Description

This issue aims to manually test the correct functioning of the SCA checks, report the results, and open new issues for any encountered errors.

OS: RHEL9 (Red Hat Enterprise Linux 9) SCA policy file: cis_rhel9_linux.yml

Tests

For each check in the SCA policy checks:

The title, description, rationale, and remediation must correspond to the ones in the CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022 document.
The check command found in the CIS benchmark file should work as expected and must match the rules specified in the check of the yml file.

https://github.com/wazuh/wazuh/blob/b2e6e27b0fcf11959d6013c2bac725cbaaa84ed0/ruleset/sca/rhel/9/cis_rhel9_linux.yml#L35-L3922

The installers must also be tested:

Check the scan is executed automatically when installing.
Check the scan result.

Note that at this moment there is no CIS Benchmark for RHEL9 available. We will use RHEL8 CIS Benchmark as the base.

Test report procedure

All test results must have one of the following statuses:
:green_circle:	All checks passed.
:red_circle:	There is at least one failed result.
:yellow_circle:	There is at least one expected failure or skipped test and no failures.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

SCA checks

Conclusions

All the results reported in this issue, as well as other observations, have been discussed with @72nomada and have been addressed in the following commits:

https://github.com/wazuh/wazuh/pull/13843/commits/9b0097b300bc0be694f9233f03028fbd31d8883c, https://github.com/wazuh/wazuh/pull/13843/commits/14b551d794f32bb8007789ac8370b43969b2eebf, https://github.com/wazuh/wazuh/pull/13843/commits/14b551d794f32bb8007789ac8370b43969b2eebf, https://github.com/wazuh/wazuh/pull/13843/commits/a567f3b4274f461f635ca5cdd865de35b84d85ca, https://github.com/wazuh/wazuh/pull/13843/commits/b2569cec045d903542ec93f96df49ee6ebc700a2, and https://github.com/wazuh/wazuh/pull/13843/commits/e614874628ff496cf8eb7f9a6097de029b3b9dec.

Environment, RHEL9 system

I have used the generic/rhel9 vagrant box to create the testing environment.

# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="9.0 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0"

Requirements for RHEL9 SCA checks

requirements:
  title: "Check RHEL9 family platform"
  description: "Requirements for running the policy against RHEL 9 family."
  condition: any
  rules:
    - "f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 9"
    - "f:/etc/redhat-release -> r:^Cloud && r:release 9"
    - "f:/etc/redhat-release -> r:^Oracle && r:release 9"
    - "f:/etc/redhat-release -> r:^Better && r:release 9"
    - "f:/etc/redhat-release -> r:^OpenVZ && r:release 9"

The requirement for running the "CIS Benchmark for Red Hat Enterprise Linux 9" policy is met. The content of /etc/redhat-release is:

# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.0 (Plow)

SCA checks

Comparison between the CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022 and cis_rhel9_linux.yml

1 Initial Setup

1.1 Filesystem Configuration

1.1.1 Disable unused filesystems

1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🔴

"Removing support for unneeded filesystem types reduces the local attack surface of the ~~server~~ system. If this filesystem type is not needed, disable it."

Where it says server, it should say system.

remediation: 🟢 cis compliance: 🟢

Check:

[root@Wazuh vagrant]# modprobe -n -v cramfs 
modprobe: FATAL: Module cramfs not found in directory /lib/modules/5.14.0-70.13.1.el9_0.x86_64
[root@Wazuh vagrant]# lsmod | grep cramfs
[root@Wazuh vagrant]# grep -E "^blacklist\s+cramfs" /etc/modprobe.d/*
[root@Wazuh vagrant]#

Expected: PASS

Findings: 🔴

This check passes thanks to the additional condition included in "c:modprobe -n -v cramfs -> r:install /bin/false|Module cramfs not found". According to the CIS Benchmark, the modprobe -n -v cramfs output should be install /bin/false, the Module cramfs not found is not an accepted output.
- The cramfs module has been removed in RHEL9. As this module is no longer present, consider removing the "1.1.1.1 Ensure mounting of cramfs filesystems is disabled" check. See Considerations in adopting RHEL 9.
There is no rule for the third check included in the CIS Red Hat Enterprise Linux 8 Benchmark: grep -E "^blacklist\s+cramfs" /etc/modprobe.d/*

1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: 🟢

Check:

[root@Wazuh vagrant]# modprobe -n -v squashfs | grep "^install"
[root@Wazuh vagrant]# lsmod | grep squashfs
[root@Wazuh vagrant]# grep -E "^blacklist\s+squashfs" /etc/modprobe.d/*

Expected: FAIL

Findings: 🔴

There is no rule for the third check included in the CIS Red Hat Enterprise Linux 8 Benchmark: grep -E "^blacklist\s+squashfs" /etc/modprobe.d/*
- An additional condition Module squashfs not found, not present in the CIS Benchmark, is included in the first rule "c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found"
1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: 🔴

cis: ["1.1.1.4"] should be: - "1.1.1.3"

Check:

[root@Wazuh vagrant]# modprobe -n -v udf | grep "^install"
[root@Wazuh vagrant]# lsmod | grep udf
[root@Wazuh vagrant]# grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/*
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

There is no rule for the third check included in the CIS Red Hat Enterprise Linux 8 Benchmark: grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/*
- An additional condition Module udf not found, not present in the CIS Benchmark, is included in the first rule "c:modprobe -n -v udf -> r:install /bin/true|Module udf not found"
1.1.2 Configure /tmp

1.1.2.1 Ensure /tmp is a separate partition (Automated)

title: 🟢 description: 🟢
rationale: 🔴

"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."

The highlighted text "additional mount options such as" is present in the CIS Benchmark and missing in cis_rhel9_linux.yml.

In addition, "hardlink" must be changed to "hard link".

remediation: 🟢 cis compliance: 🔴

cis_csc: ["9.1"] should be cis_csc: ["4.8", "9.2"]

Check:

[root@Wazuh vagrant]# findmnt --kernel /tmp
[root@Wazuh vagrant]# systemctl is-enabled tmp.mount
disabled

Expected: FAIL

1.1.2.2 Ensure nodev option set on /tmp partition (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🔴

"Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot ~~attempt to~~ create a block or character special devices in /tmp."

The crossed-out phrase ~~attempt to~~ should be deleted.
"create block" should be "create a block".

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /tmp | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.2.3 Ensure noexec option set on /tmp partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /tmp | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.2.4 Ensure nosuid option set on /tmp partition (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴 "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Example: /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /tmp with the configured options: # mount -o remount /tmp "

There is an extra space between /tmp and the quotation mark "...remount /tmp ". The period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /tmp | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.3 Configure /var

1.1.3.1 Ensure separate partition exists for /var (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"... the hard- link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."

"hard- link" should be "hard-link".

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var
[root@Wazuh vagrant]#

Expected: FAIL

1.1.3.2 Ensure nodev option set on /var partition (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢
cis compliance: 🔴

cis: ["1.1.2.2"] should be 1.1.3.2

[root@Wazuh vagrant]# findmnt --kernel /var | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.3.3 Ensure noexec option set on /var partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.3.4 Ensure nosuid option set on /var partition (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🔴

cis: ["1.1.2.4"] should be 1.1.3.4

[root@Wazuh vagrant]# findmnt --kernel /var | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.4 Configure /var/tmp

1.1.4.1 Ensure separate partition exists for /var/tmp (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"hard- link" should be "hard-link".

remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/tmp
[root@Wazuh vagrant]#

Expected: FAIL

1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🔴

"Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition."

The remediation field is incomplete. The following text is missing: "Example: /var/tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var/tmp with the configured options: # mount -o remount /var/tmp."

cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/tmp | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated) 🟢

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/tmp | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🔴 "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot ~~attempt to~~ create a block or character special devices in /var/tmp."

"...to ensure that users cannot attempt to create block..." should be "...to ensure that users cannot create a block..."

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/tmp | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.5 Configure /var/log

1.1.5.1 Ensure separate partition exists for /var/log (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🔴

"...the hard- link would be broken and the attacker would have..."

"hard- link" should be "hard-link".

remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["6.4", "8.3"] Usually the cis_csc values follow the order [v8, v7]. In this case, they are inverted.

[root@Wazuh vagrant]# findmnt --kernel /var/log
[root@Wazuh vagrant]#

Expected: FAIL

1.1.5.2 Ensure nodev option set on /var/log partition (Automated) 🟢

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/log | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.5.3 Ensure noexec option set on /var/log partition (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢 remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/log | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.5.4 Ensure nosuid option set on /var/log partition (Automated) 🟢

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/log | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.6 Configure /var/log/audit

1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: :yellow_circle:

"...the hard- link would be broken and the attacker would have his own copy of the program..."

"hard- link" should be "hard-link".

remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["6.4", "8.3"] Usually the cis_csc values follow the order [v8, v7]. In this case, they are inverted.

