SCA: Implement Execution Logic #687

Closed
4 tasks done
TomasTurina opened this issue Mar 20, 2025 · 10 comments · Fixed by #753
Labels: level/task (Task issue), module/sca (Security Compliance Assessment), type/enhancement (Enhancement issue)

Comments

TomasTurina commented Mar 20, 2025

Description

This task involves executing SCA policy checks, including commands, file and directory checks, registry evaluations, and process inspections. Each check must run as an independent coroutine to allow scan interruptions at any time. Common helper libraries (e.g., cmdHelper, file_helper, registryHelper) should be used to streamline implementation.

Tasks

  1. Research & Design

    • Define execution requirements for each check type.
    • Establish coroutine-based execution flow.
  2. Development

    • Implement execution logic for each check type.
    • Ensure coroutine-based execution for interruption support.
    • Integrate with common helper libraries.
  3. Unit Testing

    • Develop tests to validate each check execution.
    • Ensure proper handling of scan interruptions.
  4. Documentation

    • Document execution flow and helper library usage.
    • Provide examples of check execution behavior.

Definition of Done

  • Execution logic for all check types is implemented.
  • Coroutine-based execution supports scan interruption.
  • Unit tests validate execution correctness.
  • Documentation is complete and reviewed.
TomasTurina added the level/task, module/sca and type/enhancement labels on Mar 20, 2025
@wazuhci wazuhci moved this to Triage in XDR+SIEM/Release 5.0.0 Mar 21, 2025
@wazuhci wazuhci moved this from Triage to Backlog in XDR+SIEM/Release 5.0.0 Mar 21, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Apr 10, 2025
jr0me commented Apr 11, 2025

Update

At the moment, I’m focused on analyzing the wm_sca_do_scan function to understand how the SCA module evaluates and processes individual checks. This includes examining how it handles different rule types (file, command, process, etc.), manages variable substitution, selects the appropriate regex engine, and applies aggregation strategies (ALL, ANY, NONE). I’m also looking into how results are collected, how events are built and sent, and how the function interacts with the cis_db_for_hash structure to prevent duplicate alerts.

jr0me commented Apr 14, 2025

Update

Started implementing an abstraction for the policy classes that will carry the execution logic.

jr0me commented Apr 15, 2025

Update

I continue to design and implement the rule evaluation classes.

jr0me commented Apr 22, 2025

Update

Refactored the current code and implemented parsing functions to separate rule types from patterns and negation marks, and to sort and replace variables.
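
A minimal model of the rule handling described in the Apr 11 and Apr 22 updates (rule type and negation parsing, variable substitution, and ALL/ANY/NONE aggregation), written as an added example that is not code from the linked PR or the wazuh repository. The rule grammar `[not ]<type>:<target>[ -> r:<regex>]`, the in-memory file table standing in for file_helper, the use of std::regex in place of the module's regex engine selection, and all function names are assumptions.

```cpp
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>
static const std::map<std::string, std::string> kFiles = {  // constructed stand-in for file_helper
    {"/etc/ssh/sshd_config", "Port 22\nPermitRootLogin no\n"}, {"/etc/motd", "welcome\n"}};
struct ParsedRule { bool negated; std::string type, target, pattern; };
// Replace every occurrence of each policy variable (e.g. "$sshd_file") with its value.
std::string substituteVars(std::string s, const std::map<std::string, std::string>& vars) {
    for (const auto& [name, value] : vars)
        for (size_t pos = s.find(name); pos != std::string::npos; pos = s.find(name, pos + value.size()))
            s.replace(pos, name.size(), value);
    return s;
}
// Assumed grammar: "[not ]<type>:<target>[ -> r:<regex>]"; a leading "not" inverts the result.
ParsedRule parseRule(std::string rule, const std::map<std::string, std::string>& vars) {
    ParsedRule r{}; rule = substituteVars(rule, vars);
    if (rule.rfind("not ", 0) == 0) { r.negated = true; rule.erase(0, 4); }
    r.type = rule.substr(0, 1); rule.erase(0, 2);  // consume "<type>:"
    const auto arrow = rule.find(" -> r:");
    r.target = rule.substr(0, arrow);
    if (arrow != std::string::npos) r.pattern = rule.substr(arrow + 6);
    return r;
}
// Only the file ("f:") type is modelled: existence check, or regex match on any line.
bool evaluateRule(const ParsedRule& r) {
    if (r.type != "f") return false;  // unsupported types fail closed in this model
    const auto it = kFiles.find(r.target); bool found = it != kFiles.end();
    if (found && !r.pattern.empty()) {  // match line by line so "^" anchors each line
        found = false;
        std::istringstream lines(it->second);
        for (std::string line; !found && std::getline(lines, line);)
            found = std::regex_search(line, std::regex(r.pattern));
    }
    return r.negated ? !found : found;
}
// Aggregation strategy over the per-rule results: all / any / none.
bool aggregate(const std::string& condition, const std::vector<bool>& results) {
    size_t passed = 0; for (bool b : results) passed += b;
    if (condition == "all") return passed == results.size();
    if (condition == "any") return passed > 0;
    return passed == 0;  // "none"
}
bool checkPasses(const std::string& condition, const std::vector<std::string>& rules, const std::map<std::string, std::string>& vars) {
    std::vector<bool> results;
    for (const auto& rule : rules) results.push_back(evaluateRule(parseRule(rule, vars)));
    return aggregate(condition, results);
}
```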

@jr0me jr0me linked a pull request Apr 23, 2025 that will close this issue
jr0me commented Apr 23, 2025

Update

Opened a draft PR (#753) with most rule evaluators drafted.

jr0me commented Apr 24, 2025

Update

Re-implemented OsUtils to get the list of running processes for the process rule evaluation.

jr0me commented Apr 25, 2025

Implemented missing logic in evaluators and added tests to all of them but Registry type.

jr0me commented Apr 28, 2025

Fixed some issues that were incorporated with the latest rebase.
Added Registry tests.
Using Utils::Exec from cmdHelper doesn't work like the 4.x implementation, and the command's output leaks into the console. I'm looking into Boost::process to achieve behavior similar to the 4.x implementation.

jr0me commented Apr 29, 2025

Implemented a new Utils::Exec based on boost::process, while keeping the old implementation as PipeOpen (renamed). Looking into generating event messages with results from policy checks.

jr0me commented Apr 30, 2025

Corrected some comments on the PR, which is now open and ready for review.

@wazuhci wazuhci moved this from In progress to Done in XDR+SIEM/Release 5.0.0 Apr 30, 2025