CIS benchmark for Ubuntu Linux 20.04 LTS (Does not work as expected)


Scott E. MacKenzie

Jul 12, 2022, 7:55:07 PM
to Wazuh mailing list
Problem:
The CIS benchmark for Ubuntu Linux 20.04 LTS on an AWS Marketplace Wazuh install (server), with wazuh-agent installed on a remote test server (below) according to the guide, does not report the actual system state correctly upon audit.

Remote Test Server Information
Linux thinktank 5.4.0-1080-aws-fips #87+fips1-Ubuntu SMP Fri Jun 10 20:13:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Distributor ID:    Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:    20.04
Codename:    focal

Wazuh reports the below findings, which manually "pass" but Wazuh shows as "failed". Examples provided below:

Wazuh reports
19093  Ensure iptables-persistent is not installed.  Command: dpkg -s iptables-persistent  failed

Rationale: Running both ufw and the services included in the iptables-persistent package may lead to conflict.

Manual check:
Is ufw installed?

Checks (Condition: all)
  • c:dpkg -s ufw -> r:Status: install ok installed
  • not c:dpkg -s iptables-persistent -> r:Status: install ok installed
thinktank:~$ sudo dpkg -s ufw
dpkg-query: package 'ufw' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.

thinktank:~$ sudo dpkg -s iptables-persistent
Package: iptables-persistent
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 49
Maintainer: Ubuntu Developers <ubuntu-dev...@lists.ubuntu.com>
Architecture: all
Version: 1.0.14ubuntu1
Depends: netfilter-persistent (= 1.0.14ubuntu1), debconf (>= 0.5) | debconf-2.0
Pre-Depends: iptables
Conffiles:
 /etc/systemd/system/netfilter-persistent.service.d/iptables.conf 6086e64821392da68277639fd6557f60
Description: boot-time loader for netfilter rules, iptables plugin
 netfilter-persistent is a loader for netfilter configuration using a
 plugin-based architecture.
 .
 This package contains the iptables and ip6tables plugins.
Original-Maintainer: gustavo panizzo <g...@zumbi.com.ar>

This is happening on 15 rules (to be 100% clean). Using this as an example, does anyone have any ideas what "bug" or "issue" would be causing incorrect reporting with a nearly default clean install of AWS Marketplace Wazuh + clean Ubuntu instance?

We are testing Wazuh, and it concerns the team that we cannot count on baseline reports. Or is this expected and anticipated?

The other question is about the CIS benchmark for Ubuntu Linux 20.04 LTS provided. There are actually 2 baselines for servers: Level 1 and Level 2. Which one is provided as default, and would it be a good idea to provide both or indicate clearly which one this is?

Thanks in advance on any input or guidance.

We love the tool thus far, but would feel more confident if "baselines" were accurate and worked out of the box.

Scott
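An added illustration, not part of this thread and not Wazuh's own SCA code: a minimal re-implementation of the quoted rule syntax (`c:` command, `r:` regex, leading `not`, `Condition: all`) evaluated against constructed `dpkg -s` output for all four package states. The "ufw-conditional" variant is a hypothetical rewrite expressing "fail only when ufw and iptables-persistent are both installed"; it is an assumption for comparison, not a fix Wazuh published.

```python
import re

# Constructed stand-ins for 'dpkg -s' output (not captured from a real host).
INSTALLED = "Package: {pkg}\nStatus: install ok installed\n"
ABSENT = "dpkg-query: package '{pkg}' is not installed and no information is available\n"

def dpkg_outputs(ufw_installed, ipt_installed):
    """Map each c: command to its constructed stdout for a given package state."""
    return {
        "dpkg -s ufw": (INSTALLED if ufw_installed else ABSENT).format(pkg="ufw"),
        "dpkg -s iptables-persistent":
            (INSTALLED if ipt_installed else ABSENT).format(pkg="iptables-persistent"),
    }

def eval_rule(rule, outputs):
    """One rule '[not ]c:<command> -> r:<regex>': true when the regex matches a line
    of the command output; a leading 'not' inverts the result."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    cmd, pattern = body[len("c:"):].split(" -> r:", 1)
    matched = any(re.search(pattern, line) for line in outputs.get(cmd, "").splitlines())
    return matched != negate          # XOR with the negation flag

def eval_check(condition, rules, outputs):
    """Combine rule results under the check condition; True means the check passed."""
    results = [eval_rule(r, outputs) for r in rules]
    return all(results) if condition == "all" else any(results)

UFW_INSTALLED = "c:dpkg -s ufw -> r:Status: install ok installed"
IPT_INSTALLED = "c:dpkg -s iptables-persistent -> r:Status: install ok installed"

# Check 19093 exactly as quoted: Condition all, so ufw MUST be installed and
# iptables-persistent must NOT be. A host with neither package therefore fails too.
AS_WRITTEN = ("all", [UFW_INSTALLED, "not " + IPT_INSTALLED])

# Hypothetical rewrite (assumption): pass when ufw is absent OR iptables-persistent is absent.
UFW_CONDITIONAL = ("any", ["not " + UFW_INSTALLED, "not " + IPT_INSTALLED])

def outcome_table(check):
    """(ufw_installed, ipt_installed) -> 'passed' / 'failed' for all four states."""
    condition, rules = check
    return {(u, i): "passed" if eval_check(condition, rules, dpkg_outputs(u, i)) else "failed"
            for u in (False, True) for i in (False, True)}

if __name__ == "__main__":
    for name, check in (("as written", AS_WRITTEN), ("ufw-conditional", UFW_CONDITIONAL)):
        print(name)
        for (ufw, ipt), result in outcome_table(check).items():
            print(f"  ufw={'yes' if ufw else 'no':3} iptables-persistent={'yes' if ipt else 'no':3} -> {result}")
```

The state reported from thinktank (ufw absent, iptables-persistent present) fails under the rule as written, and so does a host with neither package installed, because `Condition: all` makes "ufw installed" a requirement rather than a precondition.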
elw...@wazuh.com

Jul 13, 2022, 2:40:38 AM
to Wazuh mailing list
Hello Scott,

Thanks for using Wazuh and glad you are loving the experience so far.

Regarding your questions: we use the benchmarks from https://downloads.cisecurity.org/#/ as a baseline to create the SCA policies for Wazuh, and for this specific check the result seems to be the expected one, as iptables-persistent should not be installed (which is not the case on your server) to have a pass result.

[Attached image: image (150).png]

On a side note, we usually make manual test iterations over the SCA policies before releasing them, as is the case for the upcoming ones, as you can find here: https://github.com/wazuh/wazuh/issues?q=is%3Aissue+is%3Aopen+sca+policies+tests+ . We always urge you to report any issue in our GitHub repo.

Hope this helps.

Regards.
Elwali

Scott E. MacKenzie

Jul 13, 2022, 5:34:51 PM
to Wazuh mailing list
Thanks for the reply, Elwali.

Please read my thread carefully. There are a few problems with your logic.

1. The rules should only "fail" on iptables-persistent when "ufw is installed", which is not the case. This is shown clearly in your image (posted above) and in the latest CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.
2. The rules within CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 are not to be applied "combined". Servers are audited based on Level 1 or Level 2, not both.
3. Are you indicating that Wazuh "combines" the benchmarks into one unified "Wazuh" benchmark and ignores the CIS standards/approach?

Please help me understand your logic.

Thanks in advance,

Scott

Scott E. MacKenzie

Jul 17, 2022, 5:06:45 PM
to Wazuh mailing list
Anyone have any feedback?

Team Wazuh?  Anything?

elw...@wazuh.com

Jul 18, 2022, 4:44:00 AM
to Wazuh mailing list
Hello Scott,

Apologies for the late response as I was verifying this with the proper team.

We do follow the CIS approach and do not combine the levels. However, the mentioned checks need to be fixed; to that end, we have escalated the open issue https://github.com/wazuh/wazuh/issues/14235 to the proper team to tackle it as soon as possible.

Thank you for bringing this to our attention, and we urge you to report any similar issues to our GitHub repo.

Regards,
Wali