Add SCA template for Ubuntu 12.04#3361

Merged

chemamartinez merged 2 commits into 3.9 from fix-3359 on Jun 3, 2019
Conversation

@chemamartinez
Contributor

@chemamartinez chemamartinez commented May 20, 2019

Related issue
#3359

Description

This PR adds a specific SCA template for Ubuntu 12.04, which is based on Debian 7 (wheezy):

# cat /etc/debian_version
wheezy/sid

The added template applies to Ubuntu 12.04 and adds the policies cis_debianlinux7-8_L1_rcl.yml and cis_debianlinux7-8_L2_rcl.yml when installing the agent on that platform, instead of the generic one.

Logs/Alerts example

Wazuh version

root@vagrant:/var/ossec/ruleset/sca# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v3.9.1"
REVISION="3920"
DATE="Mon May 20 16:56:44 UTC 2019"
TYPE="agent"

Ubuntu version

root@vagrant:/var/ossec/ruleset/sca# cat /etc/os-release
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"

Default installed policies

root@vagrant:/var/ossec/ruleset/sca# ll
total 172
drwxr-x--- 2 root ossec  4096 May 20 16:56 ./
drwxr-x--- 3 root ossec  4096 May 20 16:56 ../
-rw-r----- 1 root ossec 98288 May 20 16:56 cis_debianlinux7-8_L1_rcl.yml
-rw-r----- 1 root ossec 37087 May 20 16:56 cis_debianlinux7-8_L2_rcl.yml
-rw-r----- 1 root ossec 11622 May 20 16:56 system_audit_pw.yml
-rw-r----- 1 root ossec  4189 May 20 16:56 system_audit_rcl.yml
-rw-r----- 1 root ossec  5635 May 20 16:56 system_audit_ssh.yml

Default configuration

root@vagrant:/var/ossec/ruleset/sca# cat /var/ossec/etc/ossec.conf |grep -A 13 "<sca>"
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>

    <policies>
      <policy>cis_debianlinux7-8_L1_rcl.yml</policy>
      <policy>cis_debianlinux7-8_L2_rcl.yml</policy>
      <policy>system_audit_rcl.yml</policy>
      <policy>system_audit_ssh.yml</policy>
      <policy>system_audit_pw.yml</policy>
    </policies>
  </sca>

Tests

Empty checks are pending.

  • Compilation without warnings in every supported platform
    • Linux
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Retrocompatibility with older Wazuh versions

@chemamartinez chemamartinez added the labels type/bug (Something isn't working) and module/sca (Security Configuration Assessment module) on May 20, 2019
@chemamartinez
Contributor Author

chemamartinez commented May 22, 2019

The package installation doesn't add new policies:

root@vagrant:~# dpkg -i wazuh-agent_3.9.1-1_amd64.deb
Selecting previously unselected package wazuh-agent.
(Reading database ... 35393 files and directories currently installed.)
Unpacking wazuh-agent (from wazuh-agent_3.9.1-1_amd64.deb) ...
Setting up wazuh-agent (3.9.1-1) ...
Processing triggers for ureadahead ...
root@vagrant:~# ll /var/ossec/ruleset/sca/
total 72
drwxr-x--- 2 root ossec  4096 May 22 13:05 ./
drwxr-x--- 3 root ossec  4096 May 22 13:05 ../
-rw-r----- 1 root ossec 35138 May 22 12:30 cis_debian_linux_rcl.yml
-rw-r----- 1 root ossec 11622 May 22 12:30 system_audit_pw.yml
-rw-r----- 1 root ossec  4189 May 22 12:30 system_audit_rcl.yml
-rw-r----- 1 root ossec  5635 May 22 12:30 system_audit_ssh.yml

Ping @wazuh/cicd

@chemamartinez chemamartinez marked this pull request as ready for review May 22, 2019 13:07
Comment thread etc/templates/config/ubuntu/12/04/sca.files Outdated
Comment thread etc/templates/config/ubuntu/12/04/sca.template Outdated
@chemamartinez
Contributor Author

chemamartinez commented May 27, 2019

Here we can see the result of scanning the added policies on an Ubuntu 12.04 host with the minimum modifications:

sqlite> select policy_id,pass,fail,invalid,total_checks from sca_scan_info;
cis_debianlinux7-8_L2|0|28|0|28
cis_debianlinux7-8_L1|18|61|28|107

Individual checks for CIS benchmark for Debian/Linux 7 and 8 L1

sqlite> select title,result,status,reason from sca_check where policy_id="cis_debianlinux7-8_L1";
Create Separate Partition for /tmp|failed||
Set nodev option for /tmp Partition|failed||
Set nosuid option for /tmp Partition|failed||
Set noexec option for /tmp Partition|failed||
 Create Separate Partition for /var|failed||
Bind Mount the /var/tmp directory to /tmp|failed||
Create Separate Partition for /var/log|failed||
Create Separate Partition for /var/log/audit|failed||
Create Separate Partition for /home|failed||
Add nodev Option to /home|failed||
Add nodev Option to Removable Media Partitions|failed||
Add noexec Option to Removable Media Partitions|failed||
Add nosuid Option to Removable Media Partitions|failed||
Add nodev Option to /run/shm Partition|failed||
Add nosuid Option to /run/shm Partition|failed||
Add noexec Option to /run/shm Partition|failed||
Disable Automounting||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Set Boot Loader Password|failed||
Require Authentication for Single-User Mode|failed||
Restrict Core Dumps|failed||
Enable Randomized Virtual Memory Region Placement|failed||
Ensure NIS is not installed|passed||
Ensure rsh server is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure talk server is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure telnet server is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure tftp-server is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure xinetd is not enabled|failed||
Ensure chargen is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure daytime is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure echo is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure discard is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure time is not enabled||Not applicable|File /etc/inetd.conf not found
Ensure Avahi Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure print server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure DHCP Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Configure Network Time Protocol (NTP)||Not applicable|File /etc/ntp.conf not found
Ensure LDAP is not enabled|passed||
Ensure NFS and RPC are not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure DNS Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure FTP Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure HTTP Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure IMAP and POP server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure Samba is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure HTTP Proxy Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure SNMP Server is not enabled||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Configure Mail Transfer Agent for Local-Only Mode||Not applicable|File /etc/exim4/update-exim4.conf.conf not found
Ensure rsync service is not enabled|passed||
Disable IP Forwarding|failed||
Disable Send Packet Redirects|passed||
Disable Source Routed Packet Acceptance|failed||
Disable ICMP Redirect Acceptance|failed||
Disable Secure ICMP Redirect Acceptance|failed||
Log Suspicious Packets|failed||
Enable Ignore Broadcast Requests|failed||
Enable Bad Error Message Protection|failed||
Enable RFC-recommended Source Route Validation|failed||
Enable TCP SYN Cookies|failed||
Disable IPv6 Router Advertisements|failed||
Disable IPv6 Redirect Acceptance|failed||
Disable IPv6|failed||
Create /etc/hosts.allow|failed||
Create /etc/hosts.deny|failed||
Disable DCCP|failed||
Disable SCTP|failed||
Disable RDS|failed||
Disable TIPC|failed||
Ensure Firewall is active|failed||
Ensure the rsyslog Service is activated|failed||
Configure /etc/rsyslog.conf||Not applicable|File /etc/rsyslog.conf,/etc/rsyslog.d/* not found
Configure rsyslog to Send Logs to a Remote Log Host|failed||
Accept Remote rsyslog Messages Only on Designated Log Hosts||Not applicable|File /etc/rsyslog.conf,/etc/rsyslog.d/* not found
Configure logrotate|passed||
Enable cron Daemon|failed||
Restrict at/cron to Authorized Users|failed||
Set Password Creation Requirement Parameters Using pam_cracklib|failed||
 Set Lockout for Failed Password Attempts|failed||
Limit Password Reuse|failed||
Set SSH Protocol to 2|passed||
Set LogLevel to INFO|passed||
Disable SSH X11 Forwarding|failed||
Set SSH MaxAuthTries to 4 or Less|failed||
Set SSH IgnoreRhosts to Yes|passed||
Set SSH HostbasedAuthentication to No|passed||
Disable SSH Root Login|failed||
Set SSH PermitEmptyPasswords to No|passed||
Do Not Allow Users to Set Environment Options|failed||
Set Idle Timeout Interval for User Login|failed||
Limit Access via SSH|failed||
Set SSH Banner|failed||
Restrict Access to the su Command|failed||
Set Password Expiration Days|failed||
Set Password Change Minimum Number of Days|failed||
Set Password Expiring Warning Days|failed||
Set Default Group for root Account|passed||
Set Default umask for Users|failed||
Lock Inactive User Accounts|failed||
Set Warning Banner for Standard Login Services|passed||
Remove OS Information from Login Warning Banners|failed||
Ensure Password Fields are Not Empty|passed||
Verify No Legacy "+" Entries Exist in /etc/passwd File|passed||
Verify No Legacy "+" Entries Exist in /etc/shadow File|passed||
Verify No Legacy "+" Entries Exist in /etc/group File|passed||
Verify No UID 0 Accounts Exist Other Than root|passed||
Check for Presence of User .rhosts Files||Not applicable|Could not open '/usr2/home/*': No such file or directory
Check for Presence of User .netrc Files||Not applicable|Could not open '/usr2/home/*': No such file or directory
Check for Presence of User .forward Files||Not applicable|Could not open '/usr2/home/*': No such file or directory
Ensure shadow group is empty|passed||

Individual checks for CIS benchmark for Debian/Linux 7 and 8 L2

sqlite> select title,result,status,reason from sca_check where policy_id="cis_debianlinux7-8_L2";
Disable Mounting of cramfs Filesystems|failed||
Disable Mounting of freevxfs Filesystems|failed||
Disable Mounting of jffs2 Filesystems|failed||
Disable Mounting of hfs Filesystems|failed||
Disable Mounting of hfsplus Filesystems|failed||
Disable Mounting of squashfs Filesystems|failed||
Disable Mounting of udf Filesystems|failed||
Activate AppArmor|failed||
Configure Audit Log Storage Size|failed||
Disable System on Audit Log Full|failed||
Keep All Auditing Information|failed||
Enable Auditing for Processes That Start Prior to auditd|failed||
Record Events That Modify Date and Time Information|failed||
Record Events That Modify User/Group Information|failed||
Record Events That Modify the System's Network Environment|failed||
Record Events That Modify the System's Mandatory Access Controls|failed||
Collect Login and Logout Events|failed||
Collect Session Initiation Information|failed||
Collect Discretionary Access Control Permission Modification Events|failed||
Collect Unsuccessful Unauthorized Access Attempts to Files|failed||
Collect Successful File System Mounts|failed||
Collect File Deletion Events by User|failed||
Collect Changes to System Administration Scope (sudoers)|failed||
Collect System Administrator Actions (sudolog)|failed||
Collect Kernel Module Loading and Unloading|failed||
Make the Audit Configuration Immutable|failed||
Install AIDE|failed||
Implement Periodic Execution of File Integrity|failed||

The most notable point is that every check of the L2 policy has failed, so I have checked that no false positives have been introduced.

Here is the output of the policy scan in debug mode:

2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of cramfs Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of freevxfs Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of jffs2 Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of hfs Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of hfsplus Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of squashfs Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable Mounting of udf Filesystems'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/modprobe.d/CIS.conf;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/modprobe.d/CIS.conf) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Activate AppArmor'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:/etc/default/grub -> NIN r:apparmor=1 && r:security=apparmor;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for NIN r:apparmor=1 && r:security=apparmor(/etc/default/grub) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Configure Audit Log Storage Size'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Disable System on Audit Log Full'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Keep All Auditing Information'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Enable Auditing for Processes That Start Prior to auditd'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*(/etc/default/grub) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Record Events That Modify Date and Time Information'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Record Events That Modify User/Group Information'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Record Events That Modify the System's Network Environment'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Record Events That Modify the System's Mandatory Access Controls'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Login and Logout Events'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Session Initiation Information'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Discretionary Access Control Permission Modification Events'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Unsuccessful Unauthorized Access Attempts to Files'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Successful File System Mounts'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect File Deletion Events by User'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Changes to System Administration Scope (sudoers)'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect System Administrator Actions (sudolog)'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Collect Kernel Module Loading and Unloading'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Make the Audit Configuration Immutable'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Install AIDE'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/usr/sbin/aideinit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/usr/sbin/aideinit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Implement Periodic Execution of File Integrity'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:/etc/crontab -> !r:/usr/sbin/aide --check;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for !r:/usr/sbin/aide --check(/etc/crontab) -> 0

In the results, we can see that most of the failed results are due to the file /etc/audit being missing. So the results seem correct.
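The two verifications this comment performs by hand, recounting the sca_check rows against the sca_scan_info summary and attributing failed checks to the file their rule inspects, as an added Python example that is not part of the PR or of the Wazuh code base; the sample rows and log lines are constructed excerpts in the formats quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the pipe-delimited output of
# `select title,result,status,reason from sca_check` quoted above.
SAMPLE_ROWS = """\
Create Separate Partition for /tmp|failed||
Disable Automounting||Not applicable|Could not open '/etc/rc7.d': No such file or directory
Ensure NIS is not installed|passed||
Ensure rsh server is not enabled||Not applicable|File /etc/inetd.conf not found
Disable IP Forwarding|failed||
Set SSH Protocol to 2|passed||
"""

# Constructed excerpt of the wm_sca debug log quoted above (three entries).
SAMPLE_LOG = """\
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Activate AppArmor'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:/etc/default/grub -> NIN r:apparmor=1 && r:security=apparmor;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for NIN r:apparmor=1 && r:security=apparmor(/etc/default/grub) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Configure Audit Log Storage Size'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
---------
2019/05/27 13:26:37 sca[28130] wm_sca.c:954 at wm_sca_do_scan(): DEBUG: Checking entry: 'Keep All Auditing Information'.
2019/05/27 13:26:37 sca[28130] wm_sca.c:965 at wm_sca_do_scan(): DEBUG: Rule is: f:!/etc/audit;
2019/05/27 13:26:37 sca[28130] wm_sca.c:1489 at wm_sca_check_file(): DEBUG: Result for EXISTS(/etc/audit) -> 0
"""

def summarize_checks(rows: str) -> dict:
    """Recount pass/fail/invalid/total from sca_check rows; the result
    should equal the policy's row in sca_scan_info (18|61|28|107 for L1)."""
    counts = Counter()
    for line in rows.splitlines():
        if not line.strip():
            continue
        _title, result, status, _reason = line.split("|", 3)
        if status == "Not applicable":
            counts["invalid"] += 1       # stored as 'invalid' in sca_scan_info
        elif result in ("passed", "failed"):
            counts[result[:4]] += 1      # 'passed' -> 'pass', 'failed' -> 'fail'
        counts["total"] += 1
    return {key: counts[key] for key in ("pass", "fail", "invalid", "total")}

ENTRY_RE = re.compile(r"Checking entry: '(.*)'\.$")
# f:<path>;  or  f:!<path>;  or  f:<path> -> <content rule>;
RULE_RE = re.compile(r"Rule is: f:(!?)(\S+?)(?:\s*->\s*(.*))?;$")
RESULT_RE = re.compile(r"Result for .* -> (\d+)$")

def failures_by_file(log: str) -> dict:
    """Map each file an f: rule inspects to the entries whose rule evaluated
    to 0 (every such entry above is reported as 'failed' in sca_check)."""
    by_file = defaultdict(list)
    entry = path = None
    for line in log.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entry, path = m.group(1), None
            continue
        m = RULE_RE.search(line)
        if m:
            path = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m and entry and path:
            if m.group(1) == "0":
                by_file[path].append(entry)
            entry = path = None
    return dict(by_file)
```

When one absent file, as /etc/audit here, accounts for most of the failures, the failures reflect the host's state rather than a defect in the policy.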

@chemamartinez chemamartinez merged commit 3581054 into 3.9 Jun 3, 2019
@chemamartinez chemamartinez deleted the fix-3359 branch June 3, 2019 09:51