Red Hat Enterprise Linux 9 SCA policy rework - checks 4.2 to 4.3

72nomada commented 1 year ago

Target version	Related issue	Related PR
4.4.x	#3391	https://github.com/wazuh/wazuh/pull/16016

Check Id and Name	Status	Ready for QA
4.2 Configure Logging
4.2.1 Configure rsyslog
4.2.1.1 Ensure rsyslog is installed (Automated)	🟢	🟢
4.2.1.2 Ensure rsyslog service is enabled (Automated)	🟢	🟢
4.2.1.3 Ensure journald is configured to send logs to rsyslog (Manual)	🟢	🟢
4.2.1.4 Ensure rsyslog default file permissions are configured (Automated)	🟢	🟢
4.2.1.5 Ensure logging is configured (Manual)	⚫
4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host (Manual)	🟢	🟢
4.2.1.7 Ensure rsyslog is not configured to receive logs from a remote client (Automated)	🟢	🟢
4.2.2 Configure journald
4.2.2.1 Ensure journald is configured to send logs to a remote log host
4.2.2.1.1 Ensure systemd-journal-remote is installed (Manual)	🟢	🟢
4.2.2.1.2 Ensure systemd-journal-remote is configured (Manual)	⚫
4.2.2.1.3 Ensure systemd-journal-remote is enabled (Manual)	🟢	🟢
4.2.2.1.4 Ensure journald is not configured to receive logs from a remote client (Automated)	🟢	🟢
4.2.2.2 Ensure journald service is enabled (Automated)	🟢	🟢
4.2.2.3 Ensure journald is configured to compress large log files (Automated)	🟢	🟢
4.2.2.4 Ensure journald is configured to write logfiles to persistent disk (Automated)	🟢	🟢
4.2.2.5 Ensure journald is not configured to send logs to rsyslog (Manual)	🟢	🟢
4.2.2.6 Ensure journald log rotation is configured per site policy (Manual)	⚫
4.2.2.7 Ensure journald default file permissions configured (Manual)	⚫
4.2.3 Ensure all logfiles have appropriate permissions and ownership (Automated)	⚫
4.3 Ensure logrotate is configured (Manual)	⚫

Rebits commented 1 year ago

Tester review

Testing environment

OS	OS version	Deployment	Image/AMI	Notes
RHEL	9	Vagrant	roboxes/rhel9

Status

[x] In progress
[x] Pending Review
[x] QA Manager approved (@jmv74211)
[x] Development team leader approved @72nomada

Rebits commented 1 year ago

Testing results

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16016/commits/7f4e24311e64fcae337eb33914c74d644b21df2f

4.2.1.1 :green_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@rhel9 vagrant]# rpm -q rsyslog rsyslog-8.2102.0-105.el9.x86_64 ```

Alert
``` {"timestamp":"2023-03-13T18:16:51.317+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure rsyslog is installed.","id":"19008","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.1.1"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"nist_sp_800-53":["AU-2","AU-12","SI-5"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"mitre_techniques":["T1005","T1070","T1070.002"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678731411.5433084","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1347683544","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28086","title":"Ensure rsyslog is installed.","description":"The rsyslog software is recommended in environments where journald does not meet operation requirements.","rationale":"The security enhancements of rsyslog such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server) justify installing and configuring the package.","remediation":"Run the following command to install rsyslog: # dnf install rsyslog.","compliance":{"cis":"4.2.1.1","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","nist_sp_800-53":"AU-2,AU-12,SI-5","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"mitre_techniques":"T1005,T1070,T1070.002","mitre_tactics":"TA0005"},"command":["rpm -q rsyslog"],"result":"passed"}}},"location":"sca"} ```

4.2.1.2 :green_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@rhel9 vagrant]# systemctl is-enabled rsyslog enabled ```

Alert
``` {"timestamp":"2023-03-13T18:16:51.327+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure rsyslog service is enabled.","id":"19008","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.1.2"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"nist_sp_800-53":["AU-2","AU-12","SI-5"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"mitre_techniques":["T1070","T1070.002","T1211","T1562","T1562.001"],"mitre_tactics":["TA0005"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678731411.5435766","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1347683544","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28087","title":"Ensure rsyslog service is enabled.","description":"Once the rsyslog package is installed, ensure that the service is enabled.","rationale":"If the rsyslog service is not enabled to start on boot, the system will not capture logging events.","remediation":"Run the following command to enable rsyslog: # systemctl --now enable rsyslog.","compliance":{"cis":"4.2.1.2","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","nist_sp_800-53":"AU-2,AU-12,SI-5","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"mitre_techniques":"T1070,T1070.002,T1211,T1562,T1562.001","mitre_tactics":"TA0005"},"command":["systemctl is-enabled rsyslog"],"result":"passed"}}},"location":"sca"} ```

