The SCA policies for MAC OS X based on CIS benchmarks need a review in the defined rules:

- `\s` looks for spaces only; it has to be replaced by a `\t`:
  wazuh-ruleset/sca/darwin/17/cis_apple_macOS_10.13.yml, lines 27 and 28 in 48eae91
- `Now` is a typo:
  wazuh-ruleset/sca/darwin/17/cis_apple_macOS_10.13.yml, line 41 in 48eae91
- `$`, which can cause false positives:
  https://github.com/wazuh/wazuh-ruleset/blob/3.9/sca/darwin/17/cis_apple_macOS_10.13.yml#L66

In addition, the output of that command includes a blank line, which matches wrongly with the desired regex:

```
2019/05/06 16:42:27 sca[59229] wm_sca.c:912 at wm_sca_do_scan(): DEBUG: Rule is: c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> !r:^\s*1$;
2019/05/06 16:42:27 sca[59229] wm_sca.c:1008 at wm_sca_do_scan(): DEBUG: Running command: 'defaults read /Library/Preferences/com.apple.commerce AutoUpdate'.
2019/05/06 16:42:27 sca[59229] wm_sca.c:1549 at wm_sca_read_command(): DEBUG: Rule without IN/NIN: !r:^\s*1$
2019/05/06 16:42:27 sca[59229] wm_sca.c:1553 at wm_sca_read_command(): DEBUG: Negation found, is a NIN rule
2019/05/06 16:42:27 sca[59229] wm_sca.c:1650 at wm_sca_pt_matches(): DEBUG: Testing buf "1" with minterm "!r:^\s*1$" -> 0
2019/05/06 16:42:27 sca[59229] wm_sca.c:1653 at wm_sca_pt_matches(): DEBUG: Rule test result: 0
2019/05/06 16:42:27 sca[59229] wm_sca.c:1650 at wm_sca_pt_matches(): DEBUG: Testing buf "" with minterm "!r:^\s*1$" -> 1
2019/05/06 16:42:27 sca[59229] wm_sca.c:1653 at wm_sca_pt_matches(): DEBUG: Rule test result: 1
2019/05/06 16:42:27 sca[59229] wm_sca.c:1570 at wm_sca_read_command(): DEBUG: Result for !r:^\s*1$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate) -> 1
```

Where the command output is:

```
~ defaults read /Library/Preferences/com.apple.commerce AutoUpdate
1

```

Empty lines from command and file output should be ignored.

These examples come from the file cis_apple_macOS_10.13.yml but extend to the other MAC OS X policies.
Already merged (#387). Good job @TJOSERAFAEL!