[root@Wazuh vagrant]# findmnt --kernel /var/log/audit
[root@Wazuh vagrant]#

Expected: FAIL

1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/log/audit | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /var/log/audit | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance:

[root@Wazuh vagrant]# findmnt --kernel /var/log/audit | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.7 Configure /home

1.1.7.1 Ensure separate partition exists for /home (Automated) 🔴

title: 🔴 "Ensure separate partition exists for /var/log/audit." should be "Ensure separate partition exists for /home."

description: 🟢 rationale: 🔴

"the hard- link would be broken and the attacker"

"hard- link" should be "hard-link".

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /home
[root@Wazuh vagrant]#

Expected: FAIL

1.1.7.2 Ensure nodev option set on /home partition (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: :yellow_circle: The rationales differ but the one in the cis_rhel9_linux.yml document seems to be the right one.

cis_rhel9_linux.yml: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /home." CIS Benchmark: "Since the /home filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var"

The CIS Red Hat Enterprise Linux 8 Benchmark v2.0.0 rationale seems to be incorrect as it refers to /var.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /home | grep nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.7.3 Ensure nosuid option set on /home partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation:
cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /home | grep nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.7.4 Ensure usrquota option set on /home partition (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

"...Enable quotas on the partition: # quotaon -vug /home /dev/sdb [/home]: group quotas turned on /dev/sdb [/home]: user quotas turned on " There is an extra space between on and the quotation mark "... turned on ". The period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /home | grep usrquota
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

The second audit command is missing. The cis_rhel9_linux.yml is only verifying that the usrquota option is set for the /home mount, but is not verifying that quotas is enabled.

# quotaon -p /home | grep user
user quota on /home (/dev/sdb) is on

1.1.7.5 Ensure grpquota option set on /home partition (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

"...group quotas turned on /dev/sdb [/home]: user quotas turned on "

There is an extra space between on and the quotation mark "... turned on ". The period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /home | grep grpquota
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

The second audit command is missing. The cis_rhel9_linux.yml is only verifying that the grpquota option is set, but is not verifying that quotas is enabled.

# quotaon -p /home | grep group
user quota on /home (/dev/sdb) is on

The output off the command seems to be wrong in the CIS benchmark document. Note that the command is looking for "group" which is not present in the output.

1.1.8 Configure /dev/shm

1.1.8.1 Ensure nodev option set on /dev/shm partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# mount | grep -E '\s/dev/shm\s' | grep -v nodev
[root@Wazuh vagrant]#

Expected: FAIL

1.1.8.2 Ensure noexec option set on /dev/shm partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# findmnt --kernel /dev/shm | grep noexec
[root@Wazuh vagrant]#

Expected: FAIL

1.1.8.3 Ensure nosuid option set on /dev/shm partition (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# mount | grep -E '\s/dev/shm\s' | grep -v nosuid
[root@Wazuh vagrant]#

Expected: FAIL

1.1.9 Disable Automounting (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled autofs
Failed to get unit file state for autofs.service: No such file or directory

Expected: PASS

1.1.10 Disable USB Storage (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

"Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/usb-storage.conf and add the following line: install usb-storage /bin/true Run the following command to unload the usb-storage module: # rmmod usb-storage"

There are extra spaces between "/bin/true" and "Run": "/bin/true`Run". In "...module: # rmmod..." the#` symbol is not present in the CIS Benchmark document. The period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# modprobe -n -v usb-storage
insmod /lib/modules/5.14.0-70.13.1.el9_0.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz

Expected: PASS (With the current rule that does not correspond to the CIS Benchmark audit).

Findings:

The current rule "c:modprobe -n -v usb-storage -> r:insdmod" expects a different output that the one included in the CIS benchmark document: install usb-storage /bin/true.

1.2 Configure Software Updates

1.2.3 Ensure gpgcheck is globally activated (Automated) 🔴

title: 🟢 description: 🔴

"The gpgcheck option, found in the main section of the ~~/etc/yum.conf~~ /etc/dnf/dnf.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation."

"/etc/yum.conf" should be "/etc/dnf/dnf.conf".

rationale: 🟢
remediation: 🔴

"Edit /etc/yum.conf and set ' gpgcheck=1 ' in the [main] section. Example: # sed -i 's/^gpgcheck\s=\s./gpgcheck=1/' /etc/dnf/dnf.conf Edit any failing files in /etc/yum.repos.d/ and set all instances of gpgcheck to ' 1 ' Example: # find /etc/yum.repos.d/ -name \".repo\" -exec echo \"Checking:\" {} \; -exec sed -i 's/^gpgcheck\s=\s./gpgcheck=1/' {} \;."

As in the description, "/etc/yum.conf" should be "/etc/dnf/dnf.conf".

cis compliance: :yellow_circle:

cis_csc: ["3.4", "7.3"] is inverted, we usually follow the convention v8, v7.

[root@Wazuh vagrant]# grep ^gpgcheck /etc/dnf/dnf.conf
gpgcheck=1
[root@Wazuh vagrant]# grep -P "^gpgcheck\h*=\h*[^1].*\h*$" /etc/yum.repos.d/*
[root@Wazuh vagrant]#

Expected: PASS

1.3 Filesystem Integrity Checking

1.3.1 Ensure AIDE is installed (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q aide
package aide is not installed

Expected: FAIL

1.3.2 Ensure filesystem integrity is regularly checked (Automated) 🔴

This check is divided in A and B. Check A verifies that aidcheck.service and aidcheck.timer are enabled and that aidcheck.timer is running. On the other hand, check B verifies that a cron job is scheduled to run the aide check.

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

"If cron will be used to schedule and run aide check. Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 /usr/sbin/aide --check OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines:[Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/sbin/aide --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=-- 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck. # chmod 0644 /etc/systemd/system/aidecheck. # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer"

The sentence and add the following lines is included in the CIS Benchmark document and is missing in the cis_rhel9_linux.yml remediation for "Ensure filesystem integrity is regularly checked (A)".

🔴 The remediation in the "Ensure filesystem integrity is regularly checked (B)" check differs from the one included in the CIS Benchmark document.

cis compliance: 🔴 Check A: 🟢 Check B: 🔴

cis_csc: ["3.5"] should be cis_csc: ["3.14", "14.9"].

🔴 Note that pci_dss, nist_800_53 and tsc checks differ between check A and check B.

[root@Wazuh vagrant]# systemctl is-enabled aidecheck.service
Failed to get unit file state for aidecheck.service: No such file or directory
[root@Wazuh vagrant]# systemctl is-enabled aidecheck.timer
Failed to get unit file state for aidecheck.timer: No such file or directory
[root@Wazuh vagrant]# systemctl status aidecheck.timer
Unit aidecheck.timer could not be found.
[root@Wazuh vagrant]# crontab -u root -l 
no crontab for root
[root@Wazuh vagrant]# grep -r aide /etc/cron.* /etc/crontab

Expected: FAIL

1.4 Secure Boot Settings

1.4.3 Ensure authentication is required when booting into rescue mode :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["4.4", "5.2"] does not follow the convention v8, v7.

[root@Wazuh vagrant]# grep -r /systemd-sulogin-shell /usr/lib/systemd/system/rescue.service
/etc/systemd/system/rescue.service.d
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Expected: PASS

1.5 Additional Process Hardening

1.5.1 Ensure core dump storage is disabled (Automated)

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep -i '^\s*storage\s*=\s*none' /etc/systemd/coredump.conf
[root@Wazuh vagrant]#

Expected: FAIL

1.5.2 Ensure core dump backtraces are disabled (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep -i '^\s*ProcessSizeMax\s*=\s*0' /etc/systemd/coredump.conf
[root@Wazuh vagrant]#

Expected: FAIL. Default Value: ProcessSizeMax=2G

1.5.3 Ensure address space layout randomization (ASLR) is enabled (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

'...parameter:# sysctl -w kernel.randomize_va_space=2 '

There's an extra space between "kernel.randomize_va_space=2" and the quotation mark.

cis compliance: :yellow_circle:

cis_csc: ["8.3", "10.5"] does not follow the convention v8, v7.

#!/usr/bin/env bash
{
krp="" pafile="" fafile=""
kpname="kernel.randomize_va_space"
kpvalue="2"
searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
  echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
else
  echo -e "\nFAIL: "
  [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
  [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
  [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
fi
}

[root@Wazuh vagrant]# bash 1.5.3_test.sh 

FAIL: 

"kernel.randomize_va_space = 2" is not set in a kernel parameter configuration file

Expected: FAIL

1.6 Mandatory Access Control

1.6.1 Configure SELinux

1.6.1.1 Ensure SELinux is installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q libselinux
libselinux-3.3-2.el9.x86_64

Expected: PASS

1.6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# cat /boot/grub2/grubenv | grep -e kernelopts=\.*selinux=0
[root@Wazuh vagrant]# cat /boot/grub2/grubenv | grep -e kernelopts=\.*enforcing=0
[root@Wazuh vagrant]#

Expected: PASS

Findings: :yellow_circle:

The cis_rhel9_linux.yml rule 'f:/boot/grub2/grubenv -> r:kernelopts=\.*selinux=0|kernelopts=\.*enforcing=0' only checks /boot/grub2/grubenv. According to the CIS Benchmark the grub.cfg file should also be checked as well as any other file following the criteria find /boot -type f $ -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' $.

