OSSEC + CIS benchmark tests


Daniel Cid

Jul 10, 2008, 3:43:36 PM
to ossec-list, osse...@ossec.net
Hi list,

I just posted in my blog about the new support for CIS benchmarks on
OSSEC and I want to hear
the feedback anyone may have.

Link: http://www.ossec.net/dcid/?p=137


"
We just included support in the OSSEC Policy monitor to audit if a
system is in compliance with the CIS Security Benchmarks
(as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are
supported - the other versions will be soon).

If you want to try it out manually and provide some feedback to us,
please follow the instructions below to test:


First, grab the latest CVS snapshot and compile it (it will be
included on v1.6 and above):

# wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
# tar -zxvf ossec-hids-080710.tar.gz
# cd ossec-hids-080710/src/
# make clean
# make libs
# cd rootcheck
# make binary

The binary ossec-rootcheck will be created on the current directory
and we can start using it. A simple scan on my Ubuntu
box looked like this: (note, that it will do all the normal rootcheck
tests plus the CIS scans — just grep for CIS if you don't want to see
the rest):

# ./ossec-rootcheck
..

[INFO]: System Audit: CIS - Testing against the CIS Debian Linux
Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
scheme - /tmp is not on its own partition. File: /etc/fstab.
Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition
scheme - /var is not on its own partition. File: /etc/fstab.
Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration -
Root login allowed. File: /etc/ssh/sshd_config. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting -
Sysstat not enabled. File: /etc/default/sysstat. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 4.18 - Disable standard
boot services - Squid Enabled. File: /etc/init.d/squid. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition
/media without 'nodev' set. File: /etc/fstab. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition
/media without 'nosuid' set. File: /etc/fstab. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted
removable partition /media. File: /etc/fstab. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 8.8 - GRUB Password not
set. File: /boot/grub/menu.lst. Reference:
http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

..


Anyone here using CIS (or FDCC)? As always, feedback and suggestions
are welcome.
"


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
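Daniel suggests grepping the scan output for CIS. As an added example (not part of the post or of OSSEC itself), the Python script below goes one step further: it parses the "[INFO]: System Audit: CIS ..." lines shown above into structured findings (benchmark, item number, description, audited file, reference) and groups them by audited file so remediation can be planned one config file at a time. The sample output is constructed from the lines quoted in the post; real ossec-rootcheck prints each finding on a single line, which is what the regex assumes.

```python
import re
import sys
from collections import defaultdict

# One ossec-rootcheck CIS finding line, in the format quoted in the post:
# [INFO]: System Audit: CIS - <benchmark> <item> - <description>. File: <path>. Reference: <url> .
# The "Testing against the CIS ... Benchmark" header line has no item number and is skipped.
CIS_LINE = re.compile(
    r"^\[INFO\]: System Audit: CIS - (?P<bench>[A-Za-z ]+?) (?P<item>\d+\.\d+) - "
    r"(?P<desc>.+?)\. File: (?P<file>\S+)\. Reference: (?P<ref>\S+) ?\.$"
)

# Constructed sample scan output, modelled on the lines quoted in the post.
SAMPLE_OUTPUT = """\
[INFO]: Starting rootcheck scan.
[INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: Ending rootcheck scan.
"""


def parse_cis_findings(output):
    """Return one dict per CIS finding; rootcheck lines that are not findings are ignored."""
    findings = []
    for line in output.splitlines():
        m = CIS_LINE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def findings_by_file(findings):
    """Group 'item description' strings by the file the benchmark check looked at."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["file"]].append(f"{f['item']} {f['desc']}")
    return dict(grouped)


def summarize(output):
    findings = parse_cis_findings(output)
    return {"total": len(findings), "by_file": findings_by_file(findings)}


if __name__ == "__main__":
    # Pipe real output in ("./ossec-rootcheck | python3 cis_summary.py"), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    summary = summarize(text)
    print(f"{summary['total']} CIS findings")
    for path, items in sorted(summary["by_file"].items()):
        print(path)
        for item in items:
            print("  -", item)
```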

Martin West

Jul 10, 2008, 6:55:29 PM
to ossec...@googlegroups.com
On Thu, 2008-07-10 at 16:43 -0300, Daniel Cid wrote:
> I want to hear
> the feedback anyone may have.

Installed and ran ok on

Linux lenovo2 2.6.24-19-server #1 SMP Wed Jun 18 15:18:00 UTC 2008 i686
GNU/Linux

Looks good, Thanks

--
regards
Martin West

Reggie Griffin

Jul 21, 2008, 11:31:33 AM
to ossec...@googlegroups.com
Daniel,

We work with FDCC and CIS. Is there any information regarding the
regular expression syntax in the CIS config files. We use Nessus and
customize there .audit files currently.

-Reggie

autodidactic

May 12, 2015, 7:15:26 PM
to ossec...@googlegroups.com, osse...@ossec.net, ossec...@ossec.net
Are there any updates to this feature or documentation about it? I see very raw documentation in the sample CIS benchmark policy audit files, but it leaves me guessing about some of it. I want to write the policy for the newer CIS benchmarks for EL6 and EL7... any help or pointers to where I can learn more would be helpful...

Also, I'm not sure how to implement a permissions check via this system. Is it possible, or perhaps it is not?

dan (ddp)

May 15, 2015, 8:04:46 AM
to ossec...@googlegroups.com
On Tue, May 12, 2015 at 6:57 PM, autodidactic <theorig...@gmail.com> wrote:
> Are there any updates to this feature or documentation about it? I see very
> raw documentation in the sample CIS benchmark policy audit files, but it leaves
> me guessing about some of it. I want to write the policy for the newer CIS
> benchmarks for EL6 and EL7... any help or pointers to where I can learn more
> would be helpful...
>

I haven't written anything about it, and I haven't looked into it
enough to know the answers.

The O.G.

May 15, 2015, 5:27:10 PM
to ossec...@googlegroups.com
So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system?

dan (ddp)

May 15, 2015, 8:38:19 PM
to ossec...@googlegroups.com


On May 15, 2015 5:27 PM, "The O.G." <theorig...@gmail.com> wrote:
>
> So, does that mean the best way to understand how the system policy audit works is to basically read the source code in rootcheck system?
>

It simply means I cannot answer many questions about it. Reading the source is one way to get a better understanding.
Someone with more knowledge about the topic answering is another way.
I will definitely add this to my (not)short list of things to dig into though.
