System Audit CIS - RHEL7 - 1.6.1


Marcio Costa

Apr 26, 2017, 9:19:33 AM4/26/17
to Wazuh mailing list
Hello guys.

On my server, under Kibana -> Wazuh APP -> Dashboard -> CIS Compliance, I see this CIS alert:

System Audit: CIS - RHEL7 - 1.6.1 - Randomized Virtua Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}. File: /proc/sys/kernel/randomize_va_space. Reference: https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf


But my file is correct, using the default value:

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

# cat /proc/sys/kernel/randomize_va_space
2


In /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt I see:

# 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored)
# Note this is also labeled 1.6.1 in the CIS benchmark.
[CIS - RHEL7 - 1.6.1 - Randomized Virtua Memory Region Placement not enabled  {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]
f:/proc/sys/kernel/randomize_va_space -> 2;

Checking the document at https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf, page #39, I see the correct value (kernel.randomize_va_space = 2).

What could be wrong?

Thank you for any help.

Jesus Linares

Apr 27, 2017, 5:40:33 AM4/27/17
to Wazuh mailing list
Enable Randomized Virtual Memory Region Placement

Audit:

# sysctl kernel.randomize_va_space
kernel.randomize_va_space = 2

So the rootcheck must check whether /proc/sys/kernel/randomize_va_space is different from '2', but right now it is checking whether it is exactly '2'.


The check must be:

# 1.6.1 Enable Randomized Virtual Memory Region Placement (Scored)
# Note this is also labeled 1.6.1 in the CIS benchmark.
[CIS - RHEL7 - 1.6.1 - Randomized Virtua Memory Region Placement not enabled  {CIS: 1.6.3 RHEL7}] [any] [https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf]

f:/proc/sys/kernel/randomize_va_space -> !r:^2$;


Thanks for your feedback.
Regards.
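Editor's added example, not part of this thread and not Wazuh's own code: a small Python model of how a rootcheck `f:` file check is evaluated, run over constructed sample contents for /proc/sys/kernel/randomize_va_space on three hosts (ASLR off, partial, full). It shows why the original entry (`-> 2;`) fires exactly on the compliant host while the corrected entry (`-> !r:^2$;`) fires only on the non-compliant ones. The matching rules implemented here (`!` negation, `r:` regex, `=:` exact line, bare substring) are a simplified approximation using Python's `re`; the real rootcheck uses OSSEC's own regex engine, so treat the matcher as an assumption.

```python
import re

# Constructed sample contents standing in for /proc/sys/kernel/randomize_va_space
# on three hosts: ASLR disabled (0), stack/mmap only (1), full randomization (2).
SAMPLE_HOSTS = {
    "host-aslr-off": {"/proc/sys/kernel/randomize_va_space": "0\n"},
    "host-aslr-partial": {"/proc/sys/kernel/randomize_va_space": "1\n"},
    "host-aslr-full": {"/proc/sys/kernel/randomize_va_space": "2\n"},
}

# The two check lines discussed in the thread.
ORIGINAL_CHECK = "f:/proc/sys/kernel/randomize_va_space -> 2;"
CORRECTED_CHECK = "f:/proc/sys/kernel/randomize_va_space -> !r:^2$;"


def parse_file_check(check_line):
    """Split 'f:PATH -> PATTERN;' into (path, pattern)."""
    body = check_line.strip().rstrip(";")
    if not body.startswith("f:") or " -> " not in body:
        raise ValueError("not a file check: %r" % check_line)
    path, pattern = body[2:].split(" -> ", 1)
    return path.strip(), pattern.strip()


def pattern_matches(line, pattern):
    """Simplified model of rootcheck pattern matching for one file line.
    A leading '!' negates the result; 'r:' is a regex search; '=:' is an
    exact line match; a bare pattern is a substring match.
    Assumption: the real engine uses OSSEC's own regex syntax, not Python re."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("r:"):
        hit = re.search(pattern[2:], line) is not None
    elif pattern.startswith("=:"):
        hit = line == pattern[2:]
    else:
        hit = pattern in line
    return hit != negate


def check_fires(check_line, files):
    """Return True when the check would raise an alert, i.e. when any line of
    the target file satisfies the pattern. rootcheck alerts on a MATCH, so a
    compliance entry has to describe the non-compliant state, not the good one."""
    path, pattern = parse_file_check(check_line)
    content = files.get(path)
    if content is None:
        return False  # missing file: nothing to match against
    return any(pattern_matches(line, pattern) for line in content.splitlines())


def evaluate_fleet(check_line, hosts=SAMPLE_HOSTS):
    """Map host name -> whether the alert would fire on that host."""
    return {name: check_fires(check_line, files) for name, files in hosts.items()}


if __name__ == "__main__":
    for label, check in (("original", ORIGINAL_CHECK), ("corrected", CORRECTED_CHECK)):
        print(label, evaluate_fleet(check))
```

Running it prints that the original entry fires only on host-aslr-full (the compliant box, which is the false positive Marcio saw), while the corrected entry fires on host-aslr-off and host-aslr-partial and stays quiet on host-aslr-full.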

Marcio Costa

Apr 27, 2017, 9:43:32 AM4/27/17
to Wazuh mailing list
Hello Jesus!

Thank you for the reply.
Let me ask one more thing:
I'm running "/var/ossec/bin/update_ruleset.py -f -r -d", but I still have the same 'old' version of the file /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt, without the corrections.

Do I need to wait some time for the rules file to be updated on git?

Let me attach the output:

#/var/ossec/bin/update_ruleset.py -f -r -d
DEBUG: Arguments: {'force': True, 'source': 'download', 'json': False, 'ossec_path': '/var/ossec', 'debug': True, 'backups': False, 'restart': True}
### Wazuh ruleset ###

The following rules will be updated:
    0010-rules_config.xml
    0015-ossec_rules.xml
    0020-syslog_rules.xml
    0025-sendmail_rules.xml
    0030-postfix_rules.xml
    0035-spamd_rules.xml
    0040-imapd_rules.xml
    0045-mailscanner_rules.xml
    0050-ms-exchange_rules.xml
    0055-courier_rules.xml
    0060-firewall_rules.xml
    0065-pix_rules.xml
    0070-netscreenfw_rules.xml
    0075-cisco-ios_rules.xml
    0080-sonicwall_rules.xml
    0085-pam_rules.xml
    0090-telnetd_rules.xml
    0095-sshd_rules.xml
    0100-solaris_bsm_rules.xml
    0105-asterisk_rules.xml
    0110-ms_dhcp_rules.xml
    0115-arpwatch_rules.xml
    0120-symantec-av_rules.xml
    0125-symantec-ws_rules.xml
    0130-trend-osce_rules.xml
    0135-hordeimp_rules.xml
    0140-roundcube_rules.xml
    0145-wordpress_rules.xml
    0150-cimserver_rules.xml
    0155-dovecot_rules.xml
    0160-vmpop3d_rules.xml
    0165-vpopmail_rules.xml
    0170-ftpd_rules.xml
    0175-proftpd_rules.xml
    0180-pure-ftpd_rules.xml
    0185-vsftpd_rules.xml
    0190-ms_ftpd_rules.xml
    0195-named_rules.xml
    0200-smbd_rules.xml
    0205-racoon_rules.xml
    0210-vpn_concentrator_rules.xml
    0215-policy_rules.xml
    0220-msauth_rules.xml
    0225-mcafee_av_rules.xml
    0230-ms-se_rules.xml
    0235-vmware_rules.xml
    0240-ids_rules.xml
    0245-web_rules.xml
    0250-apache_rules.xml
    0255-zeus_rules.xml
    0260-nginx_rules.xml
    0265-php_rules.xml
    0270-web_appsec_rules.xml
    0275-squid_rules.xml
    0280-attack_rules.xml
    0285-systemd_rules.xml
    0290-firewalld_rules.xml
    0295-mysql_rules.xml
    0300-postgresql_rules.xml
    0305-dropbear_rules.xml
    0310-openbsd_rules.xml
    0315-apparmor_rules.xml
    0320-clam_av_rules.xml
    0325-opensmtpd_rules.xml
    0330-sysmon_rules.xml
    0335-unbound_rules.xml
    0340-puppet_rules.xml
    0345-netscaler_rules.xml
    0350-amazon_rules.xml
    0355-amazon-ec2_rules.xml
    0360-serv-u_rules.xml
    0365-auditd_rules.xml
    0370-amazon-iam_rules.xml
    0375-usb_rules.xml
    0380-redis_rules.xml
    0385-oscap_rules.xml
    0390-fortigate_rules.xml
    0395-hp_rules.xml
    0400-openvpn_rules.xml
    0405-rsa-auth-manager_rules.xml
    0410-imperva_rules.xml
    0415-sophos_rules.xml
    0420-freeipa_rules.xml
    0425-cisco-estreamer_rules.xml

The following rootchecks will be updated:
    cis_debian_linux_rcl.txt
    cis_rhel5_linux_rcl.txt
    cis_rhel6_linux_rcl.txt
    cis_rhel7_linux_rcl.txt
    cis_rhel_linux_rcl.txt
    cis_sles11_linux_rcl.txt
    cis_sles12_linux_rcl.txt
    rootkit_files.txt
    rootkit_trojans.txt
    system_audit_rcl.txt
    system_audit_ssh.txt
    win_applications_rcl.txt
    win_audit_rcl.txt
    win_malware_rcl.txt

The following decoders will be updated:
    0010-active-response_decoders.xml
    0015-aix-ipsec_decoders.xml
    0020-amazon_decoders.xml
    0025-apache_decoders.xml
    0030-arpwatch_decoders.xml
    0035-asterisk_decoders.xml
    0040-auditd_decoders.xml
    0045-barracuda_decoders.xml
    0050-checkpoint_decoders.xml
    0055-cimserver_decoders.xml
    0060-cisco-estreamer_decoders.xml
    0065-cisco-ios_decoders.xml
    0070-cisco-vpn_decoders.xml
    0075-clamav_decoders.xml
    0080-courier_decoders.xml
    0085-dovecot_decoders.xml
    0090-dragon-nids_decoders.xml
    0095-dropbear_decoders.xml
    0100-fortigate_decoders.xml
    0105-freeipa_decoders.xml
    0110-ftpd_decoders.xml
    0115-grandstream_decoders.xml
    0120-horde_decoders.xml
    0125-hp_decoders.xml
    0130-imapd_decoders.xml
    0135-imperva_decoders.xml
    0140-kernel_decoders.xml
    0145-mailscanner_decoders.xml
    0150-mysql_decoders.xml
    0155-named_decoders.xml
    0160-netscaler_decoders.xml
    0165-netscreen_decoders.xml
    0170-nginx_decoders.xml
    0175-ntpd_decoders.xml
    0180-openbsd_decoders.xml
    0185-openldap_decoders.xml
    0190-openvpn_decoders.xml
    0195-oscap_decoders.xml
    0200-ossec_decoders.xml
    0205-pam_decoders.xml
    0210-pix_decoders.xml
    0215-portsentry_decoders.xml
    0220-postfix_decoders.xml
    0225-postgresql_decoders.xml
    0230-proftpd_decoders.xml
    0235-puppet_decoders.xml
    0240-pure-ftpd_decoders.xml
    0245-racoon_decoders.xml
    0250-redis_decoders.xml
    0255-roundcube_decoders.xml
    0260-rsa-auth-manager_decoders.xml
    0265-rshd_decoders.xml
    0270-samba_decoders.xml
    0275-sendmail_decoders.xml
    0280-serv-u_decoders.xml
    0285-snort_decoders.xml
    0290-solaris_decoders.xml
    0295-sonicwall_decoders.xml
    0300-sophos_decoders.xml
    0305-squid_decoders.xml
    0310-ssh_decoders.xml
    0315-su_decoders.xml
    0320-sudo_decoders.xml
    0325-suhosin_decoders.xml
    0330-symantec_decoders.xml
    0335-telnet_decoders.xml
    0340-trend-osce_decoders.xml
    0345-unbound_decoders.xml
    0350-unix_decoders.xml
    0355-vm-pop3_decoders.xml
    0360-vmware_decoders.xml
    0365-vpopmail_decoders.xml
    0370-vsftpd_decoders.xml
    0375-web-accesslog_decoders.xml
    0380-windows_decoders.xml
    0385-wordpress_decoders.xml
    0390-zeus_decoders.xml

OSSEC requires a restart to apply changes.
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
Killing wazuh-modulesd ..
Wazuh v2.0 Stopped
Starting Wazuh v2.0 (maintained by Wazuh Inc.)...
Started wazuh-modulesd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

Ruleset 2.0 updated to 2.0 successfully

Jesus Linares

Apr 27, 2017, 11:05:09 AM4/27/17
to Wazuh mailing list
Hi Marcio,

The script downloads the new ruleset from the stable branch, which is updated when we release a new version.

If you want to install the ruleset that you see in master/development branch, clone the repository and call the script with the argument --source path_repository.

Regards.

Marcio Costa

May 2, 2017, 1:04:32 PM5/2/17
to Wazuh mailing list
Hi Jesus.
Works!
Thank you.