[root@Wazuh vagrant]# find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \)
/boot/grub2/grubenv
/boot/grub2/grub.cfg

1.6.1.3 Ensure SELinux policy is configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# grep -E '^\s*SELINUXTYPE=(targeted|mls)\b' /etc/selinux/config
SELINUXTYPE=targeted
[root@Wazuh vagrant]# sestatus | grep Loaded
Loaded policy name:             targeted

Expected: PASS

1.6.1.4 Ensure the SELinux mode is not disabled (Automated) :yellow_circle:

title: 🟢 description: :yellow_circle:

" SELinux can run..." There's an extra space between the quotation mark and "SELinux".

rationale: 🟢 remediation: :yellow_circle:

"...For Enforcing mode: SELINUX=enforcing OR For Permissive mode: SELINUX=permissive " There's an extra space between "permissive" and the quotation mark.

cis compliance: 🟢

[root@Wazuh vagrant]# getenforce
Enforcing
[root@Wazuh vagrant]# grep -Ei '^\s*SELINUX=(enforcing|permissive)' /etc/selinux/config
SELINUX=enforcing

Expected: PASS

1.6.1.5 Ensure the SELinux mode is enforcing (Automated) 🔴

title: 🔴

Ensure the SELinux ~~state~~ mode is enforcing

"SELinux state" should be "SELinux mode".

description: :yellow_circle:

" SELinux can run..."
"... httpd_t domain permissive: # semanage permissive -a httpd_t " There's an extra space between the quotation mark and "SELinux" and between "httpd_t" and the quotation mark.

rationale: :yellow_circle:

cis_rhel9_linux.yml: "Running SELinux in disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."

CIS Benchmark: "Running SELinux in disabled mode the system not only avoids enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Running SELinux in Permissive mode, though helpful for developing SELinux policy, only logs access denial entries, but does not deny any operations."

remediation: :yellow_circle:

"...SELINUX=enforcing. "

There's an extra space between "enforcing." and the quotation mark.

cis compliance: 🟢

[root@Wazuh vagrant]# getenforce
Enforcing
[root@Wazuh vagrant]# grep -i SELINUX=enforcing /etc/selinux/config
SELINUX=enforcing

Expected: PASS

1.6.1.6 Ensure no unconfined services exist (Automated)

title: 🟢 description: 🟢 rationale: :yellow_circle:

"...SELinux is a security enhancement on top of DAC rules – it does not replace them"

The period is missing.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 936 ?  00:00:15 VBoxService

Expected: FAIL

1.6.1.7 Ensure SETroubleshoot is not installed (Automated)

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q setroubleshoot
package setroubleshoot is not installed

Expected: PASS

1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q mcstrans
package mcstrans is not installed

Expected: PASS

1.7 Command Line Warning Banners

1.7.1 Ensure message of the day is configured properly (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: :yellow_circle:

"...or references to the OS platform OR If the motd is not used, this file can be removed."

There are extra spaces before and after "OR".

cis compliance: 🟢

[root@Wazuh vagrant]# cat /etc/motd | grep -E -i "(\\\v|\\\r|\\\m|\\\s)"
[root@Wazuh vagrant]#

Expected: PASS

Findings: 🔴

The cis_rhel9_linux.yml rule 'f:/etc/motd -> r:\\v|\\r|\\m|\\s' does not include a check looking for the OS name included in the CIS Benchmark command.

[root@Wazuh vagrant]# grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'
rhel

CIS Benchmark audit:

grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd

1.7.2 Ensure local login warning banner is configured properly (Automated) 🔴

title: 🟢 description: 🔴

"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture \r - operating system release \s - operating system name \v - operating system version"

The description is missing the final phrase "- or the operating system's name"

rationale: 🟢

remediation: :yellow_circle: "...OS platform:" The : is not present in the CIS Benchmark document.

cis compliance: 🟢

[root@Wazuh vagrant]# cat /etc/issue | grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))"
\S
Kernel \r on an \m

Expected: FAIL

Findings: 🔴

The cis_rhel9_linux.yml rule 'f:/etc/issue -> r:\\v|\\r|\\m|\\s' does not include a check looking for the OS name included in the CIS Benchmark command.

1.7.3 Ensure remote login warning banner is configured properly (Automated)

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# cat /etc/issue.net | grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))"
\S
Kernel \r on an \m

Expected: FAIL

Findings: 🔴

The cis_rhel9_linux.yml rule f:/etc/issue.net -> r:\\v|\\r|\\m|\\s' does not include a check looking for the OS name included in the CIS Benchmark command.

1.7.4 Ensure permissions on /etc/motd are configured (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# stat -L /etc/motd
  File: /etc/motd
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d    Inode: 134346435   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2022-07-15 11:17:26.709792077 +0000
Modify: 2022-05-27 05:13:44.145798344 +0000
Change: 2022-05-27 05:13:44.145798344 +0000
 Birth: 2022-05-27 04:56:07.287003754 +0000

Expected: PASS

1.7.5 Ensure permissions on /etc/issue are configured (Automated) 🟢

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/issue
  File: /etc/issue
  Size: 23          Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346408   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2022-07-18 08:34:23.745898172 +0000
Modify: 2022-04-06 15:03:54.000000000 +0000
Change: 2022-07-18 08:34:18.520000061 +0000
 Birth: 2022-05-27 04:56:07.240003697 +0000

Expected: PASS

1.7.6 Ensure permissions on /etc/issue.net are configured (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/issue.net
  File: /etc/issue.net
  Size: 22          Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134346409   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2022-07-18 09:57:22.341484421 +0000
Modify: 2022-04-06 15:03:54.000000000 +0000
Change: 2022-05-27 04:56:07.240003697 +0000
 Birth: 2022-05-27 04:56:07.240003697 +0000

Expected: PASS

1.8 GNOME Display Manager

1.8.1 Ensure GNOME Display Manager is removed (Manual) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: :yellow_circle:

"Run the following command to remove the gdm package # dnf remove gdm.'"

There's an extra ' at the end of the sentence.

cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] is not in the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q gdm
package gdm is not installed

Expected: PASS

1.8.2 Ensure GDM login banner is configured (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation:
cis compliance: 🟢

[root@Wazuh vagrant]# cat /etc/dconf/profile/gdm
cat: /etc/dconf/profile/gdm: No such file or directory

Expected: FAIL

1.8.3 Ensure last logged in user display is disabled (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: :yellow_circle:

"...on the system, consult your documentation to disable displaying the last logged on user. "

There's an extra space between user. and the quotation mark.

remediation: :yellow_circle:

"...databases: # dconf update "

There's an extra space between update and the quotation mark.

cis compliance: 🟢

[root@Wazuh vagrant]# cat /etc/dconf/profile/gdm
cat: /etc/dconf/profile/gdm: No such file or directory

Expected: FAIL

1.8.4 Ensure XDMCP is not enabled (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: :yellow_circle:

"Edit the file /etc/gdm/custom.conf and remove the line Enable=true. "

There's an extra space between Enable=true. and the quotation mark.

cis compliance: 🟢

[root@Wazuh vagrant]# grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf
[root@Wazuh vagrant]#

Expected: PASS based on the CIS audit. FAIL with the current rules.

Findings: 🔴

The cis_rhel9_linux.yml rules are not consistent with que CIS Benchmark audit command.

cis_rhel9_linux.yml rules:

condition: all
    rules:
      - "f:/etc/gdm/custom.conf"
      - 'c:egrep -Eis "^\s{0,}Enable\s{0,}=\s{0,}true" /etc/gdm/custom.conf -> r:^\s*Enable\s*=\s*true'

CIS benchmark audit:

# grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf
Nothing should be returned

The second rule looks for Enable = true while the CIS benchmark audit states that nothing should be returned.
On the other hand, the CIS audit command does not verify that the file exists.

1.8.5 Ensure automatic mounting of removable media is disabled (Automated) :yellow_circle:

title: 🟢 description: 🟢 rationale: :yellow_circle:

"...to mount it themselves. "

There's an extra space between themselves. and the quotation mark.

remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["8.5", "10.3"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# gsettings get org.gnome.desktop.media-handling automount
No schemas installed

Expected: FAIL

1.9 Ensure updates, patches, and additional security software are installed :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: :yellow_circle:

"Use your package manager to update all packages on the system according to site policy. The following command will install all available ~~security~~ updates: # dnf update"

The word security is not present in the CIS Benchmark rationale.

cis compliance: :yellow_circle:

cis_csc: ["3.4", "7.3", "7.4"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# dnf check-update
Last metadata expiration check: 0:00:14 ago on Tue 19 Jul 2022 09:01:05 AM UTC.

Expected: PASS

Findings: :yellow_circle:

The rule checks for security updates while the CIS audit command checks for all available updates or patches.

