Log4j Rules for SCA - Windows OS


rahul b

Dec 21, 2021, 8:45:49 AM12/21/21
to Wazuh mailing list
Hi Team,
We are trying to find log4j files on the system with SCA custom rules, but we are getting "not applicable" results even though the files exist on the system. I am requesting your support in creating custom rules to resolve this issue.

Rule details follow.

policy:
  id: "log4j_check"
  file: "log4j_check_test.yml"
  name: "Log4j dependency check"
  description: "This document provides prescriptive guidance for identifying Log4j RCE vulnerability"
  references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

requirements:
  title: "Check that the platform is Windows"
  description: "Requirements for running the SCA scan against machines with log4j files on them."
  condition: all
  rules:
    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows'

checks:
  - id: 20001
    title: "Ensure Log4j files are not on the system."
    description: "The Log4j library is vulnerable to RCE on versions between 2.10 and 2.15."
    remediation: "Update the log4j library to version 2.16 or set log4j2.formatMsgNoLookups to true if possible."
    condition: none
    rules:
      - 'd:c:/ -> ^log4j-core -> r:JndiLookup.class'

Thanks
Rahul

Miguel Casares

Dec 21, 2021, 10:23:10 AM12/21/21
to Wazuh mailing list
Hello Rahul,

The first statement of the SCA policy should match the Windows version to make sure it is being applied in the correct OS. For instance, if you are using Windows 10, you should be using this statement:

requirements:
  title: "Check that the Windows platform is Windows 10"
  description: "Requirements for running the CIS benchmark Domain Controller under Windows 10"
  condition: all
  rules:
    - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'

Otherwise, it won't be run for your OS version.


Then, you would need to detect if log4j-core jar files are present in your OS. If you want to use the d rule syntax, you would need to specify the full folder where the files should be located and check with the regex if the specific files are present.


Another possibility would be to create a PowerShell script that will search all drives for log4j-core*.jar files, and execute it with the c rule syntax.


I hope that helps.

Regards,

Miguel Casares

rahul b

Dec 22, 2021, 12:55:56 AM12/22/21
to Wazuh mailing list
Hi Miguel,
Thanks for sharing the details. Unfortunately, we are not able to provide the full folder path for log4j in the ruleset because we are not sure where the user will copy the files on the system, so we have given the entire C drive to find the files. Is it possible to get the details of log4j versions lower than 2.17.0 and also list the number of files that exist on the system with the SCA ruleset?

Thanks
Rahul
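As an added example (not code posted by either participant in this thread), the following PowerShell script is the kind of check Miguel suggests running through a `c:` rule, and it also covers the follow-up question: it walks every fixed drive for log4j-core*.jar, parses the version out of each filename, counts the jars below a baseline version, and opens each jar to see whether JndiLookup.class is still inside. The 2.17.0 baseline, the script path and the SCA rule shown in the comment are assumptions, not something the thread specifies.

```powershell
# Added example, not from the mailing-list thread: locate log4j-core jars on all
# fixed drives and print a summary that a Wazuh SCA 'c:' rule can match with a regex.

param(
    # Assumption: 2.17.0 is the baseline the follow-up question asks about.
    [version]$MinimumSafe = [version]'2.17.0'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JarVersion {
    param([string]$FileName)
    # log4j-core-2.14.1.jar -> 2.14.1 ; log4j-core-2.0-beta9.jar -> 2.0 ; anything else -> $null
    if ($FileName -match '^log4j-core-(\d+\.\d+(\.\d+)?)') { return [version]$Matches[1] }
    return $null
}

function Test-JarHasJndiLookup {
    param([string]$Path)
    # A jar is a zip archive; look for the class that performs the JNDI lookup.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            return [bool]($zip.Entries | Where-Object { $_.FullName -like '*JndiLookup.class' })
        } finally {
            $zip.Dispose()
        }
    } catch {
        # Unreadable or corrupt archive: report no class rather than aborting the whole scan.
        return $false
    }
}

function Find-Log4jCore {
    # Fixed local disks only (DriveType 3); removable and network drives are skipped.
    $roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { "$($_.DeviceID)\" }

    foreach ($root in $roots) {
        # Access-denied errors on system folders are expected; suppress them and keep going.
        Get-ChildItem -Path $root -Filter 'log4j-core*.jar' -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ver = Get-JarVersion -FileName $_.Name
                [pscustomobject]@{
                    Path          = $_.FullName
                    Version       = $ver
                    # A jar whose version cannot be parsed is treated as suspect, not as safe.
                    BelowMinimum  = ($null -eq $ver) -or ($ver -lt $MinimumSafe)
                    HasJndiLookup = Test-JarHasJndiLookup -Path $_.FullName
                }
            }
    }
}

$found = @(Find-Log4jCore)
$below = @($found | Where-Object BelowMinimum)
$jndi  = @($found | Where-Object HasJndiLookup)

# Summary lines come first so the SCA regex has a stable target. An illustrative rule
# (script path is an assumption) that passes only when no old jar remains:
#   'c:powershell.exe -ExecutionPolicy Bypass -File C:\wazuh\log4j_scan.ps1 -> r:^log4j_core_below_minimum=0$'
"log4j_core_total=$($found.Count)"
"log4j_core_below_minimum=$($below.Count)"
"log4j_core_with_jndilookup=$($jndi.Count)"

# One detail line per jar, so the check output shows exactly what was found and where.
foreach ($f in $found) {
    $v = if ($f.Version) { $f.Version.ToString() } else { 'unknown' }
    "$($f.Path)|$v|below_minimum=$($f.BelowMinimum)|jndilookup=$($f.HasJndiLookup)"
}
```

Two caveats a practitioner would want. Recursing every fixed drive is slow, so keep the SCA scan interval for this policy long rather than the default, and be aware that the filename filter will not catch log4j-core repackaged inside a WAR, EAR or shaded jar. Also, Wazuh agents do not run commands from policies pushed by the manager unless sca.remote_commands is enabled in the agent's local_internal_options.conf; a policy placed locally on the agent does not have that restriction.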