Create Script-based Checks

Updated Nov 22, 2023

Slang supports checks written in other common scripting languages, in addition to the built-in library of standards-based checks. Scripts can be in any format or language that the scan target supports.

For Windows, use:

For Linux, use:

Before you begin

Steps

  1. Create a script-based check.
  2. Add a script-based check to a rule.
  3. Test the script-based check.

Step 1: Create a script-based check

Script checks use the Script Check Engine (SCE) standard. See Script Check Engine for more information. You can use Slang parameters with script-based checks the same way as regular Slang checks.

  1. Open Visual Studio Code (VS Code).

  2. Select File > New File..., and then name the file <check_name>.ps1.

  3. Copy this script, and then paste it in the new .ps1 file:

    For example:

      # This script checks TPM status using the Get-Tpm cmdlet. #
      # Clear any errors left over from earlier commands
      $error.Clear()
      # Check that a TPM is present and ready; exit with the SCE result code
      try {
        $TPM = Get-Tpm
        Write-Output $TPM
        if ($TPM -and $TPM.TpmPresent -and $TPM.TpmReady) {
          Write-Output "Result: PASS"
          exit $env:XCCDF_RESULT_PASS
        } else {
          Write-Output "Result: FAIL"
          exit $env:XCCDF_RESULT_FAIL
        }
      } catch {
        # Get-Tpm threw (for example, the cmdlet is unavailable): report ERROR, not FAIL
        Write-Output $_
        Write-Output "Result: ERROR"
        exit $env:XCCDF_RESULT_ERROR
      }
  4. Save the file in the /Slang/check_scripts folder.

Step 2: Add a script-based check to a rule

When you add scripts to your ~/Slang/check_scripts folder, you can use them in Slang rules. See Add rules to the project for more information.

  1. In VS Code, select File > Open Folder, and then navigate to your project.

  2. Create a file, and then name it <rule_id>.slang.

  3. Copy this content, and then paste it in the new .slang file:

    Rule:
      title: <rule_name>
      checks:
        - common.script:
          script_file: <check_name>.ps1
  4. (Optional) Export parameters as environment variables to use in your script.

    For example:

    - common.script:
      script_file: <check_name>.ps1
      set_environment_variables:
          <environment_variable>: ${<parameter_name>}

    In SCE, exported variables are prefixed by XCCDF_VALUE_. To use the environment variables in your script, use the appropriate syntax for your scripting language. For example, use $env:XCCDF_VALUE_<environment_variable> in PowerShell and $XCCDF_VALUE_<environment_variable> in bash.

  5. Save the rule file.

  6. Run this command to export your project, including the new script-based check:

    slang export <project_name> <project_name>.xml
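    The following PowerShell check is an added example, not part of the Arctic Wolf documentation or the Slang project. It combines Step 1 and the optional parameter export from Step 2: the rule is assumed to export a Slang parameter as the environment variable service_name, which SCE exposes to the script as $env:XCCDF_VALUE_service_name, and the check passes when that Windows service is disabled and not running. The fallback exit codes in Exit-WithResult are OpenSCAP's SCE values and are assumed only so the script can be run by hand outside a scan.

```powershell
# Added example (not Arctic Wolf's code): parameterized SCE check in PowerShell.
# Assumes the rule exports a parameter as the environment variable "service_name",
# which SCE presents to the script as XCCDF_VALUE_service_name.
$ErrorActionPreference = 'Stop'
$error.Clear()

function Exit-WithResult {
    # Writes "Result: <NAME>" and exits with the code SCE expects for that result.
    # Inside a scan, SCE provides XCCDF_RESULT_*; the fallback table (OpenSCAP's
    # SCE values, an assumption) only matters when the script is run by hand.
    param([Parameter(Mandatory)][string]$Name)
    $fallback = @{ PASS = 101; FAIL = 102; ERROR = 103; UNKNOWN = 104 }
    $code = [Environment]::GetEnvironmentVariable("XCCDF_RESULT_$Name")
    if (-not $code) { $code = $fallback[$Name] }
    Write-Output "Result: $Name"
    exit ([int]$code)
}

$serviceName = $env:XCCDF_VALUE_service_name
if ([string]::IsNullOrWhiteSpace($serviceName)) {
    # The rule did not export the parameter: report UNKNOWN rather than a
    # misleading PASS or FAIL.
    Write-Output "Parameter service_name was not provided (XCCDF_VALUE_service_name is empty)"
    Exit-WithResult 'UNKNOWN'
}

try {
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A service that is not installed cannot run, so the control is met.
        Write-Output "Service '$serviceName' is not installed"
        Exit-WithResult 'PASS'
    }
    Write-Output "Service '$serviceName': Status=$($svc.Status) StartType=$($svc.StartType)"
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running') {
        Exit-WithResult 'PASS'
    }
    Exit-WithResult 'FAIL'
} catch {
    # Any unexpected failure (access denied, cmdlet error) is an ERROR, not a FAIL.
    Write-Output $_
    Exit-WithResult 'ERROR'
}
```

    The matching rule entry would list service_name under set_environment_variables, for example `service_name: ${<parameter_name>}`, so that SCE exports it with the XCCDF_VALUE_ prefix.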

Step 3: Test the script-based check

  1. Run a scan.

    Note: If you have access to a Windows 10 device to scan against, and have completed Test a Slang project, run this command to export and test your project using a profile:

    slang export <project_name> <project_name>.xml --scan_config <config_name> --profile profile.<profile_name>.slang --elevate y
  2. Review the results to make sure the script worked as expected.

    For example, verify that the output includes XCCDF_RESULT_PASS, XCCDF_RESULT_FAIL, XCCDF_RESULT_ERROR, or XCCDF_RESULT_UNKNOWN.

Next steps

See also