1.10 Ensure system-wide crypto policy is not legacy (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: :🔴

remediation: "Run the following command to change the system-wide crypto policy # update-crypto-policies --set `Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies.`"

There are many blank spaces in the remediation. A period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# grep -E -i '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config
[root@Wazuh vagrant]#

Expected: PASS

2 Services

2.1 Time Synchronization

2.1.1 Ensure time synchronization is in use (Automated) :yellow_circle:

title: 🟢
description: :yellow_circle:

"... If another method for time synchronization is being used, this section may be skipped. "

There's an extra space between skipped. and the quotation mark.

rationale: 🟢
remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["6.1", "8.4"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q chrony
chrony-4.1-3.el9.x86_64

Expected: PASS

2.1.2 Ensure chrony is configured (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["6.1", "8.4"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# grep -E "^(server|pool)" /etc/chrony.conf
pool 2.rhel.pool.ntp.org iburst
[root@Wazuh vagrant]# grep ^OPTIONS /etc/sysconfig/chronyd
OPTIONS="-F 2"

Expected: FAIL

Findings: 🔴

The rule f:/etc/chrony.conf -> r:server does not allow the pool option as does the CIS audit command: grep -E "^(server|pool)" /etc/chrony.conf.

The pool option can be used to specify a pool of NTP servers rather than a single NTP server. For more information, see https://chrony.tuxfamily.org/doc/4.2/chrony.conf.html#pool.

2.2 Special Purpose Services

2.2.1 Ensure xinetd is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"If there are no xinetd services required, it is recommended that ~~the daemon be disabled~~ the package be removed to reduce the attack surface ~~are~~ of the system. Note: If an xinetd service or services are required, ensure that any xinetd service not required is stopped and disabled."

The rationale differs from that of the CIS Benchmark document.

remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8", "9.2"] does not follow the usual order v8,v7.

[root@Wazuh vagrant]# rpm -q xinetd
package xinetd is not installed

Expected: PASS

2.2.2 Ensure xorg-x11-server-common is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q xorg-x11-server-common
package xorg-x11-server-common is not installed

Expected: PASS

Findings: 🔴

The rule c:rpm -q xorg-x11-server-common -> r:^package xinetd is not installed looks for the wrong output. The output should be "package xorg-x11-server-common is not installed".

2.2.3 Ensure Avahi Server is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"Automatic discovery of network services is not normally required for system functionality. It is recommended to ~~disable~~ remove ~~the service~~ this package to reduce the potential attack surface."

The rationale differs from that of the CIS Benchmark document.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q avahi-autoipd avahi
package avahi-autoipd is not installed
package avahi is not installed

Expected: PASS

2.2.4 Ensure CUPS is not installed (Automated) 🔴

title: 🔴

There's a typo in the title: "Ensure CUPS is not ~~isntalled~~ installed."

description: 🟢 rationale: 🟢 remediation: :yellow_circle:

"If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be removed to reduce the potential attack surface. Note: Removing CUPS will prevent printing from the system"

A period is missing.

cis compliance: :yellow_circle:

"Run the following command to remove cups: # dnf remove cups"

A period is missing.

[root@Wazuh vagrant]# rpm -q cups
package cups is not installed

Expected: PASS

2.2.5 Ensure DHCP Server is not installed (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: :yellow_circle:

The rationale is different from that of the CIS Benchmark document but seems correct.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q dhcp-server
package dhcp-server is not installed

Expected: PASS

2.2.6 Ensure DNS Server is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"Unless a system is specifically designated to act as a DNS server, it is recommended that the ~~service be disabled~~ package be removed to reduce the potential attack surface."

The rationale differs from that of the CIS Benchmark document.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q bind
package bind is not installed

Expected: PASS

2.2.7 Ensure FTP Server is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the ~~service be disabled~~ package be removed to reduce the potential attack surface."

The rationale differs from that of the CIS Benchmark document.

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q ftp
package ftp is not installed

Expected: PASS

2.2.8 Ensure VSFTP Server is not installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q vsftpd
package vsftpd is not installed

Expected: PASS

2.2.9 Ensure TFTP Server is not installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q tftp-server
package tftp-server is not installed

Expected: PASS

2.2.10 Ensure a web server is not installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q httpd nginx
package httpd is not installed
package nginx is not installed

Expected: PASS

2.2.11 Ensure IMAP and POP3 server is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the ~~service be disabled~~ package be removed to reduce the potential attack surface. Note: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required."

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q dovecot cyrus-imapd
package dovecot is not installed
package cyrus-imapd is not installed

Expected: PASS

2.2.12 Ensure Samba is not installed (Automated) 🔴

title: 🔴

Ensure Samba is not ~~enabled~~ installed.

description: 🔴

"The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the ~~Small~~ Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."

rationale: 🔴

"If there is no need to mount directories and file systems to Windows systems, then this ~~service can be disabled~~ package can be removed to reduce the potential attack surface."

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q samba
package samba is not installed

Expected: PASS

2.2.13 Ensure HTTP Proxy Server is not installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q squid
package squid is not installed

Expected: PASS

2.2.14 Ensure net-snmp is not installed (Automated) :yellow_circle:

title: 🟢 description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8", "9.2"] does not follow the usual order v8, v7

[root@Wazuh vagrant]# rpm -q net-snmp
package net-snmp is not installed

Expected: PASS

2.2.15 Ensure NIS server is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🔴

"The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that ~~the service be disabled and other,~~ the ypserv package be removed, and if required a more secure services be used."

The rationale differs from that of the CIS Benchmark document.

remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8", "9.2"] does not follow the usual order v8, v7

[root@Wazuh vagrant]# rpm -q ypserv
package ypserv is not installed

Expected: PASS

2.2.16 Ensure telnet-server is not installed (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8", "9.2"] does not follow the usual order v8, v7

[root@Wazuh vagrant]# rpm -q telnet-server
package telnet-server is not installed

Expected: PASS

2.2.17 Ensure mail transfer agent is configured for local-only mode (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: :yellow_circle:

"Run the following command to restart postfix:: # systemctl restart postfix"

There's a double : after "posfix": posfix::. A period is missing.

cis compliance: 🟢

[root@Wazuh vagrant]# ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|\[?::1\]?):25\s'
[root@Wazuh vagrant]#

Expected: PASS

2.2.18 Ensure nfs-utils is not installed or the nfs-server service is masked (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q nfs-utils
package nfs-utils is not installed
[root@Wazuh vagrant]# systemctl is-enabled nfs-server
Failed to get unit file state for nfs-server.service: No such file or directory

Expected: PASS

2.2.19 Ensure rpcbind is not installed or the rpcbind services are masked(Automated) 🔴

title: 🔴

cis_rhel9_linux.yml: "Ensure RPC is not enabled."

CIS Benchmark document: "Ensure rpcbind is not installed or the rpcbind services are masked."

description: 🟢
rationale: 🟢
remediation: 🟢

Note: It differs from the CIS remediation as it corrects an error in the document that says to uninstall the wrong package nfs-utils.

cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q rpcbind
package rpcbind is not installed
[root@Wazuh vagrant]# systemctl is-enabled rpcbind
Failed to get unit file state for rpcbind.service: No such file or directory
[root@Wazuh vagrant]# systemctl is-enabled rpcbind.socket
Failed to get unit file state for rpcbind.socket: No such file or directory

Expected: PASS

Findings: 🔴

If the rpcbind package is required as a dependency, the CIS requires both rpcbind and rpcbind.socket services to be masked.

With the current rules, we are checking that at least one of the services is masked (should be both).

condition: any
rules:
  - "c:rpm -q rpcbind -> r:^package rpcbind is not installed"
  - "c:systemctl is-enabled rpcbind -> r:masked|No such file or directory"
  - "c:systemctl is-enabled rpcbind.socket -> r:masked|No such file or directory"

2.2.20 Ensure rsync is not installed or the rsyncd service is masked (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q rsync
package rsync is not installed
[root@Wazuh vagrant]# systemctl is-enabled rsyncd
Failed to get unit file state for rsyncd.service: No such file or directory

Expected: PASS

2.3 Service Clients

2.3.1 Ensure NIS Client is not installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

"Run the following command to ~~uninstall~~ remove the ypbind package: # dnf remove ypbind"

cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q ypbind
package ypbind is not installed

Expected: PASS

Finding: 🔴

The rule is looking for the wrong output "package rsync is not installed". It should be ypbind not rsync.

    rules:
      - "c:rpm -q ypbind -> r:^package rsync is not installed"

2.3.2 Ensure rsh client is not installed (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q rsh
package rsh is not installed

Expected: PASS

2.3.3 Ensure talk client is not installed (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🔴

"Run the following command to remove the ~~rsh~~ talk package: # dnf remove ~~rsh~~ talk."

cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q talk
package talk is not installed

Expected: PASS

2.3.4 Ensure telnet client is not installed (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🔴

Run the following command to ~~uninstall telnet~~ remove the telnet package: # dnf remove telnet

cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q telnet
telnet-0.17-85.el9.x86_64

Expected: FAIL

2.3.5 Ensure LDAP client is not installed (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: :yellow_circle:

cis_csc: ["2.6", "4.8"] does not follow the usual order v8, v7.

