CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2025-12-06 17:22:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #103 from Yamato-Security/100-fix-task-sche-setting

Browse Source 
fix: TaskScheduler log audit setting
This commit is contained in:
Zach Mathis (田中ザック)
2025-10-05 15:33:06 +08:00
committed by GitHub
parent b73787e3e1 5246b0dbf0
commit f593299509
3 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG-Japanese.md
View File

@@ -5,6 +5,7 @@
**バグ修正:** **バグ修正:**
- ルールカウントの一部が正確ではなかった。 (#99) (@fukusuket) - ルールカウントの一部が正確ではなかった。 (#99) (@fukusuket)
- タスクスケジューラのログ設定が正確に報告されていなかった。 (#100 (@fukusuket))
## 1.0.0 [2025/05/20] - AUSCERT/SINCON リリース ## 1.0.0 [2025/05/20] - AUSCERT/SINCON リリース

1
CHANGELOG.md
View File

@@ -5,6 +5,7 @@
**Bug Fixes:** **Bug Fixes:**
- Some of the rule count was not accurate. (#99) (@fukusuket) - Some of the rule count was not accurate. (#99) (@fukusuket)
- TaskScheduler log settings were not accurately reported. (#100 (@fukusuket))
## 1.0.0 [2025/05/20] - AUSCERT/SINCON Release ## 1.0.0 [2025/05/20] - AUSCERT/SINCON Release

20
WELA.ps1
View File

@@ -1338,13 +1338,14 @@ function GuideYamatoSecurity
$guid = "" $guid = ""
$eids = @() $eids = @()
$channels = @("Microsoft-Windows-TaskScheduler/Operational") $channels = @("Microsoft-Windows-TaskScheduler/Operational")
$enabled = $true $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
$current = if ($enabled) { "Enabled" } else { "Disabled" }
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
$rules | ForEach-Object { $_.applicable = $enabled } $rules | ForEach-Object { $_.applicable = $enabled }
$auditResult += [WELA]::New( $auditResult += [WELA]::New(
"TaskScheduler Operational", "TaskScheduler Operational",
"", "",
"Enabled", $current,
[array]$rules, [array]$rules,
"Enabled", "Enabled",
"Enabled", "Enabled",
@@ -2536,13 +2537,14 @@ function GuideASD {
$guid = "" $guid = ""
$eids = @() $eids = @()
$channels = @("Microsoft-Windows-TaskScheduler/Operational") $channels = @("Microsoft-Windows-TaskScheduler/Operational")
$enabled = $true $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
$current = if ($enabled) { "Enabled" } else { "Disabled" }
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
$rules | ForEach-Object { $_.applicable = $enabled } $rules | ForEach-Object { $_.applicable = $enabled }
$auditResult += [WELA]::New( $auditResult += [WELA]::New(
"TaskScheduler Operational", "TaskScheduler Operational",
"", "",
"Enabled", $current,
[array]$rules, [array]$rules,
"Enabled", "Enabled",
"", "",
@@ -3734,13 +3736,14 @@ function GuideMSC {
$guid = "" $guid = ""
$eids = @() $eids = @()
$channels = @("Microsoft-Windows-TaskScheduler/Operational") $channels = @("Microsoft-Windows-TaskScheduler/Operational")
$enabled = $true $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
$current = if ($enabled) { "Enabled" } else { "Disabled" }
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
$rules | ForEach-Object { $_.applicable = $enabled } $rules | ForEach-Object { $_.applicable = $enabled }
$auditResult += [WELA]::New( $auditResult += [WELA]::New(
"TaskScheduler Operational", "TaskScheduler Operational",
"", "",
"Enabled", $current,
[array]$rules, [array]$rules,
"Enabled", "Enabled",
"", "",
@@ -4929,13 +4932,14 @@ function GuideMSS {
$guid = "" $guid = ""
$eids = @() $eids = @()
$channels = @("Microsoft-Windows-TaskScheduler/Operational") $channels = @("Microsoft-Windows-TaskScheduler/Operational")
$enabled = $true $enabled = CheckRegistryValue -registryPath "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational" -valueName "Enabled" -expectedValue 1
$current = if ($enabled) { "Enabled" } else { "Disabled" }
$rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid } $rules = $all_rules | Where-Object { RuleFilter $_ $eids $channels $guid }
$rules | ForEach-Object { $_.applicable = $enabled } $rules | ForEach-Object { $_.applicable = $enabled }
$auditResult += [WELA]::New( $auditResult += [WELA]::New(
"TaskScheduler Operational", "TaskScheduler Operational",
"", "",
"Enabled", $current,
[array]$rules, [array]$rules,
"Enabled", "Enabled",
"", "",