custom SCA for windows


doc dodo

8:05 AM (16 hours ago)
to Wazuh | Mailing List
Hello,
I am trying a custom SCA with this check:

checks:

  - id: 330510
    title: "Ensure windows wazuh-agent is installed."
    description: "wazuh-agent install checking."
    remediation: "Install wazuh-agent."
    condition: all
    rules:
      - "c:if (Get-Package -Name 'Wazuh Agent' -ErrorAction SilentlyContinue) { 'Exists' } else { 'NotExists' } -> r:Exists"

But the result is "not applicable". If I run the command in PowerShell I get the result "Exists".
What could be the problem?

Matías Mercado

11:47 AM (12 hours ago)
to Wazuh | Mailing List
Hello,

Get-Package depends on the available package providers (MSI, Programs, Chocolatey, etc.). Those providers are not always loaded when PowerShell is executed non-interactively by a service. As a result, Get-Package -Name 'Wazuh Agent' often returns nothing, even though the agent is installed.

Try this instead:

checks:
  - id: 330510
    title: "Ensure Windows Wazuh Agent is installed"
    description: "Checks if the Wazuh Agent is installed via registry."
    remediation: "Install the Wazuh Agent."
    condition: all
    rules:
      - "c:reg query \"HKLM\\SOFTWARE\\Wazuh\" -> r:Wazuh"

This verifies the package by searching the registry and does not use PowerShell.

Regards,
Matías Mercado. 

Jose Cintron

1:45 PM (10 hours ago)
to Matías Mercado, Wazuh | Mailing List

Although this would work, it is too easy to fake. All I have to do is create the right registry key and I have faked my way into compliance... I have never used the Windows Wazuh agent, but I am going to assume that it creates a Windows service when you install it. If this is the case, how about using 'get-service' to do the check?

Something like (substitute foobar with the actual service name):
   get-service -name "foobar"

should work. You can also make sure that it is running (it is not enough to install it, it should also be running).


--
+==========================================
| Jose J. Cintron - <prb...@gmail.com>
https://sites.google.com/site/joseconsciousness
|
| "The key to joy is disobedience."
|    Aleister Crowley
+==========================================
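Putting the service-based check from the post above into a script, as an added example that is not from this thread: it uses Get-Service instead of a registry key, handles the not-installed case, and reports whether the service is actually running (and set to start automatically, which goes slightly beyond the post). The service name 'WazuhSvc' and the SCA rule line in the trailing comment are assumptions, not something the thread confirms.

```powershell
# Added example, not from the thread. Assumes the Wazuh agent's Windows
# service is named "WazuhSvc"; change the default if your install differs.

function Get-WazuhAgentState {
    param([string]$ServiceName = 'WazuhSvc')

    # Get-Service emits a non-terminating error when the service does not
    # exist; silence it and treat $null as "not installed".
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }

    # Installed but stopped is still non-compliant, as the post points out.
    if ($svc.Status -ne 'Running') { return "Installed-$($svc.Status)" }

    # A running service that is not set to start automatically will not
    # survive a reboot. StartType is available on PowerShell 5.0 and later.
    if ($svc.StartType -ne 'Automatic') { return 'Running-ManualStart' }

    return 'Compliant'
}

# Emit exactly one token so a regex match on the output is unambiguous.
Get-WazuhAgentState

# Hypothetical SCA rule using this script (verify the exact command-rule
# syntax for your Wazuh version before relying on it):
#   - "c:powershell -NoProfile -File C:\path\to\Get-WazuhAgentState.ps1 -> r:Compliant"
```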

Jack Martin

2:38 PM (9 hours ago)
to Jose Cintron, Matías Mercado, Wazuh | Mailing List
I want to implement the Cleartext Credential Exposure use case using Wazuh:

Detect passwords stored in scripts, configuration files, or log files

Value: Prevents credential leakage and credential reuse attacks

Response: Generate alerts and recommend credential rotation

Reference:

My questions are:

If the environment has more than 50 agents across different operating systems, how can this be implemented efficiently without manually configuring each agent?

How can we create and manage custom security policies centrally on the Ubuntu-based Wazuh manager and apply them to Windows 10 Pro agents?

The Wazuh manager is running on Ubuntu, and the agents are Windows 10 Pro.

Please let me know if this approach is correct and if there are additional best practices or recommendations I should consider.