[root@Wazuh vagrant]# rpm -q openldap-clients
package openldap-clients is not installed

Expected: PASS

2.3.6 Ensure TFTP client is not installed (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q tftp
package tftp is not installed

Expected: PASS

3 Network Configuration

3.1 Disable unused network protocols and devices

3.1.2 Ensure SCTP is disabled (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# modprobe -n -v sctp
modprobe: FATAL: Module sctp not found in directory /lib/modules/5.14.0-70.13.1.el9_0.x86_64
[root@Wazuh vagrant]# lsmod | grep sctp
[root@Wazuh vagrant]#

Expected: PASS

3.1.3 Ensure DCCP is disabled (Automated)

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# modprobe -n -v dccp
modprobe: FATAL: Module dccp not found in directory /lib/modules/5.14.0-70.13.1.el9_0.x86_64
[root@Wazuh vagrant]# lsmod | grep dccp
[root@Wazuh vagrant]#

Expected: PASS

3.1.4 Ensure wireless interfaces are disabled (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🔴

"If wireless is not to be used, wireless devices ~~can~~ should be disabled to reduce the potential attack surface."

remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# bash 3.1.4_audit_script.sh
WIFI-HW  WIFI     WWAN-HW  WWAN    
enabled  enabled  enabled  enabled 
[root@Wazuh vagrant]# nmcli radio wifi
enabled
[root@Wazuh vagrant]# nmcli radio wwan
enabled

Expected: FAIL

3.2 Network Parameters (Host Only)

3.2.1 Ensure IP forwarding is disabled (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

CIS audit scripts and outputs:

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.ip_forward"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.2.1.sh 

FAIL: 

"net.ipv4.ip_forward = 0" is not set in a kernel parameter configuration file

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv6.conf.all.forwarding"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: " 
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.2.1_2.sh 

FAIL: 

"net.ipv6.conf.all.forwarding = 0" is not set in a kernel parameter configuration file

Findings: 🔴

- 'not c:grep -Rh -E -s "\s*net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/ /usr/lib/sysctl.d/ /run/sysctl.d/ -> r:^\s*net.ipv4.ip_forward\s*=\s*1'

The audit rules do not search all the files and directories included in the CIS audit: /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf

Expected: FAIL

3.2.2 Ensure packet redirect sending is disabled (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

CIS audit scripts and outputs:

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.all.send_redirects"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf
/etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" 
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test3.2.2_1.sh 

FAIL: 
"net.ipv4.conf.all.send_redirects" is set to "1" in the running configuration

"net.ipv4.conf.all.send_redirects = 0" is not set in a kernel parameter configuration file

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.default.send_redirects"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test3.2.2_2.sh 

FAIL: 
"net.ipv4.conf.default.send_redirects" is set to "1" in the running configuration

"net.ipv4.conf.default.send_redirects = 0" is not set in a kernel parameter configuration file

Findings: 🔴

- 'c:grep -Rh net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:^\s*net.ipv4.conf.default.send_redirects\s*=\s*0'

The audit rules do not search all the files and directories included in the CIS audit: /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf

Expected: FAIL

3.3 Network Parameters (Host and Router)

3.3.1 Ensure source routed packets are not accepted (Automated)

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

CIS audit scripts and outputs:

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.all.accept_source_route"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.3.1_1.sh 

FAIL: 

"net.ipv4.conf.all.accept_source_route = 0" is not set in a kernel parameter configuration file

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.default.accept_source_route"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.3.1_2.sh 

PASS:
"net.ipv4.conf.default.accept_source_route" is set to "0" in the running configuration and in "/usr/lib/sysctl.d/50-default.conf
/lib/sysctl.d/50-default.conf"

Expected: FAIL

Findings: 🔴

The rule 'c:grep -Rh net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:^\s*net.ipv4.conf.default.accept_source_route\s*=\s*0' only searches /etc/sysctl.conf and /etc/sysctl.d/ while the CIS audit searches in: /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf

3.2.2 Ensure packet redirect sending is disabled (Automated)

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

CIS audit scripts and outputs:

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.all.send_redirects"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.2.2_1.sh 

FAIL: 
"net.ipv4.conf.all.send_redirects" is set to "1" in the running configuration

"net.ipv4.conf.all.send_redirects = 0" is not set in a kernel parameter configuration file

#!/usr/bin/env bash
{
  krp="" pafile="" fafile=""
  kpname="net.ipv4.conf.default.send_redirects"
  kpvalue="0"
  searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"
  krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)"
  pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)"
  fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')"
  if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then
    echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\""
  else
    echo -e "\nFAIL: "
    [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n"
    [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\""
    [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n"
  fi
}

[root@Wazuh vagrant]# bash test_3.2.2_2.sh

FAIL: 
"net.ipv4.conf.default.send_redirects" is set to "1" in the running configuration

"net.ipv4.conf.default.send_redirects = 0" is not set in a kernel parameter configuration file

Expected: FAIL

3.3 Network Parameters (Host and Router)

3.3.1 - 3.3.9 :red_circle: As in the previous section, not all files and directories included in the CIS audit scripts are scanned in the cis_rhel9_linux.yml rules.

3.4 Firewall Configuration

3.4.1 Configure firewalld

3.4.1.1 Ensure firewalld is installed (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q firewalld iptables
firewalld-1.0.0-4.el9.noarch
package iptables is not installed

Expected: FAIL

3.4.1.2 Ensure iptables-services not installed with firewalld (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q iptables-services
package iptables-services is not installed

Findings: :yellow_circle:

The CIS audit command only verifies that the iptables-services package is not installed. The cis_rhel9_linux.yml rules also check if firewalld is installed. Checking if firewalld is installed is redundant since it is included in 3.4.1.1. Including this extra rule may cause this check to fail and the user to apply remediations unnecessarily.

Expected: PASS

3.4.1.3 Ensure nftables either not installed or masked with firewalld (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q nftables
nftables-0.9.8-12.el9.x86_64
[root@Wazuh vagrant]# systemctl is-active nftables
inactive
[root@Wazuh vagrant]# systemctl is-enabled nftables
disabled

Expected: FAIL

Findings: 🔴

The condition that nftables can be masked is not included in the cis_rhel9_linux.yml rules.
As in the previous check, verifying if firewalld is installed is redundant since it is included in 3.4.1.1.

3.4.1.4 Ensure firewalld service enabled and running (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled firewalld
enabled
[root@Wazuh vagrant]# firewall-cmd --state
running

Expected: PASS

Findings: :yellow_circle:

An additional check that verifies if firewalld is installed is included in the cis_rhel9_linux.yml rules.

3.4.1.5 Ensure firewalld default zone is set (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# firewall-cmd --get-default-zone
public

Expected: PASS

Findings: :yellow_circle:

An additional check that verifies if firewalld is installed is included in the cis_rhel9_linux.yml rules.

3.4.2 Configure nftables

3.4.2.1 Ensure nftables is installed (Automated) 🔴

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q nftables
nftables-0.9.8-12.el9.x86_64

Expected: PASS

Findings: 🔴

    rules:
      - "c:rpm -q firewalld -> r:^package firewalld is not installed"
      - "c:rpm -q iptables -> r:^package iptables is not installed"
      - "c:rpm -q nftables -> r:^nftables-"

The CIS audit command only verifies that nftables is installed. The cis_rhel9_linux.yml rules also require that firewalld and iptables are not installed, this requirement is not correct as firewalld can be installed but masked.

3.4.2.2 Ensure firewalld is either not installed or masked with nftables (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q firewalld
firewalld-1.0.0-4.el9.noarch
[root@Wazuh vagrant]# command -v firewall-cmd >/dev/null && firewall-cmd --state | grep 'running'
running
[root@Wazuh vagrant]# systemctl is-enabled firewalld
enabled

Expected: FAIL

Findings: 🔴

The condition that firewalld can be masked is not included in the cis_rhel9_linux.yml rules.
An additional check that verifies if nftables is installed is included in the cis_rhel9_linux.yml rules.

3.4.2.3 Ensure iptables-services not installed with nftables (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q iptables-services
package iptables-services is not installed

Expected: PASS

Findings: :yellow_circle:

An additional check that verifies if nftables is installed is included in the cis_rhel9_linux.yml rules.

3.4.2.4 Ensure iptables are flushed with nftables (Manual) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@Wazuh vagrant]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expected: PASS

Findings: :yellow_circle:

An additional check that verifies if nftables is installed is included in the cis_rhel9_linux.yml rules.

3.4.2.5 Ensure an nftables table exists (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# nft list tables
table inet firewalld

Expected: PASS

Findings: :yellow_circle:

An additional check that verifies if nftables is installed is included in the cis_rhel9_linux.yml rules.

