wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Red Hat Enterprise Linux 9 SCA policy rework - checks 1.3 to 1.10 #3817

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3391 | https://github.com/wazuh/wazuh/pull/16016 |

| Check Id and Name | Status | Ready for QA |
|---|---|---|
| **1.3 Filesystem Integrity Checking** | | |
| 1.3.1 Ensure AIDE is installed (Automated) | 🟢 | 🟢 |
| 1.3.2 Ensure filesystem integrity is regularly checked (Automated) | 🟢 | 🟢 |
| 1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated) | 🟢 | 🟢 |
| **1.4 Secure Boot Settings** | | |
| 1.4.1 Ensure bootloader password is set (Automated) | 🟢 | 🟢 |
| 1.4.2 Ensure permissions on bootloader config are configured (Automated) | 🟢 | 🟢 |
| **1.5 Additional Process Hardening** | | |
| 1.5.1 Ensure core dump storage is disabled (Automated) | 🟢 | 🟢 |
| 1.5.2 Ensure core dump backtraces are disabled (Automated) | 🟢 | 🟢 |
| 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Automated) | 🟢 | 🟢 |
| **1.6 Mandatory Access Control** | | |
| **1.6.1 Configure SELinux** | | |
| 1.6.1.1 Ensure SELinux is installed (Automated) | 🟢 | 🟢 |
| 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated) | 🟢 | 🟢 |
| 1.6.1.3 Ensure SELinux policy is configured (Automated) | 🟢 | 🟢 |
| 1.6.1.4 Ensure the SELinux mode is not disabled (Automated) | 🟢 | 🟢 |
| 1.6.1.5 Ensure the SELinux mode is enforcing (Automated) | 🟢 | 🟢 |
| 1.6.1.6 Ensure no unconfined services exist (Automated) | 🟢 | 🟢 |
| 1.6.1.7 Ensure SETroubleshoot is not installed (Automated) | 🟢 | 🟢 |
| 1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed (Automated) | 🟢 | 🟢 |
| **1.7 Command Line Warning Banners** | | |
| 1.7.1 Ensure message of the day is configured properly (Automated) | 🟢 | 🟢 |
| 1.7.2 Ensure local login warning banner is configured properly (Automated) | 🟢 | 🟢 |
| 1.7.3 Ensure remote login warning banner is configured properly (Automated) | 🟢 | 🟢 |
| 1.7.4 Ensure permissions on /etc/motd are configured (Automated) | 🟢 | 🟢 |
| 1.7.5 Ensure permissions on /etc/issue are configured (Automated) | 🟢 | 🟢 |
| 1.7.6 Ensure permissions on /etc/issue.net are configured (Automated) | 🟢 | 🟢 |
| **1.8 GNOME Display Manager** | | |
| 1.8.1 Ensure GNOME Display Manager is removed (Automated) | 🟢 | 🟢 |
| 1.8.2 Ensure GDM login banner is configured (Automated) | 🟢 | 🟢 |
| 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) | 🟢 | 🟢 |
| 1.8.4 Ensure GDM screen locks when the user is idle (Automated) | 🟢 | 🟢 |
| 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) | 🟢 | 🟢 |
| 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) | 🟢 | 🟢 |
| 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) | 🟢 | 🟢 |
| 1.8.8 Ensure GDM autorun-never is enabled (Automated) | 🟢 | 🟢 |
| 1.8.9 Ensure GDM autorun-never is not overridden (Automated) | 🟢 | 🟢 |
| 1.8.10 Ensure XDCMP is not enabled (Automated) | 🟢 | 🟢 |
| 1.9 Ensure updates, patches, and additional security software are installed (Manual) | 🟢 | 🟢 |
| 1.10 Ensure system-wide crypto policy is not legacy (Automated) | 🟢 | 🟢 |
Rebits commented 1 year ago

Tester review

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16016/commits/68323ce7575e8b5f561a440e16828e2588e37dec

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| RHEL | 9 | Vagrant | roboxes/rhel9 | |

Tested packages

wazuh-manager
wazuh-managerv-4.4.0-1

Status

Conclusion :green_circle:

After the requested changes the policy seems to fit correctly with the CIS Red Hat Enterprise Linux 9 Benchmark. In addition, every audit rule seems to work as expected.
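The rule lines quoted throughout this review (`c:<command> -> r:<regex>` for command output, `f:<path> -> r:<regex>` for file content, combined by a check's `condition`) follow the Wazuh SCA policy syntax. The following is an added example, not code from this issue, the tested PR or the Wazuh agent: a small stand-alone evaluator for that rule shape, run against constructed command output and file contents modelled on the outputs captured on the RHEL 9 test box. It is deliberately simplified (Python's `re` stands in for Wazuh's own regex dialect, nothing is executed on the host, only `r:` conditions are handled) and exists to show how a one-character regex slip such as `permisive` versus `permissive` turns a should-pass rule into a silent miss.

```python
"""Minimal evaluator for Wazuh-SCA-style rule strings (added example).

Assumptions, none of which describe Wazuh's real engine:
  * 'c:<command> -> r:<regex>' tests the regex against lines of command output,
    'f:<path> -> r:<regex>' against lines of a file; a leading 'not ' negates.
  * Python's re module stands in for Wazuh's own regex dialect.
  * Command output and file contents come from the constructed dictionaries
    below, so the script runs offline without executing anything on the host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data modelled on the outputs quoted in this issue.
COMMAND_OUTPUT = {
    "systemctl is-enabled aidecheck.service": "enabled\n",
    "systemctl is-enabled aidecheck.timer": "enabled\n",
    "systemctl status aidecheck.timer": (
        "aidecheck.timer - Aide check every day at 5AM\n"
        "     Active: active (waiting)\n"
    ),
    "getenforce": "Permissive\n",
    'stat -Lc "%#a %u %U %g %G" /boot/grub2/grub.cfg': "0600 0 root 0 root\n",
}
FILE_CONTENT = {
    "/etc/selinux/config": (
        "# This file controls the state of SELinux on the system.\n"
        "SELINUX=permissive\n"
        "SELINUXTYPE=targeted\n"
    ),
}


@dataclass(frozen=True)
class Rule:
    kind: str      # "c" = command output, "f" = file content
    target: str    # command line or file path
    pattern: str   # regex that must match at least one line
    negate: bool   # True for rules written as "not c:..." / "not f:..."


def parse_rule(text: str) -> Rule:
    """Parse one rule string such as 'c:getenforce -> r:^Enforcing$'."""
    negate = text.startswith("not ")
    if negate:
        text = text[len("not "):]
    kind, rest = text.split(":", 1)
    if kind not in ("c", "f"):
        raise ValueError(f"unsupported rule type {kind!r}")
    target, condition = rest.split(" -> ", 1)
    if not condition.startswith("r:"):
        raise ValueError(f"unsupported condition {condition!r}")
    return Rule(kind, target.strip(), condition[2:], negate)


def evaluate_rule(rule: Rule) -> bool:
    """True when the regex matches some line of the target (inverted for 'not')."""
    source = COMMAND_OUTPUT if rule.kind == "c" else FILE_CONTENT
    content = source.get(rule.target, "")
    matched = any(re.search(rule.pattern, line) for line in content.splitlines())
    return (not matched) if rule.negate else matched


def check_passes(rules: list[str], condition: str = "all") -> bool:
    """Combine rule results the way an SCA check's 'condition' field does."""
    results = [evaluate_rule(parse_rule(r)) for r in rules]
    return all(results) if condition == "all" else any(results)


if __name__ == "__main__":
    # 1.3.2 as proposed in the review: all three rules must hold.
    aide_rules = [
        "c:systemctl is-enabled aidecheck.service -> r:enable",
        "c:systemctl is-enabled aidecheck.timer -> r:enable",
        "c:systemctl status aidecheck.timer -> r:active",
    ]
    print("1.3.2 passes:", check_passes(aide_rules))

    # 1.6.1.4: the 'permisive' typo never matches a permissive host,
    # the corrected spelling does.
    typo = r"f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permisive"
    fixed = r"f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive"
    print("typo rule matches:", evaluate_rule(parse_rule(typo)))
    print("fixed rule matches:", evaluate_rule(parse_rule(fixed)))
```

Because `r:enable` is an unanchored search, it matches `enabled` as the reviewer's expected rule intends; the anchored `^Enforcing$|^Permissive$` form used for `getenforce` shows the opposite choice. Running the script prints the 1.3.2 check passing and the typo rule failing where the fixed rule matches.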

Rebits commented 1 year ago

Testing results

Note There are discrepancies between different CIS sources. After a meeting with @72nomada, we have agreed to use https://www.cisecurity.org/controls/cis-controls-navigator for compliance verification. However, for this testing, we have used the sources specified in the preconditions section. So we should check manually every compliance detected error, especially ISO values.

**1.3.1** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q aide
package aide is not installed
```
Alert
```json
{"timestamp":"2023-02-23T13:22:39.800+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure AIDE is installed.","id":"19007","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.3.1"],"cis_csc_v8":["3.14"],"cis_csc_v7":["14.9"],"nist_sp_800-53":["AU-2"],"hipaa":["164.312(b)","164.312(c)(1)","164.312(c)(2)"],"soc_2":["CC6.1"],"mitre_techniques":["T1565","T1565.001"],"mitre_tactics":["TA0001"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677158559.105821","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1830270131","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28027","title":"Ensure AIDE is installed.","description":"Advanced Intrusion Detection Environment (AIDE) is a intrusion detection tool that uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE has its own database to check the integrity of files and directories. AIDE takes a snapshot of files and directories including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.","rationale":"By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.","remediation":"Run the following command to install AIDE: # dnf install aide. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: Run the following commands: # aide --init # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz.","compliance":{"cis":"1.3.1","cis_csc_v8":"3.14","cis_csc_v7":"14.9","nist_sp_800-53":"AU-2","cmmc_v2":{"0":"AC.L2-3.1.7"},"hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3":{"2":{"1":"10.2.1,11.5"}},"pci_dss_4":{"0":"10.2.1,10.2.1.1"},"soc_2":"CC6.1","mitre_techniques":"T1565,T1565.001","mitre_tactics":"TA0001"},"references":"AIDE stable manual: http://aide.sourceforge.net/stable/manual.html","command":["rpm -q aide"],"result":"failed"}}},"location":"sca"}
```
**1.3.2** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  ISO: Expected `A.12.4.3`
- **References**: :green_circle:
- **Rules**: :red_circle:

  Expected:
  ```yaml
  - "c:systemctl is-enabled aidecheck.service -> r:enable"
  - "c:systemctl is-enabled aidecheck.timer -> r:enable"
  - "c:systemctl status aidecheck.timer -> r:active"
  ```

Rules details

Command output
```
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.service
Failed to get unit file state for aidecheck.service: No such file or directory
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.timer
Failed to get unit file state for aidecheck.timer: No such file or directory
[root@rhel9 vagrant]# systemctl status aidecheck.timer
Unit aidecheck.timer could not be found.
```
Alert
```json
{"timestamp":"2023-02-23T13:22:39.810+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure filesystem integrity is regularly checked.","id":"19007","firedtimes":21,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.3.2"],"cis_csc_v8":["3.14"],"cis_csc_v7":["14.9"],"nist_sp_800-53":["AU-2"],"hipaa":["164.312(b)","164.312(c)(1)","164.312(c)(2)"],"soc_2":["CC6.1"],"mitre_techniques":["T1036","T1036.005"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677158559.109489","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1830270131","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28028","title":"Ensure filesystem integrity is regularly checked.","description":"Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.","rationale":"Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.","remediation":"If cron will be used to schedule and run aide check. Run the following command: # crontab -u root -e. Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.","compliance":{"cis":"1.3.2","cis_csc_v8":"3.14","cis_csc_v7":"14.9","nist_sp_800-53":"AU-2","cmmc_v2":{"0":"AC.L2-3.1.7"},"hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3":{"2":{"1":"10.2.1,11.5"}},"pci_dss_4":{"0":"10.2.1,10.2.1.1"},"soc_2":"CC6.1","mitre_techniques":"T1036,T1036.005","mitre_tactics":"TA0040","mitre_mitigations":"M1022"},"references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":["systemctl is-enabled aidecheck.service"],"result":"failed"}}},"location":"sca"}
```
**1.3.3** :red_circle:

Why is this check not implemented? Maybe something like this should be enough:
```
> grep -Ps -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide.conf.d/*.conf /etc/aide.conf
/etc/aide.conf.d/testing.conf:/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf.d/testing.conf:/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf.d/testing.conf:/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf.d/testing.conf:/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf.d/testing.conf:/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf.d/testing.conf:/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/etc/aide.conf:/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
```
**1.4.1** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :red_circle:
  - **MITRE**: :green_circle:

  ISO: Expected `['A.9.1.1']`

  NIST & PCI: Wrong order, NIST should be placed before PCI
- **References**: :black_circle:
- **Rules**: :green_circle:
**1.4.2** :red_circle:
- **Title**: :red_circle: The `(Automated)` string should not be included in the check title
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  ISO: Expected `A.9.1.1`

  NIST: Policy's check does not include any NIST value
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/grub.cfg
0600 0 root 0 root
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/grubenv
0600 0 root 0 root
[root@rhel9 vagrant]# stat -Lc "%#a %u %U %g %G" /boot/grub2/user.cfg
0600 0 root 0 roo
```
Alert
```json
{"timestamp":"2023-02-23T15:58:06.467+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on bootloader config are configured (Automated).","id":"19008","firedtimes":10,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.4.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1542"],"mitre_tactics":["TA0005","TA0007"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.233135","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28030","title":"Ensure permissions on bootloader config are configured (Automated).","description":"The grub files contain information on boot settings and passwords for unlocking boot options.","rationale":"Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.","remediation":"Run the following commands to set ownership and permissions on your grub configuration files: Run the following command to set ownership and permissions on grub.cfg: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg Run the following command to set ownership and permissions on grubenv: # chown root:root /boot/grub2/grubenv # chmod u-x,og-rwx /boot/grub2/grubenv Run the following command to set ownership and permissions on user.cfg: # chown root:root /boot/grub2/user.cfg # chmod u-x,og-rwx /boot/grub2/user.cfg Note: This may require a re-boot to enable the change.","compliance":{"cis":"1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","mitre_techniques":"T1542","mitre_tactics":"TA0005,TA0007","mitre_mitigations":"M1022"},"command":["stat -Lc \"%#a %u %U %g %G\" /boot/grub2/grub.cfg","stat -Lc \"%#a %u %U %g %G\" /boot/grub2/grubenv","stat -Lc \"%#a %u %U %g %G\" /boot/grub2/user.cfg"],"result":"passed"}}},"location":"sca"}
```
**1.5.1** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :black_circle:
  - **ISO**: :black_circle:
  - **CMMC**: :black_circle:
  - **SOC**: :black_circle:
  - **NIST**: :black_circle:
  - **PCI**: :black_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.478+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure core dump storage is disabled.","id":"19007","firedtimes":22,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.5.1"],"mitre_techniques":["T1005"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.237564","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28031","title":"Ensure core dump storage is disabled.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file.","rationale":"A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.","remediation":"Edit /etc/systemd/coredump.conf and edit or add the following line: Storage=none.","compliance":{"cis":"1.5.1","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"references":"https://www.freedesktop.org/software/systemd/man/coredump.conf.html","file":["/etc/systemd/coredump.conf"],"result":"failed"}}},"location":"sca"}
```
**1.5.2** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :black_circle:
  - **ISO**: :black_circle:
  - **CMMC**: :black_circle:
  - **SOC**: :black_circle:
  - **NIST**: :black_circle:
  - **PCI**: :black_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.488+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure core dump backtraces are disabled.","id":"19007","firedtimes":23,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.5.2"],"nist_sp_800-53":["CM-6b"],"mitre_techniques":["T1005"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.239833","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28032","title":"Ensure core dump backtraces are disabled.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file.","rationale":"A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems, increasing the risk to the system.","remediation":"Edit or add the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0.","compliance":{"cis":"1.5.2","nist_sp_800-53":"CM-6b","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"references":"https://www.freedesktop.org/software/systemd/man/coredump.conf.html","file":["/etc/systemd/coredump.conf"],"result":"failed"}}},"location":"sca"}
```

**1.5.3** :black_circle: Not implemented. Expected due to SCA limitations.
**1.6.1.1** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q libselinux
libselinux-3.4-3.el9.x86_64
```
Alert
```json
{"timestamp":"2023-02-23T15:58:06.498+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux is installed.","id":"19008","firedtimes":11,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.1"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.242252","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28033","title":"Ensure SELinux is installed.","description":"SELinux provides Mandatory Access Control.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Run the following command to install SELinux : # dnf install libselinux.","compliance":{"cis":"1.6.1.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["rpm -q libselinux"],"result":"passed"}}},"location":"sca"}
```
**1.6.1.2** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:

  Expected:
  ```
  Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq --'\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b' /boot/grub2 /boot/efi && grub2-mkconfig -o "$(grep -Prl -- '\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b' /boot/grub2 /boot/efi)"
  ```
  Current:
  ```
  Run the following command to remove the selinux=0 and enforcing=0 parameters:grubby --update-kernel ALL --remove-args "selinux=0 enforcing=0" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- "\h\*(\[^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b" /boot/grub2 /boot/efi && grub2-mkconfig -o "$(grep -Prl -- "\h*([^#\n\r]+\h+)?kernelopts=([^#\n\r]+\h+)?(selinux|enforcing)=0\b" /boot/grub2 /boot/efi).
  ```
  > **Note**
  > Notice the mismatch. For example `grep -Prsq -- "\h\*(\` instead of `grep -Prsq -- "\h*(`
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  No NIST value specified in the PDF
- **References**: :black_circle:
- **Rules**: :yellow_circle:

  Why not use the CIS audit command?
  ```
  [root@rhel9 vagrant]# grubby --info=ALL | grep -Po '(selinux|enforcing)=0\b'
  [root@rhel9 vagrant]#
  ```

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.510+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux is not disabled in bootloader configuration.","id":"19008","firedtimes":12,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.2"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"nist_sp_800-53":["AC-5","AC-6"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.244683","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28034","title":"Ensure SELinux is not disabled in bootloader configuration.","description":"Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters.","rationale":"SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.","remediation":"Run the following command to remove the selinux=0 and enforcing=0 parameters:grubby --update-kernel ALL --remove-args \"selinux=0 enforcing=0\" Run the following command to remove the selinux=0 and enforcing=0 parameters if they were created by the deprecated grub2-mkconfig command: # grep -Prsq -- \"\\h\\*(\\[^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b\" /boot/grub2 /boot/efi && grub2-mkconfig -o \"$(grep -Prl -- \"\\h*([^#\\n\\r]+\\h+)?kernelopts=([^#\\n\\r]+\\h+)?(selinux|enforcing)=0\\b\" /boot/grub2 /boot/efi).","compliance":{"cis":"1.6.1.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"file":["/boot/grub2/grubenv","/boot/grub2/grub.cfg"],"result":"passed"}}},"location":"sca"}
```
**1.6.1.3** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.521+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SELinux policy is configured.","id":"19008","firedtimes":13,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.3"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.248449","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28035","title":"Ensure SELinux policy is configured.","description":"Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.","remediation":"Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted.","compliance":{"cis":"1.6.1.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068","mitre_tactics":"TA0005"},"file":["/etc/selinux/config"],"command":["sestatus"],"result":"passed"}}},"location":"sca"}
```
**1.6.1.4** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

  Expected:
  ```yaml
  - "c:getenforce -> r:^Enforcing$|^Permissive$"
  - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permissive'
  ```
  Current:
  ```yaml
  - "c:getenforce -> r:^Enforcing$|^Permissive$"
  - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing|\s*SELINUX\s*=\s*permisive'
  ```
  > Typo `permisive`

Rules details

Command output
```
[root@rhel9 vagrant]# getenforce
Enforcing
```
Alert
```json
{"timestamp":"2023-02-23T15:58:06.533+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the SELinux mode is not disabled.","id":"19008","firedtimes":14,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.4"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.251442","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28036","title":"Ensure the SELinux mode is not disabled.","description":"SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t.","rationale":"Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.","remediation":"Run one of the following commands to set SELinux's running mode: To set SELinux mode to Enforcing: # setenforce 1 OR To set SELinux mode to Permissive: # setenforce 0 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive.","compliance":{"cis":"1.6.1.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"references":"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes","file":["/etc/selinux/config"],"command":["getenforce"],"result":"passed"}}},"location":"sca"}
```
1.6.1.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :red_circle: References without an associated link should be removed
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# getenforce
Enforcing
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.553+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the SELinux mode is enforcing.","id":"19008","firedtimes":15,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.257024","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28037","title":"Ensure the SELinux mode is enforcing.","description":"SELinux can run in one of three modes: disabled, permissive, or enforcing: - Enforcing - Is the default, and recommended, mode of operation; in enforcing mode SELinux operates normally, enforcing the loaded security policy on the entire system. - Permissive - The system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not recommended for production systems, permissive mode can be helpful for SELinux policy development. - Disabled - Is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Note: you can set individual domains to permissive mode while the system runs in enforcing mode. For example, to make the httpd_t domain permissive: # semanage permissive -a httpd_t.","rationale":"Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations.","remediation":"Run the following command to set SELinux's running mode: # setenforce 1 Edit the /etc/selinux/config file to set the SELINUX parameter: For Enforcing mode: SELINUX=enforcing.","compliance":{"cis":"1.6.1.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0005"},"references":"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-introduction-selinux_modes,CCI-002165: The information system enforces organization-defined discretionary access control policies over defined subjects and objects.,NIST SP 800-53 Revision 4 :: AC-3 (4),CCI-002696: The information system verifies correct operation of organization-defined security functions.,NIST SP 800-53 Revision 4 :: SI-6 a","file":["/etc/selinux/config"],"command":["getenforce"],"result":"passed"}}},"location":"sca"}
```
1.6.1.6 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :red_circle: Wrong PCI 3.2.1 value. Expected: `'1.2.1', '2.2.2', '2.2.5'`. Current: `["7.1", "7.1.1", "7.1.2", "7.1.3"]`
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0  863 ?        00:00:04 VBoxService
system_u:system_r:unconfined_service_t:s0 9262 ?        00:00:09 python3
system_u:system_r:unconfined_service_t:s0 9303 ?        00:00:01 wazuh-authd
system_u:system_r:unconfined_service_t:s0 9320 ?        00:00:09 wazuh-db
system_u:system_r:unconfined_service_t:s0 9345 ?        00:00:00 wazuh-execd
system_u:system_r:unconfined_service_t:s0 9348 ?        00:00:00 python3
system_u:system_r:unconfined_service_t:s0 9351 ?        00:00:00 python3
system_u:system_r:unconfined_service_t:s0 9366 ?        00:00:02 wazuh-analysisd
system_u:system_r:unconfined_service_t:s0 9379 ?        00:00:08 wazuh-syscheckd
system_u:system_r:unconfined_service_t:s0 9422 ?        00:00:11 wazuh-remoted
system_u:system_r:unconfined_service_t:s0 9455 ?        00:00:01 wazuh-logcollec
system_u:system_r:unconfined_service_t:s0 9472 ?        00:00:00 wazuh-monitord
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.566+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure no unconfined services exist.","id":"19007","firedtimes":24,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.6"],"cis_csc_v8":["3.3"],"cis_csc_v7":["9.2"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.13.1.3"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1068","T1565","T1565.001","T1565.003"],"mitre_tactics":["TA0004"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.263004","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28038","title":"Ensure no unconfined services exist.","description":"Unconfined processes run in unconfined domains.","rationale":"For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.","remediation":"Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.","compliance":{"cis":"1.6.1.6","cis_csc_v8":"3.3","cis_csc_v7":"9.2","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0004","mitre_mitigations":"M1022"},"command":["ps -eZ"],"result":"failed"}}},"location":"sca"}
```
1.6.1.7 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q setroubleshoot
package setroubleshoot is not installed
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.577+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure SETroubleshoot is not installed.","id":"19008","firedtimes":16,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.7"],"cis_csc_v8":["4.8"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.266403","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28039","title":"Ensure SETroubleshoot is not installed.","description":"The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors.","rationale":"The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled.","remediation":"Run the following command to uninstall setroubleshoot: # dnf remove setroubleshoot.","compliance":{"cis":"1.6.1.7","cis_csc_v8":"4.8","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0005"},"command":["rpm -qa setroubleshoot"],"result":"passed"}}},"location":"sca"}
```
1.6.1.8 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :red_circle: PCI3: Expected `['1.2.1', '2.2.2', '2.2.5']`, current `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -qa mcstrans
[root@rhel9 vagrant]#
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.588+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure the MCS Translation Service (mcstrans) is not installed.","id":"19008","firedtimes":17,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.6.1.8"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.269045","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28040","title":"Ensure the MCS Translation Service (mcstrans) is not installed.","description":"The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf.","rationale":"Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system.","remediation":"Run the following command to uninstall mcstrans: # dnf remove mcstrans.","compliance":{"cis":"1.6.1.8","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0005"},"command":["rpm -qa mcstrans"],"result":"passed"}}},"location":"sca"}
```
1.7.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.598+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure message of the day is configured properly.","id":"19008","firedtimes":18,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.1"],"mitre_techniques":["T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.271547","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28041","title":"Ensure message of the day is configured properly.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in.","remediation":"Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd.","compliance":{"cis":"1.7.1","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/motd"],"result":"passed"}}},"location":"sca"}
```
1.7.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.609+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure local login warning banner is configured properly.","id":"19007","firedtimes":25,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.2"],"mitre_techniques":["T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.275456","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28042","title":"Ensure local login warning banner is configured properly.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version - or the operating system's name.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.","compliance":{"cis":"1.7.2","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/issue"],"result":"failed"}}},"location":"sca"}
```
1.7.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.619+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure remote login warning banner is configured properly.","id":"19007","firedtimes":26,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.3"],"mitre_techniques":["T1018","T1082","T1592","T1592.004"],"mitre_tactics":["TA0007"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.279330","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28043","title":"Ensure remote login warning banner is configured properly.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.","remediation":"Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net.","compliance":{"cis":"1.7.3","mitre_techniques":"T1018,T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"file":["/etc/issue.net"],"result":"failed"}}},"location":"sca"}
```
1.7.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :large_blue_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# stat -L /etc/motd
  File: /etc/motd
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d    Inode: 134346169   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-23 14:54:52.710131187 +0000
Modify: 2023-02-16 04:00:45.164695176 +0000
Change: 2023-02-16 04:00:45.164695176 +0000
 Birth: 2023-02-16 03:40:24.594069458 +0000
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.640+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue are configured.","id":"19008","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.286157","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28045","title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue.","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["stat -L /etc/issue"],"result":"passed"}}},"location":"sca"}
```
1.7.5 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :red_circle: Expected mitigation `M1022` and tactic `TA0005`
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
stat -L /etc/issue
  File: /etc/issue
  Size: 23              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346143   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-24 09:32:54.296294418 +0000
Modify: 2022-09-27 18:07:19.000000000 +0000
Change: 2023-02-24 09:32:52.272999921 +0000
 Birth: 2023-02-16 03:40:24.547070048 +0000
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.640+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue are configured.","id":"19008","firedtimes":20,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.5"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0003"],"mitre_mitigations":["M1026"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.286157","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28045","title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue.","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"command":["stat -L /etc/issue"],"result":"passed"}}},"location":"sca"}
```
1.7.6 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# stat -L /etc/issue.net
  File: /etc/issue.net
  Size: 22              Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346144   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-02-23 14:54:51.888129662 +0000
Modify: 2022-09-27 18:07:19.000000000 +0000
Change: 2023-02-16 03:40:24.547070048 +0000
 Birth: 2023-02-16 03:40:24.547070048 +0000
```

Alert
```json
{"timestamp":"2023-02-23T15:58:06.650+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure permissions on /etc/issue.net are configured.","id":"19008","firedtimes":21,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.7.6"],"cis_csc_v8":["3.3"],"cis_csc_v7":["14.6"],"nist_sp_800-53":["AC-3","MP-2"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.308(a)(3)(i)","164.308(a)(3)(ii)(A)","164.312(a)(1)"],"soc_2":["CC5.2","CC6.1"],"mitre_techniques":["T1122","T1122.002"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.289009","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28046","title":"Ensure permissions on /etc/issue.net are configured.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.","rationale":"If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue.net: # chown root:root /etc/issue.net # chmod u-x,go-wx /etc/issue.net.","compliance":{"cis":"1.7.6","cis_csc_v8":"3.3","cis_csc_v7":"14.6","nist_sp_800-53":"AC-3,MP-2","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2"},"hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3":{"2":{"1":"7.1,7.1.1,7.1.2,7.1.3"}},"pci_dss_4":{"0":"1.3.1,7.1"},"soc_2":"CC5.2,CC6.1","mitre_techniques":"T1122,T1122.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"command":["stat -L /etc/issue.net"],"result":"passed"}}},"location":"sca"}
```
1.8.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :red_circle: PCIv3: Expected `['1.2.1', '2.2.2', '2.2.5']`, current `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle:

  Expected:
  ```yaml
  - "c:rpm -q gdm -> r:is not installed"
  ```
  Current:
  ```yaml
  - "f:rpm -q gdm -> r:is not installed"
  ```

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q gdm
package gdm is not installed
```

Alert :red_circle:
```json
{"timestamp":"2023-02-23T15:58:06.660+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure GNOME Display Manager is removed.","id":"19009","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.8.1"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1543","T1543.002"],"mitre_tactics":["TA0002"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.291981","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28047","title":"Ensure GNOME Display Manager is removed.","description":"The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins.","rationale":"If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove the gdm package # dnf remove gdm.","compliance":{"cis":"1.8.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0002"},"references":"https://wiki.gnome.org/Projects/GDM","file":["rpm -q gdm"],"result":"not applicable","reason":"Could not open file 'rpm -q gdm'"}}},"location":"sca"}
```
1.8.2 :black_circle: Not implemented. Expected due to SCA limitations
1.8.3 :black_circle: Not implemented. Expected due to SCA limitations
1.8.4 :black_circle: Not implemented. Expected due to SCA limitations
1.8.5 :black_circle: Not implemented. Expected due to SCA limitations
1.8.6 :black_circle: Not implemented. Expected due to SCA limitations
1.8.7 :black_circle: Not implemented. Expected due to SCA limitations
1.8.8 :black_circle: Not implemented. Expected due to SCA limitations
1.8.9 :black_circle: Not implemented. Expected due to SCA limitations
1.8.10 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :red_circle:
  - **MITRE**: :green_circle:

  PCIv3: Expected `['1.2.1', '2.2.2', '2.2.5']`, current `["1.1.6", "1.2.1", "2.2.2", "2.2.5"]`
- **References**: :black_circle:
- **Rules**: :red_circle: Unexpected whitespace: `f: /etc/gdm/custom.conf`. In addition, it is marked as not applicable when it should be passed, because the default value is false.

Rules details

Command output

Alert :red_circle:
```json
{"timestamp":"2023-02-23T15:58:06.671+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure XDCMP is not enabled.","id":"19009","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.8.10"],"cis_csc_v8":["4.8"],"cis_csc_v7":["9.2"],"iso_27001-2013":["A.13.1.3"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1040","T1056","T1056.001","T1557"],"mitre_tactics":["TA0002"],"mitre_mitigations":["M1050"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.294477","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28048","title":"Ensure XDCMP is not enabled.","description":"X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays.","rationale":"XDMCP is inherently insecure. - XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user. - XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.","remediation":"Edit the file /etc/gdm/custom.conf and remove the line: Enable=true.","compliance":{"cis":"1.8.10","cis_csc_v8":"4.8","cis_csc_v7":"9.2","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5"}},"pci_dss_4":{"0":"1.2.5,2.2.4,6.4.1"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1040,T1056,T1056.001,T1557","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"file":[" /etc/gdm/custom.conf"],"result":"not applicable","reason":"Could not open file ' /etc/gdm/custom.conf'"}}},"location":"sca"}
```
1.9 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Incomplete remediation. It is necessary to include:
  ```
  Once the update process is complete, verify if reboot is required to load changes.
  dnf needs-restarting -r
  ```
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :large_blue_circle:
  - **CSC**: :large_blue_circle:
  - **ISO**: :large_blue_circle:
  - **CMMC**: :large_blue_circle:
  - **SOC**: :large_blue_circle:
  - **NIST**: :large_blue_circle:
  - **PCI**: :red_circle:
  - **MITRE**: :large_blue_circle:

  No mapping value for PCIv3.
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# sh -c "dnf check-update | egrep -v \"Updating|Last metadata|^$\""
[root@rhel9 vagrant]#
```

Alert
```json
{"timestamp":"2023-02-23T18:23:43.086+0000","rule":{"level":9,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure updates, patches, and additional security software are installed.: Status changed from passed to failed","id":"19011","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.9"],"cis_csc_v8":["7.3","7.4"],"cis_csc_v7":["3.4"],"iso_27001-2013":["A.13.1.3"],"nist_sp_800-53":["SI-2(2)"],"soc_2":["CC7.1"],"mitre_techniques":["T1211"],"mitre_tactics":["TA0004","TA0008"],"mitre_mitigations":["M1051"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677176623.363638","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1146114865","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28049","title":"Ensure updates, patches, and additional security software are installed.","description":"Periodically patches are released for included software either due to security flaws or to include additional functionality.","rationale":"Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.","remediation":"Use your package manager to update all packages on the system according to site policy. The following command will install all available updates: # dnf update.","compliance":{"cis":"1.9","cis_csc_v8":"7.3,7.4","cis_csc_v7":"3.4","iso_27001-2013":"A.13.1.3","cmmc_v2":{"0":"SI.L1-3.14.1"},"pci_dss_3":{"2":{"1":"6.2"}},"nist_sp_800-53":"SI-2(2)","soc_2":"CC7.1","mitre_techniques":"T1211","mitre_tactics":"TA0004,TA0008","mitre_mitigations":"M1051"},"command":["sh -c \"dnf check-update | egrep -v \\\"Updating|Last metadata|^$\\\"\""],"result":"failed","previous_result":"passed"}}},"location":"sca"}
```
1.10 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :red_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :red_circle:
  - **MITRE**: :green_circle:

  ISO: Expected `["A.13.1.1", "A.10.1.1"]`, currently `["A.9.1.1"]`
  NIST: Duplicated NIST value. Only the first one is expected.
  PCIv3: Expected `4.1`, currently `["2.1.1", "4.1", "4.1.1", "8.2.1"]`
- **References**: :red_circle: Remove references without links
- **Rules**: :green_circle:

Rules details

Alert
```json
{"timestamp":"2023-02-23T15:58:06.691+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure system-wide crypto policy is not legacy.","id":"19008","firedtimes":23,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["1.10"],"cis_csc_v8":["3.10"],"cis_csc_v7":["14.4"],"nist_sp_800-53":["SC-8"],"iso_27001-2013":["A.9.1.1"],"hipaa":["164.312(a)(2)(iv)","164.312(e)(1)","164.312(e)(2)(i)","164.312(e)(2)(ii)"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1677167886.300763","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"170236259","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28050","title":"Ensure system-wide crypto policy is not legacy.","description":"The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package.","rationale":"If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457.","remediation":"Run the following command to change the system-wide crypto policy # update-crypto-policies --set Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies.","compliance":{"cis":"1.10","cis_csc_v8":"3.10","cis_csc_v7":"14.4","nist_sp_800-53":"SC-8","iso_27001-2013":"A.9.1.1","cmmc_v2":{"0":"AC.L2-3.1.17,AC.L2-3.1.13,IA.L2-3.5.10,SC.L2-3.13.11,SC.L2-3.13.8,SC.L2-3.13.15"},"hipaa":"164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii)","pci_dss_3":{"2":{"1":"2.1.1,4.1,4.1.1,8.2.1"}},"pci_dss_4":{"0":"2.2.7,4.1.1,4.2.1,4.2.1.2,4.2.2,8.3.2"}},"references":"CRYPTO-POLICIES(7),https://access.redhat.com/articles/3642912#what-polices-are-provided-1","file":["/etc/crypto-policies/config"],"result":"passed"}}},"location":"sca"}
```
Rebits commented 1 year ago

Update 23/02/2023

jk-olaoluwa commented 1 year ago

As stated here - https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1442264848

1.3.2 🔴 - Solved

1.3.3 🔴 - not implemented

The grep command sometimes will return error code 1. That means we have to implement a logic like:

.conf file in the folder has multiple lines (AND) OR aide.conf file has multiple lines (AND)

(AND) OR (AND) is not possible with the current SCA.

@Rebits ping me if you need to chat

1.4.1 🔴

1.4.2 🔴

1.6.1.2 🔴

1.6.1.4 🔴 - Solved

1.6.1.5 🔴 - Solved

1.6.1.6 🔴 - PCI - This check is okay as stated in the compliance dictionary v8

1.6.1.8 🔴

1.7.5 🔴 - Solved

1.8.1 🔴

1.8.10 🔴

1.9 🔴

1.10 🔴

https://github.com/wazuh/wazuh/commit/bb7c3ae000329d5abf54091abcbd4ca60423856b

Rebits commented 1 year ago

Testing results - Second review

Note: in this second review, new errors resulting from this issue were also included.

1.3.2 :red_circle:
- **Compliance**: Wrong compliance order

  **actual**:
  ```
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - nist_sp_800-53
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - soc_2
  - iso_27001-2013
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations
  ```
  **expected**:
  ```
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - nist_sp_800-53
  - iso_27001-2013
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - soc_2
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations
  ```
1.3.3 :green_circle: As @jk-olaoluwa has noticed [here](https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1447987872), it could not be possible
1.4.1 :red_circle:
- **Compliance**: Wrong compliance values order:
  ```
  actual:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - nist_sp_800-53
  - soc_2
  - iso_27001-2013
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations

  expected:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - nist_sp_800-53
  - iso_27001-2013
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - soc_2
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations
  ```

1.4.2 :red_circle:
- **Title**: `Automated` is still included in the title
- **Compliance**: Wrong compliance order:
  ```
  actual:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - nist_sp_800-53
  - soc_2
  - iso_27001-2013
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations

  expected:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - nist_sp_800-53
  - iso_27001-2013
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - soc_2
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations
  ```

1.6.1.2 :green_circle:
- **Remediation**: :green_circle:
- **Rule**: :green_circle:
- **Compliance**: :red_circle: Wrong compliance order:
  ```
  actual:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - iso_27001-2013
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - nist_sp_800-53
  - soc_2
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations

  expected:
  - cis
  - cis_csc_v8
  - cis_csc_v7
  - nist_sp_800-53
  - iso_27001-2013
  - cmmc_v2.0
  - hipaa
  - pci_dss_3.2.1
  - pci_dss_4.0
  - soc_2
  - mitre_techniques
  - mitre_tactics
  - mitre_mitigations
  ```
1.6.1.4 :green_circle: - **Rule**: :green_circle:
1.6.1.5 :green_circle: - **References**: :green_circle:
1.6.1.6 :green_circle: - **Compliance**: :green_circle:
1.6.1.8 :green_circle: - **Rule**: :green_circle:
1.7.5 :green_circle: - **Compliance**: :green_circle:
1.8.1 :green_circle: - **Rule**: :green_circle: - **Compliance**: :green_circle:
1.8.10 :green_circle: - **Rule**: :green_circle: - **Compliance**: :green_circle:
1.9 :green_circle: - **Remediation**: :green_circle:
1.10 :green_circle: - **Compliance**: :green_circle:
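The defects reported in this thread fall into three repeatable classes: a rule string with the wrong type prefix (`f:rpm -q gdm`, which the agent then reports as "Could not open file"), a stray space after the prefix (`f: /etc/gdm/custom.conf`), and compliance blocks whose keys are out of order or whose values differ from the mapping dictionary. The following is an added example of a small pre-review linter for those classes; it is not Wazuh code and is not part of this issue. It assumes the SCA rule syntax as the reviewers use it here (type prefixes `f:`, `d:`, `p:`, `c:`, an optional `not ` prefix, and segments joined by ` -> `), copies the expected key order from the second review above, and treats "non-absolute target containing spaces under `f:`" as a heuristic for a command mistakenly written as a file rule. The sample inputs are constructed from the findings on this page.

```python
"""Lint helpers for SCA policy checks (added example, not Wazuh code)."""

# Compliance key order the reviewers expect (copied from the thread above).
EXPECTED_ORDER = [
    "cis", "cis_csc_v8", "cis_csc_v7", "nist_sp_800-53", "iso_27001-2013",
    "cmmc_v2.0", "hipaa", "pci_dss_3.2.1", "pci_dss_4.0", "soc_2",
    "mitre_techniques", "mitre_tactics", "mitre_mitigations",
]

# Rule type prefixes as assumed from the SCA rule syntax:
# file, directory, process, command.
RULE_TYPES = {"f", "d", "p", "c"}


def lint_rule(rule):
    """Return a list of findings for one rule string (empty when it looks sane).

    Only the head segment (before the first ' -> ') is inspected, because the
    two rule defects seen in this thread live there.
    """
    findings = []
    head = rule.split(" -> ")[0]
    if head.startswith("not "):          # optional negation prefix (assumed syntax)
        head = head[len("not "):]
    rtype, sep, target = head.partition(":")
    if not sep or rtype not in RULE_TYPES:
        findings.append("unknown rule type prefix %r" % rtype)
        return findings
    if target != target.lstrip():
        # 'f: /etc/gdm/custom.conf' makes the agent look for a file whose
        # name begins with a space, so the check becomes "not applicable".
        findings.append("leading whitespace after '%s:'" % rtype)
    stripped = target.strip()
    # Heuristic: a file rule whose target is not an absolute path but contains
    # spaces is almost certainly a command that should use 'c:'.
    if rtype == "f" and " " in stripped and not stripped.startswith("/"):
        findings.append("target looks like a command; use 'c:' instead of 'f:'")
    return findings


def check_compliance_order(actual_keys, expected_order=EXPECTED_ORDER):
    """Compare the order of a check's compliance keys against the expected order.

    Returns the unknown keys, the keys sitting in the wrong position, and the
    correctly ordered list of the keys that are present.
    """
    unknown = [k for k in actual_keys if k not in expected_order]
    known = [k for k in actual_keys if k in expected_order]
    correct = sorted(known, key=expected_order.index)
    misplaced = [k for k, e in zip(known, correct) if k != e]
    return {"unknown": unknown, "misplaced": misplaced, "expected": correct}


def diff_compliance(expected, actual):
    """Return {framework: (expected_values, actual_values)} for every mismatch."""
    keys = sorted(set(expected) | set(actual))
    return {k: (expected.get(k), actual.get(k))
            for k in keys if expected.get(k) != actual.get(k)}


if __name__ == "__main__":
    # Constructed inputs taken from the findings in this thread.
    for rule in ("f:rpm -q gdm -> r:is not installed",
                 "f: /etc/gdm/custom.conf -> r:Enable=true",
                 "c:rpm -q gdm -> r:is not installed"):
        print(rule, "=>", lint_rule(rule) or "ok")
    actual_1_3_2 = ["cis", "cis_csc_v8", "cis_csc_v7", "nist_sp_800-53",
                    "cmmc_v2.0", "hipaa", "pci_dss_3.2.1", "pci_dss_4.0",
                    "soc_2", "iso_27001-2013", "mitre_techniques",
                    "mitre_tactics", "mitre_mitigations"]
    print(check_compliance_order(actual_1_3_2)["misplaced"])
    print(diff_compliance({"pci_dss_3.2.1": ["1.2.1", "2.2.2", "2.2.5"]},
                          {"pci_dss_3.2.1": ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]}))
```

Run against a policy file, `lint_rule` would be applied to every entry under `rules:` and `check_compliance_order` / `diff_compliance` to each check's `compliance:` block before the policy reaches manual review; the command-versus-file heuristic is deliberately conservative so that real paths such as `/etc/gdm/custom.conf` are never flagged.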
jk-olaoluwa commented 1 year ago

1.3.2 🔴 1.4.1 🔴 1.4.2 🔴

We solved these ones but we will improve the compliance order by including alphabetical order to them. So, these shouldn't be checked until we have the order done. We are expecting to do this check with the last commit to RHEL 9 SCA Policy.

Rebits commented 1 year ago

Testing results - Third review

PR Commit
https://github.com/wazuh/wazuh/commit/b558c2f83e9ec723d3aad369e58cc54c14ee0776

1.4.2 :red_circle: **Title**: `(Automated)` is still included in the title.
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1451726914

1.4.2 🔴 - Solved

https://github.com/wazuh/wazuh/commit/eb937587622e6798b50a698cb4c309ac4f69585c

Rebits commented 1 year ago

Testing results - Fourth review

PR Commit
https://github.com/wazuh/wazuh/commit/eb937587622e6798b50a698cb4c309ac4f69585c

1.4.2 :green_circle: - **Title**: :green_circle:
Rebits commented 1 year ago

During https://github.com/wazuh/wazuh-qa/issues/3827, a minor error was detected in the 1.3.2 check. The rule should be:

```yaml
condition: all
rules:
  - "c:systemctl is-enabled aidecheck.service -> r:enabled"
  - "c:systemctl is-enabled aidecheck.timer -> r:enabled"
  - "c:systemctl status aidecheck.timer -> r:active"
```

Replacing enabled by enabled.

```
[root@rhel9 vagrant]# systemctl is-enabled aidecheck.service
enabled
```
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1456128389

A minor error was detected in the 1.3.2 check - Solved

https://github.com/wazuh/wazuh/commit/d45bc0a322c4a8b399282621530e011d565d8ae6

Rebits commented 1 year ago

Testing result - Fifth review

PR Commit
https://github.com/wazuh/wazuh/commit/24405eb600b03d6556fea30d7d4a9dd45f74df1a

1.3.2 :green_circle: - **Rules**: Regex fixed correctly
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.

Rebits commented 1 year ago

Testing result - Sixth review

PR Commit
https://github.com/wazuh/wazuh/commit/24405eb600b03d6556fea30d7d4a9dd45f74df1a

After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:

1.3.2 :red_circle:
- **Remediation**: :red_circle: Include `add the following lines` after `Create or edit the file /etc/systemd/system/aidecheck.timer:`

1.4.1 :red_circle:
- **Remediation**: :red_circle: Include `.` at the end of the section

1.7.4 :red_circle:
- **Compliance**: :red_circle: MITRE Techniques: Expected
  ```
  - mitre_techniques: ["T1222", "T1222.002"]
  ```
  Current:
  ```
  - mitre_techniques: ["T1122", "T1122.002"]
  ```

1.7.5 :red_circle:
- **Compliance**: :red_circle: MITRE Techniques: Expected
  ```
  - mitre_techniques: ["T1222", "T1222.002"]
  ```
  Current:
  ```
  - mitre_techniques: ["T1122", "T1122.002"]
  ```

1.7.6 :red_circle:
- **Compliance**: :red_circle: MITRE Techniques: Expected
  ```
  - mitre_techniques: ["T1222", "T1222.002"]
  ```
  Current:
  ```
  - 'mitre_techniques': ['T1122', 'T1122.002']
  ```
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3817#issuecomment-1462439180

1.3.2 🔴 - Solved

1.4.1 🔴 - Solved

1.7.4 🔴 - Solved

1.7.5 🔴 - Solved

1.7.6 🔴 - Solved

https://github.com/wazuh/wazuh/commit/7f4e24311e64fcae337eb33914c74d644b21df2f

Rebits commented 1 year ago

Testing results

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16016/commits/86fc6094f60ecbc45fae42b789507e8ad4b04538

1.3.2 :green_circle: - **Remediation**: :green_circle:
1.4.1 :green_circle: - **Remediation**: :green_circle:
1.7.4 :green_circle: - **Compliance**: :green_circle:
1.7.5 :green_circle: - **Compliance**: :green_circle:
1.7.6 :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.