


Hi, shadowedr,
I will share with you some thoughts on your points:
About the vulnerability:
Your screenshot shows KB5005633, but the report is about KB5008244. In MSU are the KBs that will mitigate this vulnerability. Having one will solve your vulnerability:
"KB5008244": [
    "KB5011552",
    "KB5009610",
    "KB5012626",
    "KB5014012",
    "KB5010404"
],
Also, you can check this by searching the KB5008244 in the catalog:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5008244
About SCA customization:
Each agent has the SCA policies under the folder your-wazuh-agent-folder/ruleset/sca. The one related to your request is sca_win_audit.yml. You can find check id 14562 there. The description, rationale, and remediation fields can be modified to include custom details related to the server where you are running this policy. Remember that each SCA policy in an agent is only associated with that agent. Remember that this file will be replaced after the next wazuh-agent upgrade. Rename the current file to sca_win_audit.yml.disabled, make a copy with a custom name, and modify the content as needed.
- id: 14562
  title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
  description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
  rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
  remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
  compliance:
    - cis_csc: ["4.5"]
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
You can modify the condition and rules fields as well. You need to be familiar with the SCA syntax. You can find documentation and details at https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html.
I hope this helps.
Please feel free to reach out to me if you need any further clarification.
Best Regards,
Jose.
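To make the rule syntax in check 14562 concrete, the following is a simplified Python model of how an SCA registry rule and its condition are evaluated. It is an added example, not Wazuh's engine and not code from the post above: the registry snapshot is constructed, and only 'r:' registry rules with literal or 'r:' regex content, a leading 'not', and the all/any/none conditions are modelled.

```python
import re

# Constructed snapshot of the relevant registry subtree: {key_path: {value_name: data}}
REGISTRY_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU": {
        "NoAutoRebootWithLoggedOnUsers": "0",  # the data check 14562 expects
        "AUOptions": "4",
    },
}

# Check 14562 from sca_win_audit.yml, reduced to the fields the evaluator needs
CHECK_14562 = {
    "id": 14562,
    "condition": "all",
    "rules": [
        r"r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
        r" -> NoAutoRebootWithLoggedOnUsers -> 0",
    ],
}

def eval_registry_rule(rule, registry):
    """Evaluate one 'r:<key> -> <value name> -> <expected>' rule (simplified model).
    A missing key or value never matches; a leading 'not ' inverts the result;
    expected content starting with 'r:' is a regex, anything else a literal."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[4:]
    if not rule.startswith("r:"):
        raise ValueError("only registry (r:) rules are modelled here")
    parts = [p.strip() for p in rule[2:].split("->")]
    if len(parts) != 3:
        raise ValueError(f"unsupported rule shape: {rule}")
    key, value_name, expected = parts
    data = registry.get(key, {}).get(value_name)
    if data is None:
        matched = False  # absent policy value: the hardening is not in place
    elif expected.startswith("r:"):
        matched = re.search(expected[2:], str(data)) is not None
    else:
        matched = str(data) == expected
    return not matched if negate else matched

def check_result(check, registry):
    """Aggregate rule results under the check's condition: all / any / none."""
    results = [eval_registry_rule(r, registry) for r in check["rules"]]
    aggregate = {"all": all, "any": any, "none": lambda r: not any(r)}
    return "passed" if aggregate[check["condition"]](results) else "failed"

if __name__ == "__main__":
    print(f"check {CHECK_14562['id']}: {check_result(CHECK_14562, REGISTRY_SNAPSHOT)}")
```

Running it against the snapshot reports the check as passed; removing the AU key or setting the value to 1 makes it fail, which is the behaviour a customised rule should be tested for before the policy is deployed.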