3.4.2.6 Ensure nftables base chains exist (Automated)

3.4.2.9 Ensure nftables default deny firewall policy (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🔴

[root@Wazuh vagrant]# nft list ruleset | grep 'hook input'
        type filter hook input priority filter + 10; policy accept;
[root@Wazuh vagrant]# nft list ruleset | grep 'hook forward'
        type filter hook forward priority filter + 10; policy accept;
[root@Wazuh vagrant]# nft list ruleset | grep 'hook output'
        type filter hook output priority filter + 10; policy accept;

Expected: PASS

Findings: 🔴

    rules:
      - "c:nft list ruleset -> r:input"
      - "c:nft list ruleset -> r:forward"
      - "c:nft list ruleset -> r:output"
      - "c:rpm -q nftables -> r:nftables-"

The 3.4.2.9 policy is not covered in the cis_rhel9_linux.yml rules. The 3.4.2.9 check verifies that base chains contain a policy of DROP.
An additional check that verifies if nftables is installed is included in the cis_rhel9_linux.yml rules.

3.4.2.10 Ensure nftables service is enabled (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled nftables
disabled

Expected: FAIL

3.4.3 Configure iptables

3.4.3.1 Configure iptables software.

3.4.3.1.1 Ensure iptables packages are installed (Automated) 3.4.3.1.2 Ensure nftables is not installed with iptables (Automated) 3.4.3.1.3 Ensure firewalld is either not installed or masked with iptables (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q iptables iptables-services
package iptables is not installed
package iptables-services is not installed
[root@Wazuh vagrant]# rpm -q nftables
nftables-0.9.8-12.el9.x86_64
[root@Wazuh vagrant]# rpm -q firewalld
firewalld-1.0.0-4.el9.noarch
[root@Wazuh vagrant]# systemctl status firewalld | grep "Active: " | grep -v "active (running) "
[root@Wazuh vagrant]# systemctl is-enabled firewalld
enabled

Expected: FAIL

Findings: :yellow_circle:

The condition that firewalld can be masked is not taken into consideration in the cis_rhel9_linux.yml rules.

3.4.3.2 Configure IPv4 iptables.

3.4.3.2.4 Ensure iptables default deny firewall policy (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expected: FAIL

3.4.3.2.6 Ensure iptables is enabled and active (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled iptables
Failed to get unit file state for iptables.service: No such file or directory
[root@Wazuh vagrant]# systemctl is-active iptables
inactive

Expected: FAIL

3.4.3.3 Configure IPv6 iptables.

3.4.3.3.1 Ensure ip6tables loopback traffic is configured (Automated) 🔴

title: 🟢 description: 🔴

"Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic tothe loopback network (::1)."

There's a typo "tothe".

rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# ip6tables -L INPUT -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@Wazuh vagrant]# ip6tables -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Expected: FAIL

Findings: 🔴

The condition that IPv6 can be disabled is not taken into consideration.

3.4.3.3.4 Ensure ip6tables default deny firewall policy (Automated) 🔴

title: 🟢 description: 🟢 rationale: 🟢
remediation: 🔴

There's a typo: "-PFORWARD" should be "-P FORWARD"

cis compliance: 🟢

[root@Wazuh vagrant]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expected: FAIL

Findings: 🔴

The condition that IPv6 can be disabled is not taken into consideration.

3.4.3.3.6 Ensure ip6tables is enabled and active (Automated)

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🔴

# systemctl --now enable ip6tables should be # systemctl --now start ip6tables.

cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled ip6tables
Failed to get unit file state for ip6tables.service: No such file or directory
[root@Wazuh vagrant]# systemctl status ip6tables
Unit ip6tables.service could not be found.

Expected: PASS

Findings: 🔴

The condition that IPv6 can be disabled is not taken into consideration.

4 Logging and Auditing

4.1 Configure System Accounting (auditd)

4.1.1 Ensure auditing is enabled

4.1.1.1 Ensure auditd is installed (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q audit
audit-3.0.7-101.el9_0.2.x86_64

Expected: PASS

4.1.1.2 Ensure auditd service is enabled (Automated) 🔴

title: 🔴 "Ensure auditd service is enabled ~~and running~~."

description: 🟢 rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled auditd
enabled

Expected: PASS

Findings: 🔴

The second rule "c:systemctl status auditd -> r:active && r:running" is not included in the CIS audit commands.

4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated)

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# find /boot -type f -name 'grubenv' -exec grep -P 'kernelopts=([^#\n\r]+\h+)?(audit=1)' {} \;
[root@Wazuh vagrant]#

Expected: FAIL

4.1.2 Configure Data Retention

4.1.2.1 Ensure audit log storage size is configured (Automated) 🟢

title: 🟢 description: 🟢
rationale: 🟢 remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep -w "^\s*max_log_file\s*=" /etc/audit/auditd.conf
max_log_file = 8

Expected: PASS

4.1.2.2 Ensure audit logs are not automatically deleted (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action = ROTATE

Expected: FAIL

4.1.2.3 Ensure system is disabled when audit logs are full (Automated) :yellow_circle:

title: 🟢 description: 🟢
rationale: 🟢
remediation: :yellow_circle: Extra spaces are present in the remediation. cis compliance: 🟢

[root@Wazuh vagrant]# grep space_left_action /etc/audit/auditd.conf
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
[root@Wazuh vagrant]# grep action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root
[root@Wazuh vagrant]# grep -E 'admin_space_left_action\s*=\s*(halt|single)' /etc/audit/auditd.conf 
[root@Wazuh vagrant]#

Expected: FAIL

4.1.3 Configure auditd rules

4.1.3.1 Ensure changes to system administration scope (sudoers) is collected (Automated)

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-w/ \
&&/\/etc\/sudoers/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]# auditctl -l | awk '/^ *-w/ \
&&/\/etc\/sudoers/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'
[root@Wazuh vagrant]#

Expected: FAIL

4.1.3.4 Ensure events that modify date and time information are collected (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-a *always,exit/ \
&&/ -F *arch=b[2346]{2}/ \
&&/ -S/ \
&&(/adjtimex/ \
||/settimeofday/ \
||/clock_settime/ ) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]# awk '/^ *-w/ \
&&/\/etc\/localtime/ \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

rules:
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'

One rule should include arch=b64.

4.1.3.5 Ensure events that modify the system's network environment are collected (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-a *always,exit/ \
&&/ -F *arch=b[2346]{2}/ \
&&/ -S/ \
&&(/sethostname/ \
||/setdomainname/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]# awk '/^ *-w/ \
&&(/\/etc\/issue/ \
||/\/etc\/issue.net/ \
||/\/etc\/hosts/ \
||/\/etc\/sysconfig\/network/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale

A rule for arch=b64 is missing.
Review r:-S sethostname && r:-S setdomainname as the expected output is -S sethostname,setdomainname

    rules:
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue && r:-p wa && r:-k system-locale'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/issue.net && r:-p wa && r:-k system-locale'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/hosts && r:-p wa && r:-k system-locale'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network && r:-p wa && r:-k system-locale'
      - 'd:/etc/audit/rules.d/ -> r:\.*.rules -> r:-w /etc/sysconfig/network-scripts/ && r:-p wa && r:-k system-locale'

4.1.3.8 Ensure events that modify user/group information are collected(Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-w/ \
&&(/\/etc\/group/ \
||/\/etc\/passwd/ \
||/\/etc\/gshadow/ \
||/\/etc\/shadow/ \
||/\/etc\/security\/opasswd/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

4.1.3.9 Ensure discretionary access control permission modification events are collected (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

Expected: FAIL

Findings: 🔴

Rules do not correspond to the expected output. Rules for 64 bits are missing.
r:-S chmod && r:-S fchmod && r:-S fchmodat vs -S chmod,fchmod,fchmodat
-F auid!=4294967295 vs -F auid!=-1

Expected outputs:

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1
-F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F
auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1
-F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F
auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F
auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F
auid>=1000 -F auid!=-1 -F key=perm_mod

Rules:

    rules:
      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"
      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod"

4.1.3.10 Ensure successful file system mounts are collected (Automated) 🔴

title: 🟢
description: 🔴 (and umount ) rationale: 🔴 "non-privileged"
remediation: 🔴 "Remediation:" cis compliance: 🟢

Expected: FAIL

Findings: 🔴

Rules do not correspond to the expected output. Rules for 64 bits are missing.

Expected outputs:

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts

rules:
      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts"

4.1.3.11 Ensure session initiation information is collected (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-w/ \
&&(/\/var\/run\/utmp/ \
||/\/var\/log\/wtmp/ \
||/\/var\/log\/btmp/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

Rules do not correspond to the expected output.

Expected output:

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

    rules:
      - "f:/etc/audit/audit.rules -> r:-w /var/run/utmp && r:-p wa && r:-k session"
      - "f:/etc/audit/audit.rules -> r:-w /var/log/wtmp && r:-p wa && r:-k logins"
      - "f:/etc/audit/audit.rules -> r:-w /var/log/btmp && r:-p wa && r:-k logins"

4.1.3.12 Ensure login and logout events are collected (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-w/ \
&&(/\/var\/log\/lastlog/ \
||/\/var\/run\/faillock/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

4.1.3.13 Ensure file deletion events by users are collected (Automated) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
[ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ \
&&/ -F *arch=b[2346]{2}/ \
&&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) \
&&/ -F *auid>=${UID_MIN}/ \
&&/ -S/ \
&&(/unlink/||/rename/||/unlinkat/||/renameat/) \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules \
|| printf "ERROR: Variable 'UID_MIN' is unset.\n"
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

Rules do not correspond to the expected output. Rules for 64 bits are missing.
r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat vs -S rename,unlink,unlinkat,renamea.
r:-F auid!=429496729 vs F auid!=-1.

