Closed jk-olaoluwa closed 1 month ago
Fix for Issue https://github.com/wazuh/wazuh/issues/21298
```yaml
id: 15521
title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'."
description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations."
rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts."
impact: "None - this is the default behavior."
remediation: 'To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age.'
references:
```
[Screenshot: WRONG RULE]
[Screenshot: CORRECT RULE (the `condition: all` / `rules:` block is shown in the image)]
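To make the benchmark condition concrete, here is an added Python example (not code from the Wazuh PR or its SCA policy) that contrasts a bare `<= 30` comparison with the benchmark's "30 or fewer days, but not 0" requirement, the case where a value of 0 silently disables expiry. The registry location of the setting is an assumption of this example, and the host values are constructed.

```python
"""Evaluate 'Maximum machine account password age' (CIS: 30 or fewer days, but not 0).
Added example, not code from the Wazuh PR or its SCA policy. Assumption: the setting is
the REG_DWORD value MaximumPasswordAge (days) under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters; host values are constructed.
"""
from typing import Dict, List, Optional

MAX_AGE_DAYS = 30
DEFAULT_AGE_DAYS = 30  # Windows default used when the value is absent (assumed here)


def read_max_password_age() -> Optional[int]:
    """Read the live value on a Windows host; None if absent or not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "MaximumPasswordAge")
            return int(value)
    except OSError:
        return None


def evaluate_naive(age: Optional[int]) -> bool:
    """Wrong rule: a bare '<= 30' test accepts 0, which disables expiry entirely."""
    return age is not None and age <= MAX_AGE_DAYS


def evaluate_benchmark(age: Optional[int]) -> bool:
    """Correct rule: 30 or fewer days, but not 0; an absent value means the default."""
    if age is None:
        age = DEFAULT_AGE_DAYS
    return 0 < age <= MAX_AGE_DAYS


# Constructed sample: hostname -> MaximumPasswordAge (None = value not present)
SAMPLE_HOSTS: Dict[str, Optional[int]] = {
    "dc-lab-01": 30,
    "vdi-pool-07": 0,  # expiry disabled, as with a non-persistent VDI exemption
    "file-srv-02": 90,
    "web-lab-03": None,
}


def hosts_passed_only_by_naive(hosts: Dict[str, Optional[int]]) -> List[str]:
    """Hosts the naive rule marks compliant that the benchmark rule rejects."""
    return sorted(h for h, v in hosts.items()
                  if evaluate_naive(v) and not evaluate_benchmark(v))
```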
Section 1.1.1 - 2.3.1.3
Section 1.1.1 - 2.3.1.3 fix confirmed
Justification for 2.3.5.5
Section 2.3.7.2 - 2.3.11.2
Section 2.3.11.2 - 9.1.1
Section 18.3.4 - 18.10.43.5.2
Section 18.10.57.3.9.5 - 18.10.87.2
18/03/2024
03/04/2024
04/04/2024
05/04/2024
Currently working on other issues.
This is still on hold because of higher-priority issues.
This is still on hold because of higher-priority issues.
Condition: The new SCA was benchmarked against Windows server 2012 R2 SCA.
| Metric | Benchmark (Win server 2012 R2 SCA) | New SCA (Win server 2012 nonR2) | Difference |
|---|---|---|---|
| CPU | | | |
| wazuh-agent.exe average CPU percent | 2.3 | 0.75 | -1.55 |
| Overall average CPU percent | 11.6 | 4.4 | -7.2 |
| Overall peak CPU percent | 18.1 | 8.3 | -9.8 |
| Memory | | | |
| wazuh-agent.exe average memory (MB) | 0.02 | 0.02 | 0 |
| Overall average memory used (MB) | 1299.9 | 1227.41 | -72.49 |
| Overall peak memory used (MB) | 1301.05 | 1227.52 | -73.53 |
| Disk | | | |
| Overall average disk used (MB) | 22069.54 | 23578.23 | 1508.69 |
| Overall peak disk used (MB) | 22069.54 | 23578.23 | 1508.69 |
| Overall average disk read bytes | N/A | N/A | N/A |
| Overall peak disk read bytes | N/A | N/A | N/A |
| Overall average disk write bytes | N/A | N/A | N/A |
| Overall peak disk write bytes | N/A | N/A | N/A |
Disk read and disk write bytes were excluded because the get_metrics.py script returned an AttributeError.
The disk read and write bytes were excluded by commenting out the parts of the script that fetch the disk read and write bytes data.
Windows Server 2012 non-R2 SCA Re-Test Report
To capture the disk write and disk read values, it is required to enable disk metrics by running the command below:

```
diskperf -y
```
Condition: The new SCA was benchmarked against old Windows server 2012 R2 SCA.
| Metric | Benchmark (Win server 2012 R2 SCA) | New SCA (Win server 2012 nonR2) | Difference |
|---|---|---|---|
| CPU | | | |
| wazuh-agent.exe average CPU percent | 1.2 | 0.9 | -0.3 |
| Overall average CPU percent | 0.4 | 4.6 | 4.2 |
| Overall peak CPU percent | 0.8 | 7.8 | 7 |
| Memory | | | |
| wazuh-agent.exe average memory (MB) | 0.02 | 0.02 | 0 |
| Overall average memory used (MB) | 1162.15 | 841.29 | -320.86 |
| Overall peak memory used (MB) | 1162.23 | 841.86 | -320.37 |
| Disk | | | |
| Overall average disk used (MB) | 19193.59 | 23325.89 | 4132.3 |
| Overall peak disk used (MB) | 19193.59 | 23325.89 | 4132.3 |
| Overall average disk read bytes | 1019.89 | 0 | -1019.89 |
| Overall peak disk read bytes | 1019.89 | 0 | -1019.89 |
| Overall average disk write bytes | 342.36 | 4.11 | -338.25 |
| Overall peak disk write bytes | 342.45 | 4.2 | -338.25 |
LGTM!
Merged to 4.10.0