Ensure system-wide crypto policy is not legacy (Automated) | 💚 | 💚 |
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16016/commits/68323ce7575e8b5f561a440e16828e2588e37dec |
OS | OS version | Deployment | Image/AMI | Notes |
---|---|---|---|---|
RHEL | 9 | Vagrant | roboxes/rhel9 | |
wazuh-manager |
---|
wazuh-managerv-4.4.0-1 |
After the requested changes, the policy seems to fit correctly with the CIS Red Hat Enterprise Linux 9 Benchmark. In addition, every audit rule seems to work as expected.
Note: There are discrepancies between different CIS sources. After a meeting with @72nomada, we have agreed to use https://www.cisecurity.org/controls/cis-controls-navigator for compliance verification. However, for this testing, we have used the sources specified in the preconditions section. So we should manually check every detected compliance error, especially the ISO values.
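To support the manual compliance review the note asks for, here is an added helper script (my own example, not Wazuh code and not part of this report) that parses SCA check alerts in the shape shown in the evidence below, rebuilds dotted compliance keys that arrive nested (e.g. `pci_dss_3.2.1`), and flags frameworks whose ids differ between the alert's `rule` block and the check's `compliance` block. The sample alerts it runs on are constructed and abbreviated, and the mistyped ISO id in the third one is deliberate.

```python
"""Review Wazuh SCA check alerts: list failed checks and spot compliance tags
that differ between the alert's rule block and the check's compliance block.

SAMPLE_ALERTS is constructed for this example: shortened records modelled on
the alert shape shown in this report, not copied from a live manager.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

POLICY = "CIS Benchmark for Red Hat Enterprise Linux 9."

SAMPLE_ALERTS = [  # constructed, abbreviated alerts.json lines
    json.dumps({
        "rule": {"id": "19007", "level": 7, "cis": ["1.3.1"], "cis_csc_v8": ["3.14"],
                 "nist_sp_800-53": ["AU-2"], "pci_dss": ["2.2"]},
        "data": {"sca": {"type": "check", "policy": POLICY, "check": {
            "id": "28027", "title": "Ensure AIDE is installed.", "result": "failed",
            "command": ["rpm -q aide"],
            "compliance": {"cis": "1.3.1", "cis_csc_v8": "3.14", "nist_sp_800-53": "AU-2",
                           "pci_dss_3": {"2": {"1": "10.2.1,11.5"}}, "soc_2": "CC6.1"}}}}}),
    json.dumps({
        "rule": {"id": "19008", "level": 3, "cis": ["1.6.1.1"],
                 "iso_27001-2013": ["A.9.1.1"], "nist_sp_800-53": ["AC-3", "MP-2"]},
        "data": {"sca": {"type": "check", "policy": POLICY, "check": {
            "id": "28033", "title": "Ensure SELinux is installed.", "result": "passed",
            "command": ["rpm -q libselinux"],
            "compliance": {"cis": "1.6.1.1", "iso_27001-2013": "A.9.1.1",
                           "nist_sp_800-53": "AC-3,MP-2"}}}}}),
    json.dumps({  # ISO id deliberately mistyped on the check side to show the detection
        "rule": {"id": "19007", "level": 7, "cis": ["1.6.1.6"], "iso_27001-2013": ["A.13.1.3"]},
        "data": {"sca": {"type": "check", "policy": POLICY, "check": {
            "id": "28038", "title": "Ensure no unconfined services exist.", "result": "failed",
            "command": ["ps -eZ"],
            "compliance": {"cis": "1.6.1.6", "iso_27001-2013": "A.13.1.1"}}}}}),
    json.dumps({"rule": {"id": "19009"}, "data": {"sca": {"type": "summary"}}}),  # not a check
]


def flatten_compliance(comp: Dict, prefix: str = "") -> Dict[str, List[str]]:
    """Flatten the check's compliance map to {framework: [ids]}.

    Keys containing dots (pci_dss_3.2.1) show up nested in the alert as
    {"pci_dss_3": {"2": {"1": "10.2.1,11.5"}}}; rejoin them with dots and
    split the comma-separated value into a list of ids.
    """
    out: Dict[str, List[str]] = {}
    for key, value in comp.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten_compliance(value, name))
        else:
            out[name] = [v.strip() for v in str(value).split(",") if v.strip()]
    return out


def parse_sca_check(line: str) -> Optional[Dict]:
    """Normalise one alerts.json line; return None for non-check SCA events."""
    alert = json.loads(line)
    sca = alert.get("data", {}).get("sca", {})
    if sca.get("type") != "check":
        return None
    check = sca["check"]
    return {
        "check_id": check["id"],
        "cis": str(check.get("compliance", {}).get("cis", "")),
        "title": check["title"],
        "result": check.get("result", "unknown"),
        "rule_id": alert["rule"]["id"],
        "compliance": flatten_compliance(check.get("compliance", {})),
        # list-valued rule fields are the compliance tags attached to the rule
        "rule_tags": {k: v for k, v in alert["rule"].items() if isinstance(v, list)},
    }


def compliance_mismatches(record: Dict) -> Dict[str, Tuple[List[str], List[str]]]:
    """Frameworks present on both the rule and the check whose id sets differ."""
    diffs = {}
    for fw, ids in record["compliance"].items():
        rule_ids = record["rule_tags"].get(fw)
        if rule_ids is not None and set(ids) != set(rule_ids):
            diffs[fw] = (sorted(ids), sorted(rule_ids))
    return diffs


def summarize(lines: Iterable[str], framework: str = "iso_27001-2013") -> Dict[str, list]:
    """Group check alerts by result; each entry carries the chosen framework's ids."""
    report: Dict[str, list] = {"failed": [], "passed": [], "mismatched": []}
    for line in lines:
        rec = parse_sca_check(line)
        if rec is None:
            continue
        report.setdefault(rec["result"], []).append(
            (rec["cis"], rec["check_id"], rec["title"], rec["compliance"].get(framework, [])))
        diffs = compliance_mismatches(rec)
        if diffs:
            report["mismatched"].append((rec["cis"], diffs))
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE_ALERTS)
    for cis, check_id, title, iso in rep["failed"]:
        print(f"FAILED  CIS {cis:<8} check {check_id}  {title}  ISO={iso}")
    for cis, diffs in rep["mismatched"]:
        print(f"REVIEW  CIS {cis}: rule/check tags differ: {diffs}")
```

On a manager, feed it the lines of /var/ossec/logs/alerts/alerts.json filtered to the policy of interest instead of SAMPLE_ALERTS.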
Command output
```
[root@rhel9 vagrant]# rpm -q aide
package aide is not installed
```
Alert
```
{"timestamp":"2023-02-23T13:22:39.800+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure AIDE is installed.","id":"19007","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.3.1"],"cis_csc_v8":["3.14"],"cis_csc_v7":["14.9"],"nist_sp_800-53":["AU-2"],"hipaa":["164.312(b)","164.312(c)(1)","164.312(c)(2)"],"soc_2":["CC6.1"],"mitre_techniques":["T1565","T1565.001"],"mitre_tactics":["TA0001"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677158559.105821","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1830270131","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28027","title":"Ensure AIDE is installed.","description":"Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.","rationale":"By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.","remediation":"Run the following command to install AIDE: # dnf install aide. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz.","compliance":{"cis":"1.3.1","cis_csc_v8":"3.14","cis_csc_v7":"14.9","nist_sp_800-53":"AU-2","cmmc_v2":{"0":"AC.L2-3.1.7"},"hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3":{"2":{"1":"10.2.1,11.5"}},"pci_dss_4":{"0":"10.2.1,10.2.1.1"},"soc_2":"CC6.1","mitre_techniques":"T1565,T1565.001","mitre_tactics":"TA0001"},"references":"AIDE stable manual: http://aide.sourceforge.net/stable/manual.html","command":["rpm -q aide"],"result":"failed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.service
Failed to get unit file state for aidecheck.service: No such file or directory
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.timer
Failed to get unit file state for aidecheck.timer: No such file or directory
[root@rhel9 vagrant]# systemctl status aidecheck.timer
Unit aidecheck.timer could not be found.
```
Alert
```
{"timestamp":"2023-02-23T13:22:39.810+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure filesystem integrity is regularly checked.","id":"19007","firedtimes":21,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.3.2"],"cis_csc_v8":["3.14"],"cis_csc_v7":["14.9"],"nist_sp_800-53":["AU-2"],"hipaa":["164.312(b)","164.312(c)(1)","164.312(c)(2)"],"soc_2":["CC6.1"],"mitre_techniques":["T1036","T1036.005"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677158559.109489","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1830270131","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28028","title":"Ensure filesystem integrity is regularly checked.","description":"Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.","rationale":"Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.","remediation":"If cron will be used to schedule and run aide check. Run the following command: # crontab -u root -e. Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.","compliance":{"cis":"1.3.2","cis_csc_v8":"3.14","cis_csc_v7":"14.9","nist_sp_800-53":"AU-2","cmmc_v2":{"0":"AC.L2-3.1.7"},"hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3":{"2":{"1":"10.2.1,11.5"}},"pci_dss_4":{"0":"10.2.1,10.2.1.1"},"soc_2":"CC6.1","mitre_techniques":"T1036,T1036.005","mitre_tactics":"TA0040","mitre_mitigations":"M1022"},"references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":["systemctl is-enabled aidecheck.service"],"result":"failed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/grub.cfg
0600 0 root 0 root
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/grubenv
0600 0 root 0 root
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/user.cfg
0600 0 root 0 roo
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.467+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on bootloader config are configured (Automated).","id":"19008","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.4.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1542"],"mitre_tactics":["TA0005","TA0007"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.233135","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28030","title":"Ensure permissions on bootloader config are configured (Automated).","description":"The grub files contain information on boot settings and passwords for unlocking boot options.","rationale":"Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.","remediation":"Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change.","compliance":{"cis":"1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","mitre_techniques":"T1542","mitre_tactics":"TA0005,TA0007","mitre_mitigations":"M1022"},"command":["stat -Lc \"%#a %u %U %g %G\" /boot/grub2/grub.cfg","stat -Lc \"%#a %u %U %g %G\" /boot/grub2/grubenv","stat -Lc \"%#a %u %U %g %G\" /boot/grub2/user.cfg"],"result":"passed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.478+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure core dump storage is disabled.","id":"19007","firedtimes":22,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.5.1"],"mitre_techniques":["T1005"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.237564","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28031","title":"Ensure core dump storage is disabled.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file.","rationale":"A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.","remediation":"Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none.","compliance":{"cis":"1.5.1","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"references":"https://www.freedesktop.org/software/systemd/man/coredump.conf.html","file":["/etc/systemd/coredump.conf"],"result":"failed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.488+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure core dump backtraces are disabled.","id":"19007","firedtimes":23,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.5.2"],"nist_sp_800-53":["CM-6b"],"mitre_techniques":["T1005"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.239833","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28032","title":"Ensure core dump backtraces are disabled.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file.","rationale":"A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system.","remediation":"Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0.","compliance":{"cis":"1.5.2","nist_sp_800-53":"CM-6b","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"references":"https://www.freedesktop.org/software/systemd/man/coredump.conf.html","file":["/etc/systemd/coredump.conf"],"result":"failed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# rpm -q libselinux
libselinux-3.4-3.el9.x86_64
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.498+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux is installed.","id":"19008","firedtimes":11,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.1"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.242252","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28033","title":"Ensure SELinux is installed.","description":"SELinux provides Mandatory Access Control.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Run the following command to install SELinux : # dnf install libselinux.","compliance":{"cis":"1.6.1.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["rpm -q libselinux"],"result":"passed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.510+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux is not disabled in bootloader configuration.","id":"19008","firedtimes":12,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.244683","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28034","title":"Ensure SELinux is not disabled in bootloader configuration.","description":"Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.","rationale":"SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.","remediation":"Run the following command to remove the selinux=0 and enforcing=0 parameters:grubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- \"\\h\\*(\\[^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b\" /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- \"\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b\" /boot/grub2 /boot/efi).","compliance":{"cis":"1.6.1.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"file":["/boot/grub2/grubenv","/boot/grub2/grub.cfg"],"result":"passed"}}},"location":"sca"}
```
Command output
Alert
```
{"timestamp":"2023-02-23T15:58:06.521+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux policy is configured.","id":"19008","firedtimes":13,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.248449","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28035","title":"Ensure SELinux policy is configured.","description":"Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.","remediation":"Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted.","compliance":{"cis":"1.6.1.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0005"},"file":["/etc/selinux/config"],"command":["sestatus"],"result":"passed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# getenforce
Enforcing
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.533+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the SELinux mode is not disabled.","id":"19008","firedtimes":14,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.251442","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28036","title":"Ensure the SELinux mode is not disabled.","description":"SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t.","rationale":"Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.","remediation":"Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive.","compliance":{"cis":"1.6.1.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"references":"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes","file":["/etc/selinux/config"],"command":["getenforce"],"result":"passed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# getenforce
Enforcing
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.553+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the SELinux mode is enforcing.","id":"19008","firedtimes":15,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.257024","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28037","title":"Ensure the SELinux mode is enforcing.","description":"SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t.","rationale":"Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations.","remediation":"Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing.","compliance":{"cis":"1.6.1.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0005"},"references":"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes,CCI-002165: The information system enforces organization-defined discretionary access control policies over defined subjects and objects.,NIST SP 800-53 Revision 4 :: AC-3 (4),CCI-002696: The information system verifies correct operation of organization-defined security functions.,NIST SP 800-53 Revision 4 :: SI-6 a","file":["/etc/selinux/config"],"command":["getenforce"],"result":"passed"}}},"location":"sca"}
```
Command output
```
ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 863 ? 00:00:04 VBoxService
system_u:system_r:unconfined_service_t:s0 9262 ? 00:00:09 python3
system_u:system_r:unconfined_service_t:s0 9303 ? 00:00:01 wazuh-authd
system_u:system_r:unconfined_service_t:s0 9320 ? 00:00:09 wazuh-db
system_u:system_r:unconfined_service_t:s0 9345 ? 00:00:00 wazuh-execd
system_u:system_r:unconfined_service_t:s0 9348 ? 00:00:00 python3
system_u:system_r:unconfined_service_t:s0 9351 ? 00:00:00 python3
system_u:system_r:unconfined_service_t:s0 9366 ? 00:00:02 wazuh-analysisd
system_u:system_r:unconfined_service_t:s0 9379 ? 00:00:08 wazuh-syscheckd
system_u:system_r:unconfined_service_t:s0 9422 ? 00:00:11 wazuh-remoted
system_u:system_r:unconfined_service_t:s0 9455 ? 00:00:01 wazuh-logcollec
system_u:system_r:unconfined_service_t:s0 9472 ? 00:00:00 wazuh-monitord
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.566+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure no unconfined services exist.","id":"19007","firedtimes":24,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.6"],"cis_csc_v8":["3.3"],"cis_csc_v7":["9.2"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.13.1.3"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0004"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.263004","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28038","title":"Ensure no unconfined services exist.","description":"Unconfined processes run in unconfined domains.","rationale":"For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.","remediation":"Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.","compliance":{"cis":"1.6.1.6","cis_csc_v8":"3.3","cis_csc_v7":"9.2","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0004","mitre_mitigations":"M1022"},"command":["ps -eZ"],"result":"failed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# rpm -q setroubleshoot
package setroubleshoot is not installed
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.577+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SETroubleshoot is not installed.","id":"19008","firedtimes":16,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.7"],"cis_csc_v8":["4.8"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.266403","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28039","title":"Ensure SETroubleshoot is not installed.","description":"The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors.","rationale":"The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled.","remediation":"Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot.","compliance":{"cis":"1.6.1.7","cis_csc_v8":"4.8","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0005"},"command":["rpm -qa setroubleshoot"],"result":"passed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# rpm -qa mcstrans
[root@rhel9 vagrant]#
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.588+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the MCS Translation Service (mcstrans) is not installed.","id":"19008","firedtimes":17,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.8"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.269045","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28040","title":"Ensure the MCS Translation Service (mcstrans) is not installed.","description":"The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf.","rationale":"Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system.","remediation":"Run the following command to uninstall mcstrans: # dnf remove mcstrans.","compliance":{"cis":"1.6.1.8","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0005"},"command":["rpm -qa mcstrans"],"result":"passed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.598+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure message of the day is configured properly.","id":"19008","firedtimes":18,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.1"],"mitre_techniques":["T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.271547","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28041","title":"Ensure message of the day is configured properly.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in.","remediation":"Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd.","compliance":{"cis":"1.7.1","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/motd"],"result":"passed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.609+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure local login warning banner is configured properly.","id":"19007","firedtimes":25,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.2"],"mitre_techniques":["T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.275456","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28042","title":"Ensure local login warning banner is configured properly.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.","compliance":{"cis":"1.7.2","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/issue"],"result":"failed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.619+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure remote login warning banner is configured properly.","id":"19007","firedtimes":26,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.3"],"mitre_techniques":["T1018","T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.279330","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28043","title":"Ensure remote login warning banner is configured properly.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net.","compliance":{"cis":"1.7.3","mitre_techniques":"T1018,T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/issue.net"],"result":"failed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# stat -L /etc/motd
  File: /etc/motd
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d    Inode: 134346169   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-23 14:54:52.710131187 +0000
Modify: 2023-02-16 04:00:45.164695176 +0000
Change: 2023-02-16 04:00:45.164695176 +0000
 Birth: 2023-02-16 03:40:24.594069458 +0000
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.640+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue are configured.","id":"19008","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.286157","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28045","title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue.","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["stat -L /etc/issue"],"result":"passed"}}},"location":"sca"}
```
Command output
```
stat -L /etc/issue
  File: /etc/issue
  Size: 23              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346143   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-24 09:32:54.296294418 +0000
Modify: 2022-09-27 18:07:19.000000000 +0000
Change: 2023-02-24 09:32:52.272999921 +0000
 Birth: 2023-02-16 03:40:24.547070048 +0000
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.640+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue are configured.","id":"19008","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.286157","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28045","title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue.","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["stat -L /etc/issue"],"result":"passed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# stat -L /etc/issue.net
  File: /etc/issue.net
  Size: 22              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346144   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-23 14:54:51.888129662 +0000
Modify: 2022-09-27 18:07:19.000000000 +0000
Change: 2023-02-16 03:40:24.547070048 +0000
 Birth: 2023-02-16 03:40:24.547070048 +0000
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.650+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue.net are configured.","id":"19008","firedtimes":21,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.6"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.289009","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28046","title":"Ensure permissions on /etc/issue.net are configured.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.","rationale":"If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net.","compliance":{"cis":"1.7.6","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["stat -L /etc/issue.net"],"result":"passed"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# rpm -q gdm
package gdm is not installed
```
Alert :red_circle:
```
{"timestamp":"2023-02-23T15:58:06.660+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure GNOME Display Manager is removed.","id":"19009","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.8.1"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0002"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.291981","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28047","title":"Ensure GNOME Display Manager is removed.","description":"The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins.","rationale":"If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove the gdm package # dnf remove gdm.","compliance":{"cis":"1.8.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0002"},"references":"https://wiki.gnome.org/Projects/GDM","file":["rpm -q gdm"],"result":"not applicable","reason":"Could not open file 'rpm -q gdm'"}}},"location":"sca"}
```
Command output
Alert :red_circle:
```
{"timestamp":"2023-02-23T15:58:06.671+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure XDCMP is not enabled.","id":"19009","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.8.10"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1040","T1056","T1056.001","T1557"],"mitre_tactics":["TA0002"],"mitre_mitigations":["M1050"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.294477","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28048","title":"Ensure XDCMP is not enabled.","description":"X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays.","rationale":"XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user. - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.","remediation":"Edit the file /etc/gdm/custom.conf and remove the line: Enable=true.","compliance":{"cis":"1.8.10","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1040,T1056,T1056.001,T1557","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"file":[" /etc/gdm/custom.conf"],"result":"not applicable","reason":"Could not open file ' /etc/gdm/custom.conf'"}}},"location":"sca"}
```
Command output
```
[root@rhel9 vagrant]# sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\""
[root@rhel9 vagrant]#
```
Alert
```
{"timestamp":"2023-02-23T18:23:43.086+0000","rule":{"level":9,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure updates, patches, and additional security software are installed.: Status changed from passed to failed","id":"19011","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.9"],"cis_csc_v8":["7.3","7.4"],"cis_csc_v7":["3.4"],"iso_27001-2013":["A.13.1.3"],"nist_sp_800-53":["SI-2(2)"],"soc_2":["CC7.1"],"mitre_techniques":["T1211"],"mitre_tactics":["TA0004","TA0008"],"mitre_mitigations":["M1051"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677176623.363638","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1146114865","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28049","title":"Ensure updates, patches, and additional security software are installed.","description":"Periodically patches are released for included software either due to security flaws or to include additional functionality.","rationale":"Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.","remediation":"Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update.","compliance":{"cis":"1.9","cis_csc_v8":"7.3,7.4","cis_csc_v7":"3.4","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"SI.L1-3.14.1"},"pci_dss_3":{"2":{"1":"6.2"}},"nist_sp_800-53":"SI-2(2)","soc_2":"CC7.1","mitre_techniques":"T1211","mitre_tactics":"TA0004,TA0008","mitre_mitigations":"M1051"},"command":["sh -c \"dnf check-update | egrep -v \\\"Updating|Last metadata|^$\\\"\""],"result":"failed","previous_result":"passed"}}},"location":"sca"}
```
Alert
```
{"timestamp":"2023-02-23T15:58:06.691+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure system-wide crypto policy is not legacy.","id":"19008","firedtimes":23,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.10"],"cis_csc_v8":["3.10"],"cis_csc_v7":["14.4"],"nist_sp_800-53":["SC-8"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.312(a)(2)(iv)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.300763","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28050","title":"Ensure system-wide crypto policy is not legacy.","description":"The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package.","rationale":"If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457.","remediation":"Run the following command to change the system-wide crypto policy # update-crypto-policies --setExample: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies.","compliance":{"cis":"1.10","cis_csc_v8":"3.10","cis_csc_v7":"14.4","nist_sp_800-53":"SC-8","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L2-3.1.17,AC.L2-3.1.13,IA.L2-3.5.10,SC.L2-3.13.11,SC.L2-3.13.8,SC.L2-3.13.15"},"hipaa":"164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii)","pci_dss_3":{"2":{"1":"2.1.1,4.1,4.1.1,8.2.1"}},"pci_dss_4":{"0":"2.2.7,4.1.1,4.2.1,4.2.1.2,4.2.2,8.3.2"}},"references":"CRYPTO-POLICIES(7),https://access.redhat.com/articles/3642912#what-polices-are-provided-1","file":["/etc/crypto-policies/config"],"result":"passed"}}},"location":"sca"}
```
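To triage a batch of alerts like the ones pasted in this report, the following script (an added example, not Wazuh project code) reads newline-delimited SCA alert JSON, lists failed checks ordered by rule level, marks status regressions from the `previous_result` field, and separately flags rules whose `file` target is not an absolute path, which is what produces the `Could not open file 'rpm -q gdm'` reason shown above for 1.8.1. The field names (`data.sca.check`, `result`, `previous_result`, `file`, `command`, `rule.level`) are the ones visible in the alerts on this page; the sample alerts embedded in the script are constructed, trimmed copies of those fields.

```python
"""Triage Wazuh SCA check alerts (added example, not Wazuh project code).

Reads newline-delimited alert JSON and reports checks that did not pass.
A check that is "not applicable" because a command string was placed in
the rule's `file` field (as with "Could not open file 'rpm -q gdm'") is
reported as a policy-authoring error rather than as a host finding.
"""
import json

# Constructed sample alerts, trimmed to the fields the triage uses.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"rule": {"level": 3}, "data": {"sca": {"check": {
        "id": "28039", "title": "Ensure SETroubleshoot is not installed.",
        "command": ["rpm -qa setroubleshoot"], "result": "passed"}}}}),
    json.dumps({"rule": {"level": 7}, "data": {"sca": {"check": {
        "id": "28042", "title": "Ensure local login warning banner is configured properly.",
        "file": ["/etc/issue"], "result": "failed"}}}}),
    json.dumps({"rule": {"level": 3}, "data": {"sca": {"check": {
        "id": "28047", "title": "Ensure GNOME Display Manager is removed.",
        "file": ["rpm -q gdm"], "result": "not applicable",
        "reason": "Could not open file 'rpm -q gdm'"}}}}),
    json.dumps({"rule": {"level": 9}, "data": {"sca": {"check": {
        "id": "28049", "title": "Ensure updates, patches, and additional security software are installed.",
        "command": ["sh -c \"dnf check-update\""], "result": "failed",
        "previous_result": "passed"}}}}),
])


def parse_sca_alerts(text):
    """Yield (check dict, rule level) for every SCA check alert line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        check = alert.get("data", {}).get("sca", {}).get("check")
        if check is None:
            continue  # not an SCA check alert (e.g. a summary event)
        yield check, alert.get("rule", {}).get("level", 0)


def looks_like_command(target):
    """A `file` target that is not an absolute path is most likely a
    command pasted into the wrong rule field."""
    return not target.strip().startswith("/")


def triage(text):
    """Bucket checks into failed, regressed, and mis-authored rules."""
    report = {"failed": [], "regressed": [], "misauthored": []}
    for check, level in parse_sca_alerts(text):
        cid = check["id"]
        result = check.get("result")
        if result == "failed":
            report["failed"].append((cid, level, check["title"]))
            if check.get("previous_result") == "passed":
                report["regressed"].append(cid)
        elif result == "not applicable":
            bad = [t for t in check.get("file", []) if looks_like_command(t)]
            if bad:
                report["misauthored"].append((cid, bad[0]))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    # Highest rule level first, so the level 9 regression is read first.
    for cid, level, title in sorted(r["failed"], key=lambda x: -x[1]):
        flag = " (regression)" if cid in r["regressed"] else ""
        print(f"FAILED   {cid} level={level} {title}{flag}")
    for cid, target in r["misauthored"]:
        print(f"RULE BUG {cid}: 'file' target looks like a command: {target!r}")
```

Run against a real `alerts.json` by replacing `SAMPLE_ALERTS` with the file contents; the "misauthored" bucket is the one to watch during policy review, since a check that can never open its target reports "not applicable" on every host and silently stops measuring anything.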
As stated here - https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1442264848
1.3.2 :red_circle: - Solved
1.3.3 :red_circle: - not implemented
The grep command sometimes returns exit code 1, which means we would have to implement logic like:
.conf file in the folder has multiple lines (AND) OR aide.conf file has multiple lines (AND)
(AND) OR (AND) is not possible with the current SCA.
@Rebits ping me if you need to chat
1.4.1 :red_circle:
1.4.2 :red_circle:
1.6.1.2 :red_circle:
Rule - grep commands usually end with exit code 1, so the SCA check will fail:
```
[root@localhost rhel]# grubby --info=ALL | grep -Po '(selinux|enforcing)=0\b'
[root@localhost rhel]# echo $?
1
```
1.6.1.4 :red_circle: - Solved
1.6.1.5 :red_circle: - Solved
1.6.1.6 :red_circle: - PCI - This check is okay as stated in the compliance dictionary v8
1.6.1.8 :red_circle:
1.7.5 :red_circle: - Solved
1.8.1 :red_circle:
1.8.10 :red_circle:
1.9 :red_circle:
1.10 :red_circle:
https://github.com/wazuh/wazuh/commit/bb7c3ae000329d5abf54091abcbd4ca60423856b
Note: this second review also includes new errors found as a result of this issue.
1.3.2 :red_circle:
1.4.1 :red_circle:
1.4.2 :red_circle:
We solved these ones, but we will improve the compliance order by putting the entries in alphabetical order. So these shouldn't be checked until the ordering is done. We expect to do this check with the last commit to the RHEL 9 SCA policy.
PR Commit |
---|
https://github.com/wazuh/wazuh/commit/b558c2f83e9ec723d3aad369e58cc54c14ee0776 |
PR Commit |
---|
https://github.com/wazuh/wazuh/commit/eb937587622e6798b50a698cb4c309ac4f69585c |
During https://github.com/wazuh/wazuh-qa/issues/3827 a minor error was detected in the 1.3.2 check. The rule should be:
```
condition: all
rules:
  - "c:systemctl is-enabled aidecheck.service -> r:enabled"
  - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
  - "c:systemctl status aidecheck.timer -> r:active"
```
Replacing enabled by enabled.
```
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.service
enabled
```
https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1456128389
A minor error was detected in the 1.3.2 check - Solved
https://github.com/wazuh/wazuh/commit/d45bc0a322c4a8b399282621530e011d565d8ae6
PR Commit |
---|
https://github.com/wazuh/wazuh/commit/24405eb600b03d6556fea30d7d4a9dd45f74df1a |
The suggested changes have been applied and everything appears to be correct.
PR Commit |
---|
https://github.com/wazuh/wazuh/commit/24405eb600b03d6556fea30d7d4a9dd45f74df1a |
After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:
https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1462439180
1.3.2 :red_circle: - Solved
1.4.1 :red_circle: - Solved
1.7.4 :red_circle: - Solved
1.7.5 :red_circle: - Solved
1.7.6 :red_circle: - Solved
https://github.com/wazuh/wazuh/commit/7f4e24311e64fcae337eb33914c74d644b21df2f
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16016/commits/86fc6094f60ecbc45fae42b789507e8ad4b04538 |
The suggested changes have been applied and everything appears to be correct.