Closed 72nomada closed 1 year ago
OS | OS version | Deployment | Image/AMI | Notes |
---|---|---|---|---|
Debian | 11 | Vagrant | debian/bullseye64 |
wazuh-manager |
---|
wazuh-managerv-4.4.0-1 |
After the requested changes the policy seems to fit correctly with the CIS Red Hat Enterprise Linux 9 Benchmark. In addition, every audit rule seems to work as expected.
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/fb54bf7381c68e3609bfa237d8d6054c1e216ae2 |
Review of checks 1-1.1.3.3. The rest of the checks of the policy will be reviewed in the second iteration to work with the newest policy version.
Note: Check 29532 includes an indentation error that leads to a global error in the policy. This check is out of the scope of this issue, so this testing was performed by removing all the checks in the policy after 1.2.2.
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /tmp
root@debian11:/home/vagrant# systemctl is-enabled tmp.mount
Failed to get unit file state for tmp.mount: No such file or directory
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29500,"title":"Ensure /tmp is separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount. For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. 
Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.targetBefore=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs","compliance":{"cis":"1.1.2.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:/tmp","c:systemctl is-enabled tmp.mount -> r:enabled|generated"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29501,"title":"Ensure nodev option set on /tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:nodev"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29502,"title":"Ensure noexec option set on /tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:noexec"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29503,"title":"Ensure nosuid option set on /tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example:/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /tmp with the configured options: # mount -o remount /tmp","compliance":{"cis":"1.1.2.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /tmp -> r:^/tmp && r:nosuid"],"condition":"all","command":"findmnt --kernel /tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29504,"title":"Ensure separate partition exists for /var.","description":"The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.","rationale":"The reasoning for mounting /var on a separate partition is as follow.(1) Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details. (2) Fine grained control over the mount: Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behaviour. See man mount for exact details regarding filesystem-independent and filesystem-specific options. (3) Protection from exploitation: An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.3.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0006"},"rules":["c:findmnt --kernel /var -> r:^/var"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29505,"title":"Ensure nodev option set on /var partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var partition. Example:/var defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var.","compliance":{"cis":"1.1.3.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /var -> r:^/var && r:nodev"],"condition":"all","command":"findmnt --kernel /var","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":1980171972,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29506,"title":"Ensure nosuid option set on /var partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var.","remediation":"IF the /var partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var partition. Example:/var defaults,rw,nosuid,nodev,relatime 0 0 . Run the following command to remount /var with the configured options: # mount -o remount /var","compliance":{"cis":"1.1.3.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /var -> r:/^var && r:nosuid"],"condition":"all","command":"findmnt --kernel /var","result":"failed"}}
```
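As an added illustration (not Wazuh's SCA engine and not code from this issue), the following Python evaluator interprets the `c:<command> -> r:<regex> && r:<regex>` rules quoted in the alerts above and runs them against constructed `findmnt` output for the box before and after the remediation the alerts describe. It also lints the `r:/^var` term of check 29506, whose anchor sits after the slash; under this evaluator's regex semantics that term cannot match a `/var` line even once the mount is compliant, so the check would keep failing.

```python
"""Toy evaluator for SCA-style rules: c:<command> -> r:<regex> [&& r:<regex> ...].

Added example for this issue. It is NOT Wazuh's SCA engine; it only mirrors how
the mount-option rules on this page are written. All command output below is
CONSTRUCTED to resemble the Debian 11 box in the report (tmpfs on /tmp mounted
rw,relatime; no separate /var mount) and a hypothetical remediated state.
"""
import re

# Constructed output keyed by the exact command string used in the rules.
BEFORE_REMEDIATION = {
    "findmnt --kernel /tmp": "TARGET SOURCE FSTYPE OPTIONS\n/tmp   tmpfs  tmpfs  rw,relatime\n",
    "findmnt --kernel /var": "",  # /var is not a separate mount: findmnt prints nothing
    "systemctl is-enabled tmp.mount":
        "Failed to get unit file state for tmp.mount: No such file or directory\n",
}
# Hypothetical state after applying the remediation text quoted in the alerts.
AFTER_REMEDIATION = {
    "findmnt --kernel /tmp":
        "TARGET SOURCE FSTYPE OPTIONS\n/tmp   tmpfs  tmpfs  rw,nosuid,nodev,noexec,relatime,size=2G\n",
    "findmnt --kernel /var":
        "TARGET SOURCE    FSTYPE OPTIONS\n/var   /dev/sdb1 ext4   rw,nosuid,nodev,relatime\n",
    "systemctl is-enabled tmp.mount": "enabled\n",
}

# Rule strings copied from the alerts in this issue, keyed by check id.
CHECKS = {
    29500: {"rules": ["c:findmnt --kernel /tmp -> r:/tmp",
                      "c:systemctl is-enabled tmp.mount -> r:enabled|generated"],
            "condition": "all"},
    29501: {"rules": ["c:findmnt --kernel /tmp -> r:^/tmp && r:nodev"], "condition": "all"},
    29505: {"rules": ["c:findmnt --kernel /var -> r:^/var && r:nodev"], "condition": "all"},
    29506: {"rules": ["c:findmnt --kernel /var -> r:/^var && r:nosuid"], "condition": "all"},
}

RULE_RE = re.compile(r"^c:(?P<cmd>.+?)\s*->\s*(?P<terms>.+)$")


def parse_rule(rule):
    """Split 'c:cmd -> r:a && r:b' into (cmd, [compiled regex, ...])."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    patterns = []
    for term in m.group("terms").split("&&"):
        term = term.strip()
        if not term.startswith("r:"):
            raise ValueError(f"only r: terms are supported, got {term!r}")
        patterns.append(re.compile(term[2:]))
    return m.group("cmd"), patterns


def evaluate_rule(rule, outputs):
    """A rule passes when a single output line satisfies every && term.

    Assumption of this toy: all terms must hit the same line, which is what the
    mount-option rules need (the OPTIONS column sits on the mount's own line).
    """
    cmd, patterns = parse_rule(rule)
    lines = outputs.get(cmd, "").splitlines()
    return any(all(p.search(line) for p in patterns) for line in lines)


def evaluate_check(check, outputs):
    """Combine the per-rule results with the check's condition (all/any/none)."""
    results = [evaluate_rule(r, outputs) for r in check["rules"]]
    cond = check.get("condition", "all")
    if cond == "all":
        passed = all(results)
    elif cond == "any":
        passed = any(results)
    elif cond == "none":
        passed = not any(results)
    else:
        raise ValueError(f"unknown condition {cond!r}")
    return "passed" if passed else "failed"


def run_all(outputs):
    """Evaluate every check in CHECKS; returns {check_id: 'passed'|'failed'}."""
    return {cid: evaluate_check(c, outputs) for cid, c in CHECKS.items()}


def lint_rule(rule):
    """Heuristic lint: a '^' that is not the first character of an r: term is
    almost always a misplaced anchor (r:/^var written for r:^/var) and makes the
    term unmatchable. Negated classes like [^x] are skipped. Returns bad regexes."""
    m = RULE_RE.match(rule)
    bad = []
    for term in m.group("terms").split("&&"):
        regex = term.strip()[2:]
        if "^" in regex[1:] and "[^" not in regex:
            bad.append(regex)
    return bad


if __name__ == "__main__":
    for label, outputs in (("before", BEFORE_REMEDIATION), ("after", AFTER_REMEDIATION)):
        print(label, run_all(outputs))
    for cid, check in CHECKS.items():
        for rule in check["rules"]:
            for regex in lint_rule(rule):
                print(f"check {cid}: suspicious anchor placement in r:{regex}")
```

Running it shows every check failing on the constructed pre-remediation output, three of the four passing afterwards, and 29506 still failing because of its rule rather than the mount.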
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/4fa99c8874258f960c2d74a924a3f03a6d04f9d9 |
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29507,"title":"Ensure separate partition exists for /var/tmp.","description":"The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Temporary files residing in /var/tmp are to be preserved between reboots.","rationale":"The reasoning for mounting /var/tmp on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/tmp directory may contain world-writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/tmp and cause the potential disruption to daemons as the disk is full. - Fine grained control over the mount: Configuring /var/tmp as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection from exploitation: An example of exploiting /var/tmp may be an attacker establishing a hard-link to a system setuid program and wait for it to be updated. Once the program was updated, the hard-link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.4.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:/var/tmp\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29508,"title":"Ensure noexec option set on /var/tmp partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. Example:/var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29509,"title":"Ensure nosuid option set on /var/tmp partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. Example:/var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/tmp
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29510,"title":"Ensure nodev option set on /var/tmp partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/tmp.","remediation":"IF the /var/tmp partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. Example:/var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp.","compliance":{"cis":"1.1.4.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/tmp -> r:^/var/tmp\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/tmp","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29511,"title":"Ensure separate partition exists for /var/log/.","description":"The /var/log directory is used by system services to store log data.","rationale":"The reasoning for mounting /var/log on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log directory contains log files which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. - Fine grained control over the mount: Configuring /var/log as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of log data: As /var/log contains log files, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.5.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","pci_dss_3.2.1":"10.7","soc_2":"A1.1","iso_27001-2013":"A.12.4.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:/var/log\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29512,"title":"Ensure nodev option set on /var/log/ partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition. Example:/var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29513,"title":"Ensure noexec option set on /var/log/ partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition. Example:/var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29514,"title":"Ensure nosuid option set on /var/log/ partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.","remediation":"IF the /var/log partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition. Example:/var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log with the configured options: # mount -o remount /var/log.","compliance":{"cis":"1.1.5.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log -> r:^/var/log\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/log","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
root@debian11:/home/vagrant
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29515,"title":"Ensure separate partition exists for /var/log/audit.","description":"The auditing daemon, auditd, stores log data in the /var/log/audit directory.","rationale":"The reasoning for mounting /var/log/audit on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details. - Fine grained control over the mount: Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of audit data: As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.6.1","cis_csc_v8":"8.3","cis_csc_v7":"6.4","pci_dss_3.2.1":"10.7","soc_2":"A1.1","iso_27001-2013":"A.12.4.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:/var/log/audit\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29516,"title":"Ensure noexec option set on /var/log/audit partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example:/var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29517,"title":"Ensure nodev option set on /var/log/audit partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log/audit partition. Example:/var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /var/log/audit
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29518,"title":"Ensure nosuid option set on /var/log/audit partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.","remediation":"IF the /var/log/audit partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log/audit partition. Example:/var/log/audit defaults,rw,nosuid,nodev,noexec,relatime 0 0 . Run the following command to remount /var/log/audit with the configured options: # mount -o remount /var/log/audit.","compliance":{"cis":"1.1.6.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /var/log/audit -> r:^/var/log/audit\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /var/log/audit","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29519,"title":"Ensure separate partition exists for /home.","description":"The /home directory is used to support disk storage needs of local users.","rationale":"The reasoning for mounting /home on a separate partition is as follows. - Protection from resource exhaustion: The default installation only creates a single / partition. Since the /home directory contains user generated data, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /home and impact all local users. - Fine grained control over the mount: Configuring /home as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev. These options limits an attackers ability to create exploits on the system. In the case of /home options such as usrquota/grpquota may be considered to limit the impact that users can have on each other with regards to disk resource exhaustion. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options. - Protection of user data: As /home contains user data, care should be taken to ensure the security and integrity of the data and mount point.","remediation":"For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.","compliance":{"cis":"1.1.7.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1499,T1499.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /home -> r:/home\\s+"],"condition":"all","references":"http://tldp.org/HOWTO/LVM-HOWTO/","command":"findmnt --kernel /home","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
root@debian11:/home/vagrant#
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29520,"title":"Ensure nodev option set on /home partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. Example:/home defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /home -> r:^/home\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /home","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /home
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29521,"title":"Ensure nosuid option set on /home partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.","remediation":"IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example:/home defaults,rw,nosuid,nodev,relatime 0 0. Run the following command to remount /home with the configured options: # mount -o remount /home.","compliance":{"cis":"1.1.7.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /home -> r:^/home\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /home","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29522,"title":"Ensure nodev option set on /dev/shm partition.","description":"The nodev mount option specifies that the filesystem cannot contain special devices.","rationale":"Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.","remediation":"Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1200","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:nodev"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29523,"title":"Ensure noexec option set on /dev/shm partition.","description":"The noexec mount option specifies that the filesystem cannot contain executable binaries.","rationale":"Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.","remediation":"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Example:/dev/shm defaults,rw,nosuid,nodev,noexec,relatime 0 0. Run the following command to remount /dev/shm with the configured options: # mount -o remount /dev/shm. NOTE It is recommended to use tmpfs as the device/filesystem type as /dev/shm is used as shared memory space by applications.","compliance":{"cis":"1.1.8.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1204,T1204.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:noexec"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"failed"}}
```
Command output
```
root@debian11:/home/vagrant# findmnt --kernel /dev/shm
TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29524,"title":"Ensure nosuid option set on /dev/shm partition.","description":"The nosuid mount option specifies that the filesystem cannot contain setuid files.","rationale":"Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.","remediation":"Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm using the updated options from /etc/fstab: # mount -o remount /dev/shm.","compliance":{"cis":"1.1.8.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1548,T1548.001","mitre_tactics":"TA0005","mitre_mitigations":"M1038"},"rules":["c:findmnt --kernel /dev/shm -> r:^/dev/shm\\s+ && r:nosuid"],"condition":"all","command":"findmnt --kernel /dev/shm","result":"passed"}}
```
Command output
```
root@debian11:/home/vagrant# systemctl is-enabled autofs
Failed to get unit file state for autofs.service: No such file or directory
```
Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29525,"title":"Disable Automounting.","description":"autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.","rationale":"With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves.","remediation":"If there are no other packages that depends on autofs, remove the package with: # apt purge autofs OR if there are dependencies on the autofs package: Run the following commands to mask autofs: # systemctl stop autofs # systemctl mask autofs.","compliance":{"cis":"1.1.9","cis_csc_v8":"10.3","cis_csc_v7":"8.5","cmmc_v2.0":"MP.L2-3.8.7","hipaa":"164.310(d)(1)","iso_27001-2013":"A.12.2.1","mitre_techniques":"T1068,T1203,T1211,T1212"},"rules":["c:systemctl is-enabled autofs -> r:Failed to get unit file state for autofs.service: No such file or directory|disabled"],"condition":"any","command":"systemctl is-enabled autofs","result":"passed"}}
```
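One pattern runs through the results above: every mount-option rule is `c:findmnt --kernel <path> -> r:^<path>\s+ && r:<option>`, and `findmnt --kernel` prints nothing when the path is not a mount point in the kernel's mount table. That is why the `/var/log/audit` and `/home` checks all report `failed` with empty command output, even though the CIS remediation text for those items applies only "IF the partition exists", while `/dev/shm` (a real tmpfs mount with `rw,nosuid,nodev`) passes `nodev` and `nosuid` and fails only `noexec`. The function below is an added example, not Wazuh's SCA evaluator and not code from this PR: it takes captured `findmnt --kernel` output and reports `passed`, `failed` or `not-mounted` so the "no separate partition" case is visible on its own. The function name, the three-state result, the assumption that `findmnt` prints its default four columns (TARGET SOURCE FSTYPE OPTIONS), and the sample outputs (constructed to match the shapes shown above) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not Wazuh's own rule evaluator.
# mount_option_state MOUNTPOINT OPTION FINDMNT_OUTPUT
#   prints one of: passed | failed | not-mounted
mount_option_state() {
    mp=$1; opt=$2; out=$3
    # findmnt --kernel prints nothing when MOUNTPOINT is not a mount point,
    # which is what the empty output for /var/log/audit and /home above shows.
    # The header line starts with TARGET, so matching $1 against the path
    # skips it (assumes the default TARGET SOURCE FSTYPE OPTIONS columns).
    line=$(printf '%s\n' "$out" | awk -v mp="$mp" '$1 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo not-mounted
        return 0
    fi
    # OPTIONS is the fourth column; match the option as a whole
    # comma-separated token rather than as a substring.
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case ",$opts," in
        *,"$opt",*) echo passed ;;
        *)          echo failed ;;
    esac
}

# Constructed sample outputs (shapes taken from the command output above):
# /dev/shm is mounted with rw,nosuid,nodev; /var/log/audit is not a mount.
SHM_OUTPUT='TARGET   SOURCE FSTYPE OPTIONS
/dev/shm tmpfs  tmpfs  rw,nosuid,nodev'
AUDIT_OUTPUT=''

# Live use on a host, for each option the benchmark asks for:
#   mount_option_state /dev/shm noexec "$(findmnt --kernel /dev/shm)"
```

The whole-token match is deliberately stricter than the `r:nodev` substring regex in the rules above; it cannot be satisfied by an unrelated option that merely contains the same letters. Reporting `not-mounted` separately makes it possible to treat the check as not applicable, or as a finding against the separate-partition item only, instead of counting three extra failures for a mount that does not exist.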
Related to: https://github.com/wazuh/wazuh-qa/issues/3826#issuecomment-1455893915
commit - https://github.com/wazuh/wazuh/pull/16017/commits/da48899a5651b4a3496454c849cd50a92b90d042
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/1fe0031a7393df04cb1c1bc7e6b0073cb149cf1e |
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/bb1f06ee02bf91729e4e188804d63e8fea302dd9 |
After the development of a PDF policy parser and a compliance mapping tool, some new unexpected values have been detected:
1.1.2.1 🔴
1.1.2.2 🔴
1.1.2.3 🔴
1.1.2.4 🔴
1.1.3.1 🔴
1.1.3.2 🔴
1.1.3.3 🔴
1.1.4.1 🔴
1.1.4.2 🔴
1.1.4.3 🔴
1.1.4.4 🔴
1.1.5.2 🔴
1.1.5.3 🔴
1.1.5.4 🔴
1.1.6.1 🔴
1.1.6.2 🔴
1.1.6.3 🔴
1.1.6.4 🔴
1.1.7.1 🔴
1.1.7.2 🔴
1.1.7.3 🔴
1.1.8.1 🔴
1.1.8.2 🔴
1.1.8.3 🔴
Tester | PR commit |
---|---|
@Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/0eb02c2f6f8dc09330429bf6f42c69da9aecf4b7 |
The suggested changes have been applied and everything appears to be correct.
Threat Intel - @olulekew7