diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index d0a2877d..6d3775cd 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **バグ修正:**
 - ルールカウントの一部が正確ではなかった。 (#99) (@fukusuket)
+- タスクスケジューラのログ設定が正確に報告されていなかった。 (#100 (@fukusuket))
 ## 1.0.0 [2025/05/20] - AUSCERT/SINCON リリース
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d565fa23..a29b9ef1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **Bug Fixes:**
 - Some of the rule count was not accurate. (#99) (@fukusuket)
+- TaskScheduler log settings were not accurately reported. (#100 (@fukusuket))
 ## 1.0.0 [2025/05/20] - AUSCERT/SINCON Release
diff --git a/WELA.ps1 b/WELA.ps1
index 232eb2da..f506c4e2 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -1338,13 +1338,14 @@ function GuideYamatoSecurity
 $guid = ""
 $eids = @()
 $channels = @("Microsoft-Windows-TaskScheduler/Operational")
- $enabled = $true
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
 $auditResult += [WELA]::New(
 "TaskScheduler Operational",
 "",
- "Enabled",
+ $current,
 [array]$rules,
 "Enabled",
 "Enabled",
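Review bot: Any non-true result from `CheckRegistryValue` is reported as `Disabled`, so a key WELA cannot read (for example when it runs without rights to open the WINEVT\Channels key) or an absent `Enabled` value becomes indistinguishable from an explicitly disabled channel, and because `$enabled` also flows into `$_.applicable` the same ambiguity marks every TaskScheduler rule as inapplicable; CheckRegistryValue is defined outside the hunk, so confirm how it signals "not found"/"access denied" and, if it can, surface that as a distinct state rather than a false "Disabled" finding. A source that does not depend on registry permissions is the channel's own configuration, e.g. `$enabled = (Get-WinEvent -ListLog "Microsoft-Windows-TaskScheduler/Operational" -ErrorAction SilentlyContinue).IsEnabled -eq $true`. The same two added lines are repeated verbatim in GuideASD (@@ -2536), GuideMSC (@@ -3734) and GuideMSS (@@ -4929); the long registry path and the check could live in one helper so the four copies cannot drift. The enclosing functions start and end outside the hunks.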
@@ -2536,13 +2537,14 @@ function GuideASD {
 $guid = ""
 $eids = @()
 $channels = @("Microsoft-Windows-TaskScheduler/Operational")
- $enabled = $true
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
 $auditResult += [WELA]::New(
 "TaskScheduler Operational",
 "",
- "Enabled",
+ $current,
 [array]$rules,
 "Enabled",
 "",
@@ -3734,13 +3736,14 @@ function GuideMSC {
 $guid = ""
 $eids = @()
 $channels = @("Microsoft-Windows-TaskScheduler/Operational")
- $enabled = $true
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
 $auditResult += [WELA]::New(
 "TaskScheduler Operational",
 "",
- "Enabled",
+ $current,
 [array]$rules,
 "Enabled",
 "",
@@ -4929,13 +4932,14 @@ function GuideMSS {
 $guid = ""
 $eids = @()
 $channels = @("Microsoft-Windows-TaskScheduler/Operational")
- $enabled = $true
+ $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
+ $current = if ($enabled) { "Enabled" } else { "Disabled" }
 $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
 $rules | ForEach-Object { $_.applicable = $enabled }
 $auditResult += [WELA]::New(
 "TaskScheduler Operational",
 "",
- "Enabled",
+ $current,
 [array]$rules,
 "Enabled",
 "",