Wazuh don't interpret well custom SCA policy

[AlejandroOS]

Hello,

Today I have created a custom SCA policy, that truly, is the same Windows 10 CIS Enterprise Benchmark but translated to Spanish.

I got problems like these

- In English OS, net.exe accounts retrieves: "Length of password history maintained" and shows as "Passed" to detect ""Ensure 'Enforce password history' is set to '24 or more password(s)'.""

- In Spanish OS, I have detected that the output of these line is "Duración del historial de contraseñas", so I have replaced the command to:

• c:net.exe accounts -> n:Duración del historial de contraseñas:\s+(\d+) compare >= 24

This setting is set at 25 in the machine, but the custom SCA policy is showing it as "Failed".

Have tried 1000 regex ways to try to detect this setting, but I think there's something that Wazuh don't interpret well.

Is there anyone that could help me?

Thanks and regards,

[Pedro Nicolás Gomez]

Hi,

The characters "ó" and "ñ" are breaking the regex. It is possible that when this command is executed the response contains strange symbols for the characters "ó" and "ñ".

I did a test by modifying the rule and it worked for me:

c:net.exe accounts -> n:Duraci\S+ del historial de contrase\S+:\s+(\d+) compare >= 24

Note: I had to change the "Duración del historial de contraseñas" value to 24 because it defaulted to 0.

I hope it helps.

Best regards,

Pedro Nicolas.

[Pedro Nicolás Gomez]

I attach the image of the result because it has not been sent correctly in the previous message.

I hope it helps.

Best regards,

Pedro Nicolas.

[AlejandroOS]

Hello Pedro,

Thanks, this helped me too much to figure the rest of the policies and worked well.

I have a question, is there any way to deploy this custom policy in every Wazuh installation automatically?

We are deploying the Wazuh Agent via Intune, and figured out that on the installation the custom policy don't load, and have to do some configuration in every ossec.conf of every agent and load the ruleset manually.

Regards and thanks,

[Pedro Nicolás Gomez]

Hi AlejandroOS, I am glad to hear that you found my suggestion useful.

You can use "centralized configuration" to share custom policy to agents.
Here is a link to the documentation which explains how to do it:
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html#how-to-share-policy-files-and-configuration-with-the-wazuh-agents

Note that the first step is to enable "sca.remote_commands" in the agent, this for security reasons cannot be done from the manager, you must do it in each of the agents to which you want to share the new policy.

I hope it helps.

Best regards,

Pedro Nicolas.

[Jose]

Hello Pedro,

Following what you mentioned above, I was able to solve the problem of the characters "ó" and "ñ" breaking the regular expression mentioned in Nicolas' post

However, for this case, where there is an accent on the word “Validación”, it has not worked for me (I have tried everything mentioned in the previous posts without success)

auditpol.exe /get /subcategory:"Validación de credenciales" -> r:Aciertos y errores

I would appreciate it if you could give me a solution to this problem.

[Jose]

Hello 

Has anyone had the same problem when trying to translate with these types of rules?

[Pedro Nicolás Gomez]

Hi Jose,

I have run several tests but have been unsuccessful. The problem here is that the "ó" character is in the command to execute not in the response.

I will create an issue, it will be prioritized and worked on when convenient.

In the meantime, one solution would be to consider changing the OS language to English.

I hope it helps.
Best regards,
Pedro Nicolas.

[Jose Peredo]

Good night

Regarding the problem, perhaps this is a possible solution. (My case is that I have more than 300 PCs with Spanish language)

This is the original command:
auditpol.exe /get /subcategory:"Credential Validation" -> r:Success and Failure

This is the translation that does not work

auditpol.exe /get /subcategory:"Validación de credenciales" -> r:Aciertos y errores

This is how it would work:
auditpol.exe /get /subcategory:"{0CCE923F-69AE-11D9-BED3-505054503030}" -> r:Aciertos y errores

This way I avoid using accents in the command statement.


The GUIDs of categories and subcategories are obtained in this way:
auditpol /list /subcategory:* /r


I tested it with Windows 10, Windows 11 and Windows Server 2022.

[Pedro Nicolás Gomez]

Hi Jose Peredo,
Thank you very much for sharing your workaround, using the SubcategoryGUID is a more universal way.

Again thank you very much for the contribution.
Regards

Pedro Nicolas

[Corp HQ Pseudo]

Hello Pedro.  Can Wazuh recognize the Cyrillic alphabet in the SCA rules or anywhere else?

For example: cis_win10_enterprise.yml

rules:
      - "c:net user administrator -> r:Не найдено имя пользователя."

[Pedro Nicolás Gomez]

Hi  Corp HQ Pseudo, 

I'm not 100% sure (I tried to download a VM to check but couldn't), but I think it can be interpreted. In your case, you search for a string (in Cyrillic alphabet) inside the result it can be interpreted by a regex, this gives more flexibility so that it can recognize those characters.

By configuring wazuh-agent in debug 2(internal_options.conf file) we could see how it gets the result of the sca policy:

# Windows debug (used by the Windows agent)
windows.debug=2

[Alejandro Olmos Sánchez]

I worked in another solution also and is this one:

'c:auditpol.exe /get /category:* -> r:Validaci\S+n de credenciales\s+ Aciertos y errores'

'c:auditpol.exe /get /category:* -> r:Administraci\S+n de grupos de aplicacionesAciertos y errores'

Regards,