OS_REGEX Converter required


Shine Cardozo

Jun 14, 2023, 5:04:58 AM
to Wazuh mailing list
Dear Team

Please provide me with a regex converter, as I need to update a few policies in SCA meant for AlmaLinux 8. The thing I am referring to is the following:

Example:
  # 1.5.2 Configure bootloader
  - id: 6030
    title: "Ensure permissions on bootloader config are configured."
    description: "The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.cfg . On newer grub2 systems the encrypted bootloader password is contained in /boot/grub2/user.cfg"
    rationale: "Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them."
    remediation: "Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg # chown root:root /boot/grub2/user.cfg # chmod og-rwx /boot/grub2/user.cfg"
    compliance:
      - cis: ["1.5.2"]
      - cis_csc: ["5.1"]
      - pci_dss: ["2.2.4"]
      - nist_800_53: ["CM.1"]
      - tsc: ["CC5.2"]
      - cis_level: ["1"]
    condition: all
    rules:
      - 'c:stat /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
      - 'c:stat /boot/grub2/user.cfg -> r:Access:\s*\(0\d00/-\w\w\w------\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)|cannot stat'


Here I want to change 
'c:stat /boot/grub2/grub.cfg -> r:Access:\s*\(0\d00/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)'
to a string that matches the following:
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)

I am unable to get the syntax of your OS_REGEX right.
Is there a converter that would convert a normal string to OS_REGEX? (I might need to update multiple strings.)

Sincerely
---

Jeremiah Kolawole

Jun 14, 2023, 5:26:22 AM
to Wazuh mailing list
Hello Shine,

You can use these online regex tools here and here to convert your normal strings to OS_REGEX. These tools will help you to test and validate your regular expressions. I also recommend that you use the documentation when using these tools.

Regards
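
Since the thread does not preserve the links, here is a small stand-in for the two things asked for: turning a literal line such as the `stat` output into an OS_Regex pattern, and checking a pattern against sample text offline. This is an added example, not code from Wazuh or from anyone in the thread. It assumes the OS_Regex rules as documented for this syntax: a literal `(`, `)`, `|`, `$` or backslash is escaped with a backslash; a bare `.` is a literal dot while `\.` is the any-character class; `\s` matches only a space, `\t` only a tab and `\d` a single digit. Characters whose escaping I have not verified (`^`, `*`, `+`, `<`) are rejected rather than guessed. The matcher only approximates OS_Regex with Python's `re`; the authoritative check is still the agent itself. `STAT_LINE` and `SHIPPED_RULE` are copied from the messages above.

```python
r"""Literal-to-OS_Regex converter plus an offline matcher for the common subset.

Added example, not Wazuh code. Assumptions (verify against the OS_Regex syntax
page of your Wazuh version): literal ( ) | $ and \ are escaped with a
backslash; a bare '.' is a literal dot (in OS_Regex '\.' means any character);
\s matches one space, \t one tab, \d one digit. Escaping of ^ * + < is not
covered here, so those characters are rejected instead of guessed.
"""
import re

_ESCAPE = {"\\": "\\\\", "(": "\\(", ")": "\\)", "|": "\\|", "$": "\\$"}
_UNVERIFIED = set("^*+<")


def to_os_regex(literal, loose_whitespace=True):
    r"""Return an OS_Regex pattern that matches `literal`.

    With loose_whitespace=True every run of spaces/tabs becomes '\s*\t*', the
    convention the SCA rules themselves use, so the column alignment of `stat`
    output does not matter. With False each space/tab becomes one '\s'/'\t'.
    """
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch in _UNVERIFIED:
            raise ValueError("escaping of %r is not verified for OS_Regex" % ch)
        if ch in " \t":
            if loose_whitespace:
                while i < len(literal) and literal[i] in " \t":
                    i += 1
                out.append("\\s*\\t*")
                continue
            out.append("\\s" if ch == " " else "\\t")
        else:
            out.append(_ESCAPE.get(ch, ch))
        i += 1
    return "".join(out)


# OS_Regex character classes translated to Python `re` equivalents.
_CLASS = {
    "w": "[A-Za-z0-9@_-]", "d": "[0-9]", "s": " ", "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": "[^A-Za-z0-9@_-]", "D": "[^0-9]", "S": "[^ ]",
    ".": ".",  # OS_Regex '\.' is "anything", like Python's '.'
}


def os_regex_to_python(pattern):
    """Translate the OS_Regex subset used in SCA rules into Python `re` syntax.

    An approximation for offline testing only; the agent (e.g. wazuh-modulesd
    run in the foreground with -fdd) is the authoritative check.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            nxt = pattern[i]
            # either a class letter or an escaped literal such as \( \) \| \$ \\
            out.append(_CLASS.get(nxt, re.escape(nxt)))
        elif ch in "*+|^$()":
            out.append(ch)  # same meaning in both dialects
        else:
            out.append(re.escape(ch))  # '.', '/', '-', letters, digits ...
        i += 1
    return "".join(out)


def os_regex_match(pattern, text):
    """True if the OS_Regex `pattern` matches somewhere in `text`."""
    return re.search(os_regex_to_python(pattern), text) is not None


# Constructed from the thread: the stat output to be matched, and the body
# (after 'r:') of the grub.cfg rule as shipped in the AlmaLinux 8 policy.
STAT_LINE = "Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)"
SHIPPED_RULE = (r"Access:\s*\(0\d00/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)"
                r"\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)")

if __name__ == "__main__":
    new_rule = to_os_regex(STAT_LINE)
    print("r:" + new_rule)
    # '0\d00' accepts 0600 or 0400 but never 0644, so the shipped rule fails here:
    print("shipped rule matches:", os_regex_match(SHIPPED_RULE, STAT_LINE))
    print("converted rule matches:", os_regex_match(new_rule, STAT_LINE))
```

Running it prints the converted rule ready to paste after `r:` and shows why the shipped pattern does not match the 0644 line: `\d` is a single digit, so `0\d00` only accepts modes ending in `00`.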

Shine Cardozo

Jun 15, 2023, 4:16:34 AM
to Jeremiah Kolawole, Wazuh mailing list
Thanks

Also, another small question related to the same topic.

Considering the following:
Checks (Condition: all)
  • f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900
  • f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900
  • not f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900
  • not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900

Is there any way to save the output of the above to ossec.log? I need to check which statement is failing.

Sincerely
Shine


Shine Cardozo | System and Network Administrator


Jeremiah Kolawole

Jun 15, 2023, 6:18:36 AM
to Shine Cardozo, Wazuh mailing list
Hello Shine,

To do this, you need to add an entry for the ossec.log file to capture the SCA checks.

Configure the agent to log the SCA checks to the ossec.conf file. Look for the <localfile> section which defines the log files that the agent should monitor.

You can read more here

Here's an easy alternative, in my opinion.

You can use this debug command to test the rules in your terminal:

pkill modulesd; /var/ossec/bin/wazuh-modulesd -fdd 2>&1 | grep 'sca\['

Regards
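
As a complement to the debug command above, the following added example (not Wazuh code, nor from anyone in the thread) models the four TMOUT checks offline so that each rule's pass/fail is reported individually. It encodes my reading of the check grammar shown in the question: `f:<file> -> n:<regex> compare <op> <n>` passes when some line of the file matches the regex and the captured number satisfies the comparison, a leading `not` inverts the result, and `condition: all` requires every rule to pass. A missing file is treated as having no lines, which is an assumption of this model. The `/etc/bashrc` and `/etc/profile` contents are constructed for the example; on a real host read the files instead, and treat the agent's own `-fdd` output as authoritative.

```python
r"""Offline evaluation of SCA 'f:... -> n:... compare' checks, one verdict per rule.

Added example, not Wazuh code. Models: a rule passes when a line of the file
matches the regex and the captured number satisfies the comparison; 'not'
inverts; condition 'all' needs every rule to pass. A missing file counts as
empty (assumption). The OS_Regex classes used by these rules are translated
minimally: \s = one space, \t = one tab, \d = one digit.
"""
import operator
import re

CHECK_RE = re.compile(r"^(not )?f:(\S+) -> n:(.+) compare (<=|>=|==|!=|<|>) (\d+)$")

OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge,
       ">": operator.gt, "==": operator.eq, "!=": operator.ne}

# The four checks exactly as listed in the question.
CHECKS = [
    r"f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900",
    r"f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare <= 900",
    r"not f:/etc/bashrc -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900",
    r"not f:/etc/profile -> n:^\s*\t*TMOUT\s*\t*=\s*\t*(\d+) compare > 900",
]

# Constructed sample contents: bashrc is compliant, profile is not.
FILES = {
    "/etc/bashrc": "# system-wide bashrc\nTMOUT=600\nreadonly TMOUT\n",
    "/etc/profile": "# system-wide profile\n  TMOUT = 1800\nexport TMOUT\n",
}


def os_regex_to_python(os_regex):
    r"""Minimal translation of the three OS_Regex classes these rules use;
    '^', '*', '+', '=' and the capture group '(...)' mean the same in Python."""
    return os_regex.replace(r"\s", " ").replace(r"\t", "\t").replace(r"\d", "[0-9]")


def evaluate(check, files):
    """Return (passed, detail) for one check against the given file contents."""
    m = CHECK_RE.match(check)
    if not m:
        raise ValueError("unsupported check syntax: " + check)
    negate, path, os_regex, op, value = m.groups()
    pattern = re.compile(os_regex_to_python(os_regex))
    hit = None
    for line in files.get(path, "").splitlines():  # missing file -> no lines
        lm = pattern.search(line)
        if lm and OPS[op](int(lm.group(1)), int(value)):
            hit = line.strip()
            break
    passed = (hit is not None) != bool(negate)  # 'not' inverts the verdict
    detail = "matched %r" % hit if hit else "no line satisfied the comparison"
    return passed, detail


def run_policy(checks, files, condition="all"):
    """Evaluate every check; return (overall, [(check, passed, detail), ...])."""
    results = [(c,) + evaluate(c, files) for c in checks]
    flags = [passed for _, passed, _ in results]
    overall = all(flags) if condition == "all" else any(flags)
    return overall, results


if __name__ == "__main__":
    overall, results = run_policy(CHECKS, FILES)
    for check, ok, detail in results:
        print("%s  %s  (%s)" % ("PASS" if ok else "FAIL", check, detail))
    print("overall:", "passed" if overall else "failed")
```

With the sample files the two `/etc/profile` rules fail (TMOUT is 1800), the two `/etc/bashrc` rules pass, and the overall verdict is failed; the per-rule lines answer the "which statement is failing" question without waiting for a scan.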

Shine Cardozo

Jun 15, 2023, 7:02:06 AM
to Jeremiah Kolawole, Wazuh mailing list
Thanks! 
