wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Red Hat Enterprise Linux 9 SCA policy rework - checks 2 to 2.4 #3818

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3391 | https://github.com/wazuh/wazuh/pull/16016 |
| Check Id and Name | Status | Ready for QA |
|---|---|---|
| **2 Services** | | |
| **2.1 Time Synchronization** | | |
| 2.1.1 Ensure time synchronization is in use (Automated) | 🟢 | 🟢 |
| 2.1.2 Ensure chrony is configured (Automated) | 🟢 | 🟢 |
| **2.2 Special Purpose Services** | | |
| 2.2.1 Ensure xorg-x11-server-common is not installed (Automated) | 🟢 | 🟢 |
| 2.2.2 Ensure Avahi Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.3 Ensure CUPS is not installed (Automated) | 🟢 | 🟢 |
| 2.2.4 Ensure DHCP Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.5 Ensure DNS Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.6 Ensure VSFTP Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.7 Ensure TFTP Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.8 Ensure a web server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.9 Ensure IMAP and POP3 server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.10 Ensure Samba is not installed (Automated) | 🟢 | 🟢 |
| 2.2.11 Ensure HTTP Proxy Server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.12 Ensure net-snmp is not installed (Automated) | 🟢 | 🟢 |
| 2.2.13 Ensure telnet-server is not installed (Automated) | 🟢 | 🟢 |
| 2.2.14 Ensure dnsmasq is not installed (Automated) | 🟢 | 🟢 |
| 2.2.15 Ensure mail transfer agent is configured for local-only mode (Automated) | 🟢 | 🟢 |
| 2.2.16 Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) | 🟢 | 🟢 |
| 2.2.17 Ensure rpcbind is not installed or the rpcbind services are masked (Automated) | 🟢 | 🟢 |
| 2.2.18 Ensure rsync-daemon is not installed or the rsyncd service is masked (Automated) | 🟢 | 🟢 |
| **2.3 Service Clients** | | |
| 2.3.1 Ensure telnet client is not installed (Automated) | 🟢 | 🟢 |
| 2.3.2 Ensure LDAP client is not installed (Automated) | 🟢 | 🟢 |
| 2.3.3 Ensure TFTP client is not installed (Automated) | 🟢 | 🟢 |
| 2.3.4 Ensure FTP client is not installed (Automated) | 🟢 | 🟢 |
| 2.4 Ensure nonessential services listening on the system are removed or masked (Manual) | ⚫ | |
Rebits commented 1 year ago

Tester review

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16016/commits/d68f83668ef50d872e3deba294e4b98f6352cc55 |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| RHEL | 9 | Vagrant | roboxes/rhel9 | |

Tested packages

| wazuh-manager |
|---|
| wazuh-managerv-4.4.0-1 |

Status

Conclusion :green_circle:

After the requested changes the policy seems to fit correctly with the CIS Red Hat Enterprise Linux 9 Benchmark. In addition, every audit rule seems to work as expected.

Rebits commented 1 year ago

Testing results

**2.1.1** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  **NIST** Expected:
  ```yaml
  - cis_csc_v7: ["6.1"]
  - nist_sp_800-53: ["AU-3", "AU-12"]
  ```
  Current:
  ```yaml
  - cis_csc_v7: ["6.1"]
  nist_sp_800-53: ["AU-3", "AU-12"]
  ```
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
chrony-4.2-1.el9.x86_64
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28051,"title":"Ensure time synchronization is in use.","description":"System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Note: If another method for time synchronization is being used, this section may be skipped.","rationale":"Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.","remediation":"Run the following command to install chrony: # dnf install chrony.","compliance":{"cis":"2.1.1","cis_csc_v8":"8.4","cis_csc_v7":"6.1","cmmc_v2.0":"AU.L2-3.3.7","pci_dss_3.2.1":"10.4","pci_dss_4.0":"10.6,10.6.1,10.6.2,10.6.3","soc_2":"CC4.1,CC5.2","iso_27001-2013":"A.12.4.4","mitre_techniques":"T1070,T1070.002,T1562,T1562.001","mitre_tactics":"TA0005"},"rules":["c:rpm -q chrony -> r:^chrony-"],"condition":"all","command":"rpm -q chrony","result":"passed"}}
```
**2.1.2** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  **NIST** Expected:
  ```yaml
  - cis_csc_v7: ["6.1"]
  - nist_sp_800-53: ["AU-3", "AU-12"]
  ```
  Current:
  ```yaml
  - cis_csc_v7: ["6.1"]
  nist_sp_800-53: ["AU-3", "AU-12"]
  ```
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Alert
```json
{"type":"check","id":1491291600,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28052,"title":"Ensure chrony is configured.","description":"chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.","rationale":"If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.","remediation":"Add or edit server or pool lines to /etc/chrony.conf as appropriate: server Add or edit the OPTIONS in /etc/sysconfig/chronyd to include '-u chrony': OPTIONS=\"-u chrony\"","compliance":{"cis":"2.1.2","cis_csc_v8":"8.4","cis_csc_v7":"6.1","cmmc_v2.0":"AU.L2-3.3.7","pci_dss_3.2.1":"10.4","pci_dss_4.0":"10.6,10.6.1,10.6.2,10.6.3","soc_2":"CC4.1,CC5.2","iso_27001-2013":"A.12.4.4","mitre_techniques":"T1070,T1070.002","mitre_tactics":"TA0002","mitre_mitigations":"M1022"},"rules":["f:/etc/chrony.conf","f:/etc/chrony.conf -> r:^\\s*\\t*server|^\\s*\\t*pool","f:/etc/sysconfig/chronyd -> r:^\\s*\\t*OPTIONS\\.*-u chrony"],"condition":"all","file":"/etc/chrony.conf,/etc/sysconfig/chronyd","result":"passed"}}
```
**2.2.1** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :red_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:

  **NIST** Expected:
  ```yaml
  - cis_csc_v7: ["9.2"]
  - nist_sp_800-53: ["CM-7"]
  ```
  Current:
  ```yaml
  - cis_csc_v7: ["9.2"]
  nist_sp_800-53: ["CM-7"]
  ```
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q xorg-x11-server-common
package xorg-x11-server-common is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28053,"title":"Ensure xorg-x11-server-common is not installed.","description":"The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.","rationale":"Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.","remediation":"Run the following command to remove the X Windows Server packages: # dnf remove xorg-x11-server-common.","compliance":{"cis":"2.2.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q xorg-x11-server-common -> r:^package xorg-x11-server-common is not installed"],"condition":"all","command":"rpm -q xorg-x11-server-common","result":"passed"}}
```
**2.2.2** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q avahi
package avahi is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28054,"title":"Ensure Avahi Server is not installed.","description":"Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.","rationale":"Automatic discovery of network services is not normally required for system functionality. It is recommended to remove this package to reduce the potential attack surface.","remediation":"Run the following commands to stop, mask and remove avahi: # systemctl stop avahi-daemon.socket avahi-daemon.service # dnf remove avahi.","compliance":{"cis":"2.2.2","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q avahi -> r:^package avahi is not installed"],"condition":"all","command":"rpm -q avahi","result":"passed"}}
```
**2.2.3** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q cups
package cups is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28055,"title":"Ensure CUPS is not installed.","description":"The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.","rationale":"If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system.","remediation":"Run the following command to remove cups: # dnf remove cups.","compliance":{"cis":"2.2.3","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q cups -> r:^package cups is not installed"],"condition":"all","references":"More detailed documentation on CUPS is available at the project homepage at http://www.cups.org.","command":"rpm -q cups","result":"passed"}}
```
**2.2.4** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q dhcp-server
package dhcp-server is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28056,"title":"Ensure DHCP Server is not installed.","description":"The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.","rationale":"Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcp-server package be removed to reduce the potential attack surface.","remediation":"Run the following command to remove dhcp: # dnf remove dhcp-server.","compliance":{"cis":"2.2.4","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q dhcp-server -> r:^package dhcp-server is not installed"],"condition":"all","command":"rpm -q dhcp-server","result":"passed"}}
```
**2.2.5** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q bind
package bind is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28057,"title":"Ensure DNS Server is not installed.","description":"The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.","rationale":"Unless a system is specifically designated to act as a DNS server, it is recommended that the package be removed to reduce the potential attack surface.","remediation":"Run the following command to remove bind: # dnf remove bind.","compliance":{"cis":"2.2.5","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q bind -> r:^package bind is not installed"],"condition":"all","command":"rpm -q bind","result":"passed"}}
```
**2.2.6** :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :red_circle:

  Expected:
  ```
  Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface.
  ```
  Current:
  ```
  Unless there is a need to run the system as an FTP server, it is recommended that the package be removed to reduce the potential attack surface
  ```
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q vsftpd
package vsftpd is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28058,"title":"Ensure VSFTP Server is not installed.","description":"FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server).","rationale":"Unless there is a need to run the system as an FTP server, it is recommended that the package be removed to reduce the potential attack surface.","remediation":"Run the following command to remove vsftpd: # dnf remove vsftpd.","compliance":{"cis":"2.2.6","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q vsftpd -> r:^package vsftpd is not installed"],"condition":"all","command":"rpm -q vsftpd","result":"passed"}}
```
**2.2.7** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q tftp-serve
package tftp-serve is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28059,"title":"Ensure TFTP Server is not installed.","description":"Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.","rationale":"Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files.","remediation":"Run the following command to remove tftp-server: # dnf remove tftp-server.","compliance":{"cis":"2.2.7","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q tftp-server -> r:^package tftp-server is not installed"],"condition":"all","command":"rpm -q tftp-server","result":"passed"}}
```
**2.2.8** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q nginx
package nginx is not installed
[root@rhel9 vagrant]# rpm -q httpd
package httpd is not installed
[root@rhel9 vagrant]#
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28060,"title":"Ensure a web server is not installed.","description":"Web servers provide the ability to host web site content.","rationale":"Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required.","remediation":"Run the following command to remove httpd and nginx: # dnf remove httpd nginx.","compliance":{"cis":"2.2.8","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q nginx -> r:^package nginx is not installed","c:rpm -q httpd -> r:^package httpd is not installed"],"condition":"all","command":"rpm -q nginx,rpm -q httpd","result":"passed"}}
```
**2.2.9** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q dovecot
package dovecot is not installed
[root@rhel9 vagrant]# rpm -q cyrus-imapd
package cyrus-imapd is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28061,"title":"Ensure IMAP and POP3 server is not installed.","description":"dovecot is an open source IMAP and POP3 server for Linux based systems.","rationale":"Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required.","remediation":"Run the following command to remove dovecot and cyrus-imapd: # dnf remove dovecot cyrus-imapd.","compliance":{"cis":"2.2.9","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q dovecot -> r:^package dovecot is not installed","c:rpm -q cyrus-imapd -> r:^package cyrus-imapd is not installed"],"condition":"all","command":"rpm -q dovecot,rpm -q cyrus-imapd","result":"passed"}}
```
**2.2.10** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q samba
package samba is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28062,"title":"Ensure Samba is not installed.","description":"The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems.","rationale":"If there is no need to mount directories and file systems to Windows systems, then this package can be removed to reduce the potential attack surface.","remediation":"Run the following command to remove samba: # dnf remove samba.","compliance":{"cis":"2.2.10","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1005,T1039,T1083,T1135,T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q samba -> r:^package samba is not installed"],"condition":"all","command":"rpm -q samba","result":"passed"}}
```
**2.2.11** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q squid
package squid is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28063,"title":"Ensure HTTP Proxy Server is not installed.","description":"Squid is a standard proxy server used in many distributions and environments.","rationale":"Unless a system is specifically set up to act as a proxy server, it is recommended that the squid package be removed to reduce the potential attack surface. Note: Several HTTP proxy servers exist. These should be checked and removed unless required.","remediation":"Run the following command to remove the squid package: # dnf remove squid.","compliance":{"cis":"2.2.11","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q squid -> r:^package squid is not installed"],"condition":"all","command":"rpm -q squid","result":"passed"}}
```
**2.2.12** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q net-snmp
package net-snmp is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28064,"title":"Ensure net-snmp is not installed.","description":"Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment, computer equipment and devices like UPSs. Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs 1901-1908), and SNMPv3 (RFCs 3411-3418) using both IPv4 and IPv6. Support for SNMPv2 classic (a.k.a. \"SNMPv2 historic\" - RFCs 1441-1452) was dropped with the 4.0 release of the UCD-snmp package. The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.","rationale":"The SNMP server can communicate using SNMPv1, which transmits data in the clear and does not require authentication to execute commands. SNMPv3 replaces the simple/clear text password sharing used in SNMPv2 with more securely encoded parameters. If the the SNMP service is not required, the net-snmp package should be removed to reduce the attack surface of the system. Note: If SNMP is required: - The server should be configured for SNMP v3 only. User Authentication and Message Encryption should be configured. 
- If SNMP v2 is absolutely necessary, modify the community strings' values.","remediation":"Run the following command to remove net-snmpd: # dnf remove net-snmp.","compliance":{"cis":"2.2.12","cis_csc_v8":"4.8","cis_csc_v7":"2.6,9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3,A.12.5.1,A.12.6.2","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q net-snmp -> r:^package net-snmp is not installed"],"condition":"all","command":"rpm -q net-snmp","result":"passed"}}
```
**2.2.13** :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q telnet-server
package telnet-server is not installed
```
Alert
```json
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28065,"title":"Ensure telnet-server is not installed.","description":"The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol.","rationale":"The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security.","remediation":"Run the following command to remove the telnet-server package: # dnf remove telnet-server.","compliance":{"cis":"2.2.13","cis_csc_v8":"4.8","cis_csc_v7":"2.6,9.2","nist_800_53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3,A.12.5.1,A.12.6.2","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q telnet-server -> r:^package telnet-server is not installed"],"condition":"all","command":"rpm -q telnet-server","result":"passed"}}
```
2.2.14 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q dnsmasq
package dnsmasq is not installed
```

Alert
```
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28066,"title":"Ensure dnsmasq is not installed.","description":"dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services.","rationale":"Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface.","remediation":"Run the following command to remove dnsmasq: # dnf remove dnsmasq.","compliance":{"cis":"2.2.14","nist_800_53":"CM-7","mitre_techniques":"T1203,T1210,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q dnsmasq -> r:^package dnsmasq is not installed"],"condition":"all","command":"rpm -q dnsmasq","result":"passed"}}
```
2.2.15 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# ss -lntu
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0              [::1]:323           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:55000      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:1514       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:1515       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
```

Alert
```
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28067,"title":"Ensure mail transfer agent is configured for local-only mode.","description":"Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.","rationale":"The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Notes: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state.","remediation":"Edit /etc/postfix/main.cf and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below: inet_interfaces = loopback-only. Run the following command to restart postfix: # systemctl restart postfix.","compliance":{"cis":"2.2.15","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1018,T1210","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["not c:ss -lntu -> r:\\s*127.0.0.1:25\\s*|\\s*::1:25\\s*"],"condition":"all","command":"ss -lntu","result":"passed"}}
```
2.2.16 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:

  **Expected**:
  ```
  Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-utils package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server.
  ```

  **Current**:
  ```
  Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server.
  ```
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q nfs-utils
package nfs-utils is not installed
[root@rhel9 vagrant]# systemctl is-enabled nfs-server
Failed to get unit file state for nfs-server.service: No such file or directory
[root@rhel9 vagrant]#
```

Alert
```
{"type":"check","id":770809971,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28068,"title":"Ensure nfs-utils is not installed or the nfs-server service is masked.","description":"The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.","rationale":"If the system does not require network shares, it is recommended that the nfs-utils package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove nfs-utils: # dnf remove nfs-utils OR If the nfs-package is required as a dependency, run the following command to stop and mask the nfs-server service: # systemctl --now mask nfs-server.","compliance":{"cis":"2.2.16","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1005,T1039,T1083,T1135,T1210","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q nfs-utils -> r:^package nfs-utils is not installed","c:systemctl is-enabled nfs-server -> r:masked|No such file or directory"],"condition":"any","command":"rpm -q nfs-utils","result":"passed"}}
```
2.2.17 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle:

  **Expected**
  ```
  Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.
  ```

  **Current**
  ```
  Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket services: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :yellow_circle:

  Regarding the CIS policy, we should assert that rpcbind is not installed or that the rpcbind and rpcbind.socket systemd units are masked. Now, in this case, this check will be marked as pass:
  ```
  [root@localhost vagrant]# systemctl is-enabled rpcbind.socket
  enabled
  [root@localhost vagrant]# systemctl is-enabled rpcbind
  masked
  [root@localhost vagrant]#
  ```

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q rpcbind
package rpcbind is not installed
[root@rhel9 vagrant]# systemctl is-enabled rpcbind
Failed to get unit file state for rpcbind.service: No such file or directory
[root@rhel9 vagrant]# systemctl is-enabled rpcbind.socket
Failed to get unit file state for rpcbind.socket: No such file or directory
[root@rhel9 vagrant]#
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28069,"title":"Ensure rpcbind is not installed or the rpcbind services are masked.","description":"The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.","rationale":"A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket services: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.","compliance":{"cis":"2.2.17","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1498,T1498.002,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rpcbind -> r:^package rpcbind is not installed","c:systemctl is-enabled rpcbind -> r:masked|No such file or directory","c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory"],"condition":"any","command":"rpm -q rpcbind","result":"passed"}}
```
2.2.18 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q rsync-daemon
package rsync-daemon is not installed
[root@rhel9 vagrant]# systemctl is-enabled rsyncd
Failed to get unit file state for rsyncd.service: No such file or directory
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28070,"title":"Ensure rsync-daemon is not installed or the rsyncd service is masked.","description":"The rsyncd service can be used to synchronize files between systems over network links.","rationale":"Unless required, the rsync-daemon package should be removed to reduce the attack surface area of the system. The rsyncd service presents a security risk as it uses unencrypted protocols for communication. Note: If a required dependency exists for the rsync-daemon package, but the rsyncd service is not required, the service should be masked.","remediation":"Run the following command to remove the rsync package: # dnf remove rsync-daemon OR Run the following command to mask the rsyncd service: # systemctl --now mask rsyncd.","compliance":{"cis":"2.2.18","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1105,T1203,T1210,T1543,T1543.002,T1570","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rsync-daemon -> r:^package rsync-daemon is not installed","c:systemctl is-enabled rsyncd -> r:masked|No such file or directory"],"condition":"any","command":"rpm -q rsync-daemon","result":"passed"}}
```
2.3.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q telnet
telnet-0.17-85.el9.x86_64
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28071,"title":"Ensure telnet client is not installed.","description":"The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol.","rationale":"The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions.","remediation":"Run the following command to remove the telnet package: # dnf remove telnet.","compliance":{"cis":"2.3.1","cis_csc_v8":"4.8","cis_csc_v7":"2.6","nist_sp_800-53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.12.5.1,A.12.6.2","mitre_techniques":"T1040,T1203,T1543,T1543.002","mitre_tactics":"TA0006,TA0008","mitre_mitigations":"M1041,M1042"},"rules":["c:rpm -q telnet -> r:^package telnet is not installed"],"condition":"all","command":"rpm -q telnet","result":"failed"}}
```
2.3.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q openldap-clients
package openldap-clients is not installed
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28072,"title":"Ensure LDAP client is not installed.","description":"The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.","rationale":"If the system will not need to act as an LDAP client, it is recommended that the software be removed to reduce the potential attack surface.","remediation":"Run the following command to remove the openldap-clients package: # dnf remove openldap-clients.","compliance":{"cis":"2.3.2","cis_csc_v8":"4.8","cis_csc_v7":"2.6","nist_sp_800-53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.12.5.1,A.12.6.2","mitre_techniques":"T1203,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q openldap-clients -> r:^package openldap-clients is not installed"],"condition":"all","command":"rpm -q openldap-clients","result":"passed"}}
```
2.3.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q tftp
package tftp is not installed
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28073,"title":"Ensure TFTP client is not installed.","description":"Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.","rationale":"TFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files.","remediation":"Run the following command to remove tftp: # dnf remove tftp.","compliance":{"cis":"2.3.3","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_sp_800-53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q tftp -> r:^package tftp is not installed"],"condition":"all","command":"rpm -q tftp","result":"passed"}}
```
2.3.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
  - **CIS ID**: :green_circle:
  - **CSC**: :green_circle:
  - **ISO**: :green_circle:
  - **CMMC**: :green_circle:
  - **SOC**: :green_circle:
  - **NIST**: :green_circle:
  - **PCI**: :green_circle:
  - **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@rhel9 vagrant]# rpm -q ftp
package ftp is not installed
```

Alert
```
{"type":"check","id":1177380810,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28074,"title":"Ensure FTP client is not installed.","description":"FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server).","rationale":"FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be removed to reduce the potential attack surface.","remediation":"Run the following command to remove ftp: # dnf remove ftp.","compliance":{"cis":"2.3.4","cis_csc_v8":"4.8","cis_csc_v7":"9.2","nist_sp_800-53":"CM-7","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q ftp -> r:^package ftp is not installed"],"condition":"all","command":"rpm -q ftp","result":"passed"}}
```
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3818#issuecomment-1450419200

2.1.1 🔴 - Solved
2.1.2 🔴 - Solved
2.2.1 🔴 - Solved
2.2.6 🔴 - Solved
2.2.16 🔴 - Solved
2.2.17 🔴 - Solved

https://github.com/wazuh/wazuh/commit/c7b1cd11ed4a881dbeecb78d7c9f53270f74b31f

Rebits commented 1 year ago

Testing results - Second review

PR Commit
https://github.com/wazuh/wazuh/commit/b558c2f83e9ec723d3aad369e58cc54c14ee0776

2.1.1 :green_circle: - **Compliance**: :green_circle:
2.1.2 :green_circle: - **Compliance**: :green_circle:
2.2.1 :green_circle: - **Compliance**: :green_circle:
2.2.6 :green_circle: - **Rationale**: :green_circle:
2.2.16 :green_circle: - **Remediation**: :green_circle:
2.2.17 :yellow_circle:
- **Remediation**: :green_circle:
- **Rules**: :yellow_circle:

  As commented in the previous review interaction:
  ```
  Regarding CIS policy we should assert that rpcbind is not installed or rpcbind and rpcbind.socket systemd units are masked. Now, in this case, this check will be marked as a pass
  [root@localhost vagrant]# systemctl is-enabled rpcbind.socket
  enabled
  [root@localhost vagrant]# systemctl is-enabled rpcbind
  masked
  [root@localhost vagrant]#
  ```
  Is it possible to work around this case?
jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3818#issuecomment-1451738167

2.2.17 🟡 - Solved

https://github.com/wazuh/wazuh/commit/eb937587622e6798b50a698cb4c309ac4f69585c

Rebits commented 1 year ago

Testing results - Third review

2.2.17 :green_circle:
- **Rules**:

**Rpcbind is not installed** :green_circle:
```
{"type":"check","id":843294813,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28069,"title":"Ensure rpcbind is not installed or the rpcbind services are masked.","description":"The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.","rationale":"A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.","compliance":{"cis":"2.2.17","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1498,T1498.002,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rpcbind -> r:^package rpcbind is not installed","not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"],"condition":"any","command":"rpm -q rpcbind","result":"passed"}}
```

**Rpcbind is installed and enabled** :green_circle:
```
{"type":"check","id":2094635115,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28069,"title":"Ensure rpcbind is not installed or the rpcbind services are masked.","description":"The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.","rationale":"A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.","compliance":{"cis":"2.2.17","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1498,T1498.002,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rpcbind -> r:^package rpcbind is not installed","not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"],"condition":"any","command":"rpm -q rpcbind,systemctl status rpcbind rpcbind.socket","result":"failed"}}
```

**Rpcbind is installed and masked** :green_circle:
```
{"type":"check","id":1431028828,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28069,"title":"Ensure rpcbind is not installed or the rpcbind services are masked.","description":"The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.","rationale":"A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.","compliance":{"cis":"2.2.17","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1498,T1498.002,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rpcbind -> r:^package rpcbind is not installed","not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"],"condition":"any","command":"rpm -q rpcbind,systemctl status rpcbind rpcbind.socket","result":"passed"}}
```

**Rpcbind socket is masked but service is not** :green_circle:
```
{"type":"check","id":638188393,"policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","policy_id":"cis_rhel9_linux","check":{"id":28069,"title":"Ensure rpcbind is not installed or the rpcbind services are masked.","description":"The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.","rationale":"A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system.","remediation":"Run the following command to remove rpcbind: # dnf remove rpcbind OR If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind.service and rpcbind.socket systemd units: # systemctl --now mask rpcbind.service # systemctl --now mask rpcbind.socket.","compliance":{"cis":"2.2.17","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","mitre_techniques":"T1203,T1210,T1498,T1498.002,T1543,T1543.002","mitre_tactics":"TA0008","mitre_mitigations":"M1042"},"rules":["c:rpm -q rpcbind -> r:^package rpcbind is not installed","not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked"],"condition":"any","command":"rpm -q rpcbind,systemctl status rpcbind rpcbind.socket","result":"failed"}}
```
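The 2.2.17 rule rework discussed across these reviews, as an added example that is not part of the issue or of Wazuh's own code: a small Python emulation of SCA command rules (`c:` command, `r:`/`!r:` regex conditions tested line by line, `&&` joining conditions that must hold on the same line, a leading `not` inverting the rule, and the check-level `any` condition) run over constructed command outputs for the host states the reviews exercised. It shows why the original pair of `is-enabled` rules passes when only one of the two units is masked, and the reworked `systemctl status` rule does not. The rule semantics and Python `re` standing in for Wazuh's regex engine are assumptions; every command output and the version string are constructed, not captured.

```python
import re

# Rule sets copied from the alerts quoted in this issue (check condition is "any").
OLD_RULES = [
    "c:rpm -q rpcbind -> r:^package rpcbind is not installed",
    "c:systemctl is-enabled rpcbind -> r:masked|No such file or directory",
    "c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory",
]
NEW_RULES = [
    "c:rpm -q rpcbind -> r:^package rpcbind is not installed",
    "not c:systemctl status rpcbind rpcbind.socket -> r:Loaded: && !r: masked",
]


def status_block(unit, loaded_line):
    """Constructed fragment of `systemctl status` output for one unit."""
    return f"* {unit}\n     Loaded: {loaded_line}\n     Active: inactive (dead)"


def masked(unit):
    return status_block(unit, f"masked (Reason: Unit {unit} is masked.)")


def enabled(unit):
    return status_block(unit, f"loaded (/usr/lib/systemd/system/{unit}; enabled; preset: enabled)")


NOT_FOUND = "Failed to get unit file state for {u}: No such file or directory"
INSTALLED = "rpcbind-0.0.0-0.el9.x86_64"  # constructed version string, not a real build


def installed_state(service_state, socket_state):
    """Command outputs for an installed rpcbind; states are 'enabled' or 'masked'."""
    render = {"enabled": enabled, "masked": masked}
    return {
        "rpm -q rpcbind": INSTALLED,
        "systemctl is-enabled rpcbind": service_state,
        "systemctl is-enabled rpcbind.socket": socket_state,
        "systemctl status rpcbind rpcbind.socket":
            render[service_state]("rpcbind.service") + "\n\n" + render[socket_state]("rpcbind.socket"),
    }


# Constructed host states keyed by a label; each maps command -> its output.
STATES = {
    "not installed": {
        "rpm -q rpcbind": "package rpcbind is not installed",
        "systemctl is-enabled rpcbind": NOT_FOUND.format(u="rpcbind.service"),
        "systemctl is-enabled rpcbind.socket": NOT_FOUND.format(u="rpcbind.socket"),
        "systemctl status rpcbind rpcbind.socket":
            "Unit rpcbind.service could not be found.\nUnit rpcbind.socket could not be found.",
    },
    "installed, both enabled": installed_state("enabled", "enabled"),
    "installed, both masked": installed_state("masked", "masked"),
    "installed, service masked, socket enabled": installed_state("masked", "enabled"),
    "installed, service enabled, socket masked": installed_state("enabled", "masked"),
}

RULE = re.compile(r"^(?P<neg>not )?c:(?P<cmd>.+?) -> (?P<conds>.+)$")


def rule_matches(rule, outputs):
    """Emulate one SCA command rule (assumed semantics): each regex condition is
    tested per output line, '&&' requires all conditions on the same line,
    '!r:' negates a condition, and a leading 'not' inverts the whole rule."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    conds = [c.strip() for c in m["conds"].split("&&")]

    def line_ok(line):
        for cond in conds:
            if cond.startswith("!r:"):
                if re.search(cond[3:], line):
                    return False
            elif cond.startswith("r:"):
                if not re.search(cond[2:], line):
                    return False
            else:
                raise ValueError(f"unsupported condition: {cond}")
        return True

    matched = any(line_ok(line) for line in outputs[m["cmd"]].splitlines())
    return (not matched) if m["neg"] else matched


def check_result(rules, condition, outputs):
    """Combine rule results with the check-level condition ('any' or 'all')."""
    results = [rule_matches(r, outputs) for r in rules]
    passed = any(results) if condition == "any" else all(results)
    return "passed" if passed else "failed"


def compare_rule_sets():
    """Return {state label: (old rules result, new rules result)}."""
    return {name: (check_result(OLD_RULES, "any", out), check_result(NEW_RULES, "any", out))
            for name, out in STATES.items()}


if __name__ == "__main__":
    for name, (old, new) in compare_rule_sets().items():
        print(f"{name:45} old={old:7} new={new}")
```

The two half-masked states are the ones the reviewer flagged: the old rule set reports `passed` for both, the reworked rule reports `failed`.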
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.

Rebits commented 1 year ago

Testing result - Fourth review

PR Commit
https://github.com/wazuh/wazuh/commit/24405eb600b03d6556fea30d7d4a9dd45f74df1a

After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:


2.1.2 :red_circle: **Remediation**: Missing `.` at the end of the section
2.2.15 :red_circle: **Rationale**: Replace `Notes` by `Note`

Expected
```
The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: - This recommendation is designed around the postfix mail server. - Depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state.
```

2.2.16 :red_circle: **Impact**: Replace `nfsserver` by `nfs-server`
Rebits commented 1 year ago

Testing result - Fourth review

PR Commit
https://github.com/wazuh/wazuh/commit/7f4e24311e64fcae337eb33914c74d644b21df2f

After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:


2.1.2 :green_circle: **Remediation**: :green_circle:
2.2.15 :green_circle: **Rationale**: :green_circle:
2.2.16 :green_circle: **Impact**: :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.