Wazuh ‐ CIS Benchmark scans - mluchettii/github-wiki-mluchetti GitHub Wiki

CIS Windows 11 Benchmark

On the Endpoints screen, click on one of the agents. In the above screenshot, we can see that a scan of this host has been completed automatically after the Windows agent was added. We can also see the results of the MITRE ATT&CK evaluation, as well as our level of compliance with different standards, such as PCI DSS.

CIS Benchmark for Windows 11

These are the results of the CIS Benchmark SCA scan for the Windows 11 agent. My score is 30%, having passed only 146 out of 481 checks. These checks make sure that the system is compliant with CIS standards, and include controls such as ensuring that the maximum password age is set to '365 or fewer days, but not 0'.

Clicking on a control expands a menu showing the rationale for the control, how to remediate it, a description of the policy setting, and other relevant information. This being a Windows agent, you can see the relevant registry values that were checked, so the remediation would involve changing a value using regedit.

CIS Distribution Independent Linux Benchmark

This is the screen for the Fedora Linux agent. Here, you can see that a different benchmark is used, and that this host has its own list of the top 5 most vulnerable packages under 'Vulnerability Detection'.

These are the results of the CIS Linux Benchmark scan. The score is better than the Windows 11 scan, but the benchmark also has about half the number of checks.

Here is an example of a failed check, 'Ensure login and logout events are collected', and how to remediate it. The remediation states that to fix this check, I would have to add a few lines to the /etc/audit/rules.d/audit.rules file:

This had to be done manually, but there are ways to automate the process using scripts. Thankfully, there is another piece of scanning software called OpenSCAP, which provides the user with a Bash remediation script to execute.
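The manual edit described above can be wrapped in a small check-and-remediate script of the kind an SCA policy itself performs. The following is an added example, not code from this wiki page, from Wazuh or from OpenSCAP. It assumes that the two `-w ... -k logins` rule lines are the ones the CIS benchmark remediation lists for the 'Ensure login and logout events are collected' control (compare them with the remediation text Wazuh shows before applying), and it uses the /etc/audit/rules.d/audit.rules path from the page, overridable through the RULES_FILE variable so it can be tried on a scratch file first. The function names (`has_rule`, `check_login_events`, `remediate_login_events`) are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page, Wazuh or OpenSCAP): an idempotent
# check-and-remediate helper for the CIS control
# "Ensure login and logout events are collected".
set -u

# Path from the page; override with RULES_FILE=/tmp/test.rules for a dry run.
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# ASSUMPTION: these are the rule lines the CIS remediation lists for this control.
# They watch (-p wa: write/attribute change) the files that record successful
# logins and failed-login lockouts, tagging events with the key "logins".
LOGIN_RULES='-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins'

# has_rule FILE RULE -> 0 if RULE is present as a whole line in FILE, else 1.
# -x matches the whole line, -F treats the rule as a fixed string, and "--"
# stops grep from reading the leading "-w" as an option.
has_rule() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# check_login_events FILE -> 0 if every required rule is present (the SCA
# check would pass), 1 if at least one is missing (the check would fail).
# The here-document keeps the loop in the current shell so "status" survives.
check_login_events() {
    file="$1"
    status=0
    while IFS= read -r rule; do
        has_rule "$file" "$rule" || status=1
    done <<EOF
$LOGIN_RULES
EOF
    return "$status"
}

# remediate_login_events FILE -> appends only the rules that are missing, so
# running it twice never duplicates a line, then re-runs the check.
# After changing a real rules.d file, load it with "augenrules --load".
remediate_login_events() {
    file="$1"
    while IFS= read -r rule; do
        if ! has_rule "$file" "$rule"; then
            printf '%s\n' "$rule" >> "$file"
            echo "added: $rule"
        fi
    done <<EOF
$LOGIN_RULES
EOF
    check_login_events "$file"
}

# Command-line use: ./audit_logins.sh --check   (report only)
#                   ./audit_logins.sh --apply   (append missing rules)
case "${1:-}" in
    --check)
        if check_login_events "$RULES_FILE"; then
            echo "PASS: login/logout audit rules present in $RULES_FILE"
        else
            echo "FAIL: login/logout audit rules missing from $RULES_FILE"
        fi
        ;;
    --apply)
        remediate_login_events "$RULES_FILE"
        ;;
esac
```

Run it with `--check` first to reproduce the SCA result, then with `--apply` as root to add the missing lines; because it appends only what `grep -x` cannot find, re-running it after the scan turns green is harmless.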