diff --git a/wazuh/cis_ubuntu22-04_workstation_level_1.yml b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
index 80af1aa..b4a8222 100644
--- a/wazuh/cis_ubuntu22-04_workstation_level_1.yml
+++ b/wazuh/cis_ubuntu22-04_workstation_level_1.yml
@@ -445,10 +445,10 @@ checks:
 - soc_2: ["CC5.2", "CC6.1"]
 condition: all
 rules:
- - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:apparmor=1'
- - 'f:/boot/grub/grub.cfg -> r:^\s*linux && r:security=apparmor'
- - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:apparmor=1'
- - 'not f:/boot/grub/grub.cfg -> r:^\s*linux && !r:security=apparmor'
+ - 'f:/boot/grub/grub.cfg -> r:^\t*linux && r:apparmor=1'
+ - 'f:/boot/grub/grub.cfg -> r:^\t*linux && r:security=apparmor'
+ - 'not f:/boot/grub/grub.cfg -> r:^\t*linux && !r:apparmor=1'
+ - 'not f:/boot/grub/grub.cfg -> r:^\t*linux && !r:security=apparmor'
 # 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode (Automated)
 - id: 28535
@@ -1023,7 +1023,7 @@ checks:
 - soc_2: ["CC6.3", " CC6.6"]
 condition: all
 rules:
- - 'not c:ss -lntu -> r:\.*:25\s && r:127.0.0.1:25\s+|::1]:25\s+'
+ - 'c:ss -lntu -> r:\.*:25\s && r:127.0.0.1:25\s+|::1]:25\s+'
 # 2.2.16 Ensure rsync service is either not installed or masked (Automated)
 - id: 28566
@@ -1042,7 +1042,7 @@ checks:
 - pci_dss_v3.2.1: ["1.1.6", " 1.2.1", " 2.2.2", " 2.2.5"]
 - pci_dss_v4.0: ["1.2.5", " 2.2.4", " 6.4.1"]
 - soc_2: ["CC6.3", " CC6.6"]
- condition: all
+ condition: any
 rules:
 - "c:dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\\n' rsync -> r:no packages found matching rsync|deinstall|not-installed"
 - 'c:systemctl is-active rsync" -> r:inactive'
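Review bot: The four new `r:^\t*linux` anchors no longer match a `linux` line that is indented with spaces, because the edit replaces `\s*` instead of adding `\t*` next to it; the rest of this file uses the `\s*\t*` idiom for exactly this purpose (see the `$FileCreateMode` rules in the hunk at 1961). Presumably the change was made because the SCA regex engine treats `\s` as a plain space and so missed the tab-indented entries grub writes; if so, `r:^\s*\t*linux` keeps that fix without losing the space-indented case. Apply it to all four added lines, e.g. `- 'f:/boot/grub/grub.cfg -> r:^\s*\t*linux && r:apparmor=1'`. The check's `- id:` line is above the hunk.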
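Review bot: Dropping `not` from the port-25 rule makes the check pass as soon as a single `:25` socket is bound to loopback, so a host that additionally listens on a non-loopback address still passes, while a host with no MTA listening at all now fails. If `&&` and `!r:` combine per output line as they do in the AppArmor rules of the first hunk, the benchmark's intent ("no port-25 listener outside loopback") is closer to a negated rule that rejects any non-loopback match: `- 'not c:ss -lntu -> r:\.*:25\s && !r:127.0.0.1:25\s+|::1]:25\s+'`. That form also passes when nothing listens on 25, which the benchmark treats as compliant. The check's `- id:` line is outside the hunk.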
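Review bot: With `condition: any` the second rule of 2.2.16 can now pass the check on its own, and that rule is both malformed and weaker than the title: the command carries a stray quote, `c:systemctl is-active rsync"`, and `is-active -> r:inactive` accepts an installed, enabled-but-currently-stopped rsync, whereas the check requires it to be masked. Suggest `- 'c:systemctl is-enabled rsync -> r:masked'` so the `any` short-circuit only fires on the state the title actually names; the dpkg-query rule already covers the not-installed case. The `- id: 28566` line sits in the previous hunk's context, outside this one.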
@@ -1961,7 +1961,7 @@ checks:
 - pci_dss_3.2.1: ["10.2", "10.3"]
 - pci_dss_4.0: ["5.3.4", "6.4.1", "6.4.2", "10.2.1", "10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.2"]
 - nist_sp_800-53: ["AU-7"]
- condition: all
+ condition: any
 rules:
 - 'f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode 0640'
 - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*\$FileCreateMode 0640'
@@ -2211,8 +2211,9 @@ checks:
 - pci_dss_4.0: ["1.3.1", "7.1"]
 - nist_sp_800-53: ["AC-5", "AC-6"]
 - soc_2: ["CC5.2", "CC6.1"]
- condition: all
+ condition: any
 rules:
+ - 'not f:/usr/sbin/sshd'
 - 'c:stat /etc/ssh/sshd_config -> r:Access:\s*\t*\(0600/-rw-------\)\s*\t*Uid:\s*\t*\(\s*\t*0/\s*root\)\s*Gid:\s*\t*\(\s*\t*0/\s*\t*root\)'
 # 5.2.4 Ensure SSH access is limited (Automated)
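Review bot: Switching the `$FileCreateMode` check to `condition: any` means it passes when `0640` appears in either rsyslog.conf or one rsyslog.d/*.conf, even if another of those files sets a more permissive value, which, depending on include order, is the one rsyslog applies to later actions. The previous `all` was too strict for setups that place the directive in only one file, but under `any` a rejecting rule would itself be short-circuited, so the override case can only be caught by a separate check, e.g. `'not f:/etc/rsyslog.conf -> r:^\s*\t*\$FileCreateMode && !r:0640'` plus its `d:/etc/rsyslog.d` counterpart. Note also that both regexes accept exactly `0640`, not the benchmark's "or more restrictive". The enclosing check's `- id:` line is above the hunk.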
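Review bot: The new gate `not f:/usr/sbin/sshd` together with `condition: any` passes the whole check when the server binary is missing, even if `/etc/ssh/sshd_config` is still present with lax permissions (left over after package removal, or used by an sshd installed under another path); gating on the file under test is tighter: `- 'not f:/etc/ssh/sshd_config'`. Either way the gate deserves a comment, e.g. `# skip when sshd is absent; otherwise the stat rule must match`, since under `any` the stat line is no longer the only way the check can pass. The stat regex also accepts exactly `0600` while 5.2.1 allows more restrictive modes, though that line predates this commit. The check's `- id:` line is above the hunk.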