Closed chemamartinez closed 5 years ago
cis_rhel6_linux_rcl.yml
Some rules seem incorrect, and come from the initial cis_rhel6_linux_rcl.txt rootcheck file (5 years ago...). They are causing false positives: the test fails but it should not.
ID 6016 cis "1.6.1.1"
- 'f:/etc/grub.conf -> !r:selinux=0;'
should be
- 'f:/etc/grub.conf -> r:selinux=0;'
maybe add
- 'f:/etc/grub.conf -> r:enforcing=0;'
ID 6017 cis "1.6.1.2"
- 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
should be
- 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
ID 6018 cis "1.6.1.3"
- 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
should be
- 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
And maybe this could be added in ID 6047 cis "3.2.4":
- 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 0;'
Generic system_audit_ssh.yml
False negative, when the SSH port is 22: the service is actually listening on port 22, but the test is reported as passed.
The rule is
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
meaning: if there is an uncommented line reading Port 22 in /etc/ssh/sshd_config, say test failed.
Actually, there is a commented line reading #Port 22 and no other uncommented line reading Port xx. So the port used is 22, which is the default. The result of the test should be failed, not passed.
This rule seems to work:
condition: any
rules:
- 'f:$sshd_file -> !r:^\s*Port;'
- 'f:$sshd_file -> r:^\s*Port && r:\s+22\s*$;'
- Port exists -> test failed
- #Port xx exists where xx is any value -> test failed too
- Port 22 exists -> test failed
- Port xx exists where xx is not 22 -> test passed

Right now, I am testing on a clean CentOS 7 agent. Will attach the inconsistencies I found as soon as they are ready.
I finished testing CentOS 7 and I am finishing SUSE 11 right now. I attach my work until now. sca testing.pdf
I finished testing SUSE 11 and CentOS 5, will continue testing Debian 7. sca testing.pdf
Finished CentOS 6, Debian 9 and only missing L1 policies from Debian 8. sca testing.pdf
Pass: 95 Fail: 9 Score: 91%
6505:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/var/tmp;'
6506:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/var/log;'
6507:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/var/log/audit;'
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.
/etc/fstab:
#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:50:01 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f52f361a-da1a-4ea0-8c7f-ca2706e86b46 / xfs defaults 0 0
/swapfile none swap defaults 0 0
6508:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/home;'
It passes even though /home does not exist as a separate partition.
/etc/fstab:
#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:50:01 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f52f361a-da1a-4ea0-8c7f-ca2706e86b46 / xfs defaults 0 0
/swapfile none swap defaults 0 0
6560:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'
It passes the check because it is set to INFO, but it’s commented so it does not take effect.
/etc/ssh/sshd_config:
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
Pass: 3 Fail: 6 Score: 33%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 82 Fail: 9 Score: 90%
First of all there were a couple of issues in the requirements and variables sections of the policy file:
requirements:
title: "Check Suse 11 version"
description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 11"
condition: "any required"
rules:
- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11";'
- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1";'
- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2";'
- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3";'
- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4";'
variables:
$rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;
The requirements are extracted from the /etc/os-release file, when that file does not exist. They should be extracted from /etc/issue.
The variable “$sshd_file: /etc/ssh/sshd_config;” is missing, hindering the rules that depend on it.
7005:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log;'
7006:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log/audit;'
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.
/etc/fstab:
devpts /dev/pts devpts mode=0620,gid=5 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
tmpfs /run tmpfs noauto 0 0
/dev/sda1 / ext3 defaults 1 1
7007:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/home;'
It passes even though /home does not exist as a separate partition.
/etc/fstab:
devpts /dev/pts devpts mode=0620,gid=5 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
debugfs /sys/kernel/debug debugfs noauto 0 0
tmpfs /run tmpfs noauto 0 0
/dev/sda1 / ext3 defaults 1 1
7043:
condition: any
rules:
- 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
7053:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'
It passes the check because it is set to INFO, but it’s commented so it does not take effect.
/etc/ssh/sshd_config:
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
Pass: 3 Fail: 6 Score: 33%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 0 Fail: 4 Score: 0%
Pass: 97 Fail: 14 Score: 87%
5505:
condition: any
rules:
- 'f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;'
It passes the check even though the /var/tmp directory is not bound to /tmp.
/etc/fstab:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
5506:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log;'
5507:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log/audit;'
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.
/etc/fstab:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
5508:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/home;'
It passes even though /home does not exist as a separate partition.
/etc/fstab:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
5516:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;'
- 'p:yum-updatesd;'
This rule fails, but looking at the corresponding rules section, I think this has a copy-pasting issue. This doesn’t have anything to do with fstab.
5518:
condition: any
rules:
- 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
This rule passes but it should not. If we want to have selinux=enforcing, we should make the rule trigger when it is NOT set to enforcing.
/etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
5519:
condition: any
rules:
- 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
Same reasoning as above, this fails when it IS set to targeted.
/etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
5536:
condition: all
rules:
- 'f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;'
It passes the check when umask is not set to 027.
/etc/init.d/functions:
# Make sure umask is sane
umask 022
5547:
condition: any
rules:
- 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
Pass: 2 Fail: 7 Score: 22%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 0 Fail: 4 Score: 0%
Pass: 95 Fail: 12 Score: 88%
6006:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/var/log;'
6007:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/var/log/audit;'
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.
/etc/fstab:
#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:35:43 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=c184952e-1de5-46f3-a789-d2f1476564bc / ext4 defaults 1 1
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/swapfile none swap defaults 0 0
6508:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/home;'
It passes even though /home does not exist as a separate partition.
/etc/fstab:
#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:35:43 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=c184952e-1de5-46f3-a789-d2f1476564bc / ext4 defaults 1 1
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/swapfile none swap defaults 0 0
Pass: 3 Fail: 6 Score: 33%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 0 Fail: 4 Score: 0%
Pass: 34 Fail: 7 Score: 82%
5034:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+2;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 3 Fail: 6 Score: 33%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 2 Fail: 2 Score: 50%
Pass: 213 Fail: 100 Score: 68%
10583:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;'
- 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;'
It doesn’t account for the value “without-password”.
/etc/ssh/sshd_config:
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
Pass: 0 Fail: 28 Score: 0%
Pass: 5 Fail: 4 Score: 55%
Pass: 76 Fail: 0 Score: 100%
Pass: 2 Fail: 2 Score: 50%
Pass: 227 Fail: 90 Score: 71%
10583:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;'
- 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;'
It doesn’t account for the value “without-password”.
/etc/ssh/sshd_config:
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
Pass: 0 Fail: 28 Score: 0%
Pass: 4 Fail: 5 Score: 44%
Pass: 76 Fail: 0 Score: 100%
Pass: 2 Fail: 2 Score: 50%
Pass: 72 Fail: 11 Score: 86%
7505:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log;'
7506:
condition: any
rules:
- 'f:/etc/fstab -> ^# && !r:/var/log/audit;'
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.
/etc/fstab:
/dev/sda1 / ext3 acl 1 1
7507:
condition: any
rules:
- 'f:/etc/fstab -> !r:^# && !r:/home;'
It passes even though /home does not exist as a separate partition.
/etc/fstab:
/dev/sda1 / ext3 acl 1 1
7544:
condition: any
rules:
- 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
- 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
7548:
title: "nsure suspicious packets are logged"
The title has its first letter missing.
7053:
condition: any
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'
It passes the check because it is set to INFO, but it’s commented so it does not take effect.
/etc/ssh/sshd_config:
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
Pass: 3 Fail: 6 Score: 33%
1500:
condition: any
rules:
- 'f:$sshd_file -> !r:^# && r:Port\.+22;'
It passes the check even though the port is never changed in the configuration file.
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Pass: 76 Fail: 0 Score: 100%
Pass: 0 Fail: 4 Score: 0%
Fixed reported rules at https://github.com/wazuh/wazuh-ruleset/pull/357
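The Port 22 false negative and the PermitRootLogin without-password case reported above, as an added Python example that is not part of this thread or of the Wazuh ruleset: it resolves the effective sshd_config values the way sshd does (commented lines ignored, first occurrence of a keyword wins, compiled-in default otherwise) and returns the pass/fail outcome the corrected checks are meant to produce. The DEFAULTS table, the function names and the sample configuration are my own constructions, assembled from the lines quoted in the thread.

```python
import re

# Constructed sample assembled from the sshd_config lines quoted in the thread:
# Port appears only as a commented-out default, PermitRootLogin is explicitly
# set to the value the reported rule 10583 does not account for.
SAMPLE_SSHD_CONFIG = """\
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
"""

# Compiled-in defaults from sshd_config(5) for the keywords checked below.
# Assumption: OpenSSH 7.0 or newer, where PermitRootLogin defaults to
# prohibit-password (older releases defaulted to yes).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password"}


def effective_settings(config_text):
    """Return {keyword: value} for the directives that actually take effect.
    sshd skips blank and '#' lines and honours the first occurrence of a
    keyword (case-insensitive; value separated by spaces, tabs or '=').
    Match blocks are not modelled."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # a commented "#Port 22" is not a setting
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())  # first wins
    return settings


def port_check(config_text):
    """Fail when sshd ends up listening on 22, whether 'Port 22' is set
    explicitly or no uncommented Port line exists and the default applies."""
    port = effective_settings(config_text).get("port", DEFAULTS["port"])
    return "fail" if port == "22" else "pass"


def root_login_check(config_text):
    """Pass only for an effective 'PermitRootLogin no'; 'yes',
    'without-password'/'prohibit-password', 'forced-commands-only' and the
    default all fail."""
    value = effective_settings(config_text).get("permitrootlogin",
                                                DEFAULTS["permitrootlogin"])
    return "pass" if value.lower() == "no" else "fail"


if __name__ == "__main__":
    print("Port check:", port_check(SAMPLE_SSHD_CONFIG))                   # fail
    print("PermitRootLogin check:", root_login_check(SAMPLE_SSHD_CONFIG))  # fail
```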
Hi team,
We have to fill a report including the SCA scan results for every OS in a default installation of the Wazuh agent and in as clean an environment as possible. This report should include the number of pass/fail results, as well as verify that there are no false positives.
Linux
[x] RHEL/CentOS 5
[x] RHEL/CentOS 6
[x] RHEL/CentOS 7
[x] Debian 7
[x] Debian 8
[x] Debian 9
[x] Suse 11
[x] Suse 12
Windows
[ ] Windows XP/Server 2003
[ ] Windows Server 2012 R2
[ ] Windows 10
[ ] Windows Server 2016
Solaris
mac OS
[ ] MAC OS X 10.11
[ ] MAC OS X 10.12
[ ] MAC OS X 10.13
Apart from checking the default policies included in the ossec.conf, for Linux distributions we should test the Application policies such as cis_apache2224_rcl.yml and the newly developed policies located at https://github.com/wazuh/wazuh-ruleset/pull/321 (linux passwords, debian 7/8, solaris 11 and Windows 10) and https://github.com/wazuh/wazuh-ruleset/issues/331 (macOS policies).
Note: the macOS policies testing is blocked by the inclusion of command rules for SCA (https://github.com/wazuh/wazuh/pull/2696).