Debian Linux 11 SCA policy - checks 1.3 to 1.9 #3827

Closed
72nomada opened this issue Jan 26, 2023 · 9 comments

Comments


72nomada commented Jan 26, 2023

| Target version | Related issue | Related PR |
|---|---|---|
| 4.4.x | #3825 | wazuh/wazuh#16017 |
| Check Id and Name | Status | Extra |
|---|---|---|
| 1.3 Filesystem Integrity Checking | | |
| 1.3.1 Ensure AIDE is installed (Automated) | 🟢 | |
| 1.3.2 Ensure filesystem integrity is regularly checked (Automated) | 🟢 | |
| 1.4 Secure Boot Settings | | |
| 1.4.1 Ensure bootloader password is set (Automated) | 🟢 | |
| 1.4.2 Ensure permissions on bootloader config are configured (Automated) | 🟢 | |
| 1.4.3 Ensure authentication required for single user mode (Automated) | 🟢 | |
| 1.5 Additional Process Hardening | | |
| 1.5.1 Ensure address space layout randomization (ASLR) is enabled (Automated) | | |
| 1.5.2 Ensure prelink is not installed (Automated) | 🟢 | |
| 1.5.3 Ensure Automatic Error Reporting is not enabled (Automated) | 🟢 | |
| 1.5.4 Ensure core dumps are restricted (Automated) | 🟢 | |
| 1.6 Mandatory Access Control | | |
| 1.6.1 Configure AppArmor | | |
| 1.6.1.1 Ensure AppArmor is installed (Automated) | 🟢 | |
| 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration (Automated) | 🟢 | |
| 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated) | 🟢 | |
| 1.6.1.4 Ensure all AppArmor Profiles are enforcing (Automated) | 🟢 | |
| 1.7 Command Line Warning Banners | | |
| 1.7.1 Ensure message of the day is configured properly (Automated) | 🟢 | |
| 1.7.2 Ensure local login warning banner is configured properly (Automated) | 🟢 | |
| 1.7.3 Ensure remote login warning banner is configured properly (Automated) | 🟢 | |
| 1.7.4 Ensure permissions on /etc/motd are configured (Automated) | 🟢 | |
| 1.7.5 Ensure permissions on /etc/issue are configured (Automated) | 🟢 | |
| 1.7.6 Ensure permissions on /etc/issue.net are configured (Automated) | 🟢 | |
| 1.8 GNOME Display Manager | | |
| 1.8.1 Ensure GNOME Display Manager is removed (Automated) | 🟢 | |
| 1.8.2 Ensure GDM login banner is configured (Automated) | | |
| 1.8.3 Ensure GDM disable-user-list option is enabled (Automated) | | |
| 1.8.4 Ensure GDM screen locks when the user is idle (Automated) | | |
| 1.8.5 Ensure GDM screen locks cannot be overridden (Automated) | | |
| 1.8.6 Ensure GDM automatic mounting of removable media is disabled (Automated) | | |
| 1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) | | |
| 1.8.8 Ensure GDM autorun-never is enabled (Automated) | | |
| 1.8.9 Ensure GDM autorun-never is not overridden (Automated) | | |
| 1.8.10 Ensure XDCMP is not enabled (Automated) | 🟢 | |
| 1.9 Ensure updates, patches, and additional security software are installed (Manual) | 🟢 | |

Threat Intel - @olulekew7

Member

Rebits commented Mar 6, 2023

Tester review

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Debian | 11 | Vagrant | debian/bullseye64 | |

Tested packages

wazuh-manager
wazuh-managerv-4.4.0-1

Status

  • In progress
  • Pending Review
  • QA Manager approved (@jmv74211)
  • Development team leader approved (@72nomada )

Member

Rebits commented Mar 6, 2023

Testing results

Tester PR commit
@Rebits wazuh/wazuh@4fa99c8

1.3.1 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

Unexpected references. No references specified in the CIS policy for this check

  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide
dpkg-query: no packages found matching aide
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide-common
dpkg-query: no packages found matching aide-common
Alert
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29526,"title":"Ensure AIDE is installed.","description":"AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.","rationale":"By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.","remediation":"Install AIDE using the appropriate package manager or manual installation: # apt install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Run the following commands to initialize AIDE: # aideinit # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db.","compliance":{"cis":"1.3.1","cis_csc_v8":"3.14","cis_csc_v7":"14.9","cmmc_v2.0":"AC.L2-3.1.7","hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3.2.1":"10.2.1,11.5","pci_dss_4.0":"10.2.1,10.2.1.1","nist_sp_800-53":"AC-6(9)","soc_2":"CC6.1","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1036,T1036.002,T1036.003,T1036.004,T1036.005,T1565,T1565.001"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide -> r:install ok installed","c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide-common -> r:install ok installed"],"condition":"all","references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' aide","result":"failed"}}
1.3.2 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🔴

