CIS benchmark on Oracle Linux 7


Michael Madore

Sep 22, 2018, 10:30:17 AM
to Wazuh mailing list
Hi Everyone,

I have installed the wazuh agent on a number of CentOS 7.5 machines and I receive results of the CIS benchmark for these systems on the manager.  For example:

CIS - RHEL7 - 4.1.1 - Network parameters - IP Forwarding enabled

I also have the agent installed on a system running Oracle Linux 7.5.  On this system the benchmark doesn't run.  The /etc/redhat-release file has the following string:

Red Hat Enterprise Linux Server release 7.5 (Maipo)

There is also /etc/oracle-release which contains:

Oracle Linux Server release 7.5

How does the agent determine if it should run the benchmark?

Thanks,

Mike

Chema Martinez

Sep 24, 2018, 5:16:24 AM
to michael...@gmail.com, Wazuh mailing list
Hi Michael,

It depends on which CIS benchmark the agent is running. Each benchmark file determines its targets by matching the content of the file "/etc/redhat-release" with defined regular expressions.

The benchmark "cis_rhel_linux_rcl.txt" only works for Red Hat and Fedora, as defined in it:

# Main one. Only valid for Red Hat/Fedora.
[CIS - Testing against the CIS Red Hat Enterprise Linux Benchmark v1.0.5] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_RHLinux_Benchmark_v1.0.5.pdf]
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 4;
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 3;
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 2.1;
f:/etc/fedora-release -> r:^Fedora && r:release 1;
f:/etc/fedora-release -> r:^Fedora && r:release 2;
f:/etc/fedora-release -> r:^Fedora && r:release 3;
f:/etc/fedora-release -> r:^Fedora && r:release 4;
f:/etc/fedora-release -> r:^Fedora && r:release 5;

However, the benchmark "cis_rhel7_linux_rcl.txt" should work for Oracle Linux, as defined in it:

[CIS - Testing against the CIS Red Hat Enterprise Linux 7 Benchmark v1.1.0] [any required] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;
f:/etc/redhat-release -> r:^CentOS && r:release 7;
f:/etc/redhat-release -> r:^Cloud && r:release 7;
f:/etc/redhat-release -> r:^Oracle && r:release 7;
f:/etc/redhat-release -> r:^Better && r:release 7;
f:/etc/redhat-release -> r:^OpenVZ && r:release 7;

Could you check which benchmark you have set up in your agent configuration file? It should be included with the tag <system_audit>.

Best regards,
Chema.

Chema Martinez | IT Engineer — Wazuh, Inc.
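
Added example, not part of the original messages and not Wazuh code: a small evaluator for the applicability lines quoted above from cis_rhel7_linux_rcl.txt, run against the two release-file strings reported for the Oracle Linux 7.5 host. It assumes that Python's `re` behaves like the agent's regex engine for these particular patterns, that `&&` patterns must all match on the same line, and that `[any required]` is satisfied by a single matching line; the function names are hypothetical.

```python
import re

# Applicability lines quoted in the thread from cis_rhel7_linux_rcl.txt.
RHEL7_RULES = r"""
f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;
f:/etc/redhat-release -> r:^CentOS && r:release 7;
f:/etc/redhat-release -> r:^Cloud && r:release 7;
f:/etc/redhat-release -> r:^Oracle && r:release 7;
f:/etc/redhat-release -> r:^Better && r:release 7;
f:/etc/redhat-release -> r:^OpenVZ && r:release 7;
"""

# File contents reported in the thread for the Oracle Linux 7.5 host.
ORACLE_HOST = {
    "/etc/redhat-release": "Red Hat Enterprise Linux Server release 7.5 (Maipo)",
    "/etc/oracle-release": "Oracle Linux Server release 7.5",
}

def parse_rule(line):
    """Split 'f:<path> -> r:<re> && r:<re>;' into (path, [regex, ...])."""
    target, _, tests = line.strip().rstrip(";").partition(" -> ")
    if not target.startswith("f:") or not tests:
        raise ValueError("not a file rule: %r" % line)
    patterns = []
    for test in tests.split(" && "):
        if not test.startswith("r:"):
            raise ValueError("only r: tests are handled: %r" % test)
        patterns.append(test[2:])
    return target[2:], patterns

def rule_matches(line, files):
    """True if one line of the file satisfies every r: pattern (assumption)."""
    path, patterns = parse_rule(line)
    content = files.get(path)
    if content is None:  # a missing file can never satisfy the rule
        return False
    return any(all(re.search(p, text) for p in patterns)
               for text in content.splitlines())

def matching_rules(rules_text, files):
    """Return the rule lines that match; '[any required]' needs at least one."""
    lines = [l for l in rules_text.splitlines() if l.strip()]
    return [l for l in lines if rule_matches(l, files)]

if __name__ == "__main__":
    for hit in matching_rules(RHEL7_RULES, ORACLE_HOST):
        print("matched:", hit)
```

With the strings from the thread, the only line that matches is the `^Red Hat Enterprise Linux \S+ release 7` one; the `^Oracle` line reads /etc/redhat-release, not /etc/oracle-release, so it does not fire on this host.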