4.2.1.3 :red_circle:

- **Title**: :large_blue_circle: - **Description**: :large_blue_circle: - **Rationale**: :large_blue_circle: - **Remediation**: :large_blue_circle: - **Impact**: :black_circle: - **Compliance**: :large_blue_circle: - **CIS ID**: :large_blue_circle: - **CSC**: :large_blue_circle: - **ISO**: :large_blue_circle: - **CMMC**: :large_blue_circle: - **SOC**: :large_blue_circle: - **NIST**: :large_blue_circle: - **PCI**: :large_blue_circle: - **MITRE**: :red_circle: Expected tactic: TA0040 - **References**: :large_blue_circle: - **Rules**: :red_circle: Include \s* at the begin of the regex for consistency with the CIS audit rule.

Rules details

Alert
``` {"timestamp":"2023-03-13T18:16:51.345+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald is configured to send logs to rsyslog.","id":"19007","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.1.3"],"cis_csc_v8":["8.2","8.9"],"cis_csc_v7":["6.2","6.3","6.5"],"nist_sp_800-53":["AC-3","AU-2","AU-4","AU-12","MP-2","SI-5"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"soc_2":["PL1.4"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006","T1565"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678731411.5438191","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1347683544","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28088","title":"Ensure journald is configured to send logs to rsyslog.","description":"Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the RSyslog service provides a consistent means of log collection and export.","rationale":"IF RSyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing. Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if journald is used.","remediation":"Edit the /etc/systemd/journald.conf file and add the following line: ForwardToSyslog=yes Restart the service: # systemctl restart rsyslog.","compliance":{"cis":"4.2.1.3","cis_csc_v8":"8.2,8.9","cis_csc_v7":"6.2,6.3,6.5","nist_sp_800-53":"AC-3,AU-2,AU-4,AU-12,MP-2,SI-5","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3,10.5.3,10.5.4"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2,10.3.3"},"soc_2":"PL1.4","mitre_techniques":"T1070,T1070.002,T1562,T1562.006,T1565","mitre_tactics":"TA0005","mitre_mitigations":"M1029"},"file":["/etc/systemd/journald.conf"],"result":"failed"}}},"location":"sca"} ```

4.2.1.5 :black_circle:

Not implemented. Expected due to SCA limitations

4.2.1.6 :red_circle:

- **Title**: :green_circle: - **Description**: :red_circle: Typo, centralized instead of `centralised` - **Rationale**: :green_circle: - **Remediation**: :red_circle: Include `.` at the end of the section - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :black_circle: - **Rules**: :green_circle:

Rules details

Alert
``` {"timestamp":"2023-03-14T12:48:10.981+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure rsyslog is configured to send logs to a remote log host.: Status changed from failed to passed","id":"19010","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.1.6"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678798090.9744","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1926921802","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28090","title":"Ensure rsyslog is configured to send logs to a remote log host.","description":"RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.","rationale":"Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.","remediation":"Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type=\"omfwd\" target=\"192.168.2.100\" port=\"514\" protocol=\"tcp\" action.resumeRetryCount=\"100\" queue.type=\"LinkedList\" queue.size=\"1000\") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.","compliance":{"cis":"4.2.1.6","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"file":["/etc/rsyslog.conf"],"result":"passed","previous_result":"failed"}}},"location":"sca"} ```

4.2.1.7 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :red_circle: Expected `.` at the end of the section - **Impact**: :black_circle: - **Compliance**: :red_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :red_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: ISO: Expected ['A.12.4.1', 'A.13.1.3'], - **References**: :black_circle: - **Rules**: :green_circle:

