SCA check command result


doc dodo

9:26 AM (11 hours ago)
to Wazuh | Mailing List
Hello,
I have realtime FIM setting in ossec.conf:
<directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">/var/ossec/etc/ossec.conf</directories>

And I want to check this setting with an SCA configuration.

I have SCA custom rule:
  - id: 330315
    title: "Realtime FIM ossec.conf checking."
    description: "Realtime FIM ossec.conf checking."
    remediation: "Configure FIM ossec.conf."
    condition: all
    rules:
      - "c:cat /var/ossec/etc/ossec.conf | grep realtime | grep ossec.conf | awk '{print $1}' | sed 's/^.//' -> r:directories"

But the result is always "Passed" even if the line with FIM checking is missing.

rodrigo....@wazuh.com

12:39 PM (8 hours ago)
to Wazuh | Mailing List
Hello!

I suggest you attempt using a regex that doesn't just check if the word "directories" is in the output, but that also checks that:
a) It's a <directories> entry
b) contains realtime="yes"
c) It targets /var/ossec/etc/ossec.conf

I have come up with this regex here that seems to do the trick: "<directories[^>]*realtime=\"yes\"[^>]*>\/var\/ossec\/etc\/ossec.conf<\/directories>".

I have tested it using this online tool: https://regex101.com/

You can try feeding it strings such as "<directories realtime="yes">/var/ossec/etc/ossec.conf</directories>" to make sure that the above conditions are met, and only then should the result be "Passed".
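An added illustration, not code from either message: it runs the two approaches over constructed ossec.conf fragments with Python's re module, approximating the original grep/awk/sed pipeline in Python and using the regex from the reply (with the dot in ossec.conf escaped). It assumes the engine Wazuh SCA uses for r: patterns accepts this PCRE-style expression; the sample fragments are constructed for the demonstration.

```python
import re

# Pattern from the reply, with the literal dot escaped so it cannot match "ossec_conf".
FIM_REALTIME_RE = re.compile(
    r'<directories[^>]*realtime="yes"[^>]*>/var/ossec/etc/ossec\.conf</directories>'
)

# Constructed ossec.conf fragments (not taken from a real deployment).
SAMPLE_OK = """<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">/var/ossec/etc/ossec.conf</directories>
  </syscheck>
</ossec_config>
"""
SAMPLE_REALTIME_OFF = SAMPLE_OK.replace('realtime="yes"', 'realtime="no"')
SAMPLE_WRONG_PATH = SAMPLE_OK.replace("ossec.conf</directories>", "ossec.conf.bak</directories>")
SAMPLE_MISSING = "<ossec_config>\n  <syscheck>\n  </syscheck>\n</ossec_config>\n"


def pipeline_check(conf: str) -> bool:
    """Approximate the original rule: grep realtime | grep ossec.conf |
    awk '{print $1}' | sed 's/^.//', then test the output against r:directories.
    It only asks whether some line mentions both words and starts with <directories."""
    first_fields = []
    for line in conf.splitlines():
        if "realtime" in line and "ossec.conf" in line:
            fields = line.split()
            if fields:
                first_fields.append(fields[0][1:])  # sed 's/^.//' drops the leading '<'
    return any("directories" in field for field in first_fields)


def regex_check(conf: str) -> bool:
    """The reply's approach: one regex that requires a <directories> element with
    realtime="yes" whose value is exactly /var/ossec/etc/ossec.conf."""
    return FIM_REALTIME_RE.search(conf) is not None


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("realtime_off", SAMPLE_REALTIME_OFF),
                         ("wrong_path", SAMPLE_WRONG_PATH), ("missing", SAMPLE_MISSING)]:
        print(f"{name:13s} pipeline={pipeline_check(sample)!s:5s} regex={regex_check(sample)}")
```

The pipeline-style check still reports a match when realtime is "no" or when a different path ending in ossec.conf is monitored; the single regex only matches the intended entry.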