From 4f9243989770a1089f14275b19a9b24da1acd2c0 Mon Sep 17 00:00:00 2001
From: Srinivasan-tm
Date: Thu, 29 Aug 2024 11:09:23 +0530
Subject: [PATCH 1/2] Some fixes for ubuntu benchmark

* checking if mail transfer agent is configured for local only, the check was negated for some reason
* checking for rsync service is uninstalled or masked, but is checking if rsync service is uninstalled and masked, the check should be an any check not an all check
* For rsyslog config, the file creation setting should either be in rsyslog.conf or a file in rsyslog.d/ folder. For both to be true. So, changing the check from an all to an any
* Before checking for the perission of sshd_config, we need to check if sshd is even in the system. So automatically passing the check if sshd is not present in the system
---
 wazuh/cis_ubuntu22-04_workstation_level_1.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/wazuh/cis_ubuntu22-04_workstation_level_1.yml b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
index 80af1aa..08edfd5 100644
--- a/wazuh/cis_ubuntu22-04_workstation_level_1.yml
+++ b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
@@ -1023,7 +1023,7 @@ checks:
 - soc_2: ["CC6.3", " CC6.6"]
 condition: all
 rules:
- - 'not c:ss -lntu -> r:\.*:25\s && r:127.0.0.1:25\s+|::1]:25\s+'
+ - 'c:ss -lntu -> r:\.*:25\s && r:127.0.0.1:25\s+|::1]:25\s+'
 
 # 2.2.16 Ensure rsync service is either not installed or masked (Automated)
 - id: 28566
@@ -1042,7 +1042,7 @@ checks:
 - pci_dss_v3.2.1: ["1.1.6", " 1.2.1", " 2.2.2", " 2.2.5"]
 - pci_dss_v4.0: ["1.2.5", " 2.2.4", " 6.4.1"]
 - soc_2: ["CC6.3", " CC6.6"]
- condition: all
+ condition: any
 rules:
 - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' rsync -> r:no packages found matching rsync|deinstall|not-installed"
 - 'c:systemctl is-active rsync" -> r:inactive'
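Review bot: The un-negated rule added in the first hunk passes as soon as one `ss -lntu` line shows a loopback listener on port 25, so a host that also has `0.0.0.0:25` or `*:25` bound still passes, while a host with no MTA listening at all fails although nothing is exposed. Removing `not` fixed the inversion only for the single-listener case; the control needs "no line listening on :25 that is not loopback". The file already uses `!r:` negation in the grub AppArmor rules, so the same form works here: `- 'not c:ss -lntu -> r:\.*:25\s && !r:127.0.0.1:25\s|::1]:25\s'`. Whether the agent applies `&&` per output line should be confirmed against the SCA docs for the deployed Wazuh version before relying on this.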
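Review bot: With `condition: any`, the second rule `c:systemctl is-active rsync" -> r:inactive` can now pass the whole check on its own, but `inactive` only shows the unit is not running at this moment, not that it is masked as the check title requires, so an installed, enabled-but-stopped rsync passes. That command string also carries a stray `"` after `rsync`; depending on how the agent tokenizes commands, an unbalanced quote can make the unit name fail to resolve, which would then return nothing rather than `inactive`. Consider `- 'c:systemctl is-enabled rsync -> r:masked'` as the second rule, which matches the "not installed or masked" wording. The check's `id` line and the start of its compliance list are outside the hunk.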
@@ -1961,7 +1961,7 @@ checks:
 - pci_dss_3.2.1: ["10.2", "10.3"]
 - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
 - nist_sp_800-53: ["AU-7"]
- condition: all
+ condition: any
 rules:
 - 'f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode 0640'
 - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*\$FileCreateMode 0640'
@@ -2211,8 +2211,9 @@ checks:
 - pci_dss_4.0: ["1.3.1", "7.1"]
 - nist_sp_800-53: ["AC-5", "AC-6"]
 - soc_2: ["CC5.2", "CC6.1"]
- condition: all
+ condition: any
 rules:
+ - 'not f:/usr/sbin/sshd'
 - 'c:stat /etc/ssh/sshd_config -> r:Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*root\)\s*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
 
 # 5.2.4 Ensure SSH access is limited (Automated)

From 14a04c4faf94975660d897738306b7741c0ab571 Mon Sep 17 00:00:00 2001
From: Srinivasan-tm
Date: Mon, 2 Sep 2024 10:55:11 +0530
Subject: [PATCH 2/2] In /boot/grub/grub.cfg initial spaces before words start in every line are tabs and not spaces. So changing the check to see for tabs and not spaces

---
 wazuh/cis_ubuntu22-04_workstation_level_1.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/wazuh/cis_ubuntu22-04_workstation_level_1.yml b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
index 08edfd5..b4a8222 100644
--- a/wazuh/cis_ubuntu22-04_workstation_level_1.yml
+++ b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
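Review bot: Both rules under the new `condition: any` accept only the literal `$FileCreateMode 0640`, so a host hardened to `0600` fails, and a match in one file is enough to pass even if another `rsyslog.d` snippet later sets a laxer mode; the check proves "some file says 0640", not "the effective mode is 0640 or stricter". If the benchmark's "or more restrictive" wording applies to this control, OSSEC regex has no character classes, so the stricter mode has to be added by alternation, e.g. `r:^\s*\t*\$FileCreateMode 0640|^\s*\t*\$FileCreateMode 0600` in both rules. A comment above `rules:` such as `# passes if any config sets 0640; an overriding laxer mode elsewhere is not detected` would record the limitation for the next maintainer. The check's `id` line is outside the hunk.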
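Review bot: The added `not f:/usr/sbin/sshd` rule auto-passes the check on a path test, a weaker presence signal than the package database this same file uses for rsync; an sshd installed under another prefix (built from source, a snap, or a future path change) would pass with its config never inspected. Mirroring the rsync check keeps the two consistent: `- "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' openssh-server -> r:no packages found matching openssh-server|deinstall|not-installed"`. Either way, a comment above `rules:` like `# condition is any: passes when sshd is absent, otherwise the stat rule must match` would explain why `condition` changed. The check's `id` line is outside the hunk.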
@@ -445,10 +445,10 @@ checks:
 - soc_2: ["CC5.2", "CC6.1"]
 condition: all
 rules:
- - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:apparmor=1'
- - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:security=apparmor'
- - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
- - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor'
+ - 'f:/boot/grub/grub.cfg -> r:^\t*linux && r:apparmor=1'
+ - 'f:/boot/grub/grub.cfg -> r:^\t*linux && r:security=apparmor'
+ - 'not f:/boot/grub/grub.cfg -> r:^\t*linux && !r:apparmor=1'
+ - 'not f:/boot/grub/grub.cfg -> r:^\t*linux && !r:security=apparmor'
 
 # 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated)
 - id: 28535
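Review bot: Replacing `^\s*linux` with `^\t*linux` in all four rules swaps one indentation assumption for another: a grub.cfg whose `linux` lines are indented with spaces (hand-edited, a different grub-mkconfig version, or a custom `/etc/grub.d` snippet) matches none of the rules, the two positive rules then fail, and under `condition: all` the check reports a false failure even when `apparmor=1 security=apparmor` is present. The rsyslog rules in this same file already use the `^\s*\t*` prefix to accept both styles; using `^\s*\t*linux` in all four rules keeps the tab fix without that regression. It is also worth a one-line comment above `rules:` noting that the two `not` rules pass vacuously when no `linux` line matches, so the first two rules carry the real check. The check's `id` line is outside the hunk.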