Wrong `.` separation between the different paragraphs. Expected:

If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target. Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target. Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🟢
  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.service
enabled
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.service
enabled
root@debian11:/home/vagrant# systemctl is-enabled aidecheck.timer
enabled
root@debian11:/home/vagrant# systemctl status aidecheck.timer
● aidecheck.timer - Aide check every day at 5AM
     Loaded: loaded (/etc/systemd/system/aidecheck.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2023-03-06 13:19:23 UTC; 7min ago
    Trigger: Tue 2023-03-07 05:00:00 UTC; 15h left
   Triggers: ● aidecheck.service

Mar 06 13:19:23 debian11 systemd[1]: Started Aide check every day at 5AM.
root@debian11:/home/vagrant# 
Alert
{"type":"check","id":1897137806,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29527,"title":"Ensure filesystem integrity is regularly checked.","description":"Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.","rationale":"Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.","remediation":"If cron will be used to schedule and run aide check: Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check: Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines: [Unit] Description=Aide Check [Service] Type=simple ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check [Install] WantedBy=multi-user.target . 
Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines: [Unit] Description=Aide check every day at 5AM [Timer] OnCalendar=*-*-* 05:00:00 Unit=aidecheck.service [Install] WantedBy=multi-user.target .Run the following commands: # chown root:root /etc/systemd/system/aidecheck.* # chmod 0644 /etc/systemd/system/aidecheck.* # systemctl daemon-reload # systemctl enable aidecheck.service # systemctl --now enable aidecheck.timer.","compliance":{"cis":"1.3.2","cis_csc_v8":"8.5","cis_csc_v7":"14.9","cmmc_v2.0":"AU.L2-3.3.1","pci_dss_3.2.1":"10.1,10.2.2,10.2.4,10.2.5,10.3","pci_dss_4.0":"9.4.5,10.2,10.2.1,10.2.1.2,10.2.1.5","nist_sp_800-53":"AU-3(1),AU-7","soc_2":"CC5.2,CC7.2","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1036,T1036.002,T1036.003,T1036.004,T1036.005,T1565,T1565.001","mitre_tactics":"TA0040","mitre_mitigations":"M1022"},"rules":["c:systemctl is-enabled aidecheck.service -> r:enabled","c:systemctl is-enabled aidecheck.timer -> r:enabled","c:systemctl status aidecheck.timer -> r:active"],"condition":"any","references":"https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service,https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer","command":"systemctl is-enabled aidecheck.service","result":"passed"}}

1.4.1 🔴

🔴 Unexpected value: default value

  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: 🔴

Replaced : with - in the more information section.
Expected:

More Information: https://help.ubuntu.com/community/Grub2/Passwords
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No references for this check according to policy file

  • Rules: 🔴

Condition should be all instead of any

Rules details
Alert
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29528,"title":"Ensure bootloader password is set.","description":"Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.","rationale":"Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off AppArmor at boot time).","remediation":"Create an encrypted password with grub-mkpasswd-pbkdf2: # grub-mkpasswd-pbkdf2 Enter password: <password> Reenter password: <password> PBKDF2 hash of your password is <encrypted-password>. Add the following into a custom /etc/grub.d configuration file: cat <<EOF set superusers=\"<username>\" password_pbkdf2 <username> <encrypted-password> EOF. The superuser/user information and password should not be contained in the /etc/grub.d/00_header file as this file could be overwritten in a package update. If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\". Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.4.1","cis_csc_v8":"5.2","cis_csc_v7":"4.4","cmmc_v2.0":"IA.L2-3.5.7","pci_dss_4.0":"2.2.2,8.3.5,8.3.6,8.6.3","soc_2":"CC6.1","iso_27001-2013":"A.9.4.3","nist_sp_800-53":"IA-5 (1)","mitre_techniques":"T1542","mitre_tactics":"TA0003","mitre_mitigations":"M1046"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*\\t*set superusers","f:/boot/grub/grub.cfg -> r:^\\s*\\t*password"],"condition":"any","references":"https://help.ubuntu.com/community/Grub2/Passwords","file":"/boot/grub/grub.cfg","result":"failed"}}
1.4.2 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🔴

Do not include additional information section.

