SCA - CIS Windows 10


charl...@gmail.com

Apr 14, 2021, 2:28:33 AM4/14/21
to Wazuh mailing list
Hello All!

I assumed that when you install the agent, the installation would detect which OS is running and install the relevant SCA yml file as well?

I am running Windows 10 Pro in my Lab. I do know the CIS benchmark is for Enterprise; I'm not sure if that would cause it to not work/install. However, there is only the sca_win_audit.yml and not the full CIS benchmark.
Has anybody gotten that Win10 benchmark to work for any/all versions of Windows 10?

Or perhaps I am missing something? Please assist whenever possible and thanks for this community platform.
Regards,
Charl

Miguel Eduardo Sanchez

Apr 15, 2021, 9:47:52 AM4/15/21
to Wazuh mailing list
Hi Charl,
In the case of sca_win_audit.yml, the requirement condition for it to work on your system is:

'r:HKEY_LOCAL_MACHINE\SAM\SAM'

Meaning, that it checks for the existence of that registry path.


On the other hand, cis_win10_enterprise.yml is much more specific. It checks that the ProductName key within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion begins with this value: Windows 10.

- 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'

I have tested cis_win10_enterprise.yml in an internal lab and it seems to work fine. I am attaching this SCA policy file so that you can test it in your environment. You may want to rename sca_win_audit.yml to something like sca_win_audit.yml.bak, place cis_win10_enterprise.yml in the same folder and restart your Wazuh agent.

I am consulting internally about the way the Wazuh agent determines which SCA yml policy file to assign to an OS when it is installed.

Hope it helps.
Thanks.

Miguel E. Sanchez
Wazuh Inc -  Threat Intel
cis_win10_enterprise.rar
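To make the difference between the two requirement conditions concrete, here is an added example (not code from the thread, from Wazuh, or from its SCA engine) that models how such `r:` registry rules are evaluated. It parses the two rule strings quoted above with a simplified reading of the SCA rule syntax (`r:` prefix for a registry rule, `->` separating key, value name and expected value, and a second `r:` marking a regex on the value data) and evaluates them against constructed registry snapshots standing in for a Windows 10 Pro host and a Windows Server host. The registry contents, the `HKLM` alias table and the `requirements_met` helper are assumptions of this example; Wazuh's real evaluator is written in C and handles more rule types than shown here.

```python
import re

# Constructed registry snapshots (not captured from real hosts):
# {full_key_path: {value_name: data}}. A key "exists" when it is a dict key.
WIN10_PRO_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SAM\SAM": {},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {
        "ProductName": "Windows 10 Pro",
    },
}
WIN_SERVER_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SAM\SAM": {},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {
        "ProductName": "Windows Server 2019 Standard",
    },
}

# The two requirement rules quoted in the reply above.
SCA_WIN_AUDIT_RULE = r"r:HKEY_LOCAL_MACHINE\SAM\SAM"
CIS_WIN10_RULE = (
    r"r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r" -> ProductName -> r:^Windows 10"
)

# Assumed alias table so short hive names resolve to the full hive name.
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
}


def normalize_key(path: str) -> str:
    """Expand a leading hive alias (HKLM -> HKEY_LOCAL_MACHINE)."""
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive)
    return f"{hive}\\{rest}" if rest else hive


def eval_registry_rule(rule: str, registry: dict) -> bool:
    """Evaluate one 'r:' rule: key existence, value existence, or value match."""
    if not rule.startswith("r:"):
        raise ValueError(f"not a registry rule: {rule!r}")
    # Split at most twice so a regex containing '->' stays intact.
    parts = [p.strip() for p in rule[2:].split("->", 2)]
    key = normalize_key(parts[0])
    if key not in registry:
        return False                      # key missing: rule fails
    if len(parts) == 1:
        return True                       # bare key rule: existence is enough
    values = registry[key]
    value_name = parts[1]
    if value_name not in values:
        return False                      # named value missing
    if len(parts) == 2:
        return True                       # value existence check only
    expected = parts[2]
    data = str(values[value_name])
    if expected.startswith("r:"):         # regex match on the value data
        return re.search(expected[2:], data) is not None
    return data == expected               # literal comparison


def requirements_met(rules, registry, condition: str = "any") -> bool:
    """Combine rule results the way an SCA 'requirements' block does."""
    results = [eval_registry_rule(r, registry) for r in rules]
    if condition == "any":
        return any(results)
    if condition == "all":
        return all(results)
    if condition == "none":
        return not any(results)
    raise ValueError(f"unknown condition: {condition!r}")


if __name__ == "__main__":
    for name, reg in (("Windows 10 Pro", WIN10_PRO_REGISTRY),
                      ("Windows Server", WIN_SERVER_REGISTRY)):
        print(f"{name}: sca_win_audit applies={requirements_met([SCA_WIN_AUDIT_RULE], reg)}"
              f", cis_win10 applies={requirements_met([CIS_WIN10_RULE], reg)}")
```

Run on the constructed snapshots, the generic `sca_win_audit.yml` condition passes on both hosts because every Windows install has the SAM key, while the `cis_win10_enterprise.yml` condition passes only where ProductName begins with "Windows 10"; a Pro edition therefore satisfies the policy's requirement even though the benchmark targets Enterprise, which is why the policy does not refuse to load there.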