Package installation control with SCA


doc dodo

8:44 AM (8 hours ago) 8:44 AM
to Wazuh | Mailing List
Hello, 

I want to control package installation with a custom SCA policy. I tried adding a check to the configuration using the command `sc query`:

```
  - id: 330511
    title: "Ensure windows zabbix-agent is installed."
    description: "zabbix-agent install checking."
    remediation: "Install zabbix-agent."
    condition: all
    rules:
      - 'c:sc query "Zabbix Agent" -> r:STATE\s+:\s+\d+\s+RUNNING'
```

When I run the command manually on the endpoint it works successfully (Screenshot-1.jpg),
but SCA reports an error (Screenshot-2.jpg).

Is there anything else that might be missing to run the command?

Federico Gustavo Caffieri

10:31 AM (6 hours ago) 10:31 AM
to Wazuh | Mailing List

The issue is likely your regex matching against a localized `sc query` output. The field label (`STATE`) may appear translated depending on the OS language, but `RUNNING` is always in English.

Try simplifying the rule to something like this:

```
rules:
  - 'c:sc query "Zabbix Agent" -> r:RUNNING'
```

If it still fails, run this on the endpoint and share the `SERVICE_NAME` value:

```
sc query type= all state= all | findstr /i zabbix
```

The internal service name may differ from the display name and needs to match exactly in the rule.

For deeper debugging, enable SCA debug logs on the agent (`windows.debug=2` in `internal_options.conf`) and check `ossec.log` for `wm_sca_pattern_matches` entries — you'll see exactly what string is being tested against your regex. SCA custom policies docs: https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/creating-custom-policies.html
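To illustrate the diagnosis above, here is an added example (not part of the thread, not Wazuh code) that runs both regexes over constructed `sc query` output: an English run, a variant whose field label is translated as the reply describes, and a stopped service. Python's `re` stands in for Wazuh's own regex engine; the sample output strings and the `ESTADO` label are constructed for illustration.

```python
import re

# Constructed sample outputs of `sc query "Zabbix Agent"` (not captured from a real host).
# Only the field label changes with the OS language; the state word stays in English.
SC_OUTPUT = {
    "en-US running": (
        "SERVICE_NAME: Zabbix Agent\n"
        "        TYPE               : 10  WIN32_OWN_PROCESS\n"
        "        STATE              : 4  RUNNING\n"
        "                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)\n"
    ),
    "localized running": (  # constructed: label translated, state word unchanged
        "SERVICE_NAME: Zabbix Agent\n"
        "        TYPE               : 10  WIN32_OWN_PROCESS\n"
        "        ESTADO             : 4  RUNNING\n"
    ),
    "en-US stopped": (
        "SERVICE_NAME: Zabbix Agent\n"
        "        TYPE               : 10  WIN32_OWN_PROCESS\n"
        "        STATE              : 1  STOPPED\n"
    ),
}

STRICT_RULE = r"STATE\s+:\s+\d+\s+RUNNING"  # the regex from the question
LOOSE_RULE = r"RUNNING"                        # the simplified regex from the reply


def rule_matches(output: str, pattern: str) -> bool:
    """SCA tests a `c:` command's output line by line; any matching line passes.

    Python's `re` is used as a stand-in for Wazuh's regex engine here.
    """
    return any(re.search(pattern, line) for line in output.splitlines())


def evaluate(pattern: str) -> dict:
    """Return {sample name: matched?} for every constructed output."""
    return {name: rule_matches(out, pattern) for name, out in SC_OUTPUT.items()}


if __name__ == "__main__":
    for label, pattern in (("strict", STRICT_RULE), ("loose", LOOSE_RULE)):
        print(label, evaluate(pattern))
```

The strict rule passes only on the English output, while the loose rule passes on both running outputs and still fails (correctly) on the stopped service.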