Fix Mac OS X SCA policies #382

Closed
chemamartinez opened this issue May 6, 2019 · 1 comment
Labels: bug, SCA (SCA policies related issues)
Comments

@chemamartinez (Contributor)

The SCA policies for Mac OS X based on CIS benchmarks need a review of the defined rules:

  1. It doesn't match because \s looks for spaces only; it has to be replaced by \t.

- 'c:sw_vers -> r:^ProductVersion:\s*10.13;'

  2. The dot is not escaped here:

- 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10.13;'

  3. "Now" is a typo:

- 'c:softwareupdate -l -> !r:^\s*Now new software available;'

  4. Many checks are not terminated with $, which can cause false positives:

https://github.com/wazuh/wazuh-ruleset/blob/3.9/sca/darwin/17/cis_apple_macOS_10.13.yml#L66

In addition, the output of that command includes a blank line, which wrongly matches the desired regex:

2019/05/06 16:42:27 sca[59229] wm_sca.c:912 at wm_sca_do_scan(): DEBUG: Rule is: c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1$;
2019/05/06 16:42:27 sca[59229] wm_sca.c:1008 at wm_sca_do_scan(): DEBUG: Running command: 'defaults read /Library/Preferences/com.apple.commerce AutoUpdate'.
2019/05/06 16:42:27 sca[59229] wm_sca.c:1549 at wm_sca_read_command(): DEBUG: Rule without IN/NIN: !r:^\s*1$
2019/05/06 16:42:27 sca[59229] wm_sca.c:1553 at wm_sca_read_command(): DEBUG: Negation found, is a NIN rule
2019/05/06 16:42:27 sca[59229] wm_sca.c:1650 at wm_sca_pt_matches(): DEBUG: Testing buf "1" with minterm "!r:^\s*1$" -> 0
2019/05/06 16:42:27 sca[59229] wm_sca.c:1653 at wm_sca_pt_matches(): DEBUG: Rule test result: 0
2019/05/06 16:42:27 sca[59229] wm_sca.c:1650 at wm_sca_pt_matches(): DEBUG: Testing buf "" with minterm "!r:^\s*1$" -> 1
2019/05/06 16:42:27 sca[59229] wm_sca.c:1653 at wm_sca_pt_matches(): DEBUG: Rule test result: 1
2019/05/06 16:42:27 sca[59229] wm_sca.c:1570 at wm_sca_read_command(): DEBUG: Result for !r:^\s*1$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate) -> 1

Where the command output is:

~ defaults read /Library/Preferences/com.apple.commerce AutoUpdate
1

Empty lines from command and file output should be ignored.

These examples come from the file cis_apple_macOS_10.13.yml but extend to the other Mac OS X policies.
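
The three regex defects and the blank-line effect reported above, reproduced in a small added Python model (not Wazuh code and not part of the issue). The negated-rule evaluation is an assumption reconstructed from the debug log (each output line scores 1 when the regex does not match, the rule result is 1 if any line scores 1); Python's re is a stand-in for the agent's regex engine, so the \s-versus-\t item is not modelled, and all sample output lines are constructed.

```python
import re

# Constructed sample inputs (not captured from a real host).
AUTOUPDATE_OUTPUT = ["1", ""]  # value line plus the trailing empty line seen in the issue
PROFILER_LINES = [
    "      System Version: macOS 10.13.4 (17E199)",
    "      System Version: macOS 10x13",  # constructed: shows what the unescaped dot accepts
]
SW_VERS_LINES = [
    "ProductVersion:\t10.13",
    "ProductVersion:\t10.135",  # constructed: shows what the missing $ accepts
]


def negated_rule_result(lines, pattern, skip_empty=False):
    """Model of a negated ('!r:') SCA rule as the issue's debug log shows it:
    every output line is tested, a line scores 1 when the regex does NOT match,
    and the rule result is 1 if any line scores 1.
    ASSUMPTION: simplified model built from the log, not the scanner's code."""
    rx = re.compile(pattern)
    per_line = []
    for line in lines:
        if skip_empty and line.strip() == "":
            continue  # the proposed fix: ignore empty lines of command/file output
        per_line.append(0 if rx.search(line) else 1)
    return int(any(per_line))


def matching_lines(lines, pattern):
    """Return the lines a positive ('r:') rule would accept."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    # 1. Trailing empty line: the empty buffer fails to match and flips the result to 1.
    print(negated_rule_result(AUTOUPDATE_OUTPUT, r"^\s*1$"))                   # 1 (wrong)
    print(negated_rule_result(AUTOUPDATE_OUTPUT, r"^\s*1$", skip_empty=True))  # 0
    # 2. Unescaped dot: '10.13' also accepts '10x13'.
    print(matching_lines(PROFILER_LINES, r"^\s*System Version:.*10.13"))   # both lines
    print(matching_lines(PROFILER_LINES, r"^\s*System Version:.*10\.13"))  # only the real one
    # 3. Missing end anchor: '10.13' is a prefix of '10.135'.
    print(matching_lines(SW_VERS_LINES, r"^ProductVersion:\s*10.13"))      # both lines
    print(matching_lines(SW_VERS_LINES, r"^ProductVersion:\s*10\.13$"))    # only the first
```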

@chemamartinez chemamartinez added bug SCA SCA policies related issues labels May 6, 2019
@chemamartinez chemamartinez added this to To do in Wazuh 3.9.1 via automation May 6, 2019
@TJOSERAFAEL TJOSERAFAEL moved this from To do to In progress in Wazuh 3.9.1 May 7, 2019
@TJOSERAFAEL TJOSERAFAEL moved this from In progress to Under review in Wazuh 3.9.1 May 7, 2019
@chemamartinez (Contributor, Author)

Already merged (#387). Good job @TJOSERAFAEL!

Wazuh 3.9.1 automation moved this from Under review to Done May 14, 2019