Rules details

Alert
``` {"timestamp":"2023-03-14T12:48:10.981+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure rsyslog is configured to send logs to a remote log host.: Status changed from failed to passed","id":"19010","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.1.6"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678798090.9744","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1926921802","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28090","title":"Ensure rsyslog is configured to send logs to a remote log host.","description":"RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.","rationale":"Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.","remediation":"Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address. *.* action(type=\"omfwd\" target=\"192.168.2.100\" port=\"514\" protocol=\"tcp\" action.resumeRetryCount=\"100\" queue.type=\"LinkedList\" queue.size=\"1000\") Run the following command to reload the rsyslogd configuration: # systemctl restart rsyslog.","compliance":{"cis":"4.2.1.6","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"file":["/etc/rsyslog.conf"],"result":"passed","previous_result":"failed"}}},"location":"sca"} ```

4.2.2.1.1 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :red_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :red_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: Expected ISO value: 'A.12.4.1' - **References**: :black_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@rhel9 vagrant]# rpm -q systemd-journal-remote package systemd-journal-remote is not installed ```

Alert
``` {"timestamp":"2023-03-13T18:16:51.392+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure systemd-journal-remote is installed.","id":"19007","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.1.1"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"nist_sp_800-53":["AU-2","AU-12","SI-5"],"hipaa":["164.312(b)"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"rhel9"},"manager":{"name":"rhel9"},"id":"1678731411.5452960","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"1347683544","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28092","title":"Ensure systemd-journal-remote is installed.","description":"Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.","rationale":"Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.","remediation":"Run the following command to install systemd-journal-remote: # dnf install systemd-journal-remote.","compliance":{"cis":"4.2.2.1.1","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","nist_sp_800-53":"AU-2,AU-12,SI-5","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"command":["rpm -q systemd-journal-remote"],"result":"failed"}}},"location":"sca"} ```

4.2.2.1.2 :black_circle:

Not implemented. Expected due to SCA limitations

4.2.2.1.3 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :red_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :red_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: Expected ISO value: `A.12.4.1` - **References**: :black_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@rhel9 vagrant]# systemctl is-enabled systemd-journal-upload.service Failed to get unit file state for systemd-journal-upload.service: No such file or directory ```

Alert
``` {"timestamp":"2023-03-14T13:20:57.167+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure systemd-journal-remote is enabled.","id":"19007","firedtimes":1,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.1.3"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"nist_sp_800-53":["AU-2","AU-12","CM-7","SI-5"],"hipaa":["164.312(b)"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.203840","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28093","title":"Ensure systemd-journal-remote is enabled.","description":"Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.","rationale":"Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.","remediation":"Run the following command to enable systemd-journal-remote: # systemctl --now enable systemd-journal-upload.service.","compliance":{"cis":"4.2.2.1.3","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","nist_sp_800-53":"AU-2,AU-12,CM-7,SI-5","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"command":["systemctl is-enabled systemd-journal-upload.service"],"result":"failed"}}},"location":"sca"} ```

4.2.2.1.4 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :red_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :red_circle: - **CMMC**: :red_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: **CMMC**: Missing `AU.L2-3.3.1` value **NIST**: Expected `AU-7` **ISO**: Expected ["A.12.4.1", "A.13.1.3"] - **References**: :black_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@localhost vagrant]# systemctl is-enabled systemd-journal-remote.socket disabled ```

Alert
``` {"timestamp":"2023-03-14T13:20:57.177+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald is not configured to receive logs from a remote client.","id":"19007","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.1.4"],"cis_csc_v8":["4.8","8.2"],"cis_csc_v7":["6.2","6.3","9.2"],"nist_sp_800-53":["AU.L2-3.3.1","AU-2","AU-12","CM-7","SI-5"],"hipaa":["164.312(b)"],"soc_2":["CC6.3","CC6.6"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.206890","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28094","title":"Ensure journald is not configured to receive logs from a remote client.","description":"Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. NOTE: - The same package, systemd-journal-remote, is used for both sending logs to remote hosts and receiving incoming logs. - With regards to receiving logs, there are two services; systemd-journal- remote.socket and systemd-journal-remote.service.","rationale":"If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary.","remediation":"Run the following command to disable systemd-journal-remote.socket: # systemctl --now mask systemd-journal-remote.socket.","compliance":{"cis":"4.2.2.1.4","cis_csc_v8":"4.8,8.2","cis_csc_v7":"6.2,6.3,9.2","nist_sp_800-53":"AU.L2-3.3.1,AU-2,AU-12,CM-7,SI-5","cmmc_v2":{"0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"1.1.6,1.2.1,2.2.2,2.2.5,10.2,10.3"}},"pci_dss_4":{"0":"1.2.5,2.2.4,5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"soc_2":"CC6.3,CC6.6","mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"command":["systemctl is-enabled systemd-journal-remote.socket"],"result":"failed"}}},"location":"sca"} ```

