Manual testing - Modify Amazon Linux 2 SCA policy to resolve typo on control 1.1.22 and EMPTY_LINE conditions #3014

Closed
5 tasks done
72nomada opened this issue Jun 17, 2022 · 4 comments
72nomada commented Jun 17, 2022

Related issue: wazuh/wazuh#13744
Related PR: wazuh/wazuh#13781

Test cases

Using an Amazon Linux 2 system running a wazuh-agent, we need to verify at least:

  • Ensure list of controls works properly
    • 1.1.22 Ensure sticky bit is set on all world-writable directories.
    • 1.5.2 Ensure XD/NX support is enabled.
    • 3.5.2.4 Ensure iptables are flushed with nftables.
    • Policy doesn't create the /dev/nul file
Rebits commented Jun 21, 2022

Conclusions 🟡

We can affirm that the development has solved wazuh/wazuh#13744; in addition, it has not included any error in the controls specified in the issue test cases.

However, it seems that the Ensure XD/NX support is enabled control is not precise enough (See #3014 (comment) for more information)

Rebits commented Jun 21, 2022

Wazuh Branch: 4.3
Wazuh Package: RPM
OS: Centos8

Preconditions

  • Wazuh manager in amazonlinux2 host
  • Wazuh agent in amazonlinux2 host
  • Enable the SCA module in the Wazuh agent
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>1m</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

Test Cases

Ensure sticky bit is set on all world-writable directories 🟢

  • Remove sticky bits from the /tmp directory:
    chmod -t /tmp
    
    • Check expected SCA alert is generated
    ** Alert 1655800781.1024805: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
    2022 Jun 21 08:39:41 (ip-172-31-3-57.ec2.internal) any->sca
    Rule: 19011 (level 9) -> 'CIS Benchmark for Amazon Linux 2: Ensure sticky bit is set on all world-writable directories.: Status changed from passed to failed'
    {"type":"check","id":1373819350,"policy":"CIS Benchmark for Amazon Linux 2","policy_id":"cis_amazon_linux_2","check":{"id":20520,"title":"Ensure sticky bit is set on all world-writable directories.","description":"Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.","rationale":"This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user.","remediation":"Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | xargs -I '{}' chmod a+t '{}'","compliance":{"cis":"1.1.22","cis_csc":"8.4,8.5","pci_dss":"2.2.4","nist_800_53":"CM.1","tsc":"CC5.2"},"rules":["not c:sh -c \"df --local -P 2> /dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) 2>/dev/null\" -> r:^/"],"condition":"all","command":"sh -c \"df --local -P 2> /dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) 2>/dev/null\"","result":"failed"}}
    sca.type: check
    sca.scan_id: 1373819350
    sca.policy: CIS Benchmark for Amazon Linux 2
    sca.check.id: 20520
    sca.check.title: Ensure sticky bit is set on all world-writable directories.
    sca.check.description: Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.
    sca.check.rationale: This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user.
    sca.check.remediation: Run the following command to set the sticky bit on all world writable directories: # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
    sca.check.compliance.cis: 1.1.22
    sca.check.compliance.cis_csc: 8.4,8.5
    sca.check.compliance.pci_dss: 2.2.4
    sca.check.compliance.nist_800_53: CM.1
    sca.check.compliance.tsc: CC5.2
    sca.check.command: ["sh -c \"df --local -P 2> /dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\\\( -perm -0002 -a ! -perm -1000 \\\\) 2>/dev/null\""]
    sca.check.result: failed
    sca.check.previous_result: passed
    
    • Remediation
    [root@ip-172-31-3-57 qa]# ls -la / | grep tmp
    drwxrwxrwx   8 root root  172 Jun 21 08:39 tmp
    [root@ip-172-31-3-57 qa]# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
    bash: syntax error near unexpected token `('
    [root@ip-172-31-3-57 qa]# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
    [root@ip-172-31-3-57 qa]# ls -la / | grep tmp
    drwxrwxrwt   8 root root  172 Jun 21 08:39 tmp
    [root@ip-172-31-3-57 qa]# 
    

    Ensure XD/NX support is enabled 🔴

    The Ensure XD/NX support is enabled control is not precise enough, producing false negatives.
    This support is enabled by default, but it can be changed by changing kernel parameters. In this case, we are going to disable it using the following command:

    grubby --update-kernel=ALL --args="noexec=off"
    

    After this, we restart our agent host.
    We can check that the new parameter is active:

    cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-5.10.112-108.499.amzn2.x86_64 root=UUID=008cdb03-aa96-41b3-8e92-b11c5b511efd ro console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 rd.emergency=poweroff rd.shell=0 LANG=en_US.UTF-8 noexec=off
    

    If we check the control, it uses the following rules:

    - 'c:sh -c "journalctl | grep \"protection: active\"" -> r:protection: active'
    - 'c:sh -c "[[ -n $(grep noexec[0-9]*=off /proc/cmdline) || -z $(grep -E -i \" (pae|nx) \" /proc/cpuinfo) || -n $(grep \"\\sNX\\s.*\\sprotection:\\s\" /var/log/dmesg | grep -v active) ]] && echo \"NX Protection is not active\"" -> r:^$'
    

    Regarding the first rule, if we have disabled this option manually and we check the journalctl log using the protection: active regex, we get:

    [root@ip-172-31-3-57 qa]# journalctl | grep protection: active
    Jun 21 09:30:39 localhost kernel: NX (Execute Disable) protection: active
    Jun 21 09:39:48 localhost kernel: NX (Execute Disable) protection: active
    Jun 21 09:54:44 localhost kernel: NX (Execute Disable) protection: active
    

    As we can see, there are multiple logs that fit the regex, so the regex will always match, even if we have manually disabled noexec, as shown in the last log message (Jun 21 10:04:21 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option)

    Suggestion 1: Replace the first rule by - 'c:sh -c "journalctl | grep \"protection: \" | tail -1" -> r:protection: active'

    Suggestion 2: Replace the any condition by all

    Note: The proposed suggestions require further research on multiple OSs in order to consider them valid for all scenarios

    Ensure iptables are flushed with nftables 🟢

    • Install nftables
    [root@ip-172-31-3-57 qa]# yum install nftables
    Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
    Package 1:nftables-0.9.0-14.amzn2.0.1.x86_64 already installed and latest version
    Nothing to do
    [root@ip-172-31-3-57 qa]# 
    
    • Flush iptables and ip6tables rules
    iptables -F
    ip6tables -F
    
    • Check that control pass
    ** Alert 1655808603.7666621: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
    2022 Jun 21 10:50:03 (ip-172-31-3-57.ec2.internal) any->sca
    Rule: 19010 (level 3) -> 'CIS Benchmark for Amazon Linux 2: Ensure iptables are flushed with nftables.: Status changed from failed to passed'
    {"type":"check","id":1230570152,"policy":"CIS Benchmark for Amazon Linux 2","policy_id":"cis_amazon_linux_2","check":{"id":20594,"title":"Ensure iptables are flushed with nftables.","description":"nftables is a replacement for iptables, ip6tables, ebtables and arptables","rationale":"It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded","remediation":"Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F","compliance":{"cis":"3.5.2.4","cis_csc":"9.4","pci_dss":"1.1","tsc":"CC8.1"},"rules":["c:rpm -q nftables -> r:^nftables-","not c:sh -c \"ip6tables -L | egrep -v  \\\"^target|^Chain\\\"\" -> r:^\\w+","not c:sh -c \"iptables -L | egrep -v  \\\"^target|^Chain\\\"\" -> r:^\\w+"],"condition":"all","command":"rpm -q nftables,sh -c \"ip6tables -L | egrep -v  \\\"^target|^Chain\\\"\",sh -c \"iptables -L | egrep -v  \\\"^target|^Chain\\\"\"","result":"passed"}}
    sca.type: check
    sca.scan_id: 1230570152
    sca.policy: CIS Benchmark for Amazon Linux 2
    sca.check.id: 20594
    sca.check.title: Ensure iptables are flushed with nftables.
    sca.check.description: nftables is a replacement for iptables, ip6tables, ebtables and arptables
    sca.check.rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded
    sca.check.remediation: Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F
    sca.check.compliance.cis: 3.5.2.4
    sca.check.compliance.cis_csc: 9.4
    
    • Add a new iptables rule and check that control fails
    ** Alert 1655808550.7417520: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
    2022 Jun 21 10:49:10 (ip-172-31-3-57.ec2.internal) any->sca
    Rule: 19007 (level 7) -> 'CIS Benchmark for Amazon Linux 2: Ensure iptables are flushed with nftables.'
    {"type":"check","id":883888519,"policy":"CIS Benchmark for Amazon Linux 2","policy_id":"cis_amazon_linux_2","check":{"id":20594,"title":"Ensure iptables are flushed with nftables.","description":"nftables is a replacement for iptables, ip6tables, ebtables and arptables","rationale":"It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded","remediation":"Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F","compliance":{"cis":"3.5.2.4","cis_csc":"9.4","pci_dss":"1.1","tsc":"CC8.1"},"rules":["c:rpm -q nftables -> r:^nftables-","not c:sh -c \"ip6tables -L | egrep -v  \\\"^target|^Chain\\\"\" -> r:^\\w+","not c:sh -c \"iptables -L | egrep -v  \\\"^target|^Chain\\\"\" -> r:^\\w+"],"condition":"all","command":"rpm -q nftables,sh -c \"ip6tables -L | egrep -v  \\\"^target|^Chain\\\"\",sh -c \"iptables -L | egrep -v  \\\"^target|^Chain\\\"\"","result":"failed"}}
    sca.type: check
    sca.scan_id: 883888519
    sca.policy: CIS Benchmark for Amazon Linux 2
    sca.check.id: 20594
    sca.check.title: Ensure iptables are flushed with nftables.
    sca.check.description: nftables is a replacement for iptables, ip6tables, ebtables and arptables
    sca.check.rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables rules, and ensure it is not loaded
    sca.check.remediation: Run the following commands to flush iptables: For iptables: # iptables -F For ip6tables: # ip6tables -F
    sca.check.compliance.cis: 3.5.2.4
    sca.check.compliance.cis_csc: 9.4
    

    Policy doesn't create the /dev/nul file 🟢

    After multiple scans, no /dev/nul file was created
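The sticky-bit test above runs the policy's find predicate over the whole filesystem and then pastes the remediation, which fails on the first attempt because the JSON-escaped `\\(` must be typed as `\(` in bash. The following is an added example, not part of the Wazuh policy or of this test record: it exercises the same predicate against a constructed directory tree, applies the remediation, and re-checks. The tree layout and directory names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Wazuh policy's own code): exercise the CIS 1.1.22
# sticky-bit check against a constructed directory tree instead of the whole
# filesystem, then apply the remediation and re-check.

# List directories under $1 that are world-writable (o+w) but lack the sticky
# bit, using the same find predicate as the policy command. Note the single
# backslashes: the doubled backslashes shown in the JSON remediation string are
# escaping for the JSON, and pasting them into bash gives
# "syntax error near unexpected token `('".
list_ww_nosticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | sort
}

# Number of offending directories under $1 (zero is what makes the check pass).
count_ww_nosticky() {
    list_ww_nosticky "$1" | grep -c . || true
}

# Remediation: set the sticky bit on every offending directory under $1.
fix_ww_nosticky() {
    list_ww_nosticky "$1" | while IFS= read -r d; do
        chmod a+t "$d"
    done
}

# Constructed sample tree (names are illustrative): one compliant 1777 dir,
# one offending 0777 dir, one 0755 dir that is not world-writable.
# Prints the root path so callers can clean it up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/tmp_ok" "$root/shared_bad" "$root/private"
    chmod 1777 "$root/tmp_ok"
    chmod 0777 "$root/shared_bad"
    chmod 0755 "$root/private"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sample_tree)
    echo "before: $(count_ww_nosticky "$root") offending dir(s)"
    list_ww_nosticky "$root"
    fix_ww_nosticky "$root"
    echo "after:  $(count_ww_nosticky "$root") offending dir(s)"
    rm -rf "$root"
}

demo
```

Only `shared_bad` is reported before the fix, and nothing is reported after it; `tmp_ok` is skipped because it already has the sticky bit and `private` because it is not world-writable.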

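To make the false negative in the XD/NX control concrete, here is an added example (not Wazuh's code and not part of the test record above) that runs the original first rule's logic and the suggested tail -1 logic side by side over a constructed journal excerpt, and adds the noexec= cmdline test from the second rule. The journal lines and cmdline string are constructed for the example; nothing is read from the running host.

```shell
#!/bin/sh
# Added example (not Wazuh's code): compare the two ways of reading the
# kernel's NX message that the comment above discusses. Sample journal and
# cmdline text are constructed; nothing is read from the running host.

# Constructed journal excerpt: three boots with NX active, then a boot where
# noexec=off was passed on the kernel command line.
SAMPLE_JOURNAL='Jun 21 09:30:39 localhost kernel: NX (Execute Disable) protection: active
Jun 21 09:39:48 localhost kernel: NX (Execute Disable) protection: active
Jun 21 09:54:44 localhost kernel: NX (Execute Disable) protection: active
Jun 21 10:04:21 localhost kernel: NX (Execute Disable) protection: disabled by kernel command line option'

# Constructed cmdline with NX explicitly disabled.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz ro console=tty0 noexec=off'

# Original first rule: any "protection: active" line anywhere in the journal
# counts as a pass, so messages from earlier boots mask a later "disabled".
nx_any_match() {
    if printf '%s\n' "$1" | grep -q 'protection: active'; then
        echo active
    else
        echo inactive
    fi
}

# Suggestion 1: keep only the most recent "protection:" line before matching.
nx_last_match() {
    if printf '%s\n' "$1" | grep 'protection: ' | tail -n 1 | grep -q 'protection: active'; then
        echo active
    else
        echo inactive
    fi
}

# The cmdline part of the second rule: is noexec=off (or noexec32=off) set?
cmdline_noexec() {
    if printf '%s\n' "$1" | grep -q 'noexec[0-9]*=off'; then
        echo noexec-off
    else
        echo ok
    fi
}

# Combined verdict shaped like the second rule's output: print the warning when
# either signal says NX is off, otherwise print an empty line (the rule matches
# that empty line with r:^$).
nx_verdict() {
    if [ "$(nx_last_match "$1")" = inactive ] || [ "$(cmdline_noexec "$2")" = noexec-off ]; then
        echo "NX Protection is not active"
    else
        echo ""
    fi
}

demo() {
    echo "any-match (original rule): $(nx_any_match "$SAMPLE_JOURNAL")"
    echo "last-match (suggestion 1): $(nx_last_match "$SAMPLE_JOURNAL")"
    echo "cmdline:                   $(cmdline_noexec "$SAMPLE_CMDLINE")"
    echo "verdict:                   $(nx_verdict "$SAMPLE_JOURNAL" "$SAMPLE_CMDLINE")"
}

demo
```

On the constructed input the original logic reports active while the tail -1 logic reports inactive, which is exactly the discrepancy the comment describes. The caveat from the comment still applies: a persistent journal is assumed, and the message format should be confirmed on each OS before adopting the rule.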
    @jmv74211

    The following issue has been created to report a failure with the check "Ensure XD/NX support is enabled": it is not precise enough.

    Here can be found the pull request associated with the requested changes.

    Once the newly made changes are approved, all changes related to this manual testing issue will be approved.

    @jmv74211

    New changes have been tested here. Tested changes are approved 🟢 .
