Test: SCA scan results #61
Comments
2019-04-05
Testing on a clean CentOS6 agent

Right now, I am testing on a clean CentOS 7 agent. Will attach the inconsistencies I found as soon as they are ready.

I finished testing CentOS 7 and I am finishing SUSE 11 right now. I attach my work until now.

I finished testing SUSE 11 and CentOS 5, will continue testing Debian 7.

Finished CentOS 6, Debian 9 and only missing L1 policies from Debian 8.
CentOS 7
cis_rhel7_linux_rcl: Pass: 95 Fail: 9 Score: 91%
6505:
6506:
6507:
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it. /etc/fstab:
6508:
It passes even though /home does not exist as a separate partition. /etc/fstab:
6560:
It passes the check because it is set to INFO, but it’s commented so it does not take effect. /etc/ssh/sshd_config:
system_audit_ssh: Pass: 3 Fail: 6 Score: 33%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
SUSE 11
cis_sles11_linux: Pass: 82 Fail: 9 Score: 90%
First of all there were a couple of issues in the requirements and variables sections of the policy file:
7005:
7006:
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it. /etc/fstab:
7007:
It passes even though /home does not exist as a separate partition. /etc/fstab:
7043:
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
7053:
It passes the check because it is set to INFO, but it’s commented so it does not take effect. /etc/ssh/sshd_config:
system_audit_ssh: Pass: 3 Fail: 6 Score: 33%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 0 Fail: 4 Score: 0%
CentOS 5
cis_rhel5_linux_rcl: Pass: 97 Fail: 14 Score: 87%
5505:
It passes the check even though the /var/tmp directory is not bound to /tmp. /etc/fstab:
5506:
5507:
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it. /etc/fstab:
5508:
It passes even though /home does not exist as a separate partition. /etc/fstab:
5516:
This rule fails, but looking at the corresponding rules section, I think this has a copy-pasting issue. This doesn’t have anything to do with fstab.
5518:
This rule passes but it should not. If we want to have selinux=enforcing, we should make the rule trigger when it is NOT set to enforcing. /etc/selinux/config:
5519:
Same reasoning as above, this fails when it IS set to targeted. /etc/selinux/config:
5536:
It passes the check when umask is not set to 027. /etc/init.d/functions:
5547:
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
system_audit_ssh: Pass: 2 Fail: 7 Score: 22%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 0 Fail: 4 Score: 0%
CentOS 6
cis_rhel6_linux_rcl: Pass: 95 Fail: 12 Score: 88%
6006:
6007:
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it. /etc/fstab:
6508:
It passes even though /home does not exist as a separate partition. /etc/fstab:
system_audit_ssh: Pass: 3 Fail: 6 Score: 33%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 0 Fail: 4 Score: 0%
Debian 9
cis_debian_linux_rcl: Pass: 34 Fail: 7 Score: 82%
5034:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_ssh: Pass: 3 Fail: 6 Score: 33%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 2 Fail: 2 Score: 50%
Debian 8
cis_debianlinux7-8_L1_rcl: Pass: 213 Fail: 100 Score: 68%
10583:
It doesn’t account for the value “without-password”. /etc/ssh/sshd_config:
cis_debianlinux7-8_L2_rcl: Pass: 0 Fail: 28 Score: 0%
system_audit_ssh: Pass: 5 Fail: 4 Score: 55%
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 2 Fail: 2 Score: 50%
Debian 7
cis_debianlinux7-8_L1_rcl: Pass: 227 Fail: 90 Score: 71%
10583:
It doesn’t account for the value “without-password”. /etc/ssh/sshd_config:
cis_debianlinux7-8_L2_rcl: Pass: 0 Fail: 28 Score: 0%
system_audit_ssh: Pass: 4 Fail: 5 Score: 44%
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 2 Fail: 2 Score: 50%
SUSE 12
cis_sles11_linux: Pass: 72 Fail: 11 Score: 86%
7505:
7506:
They pass as being in a separate partition, even though /var itself does not exist as a separate partition, which doesn’t make sense as they are located in it. /etc/fstab:
7507:
It passes even though /home does not exist as a separate partition. /etc/fstab:
7544:
Since we want it to be disabled, the rules should check if it has a value of 1, not 0.
7548:
The title has its first letter missing.
7053:
It passes the check because it is set to INFO, but it’s commented so it does not take effect. /etc/ssh/sshd_config:
system_audit_ssh: Pass: 3 Fail: 6 Score: 33%
1500:
It passes the check even though the port is never changed in the configuration file. /etc/ssh/sshd_config:
system_audit_rcl: Pass: 76 Fail: 0 Score: 100%
system_audit_pw: Pass: 0 Fail: 4 Score: 0%
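As an added illustration (not code from this issue or from the Wazuh ruleset) of why the partition and sshd findings above are false positives: the fstab check below only accepts a path that is itself a mount point, and the sshd parser only counts directives that are not commented out. The sample file contents are constructed.

```python
import re

# Constructed sample /etc/fstab: only /, /boot and /tmp are mount points,
# so /var, /var/log and /home are NOT separate partitions.
FSTAB = """\
UUID=a1b2c3d4 /     xfs   defaults 0 0
UUID=e5f6a7b8 /boot xfs   defaults 0 0
tmpfs         /tmp  tmpfs defaults,nodev,nosuid 0 0
"""

# Constructed sample /etc/ssh/sshd_config: LogLevel exists only as a comment
# and Port is never set, so neither directive takes effect.
SSHD_CONFIG = """\
#LogLevel INFO
#Port 22
PermitRootLogin without-password
X11Forwarding no
"""

def mounted_separately(fstab, path):
    """True only if `path` itself is the mount point (2nd field) of an fstab
    entry; a substring/prefix match would accept /var/log whenever /var is."""
    for line in fstab.splitlines():
        fields = line.split("#", 1)[0].split()  # comments and blanks ignored
        if len(fields) >= 2 and (fields[1].rstrip("/") or "/") == (path.rstrip("/") or "/"):
            return True
    return False

def effective_sshd_options(config):
    """{keyword: value} for directives that take effect: commented and blank
    lines are skipped, keywords are case-insensitive, first occurrence wins."""
    opts = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*\S)", line)  # "Key value" or "Key=value"
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2))
    return opts

def sshd_checks(config):
    """The sshd findings above, evaluated on effective values only."""
    opts = effective_sshd_options(config)
    return {
        "loglevel_set_to_info": opts.get("loglevel", "").upper() == "INFO",
        "port_changed": "port" in opts and opts["port"] != "22",  # 22 = default
        "permitrootlogin": opts.get("permitrootlogin"),  # exposes "without-password"
    }
```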
Fixed reported rules at wazuh/wazuh-ruleset#357
Hi team,
We have to fill a report including the SCA scan results for every OS in a default installation of the Wazuh agent and in as clean an environment as possible. This report should include the number of pass/fail results, as well as verify that there are no false positives.

Linux
- RHEL/CentOS 5
- RHEL/CentOS 6
- RHEL/CentOS 7
- Debian 7
- Debian 8
- Debian 9
- Suse 11
- Suse 12

Windows
- Windows XP/Server 2003
- Windows Server 2012 R2
- Windows 10
- Windows Server 2016

Solaris

mac OS
- MAC OS X 10.11
- MAC OS X 10.12
- MAC OS X 10.13

Apart from checking the default policies included in the ossec.conf, for Linux distributions, we should test the Application policies such as cis_apache2224_rcl.yml and the newly developed policies located at wazuh/wazuh-ruleset#321 (linux passwords, debian 7/8, solaris 11 and Windows 10) and wazuh/wazuh-ruleset#331 (macOS policies).
Note: the macOS policies testing is blocked by the inclusion of command rules for SCA (wazuh/wazuh#2696).