From 9f36e17ee0afd881468c496da3d1ae4ba80956b3 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Tue, 23 May 2023 15:07:42 +0000
Subject: [PATCH] Added tests considering Wazuh for file integrity and tooling

---
 db/tests.db | 2 ++
 include/tests_file_integrity | 19 +++++++++++++++++++
 include/tests_hardening | 2 +-
 include/tests_tooling | 29 +++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/db/tests.db b/db/tests.db
index e4dc8fbd..69a68bc9 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
 FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
 FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
 FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
+FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@@ -437,6 +438,7 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
+TOOL-5128:test:security:tooling::Check for active Wazuh daemon:
 TOOL-5130:test:security:tooling::Check for active Suricata daemon:
 TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 8a38b97e..a0bf497f 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -398,6 +398,25 @@
 fi
 #
 #################################################################################
+#
+ # Test : FINT-4344
+ # Description : Check if Wazuh system integrity tool is running
+ Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking if Wazuh syscheck daemon is running"
+ if IsRunning "wazuh-syscheckd"; then
+ LogText "Result: syscheck (Wazuh) active"
+ Report "file_integrity_tool[]=wazuh"
+ FILE_INT_TOOL="wazuh-syscheck"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN
+ else
+ LogText "Result: syscheck (Wazuh) is not active"
+ if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : FINT-4402 (was FINT-4316)
 # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
diff --git a/include/tests_hardening b/include/tests_hardening
index c414edb6..8ca04d6d 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -99,7 +99,7 @@
 else
 Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
 fi
-ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
+ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
 AddHP 1 3
 LogText "Result: no malware scanner found"
 fi
diff --git a/include/tests_tooling b/include/tests_tooling
index 083f5045..2ef9f81b 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
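Review bot: The two branches of the `IsRunning "wazuh-syscheckd"` check name the tool differently: the found side displays `"- Wazuh (syscheck)"` and stores `FILE_INT_TOOL="wazuh-syscheck"`, while the verbose not-found side displays `"- Wazuh"` and the report value is `file_integrity_tool[]=wazuh`; use one label per purpose so report consumers and the on-screen output agree, e.g. `--text "- Wazuh (syscheck)"` in both Display calls. A live `wazuh-syscheckd` process presumably does not prove that file integrity monitoring is actually enabled in the Wazuh configuration, so a "found" result here is weaker than a verified FIM setup; I would widen the comment to `# Description : Check if the Wazuh syscheck daemon is running (process presence only; does not verify that FIM is enabled)`. FILE_INT_TOOL is a single scalar, so when an earlier test in this file has already set it this block silently overwrites that value; whether that affects the FINT-4402 checksum test that follows depends on code outside the hunk and is worth confirming.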
@@ -428,6 +428,35 @@
 fi
 #
 #################################################################################
+#
+ # Test : TOOL-5128
+ # Description : Check for Wazuh daemon
+ Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Server side
+ if IsRunning "wazuh-analysisd"; then
+ IDS_IPS_TOOL_FOUND=1
+ Report "ids_ips_tooling[]=wazuh"
+ Report "ids_ips_tooling[]=wazuh-analysisd"
+ LogText "Result: Wazuh analysis daemon is active"
+ Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN
+ else
+ LogText "Result: Wazuh analysis daemon not active"
+ fi
+
+ # Client side
+ if IsRunning "wazuh-agentd"; then
+ IDS_IPS_TOOL_FOUND=1
+ Report "ids_ips_tooling[]=wazuh"
+ Report "ids_ips_tooling[]=wazuh-agentd"
+ LogText "Result: Wazuh agent daemon is active"
+ Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN
+ else
+ LogText "Result: Wazuh agent daemon not active"
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : TOOL-5190
 # Description : Check for an IDS/IPS tool
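Review bot: The generic `Report "ids_ips_tooling[]=wazuh"` line appears in both the analysisd and the agentd branch, so a host running both daemons emits that value twice while the specific `wazuh-analysisd`/`wazuh-agentd` values are what distinguish the two; set a block-local flag in each branch (constructed name, e.g. `WAZUH_ACTIVE=1`) and emit the generic value once after the two checks with `if [ ${WAZUH_ACTIVE} -eq 1 ]; then Report "ids_ips_tooling[]=wazuh"; fi`. Unlike FINT-4344 in this same patch, neither not-active branch shows anything in verbose mode and there is no leading `LogText "Test: ..."` line, so a reader of the verbose output cannot tell whether the Wazuh check ran; mirroring the `if IsVerbose; then Display ... --result "${STATUS_NOT_FOUND}" --color WHITE; fi` pattern from FINT-4344 would keep the two tests consistent. A running `wazuh-agentd` process presumably does not guarantee that the agent is enrolled and connected to a manager, so this result should be read as process presence rather than working monitoring; I would say so in the comment, `# Description : Check for Wazuh manager (analysisd) or agent (agentd) daemon; process presence only`.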