This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

wodle name="cis-cat"

New in version 3.1.0.

XML section name

<wodle name="cis-cat">
</wodle>

Configuration options of the CIS-CAT wodle.

Warning

CIS-CAT is not installed by default. It is proprietary software that you must obtain in order to use this module.

Main options

Main options Allowed values
disabled yes, no
timeout A positive number (seconds)
java_path Any valid path
ciscat_path Any valid path
content N/A

Scheduling options

Scheduling options Allowed values
scan-on-start yes, no
interval A positive number + suffix
day A day of the month
wday A day of the week
time A time of the day [hh:mm]

The CIS-CAT integration section shows some use cases for these options.

Main options

disabled

Disables the CIS-CAT wodle.

Default value no
Allowed values yes, no

timeout

Timeout for each evaluation. If the execution takes longer than the specified timeout, it is stopped.

Default value 1800
Allowed values A positive number (seconds)

java_path

Define where Java is located. If this parameter is not set, the wodle will search for the Java location in the default environment variable $PATH.

Default value $PATH
Allowed values Any valid path.

Warning

This field accepts either a full path or a relative path. If you specify a relative path, it is appended to the Wazuh installation path. ciscat_path behaves the same way.

ciscat_path

Define where CIS-CAT is located.

Default value wodles/ciscat
Allowed values Any valid path.

content

Define an evaluation. At present, you can only run assessments for XCCDF policy files.

Attributes

type Select content type.
path Use the specified policy file.
timeout Timeout for the evaluation (in seconds). Use of this attribute overwrites the generic timeout.

profile Select profile.

Note

The path attribute accepts either the full path where the benchmark files are located or a path relative to the CIS-CAT tool location.

Scheduling options

scan-on-start

Runs the evaluation immediately when the service is started.

Default value yes
Allowed values yes, no

interval

Interval between CIS-CAT executions.

Default value 1d
Allowed values A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is constrained by the day, wday and time options described below. If none of these options are set, the interval can take any allowed value.

day

New in version 3.5.0.

Day of the month to run the CIS-CAT scan.

Default value n/a
Allowed values Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

New in version 3.5.0.

Day of the week to run the CIS-CAT scan. This option is not compatible with the day option.

Default value n/a
Allowed values
Day of the week:
  • sunday/sun
  • monday/mon
  • tuesday/tue
  • wednesday/wed
  • thursday/thu
  • friday/fri
  • saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

New in version 3.5.0.

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value n/a
Allowed values Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days. By default, the interval is set to a day.

Example of configuration

<wodle name="cis-cat">

  <disabled>no</disabled>
  <timeout>1800</timeout>
  <wday>monday</wday>
  <time>04:00</time>
  <interval>2w</interval>
  <scan-on-start>yes</scan-on-start>

  <java_path>/usr/bin</java_path>
  <ciscat_path>wodles/ciscat</ciscat_path>

  <content type="xccdf" path="benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml">
    <profile>xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server</profile>
  </content>

</wodle>
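
The scheduling notes above tie interval to whichever of day, wday and time is set, and a mismatch is easy to miss when editing the block by hand. The following Python checker is an added example, not part of the Wazuh documentation or code; the name check_ciscat_schedule and both sample blocks are constructed here, and it assumes that "multiple of months" means the M suffix while week and day multiples are tested on the interval converted to seconds.

```python
import re
import xml.etree.ElementTree as ET

# Allowed values copied from the option tables on this page.
WDAYS = {"sunday", "sun", "monday", "mon", "tuesday", "tue", "wednesday", "wed",
         "thursday", "thu", "friday", "fri", "saturday", "sat"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Constructed samples: GOOD mirrors the page's example schedule, BAD is inconsistent.
GOOD = '<wodle name="cis-cat"><wday>monday</wday><time>04:00</time><interval>2w</interval></wodle>'
BAD = '<wodle name="cis-cat"><day>15</day><wday>mon</wday><interval>10d</interval></wodle>'

def check_ciscat_schedule(wodle_xml):
    """Return a list of scheduling problems in one <wodle name="cis-cat"> block."""
    root = ET.fromstring(wodle_xml)
    opt = {t: (root.findtext(t) or "").strip() for t in ("day", "wday", "time", "interval")}
    problems = []
    if opt["day"] and opt["wday"]:
        problems.append("wday is not compatible with day")
    if opt["day"] and not (re.fullmatch(r"[0-9]{1,2}", opt["day"]) and 1 <= int(opt["day"]) <= 31):
        problems.append("day must be in 1..31")
    if opt["wday"] and opt["wday"] not in WDAYS:
        problems.append("wday is not a listed day of the week")
    if opt["time"] and not re.fullmatch(r"([01][0-9]|2[0-3]):[0-5][0-9]", opt["time"]):
        problems.append("time must be hh:mm")
    if not opt["interval"]:
        return problems  # the documented default interval applies
    m = re.fullmatch(r"([1-9][0-9]*)([smhdwM])", opt["interval"])
    if not m:
        problems.append("interval must be a positive number plus s, m, h, d, w or M")
        return problems
    count, unit = int(m.group(1)), m.group(2)
    # Assumption: "multiple of months" means the M suffix (months have no fixed
    # length); "multiple of weeks/days" is checked on the interval in seconds.
    seconds = None if unit == "M" else count * UNIT_SECONDS[unit]
    if opt["day"] and unit != "M":
        problems.append("day is set: interval must be a multiple of months")
    elif opt["wday"] and not opt["day"] and (seconds is None or seconds % 604800):
        problems.append("wday is set: interval must be a multiple of weeks")
    elif opt["time"] and not (opt["day"] or opt["wday"]) and (seconds is None or seconds % 86400):
        problems.append("only time is set: interval must be a multiple of days")
    return problems

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ciscat_schedule(cfg) or "ok")
```

Pass it the text of a single cis-cat wodle block; an empty list means the schedule options are mutually consistent under the rules on this page.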