wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

QA testing - Add missing SCA files during Wazuh-manager installation. #3150

Closed 72nomada closed 2 years ago

72nomada commented 2 years ago
| Target version | Related issue | Related PR |
|---|---|---|
| 4.3.7 | https://github.com/wazuh/wazuh/issues/14481 | https://github.com/wazuh/wazuh/pull/14482 |

Description

Updated sca.manager.files to include missing SCA files

Proposed checks

Expected results

All SCA files are present and marked as disabled

Configuration and considerations

Use wazuh-manager 4.3.7

CamiRomero commented 2 years ago

Review data

| Tester | PR commit |
|---|---|
| @CamiRomero | 84754c |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| Centos | 8 | Local | qactl/centos_8 | |
| macOS | 12.0 | AWS | development/macos-monterey | |
| Ubuntu | 22.04 | AWS | ami-003530de8839921c4 | |
| Solaris | 11.4 | AWS | development/solaris11 | |
| Windows | 10 Enterprise | Local | gusztavvargadr/windows-10-21h2-enterprise | |
| Windows | 11 Enterprise | Local | gusztavvargadr/windows-11-21h2-enterprise | |
| Windows Server | 2022 | AWS | ami-0270e15cf87054f5a | |

Tested packages

| wazuh-manager | wazuh-agent |
|---|---|
| 4.3.7 | Windows - macOS - Ubuntu - Solaris |

Status

CamiRomero commented 2 years ago

Verify that SCA files are installed after wazuh-manager deployment on 4.3.6

Verify SCA files :green_circle:

1. Install Wazuh Manager 4.3.6
2. Check files located in /var/ossec/ruleset/sca/:
   ```
   ls /var/ossec/ruleset/sca/
   ```
   Output:
   ```
   cis_amazon_linux_1.yml.disabled
   cis_amazon_linux_2.yml.disabled
   cis_apache_24.yml.disabled
   cis_apple_macOS_10.11.yml.disabled
   cis_apple_macOS_10.12.yml.disabled
   cis_apple_macOS_10.13.yml.disabled
   cis_apple_macOS_10.14.yml.disabled
   cis_apple_macOS_10.15.yml.disabled
   cis_apple_macOS_11.1.yml.disabled
   cis_centos6_linux.yml.disabled
   cis_centos7_linux.yml.disabled
   cis_centos8_linux.yml
   cis_debian10.yml.disabled
   cis_debian7.yml.disabled
   cis_debian8.yml.disabled
   cis_debian9.yml.disabled
   cis_mongodb_36.yml.disabled
   cis_mysql5-6_community.yml.disabled
   cis_mysql5-6_enterprise.yml.disabled
   cis_nginx_1.yml.disabled
   cis_oracle_database_19c.yml.disabled
   cis_postgre-sql-13.yml.disabled
   cis_rhel5_linux.yml.disabled
   cis_rhel6_linux.yml.disabled
   cis_rhel7_linux.yml.disabled
   cis_rhel8_linux.yml.disabled
   cis_sles11_linux.yml.disabled
   cis_sles12_linux.yml.disabled
   cis_sles15_linux.yml.disabled
   cis_solaris11.yml.disabled
   cis_sqlserver_2012.yml.disabled
   cis_sqlserver_2014.yml.disabled
   cis_sqlserver_2016.yml.disabled
   cis_sqlserver_2017.yml.disabled
   cis_sqlserver_2019.yml.disabled
   cis_ubuntu14-04.yml.disabled
   cis_ubuntu16-04.yml.disabled
   cis_ubuntu18-04.yml.disabled
   cis_ubuntu20-04.yml.disabled
   cis_win10_enterprise.yml.disabled
   cis_win2012r2.yml.disabled
   cis_win2016.yml.disabled
   cis_win2019.yml.disabled
   sca_unix_audit.yml.disabled
   sca_win_audit.yml.disabled
   web_vulnerabilities.yml.disabled
   ```
3. Count files located in /var/ossec/ruleset/sca/:
   ```
   ls /var/ossec/ruleset/sca/ | wc -l
   ```
   Output:
   ```
   46
   ```
CamiRomero commented 2 years ago

Verify that SCA files are installed after wazuh-manager deployment on 4.3.7

Verify SCA files :green_circle:

1. Download and upgrade Wazuh Manager:
   ```
   curl -LO https://packages-dev.wazuh.com/warehouse/test/4.3/rpm/var/wazuh-manager-4.3.7-qa.3150.x86_64.rpm
   yum upgrade wazuh-manager-4.3.7-qa.3150.x86_64.rpm
   ```
2. Check Wazuh version:
   ```
   /var/ossec/bin/wazuh-control info
   ```
   Output:
   ```
   WAZUH_VERSION="v4.3.7"
   WAZUH_REVISION="40319"
   WAZUH_TYPE="server"
   ```
3. Check files located in /var/ossec/ruleset/sca/:
   ```
   ls /var/ossec/ruleset/sca/
   ```
   Output:
   ```
   cis_amazon_linux_1.yml.disabled
   cis_amazon_linux_2.yml.disabled
   cis_apache_24.yml.disabled
   cis_apple_macOS_10.11.yml.disabled
   cis_apple_macOS_10.12.yml.disabled
   cis_apple_macOS_10.13.yml.disabled
   cis_apple_macOS_10.14.yml.disabled
   cis_apple_macOS_10.15.yml.disabled
   cis_apple_macOS_11.1.yml.disabled
   cis_apple_macOS_12.0.yml.disabled
   cis_centos6_linux.yml.disabled
   cis_centos7_linux.yml.disabled
   cis_centos8_linux.yml
   cis_debian10.yml.disabled
   cis_debian7.yml.disabled
   cis_debian8.yml.disabled
   cis_debian9.yml.disabled
   cis_iis_10.yml.disabled
   cis_mongodb_36.yml.disabled
   cis_mysql5-6_community.yml.disabled
   cis_mysql5-6_enterprise.yml.disabled
   cis_nginx_1.yml.disabled
   cis_oracle_database_19c.yml.disabled
   cis_postgre-sql-13.yml.disabled
   cis_rhel5_linux.yml.disabled
   cis_rhel6_linux.yml.disabled
   cis_rhel7_linux.yml.disabled
   cis_rhel8_linux.yml.disabled
   cis_sles11_linux.yml.disabled
   cis_sles12_linux.yml.disabled
   cis_sles15_linux.yml.disabled
   cis_solaris11.4.yml.disabled
   cis_solaris11.yml.disabled
   cis_sqlserver_2012.yml.disabled
   cis_sqlserver_2014.yml.disabled
   cis_sqlserver_2016.yml.disabled
   cis_sqlserver_2017.yml.disabled
   cis_sqlserver_2019.yml.disabled
   cis_ubuntu14-04.yml.disabled
   cis_ubuntu16-04.yml.disabled
   cis_ubuntu18-04.yml.disabled
   cis_ubuntu20-04.yml.disabled
   cis_ubuntu22-04.yml.disabled
   cis_win10_enterprise.yml.disabled
   cis_win11_enterprise.yml.disabled
   cis_win2012r2.yml.disabled
   cis_win2016.yml.disabled
   cis_win2019.yml.disabled
   cis_win2022.yml.disabled
   sca_unix_audit.yml.disabled
   sca_win_audit.yml.disabled
   web_vulnerabilities.yml.disabled
   ```
4. Count files located in /var/ossec/ruleset/sca/:
   ```
   ls /var/ossec/ruleset/sca/ | wc -l
   ```
   Output:
   ```
   52
   ```
5. Check that the files included in the [PR](https://github.com/wazuh/wazuh/pull/14482/) are present:
   ```
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_apple_macOS_12.0.yml
   cis_apple_macOS_12.0.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_iis_10.yml
   cis_iis_10.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_apple_macOS_12.0.yml
   cis_apple_macOS_12.0.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_solaris11.4.yml
   cis_solaris11.4.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_ubuntu22-04.yml
   cis_ubuntu22-04.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_win11_enterprise.yml
   cis_win11_enterprise.yml.disabled
   [root@centos-manager1 vagrant]# ls /var/ossec/ruleset/sca/ | grep cis_win2022.yml
   cis_win2022.yml.disabled
   ```
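As an added example (not part of this issue and not the Wazuh project's own test code), the following Python script automates the manual `ls`/`grep`/`wc -l` checks in the comment above. It builds a scratch directory populated with the 52 file names from the 4.3.7 listing (an empty-file fixture, not a real manager), then verifies the file count, that the policies added by the PR are present, and that every policy ships with the `.disabled` suffix except the one enabled for the host (`cis_centos8_linux.yml` on this CentOS 8 manager; that the installer enables the policy matching the host OS is an assumption drawn from the listing). It also derives the 4.3.6 state, since the earlier listing is exactly the 4.3.7 listing minus the six PR policies, and shows those six reported as missing.

```python
import os
import tempfile
from pathlib import Path

# Constructed fixture: the 52 names from the 4.3.7 listing above, created as
# empty files in a temporary directory (no real manager is touched).
LISTING_4_3_7 = """
cis_amazon_linux_1.yml.disabled cis_amazon_linux_2.yml.disabled cis_apache_24.yml.disabled
cis_apple_macOS_10.11.yml.disabled cis_apple_macOS_10.12.yml.disabled cis_apple_macOS_10.13.yml.disabled
cis_apple_macOS_10.14.yml.disabled cis_apple_macOS_10.15.yml.disabled cis_apple_macOS_11.1.yml.disabled
cis_apple_macOS_12.0.yml.disabled cis_centos6_linux.yml.disabled cis_centos7_linux.yml.disabled
cis_centos8_linux.yml cis_debian10.yml.disabled cis_debian7.yml.disabled cis_debian8.yml.disabled
cis_debian9.yml.disabled cis_iis_10.yml.disabled cis_mongodb_36.yml.disabled
cis_mysql5-6_community.yml.disabled cis_mysql5-6_enterprise.yml.disabled cis_nginx_1.yml.disabled
cis_oracle_database_19c.yml.disabled cis_postgre-sql-13.yml.disabled cis_rhel5_linux.yml.disabled
cis_rhel6_linux.yml.disabled cis_rhel7_linux.yml.disabled cis_rhel8_linux.yml.disabled
cis_sles11_linux.yml.disabled cis_sles12_linux.yml.disabled cis_sles15_linux.yml.disabled
cis_solaris11.4.yml.disabled cis_solaris11.yml.disabled cis_sqlserver_2012.yml.disabled
cis_sqlserver_2014.yml.disabled cis_sqlserver_2016.yml.disabled cis_sqlserver_2017.yml.disabled
cis_sqlserver_2019.yml.disabled cis_ubuntu14-04.yml.disabled cis_ubuntu16-04.yml.disabled
cis_ubuntu18-04.yml.disabled cis_ubuntu20-04.yml.disabled cis_ubuntu22-04.yml.disabled
cis_win10_enterprise.yml.disabled cis_win11_enterprise.yml.disabled cis_win2012r2.yml.disabled
cis_win2016.yml.disabled cis_win2019.yml.disabled cis_win2022.yml.disabled
sca_unix_audit.yml.disabled sca_win_audit.yml.disabled web_vulnerabilities.yml.disabled
""".split()

# Policies the PR adds, taken from step 5 of the comment above.
PR_POLICIES = [
    "cis_apple_macOS_12.0.yml", "cis_iis_10.yml", "cis_solaris11.4.yml",
    "cis_ubuntu22-04.yml", "cis_win11_enterprise.yml", "cis_win2022.yml",
]


def make_fixture(names):
    """Create empty files with the given names in a fresh temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="sca-ruleset-"))
    for name in names:
        (root / name).touch()
    return root


def check_sca_ruleset(path, required, expected_total, allowed_enabled=()):
    """Inspect an SCA ruleset directory and report what a reviewer would check.

    A policy counts as enabled when it is present without the .disabled suffix.
    `allowed_enabled` lists policies that may legitimately be enabled on this
    host (assumption: the installer enables the one matching the host OS).
    """
    names = sorted(os.listdir(path))
    policies = {}  # policy file name -> enabled?
    for name in names:
        if name.endswith(".yml.disabled"):
            policies[name[: -len(".disabled")]] = False
        elif name.endswith(".yml"):
            policies[name] = True
    missing = [p for p in required if p not in policies]
    enabled = sorted(p for p, on in policies.items() if on)
    unexpected_enabled = [p for p in enabled if p not in allowed_enabled]
    return {
        "total": len(names),
        "missing": missing,
        "enabled": enabled,
        "unexpected_enabled": unexpected_enabled,
        "ok": len(names) == expected_total and not missing and not unexpected_enabled,
    }


def fixture_4_3_6():
    """The 4.3.6 listing above is the 4.3.7 listing minus the PR policies (46 files)."""
    drop = {p + ".disabled" for p in PR_POLICIES}
    return [n for n in LISTING_4_3_7 if n not in drop]


if __name__ == "__main__":
    host_policy = ("cis_centos8_linux.yml",)
    new = check_sca_ruleset(make_fixture(LISTING_4_3_7), PR_POLICIES, 52, host_policy)
    old = check_sca_ruleset(make_fixture(fixture_4_3_6()), PR_POLICIES, 46, host_policy)
    print("4.3.7:", new)
    print("4.3.6:", old)
```

To run the same checks on a real manager, pass `/var/ossec/ruleset/sca/` to `check_sca_ruleset` instead of the fixture path and set `allowed_enabled` to the policy that matches that host.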
CamiRomero commented 2 years ago

Verify Scan of SCA on 4.3.7

macOS 12.0 - Monterey :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/macos/wazuh-agent-4.3.7-qa.3150.pkg
   launchctl setenv WAZUH_MANAGER "IP" && installer -pkg wazuh-agent-4.3.7-qa.3150.pkg -target /
   /Library/Ossec/bin/wazuh-control start
   ```
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/08 18:35:15 sca: INFO: Module started.
   2022/08/08 18:35:15 sca: INFO: Loaded policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
   2022/08/08 18:35:15 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/08 18:35:15 wazuh-modulesd:control: INFO: Starting control thread.
   2022/08/08 18:35:15 wazuh-modulesd:syscollector: INFO: Module started.
   2022/08/08 18:35:15 wazuh-modulesd:syscollector: INFO: Starting evaluation.
   2022/08/08 18:35:15 sca: INFO: Starting evaluation of policy: '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
   2022/08/08 18:35:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
   2022/08/08 18:35:42 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
   2022/08/08 18:36:21 sca: INFO: Evaluation finished for policy '/Library/Ossec/ruleset/sca/cis_apple_macOS_12.0.yml'
   2022/08/08 18:36:21 sca: INFO: Security Configuration Assessment scan finished. Duration: 66 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "description": "This document, CIS Apple macOS 12 Monterey tested against Apple macOS 12.x",
           "pass": 27,
           "fail": 37,
           "hash_file": "42a937e39ac6793ce465dcc27a68635d35d52543f3f411db5092a414fb74cc52",
           "name": "CIS Apple macOS 12.0 Monterey Benchmark",
           "policy_id": "cis_apple_macos_12.x",
           "start_scan": "2022-08-08T16:36:18Z",
           "score": 42,
           "total_checks": 65,
           "end_scan": "2022-08-08T16:36:18Z",
           "invalid": 0
         }
       ],
       "total_affected_items": 1,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1659978167.712062: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 08 17:02:47 (macos-1201) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS Apple macOS 12.0 Monterey Benchmark: Score less than 50% (41)'
   {"type":"summary","scan_id":576627534,"name":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","file":"cis_apple_macOS_12.0.yml","description":"This document, CIS Apple macOS 12 Monterey tested against Apple macOS 12.x","references":"https://www.cisecurity.org/cis-benchmarks/","passed":27,"failed":38,"invalid":0,"total_checks":65,"score":41.5384635925293,"start_time":1659978143,"end_time":1659978164,"hash":"4d7a6a516bbee8ab716745454b3a1287372de19852142bf0baf1af26e667b5d0","hash_file":"42a937e39ac6793ce465dcc27a68635d35d52543f3f411db5092a414fb74cc52"}
   sca.type: summary
   sca.scan_id: 576627534
   sca.policy: CIS Apple macOS 12.0 Monterey Benchmark
   sca.description: This document, CIS Apple macOS 12 Monterey tested against Apple macOS 12.x
   sca.policy_id: cis_apple_macos_12.x
   sca.passed: 27
   sca.failed: 38
   sca.invalid: 0
   sca.total_checks: 65
   sca.score: 41
   sca.file: cis_apple_macOS_12.0.yml
   ```
Ubuntu 22.04 :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/deb/var/wazuh-agent_4.3.7-qa.3150_amd64.deb
   WAZUH_MANAGER="172.31.3.86" apt-get install /home/qa/wazuh-agent_4.3.7-qa.3150_amd64.deb
   systemctl daemon-reload
   systemctl enable wazuh-agent
   systemctl start wazuh-agent
   ```
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/08 17:28:57 sca: INFO: Module started.
   2022/08/08 17:28:57 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
   2022/08/08 17:28:57 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/08 17:28:57 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
   2022/08/08 17:29:04 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
   2022/08/08 17:29:04 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "description": "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.",
           "end_scan": "2022-08-08T17:32:06Z",
           "name": "CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.",
           "fail": 117,
           "score": 37,
           "hash_file": "cf3ac7f43dd59f4d6714c15260765517e9a5cd5f874ad46bfe92a5ebc421ab45",
           "total_checks": 191,
           "pass": 70,
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "policy_id": "cis_ubuntu22-04",
           "start_scan": "2022-08-08T17:32:06Z",
           "invalid": 4
         }
       ],
       "total_affected_items": 1,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1659979273.1389630: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 08 17:21:13 (ip-172-31-10-73) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.: Score less than 50% (37)'
   {"type":"summary","scan_id":1976855730,"name":"CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","policy_id":"cis_ubuntu22-04","file":"cis_ubuntu22-04.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":70,"failed":117,"invalid":4,"total_checks":191,"score":37.433155059814453,"start_time":1659979257,"end_time":1659979259,"hash":"bf50aaa6eecff35b384956223e3b703713620baa6b56b0dfae1efe722c0a7a70","hash_file":"cf3ac7f43dd59f4d6714c15260765517e9a5cd5f874ad46bfe92a5ebc421ab45","force_alert":"1"}
   sca.type: summary
   sca.scan_id: 1976855730
   sca.policy: CIS benchmark for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.
   sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 22.04 LTS based on CIS benchmark for Ubuntu Linux 22.04 LTS.
   sca.policy_id: cis_ubuntu22-04
   sca.passed: 70
   sca.failed: 117
   sca.invalid: 4
   sca.total_checks: 191
   sca.score: 37
   sca.file: cis_ubuntu22-04.yml
   ```
Solaris 11.4 :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/solaris/i386/11/wazuh-agent_v4.3.7-qa.3150-sol11-i386.p5p
   pkg install -g wazuh-agent_v4.3.7-qa.3150-sol11-i386.p5p wazuh-agent
   ```
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/08 21:02:03 sca: INFO: Module started.
   2022/08/08 21:02:03 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_solaris11.yml'
   2022/08/08 21:02:03 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/08 21:02:03 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_solaris11.yml'
   2022/08/08 21:02:12 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_solaris11.yml'
   2022/08/08 21:02:12 sca: INFO: Security Configuration Assessment scan finished. Duration: 9 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "description": "This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.",
           "end_scan": "2022-08-08T18:03:08Z",
           "name": "CIS Benchmark for Oracle Solaris 11",
           "fail": 32,
           "score": 37,
           "hash_file": "0e49a013285d28c58ba387ad97968a4e7ef21cac10a3e81df98b9d7d218910c1",
           "total_checks": 51,
           "pass": 19,
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "policy_id": "cis_solaris11",
           "start_scan": "2022-08-08T18:03:08Z",
           "invalid": 0
         }
       ],
       "total_affected_items": 1,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1659981743.1785544: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 08 18:02:23 (solaris-11) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Oracle Solaris 11: Score less than 50% (37)'
   {"type":"summary","scan_id":10129,"name":"CIS Benchmark for Oracle Solaris 11","policy_id":"cis_solaris11","file":"cis_solaris11.yml","description":"This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":19,"failed":32,"invalid":0,"total_checks":51,"score":37.254901885986328,"start_time":1659981723,"end_time":1659981729,"hash":"6011b715b39c5a201d9b6bc8c07fa55ee90873cb3b8748beae70c1568a376088","hash_file":"0e49a013285d28c58ba387ad97968a4e7ef21cac10a3e81df98b9d7d218910c1","force_alert":"1"}
   sca.type: summary
   sca.scan_id: 10129
   sca.policy: CIS Benchmark for Oracle Solaris 11
   sca.description: This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates.
   sca.policy_id: cis_solaris11
   sca.passed: 19
   sca.failed: 32
   sca.invalid: 0
   sca.total_checks: 51
   sca.score: 37
   sca.file: cis_solaris11.yml
   ```
Windows 2022 :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/windows/wazuh-agent-4.3.7-qa.3150.msi
   ```
   ![imagen](https://user-images.githubusercontent.com/37776796/183701235-9a400a14-df91-4693-9a7a-c8291900b937.png)
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/09 16:00:49 sca: INFO: Module started.
   2022/08/09 16:00:49 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
   2022/08/09 16:00:49 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 16:00:49 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/09 16:00:49 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
   2022/08/09 16:01:54 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
   2022/08/09 16:01:54 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 16:01:57 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 16:01:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 68 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "end_scan": "2022-08-09T16:04:27Z",
           "start_scan": "2022-08-09T16:04:27Z",
           "fail": 10,
           "description": "This document provides a way of ensuring the security of the Windows systems.",
           "pass": 25,
           "score": 71,
           "policy_id": "sca_win_audit",
           "hash_file": "da409ead5682c644e5bf9b99c91fc1c1bbc439126696ed406a7c932bc9d5c499",
           "total_checks": 71,
           "references": "NULL",
           "invalid": 36,
           "name": "Benchmark for Windows audit"
         },
         {
           "end_scan": "2022-08-09T16:04:24Z",
           "start_scan": "2022-08-09T16:04:24Z",
           "fail": 222,
           "description": "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2022.",
           "pass": 117,
           "score": 34,
           "policy_id": "cis_win2022",
           "hash_file": "f3359091e4f32c276cb5b55d3caebbcd63ffea581a62a909952584ccb50afbf0",
           "total_checks": 342,
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "invalid": 3,
           "name": "CIS Benchmark for Windows Server 2022 RTM "
         }
       ],
       "total_affected_items": 2,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1660061083.2157724: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 09 16:04:43 (EC2AMAZ-N9OLJ1L) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Windows Server 2022 RTM : Score less than 50% (34)'
   {"type":"summary","scan_id":1046313769,"name":"CIS Benchmark for Windows Server 2022 RTM ","policy_id":"cis_win2022","file":"cis_win2022.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2022.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":117,"failed":222,"invalid":3,"total_checks":342,"score":34.513275146484375,"start_time":1660061016,"end_time":1660061064,"hash":"52a9934125a6d7f102478aa2d0509757fb73654c318e706b57c5799f9e0f5966","hash_file":"f3359091e4f32c276cb5b55d3caebbcd63ffea581a62a909952584ccb50afbf0","force_alert":"1"}
   sca.type: summary
   sca.scan_id: 1046313769
   sca.policy: CIS Benchmark for Windows Server 2022 RTM
   sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2022.
   sca.policy_id: cis_win2022
   sca.passed: 117
   sca.failed: 222
   sca.invalid: 3
   sca.total_checks: 342
   sca.score: 34
   sca.file: cis_win2022.yml
   ```
Windows 11 Enterprise :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/windows/wazuh-agent-4.3.7-qa.3150.msi
   ```
   ![imagen](https://user-images.githubusercontent.com/37776796/183713970-1c3cc778-d1e5-44aa-a729-23973baed228.png)
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/09 17:07:37 sca: INFO: Module started.
   2022/08/09 17:07:37 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
   2022/08/09 17:07:37 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 17:07:37 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/09 17:07:37 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
   2022/08/09 17:08:10 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
   2022/08/09 17:08:10 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 17:08:13 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/09 17:08:13 sca: INFO: Security Configuration Assessment scan finished. Duration: 36 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "end_scan": "2022-08-09T17:08:10Z",
           "start_scan": "2022-08-09T17:08:10Z",
           "fail": 13,
           "description": "This document provides a way of ensuring the security of the Windows systems.",
           "pass": 22,
           "score": 62,
           "policy_id": "sca_win_audit",
           "hash_file": "da409ead5682c644e5bf9b99c91fc1c1bbc439126696ed406a7c932bc9d5c499",
           "total_checks": 71,
           "references": "NULL",
           "invalid": 36,
           "name": "Benchmark for Windows audit"
         },
         {
           "end_scan": "2022-08-09T17:08:07Z",
           "start_scan": "2022-08-09T17:08:07Z",
           "fail": 271,
           "description": "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.",
           "pass": 121,
           "score": 30,
           "policy_id": "cis_win11_enterprise_21H2",
           "hash_file": "1fd394d1108179b86e56243419e430e96299cf96ef92b61f2cbcaa81bfd9ba3e",
           "total_checks": 395,
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "invalid": 3,
           "name": "CIS Benchmark for Windows 11 Enterprise (Release 21H2)"
         }
       ],
       "total_affected_items": 2,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1660064906.3734663: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 09 17:08:26 (DESKTOP-LG33DL4) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Windows 11 Enterprise (Release 21H2): Score less than 50% (30)'
   {"type":"summary","scan_id":1770583813,"name":"CIS Benchmark for Windows 11 Enterprise (Release 21H2)","policy_id":"cis_win11_enterprise_21H2","file":"cis_win11_enterprise.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":121,"failed":271,"invalid":3,"total_checks":395,"score":30.867347717285156,"start_time":1660064857,"end_time":1660064887,"hash":"c9805f55d0525156fa14d10c9ce977d7139b5bea677829e61d203e5c42d7e462","hash_file":"1fd394d1108179b86e56243419e430e96299cf96ef92b61f2cbcaa81bfd9ba3e","force_alert":"1"}
   sca.type: summary
   sca.scan_id: 1770583813
   sca.policy: CIS Benchmark for Windows 11 Enterprise (Release 21H2)
   sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.
   sca.policy_id: cis_win11_enterprise_21H2
   sca.passed: 121
   sca.failed: 271
   sca.invalid: 3
   sca.total_checks: 395
   sca.score: 30
   sca.file: cis_win11_enterprise.yml
   ```
Windows 10 Enterprise :green_circle:

1. Download and install Wazuh Agent:
   ```
   curl -LO -k https://packages-dev.wazuh.com/warehouse/test/4.3/windows/wazuh-agent-4.3.7-qa.3150.msi
   ```
   ![imagen](https://user-images.githubusercontent.com/37776796/183897179-70708746-8a61-45cf-b13f-dcb5ae2b307a.png)
2. Check logs located in `/var/ossec/logs/ossec.log`:
   ```
   2022/08/10 12:08:30 sca: INFO: Module started.
   2022/08/10 12:08:30 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
   2022/08/10 12:08:30 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/10 12:08:30 sca: INFO: Starting Security Configuration Assessment scan.
   2022/08/10 12:08:30 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
   2022/08/10 12:08:48 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
   2022/08/10 12:08:48 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/10 12:08:51 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
   2022/08/10 12:08:51 sca: INFO: Security Configuration Assessment scan finished. Duration: 21 seconds.
   ```
3. Get result of Scan on Wazuh Manager:
   ```
   curl --location --request GET 'https://HOST_IP:55000/sca/AGENT_ID' \
   --header 'Authorization: Bearer TOKEN'
   ```
   Output:
   ```
   {
     "data": {
       "affected_items": [
         {
           "references": "NULL",
           "hash_file": "da409ead5682c644e5bf9b99c91fc1c1bbc439126696ed406a7c932bc9d5c499",
           "pass": 22,
           "start_scan": "2022-08-10T12:08:48Z",
           "score": 62,
           "description": "This document provides a way of ensuring the security of the Windows systems.",
           "name": "Benchmark for Windows audit",
           "policy_id": "sca_win_audit",
           "end_scan": "2022-08-10T12:08:48Z",
           "total_checks": 71,
           "fail": 13,
           "invalid": 36
         },
         {
           "references": "https://www.cisecurity.org/cis-benchmarks/",
           "hash_file": "0b4f03cd759c81045fdab3ea741071e378e42bf8bb3734b572ef6c23e6af7272",
           "pass": 122,
           "start_scan": "2022-08-10T12:08:45Z",
           "score": 31,
           "description": "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10.",
           "name": "CIS Benchmark for Windows 10 Enterprise (Release 21H2)",
           "policy_id": "cis_win10_enterprise",
           "end_scan": "2022-08-10T12:08:45Z",
           "total_checks": 395,
           "fail": 270,
           "invalid": 3
         }
       ],
       "total_affected_items": 2,
       "total_failed_items": 0,
       "failed_items": []
     },
     "message": "All selected sca information was returned",
     "error": 0
   }
   ```
4. Check alerts on `/var/ossec/logs/alerts.log`:
   ```
   ** Alert 1660132961.5837320: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
   2022 Aug 10 12:02:41 (DESKTOP-JM1IEU0) any->sca
   Rule: 19004 (level 7) -> 'SCA summary: CIS Benchmark for Windows 10 Enterprise (Release 21H2): Score less than 50% (31)'
   {"type":"summary","scan_id":1356817811,"name":"CIS Benchmark for Windows 10 Enterprise (Release 21H2)","policy_id":"cis_win10_enterprise","file":"cis_win10_enterprise.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":122,"failed":270,"invalid":3,"total_checks":395,"score":31.12244987487793,"start_time":1660133310,"end_time":1660133325,"hash":"4e9f40886b7484fc13c962210a1917931c0bcc1c66da4777a836d53e0f1b5d92","hash_file":"0b4f03cd759c81045fdab3ea741071e378e42bf8bb3734b572ef6c23e6af7272","force_alert":"1"}
   sca.type: summary
   sca.scan_id: 1356817811
   sca.policy: CIS Benchmark for Windows 10 Enterprise (Release 21H2)
   sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10.
   sca.policy_id: cis_win10_enterprise
   sca.passed: 122
   sca.failed: 270
   sca.invalid: 3
   sca.total_checks: 395
   sca.score: 31
   sca.file: cis_win10_enterprise.yml
   ```
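As an added example (not from this issue and not the Wazuh project's own code), the Python script below reads the SCA summary events quoted in the comments above and performs the consistency checks a reviewer of these results would want: it parses the JSON line out of an `alerts.log` block, recomputes each policy's score from `passed` and `failed` (the figures on the page imply score = 100 * passed / (passed + failed), truncated to an integer, with `invalid` checks left out of the denominator; that this is the module's exact formula is an assumption), checks that `passed + failed + invalid` equals `total_checks`, lists the policies under the 50% threshold that rule 19004 reports, and confirms that agents scanning the same policy file report the same `hash_file`. The alert block and the summary figures are copied from the comments above; the `agent` field on the constructed rows is added only for labelling.

```python
import json
import re

# Constructed sample: one rule 19004 alert block copied from the macOS comment above
# (the JSON line is what the parser reads).
SAMPLE_ALERT = """** Alert 1659978167.712062: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2022 Aug 08 17:02:47 (macos-1201) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS Apple macOS 12.0 Monterey Benchmark: Score less than 50% (41)'
{"type":"summary","scan_id":576627534,"name":"CIS Apple macOS 12.0 Monterey Benchmark","policy_id":"cis_apple_macos_12.x","file":"cis_apple_macOS_12.0.yml","description":"This document, CIS Apple macOS 12 Monterey tested against Apple macOS 12.x","references":"https://www.cisecurity.org/cis-benchmarks/","passed":27,"failed":38,"invalid":0,"total_checks":65,"score":41.5384635925293,"start_time":1659978143,"end_time":1659978164,"hash":"4d7a6a516bbee8ab716745454b3a1287372de19852142bf0baf1af26e667b5d0","hash_file":"42a937e39ac6793ce465dcc27a68635d35d52543f3f411db5092a414fb74cc52"}
"""

# Constructed sample: summary figures for the other policies above. Agent names are
# the hostnames shown in the alerts; the two sca_win_audit rows come from the API output.
SAMPLE_SUMMARIES = [
    {"agent": "ip-172-31-10-73", "policy_id": "cis_ubuntu22-04", "file": "cis_ubuntu22-04.yml",
     "passed": 70, "failed": 117, "invalid": 4, "total_checks": 191, "score": 37.433155059814453,
     "hash_file": "cf3ac7f43dd59f4d6714c15260765517e9a5cd5f874ad46bfe92a5ebc421ab45"},
    {"agent": "solaris-11", "policy_id": "cis_solaris11", "file": "cis_solaris11.yml",
     "passed": 19, "failed": 32, "invalid": 0, "total_checks": 51, "score": 37.254901885986328,
     "hash_file": "0e49a013285d28c58ba387ad97968a4e7ef21cac10a3e81df98b9d7d218910c1"},
    {"agent": "EC2AMAZ-N9OLJ1L", "policy_id": "cis_win2022", "file": "cis_win2022.yml",
     "passed": 117, "failed": 222, "invalid": 3, "total_checks": 342, "score": 34.513275146484375,
     "hash_file": "f3359091e4f32c276cb5b55d3caebbcd63ffea581a62a909952584ccb50afbf0"},
    {"agent": "EC2AMAZ-N9OLJ1L", "policy_id": "sca_win_audit", "file": "sca_win_audit.yml",
     "passed": 25, "failed": 10, "invalid": 36, "total_checks": 71, "score": 71,
     "hash_file": "da409ead5682c644e5bf9b99c91fc1c1bbc439126696ed406a7c932bc9d5c499"},
    {"agent": "DESKTOP-JM1IEU0", "policy_id": "sca_win_audit", "file": "sca_win_audit.yml",
     "passed": 22, "failed": 13, "invalid": 36, "total_checks": 71, "score": 62,
     "hash_file": "da409ead5682c644e5bf9b99c91fc1c1bbc439126696ed406a7c932bc9d5c499"},
]

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")


def parse_alert(block):
    """Extract (rule_id, level, event) from one alerts.log block; event is the JSON line."""
    rule_id = level = event = None
    for line in block.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule_id, level = int(m.group(1)), int(m.group(2))
        elif line.startswith("{"):
            event = json.loads(line)
    if event is None:
        raise ValueError("no JSON event in alert block")
    return rule_id, level, event


def expected_score(passed, failed):
    """Percentage of passed among graded (passed + failed) checks, truncated to int.

    Assumption: this is how the reported score is derived; invalid checks are
    excluded from the denominator, which matches every figure quoted above.
    """
    graded = passed + failed
    return int(100 * passed / graded) if graded else 0


def check_summary(ev, threshold=50):
    """Recompute the score and sanity-check the counts of one summary event."""
    recomputed = expected_score(ev["passed"], ev["failed"])
    return {
        "policy_id": ev["policy_id"],
        "score": recomputed,
        "score_matches": recomputed == int(ev["score"]),
        "counts_ok": ev["passed"] + ev["failed"] + ev["invalid"] == ev["total_checks"],
        "below_threshold": recomputed < threshold,
    }


def below_threshold(events, threshold=50):
    """policy_ids whose recomputed score is under the threshold, in input order."""
    return [c["policy_id"] for c in (check_summary(e, threshold) for e in events)
            if c["below_threshold"]]


def hash_mismatches(events):
    """Policy files for which agents report different hash_file values
    (which would mean they are not all running the same shipped policy)."""
    seen, bad = {}, set()
    for ev in events:
        if seen.setdefault(ev["file"], ev["hash_file"]) != ev["hash_file"]:
            bad.add(ev["file"])
    return sorted(bad)


if __name__ == "__main__":
    rule_id, level, mac = parse_alert(SAMPLE_ALERT)
    events = [mac] + SAMPLE_SUMMARIES
    print(f"rule {rule_id} level {level}")
    for ev in events:
        print(check_summary(ev))
    print("below 50%:", below_threshold(events))
    print("hash_file mismatches:", hash_mismatches(events))
```

Feeding it a real `alerts.log` means splitting the file on blank lines and passing each block to `parse_alert`; the other functions take the resulting event dicts unchanged, and the API's `affected_items` rows work too once `pass`/`fail` are mapped to `passed`/`failed`.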
jmv74211 commented 2 years ago

🟢 Everything seems to be working properly