Expected output:

-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -
F auid!=-1 -F key=delete
-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -
F auid!=-1 -F key=delete

rules:
      - "f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete"

4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# awk '/^ *-w/ \
&&(/\/etc\/selinux/ \
||/\/usr\/share\/selinux/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules
[root@Wazuh vagrant]#

Expected: FAIL

4.1.3.20 Ensure the audit configuration is immutable (Automated) :yellow_circle:

title: 🟢
description: :yellow_circle: "`. Setting the flag " `-e 2"
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -1
-f 1

Expected: FAIL

4.2 Configure Logging

4.2.1 Configure rsyslog

4.2.1.1 Ensure rsyslog is installed (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q rsyslog
rsyslog-8.2102.0-101.el9.x86_64

Expected: PASS

4.2.1.2 Ensure rsyslog service is enabled (Automated) :yellow_circle:

title: :yellow_circle: "Ensure rsyslog Sservice is enabled" description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled rsyslog
enabled

Expected: PASS

4.2.1.3 Ensure journald is configured to send logs to rsyslog (Manual) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep ^\s*ForwardToSyslog /etc/systemd/journald.conf
[root@Wazuh vagrant]#

Expected: FAIL

4.2.1.4 Ensure rsyslog default file permissions are configured (Automated) 🔴

title: 🔴 "Ensure rsyslog default file permissions are configured." description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf
grep: /etc/rsyslog.d/*.conf: No such file or directory
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴

The rules do not meet the condition that permissions must be 640 or more restrictive. Values such as 670 are allowed by the expression ^\$FileCreateMode 06\d0. Condition should be all.

rules:
  - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 06\d0|^\$FileCreateMode 04\d0|^\$FileCreateMode 02\d0|^\$FileCreateMode 00\d0'
  - 'f:/etc/rsyslog.conf -> r:^\$FileCreateMode 0\d40|^\$FileCreateMode 0\d20|^\$FileCreateMode 0\d00'

4.2.1.6 Ensure rsyslog is configured to send logs to a remote log host (Manual) 🔴

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🔴 cis_csc is wrong.

[root@Wazuh vagrant]# grep *.*[^I][^I]*@ /etc/rsyslog.conf
[root@Wazuh vagrant]#

Expected: FAIL

Findings: 🔴
The new format is not taken into consideration. Note that the remediation suggests the new format.

# grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b'
/etc/rsyslog.conf /etc/rsyslog.d/*.conf

Output should include target= , for example:

*.* action(type="omfwd" target="loghost.example.com" port="514"
protocol="tcp"

4.2.1.7 Ensure rsyslog is not configured to recieve logs from a remote client (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
grep: /etc/rsyslog.d/*.conf: No such file or directory
[root@Wazuh vagrant]# grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
grep: /etc/rsyslog.d/*.conf: No such file or directory

Expected: FAIL

4.2.2 Configure journald

4.2.2.1 Ensure journald is configured to send logs to a remote log host

4.2.2.1.1 Ensure systemd-journal-remote is installed (Manual) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# rpm -q systemd-journal-remote
package systemd-journal-remote is not installed

Expected: FAIL

4.2.2.1.2 Ensure systemd-journal-remote is configured (Manual) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep -P "^ *URL=|^ *ServerKeyFile=|^ *ServerCertificateFile=|^ *TrustedCertificateFile=" /etc/systemd/journal-upload.conf
grep: /etc/systemd/journal-upload.conf: No such file or directory

Expected: FAIL

4.2.2.1.3 Ensure systemd-journal-remote is enabled (Manual) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled systemd-journal-upload.service
Failed to get unit file state for systemd-journal-upload.service: No such file or directory

Expected: FAIL

4.2.2.1.4 Ensure journald is not configured to recieve logs from a remote client (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled systemd-journal-remote.socket
Failed to get unit file state for systemd-journal-remote.socket: No such file or directory

Expected: FAIL

4.2.2.2 Ensure journald service is enabled (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled systemd-journald.service
static

Expected: PASS

4.2.2.3 Ensure journald is configured to compress large log files (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep ^\s*Compress /etc/systemd/journald.conf
[root@Wazuh vagrant]#

Expected: FAIL

4.2.2.4 Ensure journald is configured to write logfiles to persistent disk (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep ^\s*Storage /etc/systemd/journald.conf
[root@Wazuh vagrant]#

Expected: FAIL

4.2.2.5 Ensure journald is not configured to send logs to rsyslog (Manual) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# grep ^\s*ForwardToSyslog /etc/systemd/journald.conf
[root@Wazuh vagrant]#

Expected: PASS

4.2.3 Ensure permissions on all logfiles are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢 cis compliance: 🟢

[root@Wazuh vagrant]# find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" +
-rw-rw----. 1 root utmp      0 Aug  1 11:26 /var/log/btmp
-rw-rw----. 1 root utmp      0 May 27 05:13 /var/log/btmp-20220801
-rw-r--r--. 1 root root  74951 Aug  4 14:12 /var/log/dnf.librepo.log
-rw-r--r--. 1 root root 205380 Aug  4 14:12 /var/log/dnf.log
-rw-r--r--. 1 root root   8799 Aug  4 14:12 /var/log/dnf.rpm.log
-rw-r--r--. 1 root root    840 Aug  4 14:12 /var/log/hawkey.log
...

Expected: FAIL

5 Access, Authentication and Authorization

5.1 Configure time-based job schedulers

5.1.1 Ensure cron daemon is enabled (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# systemctl is-enabled crond
enabled

Expected: PASS

5.1.2 Ensure permissions on /etc/crontab are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/crontab
  File: /etc/crontab
  Size: 451         Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134724320   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:system_cron_spool_t:s0
Access: 2022-08-03 07:47:42.917405256 +0000
Modify: 2022-03-23 10:19:13.000000000 +0000
Change: 2022-05-27 04:56:45.019436082 +0000
 Birth: 2022-05-27 04:56:45.019436082 +0000

Expected: FAIL

5.1.3 Ensure permissions on /etc/cron.hourly are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/cron.hourly
  File: /etc/cron.hourly
  Size: 22          Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 227025      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:bin_t:s0
Access: 2022-08-04 12:01:01.571430166 +0000
Modify: 2022-03-23 10:19:13.000000000 +0000
Change: 2022-05-27 04:56:45.019436082 +0000
 Birth: 2022-05-27 04:56:44.656437215 +0000

Expected: FAIL

5.1.4 Ensure permissions on /etc/cron.daily are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/cron.daily
  File: /etc/cron.daily
  Size: 6           Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 134724319   Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:bin_t:s0
Access: 2022-08-03 07:47:47.925454637 +0000
Modify: 2022-03-23 10:19:13.000000000 +0000
Change: 2022-05-27 04:56:45.019436082 +0000
 Birth: 2022-05-27 04:56:45.019436082 +0000

Expected: FAIL

5.1.5 Ensure permissions on /etc/cron.weekly are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/cron.weekly
  File: /etc/cron.weekly
  Size: 6           Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 227034      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:bin_t:s0
Access: 2022-08-03 07:47:47.925454637 +0000
Modify: 2022-03-23 10:19:13.000000000 +0000
Change: 2022-05-27 04:56:45.019436082 +0000
 Birth: 2022-05-27 04:56:45.019436082 +0000

Expected: FAIL

5.1.6 Ensure permissions on /etc/cron.monthly are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/cron.monthly
  File: /etc/cron.monthly
  Size: 6           Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 201588083   Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:bin_t:s0
Access: 2022-08-03 07:47:47.925454637 +0000
Modify: 2022-03-23 10:19:13.000000000 +0000
Change: 2022-05-27 04:56:45.019436082 +0000
 Birth: 2022-05-27 04:56:45.019436082 +0000

Expected: FAIL

5.1.7 Ensure permissions on /etc/cron.d are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/cron.d
  File: /etc/cron.d
  Size: 21          Blocks: 0          IO Block: 4096   directory
Device: fd00h/64768d    Inode: 134724313   Links: 2
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:system_cron_spool_t:s0
Access: 2022-08-03 07:47:42.901405098 +0000
Modify: 2022-07-07 08:22:09.873784112 +0000
Change: 2022-08-04 15:16:41.961848287 +0000
 Birth: 2022-05-27 04:56:44.874436534 +0000

Expected: PASS

5.2 Configure SSH Server

5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# stat /etc/ssh/sshd_config
  File: /etc/ssh/sshd_config
  Size: 3539        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134693240   Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-05-27 05:13:32.084831622 +0000
Change: 2022-05-27 05:13:32.084831622 +0000
 Birth: 2022-05-27 05:13:32.083831625 +0000

Expected: PASS

5.2.2 Ensure permissions on SSH private host key files are configured (Automated) :red_circle:

title: 🟢
description: :yellow_circle: "In this authentication method, Tthe possession" rationale: 🟢
remediation: :red_circle: There's an extra space: o- rwx.
cis compliance: 🟢

