The SCA for Win 10, cis_win10_enterprise.yml, contains ID 15004 to validate that password complexity is enabled, but the detection doesn't work correctly. The same may be true for SCA for other versions of Windows...I haven't checked.
The rule is defined as 'c:powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser -> r:ComplexityEnabled\s+: True'
In most environments, this is going to be a false failure (false-negative) for 2 reasons that I know of:
1 - The system executing the PowerShell command needs to have the ActiveDirectory PowerShell module installed, and that usually only exists on sysadmin systems. If you run it on a system that doesn't have the module, it will return an error...
2 - If the AD ps module is installed, the command still needs to be executed by a user on the domain for it to actually retrieve the policy. Forgive me if this isn't 100% accurate because I'm new to using Wazuh, but I believe everything executed for SCA is done by the Agent Service, so it runs as System, and System can't retrieve the domain policy.
Whereas, if it were executed by a user on the domain, it would actually retrieve the policy and the desired result "ComplexityEnabled\s+: True" would succeed.
Or, if the command is going to be executed by System because it's run by the Agent Service, it could have credentials for any regular non-privileged domain user passed into it and it would succeed, but I don't know if Wazuh has a way to do something like that (particularly without leaving plaintext creds in a file somewhere).
Colin Edwards
CISSP, GDSA, GCIH, GMON, GCWN
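An added example (not from the post above or from the Wazuh project) of how a defender could wrap the same `Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser` call so that the two failure modes the post describes (module absent, wrong execution context) are reported explicitly instead of surfacing as a silent "complexity not enabled" failure. The function name is hypothetical; the output format is chosen so the existing `r:ComplexityEnabled\s+: True` pattern still matches only on a genuine positive result.

```powershell
# Added example: diagnose WHY the domain password complexity check could not be
# evaluated, rather than letting a module or context error look like a failed control.
function Get-DomainPasswordComplexityStatus {
    # Record the identity the check runs under (e.g. NT AUTHORITY\SYSTEM for the agent service)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Failure mode 1 from the post: the ActiveDirectory module is not installed on this host
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        return "ComplexityEnabled : Unknown (ActiveDirectory module not installed; ran as $who)"
    }

    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        # The same cmdlet and parameter the SCA rule 15004 invokes
        $policy = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser -ErrorAction Stop
        # Genuine result: prints "ComplexityEnabled : True" or "ComplexityEnabled : False"
        return "ComplexityEnabled : $($policy.ComplexityEnabled)"
    }
    catch {
        # Failure mode 2 from the post: the cmdlet could not retrieve the policy in this
        # context; surface the identity and the error text instead of an empty result
        return "ComplexityEnabled : Unknown (ran as $who; $($_.Exception.Message))"
    }
}

Get-DomainPasswordComplexityStatus
```

An "Unknown" line still fails the `r:ComplexityEnabled\s+: True` match, but anyone running the command by hand on the agent host can immediately see which of the two causes applies.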