Error found while validating policy file: cis_win10_enterprise.yml


Marcos Espinoza

May 31, 2023, 1:27:48 PM
to Wazuh mailing list
Hi,

I have an issue with Wazuh on premises and with the Wazuh cloud trial.

/var/ossec/logs/ossec.log reports:

On Premises:
Error found while validating policy file: '/var/ossec/ruleset/sca/cis_win10_enterprise.yml'. Skipping it.
'/var/ossec/ruleset/sca/cis_win11_enterprise.yml'. Skipping it.

On CLOUD trial:

'/var/ossec/ruleset/sca/cis_win10_enterprise.yml' is assigned in the ossec config,
but it doesn't show on SCA /Management/Configuration/Policy monitoring/SCA

This warning affects the evaluation of Security configuration assessment for WIN10 and WIN 11 Agents.

Are these policies disabled on the cloud trial?

Install info:

Wazuh version on premises deployed on CentOS Linux release 7.9.2009 (Core) from sources:
App version: 4.4.3
App revision: 01
Install date: May 27, 2023 @ 17:20:49.120

Wazuh version App CLOUD:
App version: 4.3.11
App revision: 4312
Install date: May 29, 2023 @ 14:32:14.708

Testing monitored Windows endpoints are Windows 10 PRO

Hope someone can help with this....cheers


Marcos Espinoza

May 31, 2023, 2:17:31 PM
to Wazuh mailing list
Same problem with the virtual machine OVA deployment:

    2023/05/31 18:08:33 sca: WARNING: Invalid check 15505: Invalid rule format.
    2023/05/31 18:08:33 sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_win10_enterprise.yml'. Skipping it.

Always fails when there's a registry rule:

    compliance:
      - cis: ["1.1.6"]
      - cis_csc: ["5.2"]
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits'
      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM -> RelaxMinimumPasswordLengthLimits -> 1'

If I comment out the whole rule, it just skips to the next one with a registry rule and fails again.

tomas....@wazuh.com

May 31, 2023, 10:22:20 PM
to Wazuh mailing list
Hi Marcos,

I tried to reproduce this issue on Windows 10 Enterprise and it is working in my local environment.

Do you see any ERROR or WARNING prior to this one in the log?

    sca: WARNING: Error found while validating policy file: '/var/ossec/ruleset/sca/cis_win10_enterprise.yml'. Skipping it.

Could you please check if these registries exist in your Windows systems?

    HKEY_LOCAL_MACHINE\System
    HKEY_LOCAL_MACHINE\System\CurrentControlSet
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM

If you manually download this file and replace the one from the installation, does the problem persist after restarting Wazuh?

Could you also verify if there is any problem with permissions to access the registries?

I'll be waiting for your comments.

Best regards.

Tomás Turina
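
The registry existence and permission checks requested in the reply above can be run on the Windows endpoint with a script like the one below. It is an added example, not part of the original thread and not Wazuh's own code; it uses only the key paths and value name quoted in the thread. It reports results for the account that runs it, which may differ from the account the agent service uses.

```powershell
# Added example: inspect the registry keys named in the thread on a Windows agent.
# Run it on the monitored endpoint, ideally from an elevated PowerShell session.
$keys = @(
    'HKEY_LOCAL_MACHINE\System',
    'HKEY_LOCAL_MACHINE\System\CurrentControlSet',
    'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control',
    'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'
)
$valueName = 'RelaxMinimumPasswordLengthLimits'   # value tested by the posted check

$report = foreach ($key in $keys) {
    $path = "Registry::$key"
    $row = [ordered]@{ Key = $key; Exists = $false; Readable = $false; Owner = $null; Error = $null }
    try {
        $row.Exists = Test-Path -LiteralPath $path
        if ($row.Exists) {
            # Opening the key shows that the current account can read it.
            $null = Get-Item -LiteralPath $path -ErrorAction Stop
            $row.Readable = $true
            $row.Owner = (Get-Acl -LiteralPath $path -ErrorAction Stop).Owner
        }
    } catch {
        # Access-denied and similar failures are recorded per key instead of aborting.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize -Wrap

# Read the value that the check compares against 1. A missing value is reported, not an error.
$samPath = "Registry::$($keys[-1])"
$prop = Get-ItemProperty -LiteralPath $samPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    "$valueName is not set under $($keys[-1])"
} else {
    "$valueName = $($prop.$valueName)"
}
```

A key with `Exists` true but `Readable` false, or a non-empty `Error` column, points at the permission problem asked about in the reply.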