
PCRE2 regex for SCA policies #17124

Merged
merged 23 commits into from Jun 7, 2023

Conversation

jotacarma90 (Member)

Related issue
Closes #13931

Description

Hello team, this PR aims to add the possibility in SCA to use the PCRE2 regex engine to test the policies.
In this first step, we have added a new tag inside the SCA ruleset to make it possible to test the rules with PCRE2: the regex_type tag, which takes os_regex as its default value.
There are two ways to configure the engine. The first is to configure a global engine by adding the setting regex_type: "<engine>" in the policy section; by default the regex_type will be os_regex. We can also configure a particular check with a different engine than the global one by adding regex_type: "<engine>" in the check.
So we can have the following combinations of policies and controls with different or the same engines:

Tags PCRE2 engine global setting OS_regex engine global setting
Policy x x PCRE2 engine local check
Check x x OS_regex engine local check

Configuration options

This is a fragment of the cis_ubuntu20.04.yml policy, with a change to the regex of the 19045 check.

policy:
  id: "cis_ubuntu20-04"
  file: "cis_ubuntu20-04.yml"
  name: "CIS benchmark for Ubuntu Linux 20.04 LTS"
  description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS."
  references:
    - https://www.cisecurity.org/cis-benchmarks/

requirements:
  title: "Check Ubuntu version."
  description: "Requirements for running the SCA scan against Ubuntu Linux 20.04 LTS"
  condition: all
  rules:
    - 'f:/etc/os-release -> r:Ubuntu'
    - 'f:/proc/sys/kernel/ostype -> Linux'

checks:
  - id: 19040
    title: "Ensure all AppArmor Profiles are enforcing."
    description: "AppArmor profiles define what resources applications are able to access."
    rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated."
    remediation: "Run the following command to set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
    compliance:
      - cis: ["1.6.1.4"]
      - cis_csc: ["14.6"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
    condition: all
    rules:
      - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
      - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
      - 'c:apparmor_status -> r:^0\s*processes are unconfined'

  - id: 19045
    title: "Ensure permissions on /etc/issue are configured."
    description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals."
    rationale: "If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
    remediation: "Run the following commands to set permissions on /etc/issue: # chown root:root /etc/issue # chmod u-x,go-wx /etc/issue"
    compliance:
      - cis: ["1.7.5"]
      - cis_csc: ["5.1"]
      - pci_dss: ["10.2.5"]
      - hipaa: ["164.312.b"]
      - nist_800_53: ["AU.14", "AC.7"]
      - gpg_13: ["7.8"]
      - gdpr_IV: ["35.7","32.2"]
      - tsc: ["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]
    condition: all
    rules:
      - 'c:stat /etc/issue -> r:^Access:\s*\(0644\/.{0,10}\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$'
    regex_type: "PCRE2"

Logs/Alerts example

This is an example of SCA operation using the OS_regex engine:

2022/09/27 06:23:11 sca[13134] wm_sca.c:1004 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 19045 'Ensure permissions on /etc/issue are configured.'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1005 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'all'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1006 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '1'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1007 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1017 at wm_sca_do_scan(): DEBUG: SCA will use 'osregex' engine to check the rules.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1041 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1154 at wm_sca_do_scan(): DEBUG: Running command: 'stat /etc/issue'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1665 at wm_sca_read_command(): DEBUG: Executing command 'stat /etc/issue', and testing output with pattern 'r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1671 at wm_sca_read_command(): DEBUG: Command 'stat /etc/issue' returned code 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(  File: /etc/issue) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(  File: /etc/issue) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(  Size: 26              Blocks: 8          IO Block: 4096   regular file) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(  Size: 26           Blocks: 8          IO Block: 4096   regular file) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(Device: fd00h/64768d      Inode: 1049278     Links: 1) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(Device: fd00h/64768d Inode: 1049278     Links: 1) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1727 at wm_sca_read_command(): DEBUG: Result for (r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\))(stat /etc/issue) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:stat /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)': 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:stat /etc/issue -> r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$': 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1041 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1154 at wm_sca_do_scan(): DEBUG: Running command: 'apparmor_status'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1665 at wm_sca_read_command(): DEBUG: Executing command 'apparmor_status', and testing output with pattern 'n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1671 at wm_sca_read_command(): DEBUG: Command 'apparmor_status' returned code 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1874 at wm_sca_regex_numeric_comparison(): DEBUG: No match found for regex '^(\d+)\s*profiles are loaded'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1891 at wm_sca_regex_numeric_comparison(): DEBUG: Captured value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1908 at wm_sca_regex_numeric_comparison(): DEBUG: Converted value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1745 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Partial comparison '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1787 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value given for comparison: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1808 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value converted: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1826 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Operation is '11 > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1911 at wm_sca_regex_numeric_comparison(): DEBUG: Comparison result '11 > 0' -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1727 at wm_sca_read_command(): DEBUG: Result for (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor_status) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0': 1

This is an example of SCA operation using the PCRE2 engine:

