Fix: Win10 SCA checks #14090

Rebits · 2022-06-30T14:36:30Z

Related issue
wazuh/wazuh-qa#3021

Description

This PR fixes some errors in Win 10 CIS SCA benchmark. The complete list of these changes can be found in wazuh/wazuh-qa#3021 research.

ruleset/sca/windows/cis_win10_enterprise.yml

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

…is win10 policy

…cription

…cases

… cases

…nfigured cases

ruleset/sca/windows/cis_win10_enterprise.yml

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

…lt values Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

…to 13191-Update-Win10-SCA-vr-qa

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

fabamatic

LGTM

fabamatic · 2022-07-11T21:07:19Z

ruleset/sca/windows/cis_win10_enterprise.yml

-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\domainfw.log'


please add back \

Suggested change

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\domainfw.log'

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'

fabamatic · 2022-07-11T21:08:02Z

ruleset/sca/windows/cis_win10_enterprise.yml

-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\privatefw.log'


Please add back \

Suggested change

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\privatefw.log'

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\privatefw.log'

fabamatic · 2022-07-11T21:08:40Z

ruleset/sca/windows/cis_win10_enterprise.yml

-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\publicfw.log'


Please add back \

Suggested change

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\publicfw.log'

- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\publicfw.log'

* Updated Win 10 SCA using checks developed for Win 11 SCA - Both benchmarks have the same set of checks * Fixing typo in check 2.3.1.3 * Fixing wrong / characters in remediation text * Fixed CSC numbers to v8 in check 1.1.1 to 1.1.6 * Fixing error in 2.3.14.1 * Fixing error in 2.3.10.1 rationale * Fixing rule in 17.5.1 * Fixing cis compliance in 18.9.66.1 * Fixing 2.3.17.8 * Fixing 2.3.17.7 * Fixing 5.29 * Fixing 5.28 * Fix: Win10 SCA checks (#14090) * fix: win10 yaml format, cis_csc and 1.1.1-1.2.3 minnor fixes * fix: win10 fixes in description,tittle,rationale and rules * fix: win10 checks 2.3.14.1-5.29 * fix: errors in cis win10 rules 1.1-2.3.10.11 Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: errors in cis win10 rules 2.3.10.12-5.15 Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: win10 cis ids of 15327, 15344 and 15367 and minnor fixes * fix: cis win10 titles and rules 15223, 15374 * fix: cis win10 rationale minnor error 1.1-5.29 * fix: remove double white-spaces in cis win10 policy * fix: remove whitespace before double quotes in cis win10 policy * fix: remove double whitespaces and whitespaces before double quotes cis win10 policy * fix: cis win10 check 15017 * fix: sca win10 changes in rules 15121 15119 15120 15122 and 15108 description * fix: sca win10 add default cases for checks 15120-15144 * fix: cis win10 enrich description for checks 15145-15167 * fix: cis win10 remediation * fix: cis win10 rationale * Fixing errors introduced by merge with parent branch * fix: cis win10 descriptions * fix: cis win10 rules 18.1.1.1-18.6.1. Add default and not configured cases * fix: cis win10 rules 18.6.2-18.9.45.1. Add default and not configured cases * fix: cis win10 rules 18.9.47.4.1-18.9.108.4.3. Add default and not configured cases * fix: cis win10 default values cases for some Windows Firewall checks. Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: cis win10 remove Windows blog links references Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: cis win10 fix checks 15102, 15264, 15316, 15381, 15389 for default values Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: cis win10 fix some rules according to default values * Fixing regex in 1.2.1 * Fixing regex in 1.2.3 * fix: cis win10 errors in rules introduced in 9c98aa2 Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * fix: cin win10 error in checks 15310, 15317, 15347, 15356 Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com> * Updating rules with findings from Win 11 SCA * Fixing error in 18.9.65.3.3.2 * Fixing error in 18.9.57.1 * Fixing 18.9.108.4.3 * Adding 18.9.6.2 Co-authored-by: Víctor Rebollo Pérez <victorrebollop@gmail.com>

Rebits added 2 commits June 29, 2022 16:36

fix: win10 yaml format, cis_csc and 1.1.1-1.2.3 minnor fixes

b76124e

fix: win10 fixes in description,tittle,rationale and rules

5073eed

Rebits added the reporter/qa QA Team: Reporting possible bug label Jun 30, 2022

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from 4c4d972 to ca8a074 Compare June 30, 2022 14:48

fix: win10 checks 2.3.14.1-5.29

046796e

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from ca8a074 to 046796e Compare June 30, 2022 15:17

fabamatic suggested changes Jun 30, 2022

View reviewed changes

ruleset/sca/windows/cis_win10_enterprise.yml Outdated Show resolved Hide resolved

fix: errors in cis win10 rules 1.1-2.3.10.11

2a00c95

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from 5cd6cac to 2a00c95 Compare July 1, 2022 07:52

