Create SCA Policy for Windows Server 2012 (non R2)

[jk-olaoluwa]

Component	Action type	Main Issue
SCA	Create	#18306

Main tasks

• [x] Use the latest CIS benchmark PDF from https://downloads.cisecurity.org/#/
• [x] Verify IDs numbers.
• [x] Verify texts are correct: Title, Description, Rationale and Remediation.
• [x] Verify Compliance: CIS, CIS_CSC.
• [x] Verify condtion and rules:
  • [x] To Pass.
  • [x] To Fail.

Checks

Syntax and semantic

• [x] a) ID of each policy must be contiguous.
• [x] b) The order and format set in Documentation must be respected.
• [x] c) YML must be valid to avoid errors.

Content

• [x] a) Compare each check with its analog from CIS Benchmark.
• [x] b) Try maintaining each rule as similar as possible with the Audit section from the CIS check.
• [x] c) Check that the commands provide the expected output.
• [x] d) When a failure is discovered, check similar policies to avoid repetition of the issue.

Unit testing

• [x] a) Output from agent.log after the SCA scan and a raw output of the result of the checks.
  Tests results

Analysisd (server or local)

analysisd.debug=2

Auth daemon debug (server)

authd.debug=0

Exec daemon debug (server, local, or Unix agent)

execd.debug=0

Monitor daemon debug (server, local, or Unix agent)

monitord.debug=0

Log collector (server, local or Unix agent)

logcollector.debug=0

Integrator daemon debug (server, local or Unix agent)

integrator.debug=0

Unix agentd

agent.debug=2

Deployment

• [x] a) If the policy it's new, it must be added to the sca.files templates.
• [x] b) If the OS has many supported SCA policies, a policy must be set as the default policy. (as example)

Documentation

• [x] a) Ensure documentation SCA list includes the created or updated SCA.

[Johnng007]

Fix for Issue https://github.com/wazuh/wazuh/issues/21298

(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. (Automated)

• id: 15521 title: "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'." description: "This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations." rationale: "In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts." impact: "None - this is the default behavior." remediation: "To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age." references:

  • "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age" compliance:
  • cis: ["2.3.6.5"]
  • cis_csc_v8: ["5.2"]
  • cmmc_v2.0: ["IA.L2-3.5.7"]
  • pci_dss_v4.0: ["2.2.2", "8.3.5", "8.3.6", "8.6.3"]
  • soc_2: ["CC6.1"] condition: all rules:

  WRONG RULE

  • 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare <= 30'
  • 'c:net.exe accounts -> n:Maximum password age (days):\s+(\d+) compare > 0'

  CORRECT RULE condition: all rules:

  • 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
  • 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
  • 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 30'

  (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'. (Automated)

• id: 15509 title: "Ensure 'Accounts: Guest account status' is set to 'Disabled'." description: "This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the Domain Controllers organizational unit via group policy because Domain Controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings." rationale: "The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data." impact: "All network users will need to authenticate before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. This policy setting should have little impact on most organizations because it is the default setting in Microsoft Windows 2000, Windows XP, and Windows Server™ 2003." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status." references:
  • "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status" compliance:
  • cis: ["2.3.1.2"]
  • cis_csc_v8: ["4.7"]
  • cis_csc_v7: ["16.8"]
  • iso_27001-2013: ["A.9.2.1"]
  • pci_dss_v3.2.1: ["2.1", "2.1.1"]
  • pci_dss_v4.0: ["2.2.2", "2.3.1"]
  • soc_2: ["CC6.3"] condition: any rules:
  • 'c:net user guest -> r:Account active\s+No'
  • "c:net user guest -> r:The user name could not be found."

[jk-olaoluwa]

Update 05/02/2024

• Preparing SCA test environment
• Generating yaml file from the CIS pdf file

Update 06/02/2024

• Created PR - #21794
• Section 1.1.1 - 1.2.4 (in progress) https://github.com/wazuh/wazuh/pull/21794/commits/471194556fa0283162907565239f5c5e52d1e3d1

Update 07/02/2024

• Section 1.1.1 - 1.2.4 (Completed)

Update 08/02/2024

• Section 2.2.1 - 2.2.16 (Completed)

Update 09/02/2024

• Section 2.2.17 - 2.3.2.2 (Completed)

Update 12/02/2024

• Section 2.3.2.3 - 2.3.10.4 (Completed)

Update 13/02/2024

• Section 2.3.10.5 - 2.3.15.1 (Completed)

Update 14/02/2024

• Section 2.3.15.2 - 2.3.17.8 (Completed)