  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🟢
  • Rules: 🟢
Rules details
Command output
  File: /boot/grub/grub.cfg
  Size: 7973      	Blocks: 16         IO Block: 4096   regular file
Device: 801h/2049d	Inode: 131090      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 14:16:14.429529461 +0000
Modify: 2023-03-06 14:16:09.901482197 +0000
Change: 2023-03-06 14:16:09.901482197 +0000
 Birth: 2022-12-19 20:28:37.127676684 +0000
Alert
{"type":"check","id":2012058286,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29529,"title":"Ensure permissions on bootloader config are configured.","description":"The grub configuration file contains information on boot settings and passwords for unlocking boot options.","rationale":"Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.","remediation":"Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub/grub.cfg # chmod u-wx,go-rwx /boot/grub/grub.cfg .Additional Information: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. Replace /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.","compliance":{"cis":"1.4.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1542","mitre_tactics":"TA0005,TA0007","mitre_mitigations":"M1022"},"rules":["c:stat -L /boot/grub/grub.cfg -> r:Access:\\s*\\(0400/-r--------\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","command":"stat -L /boot/grub/grub.cfg","result":"failed"}}
1.4.3 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🟢
  • Rules: 🔴

This rule does not correspond with the CIS policy. The CIS audit rules expect a password to be specified for the root user. In case of leaving this password

If no root password is set, then regardless of if the system is set to prompt for a password for Single User Mode or not it will just load root access.

Rules details
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29530,"title":"Ensure authentication required for single user mode.","description":"Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.","rationale":"Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.","remediation":"Run the following command and follow the prompts to set a password for the root user: # passwd root.","compliance":{"cis":"1.4.3","cis_csc_v8":"5.2","cis_csc_v7":"4.4","cmmc_v2.0":"IA.L2-3.5.7","pci_dss_4.0":"2.2.2,8.3.5,8.3.6,8.6.3","soc_2":"CC6.1","iso_27001-2013":"A.9.4.3","nist_sp_800-53":"IA-5 (1)","mitre_techniques":"T1548","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["f:/etc/shadow -> r:^root:*:|^root:!:"],"condition":"any","file":"/etc/shadow","result":"passed"}}
1.5.1

Not implemented. Expected due to SCA limitations

1.5.2 🟢
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: ⚫
  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' prelink
dpkg-query: no packages found matching prelink

Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29531,"title":"Ensure prelink is not installed.","description":"prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.","rationale":"The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.","remediation":"Run the following command to restore binaries to normal: # prelink -ua . Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink.","compliance":{"cis":"1.5.2","cis_csc_v8":"3.14","cis_csc_v7":"14.9","cmmc_v2.0":"AC.L2-3.1.7","hipaa":"164.312(b),164.312(c)(1),164.312(c)(2)","pci_dss_3.2.1":"10.2.1,11.5","pci_dss_4.0":"10.2.1,10.2.1.1","nist_sp_800-53":"AC-6(9)","soc_2":"CC6.1","iso_27001-2013":"A.12.4.3","mitre_techniques":"T1055,T1055.009,T1065,T1065.001","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' prelink -> r:dpkg-query: no packages found matching prelink"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' prelink","result":"passed"}}

1.5.3 🔴

🔴 : Unexpected field default value

  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🔴
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🔴

No mitre values expected for this check

  • References: ⚫
  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# systemctl is-active apport.service
inactive

Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29532,"title":"Ensure Automatic Error Reporting is not enabled.","description":"The Apport Error Reporting Service automatically generates crash reports for debugging.","rationale":"Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.","remediation":"Edit /etc/default/apport and add or edit the enabled parameter to equal 0: enabled=0 Run the following commands to stop and disable the apport service # systemctl stop apport.service # systemctl --now disable apport.service -- OR -- Run the following command to remove the apport package: # apt purge apport.","compliance":{"cis":"1.5.3","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1015,T1133,T1200,T1076,T1051"},"rules":["c:systemctl is-active apport.service -> r:inactive"],"condition":"all","command":"systemctl is-active apport.service","result":"passed"}}
1.5.4 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🔴