4.2.2.2 :green_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Command output
``` [root@localhost vagrant]# systemctl is-enabled systemd-journald.service static ```

Alert
``` {"timestamp":"2023-03-14T13:20:57.188+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald service is enabled.","id":"19008","firedtimes":2,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.2"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.210534","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28095","title":"Ensure journald service is enabled.","description":"Ensure that the systemd-journald service is enabled to allow capturing of logging events.","rationale":"If the systemd-journald service is not enabled to start on boot, the system will not capture logging events.","remediation":"By default the systemd-journald service does not have an [Install] section and thus cannot be enabled / disabled. It is meant to be referenced as Requires or Wants by other unit files. As such, if the status of systemd-journald is not static, investigate why.","compliance":{"cis":"4.2.2.2","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"command":["systemctl is-enabled systemd-journald.service"],"result":"passed"}}},"location":"sca"} ```

4.2.2.3 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :red_circle:. Remove extra`,` in `Compress=yes,` - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Alert
``` {"timestamp":"2023-03-14T13:20:57.198+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald is configured to compress large log files.","id":"19007","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.3"],"cis_csc_v8":["8.2","8.3"],"cis_csc_v7":["6.2","6.3","6.4"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"soc_2":["A1.1"],"mitre_techniques":["T1562","T1562.001"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1053"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.213463","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28096","title":"Ensure journald is configured to compress large log files.","description":"The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.","rationale":"Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing logs prior to write can prevent sudden, unexpected filesystem impacts.","remediation":"Edit the /etc/systemd/journald.conf file and add the following line: Compress=yes, Restart the service: # systemctl restart systemd-journal-upload.","compliance":{"cis":"4.2.2.3","cis_csc_v8":"8.2,8.3","cis_csc_v7":"6.2,6.3,6.4","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3,10.7"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","soc_2":"A1.1","mitre_techniques":"T1562,T1562.001","mitre_tactics":"TA0005","mitre_mitigations":"M1053"},"file":["/etc/systemd/journald.conf"],"result":"failed"}}},"location":"sca"} ```

4.2.2.4 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :red_circle: Remove extra `,` in `Storage=persistent,` - **Impact**: :black_circle: - **Compliance**: :green_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :green_circle: - **NIST**: :green_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Alert
``` {"timestamp":"2023-03-14T13:20:57.208+0000","rule":{"level":7,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald is configured to write logfiles to persistent disk.","id":"19007","firedtimes":4,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.4"],"cis_csc_v8":["8.2"],"cis_csc_v7":["6.2","6.3"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006"],"mitre_tactics":["TA0005"],"mitre_mitigations":["M1022"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.216510","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28097","title":"Ensure journald is configured to write logfiles to persistent disk.","description":"Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss due to a reboot.","rationale":"Writing log data to disk will provide the ability to forensically reconstruct events which may have impacted the operations or security of a system even after a system crash or reboot.","remediation":"Edit the /etc/systemd/journald.conf file and add the following line: Storage=persistent, Restart the service: # systemctl restart systemd-journal-upload.","compliance":{"cis":"4.2.2.4","cis_csc_v8":"8.2","cis_csc_v7":"6.2,6.3","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","mitre_techniques":"T1070,T1070.002,T1562,T1562.006","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"file":["/etc/systemd/journald.conf"],"result":"failed"}}},"location":"sca"} ```

4.2.2.5 :red_circle:

- **Title**: :green_circle: - **Description**: :green_circle: - **Rationale**: :green_circle: - **Remediation**: :green_circle: - **Impact**: :black_circle: - **Compliance**: :red_circle: - **CIS ID**: :green_circle: - **CSC**: :green_circle: - **ISO**: :green_circle: - **CMMC**: :green_circle: - **SOC**: :red_circle: - **NIST**: :red_circle: - **PCI**: :green_circle: - **MITRE**: :green_circle: NIST: Expected `AU-6(3)` PCI3: Expected ["1.1.6", "1.2.1", "10.2", "10.3", "2.2.2", "2.2.5"] PCI4: Expected ["1.2.5", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2", "2.2.4", "5.3.4", "6.4.1", "6.4.2"] SOC2: Missing value - **References**: :green_circle: - **Rules**: :green_circle:

