Fix some SCA rules (#357)

wazuh · Apr 25, 2019 · b8153da · b8153da
1 parent d04a799
commit b8153da
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 18 deletions.
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -288,7 +288,7 @@ checks:
     - CCE-3977-6
    condition: any
    rules:
-     - 'f:/etc/grub.conf -> !r:selinux=0;'
+     - 'f:/etc/grub.conf -> r:selinux=0;'
 # 1.4.2 Set selinux state
  - id: 5518
    title: "Set the SELinux State"
@@ -302,7 +302,7 @@ checks:
     - CCE-3999-0
    condition: any
    rules:
-     - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
+     - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
 # 1.4.3 Set seliux policy
  - id: 5519
    title: "Set the SELinux Policy"
@@ -316,7 +316,7 @@ checks:
     - CCE-3624-4
    condition: any
    rules:
-     - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
+     - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
 # 1.4.4 Remove SETroubleshoot
  - id: 5520
    title: "Remove SETroubleshoot"
@@ -711,8 +711,8 @@ checks:
     - CCE-4155-8
    condition: any
    rules:
-     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
-     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 ###############################################
 # 4.2 Modify Network Parameters (Host and Router)
 ###############################################

diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -82,7 +82,7 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/etc/fstab -> !r:^# && r:/tmp && !r:nodev;'
+     - 'f:/etc/fstab -> !r:^# && r:/tmp && !r:noexec;'
 # 1.1.6 Build considerations - Partition scheme.
  - id: 6004
    title: "Ensure separate partition exists for /var"
@@ -249,7 +249,7 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/etc/grub.conf -> !r:selinux=0;'
+     - 'f:/etc/grub.conf -> r:selinux=0;'
 # 1.6.1.2 Set selinux state
  - id: 6017
    title: "Ensure the SELinux state is enforcing"
@@ -262,7 +262,7 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/etc/selinux/config -> r:SELINUX=enforcing;'
+     - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;'
 # 1.6.1.3 Set seliux policy
  - id: 6018
    title: "Ensure SELinux policy is configured"
@@ -274,7 +274,7 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted;'
+     - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;'
 # 1.6.1.4 Remove SETroubleshoot
  - id: 6019
    title: "Ensure SETroubleshoot is not installed"
@@ -631,8 +631,8 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
-     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
@@ -676,6 +676,7 @@ checks:
    condition: any
    rules:
      - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;'
+     - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 0;'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
  - id: 6048
    title: "Ensure broadcast ICMP requests are ignored"

diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -566,8 +566,8 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
-     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 # Section 3.2 - Network Parameters (Host and Router)
  - id: 7044
    title: "Ensure source routed packets are not accepted"
@@ -704,7 +704,7 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;'
+     - 'f:/etc/ssh/sshd_config -> !r:^\s*MaxAuthTries\s+4\s*$;'
  - id: 7055
    title: "Ensure SSH IgnoreRhosts is enabled"
    description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
@@ -740,7 +740,7 @@ checks:
     - pci_dss: "4.1"
    condition: any
    rules:
-     - 'f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;'
+     - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitRootLogin\.+no;'
  - id: 7058
    title: "Ensure SSH PermitEmptyPasswords is disabled"
    description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
@@ -752,7 +752,7 @@ checks:
     - pci_dss: "4.1"
    condition: any
    rules:
-     - 'f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;'
+     - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitEmptyPasswords\.+no;'
 # Section 6.2 - User and Group Settings
  - id: 7059
    title: "Ensure password fields are not empty"

diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
@@ -585,8 +585,8 @@ checks:
     - pci_dss: "2.2.4"
    condition: any
    rules:
-     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0;'
-     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0;'
+     - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;'
+     - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;'
 # Section 3.2 - Network Parameters (Host and Router)
  - id: 7545
    title: "Ensure source routed packets are not accepted"