Marking SCAP rules you want to "Accept risk"


Kat

May 21, 2018, 1:24:10 PM5/21/18
to Wazuh mailing list
Ok, I have searched through archives and can't find anything - maybe no one else is thinking about this? I doubt that.

If you have a SCAP rule, let's say "/var on unique partition" and on some servers, you are willing to accept that risk, what is the best way to mark it as such so it does not continue to fire on particular hosts forever?

Thanks

Kat

Miguelangel Freitas

May 22, 2018, 5:00:39 PM5/22/18
to Kat, Wazuh mailing list
Hi Kat,

You can create a suppression rule to match with the particular OpenScap check and a Wazuh agent, for example:

<rule id="100100" level="0">
  <if_group>oscap</if_group>
  <field name="oscap.check.id">xccdf_org.ssgproject.content_rule_partition_for_var_log</field>
  <hostname><agent_name></hostname>
  <description>Suppress OpenScap fail.</description>
</rule>

Every OpenScap check has its own id, and Wazuh decodes that id into the oscap.check.id field. In conjunction with the <hostname> field, you can suppress alerts for a specific agent. The ossec-logtest output using the above rule will be as follows:

**Phase 1: Completed pre-decoding.
       full event: 'oscap: msg: "xccdf-result", scan-id: "0001526941137", content: "ssg-centos-7-ds.xml", title: "Ensure /var/log Located On Separate Partition", id: "xccdf_org.ssgproject.content_rule_partition_for_var_log", result: "fail", severity: "low", description: "System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.", rationale: "Placing /var/log in its own partition enables better separation between log files and other files in /var/." references: "AU-9 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-32 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf),  (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1.1.11 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)", identifiers: "", oval-id: "oval:ssg-partition_for_var_log:def:1", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-7", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Systems".'
       timestamp: '(null)'
       hostname: '<agent_name>'
       program_name: '(null)'
       log: 'oscap: msg: "xccdf-result", scan-id: "0001526941137", content: "ssg-centos-7-ds.xml", title: "Ensure /var/log Located On Separate Partition", id: "xccdf_org.ssgproject.content_rule_partition_for_var_log", result: "fail", severity: "low", description: "System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.", rationale: "Placing /var/log in its own partition enables better separation between log files and other files in /var/." references: "AU-9 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf), SC-32 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf),  (http://iase.disa.mil/stigs/cci/Pages/index.aspx), 1.1.11 (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf)", identifiers: "", oval-id: "oval:ssg-partition_for_var_log:def:1", benchmark-id: "xccdf_org.ssgproject.content_benchmark_RHEL-7", profile-id: "xccdf_org.ssgproject.content_profile_common", profile-title: "Common Profile for General-Purpose Systems".'

**Phase 2: Completed decoding.
       decoder: 'oscap'
       oscap.scan.id: '0001526941137'
       oscap.scan.content: 'ssg-centos-7-ds.xml'
       oscap.check.title: 'Ensure /var/log Located On Separate Partition'
       oscap.check.id: 'xccdf_org.ssgproject.content_rule_partition_for_var_log'
       oscap.check.result: 'fail'
       oscap.check.severity: 'low'
       oscap.check.description: 'System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.'
       oscap.check.rationale: 'Placing /var/log in its own partition enables better separation between log files and other files in /var/.'
       oscap.check.identifiers: ''
       oscap.check.oval.id: 'oval:ssg-partition_for_var_log:def:1'
       oscap.scan.benchmark.id: 'xccdf_org.ssgproject.content_benchmark_RHEL-7'
       oscap.scan.profile.id: 'xccdf_org.ssgproject.content_profile_common'
       oscap.scan.profile.title: 'Common Profile for General-Purpose Systems'

**Phase 3: Completed filtering (rules).
       Rule id: '100100'
       Level: '0'
       Description: 'Suppress OpenScap check.'

Events with level 0 will not generate alerts. I hope this helps.

Please do not hesitate to contact us again.

Best Regards,
Miguelangel Freitas.
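As an added example (not part of the thread or of Wazuh itself), the helper below generates level-0 rules in the shape posted above from a small accepted-risk register, and replays a decoded oscap line against that register to confirm which findings would be silenced. The agent names, justifications and the sample event are constructed; the rule id range and group name are assumptions.

```python
"""Build Wazuh level-0 suppression rules for accepted OpenSCAP findings.

Added example, not from the mailing list thread: an accepted-risk register
(XCCDF rule id, Wazuh agent name, reason) is rendered as local_rules.xml
entries, and a decoded oscap event is checked against the same register.
"""
import re
from xml.sax.saxutils import escape

# Constructed register: (XCCDF rule id, Wazuh agent name, justification).
ACCEPTED_RISKS = [
    ("xccdf_org.ssgproject.content_rule_partition_for_var_log", "web-01",
     "single-disk VM; logs are forwarded to the manager"),
    ("xccdf_org.ssgproject.content_rule_partition_for_var", "db-02",
     "vendor appliance image, partition layout is fixed"),
]
XCCDF_RULE_ID = re.compile(r"^xccdf_[\w.-]+_rule_[\w.-]+$")
# Constructed oscap line in the key: "value" format shown in Phase 1 above.
SAMPLE_LOG = ('oscap: msg: "xccdf-result", scan-id: "0001526941137", '
              'id: "xccdf_org.ssgproject.content_rule_partition_for_var_log", '
              'result: "fail", severity: "low"')


def build_rules(register, first_id=100100):
    """Render one level-0 rule per register entry (first_id is an assumption)."""
    out = ['<group name="oscap,accepted_risk,">']
    for n, (check_id, agent, why) in enumerate(register):
        if not XCCDF_RULE_ID.match(check_id):
            raise ValueError(f"not an XCCDF rule id: {check_id}")
        out += [f'  <rule id="{first_id + n}" level="0">',
                '    <if_group>oscap</if_group>',
                f'    <field name="oscap.check.id">{escape(check_id)}</field>',
                # ^ and $ keep "web-01" from also silencing "web-010".
                f'    <hostname>^{escape(agent)}$</hostname>',
                f'    <description>Accepted risk: {escape(why)}</description>',
                '  </rule>']
    out.append('</group>')
    return "\n".join(out)


def decode_oscap(log):
    """Extract the key: "value" pairs of an oscap result line into a dict."""
    return dict(re.findall(r'([a-z-]+): "([^"]*)"', log))


def is_suppressed(log, agent, register):
    """True when the event's check id and agent match a register entry."""
    check_id = decode_oscap(log).get("id")
    return any(cid == check_id and host == agent for cid, host, _ in register)
```

Paste the output of build_rules() into local_rules.xml and confirm with ossec-logtest, as in the Phase 3 output above, that the target event now matches a level-0 rule.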


Kat

May 22, 2018, 5:51:21 PM5/22/18
to Miguelangel Freitas, Wazuh mailing list
Looks like I may start work on a feature to make this more automatic. :)