From 85167b2d47f6858ed2f3a5f8b29c1c4ed9c76b33 Mon Sep 17 00:00:00 2001
From: Enrique Martin
Date: Mon, 8 Apr 2024 13:44:48 +0200
Subject: [PATCH] Debugging

---
 .../pandora_security_win/src/pandora_security_win.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py
index 661fd77429..84ba3c0ac1
--- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py
+++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py
@@ -341,13 +341,14 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con
     # Run the auditpol command to check the audit policy for Logon/Logoff
     cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"'
     result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True)
-    last_line = result.stdout.encode(sys.getdefaultencoding()).decode('utf-8').strip().split('\n')[-1].strip()
+    last_line = result.stdout.strip().split('\n')[-1].strip()
+    last_line_parts = re.split(r'\s\s+', last_line)
     cleaned_line = re.sub(' +', ' ', last_line)
 
     # Interpret the result
-    if auditpol_logon_success_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout:
+    if auditpol_logon_success_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()):
         result = 1
-    elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout:
+    elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()):
         result = 0
     else:
         print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr)
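Review bot: The new `last_line_parts[1]` on the `if`/`elif` lines is indexed without a length check, so any auditpol output whose last line has fewer than two double-space-separated columns (empty stdout, a localized banner, an error message) raises IndexError instead of reaching the existing "Unable to determine" branch. A guard keeps that fallback reachable: `setting = last_line_parts[1] if len(last_line_parts) > 1 else None`, then `if setting == auditpol_logon_success_conf:` and `elif setting == auditpol_logon_noaudit_conf:`. The `.encode(sys.getdefaultencoding())` on both sides of the comparison adds nothing — `sys.getdefaultencoding()` is always 'utf-8' on Python 3, so this is a plain string equality with extra allocations; if the intent was to cope with a non-UTF-8 console code page, the place for that is the `encoding=` argument of the `subprocess.run` call above, which is what decodes stdout. Separately, the unchanged `subprocess.run(cmd_command, shell=True, ...)` interpolates `auditpol_logon_category` into a shell string; if that value can come from the config file, passing an argument list with `shell=False` would remove the injection surface. `check_login_audit_policy` starts before this hunk and continues after it.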
@@ -381,7 +382,7 @@ if __name__ == "__main__":
     if(args.conf):
         try:
-            with open(args.conf, 'r', encoding='utf-8') as f:
+            with open(args.conf, 'r', encoding=sys.getdefaultencoding()) as f:
                 content = f.read()
                 config.read_string('[CONF]\n' + content)
         except Exception as e:
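Review bot: `encoding=sys.getdefaultencoding()` on the new `with open(...)` line is equivalent to the `'utf-8'` it replaces — `sys.getdefaultencoding()` returns 'utf-8' on every Python 3 interpreter — so the change does not alter how the config file is decoded. If the problem being debugged is a file saved in the Windows system code page, `locale.getpreferredencoding(False)` (with `import locale`) is the value that tracks it; if it is a UTF-8 file with a BOM from Notepad, `encoding='utf-8-sig'` is enough. Either way the reason should be recorded next to the call, e.g. `# config may be saved in the system code page by Windows editors`. The `if __name__ == "__main__"` block this sits in starts before the hunk and continues after it.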