SCA assessment missing several benchmark checks


Nithin Kumar

Nov 3, 2023, 10:59:33 AM
to Wazuh | Mailing List
Dear Team,

Looking at the SCA results on an agent machine, I see that several checks from the chosen benchmark reference are missing.

The Benchmark used on this client is 'CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0'.

When I search for a specific check, say "2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated)", there are no results for this benchmark (I have searched in the exported report as well, with a similar outcome).


wazuh_missing_check.png

In fact, the entire section of " 2.2 User Rights Assignment" is missing.

Is there anything that I may have missed?

Additional info: API output from GET /syscollector/001/os attached.

Thanks in advance!

wazuh_api_module_output.json

Nithin Kumar

Nov 4, 2023, 11:23:53 AM
to Wazuh | Mailing List
Dear Team,

Looks like the benchmark checks are missing from the cis_win11_enterprise.yml file as well. If I'm not mistaken, this file decides what checks to perform.

Not sure why the checks are missing. 

Appreciate any advice.

Thanks!

Jorge Eduardo Molas

Nov 6, 2023, 10:02:48 AM
to Wazuh | Mailing List
Hi Nithin, thanks for using Wazuh.
I will be working on your cases. I will return as soon as possible.
Regards

Nithin Kumar

Nov 7, 2023, 12:51:54 PM
to Wazuh | Mailing List
Hi Jorge,

Thank you! Looking forward to figuring this out

Best

Jorge Eduardo Molas

Nov 8, 2023, 7:42:24 PM
to Wazuh | Mailing List
Hello! Sorry for the delay.
Under the path "C:\Program Files (x86)\ossec-agent\ruleset\sca" you can find the YAML file cis_win11_enterprise.yml, which contains all the CIS rules of the benchmark. If you search for cis: ["2.2.X "] (rules in section 2.2), you will not find a decoder.

In the issue, you can find the rework related to this CIS Benchmark. In any case, I will consult the team internally to know the status or ETA of the implementation of this section.

Regards!

Nithin Kumar

Nov 9, 2023, 3:55:58 AM
to Wazuh | Mailing List
Thank you Jorge.

Would be great to know the ETA of implementation.

Are there other compatible rulesets that include this section? If so, as a temporary workaround, would it work if I copy that over to cis_win11_enterprise.yml?

Best!

Jorge Eduardo Molas

Nov 9, 2023, 3:19:27 PM
to Wazuh | Mailing List
Hi Nithin! I've asked the internal team.
Sections 2.2.1 to 2.2.39 cannot be implemented due to the absence of registry key representation for group policy settings, which makes it difficult to program as rules.
Unfortunately, there is no workaround available.

Regards!
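
The manual search for cis: ["2.2.X "] described in this thread can be scripted so that coverage gaps in an SCA policy are reported before they are noticed in a dashboard. The following is an added example, not part of the thread and not Wazuh project code; it assumes each check lists its benchmark reference on a `- cis: [...]` line as quoted above, and the embedded policy excerpt, check ids and titles are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of an SCA policy file (not the real
# cis_win11_enterprise.yml); ids and titles are placeholders.
SAMPLE_POLICY = '''\
checks:
  - id: 90001
    title: "Constructed check A"
    compliance:
      - cis: ["1.1.1"]
      - cis_csc_v8: ["5.2"]
  - id: 90002
    title: "Constructed check B"
    compliance:
      - cis: ["2.3.1.1"]
  - id: 90003
    title: "Constructed check C"
    compliance:
      - cis: ["2.3.1.2 "]
'''

# Matches only the "cis" compliance key, not keys such as cis_csc_v8.
CIS_LINE = re.compile(r'^\s*-\s*cis:\s*\[(.*?)\]', re.MULTILINE)

def cis_ids(policy_text):
    """Return the set of CIS recommendation numbers referenced by the policy."""
    ids = set()
    for body in CIS_LINE.findall(policy_text):
        for item in body.split(','):
            item = item.strip().strip('"\'').strip()  # tolerate '"2.2.X "'
            if item:
                ids.add(item)
    return ids

def section_counts(ids, depth=2):
    """Count checks per section prefix; depth=2 groups 2.3.1.1 under 2.3."""
    counts = defaultdict(int)
    for cid in ids:
        counts['.'.join(cid.split('.')[:depth])] += 1
    return dict(counts)

def missing_in_range(ids, section, first, last):
    """List recommendations section.first..section.last absent from the policy."""
    return [f'{section}.{n}' for n in range(first, last + 1)
            if f'{section}.{n}' not in ids]

if __name__ == '__main__':
    ids = cis_ids(SAMPLE_POLICY)
    print(section_counts(ids))
    print(len(missing_in_range(ids, '2.2', 1, 39)), 'of 39 missing in section 2.2')
```

To audit an agent's own policy, pass the text of the YAML file from the ruleset\sca directory to `cis_ids` instead of `SAMPLE_POLICY`; any recommendation reported as missing has to be assessed by other means, since SCA will not flag it.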