Expected:

Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0. IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0. Run the command: systemctl daemon-reload.
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: ⚫
  • Rules: 🟢
Rules details
Command output
[root@localhost vagrant]# sysctl fs.suid_dumpable
fs.suid_dumpable = 0
[root@localhost vagrant]# grep -Rh fs\.suid_dumpable /etc/sysctl.conf
fs.suid_dumpable = 0
[root@localhost vagrant]# grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d
* hard core 0
Alert
{"type":"check","id":334935111,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29533,"title":"Ensure core dumps are restricted.","description":"A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.","rationale":"Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core.","remediation":"Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 .Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 .Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0 .IF systemd-coredump is installed: edit /etc/systemd/coredump.conf and add/modify the following lines: Storage=none ProcessSizeMax=0 .Run the command: systemctl daemon-reload.","compliance":{"cis":"1.5.4","mitre_techniques":"T1005","mitre_tactics":"TA0007"},"rules":["c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable = 0","c:grep -Rh fs\\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^fs.suid_dumpable = 0","c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:^* hard core 0"],"condition":"all","command":"sysctl fs.suid_dumpable,grep -Rh fs\\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d,grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d","result":"passed"}}
1.6.1.1 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

There are no references in the policy

  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor
apparmor\tinstall ok installed\tinstalled\nroot@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils
apparmor-utils\tinstall ok installed\tinstalled\nroot@debian11:/home/vagrant# 

Alert
{"type":"check","id":723932811,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29534,"title":"Ensure AppArmor is installed.","description":"AppArmor provides Mandatory Access Controls.","rationale":"Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.","remediation":"Install AppArmor. # apt install apparmor apparmor-utils.","compliance":{"cis":"1.6.1.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor -> r:install ok installed","c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils -> r:install ok installed"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor,dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' apparmor-utils","result":"passed"}}

1.6.1.2 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No expected references for this check in the policy

  • Rules: 🔴

Rule does not take into account tabulations, making it mark the check as pass for invalid cases.
Expected:

- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'
Rules details
Command output
root@debian11:/home/vagrant# grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1"
	linux	/boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
		linux	/boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
		linux	/boot/vmlinuz-5.10.0-21-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro single consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y
		linux	/boot/vmlinuz-5.10.0-20-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y net.ifnames=0 biosdevname=0
		linux	/boot/vmlinuz-5.10.0-20-amd64 root=UUID=084c29b3-cc2f-473d-aea9-93051946599b ro single consoleblank=0 elevator=noop scsi_mod.use_blk_mq=Y
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29535,"title":"Ensure AppArmor is enabled in the bootloader configuration.","description":"Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.","rationale":"AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.","remediation":"Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\" Run the following command to update the grub2 configuration: # update-grub.","compliance":{"cis":"1.6.1.2","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0003","mitre_mitigations":"M1026"},"rules":["f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:apparmor=1","f:/boot/grub/grub.cfg -> r:^\\s*linux && !r:security=apparmor"],"condition":"none","file":"/boot/grub/grub.cfg","result":"passed"}}
1.6.1.3 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No expected references for this check

  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# apparmor_status | grep profiles
7 profiles are loaded.
7 profiles are in enforce mode.
0 profiles are in complain mode.
2 processes have profiles defined.
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29536,"title":"Ensure all AppArmor Profiles are in enforce or complain mode.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* OR Run the following command to set all profiles to complain mode: # aa-complain /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.6.1.3","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_tactics":"TA0005"},"rules":["c:apparmor_status -> r:^0\\s*processes are unconfined"],"condition":"all","command":"apparmor_status","result":"passed"}}
1.5.4 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: 🟢
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No references expected for this check

  • Rules: 🟢
Rules details
Command output
apparmor module is loaded.
7 profiles are loaded.
7 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/chronyd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
2 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/chronyd (349) 
   /usr/sbin/chronyd (350) 
Alert
{"type":"check","id":726821932,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29537,"title":"Ensure all AppArmor Profiles are enforcing.","description":"AppArmor profiles define what resources applications are able to access.","rationale":"Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.","remediation":"Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.","compliance":{"cis":"1.5.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1068,T1565,T1565.001,T1565.003","mitre_tactics":"TA0005"},"rules":["c:apparmor_status -> n:^(\\d+)\\s*profiles are loaded compare > 0","c:apparmor_status -> r:^0\\s*profiles are in complain mode","c:apparmor_status -> r:^0\\s*processes are unconfined"],"condition":"all","command":"apparmor_status","result":"failed"}}

1.7.1 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No references expected for this check

  • Rules: 🟡

Should we include Linux instead of Ubuntu in the regex?

