
Fix rules in cis_ubuntu22 04.yml #22935

Open: wants to merge 8 commits into base: master

Conversation

@M0rga-n M0rga-n commented Apr 16, 2024

Description

Fixed rules for the SCA file cis_ubuntu22-04.yml

Configuration options

28532:
When the Apport Error Reporting service is not installed, running the following command returns "Failed to get unit file state for apport.service: No such file or directory".

- "c:systemctl is-enabled apport.service -> r:disabled"

Changing this to the following code fixes the issue.

- "not c:systemctl is-enabled apport.service -> r:^active"

28532:

  • When systemd-coredump is not installed, running the command "systemctl is-enabled coredump.service" returns the text "Failed to get unit file state for coredump.service: No such file or directory."
  • The check for hard core 0 is wrong. CIS recommends adding the line "* hard core 0" to the file.
- "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled"
- 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:\p hard core 0'

Changing this to the following code fixes the issue.

- "c:systemctl is-enabled coredump.service -> r:enabled|masked|disabled|^Failed to get unit file state for coredump.service: No such file or directory"
- 'c:grep -Rh "hard core 0" /etc/security/limits.conf /etc/security/limits.d/ -> !r:^\s*\t*# && r:^* hard core 0'

28566:
When rsync is not installed, running the following command returns "Failed to get unit file state for rsync.service: No such file or directory".

- "c:systemctl is-enabled rsync -> r:masked|disabled"

Changing this to the following code fixes the issue.

- "c:systemctl is-enabled rsync -> r:masked|disabled|^Failed to get unit file state for rsync.service: No such file or directory"

28653:
There is an extra -> in both rules; removing the second arrow fixes the issue.

- "c:sshd -T -> -> n:^clientaliveinterval\\s*\\t*(\\d+) compare > 0"
- "c:sshd -T -> -> n:^clientalivecountmax\\s*\\t*(\\d+) compare > 0"
- "c:sshd -T -> n:^clientaliveinterval\\s*\\t*(\\d+) compare > 0"
- "c:sshd -T -> n:^clientalivecountmax\\s*\\t*(\\d+) compare > 0"

28664:
CIS recommends setting ENCRYPT_METHOD to yescrypt, and when implementing CIS 5.4.3 yescrypt is added to the /etc/pam.d/common-passwords file. Excluding yescrypt ensures the SCA test passes while still passing the CIS benchmark.

- 'not f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:yescrypt|md5|bigcrypt|sha256|sha512|blowfish'
- 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD\s*\t*yescrypt'

Changing this to the following code fixes the issue.

- 'not f:/etc/pam.d/common-password -> !r:^\s*\t*# && r:md5|bigcrypt|sha256|sha512|blowfish'
- 'f:/etc/login.defs -> r:^\s*\t*ENCRYPT_METHOD\s*\t*yescrypt'

28663:
For this CIS rule you configure the line "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5". This SCA rule checks whether the line is there, but it has a ^ while matching the middle of the line, so it returns false.

- 'f:/etc/pam.d/common-password -> n:^\s*\t*use_authtok\s*\t*try_first_pass\s*\t*yescrypt\s*\t*remember=(\d+) compare >= 5'

Removing the ^ fixes the issue.

- 'f:/etc/pam.d/common-password -> n:\s*\t*use_authtok\s*\t*try_first_pass\s*\t*yescrypt\s*\t*remember=(\d+) compare >= 5'

28665:
This rule has a ^ in the wrong spot, so it returns false.

- 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS^\s*\t*(\d+) compare >=1'

Removing the ^ fixes the issue.

- 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >=1'

28534:
These rules check the following file for text, but this generated file had a combination of tabs and spaces for some reason. The rules only check for extra spaces and not tabs, so they fail in some cases.

- 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:apparmor=1'
- 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:security=apparmor'
- 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
- 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor'

Adding \t* to the rules fixes the issue.

- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:apparmor=1'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:security=apparmor'
- 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:apparmor=1'
- 'not f:/boot/grub/grub.cfg -> r:^\s*\t*linux && !r:security=apparmor'

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
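As an added illustration (not part of this PR or of Wazuh's own code), the following Python emulates the Wazuh SCA regex dialect for the subset used in these rules, assuming OS_Regex semantics where \s matches only a space, \t a tab, and ^ anchors only at the very start of a pattern (a caret elsewhere is a literal character). It replays the grub.cfg tab-indentation rules and the PASS_MIN_DAYS rule above against constructed file contents to show why the old forms fail and the fixed forms pass.

```python
import operator
import re

# Assumed OS_Regex semantics (emulation, not Wazuh code): \s is a single SPACE,
# \t a tab, \d a digit, \w a word char; '^' / '$' anchor only at the pattern's
# very start / end, and a '^' in the middle is a literal caret.
_ATOMS = {r'\s': ' ', r'\t': r'\t', r'\d': '[0-9]', r'\w': '[A-Za-z0-9_]', r'\.': r'\.'}
_OPS = {'>': operator.gt, '>=': operator.ge, '<': operator.lt,
        '<=': operator.le, '==': operator.eq, '!=': operator.ne}

def to_python(pattern):
    """Translate a Wazuh SCA regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _ATOMS:
            out.append(_ATOMS[pattern[i:i + 2]]); i += 2
        elif (pattern[i] == '^' and i == 0) or (pattern[i] == '$' and i == len(pattern) - 1):
            out.append(pattern[i]); i += 1              # real anchor
        elif pattern[i] in '*+?()|':
            out.append(pattern[i]); i += 1              # quantifiers / groups
        else:
            out.append(re.escape(pattern[i])); i += 1   # everything else is literal
    return ''.join(out)

def line_matches(line, condition):
    """Evaluate the '&&'-joined r:/!r:/n: terms of an SCA file rule against one line."""
    for term in condition.split(' && '):
        negate = term.startswith('!')
        body = term[1:] if negate else term
        if body.startswith('r:'):
            hit = re.search(to_python(body[2:]), line) is not None
        else:                                           # n:<regex> compare <op> <number>
            pat, cmp = body[2:].split(' compare ')
            op, val = re.fullmatch(r'\s*([<>=!]+)\s*(\d+)\s*', cmp).groups()
            m = re.search(to_python(pat), line)
            hit = m is not None and _OPS[op](int(m.group(1)), int(val))
        if hit == negate:
            return False
    return True

def file_rule_passes(rule, content):
    """'f:<path> -> <cond>' passes if some line satisfies <cond>; 'not f:' inverts that."""
    negate = rule.startswith('not ')
    _, condition = (rule[4:] if negate else rule).split(' -> ', 1)
    return any(line_matches(l, condition) for l in content.splitlines()) != negate

# Constructed sample files: grub.cfg indents the kernel line with tabs, login.defs
# has a commented default followed by the real setting.
GRUB_CFG = "menuentry 'Ubuntu' {\n\t\tlinux /vmlinuz root=UUID=x ro apparmor=1 security=apparmor\n}\n"
LOGIN_DEFS = "# PASS_MIN_DAYS 0\nPASS_MIN_DAYS\t1\n"
```

Calling file_rule_passes with the old and new grub.cfg and PASS_MIN_DAYS rules from the description against these samples returns False for the old forms and True for the fixed ones.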