Update 15/02/2024

• Section 5.1 - 9.1.2 (Completed)

Update 16/02/2024

• Section 9.1.3 - 9.2.6 (Completed)

Update 19/02/2024

• Section 9.2.7 - 9.3.10 (Completed)

Update 20/02/2024

• Section 17.1.1 - 17.2.6 (Completed)

Update 21/02/2024

• Section 17.3.1 - 17.5.5 (Completed)

Update 22/02/2024

• Section 17.6.1 - 17.8.1 (Completed)

Update 23/02/2024

• Section 17.9.1 - 18.3.6 (Completed)

Update 26/02/2024

• Section 18.4.1 - 18.5.6 (Completed)

Update 27/02/2024

• Section 18.5.7 - 18.6.19.2.1

Update 28/02/2024

• Section 18.6.20.1 - 18.8.1.1

Update 04/03/2024

• Section 18.9.3.1 - 18.9.20.1.13

Update 05/03/2024

• Section 18.9.26.1 - 18.9.32.6.1

Update 06/03/2024

• Section 18.9.32.6.2 - 18.9.46.11.1

Update 07/03/2024

• Section 18.9.50.1.1 - 18.10.14.2

Update 08/04/2024

• Section 18.10.24.1 - 19.7.42.2.1 (Completed)

Update 12/03/2024

• SCA Completed and IDs created

Update 14/03/2024

• final checks completed
• renamed file from cis_win2012.yml to cis_win2012_non_r2.yml

[IsExec]

Review Update - 15/03/2024

Section 1.1.1 - 2.3.1.3

• File Description, Policy and Requirements(Line 1 - 28) 🔴

  - Line 2 - Checks should be for windows 2012 (non r2) - Line 11 and 12 Incorrect CIS Benchmark version and description - Incorrect policy ID and name - Incorrect requirements title and rules (Line 23 and 27)
• 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. (Automated) 🔴

  - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' Expected -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'

Review Update - 18/03/2024

• Section 1.1.1 - 2.3.1.3 fix confirmed

  Section 2.3.1.4 - 2.3.7.1

  • 2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only). (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> VulnerableChannelAllowList' Expected -> condition: all rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> VulnerableChannelAllowList'
  • 2.3.5.5 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only). (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0' Proposed -> condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'

Justification for 2.3.5.5

Review Update - 02/04/2024

Section 2.3.7.2 - 2.3.11.2

• 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. (Automated) 🔴

  - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1' Proposed -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
• 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. (Automated) 🔴

  - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' Proposed -> condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'

Review Update - 03/04/2024

Section 2.3.11.2 - 9.1.1

• 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. (Automated) 🔴

  - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' Proposed -> condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'

Review Update - 04/04/2024

• Section 9.1.1 - 18.3.3 🟢

Review Update - 05/04/2024

• Section 18.3.4 - 18.10.43.5.2

  • 18.10.43.5.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current -> condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' Proposed -> condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'

Review Update - 08/04/2024

• Section 18.10.43.10.1 - 18.10.57.3.9.4 🟢

Review Update - 16/04/2024

Section 18.10.57.3.9.5 - 18.10.87.2

• 18.10.59.2 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. (Automated) 🔴

  - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current - condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' Suggested - condition: any - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
  • 18.10.81.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'. (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current - condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' Suggested - condition: any - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
  • 18.10.81.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'. (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current - condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' Suggested - condition: any - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
  • 18.10.81.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. (Automated) 🔴

    - Id: - Title: 🟢 - Description: 🟢 - Rationale: 🟢 - Impact: 🟢 - Remediation: 🟢 - References: 🟢 - Compliance: 🟢 - Rules: 🔴 Current - condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' Suggested - condition: any - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'

[jk-olaoluwa]

Review Update - 15/03/2024

• Section 1.1.1 - 2.3.1.3 - fixed

18/03/2024

• Section 2.3.1.4 - 2.3.7.1 - fixed

03/04/2024

• Section 2.3.7.2 - 2.3.11.2 - fixed

04/04/2024

• Section 2.3.11.2 - 9.1.1 - fixed

05/04/2024

• Section 18.3.4 - 18.10.43.5.2 - fixed

[ooniagbi]

Currently working on other issues.

[ooniagbi]

This is still on hold because of higher-priority issues.

[ooniagbi]

This is still on hold because of higher-priority issues.

[IsExec]

Windows Server 2012 non-R2 SCA Testing Report

Condition: The new SCA was benchmarked against Windows server 2012 R2 SCA.

