wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Debian Linux 11 SCA policy - checks 1.3 to 1.9 #3827

Closed 72nomada closed 1 year ago

72nomada commented 1 year ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3825 | https://github.com/wazuh/wazuh/pull/16017 |
| Check Id and Name | Status | Extra |
|---|---|---|
| 1.3 Filesystem Integrity Checking | | |
| 1.3.1 Ensure AIDE is installed (Automated) | 🟢 | |
| 1.3.2 Ensure filesystem integrity is regularly checked (Automated) | 🟢 | |
| 1.4 Secure Boot Settings | | |
| 1.4.1 Ensure bootloader password is set (Automated) | 🟢 | |
| 1.4.2 Ensure permissions on bootloader config are configured (Automated) | 🟢 | |
| 1.4.3 Ensure authentication required for single user mode (Automated) | 🟢 | |
| 1.5 Additional Process Hardening | | |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled (Automated) | ⚫ | |
| 1.5.2 Ensure prelink is not installed (Automated) | 🟢 | |
| 1.5.3 Ensure Automatic Error Reporting is not enabled (Automated) | 🟢 | |
| 1.5.4 Ensure core dumps are restricted (Automated) | 🟢 | |
| 1.6 Mandatory Access Control | | |
| 1.6.1 Configure AppArmor | | |
| 1.6.1.1 Ensure AppArmor is installed (Automated) | 🟢 | |
| 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration (Automated) | 🟢 | |
| 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated) | 🟢 | |
| 1.6.1.4 Ensure all AppArmor Profiles are enforcing (Automated) | 🟢 | |
| 1.7 Command Line Warning Banners | | |
| 1.7.1 Ensure message of the day is configured properly (Automated) | 🟢 | |
| 1.7.2 Ensure local login warning banner is configured properly (Automated) | 🟢 | |
| 1.7.3 Ensure remote login warning banner is configured properly (Automated) | 🟢 | |
| 1.7.4 Ensure permissions on /etc/motd are configured (Automated) | 🟢 | |
| 1.7.5 Ensure permissions on /etc/issue are configured (Automated) | 🟢 | |
| 1.7.6 Ensure permissions on /etc/issue.net are configured (Automated) | 🟢 | |
| 1.8 GNOME Display Manager | | |
| 1.8.1 Ensure GNOME Display Manager is removed (Automated) | 🟢 | |
| 1.8.2 Ensure GDM login banner is configured (Automated) | ⚫ | |
| 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) | ⚫ | |
| 1.8.4 Ensure GDM screen locks when the user is idle (Automated) | ⚫ | |
| 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) | ⚫ | |
| 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) | ⚫ | |
| 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) | ⚫ | |
| 1.8.8 Ensure GDM autorun-never is enabled (Automated) | ⚫ | |
| 1.8.9 Ensure GDM autorun-never is not overridden (Automated) | ⚫ | |
| 1.8.10 Ensure XDCMP is not enabled (Automated) | 🟢 | |
| 1.9 Ensure updates, patches, and additional security software are installed (Manual) | 🟢 | |

Threat Intel - @olulekew7

Rebits commented 1 year ago

Tester review

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Debian | 11 | Vagrant | debian/bullseye64 | |

Tested packages

- wazuh-manager v4.4.0-1

Status

Rebits commented 1 year ago

Testing results

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/4fa99c8874258f960c2d74a924a3f03a6d04f9d9 |

1.3.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: Unexpected references. No references specified in the CIS policy for this check
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide
dpkg-query: no packages found matching aide
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide-common
dpkg-query: no packages found matching aide-common
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29526,"title":"Ensure AIDE is installed.","description":"AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.","rationale":"By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.","remediation":"Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Run the following commands to initialize AIDE: # aideinit # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db.","compliance":{"cis":"1.3.1","cis_csc_v8":"3.14","cis_csc_v7":"14.9","cmmc_v2.0":"AC.L2-3.1.7","hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3.2.1":"10.2.1,11.5","pci_dss_4.0":"10.2.1,10.2.1.1","nist_sp_800-53":"AC-6(9)","soc_2":"CC6.1","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1036,T1036.002,T1036.003,T1036.004,T1036.005,T1565,T1565.001"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide -> r:install ok installed","c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide-common -> r:install ok installed"],"condition":"all","references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide","result":"failed"}}
```
1.3.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Wrong `.` separation between different paragraphs. Expected:
  ```
  If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.service
enabled
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.service
enabled
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.timer
enabled
root@debian11:/home/vagrant# systemctl status aidecheck.timer
● aidecheck.timer - Aide check every day at 5AM
     Loaded: loaded (/etc/systemd/system/aidecheck.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2023-03-06 13:19:23 UTC; 7min ago
    Trigger: Tue 2023-03-07 05:00:00 UTC; 15h left
   Triggers: ● aidecheck.service

Mar 06 13:19:23 debian11 systemd[1]: Started Aide check every day at 5AM.
root@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":1897137806,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29527,"title":"Ensure filesystem integrity is regularly checked.","description":"Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.","rationale":"Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.","remediation":"If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target . 
Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target .Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.","compliance":{"cis":"1.3.2","cis_csc_v8":"8.5","cis_csc_v7":"14.9","cmmc_v2.0":"AU.L2-3.3.1","pci_dss_3.2.1":"10.1,10.2.2,10.2.4,10.2.5,10.3","pci_dss_4.0":"9.4.5,10.2,10.2.1,10.2.1.2,10.2.1.5","nist_sp_800-53":"AU-3(1),AU-7","soc_2":"CC5.2,CC7.2","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1036,T1036.002,T1036.003,T1036.004,T1036.005,T1565,T1565.001","mitre_tactics":"TA0040","mitre_mitigations":"M1022"},"rules":["c:systemctl is-enabled aidecheck.service -> r:enabled","c:systemctl is-enabled aidecheck.timer -> r:enabled","c:systemctl status aidecheck.timer -> r:active"],"condition":"any","references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":"systemctl is-enabled aidecheck.service","result":"passed"}}
```
1.4.1 :red_circle: :red_circle: Unexpected value: `default value`
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :red_circle: Replaced `:` with `-` in the more information section. Expected:
  ```
  More Information: https://help.ubuntu.com/community/Grub2/Passwords
  ```
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No references for this check according to policy file
- **Rules**: :red_circle: Condition should be `all` instead of `any`

Rules details

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29528,"title":"Ensure bootloader password is set.","description":"Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.","rationale":"Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).","remediation":"Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: PBKDF2 hash of your password is . Add the following into a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF. The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\". Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.4.1","cis_csc_v8":"5.2","cis_csc_v7":"4.4","cmmc_v2.0":"IA.L2-3.5.7","pci_dss_4.0":"2.2.2,8.3.5,8.3.6,8.6.3","soc_2":"CC6.1","iso_27001-2013":"A.9.4.3","nist_sp_800-53":"IA-5 (1)","mitre_techniques":"T1542","mitre_tactics":"TA0003","mitre_mitigations":"M1046"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*\\t*set superusers","f:/boot/grub/grub.cfg -> r:^\\s*\\t*password"],"condition":"any","references":"https://help.ubuntu.com/community/Grub2/Passwords","file":"/boot/grub/grub.cfg","result":"failed"}}
```
1.4.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Do not include additional information section.
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
  File: /boot/grub/grub.cfg
  Size: 7973      	Blocks: 16         IO Block: 4096   regular file
Device: 801h/2049d	Inode: 131090      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 14:16:14.429529461 +0000
Modify: 2023-03-06 14:16:09.901482197 +0000
Change: 2023-03-06 14:16:09.901482197 +0000
 Birth: 2022-12-19 20:28:37.127676684 +0000
```

Alert
```
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29529,"title":"Ensure permissions on bootloader config are configured.","description":"The grub configuration file contains information on boot settings and passwords for unlocking boot options.","rationale":"Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.","remediation":"Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod u-wx,go-rwx /boot/grub/grub.cfg .Additional Information: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.","compliance":{"cis":"1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1542","mitre_tactics":"TA0005,TA0007","mitre_mitigations":"M1022"},"rules":["c:stat -L /boot/grub/grub.cfg -> r:Access:\\s*\\(0400/-r--------\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","command":"stat -L /boot/grub/grub.cfg","result":"failed"}}
```
1.4.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: This rule does not correspond with the CIS policy. The CIS audit rules expect a password to be specified for the root user. If no root password is set, then regardless of whether the system is set to prompt for a password for Single User Mode or not, it will just load root access.

Rules details

Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29530,"title":"Ensure authentication required for single user mode.","description":"Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.","rationale":"Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.","remediation":"Run the following command and follow the prompts to set a password for the root user: # passwd root.","compliance":{"cis":"1.4.3","cis_csc_v8":"5.2","cis_csc_v7":"4.4","cmmc_v2.0":"IA.L2-3.5.7","pci_dss_4.0":"2.2.2,8.3.5,8.3.6,8.6.3","soc_2":"CC6.1","iso_27001-2013":"A.9.4.3","nist_sp_800-53":"IA-5 (1)","mitre_techniques":"T1548","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["f:/etc/shadow -> r:^root:*:|^root:!:"],"condition":"any","file":"/etc/shadow","result":"passed"}}
```
1.5.1 Not implemented. Expected due to SCA limitations
1.5.2 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' prelink
dpkg-query: no packages found matching prelink
```

Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29531,"title":"Ensure prelink is not installed.","description":"prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.","rationale":"The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.","remediation":"Run the following command to restore binaries to normal: # prelink -ua . Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink.","compliance":{"cis":"1.5.2","cis_csc_v8":"3.14","cis_csc_v7":"14.9","cmmc_v2.0":"AC.L2-3.1.7","hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3.2.1":"10.2.1,11.5","pci_dss_4.0":"10.2.1,10.2.1.1","nist_sp_800-53":"AC-6(9)","soc_2":"CC6.1","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1055,T1055.009,T1065,T1065.001","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' prelink -> r:dpkg-query: no packages found matching prelink"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' prelink","result":"passed"}}
```
1.5.3 :red_circle: :red_circle: Unexpected field `default value`
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :red_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :red_circle: No mitre values expected for this check
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# systemctl is-active apport.service
inactive
```

Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29532,"title":"Ensure Automatic Error Reporting is not enabled.","description":"The Apport Error Reporting Service automatically generates crash reports for debugging.","rationale":"Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.","remediation":"Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -- Run the following command to remove the apport package: # apt purge apport.","compliance":{"cis":"1.5.3","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1015,T1133,T1200,T1076,T1051"},"rules":["c:systemctl is-active apport.service -> r:inactive"],"condition":"all","command":"systemctl is-active apport.service","result":"passed"}}
```
1.5.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :red_circle: Expected:
  ```
  Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0. IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0. Run the command: systemctl daemon-reload.
  ```
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:

Rules details

Command output
```
[root@localhost vagrant]# sysctl fs.suid_dumpable
fs.suid_dumpable = 0
[root@localhost vagrant]# grep -Rh fs\.suid_dumpable /etc/sysctl.conf
fs.suid_dumpable = 0
[root@localhost vagrant]# grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d
* hard core 0
```

Alert
```
{"type":"check","id":334935111,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29533,"title":"Ensure core dumps are restricted.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.","rationale":"Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.","remediation":"Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 .Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 .Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 .IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 .Run the command: systemctl daemon-reload.","compliance":{"cis":"1.5.4","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"rules":["c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0","c:grep -Rh fs\\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^fs.suid_dumpable = 0","c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:^* hard core 0"],"condition":"all","command":"sysctl fs.suid_dumpable,grep -Rh fs\\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d,grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d","result":"passed"}}
```
1.6.1.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: There are no references in the policy
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor
apparmor\tins:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utilss}\\t${db:Status-Status}\\n' ap
apparmor-utils\tinstall ok installed\tinstalled\nroot@debian11:/home/vagrant#
```

Alert
```
{"type":"check","id":723932811,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29534,"title":"Ensure AppArmor is installed.","description":"AppArmor provides Mandatory Access Controls.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Install AppArmor. # apt install apparmor apparmor-utils.","compliance":{"cis":"1.6.1.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor -> r:install ok installed","c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils -> r:install ok installed"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor,dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils","result":"passed"}}
```
1.6.1.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No expected references for this check in the policy
- **Rules**: :red_circle: Rule does not take into account tabulations, making it mark the check as pass for invalid cases. Expected:
  ```
  - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
  - 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
  ```

Rules details

Command output
```
root@debian11:/home/vagrant# grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1"
linux /boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
linux /boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
linux /boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro single consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y
linux /boot/vmlinuz-5.10.0-20-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
linux /boot/vmlinuz-5.10.0-20-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro single consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y
```

Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29535,"title":"Ensure AppArmor is enabled in the bootloader configuration.","description":"Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.","rationale":"AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.","remediation":"Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.6.1.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:apparmor=1","f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:security=apparmor"],"condition":"none","file":"/boot/grub/grub.cfg","result":"passed"}}
```
1.6.1.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No expected references for this check
- **Rules**: :green_circle:

Rules details

Command output
```
root@debian11:/home/vagrant# apparmor_status | grep profiles
7 profiles are loaded.
7 profiles are in enforce mode.
0 profiles are in complain mode.
2 processes have profiles defined.
```

Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29536,"title":"Ensure all AppArmor Profiles are in enforce or complain mode.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.6.1.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_tactics":"TA0005"},"rules":["c:apparmor_status -> r:^0\\s*processes are unconfined"],"condition":"all","command":"apparmor_status","result":"passed"}}
```
1.5.4 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :green_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No references expected for this check
- **Rules**: :green_circle:
Rules details
Command output
```
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/chronyd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
2 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/chronyd (349)
   /usr/sbin/chronyd (350)
```
Alert
```
{"type":"check","id":726821932,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29537,"title":"Ensure all AppArmor Profiles are enforcing.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.5.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0005"},"rules":["c:apparmor_status -> n:^(\\d+)\\s*profiles are loaded compare > 0","c:apparmor_status -> r:^0\\s*profiles are in complain mode","c:apparmor_status -> r:^0\\s*processes are unconfined"],"condition":"all","command":"apparmor_status","result":"failed"}}
```
1.7.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No references expected for this check
- **Rules**: :yellow_circle: Should we include Linux instead of Ubuntu in the regex?
Rules details
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29538,"title":"Ensure message of the day is configured properly.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd.","compliance":{"cis":"1.7.1","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["not f:/etc/motd -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu","not f:/etc/motd"],"condition":"any","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/motd","result":"failed"}}
```
1.7.2 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No references for this check
- **Rules**: :yellow_circle: Should we include Linux instead of Ubuntu in the regex?
Rules details
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29539,"title":"Ensure local login warning banner is configured properly.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.","compliance":{"cis":"1.7.2","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/issue","result":"failed"}}
```
1.7.3 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No references expected for this check
- **Rules**: :yellow_circle: Should we include Linux instead of Ubuntu in the regex?
Rules details
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29540,"title":"Ensure remote login warning banner is configured properly.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net.","compliance":{"cis":"1.7.3","mitre_techniques":"T1018,T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue.net -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/issue.net","result":"failed"}}
```
1.7.4 :red_circle:
- :red_circle: Unexpected default value field.
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No expected references for this rule.
- **Rules**: :red_circle: It does not take into account the case in which the file does not exist (safe configuration). Expected:
```
condition: any
rules:
  - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
  - not f:/etc/motd
```
Rules details
Command output
```
root@debian11:/home/vagrant# stat -L /etc/motd
  File: /etc/motd
  Size: 286       	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655482      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 10:53:34.807416734 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:24.086701633 +0000
 Birth: 2022-12-19 20:25:24.086701633 +0000
```
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29541,"title":"Ensure permissions on /etc/motd are configured.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.","rationale":"If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/motd : # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) OR run the following command to remove the /etc/motd file: # rm /etc/motd.","compliance":{"cis":"1.7.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/motd -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/motd","result":"passed"}}
```
1.7.5 :red_circle:
- :red_circle: Unexpected field `default value`
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No expected reference for this check
- **Rules**: :green_circle:
Rules details
Command output
```
root@debian11:/home/vagrant# stat -L /etc/issue
  File: /etc/issue
  Size: 27        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655385      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 10:53:33.111406516 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:19.054676167 +0000
 Birth: 2022-12-19 20:25:19.054676167 +0000
```
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29542,"title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue : # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue).","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/issue -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/issue","result":"passed"}}
```
1.7.6 :red_circle:
- :red_circle: Unexpected `default value` field
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :red_circle: No expected references for this check
- **Rules**: :green_circle:
Rules details
Command output
```
root@debian11:/home/vagrant# stat -L /etc/issue.net
  File: /etc/issue.net
  Size: 20        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655386      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 11:00:47.806881931 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:19.054676167 +0000
 Birth: 2022-12-19 20:25:19.054676167 +0000
```
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29543,"title":"Ensure permissions on /etc/issue.net are configured.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.","rationale":"If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net).","compliance":{"cis":"1.7.6","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/issue.net -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/issue.net","result":"passed"}}
```
1.8.1 :red_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :green_circle:
- **Rules**: :red_circle: The check does not take into account these cases:
```
dpkg-query: no packages found matching gdm3
```
It should be marked as passed.
Rules details
Command output
```
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' gdm3
dpkg-query: no packages found matching gdm3
```
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29544,"title":"Ensure GNOME Display Manager is removed.","description":"The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins.","rationale":"If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.","remediation":"Run the following command to uninstall gdm3: # apt purge gdm3.","compliance":{"cis":"1.8.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0002"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' gdm3 -> r: unknown ok not-installed"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' gdm3","result":"failed"}}
```
1.8.2 :black_circle: Not implemented. Expected due to SCA limitations
1.8.3 :black_circle: Not implemented. Expected due to SCA limitations
1.8.4 :black_circle: Not implemented. Expected due to SCA limitations
1.8.5 :black_circle: Not implemented. Expected due to SCA limitations
1.8.6 :black_circle: Not implemented. Expected due to SCA limitations
1.8.7 :black_circle: Not implemented. Expected due to SCA limitations
1.8.8 :black_circle: Not implemented. Expected due to SCA limitations
1.8.9 :black_circle: Not implemented. Expected due to SCA limitations
1.8.10 :yellow_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :yellow_circle: Marked as not applicable if gdm3 is not installed. It is not possible to take into account the default case due to SCA limitations.
Rules details
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29545,"title":"Ensure XDCMP is not enabled.","description":"X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays.","rationale":"XDMCP is inherently insecure. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.","remediation":"Edit the file /etc/gdm3/custom.conf and remove the line: Enable=true.","compliance":{"cis":"1.8.10","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1040,T1056,T1056.001,T1557","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"rules":["f:/etc/gdm3/custom.conf -> r:^\\s*Enable\\s*=\\s*true"],"condition":"none","file":"/etc/gdm3/custom.conf","status":"Not applicable","reason":"Could not open file '/etc/gdm3/custom.conf'"}}
```
1.9 :green_circle:
- **Title**: :green_circle:
- **Description**: :green_circle:
- **Rationale**: :green_circle:
- **Remediation**: :green_circle:
- **Impact**: :black_circle:
- **Compliance**: :green_circle:
- **CIS ID**: :green_circle:
- **CSC**: :green_circle:
- **ISO**: :green_circle:
- **CMMC**: :green_circle:
- **SOC**: :green_circle:
- **NIST**: :green_circle:
- **PCI**: :green_circle:
- **MITRE**: :green_circle:
- **References**: :black_circle:
- **Rules**: :green_circle:
Rules details
Command output
```
root@debian11:/home/vagrant# apt -s upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
Alert
```
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29546,"title":"Ensure updates, patches, and additional security software are installed.","description":"Periodically patches are released for included software either due to security flaws or to include additional functionality.","rationale":"Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.","remediation":"Run the following command to update all packages following local site policy guidance on applying updates and patches: # apt upgrade OR # apt dist-upgrade.","compliance":{"cis":"1.9","cis_csc_v8":"7.3","cis_csc_v7":"3.4,3.5","cmmc_v2.0":"SI.L1-3.14.1","pci_dss_3.2.1":"6.2","nist_sp_800-53":"SI-2(2)","soc_2":"CC7.1"},"rules":["c:apt -s upgrade -> r:^The following packages will be upgraded"],"condition":"none","command":"apt -s upgrade","result":"passed"}}
```
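Added worked example (not part of this issue or of the Wazuh code base): a small Python stand-in for the SCA rule semantics used by the checks above, run over constructed host states to show why 1.7.4 fails once /etc/motd has been removed and how the reviewer's proposed rule set handles that case, and why 1.8.1 fails on the "no packages found" output. Python's `re` stands in for Wazuh's own regex engine, and the hosts, command outputs and the alternative 1.8.1 rule are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Minimal stand-in for the SCA rule engine, covering only the rule forms seen in
# this issue: "c:<command> -> r:<regex>", "f:<path>" (existence), "f:<path> -> r:<regex>",
# a leading "not ", and condition all/any/none. Python's re replaces Wazuh's own
# regex engine here (assumption); the patterns below behave the same in both.


@dataclass
class Host:
    """Constructed host state: file contents by path, command output by command."""
    files: Dict[str, str] = field(default_factory=dict)
    commands: Dict[str, str] = field(default_factory=dict)


def rule_holds(rule: str, host: Host) -> bool:
    negate = rule.startswith("not ")
    target, _, matcher = (rule[4:] if negate else rule).partition(" -> ")
    kind, name = target[:2], target[2:]
    if kind == "c:":
        present, lines = True, host.commands.get(name, "").splitlines()
    elif kind == "f:":
        content = host.files.get(name)
        present, lines = content is not None, (content or "").splitlines()
    else:
        raise ValueError(f"unsupported rule target: {target}")
    if not present:
        result = False          # missing file: "f:" fails, so "not f:" holds
    elif not matcher:
        result = True           # bare "f:/path" only asserts existence
    elif matcher.startswith("r:"):
        result = any(re.search(matcher[2:], ln) for ln in lines)  # any line matches
    else:
        raise ValueError(f"unsupported matcher: {matcher}")
    return result != negate


def check_passes(condition: str, rules: List[str], host: Host) -> bool:
    results = [rule_holds(r, host) for r in rules]
    return {"all": all(results), "any": any(results),
            "none": not any(results)}[condition]


# --- 1.7.4: the shipped rule set against the reviewer's proposal --------------
STAT_RULE = (r"c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*"
             r"\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)")
STAT_OK = "Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)\n"
STAT_MISSING = "stat: cannot statx '/etc/motd': No such file or directory\n"  # constructed
MOTD_PRESENT = Host({"/etc/motd": "Welcome\n"}, {"stat -L /etc/motd": STAT_OK})
MOTD_ABSENT = Host({}, {"stat -L /etc/motd": STAT_MISSING})


def motd_perms_pass(host: Host, proposed: bool) -> bool:
    """Shipped: condition all with the stat rule only. Proposed: condition any
    plus "not f:/etc/motd", so a removed motd (a safe state) also passes."""
    if proposed:
        return check_passes("any", [STAT_RULE, "not f:/etc/motd"], host)
    return check_passes("all", [STAT_RULE], host)


# --- 1.8.1: dpkg-query on a package that was never installed -----------------
GDM_CMD = r"dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' gdm3"
GDM_SHIPPED = [f"c:{GDM_CMD} -> r: unknown ok not-installed"]
# Illustrative alternative (an assumption, not the project's fix): also accept
# the "no packages found" output while still failing when gdm3 is installed.
GDM_ALT = GDM_SHIPPED + [f"c:{GDM_CMD} -> r:no packages found matching gdm3"]
GDM_NEVER = Host(commands={GDM_CMD: "dpkg-query: no packages found matching gdm3\n"})
GDM_INSTALLED = Host(commands={GDM_CMD: "gdm3\tinstall ok installed\tinstalled\n"})  # constructed


def gdm_removed_pass(host: Host, alternative: bool) -> bool:
    if alternative:
        return check_passes("any", GDM_ALT, host)
    return check_passes("all", GDM_SHIPPED, host)


if __name__ == "__main__":
    for label, h in (("motd present", MOTD_PRESENT), ("motd absent", MOTD_ABSENT)):
        print(label, "shipped:", motd_perms_pass(h, False), "proposed:", motd_perms_pass(h, True))
    for label, h in (("gdm3 never installed", GDM_NEVER), ("gdm3 installed", GDM_INSTALLED)):
        print(label, "shipped:", gdm_removed_pass(h, False), "alternative:", gdm_removed_pass(h, True))
```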
olulekew7 commented 1 year ago

1.3.1 🔴

1.3.2 🔴

1.4.1 🔴

1.4.2 🔴

1.4.3 🔴

1.5.3 🔴

1.5.4 🔴

1.6.1.1 🔴

1.6.1.2 🔴

1.6.1.3 🔴

1.7.1 🔴

1.7.2 🔴

1.7.3 🔴

1.7.4 🔴

1.7.5 🔴

1.7.6 🔴

1.8.1 🔴

1.8.10 🟡

Rebits commented 1 year ago

Testing results

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/0eb02c2f6f8dc09330429bf6f42c69da9aecf4b7 |

1.3.1 :green_circle: - **Reference**: :green_circle:
1.3.2 :green_circle: - **Reference**: :green_circle:
1.4.1 :green_circle: - **Impact**: :green_circle: - **References**: :green_circle:
1.4.2 :green_circle: - **Remediation**: :green_circle:
1.4.3 :green_circle: - **Remediation**: :green_circle: - **Rules**: :green_circle:
1.5.3 :green_circle: - **Compliance**: :green_circle: - **Default value**: :green_circle:
1.5.4 :green_circle: - **Remediation**: :green_circle:
1.6.1.1 :green_circle: - **References**: :green_circle:
1.6.1.2 :green_circle: - **References**: :green_circle: - **Rules**: :green_circle:
1.6.1.3 :green_circle: - **References**: :green_circle:
1.7.1 :green_circle: - **References**: :green_circle:
1.7.2 :green_circle: - **References**: :green_circle:
1.7.4 :red_circle: Default value field is still defined in the check.
1.7.5 :green_circle: - **References**: :green_circle:
1.7.6 :green_circle: - **References**: :green_circle:
1.8.1 :green_circle: - **Rules**: :green_circle:
1.8.10 :green_circle: - **Rules**: :green_circle:
IsExec commented 1 year ago

https://github.com/wazuh/wazuh-qa/issues/3827

1.7.4 🔴 Default value: solved

https://github.com/wazuh/wazuh/pull/16017/commits/f0106b053c483ec5fb7ec2fc6c6cdaebca00a3e0

Rebits commented 1 year ago

Testing results

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/f0106b053c483ec5fb7ec2fc6c6cdaebca00a3e0 |

1.3.2 :red_circle: - **Rule**: Condition should be all instead of any
72nomada commented 1 year ago

1.3.2 - Solved

Rebits commented 1 year ago

Testing results

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16017/commits/0eb02c2f6f8dc09330429bf6f42c69da9aecf4b7 |

1.3.2 :green_circle: **Rules**: :green_circle:
Rebits commented 1 year ago

Closing conclusion 👍🏼

Suggested changes were implemented correctly. Everything seems to work as expected