Rebits and others added 8 commits July 1, 2022 09:12

fix: errors in cis win10 rules 2.3.10.12-5.15

18dbade

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

fix: win10 cis ids of 15327, 15344 and 15367 and minnor fixes

ca8a037

fix: cis win10 titles and rules 15223, 15374

d7b2dbc

fix: cis win10 rationale minnor error 1.1-5.29

77885de

fix: remove double white-spaces in cis win10 policy

409bb98

fix: remove whitespace before double quotes in cis win10 policy

f1ee69c

fix: remove double whitespaces and whitespaces before double quotes c…

2fb956d

…is win10 policy

fix: cis win10 check 15017

2c74663

Rebits mentioned this pull request Jul 1, 2022

Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Microsoft Windows 10 Enterprise Release 21H2 Benchmark v1.12.0 / @Rebits wazuh/wazuh-qa#3021

Closed

fix: sca win10 changes in rules 15121 15119 15120 15122 and 15108 des…

39c2900

…cription

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from baac5d2 to 39c2900 Compare July 1, 2022 16:21

Rebits and others added 7 commits July 4, 2022 16:00

fix: sca win10 add default cases for checks 15120-15144

bf4ab8e

fix: cis win10 enrich description for checks 15145-15167

f336a31

fix: cis win10 remediation

d429d95

fix: cis win10 rationale

5d79adc

Merge branch '13191-Update-Win10-SCA' into 13191-Update-Win10-SCA-vr-qa

06ef5c3

Fixing errors introduced by merge with parent branch

032eca6

fix: cis win10 descriptions

1dfc92f

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from 032eca6 to 1dfc92f Compare July 6, 2022 09:42

fix: cis win10 rules 18.1.1.1-18.6.1. Add default and not configured …

108cb07

…cases

Rebits added 2 commits July 7, 2022 15:56

fix: cis win10 rules 18.6.2-18.9.45.1. Add default and not configured…

1df6b2e

… cases

fix: cis win10 rules 18.9.47.4.1-18.9.108.4.3. Add default and not co…

383e6cf

…nfigured cases

fabamatic suggested changes Jul 8, 2022

View reviewed changes

fabamatic suggested changes Jul 9, 2022

View reviewed changes

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from 86659e6 to 4c83f75 Compare July 11, 2022 10:21

fix: cis win10 default values cases for some Windows Firewall checks.

2ea346b

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch 2 times, most recently from 7a9eff5 to b716769 Compare July 11, 2022 10:26

fix: cis win10 remove Windows blog links references

2ac4652

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

Rebits force-pushed the 13191-Update-Win10-SCA-vr-qa branch from b716769 to 2ac4652 Compare July 11, 2022 10:27

Rebits and others added 7 commits July 11, 2022 11:30

fix: cis win10 fix checks 15102, 15264, 15316, 15381, 15389 for defau…

da25b7a

…lt values Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

fix: cis win10 fix some rules according to default values

9c98aa2

Fixing regex in 1.2.1

c82c442

Merge remote-tracking branch 'origin/13191-Update-Win10-SCA-vr-qa' in…

d7240b0

…to 13191-Update-Win10-SCA-vr-qa

Fixing regex in 1.2.3

df0b131

fix: cis win10 errors in rules introduced in 9c98aa2

7c901cb

Co-authored-by: Fabricio Brunetti <fabricio.brunetti@wazuh.com>

fix: cin win10 error in checks 15310, 15317, 15347, 15356

36277ca

fabamatic marked this pull request as ready for review July 12, 2022 14:02

fabamatic approved these changes Jul 12, 2022

View reviewed changes

fabamatic merged commit de3f0c1 into 13191-Update-Win10-SCA Jul 12, 2022

fabamatic deleted the 13191-Update-Win10-SCA-vr-qa branch July 12, 2022 14:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix: Win10 SCA checks #14090

Fix: Win10 SCA checks #14090

Rebits commented Jun 30, 2022

fabamatic left a comment

fabamatic Jul 11, 2022

fabamatic Jul 11, 2022

fabamatic Jul 11, 2022

	- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\logfiles\firewall\domainfw.log'
	- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:System32\\logfiles\\firewall\\domainfw.log'

Fix: Win10 SCA checks #14090

Fix: Win10 SCA checks #14090

Conversation

Rebits commented Jun 30, 2022

Description

fabamatic left a comment

Choose a reason for hiding this comment

fabamatic Jul 11, 2022

Choose a reason for hiding this comment

fabamatic Jul 11, 2022

Choose a reason for hiding this comment

fabamatic Jul 11, 2022

Choose a reason for hiding this comment