Agent running on old SCA (Windows server 2012 R2 SCA)

Endpoint spec

CPU/RAM

````console >systeminfo Host Name: WINDOWS-SERVER- OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Registered Organization: Vagrant Product ID: 00252-00105-69793-AA339 Original Install Date: 1/13/2015, 3:27:02 AM System Boot Time: 7/31/2024, 4:38:06 PM System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~2112 Mhz BIOS Version: innotek GmbH VirtualBox, 12/1/2006 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 4,024 MB Available Physical Memory: 2,731 MB Virtual Memory: Max Size: 5,432 MB Virtual Memory: Available: 4,293 MB Virtual Memory: In Use: 1,139 MB Page File Location(s): C:\pagefile.sys ````

Disk

````console >wmic logicaldisk get size,freespace,caption Caption FreeSpace Size C: 40912048128 64055406592 D: ````

Footprint test results

Metrics

            

SCA logs

````console 2024/07/31 22:20:50 sca: INFO: Starting Security Configuration Assessment scan. 2024/07/31 22:20:51 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:20:56 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:20:56 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. 2024/07/31 22:25:50 sca: INFO: Starting Security Configuration Assessment scan. 2024/07/31 22:25:50 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:25:56 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:25:56 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. 2024/07/31 22:30:50 sca: INFO: Starting Security Configuration Assessment scan. 2024/07/31 22:30:50 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:30:56 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/07/31 22:30:56 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds. ````

metrics.zip

Agent running on new SCA (Windows server 2012 non-R2 SCA Rework)

Endpoint spec

CPU/RAM

````console >systeminfo Host Name: WIN-VC0KKML8ORL OS Name: Microsoft Windows Server 2012 Standard Evaluation OS Version: 6.2.9200 N/A Build 9200 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Vagrant Registered Organization: Vagrant Product ID: 00183-90000-00001-AA422 Original Install Date: 8/1/2024, 8:16:59 PM System Boot Time: 8/1/2024, 8:18:02 PM System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~2112 Mhz BIOS Version: innotek GmbH VirtualBox, 12/1/2006 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC) Coordinated Universal Time Total Physical Memory: 4,024 MB Available Physical Memory: 2,896 MB Virtual Memory: Max Size: 7,608 MB Virtual Memory: Available: 6,601 MB Virtual Memory: In Use: 1,007 MB Page File Location(s): C:\pagefile.sys ````

Disk

````console >wmic logicaldisk get size,freespace,caption Caption FreeSpace Size C: 17856405504 42580570112 ````

Footprint test results

Metrics

!           

SCA logs

````console 2024/08/02 00:49:53 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/02 00:49:53 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:49:57 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:49:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. 2024/08/02 00:54:53 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/02 00:54:53 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:54:58 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:54:58 sca: INFO: Security Configuration Assessment scan finished. Duration: 5 seconds. 2024/08/02 00:59:53 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/02 00:59:53 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:59:58 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/02 00:59:58 sca: INFO: Security Configuration Assessment scan finished. Duration: 5 seconds. ````

metrics.zip

Analysis

	Benchmark (Win server 2012 R2 SCA)	New SCA (Win server 2012 nonR2)	Difference
CPU
wazuh-agent.exe average CPU percent	2.3	0.75	-1.55
Overall average CPU percent	11.6	4.4	-7.2
Overall peak CPU percent	18.1	8.3	-9.8
Memory
wazuh-agent.exe average memory (MB)	0.02	0.02	0
Overall average memory used (MB)	1299.9	1227.41	-72.49
Overall peak memory used peak (MB)	1301.05	1227.52	-73.53
Disk
Overall average disk used (MB)	22069.54	23578.23	1508.69
Overall peak disk used (MB)	22069.54	23578.23	1508.69
Overall average disk read bytes	N/A	N/A	N/A
Overall peak disk read bytes	N/A	N/A	N/A
Overall average disk write bytes	N/A	N/A	N/A
Overall peak disk write bytes	N/A	N/A	N/A

Note on Disk Read Bytes and Disk Write Bytes

Disk read and disk write bytes were excluded because the get_metrics.py script returned an Attribute error.