Rules details
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29538,"title":"Ensure message of the day is configured properly.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , \\v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd.","compliance":{"cis":"1.7.1","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["not f:/etc/motd -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu","not f:/etc/motd"],"condition":"any","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/motd","result":"failed"}}
1.7.2 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No references for this check

  • Rules: 🟡

Should we include Linux instead of Ubuntu in the regex?

Rules details
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29539,"title":"Ensure local login warning banner is configured properly.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.","compliance":{"cis":"1.7.2","mitre_techniques":"T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/issue","result":"failed"}}

1.7.3 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No references expected for this check

  • Rules: 🟡

Should we include Linux instead of Ubuntu in the regex?

Rules details
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29540,"title":"Ensure remote login warning banner is configured properly.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version.","rationale":"Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a .\" command once they have logged in.","remediation":"Edit the /etc/issue.net file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net.","compliance":{"cis":"1.7.3","mitre_techniques":"T1018,T1082,T1592,T1592.004","mitre_tactics":"TA0007"},"rules":["f:/etc/issue.net -> r:\\\\v|\\\\r|\\\\m|\\\\s|Debian|Ubuntu"],"condition":"none","references":"http://www.justice.gov/criminal/cybercrime/","file":"/etc/issue.net","result":"failed"}}

1.7.4 🔴

🔴 Unexpected default value field.

  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No expected references for this rule.

  • Rules: 🔴

It does not take into account the case in which the file does not exist (safe configuration).
Expected:

condition: any
rules:
  - 'c:stat -L /etc/motd -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
  - not f:/etc/motd
Rules details
Command output
root@debian11:/home/vagrant# stat -L /etc/motd
  File: /etc/motd
  Size: 286       	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655482      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 10:53:34.807416734 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:24.086701633 +0000
 Birth: 2022-12-19 20:25:24.086701633 +0000
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29541,"title":"Ensure permissions on /etc/motd are configured.","description":"The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.","rationale":"If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/motd : # chown root:root $(readlink -e /etc/motd) # chmod u-x,go-wx $(readlink -e /etc/motd) OR run the following command to remove the /etc/motd file: # rm /etc/motd.","compliance":{"cis":"1.7.4","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/motd -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/motd","result":"passed"}}
1.7.5 🔴

🔴 Unexpected field default value

  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No expected reference for this check

  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# stat -L /etc/issue
  File: /etc/issue
  Size: 27        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655385      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 10:53:33.111406516 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:19.054676167 +0000
 Birth: 2022-12-19 20:25:19.054676167 +0000
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29542,"title":"Ensure permissions on /etc/issue are configured.","description":"The contents of the /etc/issue file are displayed to users prior to login for local terminals.","rationale":"If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue : # chown root:root $(readlink -e /etc/issue) # chmod u-x,go-wx $(readlink -e /etc/issue).","compliance":{"cis":"1.7.5","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/issue -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/issue","result":"passed"}}
1.7.6 🔴

🔴 Unexpected default value field

  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🔴

No expected references for this check

  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# stat -L /etc/issue.net
  File: /etc/issue.net
  Size: 20        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 655386      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-03-06 11:00:47.806881931 +0000
Modify: 2022-12-09 19:15:00.000000000 +0000
Change: 2022-12-19 20:25:19.054676167 +0000
 Birth: 2022-12-19 20:25:19.054676167 +0000

Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29543,"title":"Ensure permissions on /etc/issue.net are configured.","description":"The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.","rationale":"If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.","remediation":"Run the following commands to set permissions on /etc/issue.net : # chown root:root $(readlink -e /etc/issue.net) # chmod u-x,go-wx $(readlink -e /etc/issue.net).","compliance":{"cis":"1.7.6","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.5,AC.L2-3.1.3,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","pci_dss_3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_4.0":"1.3.1,7.1","nist_sp_800-53":"AC-5,AC-6","soc_2":"CC5.2,CC6.1","iso_27001-2013":"A.9.1.1","mitre_techniques":"T1222,T1222.002","mitre_tactics":"TA0005","mitre_mitigations":"M1022"},"rules":["c:stat -L /etc/issue.net -> r:Access:\\s*\\(0644/-rw-r--r--\\)\\s*Uid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)\\s*\\t*Gid:\\s*\\(\\s*\\t*0/\\s*\\t*root\\)"],"condition":"all","references":"http://www.justice.gov/criminal/cybercrime/","command":"stat -L /etc/issue.net","result":"passed"}}

1.8.1 🔴
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: 🟢
  • Rules: 🔴

Check does not take into account these cases:

dpkg-query: no packages found matching gdm3

It should be marked as passed

Rules details
Command output
root@debian11:/home/vagrant# dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' gdm3
dpkg-query: no packages found matching gdm3

Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29544,"title":"Ensure GNOME Display Manager is removed.","description":"The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins.","rationale":"If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.","remediation":"Run the following command to uninstall gdm3: # apt purge gdm3.","compliance":{"cis":"1.8.1","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1543,T1543.002","mitre_tactics":"TA0002"},"rules":["c:dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' gdm3 -> r: unknown ok not-installed"],"condition":"all","command":"dpkg-query -W -f='${binary:Package}\\t${Status}\\t${db:Status-Status}\\n' gdm3","result":"failed"}}
1.8.2 ⚫

Not implemented. Expected due to SCA limitations

1.8.3 ⚫

Not implemented. Expected due to SCA limitations

1.8.4 ⚫

Not implemented. Expected due to SCA limitations

1.8.5 ⚫

Not implemented. Expected due to SCA limitations

1.8.6 ⚫

Not implemented. Expected due to SCA limitations

1.8.7 ⚫

Not implemented. Expected due to SCA limitations

1.8.8 ⚫

Not implemented. Expected due to SCA limitations

1.8.9 ⚫

Not implemented. Expected due to SCA limitations

1.8.10 🟡
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: ⚫
  • Rules: 🟡

Marked as not applicable if gdm3 is not installed.
It is not possible to take into account the default case due to SCA limitations.

Rules details
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29545,"title":"Ensure XDCMP is not enabled.","description":"X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays.","rationale":"XDMCP is inherently insecure. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a user XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials of legitimate users by impersonating the XDMCP server.","remediation":"Edit the file /etc/gdm3/custom.conf and remove the line: Enable=true.","compliance":{"cis":"1.8.10","cis_csc_v8":"4.8","cis_csc_v7":"9.2","cmmc_v2.0":"CM.L2-3.4.7,CM.L2-3.4.8,SC.L2-3.13.6","pci_dss_3.2.1":"1.1.6,1.2.1,2.2.2,2.2.5","pci_dss_4.0":"1.2.5,2.2.4,6.4.1","soc_2":"CC6.3,CC6.6","iso_27001-2013":"A.13.1.3","nist_sp_800-53":"SI-4","mitre_techniques":"T1040,T1056,T1056.001,T1557","mitre_tactics":"TA0002","mitre_mitigations":"M1050"},"rules":["f:/etc/gdm3/custom.conf -> r:^\\s*Enable\\s*=\\s*true"],"condition":"none","file":"/etc/gdm3/custom.conf","status":"Not applicable","reason":"Could not open file '/etc/gdm3/custom.conf'"}}
1.9 🟢
  • Title: 🟢
  • Description: 🟢
  • Rationale: 🟢
  • Remediation: 🟢
  • Impact: ⚫
  • Compliance: 🟢
    • CIS ID: 🟢
    • CSC: 🟢
    • ISO: 🟢
    • CMMC: 🟢
    • SOC: 🟢
    • NIST: 🟢
    • PCI: 🟢
    • MITRE: 🟢
  • References: ⚫
  • Rules: 🟢
Rules details
Command output
root@debian11:/home/vagrant# apt -s upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Alert
{"type":"check","id":127797040,"policy":"CIS Benchmark for Debian/Linux 11","policy_id":"cis_debian11","check":{"id":29546,"title":"Ensure updates, patches, and additional security software are installed.","description":"Periodically patches are released for included software either due to security flaws or to include additional functionality.","rationale":"Newer patches may contain security enhancements that would not be available through the latest full update. As a result, it is recommended that the latest software patches be used to take advantage of the latest functionality. As with any software installation, organizations need to determine if a given update meets their requirements and verify the compatibility and supportability of any additional software against the update revision that is selected.","remediation":"Run the following command to update all packages following local site policy guidance on applying updates and patches: # apt upgrade OR # apt dist-upgrade.","compliance":{"cis":"1.9","cis_csc_v8":"7.3","cis_csc_v7":"3.4,3.5","cmmc_v2.0":"SI.L1-3.14.1","pci_dss_3.2.1":"6.2","nist_sp_800-53":"SI-2(2)","soc_2":"CC7.1"},"rules":["c:apt -s upgrade -> r:^The following packages will be upgraded"],"condition":"none","command":"apt -s upgrade","result":"passed"}}

