Rework SCA Policy for Microsoft Windows 11 Enterprise #22734

jk-olaoluwa · 2024-04-04T09:21:45Z

Component	Action type	Main Issue
SCA	Rework	#21930

Main tasks

Use the latest CIS benchmark PDF from https://downloads.cisecurity.org/#/
Verify IDs numbers.
Verify texts are correct: Title, Description, Rationale and Remediation.
Verify Compliance: CIS, CIS_CSC.
Verify condition and rules:
- To Pass.
- To Fail.
Solve Related issues:
CIS Benchmark Tests and how they treat missing registry keys are different between OS versions #16479

Checks

Syntax and semantic

a) ID of each policy must be contiguous.
b) The order and format set in Documentation must be respected.
c) YML must be valid to avoid errors.

Content

a) Compare each check with its analog from CIS Benchmark.
b) Try maintaining each rule as similar as possible with the Audit section from the CIS check.
c) Check that the commands provide the expected output.
d) When a failure is discovered, check similar policies to avoid repetition of the issue.

Unit testing

a) Output from agent.log after the SCA scan and a raw output of the result of the checks.

Tests results

2023/11/09 17:16:09 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2023/11/09 17:16:09 sca: INFO: Security Configuration Assessment scan finished. Duration: 81 seconds.

Analysisd (server or local)

analysisd.debug=2

Auth daemon debug (server)

authd.debug=0

Exec daemon debug (server, local, or Unix agent)

execd.debug=0

Monitor daemon debug (server, local, or Unix agent)

monitord.debug=0

Log collector (server, local or Unix agent)

logcollector.debug=0

Integrator daemon debug (server, local or Unix agent)

integrator.debug=0

Unix agentd

agent.debug=2

Deployment

a) If the policy it's new, it must be added to the sca.files templates.
b) If the OS has many supported SCA policies, a policy must be set as the default policy. (as example)

Documentation

a) Ensure documentation SCA list includes the created or updated SCA.

…-duration-aws Change max `iam_role_duration` aws

Enhancement/19081 remoted tests

…fig-profile-prefixes Remove profile prefixes

Remove changes.md file

…ed-auth-for-wodles Remove deprecated plain text auth from AWS and Azure wodles

…test Add `--build-managers-only` parameter in conftest.py

…stats Make get_daemons_stats_socket function asynchronous

Merge 4.9.0 into master

- QueryAllPackages - Reduced log verbosity from warning to debug - Improved log message -> 'error' string on warning level - osDataCache - Improved log message -> added context

…zuh-db-in-ci-install-test Improve log messages from the vulnerability scanner

mhamra and others added 30 commits August 25, 2023 10:30

Remove changes.md file

7447f98

logtest - Assertion in test_configuration

b80ab73

Assert fixed - function scope

b11ae83

Workflow for logtest tests

f7e2013

Migrate logtest IT config_tests

918e2f9

Migrate logtest IT invalid_rule_decoders

7967bca

Migrate logtest IT invalid_socket

c106d5c

Migrate logtest IT invalid_token

f8ca638

Migrate logtest IT log_process

5afea12

Migrate logtest IT remove_old_sessions

516f057

Migrate logtest IT remove_session

8148ba6

Migrate logtest IT rules_decoders_load

f79a24f

Migrate logtest IT ruleset_refresh

5710437

Apply requested changes

0e3eab6

Move logtest IT patterns

36c9e95

Minor fix

d4e4509

Remove redundant fixture "function"