Error

```console >python get_metrics.py -- interval 5 -- duration 600 Traceback global_metrics = get_global_env_values (args.unit> File "C:\Users\Administrator\Desktop\sca_footprint\get_metrics.py", line 95, i n get_global_env_values disk_read_bytes = convert_units AAA AttributeError: 'NoneType' object has no attribute 'read_bytes' ```

The disk read and write bytes were excluded by commenting out the parts of the script that fetch the disk read and write bytes data.

[IsExec]

Windows Server 2012 non-R2 SCA Re-Test Report

Note on Disk Read Bytes and Disk Write Bytes

To capture the disk write and disk read values, it is required to enable disk metrics by running the command below:

>diskperf -y

Condition: The new SCA was benchmarked against old Windows server 2012 R2 SCA.

Agent running on old SCA (Windows server 2012 R2 SCA)

Endpoint spec

CPU/RAM

````console >systeminfo Host Name: WINDOWS-SERVER- OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Registered Organization: Vagrant Product ID: 00252-00105-69793-AA339 Original Install Date: 1/13/2015, 3:27:02 AM System Boot Time: 8/11/2024, 1:07:05 PM System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~2112 Mhz BIOS Version: innotek GmbH VirtualBox, 12/1/2006 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-06:00) Central Time (US & Canada) Total Physical Memory: 4,024 MB Available Physical Memory: 3,126 MB Virtual Memory: Max Size: 5,432 MB Virtual Memory: Available: 4,560 MB Virtual Memory: In Use: 872 MB Page File Location(s): C:\pagefile.sys Domain: WORKGROUP ````

Disk

````console >wmic logicaldisk get size,freespace,caption C a p t i o n F r e e S p a c e S i z e C : 4 3 3 1 7 2 4 8 0 0 0 6 4 0 5 5 4 0 6 5 9 2 ````

Footprint test results

Metrics

            

SCA logs

````console 2024/08/11 12:40:27 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/11 12:40:27 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:40:31 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:40:31 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. 2024/08/11 12:45:27 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/11 12:45:27 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:45:30 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:45:30 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds. 2024/08/11 12:50:27 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/11 12:50:27 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:50:30 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012r2.yml' 2024/08/11 12:50:30 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds. ````

metrics.zip

Agent running on new SCA (Windows server 2012 R2 SCA Rework)

Endpoint spec

CPU/RAM

````console >systeminfo Host Name: WIN-4UH3B19KVBF OS Name: Microsoft Windows Server 2012 Standard Evaluation OS Version: 6.2.9200 N/A Build 9200 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Vagrant Registered Organization: Vagrant Product ID: 00183-90000-00001-AA422 Original Install Date: 8/11/2024, 7:38:20 PM System Boot Time: 8/11/2024, 7:39:16 PM System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~2112 Mhz BIOS Version: innotek GmbH VirtualBox, 12/1/2006 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC) Coordinated Universal Time Total Physical Memory: 4,024 MB Available Physical Memory: 3,165 MB Virtual Memory: Max Size: 7,608 MB Virtual Memory: Available: 6,789 MB Virtual Memory: In Use: 819 MB Page File Location(s): C:\pagefile.sys ````

Disk

````console >wmic logicaldisk get size,freespace,caption C a p t i o n F r e e S p a c e S i z e C : 1 8 1 2 8 4 9 8 6 8 8 4 2 5 8 0 5 7 0 1 1 2 ````

Footprint test results

Metrics

            

SCA logs

````console 20:57:00 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 20:57:04 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 20:57:04 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. 2024/08/11 21:02:00 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/11 21:02:00 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 21:02:04 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 21:02:04 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. 2024/08/11 21:07:00 sca: INFO: Starting Security Configuration Assessment scan. 2024/08/11 21:07:00 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 21:07:04 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2012_non_r2.yml' 2024/08/11 21:07:04 sca: INFO: Security Configuration Assessment scan finished. Duration: 4 seconds. ````

metrics.zip

Analysis

	Benchmark (Win server 2012 R2 SCA)	New SCA (Win server 2012 nonR2)	Difference
CPU
wazuh-agent.exe average CPU percent	1.2	0.9	-0.3
Overall average CPU percent	0.4	4.6	4.2
Overall peak CPU percent	0.8	7.8	7
Memory
wazuh-agent.exe average memory (MB)	0.02	0.02	0
Overall average memory used (MB)	1162.15	841.29	-320.86
Overall peak memory used peak (MB)	1162.23	841.86	-320.37
Disk
Overall average disk used (MB)	19193.59	23325.89	4132.3
Overall peak disk used (MB)	19193.59	23325.89	4132.3
Overall average disk read bytes	1019.89	0	-1019.89
Overall peak disk read bytes	1019.89	0	-1019.89
Overall average disk write bytes	342.36	4.11	-338.25
Overall peak disk write bytes	342.45	4.2	-338.25

[ooniagbi]

LGTM!

[ooniagbi]

Pending: https://github.com/wazuh/wazuh-packages/issues/3073#issuecomment-2296630654

[ooniagbi]

Merged to 4.10.0