wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Debian Linux 11 SCA policy - checks 1 to 1.2.2 #3826

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3825 | https://github.com/wazuh/wazuh/pull/16017 |
| Check Id and Name | Status | Extra |
|---|---|---|
| 1 Initial Setup | | |
| 1.1 Filesystem Configuration | | |
| 1.1.1 Disable unused filesystems | | |
| 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) | | |
| 1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) | | |
| 1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated) | | |
| 1.1.2 Configure /tmp | | |
| 1.1.2.1 Ensure /tmp is a separate partition (Automated) | 🟢 | |
| 1.1.2.2 Ensure nodev option set on /tmp partition (Automated) | 🟢 | |
| 1.1.2.3 Ensure noexec option set on /tmp partition (Automated) | 🟢 | |
| 1.1.2.4 Ensure nosuid option set on /tmp partition (Automated) | 🟢 | |
| 1.1.3 Configure /var | | |
| 1.1.3.1 Ensure separate partition exists for /var (Automated) | 🟢 | |
| 1.1.3.2 Ensure nodev option set on /var partition (Automated) | 🟢 | |
| 1.1.3.3 Ensure nosuid option set on /var partition (Automated) | 🟢 | |
| 1.1.4 Configure /var/tmp | | |
| 1.1.4.1 Ensure separate partition exists for /var/tmp (Automated) | 🟢 | |
| 1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated) | 🟢 | |
| 1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated) | 🟢 | |
| 1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated) | 🟢 | |
| 1.1.5 Configure /var/log | | |
| 1.1.5.1 Ensure separate partition exists for /var/log (Automated) | 🟢 | |
| 1.1.5.2 Ensure nodev option set on /var/log partition (Automated) | 🟢 | |
| 1.1.5.3 Ensure noexec option set on /var/log partition (Automated) | 🟢 | |
| 1.1.5.4 Ensure nosuid option set on /var/log partition (Automated) | 🟢 | |
| 1.1.6 Configure /var/log/audit | | |
| 1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated) | 🟢 | |
| 1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated) | 🟢 | |
| 1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated) | 🟢 | |
| 1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated) | 🟢 | |
| 1.1.7 Configure /home | | |
| 1.1.7.1 Ensure separate partition exists for /home (Automated) | 🟢 | |
| 1.1.7.2 Ensure nodev option set on /home partition (Automated) | 🟢 | |
| 1.1.7.3 Ensure nosuid option set on /home partition (Automated) | 🟢 | |
| 1.1.8 Configure /dev/shm | | |
| 1.1.8.1 Ensure nodev option set on /dev/shm partition (Automated) | 🟢 | |
| 1.1.8.2 Ensure noexec option set on /dev/shm partition (Automated) | 🟢 | |
| 1.1.8.3 Ensure nosuid option set on /dev/shm partition (Automated) | 🟢 | |
| 1.1.9 Disable Automounting (Automated) | 🟢 | |
| 1.1.10 Disable USB Storage (Automated) | 🟢 | |
| 1.2 Configure Software Updates | | |
| 1.2.1 Ensure package manager repositories are configured (Manual) | | |
| 1.2.2 Ensure GPG keys are configured (Manual) | | |

Threat Intel - @olulekew7

Rebits commented 1 year ago

Tester review

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Debian | 11 | Vagrant | debian/bullseye64 | |

Tested packages

| Package | Version |
|---|---|
| wazuh-manager | 4.4.0-1 |

Status

Conclusion :green_circle:

After the requested changes the policy seems to fit correctly with the CIS Red Hat Enterprise Linux 9 Benchmark. In addition, every audit rule seems to work as expected.

Rebits commented 1 year ago

Update 03/03/2023

Rebits commented 1 year ago

Testing results

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/fb54bf7381c68e3609bfa237d8d6054c1e216ae2 |

Review of checks 1-1.1.3.3. The rest of the checks of the policy will be reviewed in the second iteration to work with the newest policy version.

Note: Check 29532 includes an indentation error that leads to a global error in the policy. This check is out of the scope of this issue, so this testing was performed by removing all the checks in the policy after 1.2.2.

General policy checks :red_circle:

Requirements for this policy are:

```yaml
requirements:
  title: "Check Debian version."
  description: "Requirements for running the SCA scan against Debian/Ubuntu."
  condition: all
  rules:
    - "f:/etc/debian_version"
    - "f:/proc/sys/kernel/ostype -> Linux"
```

However, it does not check if the Debian version is 11. Also, the description also covers Ubuntu systems, but this OS already has its own policy defined.
1.1.1.1 :black_circle: Not implemented. Expected due to SCA limitations
1.1.1.2 :black_circle: Not implemented. Expected due to SCA limitations
1.1.1.3 :black_circle: Not implemented. Expected due to SCA limitations
1.1.2.1 :red_circle:
- **Title**: :red_circle: **Expected**: `Ensure /tmp is a separate partition` **Current**: `Ensure /tmp is separate partition`
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Expected `.` at the end of the section
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :yellow_circle: We should include the `static` value in the rule regex. Also, replace the first rule regex with `r:^/tmp\s`
  ```yaml
  rules:
    - "c:findmnt --kernel /tmp -> r:^/tmp\s"
    - "c:systemctl is-enabled tmp.mount -> r:enabled|generated|static"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /tmp
root@debian11:/home/vagrant# systemctl is-enabled tmp.mount
Failed to get unit file state for tmp.mount: No such file or directory
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29500,"title":"Ensure /tmp is separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount. For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. 
Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.targetBefore=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs","compliance":{"cis":"1.1.2.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:/tmp","c:systemctl is-enabled tmp.mount -> r:enabled|generated"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
```
1.1.2.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :red_circle: **Expected**:
  ```
  Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp
  ```
  **Current**:
  ```
  Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp
  ```
- **Remediation**: :red_circle: Expected `.` at the end of the section
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Replace the rule by
  ```yaml
  - "c:findmnt --kernel /tmp -> r:^/tmp && r:nodev"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29501,"title":"Ensure nodev option set on /tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:nodev"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
1.1.2.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Replace the rule by:
  ```yaml
  - "c:findmnt --kernel /tmp -> r:^/tmp && r:noexec"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29502,"title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:noexec"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
1.1.2.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Expected `.` at the end of the section
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: Replace the rule by:
  ```yaml
  - "c:findmnt --kernel /tmp -> r:^/tmp && r:nosuid"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29503,"title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:nosuid"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
1.1.3.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :red_circle: Inconsistent with the rest of the policies. Different sections should be indicated by ` - `
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Inconsistent with the rest of the policies. If the reference includes a link, the full reference should be added. In this case:
  ```yaml
  - 'AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/'
  ```
- **Rules**: :red_circle: Replace the rule by
  ```yaml
  - "c:findmnt --kernel /var -> r:^/var\s"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29504,"title":"Ensure separate partition exists for /var.","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"The reasoning for mounting /var on a separate partition is as follow.(1) Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. (2) Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. (3) Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.3.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0006"},"rules":["c:findmnt --kernel /var -> r:^/var"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var","result":"failed"}}
```
1.1.3.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29505,"title":"Ensure nodev option set on /var partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /var -> r:^/var && r:nodev"],"condition":"all","command":"findmnt --kernel /var","result":"failed"}}
```
1.1.3.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Expected `.` at the end of the section
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: **Current**:
  ```yaml
  - "c:findmnt --kernel /var -> r:/^var && r:nosuid"
  ```
  **Expected**
  ```yaml
  - "c:findmnt --kernel /var -> r:^/var && r:nosuid"
  ```
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29506,"title":"Ensure nosuid option set on /var partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example: /var defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var","compliance":{"cis":"1.1.3.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /var -> r:/^var && r:nosuid"],"condition":"all","command":"findmnt --kernel /var","result":"failed"}}
```
Rebits commented 1 year ago

Testing results - Second review

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/4fa99c8874258f960c2d74a924a3f03a6d04f9d9 |

Policy Requirements :red_circle:
- **Description**: It is required to change the description, removing the reference to Ubuntu systems.
- **Rules**: :green_circle: Rules now correctly detect Debian 11 systems.
1.1.2.1 :yellow_circle:
- **Remediation**: :green_circle:
- **Rules**: :yellow_circle: Should we include the `static` value in the rule regex? Also, replace the first rule regex with `r:^/tmp\s` for consistency.
  ```yaml
  rules:
    - "c:findmnt --kernel /tmp -> r:^/tmp\s"
    - "c:systemctl is-enabled tmp.mount -> r:enabled|generated|static"
  ```
1.1.2.2 :red_circle:
- **Rationale**: **Expected**:
  ```
  Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp
  ```
  **Current**:
  ```
  Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp
  ```
- **Remediation**: :green_circle:
- **Rule**: :green_circle:
1.1.2.3 :green_circle:
- **Rules**: :green_circle:

1.1.2.4 :green_circle:
- **Remediation**: :green_circle:
- **Rules**: :green_circle:
1.1.3.1 :red_circle:
- **References**: :red_circle: Inconsistent with the rest of the policies. If the reference includes a link, the full reference should be added. In this case:
  ```yaml
  - 'AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/'
  ```
- **Rules**: :green_circle:
1.1.3.3 :red_circle:
- **Remediation**: :green_circle:
- **Rules**: :red_circle: Wrong regex. Current:
  ```yaml
  - 'c:findmnt --kernel /var -> r:/^var\s+ && r:nosuid'
  ```
  Expected
  ```yaml
  - 'c:findmnt --kernel /var -> r:^/var\s+ && r:nosuid'
  ```
1.1.4.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Inconsistent with the rest of the policies. If the reference includes a link, the full reference should be added. In this case:
  ```yaml
  - 'AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/'
  ```
- **Rules**: :green_circle:
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29507,"title":"Ensure separate partition exists for /var/tmp.","description":"The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots.","rationale":"The reasoning for mounting /var/tmp on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. - Fine grained control over the mount: Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.4.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:/var/tmp\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
1.1.4.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29508,"title":"Ensure noexec option set on /var/tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
1.1.4.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29509,"title":"Ensure nosuid option set on /var/tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
1.1.4.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details

Command output

```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```

Alert

```json
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29510,"title":"Ensure nodev option set on /var/tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
1.1.5.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Current: `http://tldp.org/HOWTO/LVM-HOWTO/` Expected: `AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/`
- **Rules**: :red_circle: Include ^ in the regex for consistency: `r:^/var/log\s+'`

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29511,"title":"Ensure separate partition exists for /var/log/.","description":"The /var/log directory is used by system services to store log data.","rationale":"The reasoning for mounting /var/log on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. - Fine grained control over the mount: Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of log data: As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.5.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","pci_dss_3.2.1":"10.7","soc_2":"A1.1","iso_27001-2013":"A.12.4.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:/var/log\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log","result":"failed"}}
```
1.1.5.2 :red_circle:
- **Title**: :red_circle: Extra `/` in path. Expected: `Ensure nodev option set on /var/log partition`
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29512,"title":"Ensure nodev option set on /var/log/ partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
1.1.5.3 :red_circle:
- **Title**: :red_circle: Extra `/` in path. Expected: `Ensure noexec option set on /var/log partition`
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29513,"title":"Ensure noexec option set on /var/log/ partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
1.1.5.4 :red_circle:
- **Title**: :red_circle: Extra `/`. Expected: `Ensure nosuid option set on /var/log partition`
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29514,"title":"Ensure nosuid option set on /var/log/ partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example: /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
1.1.6.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Expected: `AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO` Current: `http://tldp.org/HOWTO/LVM-HOWTO`
- **Rules**: :red_circle: Expected ^ in regex for consistency.

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
root@debian11:/home/vagrant
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29515,"title":"Ensure separate partition exists for /var/log/audit.","description":"The auditing daemon, auditd, stores log data in the /var/log/audit directory.","rationale":"The reasoning for mounting /var/log/audit on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of audit data: As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.6.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","pci_dss_3.2.1":"10.7","soc_2":"A1.1","iso_27001-2013":"A.12.4.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:/var/log/audit\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29516,"title":"Ensure noexec option set on /var/log/audit partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29517,"title":"Ensure nodev option set on /var/log/audit partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.6.4 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29518,"title":"Ensure nosuid option set on /var/log/audit partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example: /var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
1.1.7.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Expected: `AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/` Current: `http://tldp.org/HOWTO/LVM-HOWTO/`
- **Rules**: :red_circle: Expected ^ in the regex for consistency.

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29519,"title":"Ensure separate partition exists for /home.","description":"The /home directory is used to support disk storage needs of local users.","rationale":"The reasoning for mounting /home on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. - Fine grained control over the mount: Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of user data: As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /home. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.7.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /home -> r:/home\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.7.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29520,"title":"Ensure nodev option set on /home partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example: /home defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /home -> r:^/home\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.7.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29521,"title":"Ensure nosuid option set on /home partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example: /home defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /home -> r:^/home\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /home","result":"failed"}}
```
1.1.8.1 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET SOURCE FSTYPE OPTIONS
/dev/shm tmpfs tmpfs rw,nosuid,nodev
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29522,"title":"Ensure nodev option set on /dev/shm partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
1.1.8.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET SOURCE FSTYPE OPTIONS
/dev/shm tmpfs tmpfs rw,nosuid,nodev
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29523,"title":"Ensure noexec option set on /dev/shm partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example: /dev/shm defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm. NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications.","compliance":{"cis":"1.1.8.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"failed"}}
```
1.1.8.3 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET SOURCE FSTYPE OPTIONS
/dev/shm tmpfs tmpfs rw,nosuid,nodev
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29524,"title":"Ensure nosuid option set on /dev/shm partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
1.1.9 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :red_circle: CIS audit specified: `As a preference autofs should not be installed unless other packages depend on it. Run the following command to verify autofs is not installed` We should ensure that autofs is not enabled, changing the condition to all: `- "not c:systemctl is-enabled autofs -> r:disabled"`

Rules details

Command output
```
root@debian11:/home/vagrant# systemctl is-enabled autofs
Failed to get unit file state for autofs.service: No such file or directory
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29525,"title":"Disable Automounting.","description":"autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.","rationale":"With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.","remediation":"If there are no other packages that depends on autofs, remove the package with: # apt purge autofs OR if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs.","compliance":{"cis":"1.1.9","cis_csc_v8":"10.3","cis_csc_v7":"8.5","cmmc_v2.0":"MP.L2-3.8.7","hipaa":"164.310(d)(1)","iso_27001-2013":"A.12.2.1","mitre_techniques":"T1068,T1203,T1211,T1212"},"rules":["c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service: No such file or directory|disabled"],"condition":"any","command":"systemctl is-enabled autofs","result":"passed"}}
```
1.1.10 :black_circle: Not implemented. Expected due to SCA limitations
1.2.1 :black_circle: Not implemented. Manual check
1.2.2 :black_circle: Not implemented. Manual check
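The 1.1.9 discussion above turns on how an SCA command rule is evaluated: the rule in the alert passes on a host without autofs only because the `Failed to get unit file state ...` message is one branch of the regex alternation, and a leading `not` inverts a rule's match before the `condition` combines the rules. The following is an added example, not code from wazuh-qa or from the PR: a small Python model of that evaluation, run against constructed outputs for the three states `systemctl is-enabled autofs` can report. It models only the `c:<command> -> r:<regex>` form with Python's `re` (Wazuh's own regex engine and parser are not reproduced), and `NEGATED_RULE` is a constructed pattern chosen to illustrate negation, not a rule taken from the policy.

```python
import re

# Constructed sample outputs (not captured from a real host) covering the three
# states `systemctl is-enabled autofs` can report on a Debian 11 system: the
# unit file is absent, the unit is disabled, or the unit is enabled.
SAMPLE_OUTPUTS = {
    "not_installed": "Failed to get unit file state for autofs.service: No such file or directory",
    "disabled": "disabled",
    "enabled": "enabled",
}

# The rule exactly as it appears in the alert quoted in this issue.
ALERT_RULE = ("c:systemctl is-enabled autofs -> "
              "r:Failed to get unit file state for autofs.service: No such file or directory|disabled")

# Constructed negated rule (an assumption for this example, not a rule from the
# PR) used only to show how a leading `not` flips the outcome of the match.
NEGATED_RULE = "not c:systemctl is-enabled autofs -> r:^enabled"


def parse_rule(rule):
    """Split a `[not ]c:<command> -> r:<regex>` rule into its parts.

    Only the command + regex form is modelled; file (`f:`) and directory (`d:`)
    rules and the other SCA operators are out of scope for this example.
    """
    negated = rule.startswith("not ")
    body = rule[len("not "):] if negated else rule
    cmd_part, sep, match_part = body.partition(" -> ")
    if not sep or not cmd_part.startswith("c:") or not match_part.startswith("r:"):
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return negated, cmd_part[len("c:"):], match_part[len("r:"):]


def rule_matches(rule, output):
    """True when the rule is satisfied by the command output.

    `re.search` is used so that an alternation such as `...directory|disabled`
    matches anywhere in the output; a leading `not` inverts the result.
    """
    negated, _command, pattern = parse_rule(rule)
    matched = re.search(pattern, output) is not None
    return matched != negated


def evaluate_check(rules, condition, output):
    """Combine per-rule results the way an SCA check `condition` does."""
    results = [rule_matches(rule, output) for rule in rules]
    if condition == "all":
        passed = all(results)
    elif condition == "any":
        passed = any(results)
    elif condition == "none":
        passed = not any(results)
    else:
        raise ValueError(f"unknown condition: {condition!r}")
    return "passed" if passed else "failed"


def outcome_table(rules, condition):
    """Map each sample system state to the check result for the given rules."""
    return {state: evaluate_check(rules, condition, output)
            for state, output in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    print("alert rule, condition any:", outcome_table([ALERT_RULE], "any"))
    print("negated rule, condition all:", outcome_table([NEGATED_RULE], "all"))
```

Running `outcome_table` for a candidate rule before it is committed to the policy shows at a glance which of the three host states it passes and fails, which is the check a reviewer wants to see for any rule that relies on an error message rather than on the unit state itself.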
72nomada commented 1 year ago

Related to: https://github.com/wazuh/wazuh-qa/issues/3826#issuecomment-1455893915

commit - https://github.com/wazuh/wazuh/pull/16017/commits/da48899a5651b4a3496454c849cd50a92b90d042

Rebits commented 1 year ago

Testing results - Third review

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16017/commits/1fe0031a7393df04cb1c1bc7e6b0073cb149cf1e

References values only include link :yellow_circle: This inconsistency is not new. Some of the policies do include text while others do not. Since there is no reasonable reason for these differences, it would be good to standardize the content of this field in the policy. For now, this will not be marked as a failure, instead, it will be added to the final commentaries to the policy.
Policy requirements :green_circle: - **Description**: :green_circle:
1.1.2.2 :green_circle: - **Rationale**: :green_circle:
1.1.3.1 :green_circle: **References**: :green_circle:. Review the `References only includes link` section.
1.1.3.3 :green_circle: **Rules**: :green_circle:
1.1.4.1 :green_circle: **References**: :green_circle:. Review the `References only includes link` section.
1.1.5.1 :green_circle: - **Rule**: :green_circle: - **References**: :green_circle:. Review the `References only includes link` section.
1.1.5.2 :green_circle: - **Title**: :green_circle:
1.1.5.3 :green_circle: - **Title**: :green_circle:
1.1.5.4 :green_circle: - **Title**: :green_circle:
1.1.6.1 :green_circle: - **References**: :green_circle:. Review the `References only includes link` section. - **Rules**: :green_circle:
1.1.7.1 :green_circle: - **References**: :green_circle:. Review the `References only includes link` section. - **Rule**: :green_circle:
1.1.9 :green_circle: - **Rule**: :green_circle:
Rebits commented 1 year ago

Testing results - Fourth review

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16017/commits/bb1f06ee02bf91729e4e188804d63e8fea302dd9

After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:


1.1.2.1 :red_circle:
**Title**: :red_circle: Missing `a`. Expected `Ensure /tmp is a separate partition`
**Remediation**: :red_circle: Expected:

```
First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time.
# systemctl unmask tmp.mount.
For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount.
Example of /etc/fstab configured tmpfs file system with specific mount options:
tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0
Example of tmp.mount configured tmpfs file system with specific mount options:
[Unit]
Description=Temporary Directory /tmp
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs.
```

> `2G 0 0` instead of `2G 0 `

**Compliance**: **NIST**: No expected NIST value
1.1.2.2 :red_circle:
**Rationale**: :red_circle: Expected:

```
Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.
```

**Compliance**: **NIST**: No expected NIST value
1.1.2.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.2.4 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.3.1 :red_circle: **Compliance**: :red_circle: No expected NIST value for this check
1.1.3.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.3.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.4.1 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.4.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.4.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.4.4 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.5.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.5.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.5.4 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.6.1 :red_circle:
**Rationale**: :red_circle: Expected:

```
The reasoning for mounting /var/log/audit on a separate partition is as follows.

Protection from resource exhaustion
The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details.

Fine grained control over the mount
Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.

Protection of audit data
As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.
```
1.1.6.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.6.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.6.4 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.7.1 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.7.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.7.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.8.1 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.8.2 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
1.1.8.3 :red_circle: **Compliance**: :red_circle: **NIST**: No expected NIST value
72nomada commented 1 year ago

1.1.2.1 🔴

1.1.2.2 🔴

1.1.2.3 🔴

1.1.2.4 🔴

1.1.3.1 🔴

1.1.3.2 🔴

1.1.3.3 🔴

1.1.4.1 🔴

1.1.4.2 🔴

1.1.4.3 🔴

1.1.4.4 🔴

1.1.5.2 🔴

1.1.5.3 🔴

1.1.5.4 🔴

1.1.6.1 🔴

1.1.6.2 🔴

1.1.6.3 🔴

1.1.6.4 🔴

1.1.7.1 🔴

1.1.7.2 🔴

1.1.7.3 🔴

1.1.8.1 🔴

1.1.8.2 🔴

1.1.8.3 🔴

Rebits commented 1 year ago

Testing results - Fifth review

Tester PR commit
@Rebits https://github.com/wazuh/wazuh/pull/16017/commits/0eb02c2f6f8dc09330429bf6f42c69da9aecf4b7

1.1.2.1 :green_circle:
1.1.2.2 :green_circle:
jmv74211 commented 1 year ago

Closing conclusion 👍🏼

The suggested changes have been applied and everything appears to be correct.