Rules details

Alert
``` {"timestamp":"2023-03-14T13:20:57.219+0000","rule":{"level":3,"description":"CIS Benchmark for Red Hat Enterprise Linux 9.: Ensure journald is not configured to send logs to rsyslog.","id":"19008","firedtimes":3,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["4.2.2.5"],"cis_csc_v8":["8.2","8.9"],"cis_csc_v7":["6.2","6.3","6.5"],"iso_27001-2013":["A.12.4.1"],"hipaa":["164.312(b)"],"nist_sp_800-53":["AU-7"],"mitre_techniques":["T1070","T1070.002","T1562","T1562.006","T1565"],"mitre_tactics":["TA0040"],"mitre_mitigations":["M1029"]},"agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1678800057.219710","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"780965329","policy":"CIS Benchmark for Red Hat Enterprise Linux 9.","check":{"id":"28098","title":"Ensure journald is not configured to send logs to rsyslog.","description":"Data from journald should be kept in the confines of the service and not forwarded on to other services.","rationale":"IF journald is the method for capturing logs, all logs of the system should be handled by journald and not forwarded to other logging mechanisms. Note: This recommendation only applies if journald is the chosen method for client side logging. Do not apply this recommendation if rsyslog is used.","remediation":"Edit the /etc/systemd/journald.conf file and ensure that ForwardToSyslog=yes is removed. Restart the service: # systemctl restart systemd-journald.service.","compliance":{"cis":"4.2.2.5","cis_csc_v8":"8.2,8.9","cis_csc_v7":"6.2,6.3,6.5","iso_27001-2013":"A.12.4.1","cmmc_v2":{"0":"AU.L2-3.3.1"},"hipaa":"164.312(b)","pci_dss_3":{"2":{"1":"10.2,10.3"}},"pci_dss_4":{"0":"5.3.4,6.4.1,6.4.2,10.2.1,10.2.1.1,10.2.1.2,10.2.1.3,10.2.1.4,10.2.1.5,10.2.1.6,10.2.1.7,10.2.2"},"nist_sp_800-53":"AU-7","mitre_techniques":"T1070,T1070.002,T1562,T1562.006,T1565","mitre_tactics":"TA0040","mitre_mitigations":"M1029"},"file":["/etc/systemd/journald.conf"],"result":"passed"}}},"location":"sca"} ```

4.2.2.6 :black_circle:

Not implemented. Expected

4.2.2.6 :black_circle:

Not implemented. Expected

4.2.2.6 :black_circle:

Not implemented. Expected

4.3 :black_circle:

Not implemented. Expected

jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3821#issuecomment-1464047409

4.2.1.3 🔴

Compliance - Solved
Rule - Solved

4.2.1.6 🔴

Description - Solved
Remediation - . is already in the check

4.2.1.7 🔴

Remediation - . is already in the check
Compliance - Solved

4.2.2.1.1 🔴

Compliance - Solved

4.2.2.1.3 🔴

Compliance - Solved

4.2.2.1.4 🔴

Compliance - Solved

4.2.2.3 🔴

Remediation - Solved

4.2.2.4 🔴

Remediation - Solved

4.2.2.5 🔴

Compliance - Solved
- PCI3 - solved as per compliance dictionary 8.2 and 8.9 v8
- PCI4 - solved as per compliance dictionary 8.2 and 8.9 v8
- SOC - solved
- NIST - solved as per compliance dictionary 8.2 and 8.9 v8

https://github.com/wazuh/wazuh/commit/4f83a78c3bddb6f01b1e8f1c7f0e44446bd5f63b

Rebits commented 1 year ago

Testing results

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/commit/4f83a78c3bddb6f01b1e8f1c7f0e44446bd5f63b

4.2.1.3 :green_circle:

- **Rules**: :green_circle: - **Compliance**: :green_circle:

4.2.1.6 :green_circle:

- **Compliance**: :green_circle:

4.2.1.7 :green_circle:

- **Compliance**: :green_circle: - **Remediation**: :green_circle:

4.2.2.1.1 :green_circle:

- **Compliance**: :green_circle:

4.2.2.1.3 :green_circle:

- **Compliance**: :green_circle:

4.2.2.1.4 :green_circle:

- **Compliance**: :green_circle:

4.2.2.3 :red_circle:

- **Remediation**: :red_circle: Replace `systemd-journal-upload` with `systemd-journald.service`

4.2.2.4 :red_circle:

- **Remediation**: :red_circle: Replace `systemd-journal-upload` with `systemd-journald.service`

4.2.2.5 :green_circle:

- **Compliance**: :green_circle:

jk-olaoluwa commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3821#issuecomment-1473761808

4.2.2.3 🔴 - Solved 4.2.2.4 🔴 - Solved

https://github.com/wazuh/wazuh/commit/ae894aeccebcba2d7c4bc606fa1f04784348ae88

Rebits commented 1 year ago

Testing results

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/commit/ae894aeccebcba2d7c4bc606fa1f04784348ae88

4.2.2.3 :green_circle:

**Remediation**: :green_circle:

4.2.2.4 :green_circle:

**Remediation**: :green_circle:

Rebits commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.

Note: Some changes were proposed during a meeting between @72nomada and @Rebits.

wazuh / wazuh-qa