SCA not working for several Windows Server OS


Nadita Candra

Dec 20, 2023, 11:44:20 PM
to Wazuh | Mailing List
Hello Team,
I'm using Wazuh to monitor security events on my company's VPS servers. We use 5 different OSes:
CentOS 7
WinServer 2019
WinServer 2012 R2 Standard
WinServer 2012 Datacenter
WinServer 2008 R2 Enterprise

What I'm asking is why SCA scanning is not working on 2 Windows Server OSes:
WinServer 2012 Datacenter, and
WinServer 2008 R2 Enterprise.

But SCA is working well with the default conf on CentOS 7, WinServer 2019 and 2012 R2 Standard. Is there any way to fix this? Thanks in advance.


Stuti Gupta

Dec 20, 2023, 11:51:39 PM
to Wazuh | Mailing List
Hi team!
Thank you for using Wazuh.

Please allow me some time. I'm looking into this query and will update you with an appropriate answer. Meanwhile, can you please share more information on the current Wazuh version?

Hope to hear from you soon.
Regards

Stuti Gupta

Dec 21, 2023, 12:39:31 AM
to Wazuh | Mailing List
Hi Nadita,
Hope you are doing well.

Wazuh has officially supported policy files; see the table "Available SCA policies". As you can see in the table, right now we don't have the policies for the operating systems you mention. The default policies installed for the unsupported Windows operating systems are the following: https://github.com/wazuh/wazuh-ruleset/blob/master/sca/windows/sca_win_audit.yml
We're still working on policies for the missing OSes and trying to improve Wazuh, and we'll do it as soon as our workflow allows us. You can check the progress on this issue: https://github.com/wazuh/wazuh/issues/14358. However, there is a workaround: you can use it as a template to create your own custom SCA policy. For this, follow the steps mentioned below.

1. To enable a custom policy file add the policy file path to the <sca> block in the Wazuh agent configuration file and give the right permissions. An example is shown below:
<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>
As described in the centralized configuration section, the Wazuh manager can push files and configurations to connected Wazuh agents.
You can enable this feature to push policy files to the Wazuh agents in defined groups.
On the Wazuh agent, edit the local_internal_options.conf file to allow the execution of commands in SCA policies sent from the Wazuh server:
# echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
Note: You do not need to enable remote commands if you add the policy files to each agent without using the Wazuh server to push them.
2. On the Wazuh server, place a new policy file in the /var/ossec/etc/shared/default folder and change its ownership. Replace <NEW_POLICY_FILE> with your policy name.
# chown wazuh:wazuh /var/ossec/etc/shared/default/<NEW_POLICY_FILE>
3. Add the following configuration block to the Wazuh server /var/ossec/etc/shared/default/agent.conf file to configure the new policy file in the Wazuh agent:
<agent_config>
  <!-- Shared agent configuration here -->
  <sca>
    <policies>
        <policy>etc/shared/<NEW_POLICY_FILE></policy>
    </policies>
  </sca>
</agent_config>
4. The new <sca> block in the Wazuh server /var/ossec/etc/shared/default/agent.conf file is merged with the <sca> block on the Wazuh agent side, and the new configuration is added. Finally, restart the wazuh-manager.
Reference: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html

Finally, I give you this link to our documentation: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html Here is how you can create the policies you need.

Hope this helps. Please feel free to contact us for any information/issues.
Regards,
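
A minimal custom SCA policy of the kind the reply above says to create, as an added example that is not part of the reply and not a policy shipped by Wazuh. The policy id, file name, check ids and the ProductName patterns are assumptions chosen for illustration.

```yaml
# Added example: constructed custom SCA policy, not one of Wazuh's own.
# Policy id, file name, check ids and ProductName patterns are assumptions.
policy:
  id: "custom_win_legacy_audit"
  file: "custom_win_legacy_audit.yml"
  name: "Custom baseline for Windows Server 2012 and 2008 R2"
  description: "Registry checks for Windows Server releases without a dedicated SCA policy."
  references:
    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html

# The policy is evaluated only when at least one requirement rule matches.
# Note: the 2012 pattern is a prefix match, so it also matches 2012 R2 hosts.
requirements:
  title: "Check that the host runs Windows Server 2012 or 2008 R2"
  description: "Match the ProductName registry value of the targeted releases."
  condition: any
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012'
    - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2008 R2'

checks:
  # Check ids must be unique across all policies loaded on the agent.
  - id: 100001
    title: "Limit local account use of blank passwords to console logon only"
    description: "Local accounts with blank passwords must not be usable for network logon."
    remediation: 'Set LimitBlankPasswordUse to 1 under HKLM\System\CurrentControlSet\Control\Lsa.'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'

  - id: 100002
    title: "Disable the SMBv1 server"
    description: "The SMBv1 server component should be turned off on file-sharing hosts."
    remediation: 'Set SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.'
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
```

Every rule here is a registry (`r:`) rule, so the policy runs no commands on the agent.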

Nadita Candra

Dec 21, 2023, 2:01:51 AM
to Wazuh | Mailing List
Thank you very much sir, this is very clear info, I wish you good health always.