CIS checks via OSSEC


Michiel van Es

Jul 23, 2014, 4:31:09 AM
to ossec...@googlegroups.com
Hello,

We see that OSSEC does some CIS checks for Red Hat 5 and older.
Is it possible to update the CIS checks in OSSEC to do CIS checks for RHEL 6 etc? (http://benchmarks.cisecurity.org/downloads/show-single/?file=rhel6.120)
This helps with PCI-DSS v3 compliance (2.2).

Or is it easy to add these checks yourself or are they on the planning to be included in a new release?

Michiel

Christian Beer

Jul 23, 2014, 5:58:36 AM
to ossec...@googlegroups.com
Hi, I downloaded the Benchmark paper and took a quick look.

The question is what is there to do? As I understand the document, one has to
copy the script snippets from the audit sections into the CIS text files
and annotate them with some information, right?

This seems to me like a copy&paste job and a pull request on GitHub.

Regards
Christian
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to ossec-list+...@googlegroups.com
> <mailto:ossec-list+...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.

dan (ddp)

Jul 23, 2014, 7:53:50 AM
to ossec...@googlegroups.com
I would love to see updated checks.

> Michiel

dan (ddp)

Jul 23, 2014, 7:57:31 AM
to ossec...@googlegroups.com
On Wed, Jul 23, 2014 at 5:56 AM, Christian Beer
<cb.mai...@googlemail.com> wrote:
> Hi, I downloaded the Benchmark paper and took a quick look.
>
> The question is what is to do? As I understand the document one has to
> copy the script snippets from the audit sections into the CIS text files
> and annotate with some information, right?
>
> This seems to me like a copy&paste job and a pull request on github.
>

I'd start by copying one of the older files, modifying the OS version
check to work with the version you want to check. Then adjust as new
alerts come in.
I think I'll give this a shot with Centos 7 and report back.

> Regards
> Christian

Michael Starks

Jul 23, 2014, 9:45:46 AM
to ossec...@googlegroups.com
On 2014-07-23 4:56, Christian Beer wrote:
> Hi, I downloaded the Benchmark paper and took a quick look.
>
> The question is what is to do? As I understand the document one has to
> copy the script snippets from the audit sections into the CIS text
> files
> and annotate with some information, right?
>
> This seems to me like a copy&paste job and a pull request on github.

It's a little more involved than that. The CIS checks are performed by
rootcheck and that has its own syntax. It doesn't just execute scripts.

theresa mic-snare

Jul 14, 2015, 2:03:24 PM
to ossec...@googlegroups.com
hi folks,

I just found this interesting thread.
I wanted to ask: is there any update on this? How could I contribute? I could do some testing on CentOS 6/RHEL...

theresa mic-snare

Jul 14, 2015, 2:10:29 PM
to ossec...@googlegroups.com
Also, I'd like to update this page to something more up-to-date (RHEL 6 / 7) once I understand how it works and what it does.

Reading into it right now...

Santiago Bassett

Jul 14, 2015, 2:11:09 PM
to ossec...@googlegroups.com


theresa mic-snare

Jul 25, 2015, 6:19:29 PM
to ossec-list, santiago...@gmail.com
I just checked my ossec.conf and was surprised to find out that the rootcheck for CIS isn't even defined,
but I quickly added the cis_rhel6_linux.rcl.txt that Santi provided. Thx Santi :)

When I called rootcheck_control I got the following output:
Resolved events:

** No entries found.

Outstanding events:

** No entries found.


Is this possible?
Does this need to run a few times (more than once) in order to show anything?
Maybe it has to do with the RHEL6 CIS check seeming a bit incomplete.

What do SCORED and NOT SCORED mean in the CIS check?

I find it hard to believe that my system passed all the tests...

Santiago Bassett

Jul 25, 2015, 6:54:38 PM
to theresa mic-snare, ossec-list
Hi Theresa,

have a look at this doc:


I was also curious and found the explanation on page 5:

Scored:
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored:
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.


Regarding your other question, I am not sure why you don't have alerts. Are you sure you added the right config in ossec.conf? Something like <system_audit>path_to_your_cis_rules</system_audit>; remember it needs to be added for the agents.

Best

theresa mic-snare

Jul 27, 2015, 2:46:26 AM
to ossec-list, santiago...@gmail.com
Hi Santi,

great, thanks for looking this up :)

For some reason it works now... surprising.
Maybe it takes some time after an initial run...

I now have plenty of Outstanding events, great :)))))

best,
theresa

theresa mic-snare

Jul 27, 2015, 11:01:12 AM
to ossec-list, santiago...@gmail.com, rockpr...@gmail.com
Hi all,

Since https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/cis_rhel6_linux_rcl.txt seems a bit incomplete, I'd like to start completing it.
Lots of important checks are still tagged as "to do".

Please let me know if anyone is already working on the RHEL6 checks or has even completed them.
I'd like to avoid working on something that someone else has already completed or is still working on.

So please let me know!

I'd contribute the complete file then as a pull request on GitHub.

thanks,
theresa

theresa mic-snare

Jul 28, 2015, 3:14:24 PM
to ossec-list, santiago...@gmail.com, rockpr...@gmail.com
Hi again,

I don't quite understand how these checks work.
Rootcheck complains about the following checks:

2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .

2015 Jul 28 20:24:43 (first time detected: 2015 Jul 27 17:21:47)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux policy not set to targeted. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6

It's perfectly clear what is meant by it, but for the sake of it, I will post what's in the CIS file as well:

# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUX=enforcing;

# 1.4.3 Set selinux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUXTYPE=targeted;

Meaning I have to check the SELinux config, so here we go:

SELINUX=enforcing
SELINUXTYPE=targeted

Sorry, but what am I doing wrong here... I don't understand it.

Other checks are not being "acknowledged" either...

# Controls source route validation
net.ipv4.conf.all.accept_source_route = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 1

# Controls ICMP secure redirects
net.ipv4.conf.all.accept_redirects = 1

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

Does this look OK to you?!
Has anyone had any experience with this?

thanks,
theresa

Santiago Bassett

Jul 28, 2015, 3:40:30 PM
to theresa mic-snare, ossec-list
Yes, it looks like those rules should have an "!".

I think rules like this would make more sense instead:

# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> !r:SELINUX=enforcing;

# 1.4.3 Set selinux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;

Regarding the other checks I am not sure what you mean. What is the problem there?

Santiago.
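The rule semantics behind theresa's question and Santiago's answer can be checked without an OSSEC install. The following is an added example, not code from the thread or from the OSSEC project: a small Python re-implementation of the rootcheck rcl `f:` check, just enough to parse `[name] [any|all] [ref]` headers and `f:/path -> r:pattern;` / `!r:` lines. It runs the two SELinux rules exactly as posted (plain `r:`) and with Santiago's `!r:` fix against constructed `/etc/selinux/config` contents, and goes one step beyond the thread with a constructed, hypothetical sysctl rule evaluated against the `accept_source_route = 1` line theresa posted. Assumptions: Python's `re` stands in for OSSEC's own regex engine, a missing file never fires a check, and the `[all]` handling and the sysctl rule are the example's own, not taken from the OSSEC rcl file.

```python
import re

# Constructed copy of the two SELinux rules as theresa posted them (plain "r:"),
# plus one hypothetical rule in the same syntax (NOT in the OSSEC file).
RULES_AS_POSTED = r"""
# 1.4.2 Set selinux state
[CIS - RHEL6 1.4.2 - SELinux not set to enforcing] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUX=enforcing;

# 1.4.3 Set selinux policy
[CIS - RHEL6 1.4.2 - SELinux policy not set to targeted] [any] [http://www.ossec.net/wiki/index.php/CIS_RHEL6]
f:/etc/selinux/config -> r:SELINUXTYPE=targeted;

# Hypothetical example rule (constructed here): alert unless source routing is explicitly off.
[Example - accept_source_route not disabled] [any] [constructed]
f:/etc/sysctl.conf -> !r:net.ipv4.conf.all.accept_source_route\s*=\s*0;
"""

# Santiago's fix: negate the SELinux checks so they fire when the expected line is ABSENT.
# The sysctl rule already carries its "!" and is left untouched by the replace.
RULES_FIXED = RULES_AS_POSTED.replace("-> r:", "-> !r:")

# Constructed file contents standing in for an agent's filesystem.
# The sysctl line is the value theresa posted (source routing still accepted).
SYSCTL_CONF = "net.ipv4.conf.all.accept_source_route = 1\nnet.ipv4.conf.all.log_martians = 1\n"
ENFORCING_FS = {
    "/etc/selinux/config": "SELINUX=enforcing\nSELINUXTYPE=targeted\n",
    "/etc/sysctl.conf": SYSCTL_CONF,
}
PERMISSIVE_FS = {
    "/etc/selinux/config": "SELINUX=permissive\nSELINUXTYPE=targeted\n",
    "/etc/sysctl.conf": SYSCTL_CONF,
}

RULE_HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]\s*\[(?P<cond>any|all)\]\s*\[(?P<ref>[^\]]*)\]$")
CHECK_LINE = re.compile(r"^f:(?P<path>\S+)\s*->\s*(?P<neg>!?)r:(?P<pattern>.+);$")


def parse_rcl(text):
    """Parse rcl text into rules: {name, cond, ref, checks: [(path, negated, pattern)]}."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_HEADER.match(line)
        if m:
            rules.append({"name": m["name"], "cond": m["cond"], "ref": m["ref"], "checks": []})
            continue
        m = CHECK_LINE.match(line)
        if m and rules:
            rules[-1]["checks"].append((m["path"], m["neg"] == "!", m["pattern"]))
            continue
        raise ValueError(f"unsupported rcl line: {raw!r}")
    return rules


def check_fires(fs, path, negated, pattern):
    """One f: check. "r:" fires when some line of the file matches the pattern;
    "!r:" fires when no line matches. Simplification: a missing file never fires."""
    content = fs.get(path)
    if content is None:
        return False
    matched = any(re.search(pattern, line) for line in content.splitlines())
    return (not matched) if negated else matched


def evaluate(rules, fs):
    """Return the names of rules that would raise a System Audit alert on this filesystem."""
    alerts = []
    for rule in rules:
        if not rule["checks"]:
            continue
        results = [check_fires(fs, *chk) for chk in rule["checks"]]
        fired = any(results) if rule["cond"] == "any" else all(results)
        if fired:
            alerts.append(rule["name"])
    return alerts


if __name__ == "__main__":
    posted, fixed = parse_rcl(RULES_AS_POSTED), parse_rcl(RULES_FIXED)
    for label, fs in (("enforcing host", ENFORCING_FS), ("permissive host", PERMISSIVE_FS)):
        print(f"{label}, rules as posted: {evaluate(posted, fs)}")
        print(f"{label}, rules with '!':  {evaluate(fixed, fs)}")
```

On the enforcing host the rules as posted raise both SELinux alerts precisely because the config is correct (the pattern matches, so the check "fires"), which is the false positive theresa saw; with the `!r:` negation the SELinux alerts disappear on that host and only the `SELinux not set to enforcing` alert remains on the permissive host. The constructed sysctl rule fires on both hosts because `accept_source_route` is 1 rather than 0, which is the defender-side reading of the values theresa posted.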