
Test: SCA scan results #61

Closed
8 of 16 tasks
chemamartinez opened this issue Apr 5, 2019 · 15 comments

Comments

chemamartinez (Contributor) commented Apr 5, 2019

Hi team,

We have to fill in a report including the SCA scan results for every OS in a default installation of the Wazuh agent and in as clean an environment as possible. This report should include the number of pass/fail results, as well as verify that there are no false positives.

Linux

  • RHEL/CentOS 5
  • RHEL/CentOS 6
  • RHEL/CentOS 7
  • Debian 7
  • Debian 8
  • Debian 9
  • Suse 11
  • Suse 12

Windows

  • Windows XP/Server 2003
  • Windows Server 2012 R2
  • Windows 10
  • Windows Server 2016

Solaris

  • Solaris 11

macOS

  • Mac OS X 10.11
  • Mac OS X 10.12
  • Mac OS X 10.13

Apart from checking the default policies included in ossec.conf, for Linux distributions we should also test the Application policies such as cis_apache2224_rcl.yml and the newly developed policies located at wazuh/wazuh-ruleset#321 (Linux passwords, Debian 7/8, Solaris 11 and Windows 10) and wazuh/wazuh-ruleset#331 (macOS policies).

Note: the macOS policies testing is blocked by the inclusion of command rules for SCA (wazuh/wazuh#2696).

juan70 commented Apr 5, 2019

2019-04-05

juan70 commented Apr 5, 2019

Testing on a clean CentOS6 agent

  • cis_rhel6_linux_rcl.yml
    Some rules seem incorrect, and come from the initial cis_rhel6_linux_rcl.txt rootcheck file (5 years ago...). They are causing false positives: the test fails but it should not.

    ID 6016 cis "1.6.1.1"
    - 'f:/etc/grub.conf -> !r:selinux=0;'
    should be
    - 'f:/etc/grub.conf -> r:selinux=0;'
    maybe add
    - 'f:/etc/grub.conf -> r:enforcing=0;'
    
    ID 6017 cis "1.6.1.2"
    - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
    should be
    - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
    
    ID 6018 cis "1.6.1.3"
    - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
    should be
    - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
    

    And maybe this could be added in ID 6047 cis "3.2.4":

    - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 0;'
    
  • Generic system_audit_ssh.yml
    False negative when the SSH port is 22: the service is actually listening on port 22, but the test is reported as passed.
    The rule is

    - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

    meaning: if there is an uncommented line reading Port 22 in /etc/ssh/sshd_config, say the test failed.
    Actually, there is a commented line reading #Port 22 and no other uncommented line reading Port xx.
    So the port used is 22, which is the default. The result of the test should be failed, not passed.

    This rule seems to work:

    condition: any
    rules:
    - 'f:$sshd_file -> !r:^\s*Port;'
    - 'f:$sshd_file -> r:^\s*Port && r:\s+22\s*$;'
    
    • if no uncommented line Port exists -> test failed
      • if only a commented line #Port xx exists where xx is any value -> test failed too
    • if an uncommented line Port 22 exists -> test failed
    • any other case:
      • if an uncommented line Port xx exists where xx is not 22 -> test passed

Leamsy commented Apr 9, 2019

Right now, I am testing on a clean CentOS 7 agent. Will attach the inconsistencies I found as soon as they are ready.

Leamsy commented Apr 10, 2019

I finished testing CentOS 7 and I am finishing SUSE 11 right now. I attach my work so far.
sca testing.pdf

Leamsy commented Apr 11, 2019

I finished testing SUSE 11 and CentOS 5, will continue testing Debian 7.
sca testing.pdf

Leamsy commented Apr 12, 2019

Finished CentOS 6, Debian 9 and only missing L1 policies from Debian 8.
sca testing.pdf

Leamsy commented Apr 15, 2019

CentOS 7

cis_rhel7_linux_rcl

Pass: 95 Fail: 9 Score: 91%

6505:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/var/tmp;'

6506:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/var/log;'

6507:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/var/log/audit;'

They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.

/etc/fstab:

#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:50:01 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f52f361a-da1a-4ea0-8c7f-ca2706e86b46 /                       xfs     defaults        0 0
/swapfile none swap defaults 0 0

6508:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/home;'

It passes even though /home does not exist as a separate partition.

/etc/fstab:

#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:50:01 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f52f361a-da1a-4ea0-8c7f-ca2706e86b46 /                       xfs     defaults        0 0
/swapfile none swap defaults 0 0

6560:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'

It passes the check because it is set to INFO, but it’s commented so it does not take effect.

/etc/ssh/sshd_config:

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

system_audit_ssh

Pass: 3 Fail: 6 Score: 33%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%
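
Added example, not code from Wazuh or from anyone in this thread: a small Python model of the rootcheck-derived file-rule evaluation that both juan70's Port 22 analysis above and the /var/log fstab results in this comment depend on. It assumes per-line segment matching, `!` negating a segment, a fully negated rule matching only when no line satisfies its positive form, and a matching rule meaning the check fails; it translates OSRegex `\.` to `.` for Python's re, and the sshd_config and fstab lines are constructed.

```python
import re

# Assumed semantics (this example's model, not the engine's source):
#  * a rule is split on '&&' into segments, each tested against every line;
#  * a segment starting with '!' is negated for that line;
#  * a rule whose segments are ALL negated ("full negate") matches only if
#    every line satisfies it, i.e. no line matches the positive form;
#  * a matching rule raises the finding, i.e. the check FAILS.


def _segment_matches(line: str, segment: str) -> bool:
    """Evaluate one 'r:' or '!r:' segment against a single line."""
    negate = segment.startswith("!")
    if negate:
        segment = segment[1:]
    if not segment.startswith("r:"):
        raise ValueError(f"unsupported segment: {segment!r}")
    # OSRegex writes "any character" as '\.'; Python re uses '.'
    hit = re.search(segment[2:].replace(r"\.", "."), line) is not None
    return hit != negate


def rule_matches(lines, rule: str) -> bool:
    """True when a 'f:<file> -> ...' rule matches the content (check fails)."""
    pattern = rule.split("->", 1)[1].strip().rstrip(";")
    segments = [s.strip() for s in pattern.split("&&")]
    full_negate = all(s.startswith("!") for s in segments)
    for line in lines:
        line_ok = all(_segment_matches(line, s) for s in segments)
        if line_ok and not full_negate:
            return True    # ordinary rule: the first matching line is the finding
        if not line_ok and full_negate:
            return False   # full negate: one line meeting the positive form clears it
    return full_negate     # full negate and nothing cleared it: finding


def check_fails(lines, rules) -> bool:
    """Combine the rules of a check as 'condition: any' does."""
    return any(rule_matches(lines, r) for r in rules)


# Constructed sshd_config fragments: the stock file only has the port commented.
SSHD_DEFAULT = ["# Logging", "#Port 22", "#AddressFamily any", "SyslogFacility AUTHPRIV"]
SSHD_ON_22 = ["#Port 22", "Port 22", "SyslogFacility AUTHPRIV"]
SSHD_MOVED = ["#Port 22", "Port 2222", "SyslogFacility AUTHPRIV"]

RULE_1500 = [r"f:$sshd_file -> !r:^# && r:Port\.+22;"]  # as shipped
RULE_1500_PROPOSED = [r"f:$sshd_file -> !r:^\s*Port;",  # juan70's replacement
                      r"f:$sshd_file -> r:^\s*Port && r:\s+22\s*$;"]

# Constructed fstab fragments for the /var/log check (6006 / 6506).
FSTAB_ANACONDA = ["#", "# /etc/fstab", "UUID=xxxx / xfs defaults 0 0", "/swapfile none swap defaults 0 0"]
FSTAB_BARE = ["UUID=xxxx / xfs defaults 0 0", "/swapfile none swap defaults 0 0"]
FSTAB_SEPARATE_VARLOG = FSTAB_BARE + ["/dev/sdb1 /var/log xfs defaults 0 0"]
RULE_6006 = [r"f:/etc/fstab -> !r:^# && !r:/var/log;"]


def port_findings() -> dict:
    """Shipped vs proposed rule 1500; True means the check fails."""
    return {
        "shipped/default": check_fails(SSHD_DEFAULT, RULE_1500),  # False: the false negative
        "shipped/on_22": check_fails(SSHD_ON_22, RULE_1500),
        "proposed/default": check_fails(SSHD_DEFAULT, RULE_1500_PROPOSED),
        "proposed/on_22": check_fails(SSHD_ON_22, RULE_1500_PROPOSED),
        "proposed/moved": check_fails(SSHD_MOVED, RULE_1500_PROPOSED),
    }


def varlog_findings() -> dict:
    """Rule 6006 'passes' on an anaconda fstab only because a comment line clears it."""
    return {
        "anaconda": check_fails(FSTAB_ANACONDA, RULE_6006),  # False: spurious pass
        "bare": check_fails(FSTAB_BARE, RULE_6006),          # True: correct finding
        "separate_varlog": check_fails(FSTAB_SEPARATE_VARLOG, RULE_6006),
    }
```

With the comment lines removed from the same fstab the /var/log rule raises the finding, which is why the anaconda-generated files in this thread look like they have separate partitions.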

Leamsy commented Apr 15, 2019

SUSE 11

cis_sles11_linux

Pass: 82 Fail: 9 Score: 90%

First of all, there were a couple of issues in the requirements and variables sections of the policy file:

requirements:
  title: "Check Suse 11 version"
  description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 11"
  condition: "any required"
  rules:
    - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11";'
    - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1";'
    - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2";'
    - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3";'
    - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4";'

variables:
  $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d;

  • The requirements are extracted from the /etc/os-release file, but that file does not exist. They should be extracted from /etc/issue.

  • The variable “$sshd_file: /etc/ssh/sshd_config;” is missing, hindering the rules that depend on it.

7005:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log;'

7006:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log/audit;'

They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.

/etc/fstab:

devpts  /dev/pts          devpts  mode=0620,gid=5 0 0
proc    /proc             proc    defaults        0 0
sysfs   /sys              sysfs   noauto          0 0
debugfs /sys/kernel/debug debugfs noauto          0 0
tmpfs   /run              tmpfs   noauto          0 0
/dev/sda1 / ext3 defaults 1 1

7007:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/home;'

It passes even though /home does not exist as a separate partition.

/etc/fstab:

devpts  /dev/pts          devpts  mode=0620,gid=5 0 0
proc    /proc             proc    defaults        0 0
sysfs   /sys              sysfs   noauto          0 0
debugfs /sys/kernel/debug debugfs noauto          0 0
tmpfs   /run              tmpfs   noauto          0 0
/dev/sda1 / ext3 defaults 1 1

7043:

condition: any
rules:
  - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
  - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'

Since we want it to be disabled, the rules should check if it has a value of 1, not 0.

7053:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'

It passes the check because it is set to INFO, but it’s commented so it does not take effect.

/etc/ssh/sshd_config:

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

system_audit_ssh

Pass: 3 Fail: 6 Score: 33%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 0 Fail: 4 Score: 0%

Leamsy commented Apr 15, 2019

CentOS 5

cis_rhel5_linux_rcl

Pass: 97 Fail: 14 Score: 87%

5505:

condition: any
rules:
  - 'f:/etc/fstab -> r:^# && !r:/var/tmp && !r:bind;'

It passes the check even though the /var/tmp directory is not bound to /tmp.

/etc/fstab:

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

5506:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log;'

5507:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log/audit;'

They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.

/etc/fstab:

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

5508:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/home;'

It passes even though /home does not exist as a separate partition.

/etc/fstab:

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

5516:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && r:/dev/shm && !r:noexec;'
  - 'p:yum-updatesd;'

This rule fails, but looking at the corresponding rules section, I think this has a copy-pasting issue. This doesn’t have anything to do with fstab.

5518:

condition: any
rules:
  - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'

This rule passes but it should not. If we want to have selinux=enforcing, we should make the rule trigger when it is NOT set to enforcing.

/etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

5519:

condition: any
rules:
  - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'

Same reasoning as above, this fails when it IS set to targeted.

/etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

5536:

condition: all
rules:
  - 'f:/etc/init.d/functions -> !r:^# && r:^umask && <:umask 027;'

It passes the check when umask is not set to 027.

/etc/init.d/functions:

# Make sure umask is sane
umask 022

5547:

condition: any
rules:
  - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
  - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'

Since we want it to be disabled, the rules should check if it has a value of 1, not 0.

system_audit_ssh

Pass: 2 Fail: 7 Score: 22%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 0 Fail: 4 Score: 0%

Leamsy commented Apr 15, 2019

CentOS 6

cis_rhel6_linux_rcl

Pass: 95 Fail: 12 Score: 88%

6006:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/var/log;'

6007:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/var/log/audit;'

They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.

/etc/fstab:

#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:35:43 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=c184952e-1de5-46f3-a789-d2f1476564bc /                       ext4    defaults        1 1
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/swapfile none swap defaults 0 0

6508:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/home;'

It passes even though /home does not exist as a separate partition.

/etc/fstab:

#
# /etc/fstab
# Created by anaconda on Thu Feb 28 20:35:43 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=c184952e-1de5-46f3-a789-d2f1476564bc /                       ext4    defaults        1 1
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/swapfile none swap defaults 0 0

system_audit_ssh

Pass: 3 Fail: 6 Score: 33%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 0 Fail: 4 Score: 0%

Leamsy commented Apr 15, 2019

Debian 9

cis_debian_linux_rcl

Pass: 34 Fail: 7 Score: 82%

5034:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\.+2;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_ssh

Pass: 3 Fail: 6 Score: 33%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 2 Fail: 2 Score: 50%

Leamsy commented Apr 15, 2019

Debian 8

cis_debianlinux7-8_L1_rcl

Pass: 213 Fail: 100 Score: 68%

10583:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;'
  - 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;'

It doesn’t account for the value “without-password”.

/etc/ssh/sshd_config:

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

cis_debianlinux7-8_L2_rcl

Pass: 0 Fail: 28 Score: 0%

system_audit_ssh

Pass: 5 Fail: 4 Score: 55%

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 2 Fail: 2 Score: 50%

Leamsy commented Apr 15, 2019

Debian 7

cis_debianlinux7-8_L1_rcl

Pass: 227 Fail: 90 Score: 71%

10583:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes;'
  - 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;'

It doesn’t account for the value “without-password”.

/etc/ssh/sshd_config:

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

cis_debianlinux7-8_L2_rcl

Pass: 0 Fail: 28 Score: 0%

system_audit_ssh

Pass: 4 Fail: 5 Score: 44%

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 2 Fail: 2 Score: 50%

Leamsy commented Apr 15, 2019

SUSE 12

cis_sles11_linux

Pass: 72 Fail: 11 Score: 86%

7505:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log;'

7506:

condition: any
rules:
  - 'f:/etc/fstab -> ^# && !r:/var/log/audit;'

They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it.

/etc/fstab:

/dev/sda1 / ext3 acl 1 1

7507:

condition: any
rules:
  - 'f:/etc/fstab -> !r:^# && !r:/home;'

It passes even though /home does not exist as a separate partition.

/etc/fstab:

/dev/sda1 / ext3 acl 1 1

7544:

condition: any
rules:
  - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
  - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'

Since we want it to be disabled, the rules should check if it has a value of 1, not 0.

7548:

title: "nsure suspicious packets are logged"

The title has its first letter missing.

7053:

condition: any
rules:
  - 'f:/etc/ssh/sshd_config -> !r:^# && !r:LogLevel\.+INFO;'

It passes the check because it is set to INFO, but it’s commented so it does not take effect.

/etc/ssh/sshd_config:

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

system_audit_ssh

Pass: 3 Fail: 6 Score: 33%

1500:

condition: any
rules:
  - 'f:$sshd_file -> !r:^# && r:Port\.+22;'

It passes the check even though the port is never changed in the configuration file.

/etc/ssh/sshd_config:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

system_audit_rcl

Pass: 76 Fail: 0 Score: 100%

system_audit_pw

Pass: 0 Fail: 4 Score: 0%

chemamartinez (Contributor, Author)

Fixed reported rules at wazuh/wazuh-ruleset#357
