CIS Benchmark can't reach 100%


Arby Malabo

Mar 4, 2024, 2:48:34 AM
to Wazuh | Mailing List
Hello,

I can't seem to reach 100%, or even at least 80%, in my CIS benchmark. Even though I have followed the directions on how to enable the settings to meet the requirements, it is still reflected in the dashboard as failed.

Please help, it is one of my selling points to the team to approve Wazuh as our SIEM.

My agent is installed on macOS 14 Sonoma and my Wazuh is v4.7.2.

Antonio David Gutiérrez

Mar 4, 2024, 3:23:32 AM
to Wazuh | Mailing List
Hi Arby,

I am not sure what you are referring to.

Are you talking about reaching 100% or 80% of passed checks in a Security Configuration Assessment policy? In this case, some check details could give information about the remediation to pass it; this could indicate how to solve the configuration problem. If you are not talking about this feature of Wazuh, could you elaborate on what you are referring to?

Arby Malabo

Mar 4, 2024, 11:59:27 PM
to Antonio David Gutiérrez, Wazuh | Mailing List
Hi,

Yes, I want to reach a passing mark on the Security Configuration Assessment policy. I did follow how to remediate the configuration problems, but the status is still failed, even though manual checking/running the script says that I meet the requirements.

Sample:
Screenshot 2024-03-05 at 12.56.04 PM.png

Screenshot 2024-03-05 at 12.57.11 PM.png

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a33e359c-6216-4891-be50-e600a5e17d39n%40googlegroups.com.

Antonio David Gutiérrez

Mar 5, 2024, 2:33:32 AM
to Wazuh | Mailing List
Hi, thank you so much for clarifying the context.

Regarding the check with ID 34025 that you displayed in the last message, I guess the SCA policy that was executed could be cis_apple_macOS_14.0.yml.

According to the check with ID 34025, the definition has 2 rules that both should pass to consider the result of the check as passed. Reference: https://github.com/wazuh/wazuh/blob/v4.7.2/ruleset/sca/darwin/23/cis_apple_macOS_14.0.yml#L595-L620.

The rules for this check are:

- "c:fdesetup status -> r:^FileVault is On"
This executes the command:
fdesetup status
then tries to match, in the output of the command, the text starting with
FileVault is On

- 'c:osascript -l JavaScript -e "osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''dontAllowFDEDisable'')" -> r:^0$'
This executes the command:
osascript -l JavaScript -e "osascript -l JavaScript -e "$.NSUserDefaults.alloc.initWithSuiteName(''com.apple.MCX'').objectForKey(''dontAllowFDEDisable'')"
then tries to match, in the output, a literal line:
0

According to the condition "all", both conditions have to pass to consider the check with ID 34025 as passed.

1. Could you check that both are passing? Could you run and share the output of the commands on the host that is not passing that check?
2. Could you indicate the name of the SCA policy and details about the operating system that is using it?

References:
- Security Configuration Assessment: https://documentation.wazuh.com/4.7/user-manual/capabilities/sec-config-assessment/index.html

Randy Schultz

Mar 5, 2024, 5:35:26 AM
to Wazuh | Mailing List
I'm wondering if there's an issue with the Wazuh agent and macOS 14.3.1 (Sonoma). After upgrading to Sonoma, SCA seems to have stopped working and the agent shows Disconnected even though the system has access to Wazuh. Has Sonoma been tested and verified to work?

Antonio David Gutiérrez

Mar 6, 2024, 3:10:15 AM
to Wazuh | Mailing List
Hi Randy, regarding your question, macOS 14.3.1 (Sonoma) should be supported.

Some issue references:
https://github.com/wazuh/wazuh/issues/17148
https://github.com/wazuh/wazuh/issues/20992

If the agent shows as disconnected, check:
- The Wazuh agent is running
- The Wazuh agent host can connect to the Wazuh server host
- The Wazuh agent logs. These could indicate the cause of the connection problem or of the SCA problem.

Arby Malabo

Mar 10, 2024, 11:07:59 PM
to Antonio David Gutiérrez, Wazuh | Mailing List
Hello,

If Wazuh can't (automatically) correctly determine a failed SCA check to be passed, can I, as an admin, edit the status, since I verified manually that the SCA check indeed passes the requirements? In my case, enabling FileVault.


Antonio David Gutiérrez

Mar 11, 2024, 4:02:19 AM
to Wazuh | Mailing List
Hi Arby,

Editing the SCA checks is not the way the SCA module is expected to work. The results of the checks are stored in the database on the Wazuh agent hosts and Wazuh servers: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-it-works.html#how-sca-works. Maybe you could edit these values so that the displayed value is the desired one. You should take into account that the SCA module has scheduled runs, so the previous value could be overwritten if you managed to edit it previously. As you can see, administrators should not have to edit these values.

If you want the SCA module to check that FileVault is enabled, you should review the reason why the check defined in the SCA policy is failing. If your manual check using the commands defined in the SCA check passes, then it could indicate a bug in the SCA module or in a condition in the SCA policy that should be solved. Could you provide evidence that the check is failing? If you consider there is a problem in the SCA module, you could open a new issue here: https://github.com/wazuh/wazuh/issues/new?assignees=&labels=&projects=&template=default.md&title=

In case you don't need the check that FileVault is enabled, you could create a custom SCA policy with the checks you want and configure the affected Wazuh agents to run this custom policy instead of the built-in one.
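Added example (not Wazuh's code and not written by anyone in this thread): a small Python re-implementation of the evaluation semantics described earlier for check 34025 (each "c:" rule runs a command, the "r:" regex is applied to the output line by line, and the check's condition "all" requires every rule to pass), structured like the keys a custom SCA policy check would carry (id, title, condition, rules). The two rule strings are the ones quoted in the thread; the check title, the "null" output for the unmanaged MCX key, and the runner functions are assumptions constructed for the example. Running it offline against the constructed outputs shows why enabling FileVault alone is not enough: the first rule passes, the second has no line matching ^0$, and "condition: all" marks the whole check failed.

```python
import re
import subprocess

# Added example (not Wazuh's code). It re-implements, in simplified form, the
# evaluation logic described in the thread for SCA check 34025: every "c:" rule
# runs a command and applies an "r:" regex to the output line by line, and the
# check's "condition" (all / any / none) combines the rule results.
# Caveat: the real SCA module uses Wazuh's own OSRegex engine, which Python's
# `re` only approximates for simple anchored patterns such as those below.

# The two rule strings quoted in the thread (the YAML '' escape written as ').
RULE_FILEVAULT = "c:fdesetup status -> r:^FileVault is On"
RULE_MCX = (
    'c:osascript -l JavaScript -e "osascript -l JavaScript -e "'
    "$.NSUserDefaults.alloc.initWithSuiteName('com.apple.MCX')"
    ".objectForKey('dontAllowFDEDisable')\" -> r:^0$"
)

# Constructed check mirroring the keys a custom SCA policy YAML check carries
# (id, title, condition, rules). Only the id and the rules come from the thread.
CHECK_34025 = {
    "id": 34025,
    "title": "Ensure FileVault is enabled (constructed title)",
    "condition": "all",
    "rules": [RULE_FILEVAULT, RULE_MCX],
}


def parse_rule(rule):
    """Split 'c:<command> -> r:<regex>' (optionally prefixed with 'not ')."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    lhs, sep, rhs = body.rpartition(" -> ")
    if not sep or not lhs.startswith("c:") or not rhs.startswith("r:"):
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return negate, lhs[2:], rhs[2:]


def evaluate_rule(rule, runner):
    """True when at least one output line of the command matches the regex."""
    negate, command, pattern = parse_rule(rule)
    regex = re.compile(pattern)
    output = runner(command)
    matched = any(regex.search(line) for line in output.splitlines())
    return matched != negate  # a 'not ' rule passes when nothing matches


def evaluate_check(check, runner):
    """Combine the per-rule results with the check's condition."""
    results = {rule: evaluate_rule(rule, runner) for rule in check["rules"]}
    combine = {"all": all, "any": any, "none": lambda r: not any(r)}
    passed = combine[check["condition"]](results.values())
    return {"id": check["id"], "result": "passed" if passed else "failed",
            "rules": results}


def make_runner(outputs):
    """Offline runner: returns constructed command output keyed by command."""
    return lambda command: outputs[command]


def live_runner(command):
    """Runs a policy command on the host (macOS). Only use with policy text
    you trust, since the command string is executed through the shell."""
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True).stdout


FV_CMD = parse_rule(RULE_FILEVAULT)[1]
MCX_CMD = parse_rule(RULE_MCX)[1]

# Constructed outputs. Scenario A: FileVault on and the MCX key reports 0.
OUTPUTS_ALL_PASS = {FV_CMD: "FileVault is On.\n", MCX_CMD: "0\n"}
# Scenario B: FileVault on, but the managed-preference key is absent, so the
# second rule has no line matching ^0$ and "condition: all" fails the check.
# (The "null" line is an assumed value, not taken from the thread.)
OUTPUTS_MCX_UNSET = {FV_CMD: "FileVault is On.\n", MCX_CMD: "null\n"}


if __name__ == "__main__":
    for name, outputs in (("all pass", OUTPUTS_ALL_PASS),
                          ("MCX key unset", OUTPUTS_MCX_UNSET)):
        report = evaluate_check(CHECK_34025, make_runner(outputs))
        print(name, "->", report["result"])
        for rule, ok in report["rules"].items():
            print("   ", "PASS" if ok else "FAIL", rule[:60])
```

On a real agent host the same evaluator can be pointed at live_runner instead of make_runner to reproduce what the SCA scan sees for the two commands, which is the evidence the thread asks for before deciding whether the policy condition or the module is at fault.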