3320ec5

Logtest IT use session_parameters

3590af3

Remove redundant fixture "function"

a70b2a2

Remove commented lines

8151a1e

Logtest IT create new fixtures

61d16e7

Apply requested changes

506b1fc

Change max role_duration

239ba7e

add test_configuration for invalid connections

5d73f39

add minor changes to test_configuration for invalid connections

4454001

add test_configuration for invalid port connection

0d0f8c5

add test_configuration: invalid connection protocol

8ae7655

fixed minor syntax changes

a78f6ac

add test_configuration: valid connection

684d662

add test_configuration: compare_config_api_response

280bd0c

Selutario and others added 24 commits February 16, 2024 17:22

Merge pull request #21884 from wazuh/feature/21689-change-max-session…

ba6082f

…-duration-aws Change max `iam_role_duration` aws

Merge pull request #21934 from wazuh/enhancement/19081-remoted-tests

e11c7a0

Enhancement/19081 remoted tests

Remove secret and access key from AWS parser

03e0d41

Remove deprecared keys from Azure parser

3d237c4

Remove access_key and secret_key auth option from AWS wodle

f0d6bb2

Remove plain text auth options from Azure wodle

c42ba64

Remove profile prefixes

0841d04

Simplify profile configuration

bf2559b

Apply suggestions from CR

ae78ab7

Add requested changes

aa3d1d5

Add space

d8ed115

Remove tab

5fa6269

Do not add prefix to default profiles

52f34f4

Merge pull request #21042 from wazuh/enhancement/20752-remove-aws-con…

dfaec66

…fig-profile-prefixes Remove profile prefixes

Make get_daemons_stats_agents function async

67860bc

Merge pull request #18612 from wazuh/fix/18565-remove-changes-md

bbb917b

Remove changes.md file

Merge pull request #18680 from wazuh/enhacement/17975-remove-deprecat…

19413a5

…ed-auth-for-wodles Remove deprecated plain text auth from AWS and Azure wodles

Merge pull request #21924 from wazuh/feature/21775-new-parameter-conf…

c03b272

…test Add `--build-managers-only` parameter in conftest.py

Merge pull request #19712 from wazuh/enhancement/19394-async-daemons-…

098511a

…stats Make get_daemons_stats_socket function asynchronous

Merge branch '4.9.0' into merge-4.9.0-into-master

8db75d4

Merge pull request #22410 from wazuh/merge-4.9.0-into-master

8282236

Merge 4.9.0 into master

CL:

fc5c7ab

- QueryAllPackages - Reduced log verbosity from warning to debug - Improved log message -> 'error' string on warning level - osDataCache - Improved log message -> added context

Merge pull request #22418 from wazuh/dev-22227-empty-response-from-wa…

6f672d0

…zuh-db-in-ci-install-test Improve log messages from the vulnerability scanner

Rework SCA Policy For Microsoft Windows 11

9b5c56e

jk-olaoluwa linked an issue Apr 4, 2024 that may be closed by this pull request

Rework SCA Policy for Microsoft Windows 11 Enterprise #22195

Open

19 tasks

jk-olaoluwa added 5 commits April 8, 2024 14:09

Rework SCA for Microsoft Windows 11 Enterprise

770f3e2

SCA Policy for Microsoft Windows 11 Enterprise

13df902

Rework SCA Policy for Windows 11 Enterprise

36a752f

Rework SCA Policy for Windows 11 Enterprise

7c12a7e

Rework SCA Policy for Windows 11 Enterprise

7f136cd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rework SCA Policy for Microsoft Windows 11 Enterprise #22734

Rework SCA Policy for Microsoft Windows 11 Enterprise #22734

jk-olaoluwa commented Apr 4, 2024

Rework SCA Policy for Microsoft Windows 11 Enterprise #22734

Are you sure you want to change the base?

Rework SCA Policy for Microsoft Windows 11 Enterprise #22734

Conversation

jk-olaoluwa commented Apr 4, 2024

Main tasks

Checks

Syntax and semantic

Content

Unit testing

Analysisd (server or local)

Auth daemon debug (server)

Exec daemon debug (server, local, or Unix agent)

Monitor daemon debug (server, local, or Unix agent)

Log collector (server, local or Unix agent)

Integrator daemon debug (server, local or Unix agent)

Unix agentd

Deployment

Documentation