Updated HP-UX checks requested changes

wazuh · Nov 8, 2022 · bb56b28 · bb56b28
1 parent 505b530
commit bb56b28
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/ruleset/sca/hpux/cis_hpux_11i.yml b/ruleset/sca/hpux/cis_hpux_11i.yml
@@ -19,7 +19,7 @@ policy:
     - https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf
 
 requirements:
-  title: "Check HPUX version."
+  title: "Check HPUX version and bastille is not installed."
   description: "Requirements for running the SCA scan against HPUX family."
   condition: all
   rules:
@@ -350,8 +350,9 @@ checks:
     remediation: "Perform the following: ch_rc -a -p RUN_CIFSCLIENT=1 /etc/rc.config.d/cifsclient"
     compliance:
       - cis: ["1.3.9"]
-    condition: all
+    condition: any
     rules:
+      - "not f:/etc/rc.config.d/cifsclient"
       - "f:/etc/rc.config.d/cifsclient -> r:RUN_CIFSCLIENT=0"
 
   - id: 25021
@@ -807,8 +808,8 @@ checks:
     rules:
       - "f:/etc/motd"
       - "f:/etc/issue"
-      - 'c:not sh -c "ls -la /etc/motd | grep -e ^-rw-r--r--.*root.*sys | grep -v total" -> r:/etc/motd'
-      - 'c:not sh -c "ls -la /etc/issue | grep -e ^-rw-r--r--.*root.*root | grep -v total" -> r:/etc/issue'
+      - 'c:ls -la /etc/motd -> r:^-rw-r--r--\.*root\.*sys'
+      - 'c:ls -la /etc/issue -> r:^-rw-r--r--\.*root\.*root'
 
   - id: 25050
     title: "Create warning banners for FTP daemon."

diff --git a/ruleset/sca/hpux/cis_hpux_11i_bastille.yml b/ruleset/sca/hpux/cis_hpux_11i_bastille.yml
@@ -20,12 +20,13 @@ policy:
     - https://myenterpriselicense.hpe.com/cwp-ui/free-software/B6849AA
 
 requirements:
-  title: "Check HPUX version."
+  title: "Check HPUX version, bastille is installed and a bastille report is present."
   description: "Requirements for running the SCA scan against HPUX family."
   condition: all
   rules:
     - "c:swlist HPUX*OE* -> r:HPUX11i"
     - "d:/opt/sec_mgmt/bastille/"
+    - "f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
 
 checks:
   #################################################################
@@ -69,7 +70,8 @@ checks:
       - https://www.hp.com/go/bastille
     condition: all
     rules:
-      - "c:/opt/sec_mgmt/bastille/bin/bastille --assessnobrowser -> f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
+      - "f:/opt/sec_mgmt/bastille/bin/bastille"
+      - "f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config"
 
   #################################################################
   # 1.2 Minimize inetd network services
@@ -259,7 +261,7 @@ checks:
       - cis_level: ["1"]
     condition: all
     rules:
-      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecutity.gui_login="Y"'
+      - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> r:AccountSecurity.gui_login="Y"'
 
   - id: 30017
     title: "Disable email server, if possible."
@@ -675,6 +677,7 @@ checks:
       - 'f:/var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config -> n:AccountSecurity.MIN_PASSWORD_LENGTH="(\d+) compare >= 7"'
 
   - id: 30049
+    title: "Verify no legacy '+' entries exist in passwd and group files."
     description: "'+' entries in various passwd and group files served as markers for systems to insert data from NIS maps at a certain point in a system configuration file. HP-UX does not use these markers, but they may exist in files that have been imported from other platforms. They should be deleted if they exist."
     rationale: "Legacy '+' entries are no longer required on HP-UX systems, and may provide an avenue for attackers to gain privileged access on the system."
     remediation: "Perform the following to remove any legacy '+' entries in passwd and group files: 1. Display legacy '+' entries: grep '^+:' /etc/passwd /etc/group 2. Remove any entries found from the passwd and group files."