  File: /etc/ssh/ssh_host_ecdsa_key
  Size: 480         Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134826330   Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  996/ssh_keys)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:08.633787035 +0000
Change: 2022-07-07 08:22:08.633787035 +0000
 Birth: 2022-07-07 08:22:08.633787035 +0000
  File: /etc/ssh/ssh_host_ed25519_key
  Size: 387         Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134857680   Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  996/ssh_keys)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:08.652786989 +0000
Change: 2022-07-07 08:22:08.671786945 +0000
 Birth: 2022-07-07 08:22:08.652786989 +0000
  File: /etc/ssh/ssh_host_rsa_key
  Size: 2578        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134857664   Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  996/ssh_keys)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:09.390785251 +0000
Change: 2022-07-07 08:22:09.408785207 +0000
 Birth: 2022-07-07 08:22:09.390785251 +0000

Expected: PASS

Findings: :red_circle:

The rules allow permissions less restrictive than 600, e.g. 700. r:^Access: $0\d00/\w\w\w\w------$
The following configuration, that is also valid according to the CIS, is not taken into account: Uid is 0/root and Gid is /ssh_keys and permissions 0640 or more restrictive

5.2.3 Ensure permissions on SSH public host key files are configured (Automated) :red_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: :yellow_circle: Default value is missing.
cis compliance: 🟢

[root@Wazuh vagrant]# find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat {} \;
  File: /etc/ssh/ssh_host_ecdsa_key.pub
  Size: 162         Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 134857675   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:08.633787035 +0000
Change: 2022-08-04 16:44:21.245796632 +0000
 Birth: 2022-07-07 08:22:08.633787035 +0000
  File: /etc/ssh/ssh_host_ed25519_key.pub
  Size: 82          Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 135011012   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:08.652786989 +0000
Change: 2022-08-04 16:44:21.250796676 +0000
 Birth: 2022-07-07 08:22:08.652786989 +0000
  File: /etc/ssh/ssh_host_rsa_key.pub
  Size: 554         Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 135098301   Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:sshd_key_t:s0
Access: 2022-08-04 16:00:41.542986958 +0000
Modify: 2022-07-07 08:22:09.390785251 +0000
Change: 2022-08-04 16:44:21.255796721 +0000
 Birth: 2022-07-07 08:22:09.390785251 +0000

Expected: PASS

Findings :red_circle:

File /etc/ssh/ssh_host_ed228519_key.pub is not on my system.

[root@Wazuh vagrant]# stat -L /etc/ssh/ssh_host_ed228519_key.pub 
stat: cannot statx '/etc/ssh/ssh_host_ed228519_key.pub': No such file or directory

We should verify that "Access does not grant write or execute permissions to group or other". The rules only check for 644 and do not allow more restrictive values that should also be valid.

5.2.4 Ensure SSH access is limited (Automated)

title: 🟢
description: 🟢
rationale: 🟢
remediation: :yellow_circle: an AND should be OR. cis compliance: 🟢

[root@Wazuh vagrant]# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$'
[root@Wazuh vagrant]# grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config
[root@Wazuh vagrant]#

Expected: FAIL

5.2.5 Ensure SSH LogLevel is appropriate (Automated) :yellow_circle:

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel
loglevel INFO

Expected: PASS

Findings: :yellow_circle: :

loglevel is sometimes capitalized and sometimes not.

rules:
      - 'c:sshd -T -C user=root -> r:^\s*LogLevel\s+VERBOSE|^\s*loglevel\s+INFO'```

5.2.6 Ensure SSH PAM is enabled (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i usepam
usepam yes
[root@Wazuh vagrant]# grep -Ei '^\s*UsePAM\s+no' /etc/ssh/sshd_config
[root@Wazuh vagrant]#

Expected: PASS

5.2.7 Ensure SSH root login is disabled (Automated) 🟢

title: 🟢
description: 🟢
rationale: 🟢
remediation: 🟢
cis compliance: 🟢

[root@Wazuh vagrant]# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin
permitrootlogin yes
[root@Wazuh vagrant]# grep -Ei '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config
PermitRootLogin yes

Expected: FAIL

wazuh / wazuh

Wazuh 4.3 - SCA policies manual tests - RHEL 9 #14141

Description

Tests

Test report procedure

SCA checks

Conclusions

Environment, RHEL9 system

Requirements for RHEL9 SCA checks

SCA checks

1 Initial Setup

1.1 Filesystem Configuration

1.1.1 Disable unused filesystems

1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) 🔴

1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) 🔴

1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated) 🔴

1.1.2 Configure /tmp

1.1.2.1 Ensure /tmp is a separate partition (Automated)

1.1.2.2 Ensure nodev option set on /tmp partition (Automated) 🔴

1.1.2.3 Ensure noexec option set on /tmp partition (Automated) 🟢

1.1.2.4 Ensure nosuid option set on /tmp partition (Automated) 🔴

1.1.3 Configure /var

1.1.3.1 Ensure separate partition exists for /var (Automated) 🔴

1.1.3.2 Ensure nodev option set on /var partition (Automated) 🔴

1.1.3.3 Ensure noexec option set on /var partition (Automated) 🟢

1.1.3.4 Ensure nosuid option set on /var partition (Automated) 🔴

1.1.4 Configure /var/tmp

1.1.4.1 Ensure separate partition exists for /var/tmp (Automated) 🔴

1.1.4.2 Ensure noexec option set on /var/tmp partition (Automated) 🔴

1.1.4.3 Ensure nosuid option set on /var/tmp partition (Automated) 🟢

1.1.4.4 Ensure nodev option set on /var/tmp partition (Automated) 🔴

1.1.5 Configure /var/log

1.1.5.1 Ensure separate partition exists for /var/log (Automated) 🔴

1.1.5.2 Ensure nodev option set on /var/log partition (Automated) 🟢

1.1.5.3 Ensure noexec option set on /var/log partition (Automated) 🟢

1.1.5.4 Ensure nosuid option set on /var/log partition (Automated) 🟢

1.1.6 Configure /var/log/audit

1.1.6.1 Ensure separate partition exists for /var/log/audit (Automated) :yellow_circle:

1.1.6.2 Ensure noexec option set on /var/log/audit partition (Automated) 🟢

1.1.6.3 Ensure nodev option set on /var/log/audit partition (Automated) 🟢

1.1.6.4 Ensure nosuid option set on /var/log/audit partition (Automated) 🟢

1.1.7 Configure /home

1.1.7.1 Ensure separate partition exists for /home (Automated) 🔴

1.1.7.2 Ensure nodev option set on /home partition (Automated) :yellow_circle:

1.1.7.3 Ensure nosuid option set on /home partition (Automated) 🟢

1.1.7.4 Ensure usrquota option set on /home partition (Automated) 🔴

1.1.7.5 Ensure grpquota option set on /home partition (Automated) 🔴

1.1.8 Configure /dev/shm

1.1.8.1 Ensure nodev option set on /dev/shm partition (Automated) 🟢

1.1.8.2 Ensure noexec option set on /dev/shm partition (Automated) 🟢

1.1.8.3 Ensure nosuid option set on /dev/shm partition (Automated) 🟢

1.1.9 Disable Automounting (Automated) 🟢

1.1.10 Disable USB Storage (Automated) 🔴

1.2 Configure Software Updates

1.2.3 Ensure gpgcheck is globally activated (Automated) 🔴

1.3 Filesystem Integrity Checking

1.3.1 Ensure AIDE is installed (Automated) 🟢

1.3.2 Ensure filesystem integrity is regularly checked (Automated) 🔴

1.4 Secure Boot Settings

1.4.3 Ensure authentication is required when booting into rescue mode :yellow_circle:

1.5 Additional Process Hardening

1.5.1 Ensure core dump storage is disabled (Automated)

1.5.2 Ensure core dump backtraces are disabled (Automated) 🟢

1.5.3 Ensure address space layout randomization (ASLR) is enabled (Automated) 🔴

1.6 Mandatory Access Control

1.6.1 Configure SELinux

1.6.1.1 Ensure SELinux is installed (Automated) 🟢

1.6.1.2 Ensure SELinux is not disabled in bootloader configuration (Automated) :yellow_circle:

1.6.1.3 Ensure SELinux policy is configured (Automated) 🟢

1.6.1.4 Ensure the SELinux mode is not disabled (Automated) :yellow_circle:

1.6.1.5 Ensure the SELinux mode is enforcing (Automated) 🔴

1.6.1.6 Ensure no unconfined services exist (Automated)

1.6.1.7 Ensure SETroubleshoot is not installed (Automated)

1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed

1.7 Command Line Warning Banners

1.7.1 Ensure message of the day is configured properly (Automated) 🔴

1.7.2 Ensure local login warning banner is configured properly (Automated) 🔴

1.7.3 Ensure remote login warning banner is configured properly (Automated)

1.7.4 Ensure permissions on /etc/motd are configured (Automated) 🟢

1.7.5 Ensure permissions on /etc/issue are configured (Automated) 🟢