2022/09/27 06:23:11 sca[13134] wm_sca.c:1004 at wm_sca_do_scan(): DEBUG: Beginning evaluation of check id: 19046 'Ensure permissions on /etc/issue are configured.'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1005 at wm_sca_do_scan(): DEBUG: Rule aggregation strategy for this check is 'all'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1006 at wm_sca_do_scan(): DEBUG: Initial rule-aggregator value por this type of rule is '1'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1007 at wm_sca_do_scan(): DEBUG: Beginning rules evaluation.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1017 at wm_sca_do_scan(): DEBUG: SCA will use 'pcre2' engine to check the rules.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1041 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:stat /etc/issue -> r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1154 at wm_sca_do_scan(): DEBUG: Running command: 'stat /etc/issue'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1665 at wm_sca_read_command(): DEBUG: Executing command 'stat /etc/issue', and testing output with pattern 'r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1671 at wm_sca_read_command(): DEBUG: Command 'stat /etc/issue' returned code 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(  File: /etc/issue) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(  File: /etc/issue) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(  Size: 26           Blocks: 8          IO Block: 4096   regular file) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(  Size: 26              Blocks: 8          IO Block: 4096   regular file) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(Device: fd00h/64768d Inode: 1049278     Links: 1) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(Device: fd00h/64768d    Inode: 1049278     Links: 1) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1727 at wm_sca_read_command(): DEBUG: Result for (r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$)(stat /etc/issue) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:stat /etc/issue -> r:^Access:\s*\(0644\/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$': 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1041 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1154 at wm_sca_do_scan(): DEBUG: Running command: 'apparmor_status'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1665 at wm_sca_read_command(): DEBUG: Executing command 'apparmor_status', and testing output with pattern 'n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1671 at wm_sca_read_command(): DEBUG: Command 'apparmor_status' returned code 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1874 at wm_sca_regex_numeric_comparison(): DEBUG: No match found for regex '^(\d+)\s*profiles are loaded'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1891 at wm_sca_regex_numeric_comparison(): DEBUG: Captured value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1908 at wm_sca_regex_numeric_comparison(): DEBUG: Converted value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1745 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Partial comparison '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1787 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value given for comparison: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1808 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value converted: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1826 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Operation is '11 > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1911 at wm_sca_regex_numeric_comparison(): DEBUG: Comparison result '11 > 0' -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1727 at wm_sca_read_command(): DEBUG: Result for (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor_status) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0': 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1041 at wm_sca_do_scan(): DEBUG: Considering rule: 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1154 at wm_sca_do_scan(): DEBUG: Running command: 'apparmor_status'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1665 at wm_sca_read_command(): DEBUG: Executing command 'apparmor_status', and testing output with pattern 'n:^(\d+)\s*profiles are loaded compare > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1671 at wm_sca_read_command(): DEBUG: Command 'apparmor_status' returned code 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1874 at wm_sca_regex_numeric_comparison(): DEBUG: No match found for regex '^(\d+)\s*profiles are loaded'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor module is loaded.) -> 0
2022/09/27 06:23:11 sca[13134] wm_sca.c:1859 at wm_sca_regex_numeric_comparison(): DEBUG: REGEX: '^(\d+)\s*profiles are loaded'. Partial comparison: '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1891 at wm_sca_regex_numeric_comparison(): DEBUG: Captured value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1908 at wm_sca_regex_numeric_comparison(): DEBUG: Converted value: '11'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1745 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Partial comparison '> 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1787 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value given for comparison: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1808 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Value converted: '0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1826 at wm_sca_apply_numeric_partial_comparison(): DEBUG: Operation is '11 > 0'
2022/09/27 06:23:11 sca[13134] wm_sca.c:1911 at wm_sca_regex_numeric_comparison(): DEBUG: Comparison result '11 > 0' -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1966 at wm_sca_pattern_matches(): DEBUG: Testing minterm (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1969 at wm_sca_pattern_matches(): DEBUG: Pattern test result: (n:^(\d+)\s*profiles are loaded compare > 0)(11 profiles are loaded.) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1727 at wm_sca_read_command(): DEBUG: Result for (n:^(\d+)\s*profiles are loaded compare > 0)(apparmor_status) -> 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1157 at wm_sca_do_scan(): DEBUG: Command output matched.
2022/09/27 06:23:11 sca[13134] wm_sca.c:1246 at wm_sca_do_scan(): DEBUG: Result for rule 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0': 1
2022/09/27 06:23:11 sca[13134] wm_sca.c:1269 at wm_sca_do_scan(): DEBUG: Result for check id: 19046 'Ensure permissions on /etc/issue are configured.' -> 1

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • Memory tests for Linux
    • Scan-build report
    • Valgrind (memcheck and descriptor leaks check)
    • AddressSanitizer
  • Memory tests for Windows
    • Scan-build report

FrancoRivero and others added 23 commits May 15, 2023 11:48
@mjcr99 mjcr99 (Member) left a comment
LGTM

@vikman90 vikman90 merged commit 7df598f into 4.5 Jun 7, 2023
47 checks passed
@vikman90 vikman90 deleted the 13931-PCRE2-regex-for-SCA-policies branch June 7, 2023 09:44
Successfully merging this pull request may close these issues.

Feature request: PCRE2 regex for SCA policies