SCA Windows 11


Jonathan G.

Aug 31, 2022, 11:00:26 AM
to Wazuh mailing list
Hello,

I updated Wazuh to version 4.3.7, I saw that there was the CIS benchmark for Windows 11 21H2 included in the update. I tried to activate it by following the documentation here: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html#how-to-share-policy-files-and-configuration-with-the-wazuh-agents

When I go, on wazuh, in SCA, then in CIS Benchmark for Windows 11 Enterprise (Release 21H2), it does not load and I have an error. (See screenshot)

I saw that the file cis_win11_enterprise.yml does not go up on the agent in ruleset/sca but it is well present in the shared folder.

So, I put in agent.conf:
    <sca>
      <policies>
        <policy enabled="yes">C:\Program Files (x86)\ossec-agent\shared\cis_win11_enterprise.yml</policy>
      </policies>
    </sca>


In ossec.conf:

    <sca>
      <enabled>yes</enabled>
      <scan_on_start>yes</scan_on_start>
      <interval>12h</interval>
      <skip_nfs>yes</skip_nfs>
    </sca>


Now I can see the Windows 11 SCA in Wazuh, but when I go to it I get an error:

The filter contains invalid characters

And when I click on Full view:
createError@https://<IP>/1/bundles/plugin/wazuh/wazuh.plugin.js:2:31654
settle@https://<IP>/1/bundles/plugin/wazuh/wazuh.plugin.js:8:15184
onloadend@https://<IP>/1/bundles/plugin/wazuh/wazuh.plugin.js:2:29453


In api.log I find this:

2022/08/31 16:10:59 INFO: wazuh-wui <IP> "GET /sca/001" with parameters {"q": "policy_id=cis_win11_enterprise_21H2"} and body {} done in 0.062s: 200
2022/08/31 16:11:09 ERROR: Timeout executing API request


I increased the timeout in the wazuh configuration, but it doesn't change anything.

Wazuh 4.3.7 is installed on a Ubuntu 22.04 server and the agent is on a windows 11 PC.

Would you have an idea?

Dario Menten

Aug 31, 2022, 2:43:58 PM
to Wazuh mailing list

Hello Jonathan,
I tried to replicate your issue, but without success; the SCA policy for Windows 11 is working as expected.
I think the main issue you are getting is related to this log line:

2022/08/31 16:11:09 ERROR: Timeout executing API request

So I recommend you check the networking between the Wazuh Dashboard and the Wazuh Manager.
If they are on the same box, my recommendation is to check the resources on the box: CPU, memory usage, and available disk space.
Regarding this, remember to have 6-8 GB for an all-in-one system with fewer than 25 agents.

You can also try modifying the timeout limit of the Wazuh API by editing this file: /var/ossec/api/configuration/api.yaml

intervals:
  request_timeout: 100

I hope this information is helpful to you.
Kind Regards.
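As an added example (not code from the thread or from Wazuh itself), a small Python check that reads request_timeout from an api.yaml fragment and scans api.log lines in the format quoted above, reporting requests that take a large fraction of the timeout and any "Timeout executing API request" errors, so the slow endpoint can be identified before the limit is simply raised. The sample log lines, the 10.0.0.5 address and the second endpoint's duration are constructed for the example.

```python
import re

# Constructed sample api.log excerpt modelled on the lines quoted in the thread (not real data).
SAMPLE_API_LOG = """\
2022/08/31 16:10:59 INFO: wazuh-wui 10.0.0.5 "GET /sca/001" with parameters {"q": "policy_id=cis_win11_enterprise_21H2"} and body {} done in 0.062s: 200
2022/08/31 16:11:03 INFO: wazuh-wui 10.0.0.5 "GET /sca/001/checks/cis_win11_enterprise_21H2" with parameters {"limit": "500"} and body {} done in 7.950s: 200
2022/08/31 16:11:09 ERROR: Timeout executing API request
"""

# Constructed api.yaml fragment in the shape shown in the thread (value chosen for the example).
SAMPLE_API_YAML = """\
intervals:
  request_timeout: 10
"""

# One completed request: timestamp, user, source, "METHOD /path", ..., "done in <secs>s: <status>"
REQUEST_RE = re.compile(
    r'^(?P<ts>\S+ \S+) INFO: (?P<user>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)"'
    r'.* done in (?P<secs>\d+(?:\.\d+)?)s: (?P<status>\d{3})$'
)
TIMEOUT_RE = re.compile(r'^(?P<ts>\S+ \S+) ERROR: Timeout executing API request$')


def request_timeout_from_yaml(text):
    """Return intervals.request_timeout (seconds) from an api.yaml text, or None if absent.
    Minimal line-based parse so PyYAML is not required."""
    in_intervals = False
    for line in text.splitlines():
        if line and not line[0].isspace():            # a new top-level key
            in_intervals = line.strip() == "intervals:"
        elif in_intervals:
            m = re.match(r"\s+request_timeout:\s*(\d+)", line)
            if m:
                return int(m.group(1))
    return None


def analyze_api_log(log_text, request_timeout, warn_ratio=0.5):
    """Summarise api.log: slowest duration per endpoint, requests at or above
    warn_ratio * request_timeout, and timestamps of timeout errors."""
    near_timeout, timeouts, max_by_path = [], [], {}
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            secs, path = float(m.group("secs")), m.group("path")
            max_by_path[path] = max(max_by_path.get(path, 0.0), secs)
            if request_timeout and secs >= warn_ratio * request_timeout:
                near_timeout.append((m.group("ts"), path, secs))
            continue
        t = TIMEOUT_RE.match(line)
        if t:
            timeouts.append(t.group("ts"))
    return {"max_by_path": max_by_path, "near_timeout": near_timeout, "timeouts": timeouts}
```

Running it on a real /var/ossec/logs/api.log shows which SCA endpoint is close to the limit; if the slow endpoint is the checks listing, the box's resources are the first thing to look at, as advised above.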


Jonathan G.

Sep 1, 2022, 3:16:23 AM
to Wazuh mailing list
Hello Dario,

Thank you for this quick answer!

Indeed, it came from the machine, which is a test server for a future deployment.

By making the indicated modification, everything works correctly now! It will soon be moved to a much more powerful server.

Could you confirm that my configuration is OK? Must I take the file from the shared folder and not from ruleset/sca?

Thanks for your answer!
Have a nice day.

Dario Menten

Sep 1, 2022, 1:05:27 PM
to Wazuh mailing list
Hello Jonathan,
I am glad to know you made it work.
If you need to specify an SCA policy file, yes, the file should be present at that location.
But that policy is included by default, so there should be no need to specify the file in the configuration; just make sure SCA is enabled.
Have a great day!

Jonathan G.

Sep 2, 2022, 2:51:11 AM
to Wazuh mailing list
Hi,

Sorry, but is the right location the shared folder or the ruleset/sca folder?

I think I have another problem then, because when I activate SCA, I only have Benchmark for Windows audit and CIS Benchmark for Windows 10 Enterprise (Release 1803), while the PC is on Windows 11 Pro. If I don't specify the path in the agent configuration, CIS Benchmark for Windows 11 Enterprise (Release 21H2) doesn't come up.

Can you tell me the Wazuh configuration (maybe all-in-one or 1 master + 1 worker) for approx. 300 agents?

Thanks for your help!

Greetings