@olulekew7

olulekew7 commented Mar 7, 2023

1.3.1 🔴

  • Reference: Solved

1.3.2 🔴

  • Remediation: Solved

1.4.1 🔴

  • Default Value: Solved
  • More Information: Solved
  • References: Nothing to do. Is not an error to use a reference from other item here.
  • Rules: Solved

1.4.2 🔴

  • Remediation: Solved

1.4.3 🔴

  • Rules: Solved

1.5.3 🔴

  • Default Value: Solved
  • MITRE: Solved

1.5.4 🔴

  • Remediation: Solved

1.6.1.1 🔴

  • Reference: Solved

1.6.1.2 🔴

  • Reference: Solved
  • Rules: Solved

1.6.1.3 🔴

  • Reference: Solved

1.7.1 🔴

  • Reference: Solved
  • Rules: We keep Ubuntu, we don't include Linux

1.7.2 🔴

  • Reference: Solved
  • Rules: We keep Ubuntu, we don't include Linux

1.7.3 🔴

  • Reference: Solved
  • Rules: We keep Ubuntu, we don't include Linux

1.7.4 🔴

  • Remediation: Solved
  • Reference: Solved
  • Rules: Solved

1.7.5 🔴

  • Reference: Solved
  • Default Value: Solved

1.7.6 🔴

  • Reference: Solved
  • Default Value: Solved

1.8.1 🔴

  • Rules: Solved

1.8.10 🟡

  • Rules: Solved

@Rebits

Rebits commented Mar 15, 2023

Testing results

Tester: @Rebits | PR commit: wazuh/wazuh@0eb02c2

1.3.1 🟢
  • Reference: 🟢
1.3.2 🟢
  • Reference: 🟢
1.4.1 🟢
  • Impact: 🟢
  • References: 🟢
1.4.2 🟢
  • Remediation: 🟢
1.4.3 🟢
  • Remediation: 🟢
  • Rules: 🟢
1.5.3 🟢
  • Compliance: 🟢
  • Default value: 🟢
1.5.4 🟢
  • Remediation: 🟢
1.6.1.1 🟢
  • References: 🟢
1.6.1.2 🟢
  • References: 🟢
  • Rules: 🟢
1.6.1.3 🟢
  • References: 🟢
1.7.1 🟢
  • References: 🟢
1.7.2 🟢
  • References: 🟢
1.7.4 🔴

Default value field is still defined in the check.

1.7.5 🟢
  • References: 🟢
1.7.6 🟢
  • References: 🟢
1.8.1 🟢
  • Rules: 🟢
1.8.10 🟢
  • Rules: 🟢

@IsExec

IsExec commented Mar 16, 2023

#3827

1.7.4 🔴
Default value: solved

wazuh/wazuh@f0106b0

@Rebits

Rebits commented Mar 16, 2023

Testing results

Tester: @Rebits | PR commit: wazuh/wazuh@f0106b0

1.3.2 🔴
  • Rule: Condition should be all instead of any

@72nomada
Author

1.3.2 - Solved

@Rebits

Rebits commented Mar 24, 2023

Testing results

Tester: @Rebits | PR commit: wazuh/wazuh@0eb02c2

1.3.2 🟢
  • Rules: 🟢

@Rebits

Rebits commented Mar 27, 2023

Closing conclusion 👍🏼

Suggested changes were implemented correctly. Everything seems to work as expected

@Rebits Rebits closed this as completed Mar 27, 2023