Rework SCA Policy Windows 11 Enterprise

[ooniagbi]

Component	Action type	Main Issue
SCA	Create	#18306

Main tasks

• Use the latest CIS benchmark PDF from https://downloads.cisecurity.org/#/
• Verify IDs numbers.
• Verify texts are correct: Title, Description, Rationale and Remediation.
• Verify Compliance: CIS, CIS_CSC.
• Verify condtion and rules:
  • To Pass.
  • To Fail.
• Solve Related issues:

Checks

Syntax and semantic

• a) ID of each policy must be contiguous.
• b) The order and format set in Documentation must be respected.
• c) YML must be valid to avoid errors.

Content

• a) Compare each check with its analog from CIS Benchmark.
• b) Try maintaining each rule as similar as possible with the Audit section from the CIS check.
• c) Check that the commands provide the expected output.
• d) When a failure is discovered, check similar policies to avoid repetition of the issue.

Unit testing

• a) Output from agent.log after the SCA scan and a raw output of the result of the checks.

Tests results

Analysisd (server or local)

analysisd.debug=2

Auth daemon debug (server)

authd.debug=0

Exec daemon debug (server, local, or Unix agent)

execd.debug=0

Monitor daemon debug (server, local, or Unix agent)

monitord.debug=0

Log collector (server, local or Unix agent)

logcollector.debug=0

Integrator daemon debug (server, local or Unix agent)

integrator.debug=0

Unix agentd

agent.debug=2

2023/11/03 17:33:18 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
2023/11/03 17:33:18 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.

Deployment

• a) If the policy it's new, it must be added to the sca.files templates.
• b) If the OS has many supported SCA policies, a policy must be set as the default policy. (as example)

Documentation

• a) Ensure documentation SCA list includes the created or updated SCA.

[IsExec]

LGTM