Cis policy SCA


Susana Reis

Jan 24, 2022, 11:25:43 AM
to Wazuh mailing list
I'm new to Wazuh. An agent has been installed on a Windows 10 machine and the policy it is applying is sca_win_audit.yml in C:\Program Files (x86)\ossec-agent\ruleset\sca. Isn't it supposed to apply cis_win10_enterprise.yml? I don't understand how to do it; can anyone help? Thanks.

Alexis Rivas

Jan 24, 2022, 12:13:17 PM
to Wazuh mailing list

Hi! Hope you're doing well.

There are certain articles in our Wazuh Docs that you should take a look at.
I'm sharing these articles below:

With these articles, you'll be able to configure and run cis_win10_enterprise on your agent node.
Hope this information helps.

Regards,
Alexis.

Susana Reis

Jan 25, 2022, 6:39:31 AM
to Wazuh mailing list
Hi,

I read that, but I don't understand why I always have the sca_win_audit.yml in C:\Program Files (x86)\ossec-agent\ruleset\sca. Can anyone help me? I tried the conf with shared policies and group default; it didn't work either.

Thanks in advance.

Alexis Rivas

Jan 25, 2022, 8:25:43 AM
to Wazuh mailing list

Hi,

By default, the Wazuh agent will run scans for every policy (.yaml or .yml file) present in its ruleset folder.
And as you know, the Wazuh manager has the ability to push files and configurations to connected Wazuh agents.

These files will be located at /var/ossec/etc/shared/ on the agent node. However, the agent must be configured to run a specific SCA file from that directory.
It's well explained here: How to share policy files and configuration with the Wazuh agents.
I suggest you take a deeper look at that article, and please note that the SCA files you share between master and agent are not going to be automatically placed at C:\Program Files (x86)\ossec-agent\ruleset\sca.

Regards,
Alexis.

Susana Reis

Jan 26, 2022, 10:45:34 AM
to Wazuh mailing list

1. Manager Conf

[root@manager windows2019]# ll
total 896
-rw-rw----. 1 ossec  ossec    320 Jan 26 12:28 agent.conf
-rw-r-----. 1 ossec  ossec 453416 Jan 26 12:04 cis_win2019.yml
-rw-rw----. 1 ossecr ossec 453878 Jan 26 14:38 merged.mg

Create a group for windows2019, place the new policy file (cis_win2019.yml) in the Wazuh manager's group directory, remove the agent from group default and put it in windows2019.

Push the policy to the agent: put the block in agent.conf on the manager.

[root@manager windows2019]# cat agent.conf
  <agent_config>
    <!-- Shared agent configuration here -->
    <sca>
      <enabled>yes</enabled>
      <scan_on_start>yes</scan_on_start>
      <interval>15m</interval>
      <skip_nfs>yes</skip_nfs>
      <policies>
        <policy>etc/shared/cis_win2019.yml</policy>
      </policies>
    </sca>
  </agent_config>

 

2. Agent Conf

And then on the agent machine (Windows 2019), in local_internal_options.conf, put the setting sca.remote_commands=1.

The agent pushed the conf from the manager (agent.jpg attached).

But it is still not working: the manager still shows sca_win_audit and not cis.

 

In ossec.log on the agent it seems that it is not finding the cis policy, and it is in /shared.

2022/01/26 15:23:14 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/1/26 15:23:14 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2022/01/26 15:23:14 sca: WARNING: Policy file 'C:\Program Files (x86)\ossec-agent\etc\shared\cis_win2019.yml' not found. Check your configuration.
2022/01/26 15:23:14 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2022/01/26 15:23:14 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2019 Datacenter [Ver: 10.0.17763] - Wazuh v4.2.5).
2022/01/26 15:23:14 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/01/26 15:23:14 sca: INFO: Module started.
2022/01/26 15:23:14 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2022/01/26 15:23:14 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/01/26 15:23:14 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2022/01/26 15:23:14 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/01/26 15:23:14 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'

What am I missing? Can you help?

agent.JPG

Alexis Rivas

Jan 26, 2022, 4:00:50 PM
to Wazuh mailing list

Hi,

Push the policy to the agent, put the block in agent.conf in the Manager.

Please explain a little bit more here: did you move the file from ruleset/sca to etc/shared/windows2019?
This way the manager will synchronize the file with the entire group.

The configuration seems to be good. However, the agent is not able to find the yml file.


2022/01/26 15:23:14 sca: WARNING: Policy file 'C:\Program Files (x86)\ossec-agent\etc\shared\cis_win2019.yml' not found. Check your configuration.

I’m thinking about two possibilities here:

  • Manager: try adding the full path of the yml file in agent.conf.

or

  • Agent: try moving the yml file from shared to ruleset/sca, then restart the agent and review the ossec.log file to verify it is running cis_win2019.yml as well (this is not a proper solution, but it could lead us to more information about this problem).

Regards

Alexis.

Susana Reis

Jan 27, 2022, 10:28:29 AM
to Wazuh mailing list
Hi, I found the problem. I was putting the incorrect policy directory in the agent's file: /etc/shared was added, and /etc does not exist on Windows. If possible, can you clarify two additional questions: 1- Are the CIS policies not fully mapped to the CIS benchmark? 2- When creating a policy, can the id be any number, or does it have to be in sequence with other policies or the same policy?

Thanks in advance.
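The root cause above is a relative `<policy>` path that the agent resolves against its install directory, which differs between platforms. The following added checker (my own example, not Wazuh code) parses a shared agent.conf, computes the path the agent will try to open on each platform, and flags the Windows `etc/shared` mistake. The install roots and shared-directory locations are assumptions taken from this thread (the Windows path from the "Policy file ... not found" log line, the Linux path from the /var/ossec/etc/shared reference); the sample agent.conf is the one posted earlier in the thread.

```python
"""Check SCA <policy> paths in a shared agent.conf before pushing it to a group.

Resolves each relative policy path against the agent install root of the target
platform, the way the agent does, and suggests the corrected relative path when
the entry points at a shared directory that does not exist on that platform.
"""
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Assumed default install roots (taken from the paths quoted in the thread).
INSTALL_ROOT = {
    "windows": r"C:\Program Files (x86)\ossec-agent",
    "linux": "/var/ossec",
}

# Assumed location of pushed shared files, relative to the install root.
# On Windows there is no etc/ directory, so shared files sit directly in shared/.
SHARED_DIR = {"windows": "shared", "linux": "etc/shared"}

# Constructed sample: the agent.conf block posted in the thread (wrong for Windows).
SAMPLE_AGENT_CONF = """\
<agent_config>
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>15m</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy>etc/shared/cis_win2019.yml</policy>
    </policies>
  </sca>
</agent_config>
"""


def policy_paths(agent_conf_xml):
    """Return every <policy> value found in the agent.conf XML."""
    root = ET.fromstring(agent_conf_xml)
    return [p.text.strip() for p in root.iter("policy") if p.text]


def resolve_policy_path(policy, platform):
    """Return the absolute path the agent will open for one <policy> entry."""
    if platform == "windows":
        win = policy.replace("/", "\\")
        return win if ntpath.isabs(win) else ntpath.join(INSTALL_ROOT["windows"], win)
    return policy if posixpath.isabs(policy) else posixpath.join(INSTALL_ROOT["linux"], policy)


def suggest_fix(policy, platform):
    """Return a corrected relative path, or None when the entry already fits the platform.

    Absolute paths are left alone: pointing at the full path is a valid alternative.
    """
    norm = policy.replace("\\", "/")
    if posixpath.isabs(norm) or ntpath.isabs(policy):
        return None
    expected = SHARED_DIR[platform] + "/"
    if "shared/" in norm and not norm.startswith(expected):
        return expected + posixpath.basename(norm)
    return None


def check_policies(agent_conf_xml, platform):
    """Return (policy, resolved_path, suggestion) for each <policy> in the config."""
    return [
        (p, resolve_policy_path(p, platform), suggest_fix(p, platform))
        for p in policy_paths(agent_conf_xml)
    ]


def fix_agent_conf(agent_conf_xml, platform):
    """Return the agent.conf with every flagged <policy> rewritten for the platform."""
    root = ET.fromstring(agent_conf_xml)
    for node in root.iter("policy"):
        if node.text:
            fix = suggest_fix(node.text.strip(), platform)
            if fix:
                node.text = fix
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for platform in ("windows", "linux"):
        for policy, resolved, fix in check_policies(SAMPLE_AGENT_CONF, platform):
            status = f"suggest <policy>{fix}</policy>" if fix else "ok"
            print(f"[{platform}] {policy} -> {resolved}: {status}")
    print(fix_agent_conf(SAMPLE_AGENT_CONF, "windows"))
```

Run against the thread's agent.conf, the Windows resolution reproduces the exact path from the agent's WARNING line, and the suggested entry is `shared/cis_win2019.yml`; the same entry is reported as fine for a Linux agent, which is why copying a Linux-oriented example verbatim into a Windows group's agent.conf fails silently apart from that one log line.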

Alexis Rivas

Jan 27, 2022, 11:49:46 AM
to Wazuh mailing list

Hi,

I found problem. I was putting the incorrect policy directory in the agent’s file. /etc/shared was added and /etc does not exist on windows.

So you managed to solve it? Great!

About those questions:

1- Cis policies not fully mapped with the cis benchmark?

Do you mean whether the SCA policies are mapped to the CIS-CAT integration?

As our documentation says:

There are multiple Wazuh integrations that perform configuration assessment scans (see Policy monitoring section) including CIS-CAT and more recently the Security Configuration Assessment (SCA). The SCA was created by the Wazuh development team to overcome limitations that were inherent to the other integrations.

If you need more information about this, I'm sharing a few articles from our Wazuh Docs with you:

2- When creating a policy, can the id be any number? or does it have to be a sequence of other policies or the same policy?

Above you'll find information about how to create a custom SCA policy. I recommend you take a look at it; it's well detailed.

The policy ID type is a string with no further requirements.

Field  Mandatory  Type    Allowed values  Description
id     Yes        String  Any string      Policy ID

Regards,
Alexis
