Modern security teams rely on Wazuh to continuously evaluate system configurations against recognized security standards, helping identify insecure settings before they become exploitable.
One of the most popular frameworks for this purpose is the Center for Internet Security (CIS) Benchmarks, which can be assessed using the CIS-CAT tool integrated with Wazuh.
The Wazuh CIS-CAT integration enables administrators to automate compliance assessments across Windows, Linux, and other supported operating systems.
Instead of manually auditing hundreds of security settings, Wazuh can execute CIS-CAT scans on managed endpoints and import the results into the Wazuh Dashboard for centralized visibility.
However, one of the most common problems administrators encounter is the “Java path not found” error.
Because CIS-CAT is a Java application, it cannot run unless the Wazuh agent can locate a valid Java Runtime Environment (JRE) or Java Development Kit (JDK).
If Java is missing, incorrectly installed, or unavailable through the configured system path, CIS-CAT assessments fail before they even begin.
Fortunately, this issue is usually straightforward to diagnose once you understand how the integration works and where Wazuh expects Java to be installed.
In this guide, you’ll learn:
- How the Wazuh CIS-CAT integration works
- Why Java is required for compliance scans
- The most common causes of “Java path not found” errors
- Step-by-step methods to diagnose and fix Java path issues
- Best practices for preventing future CIS-CAT execution failures
Related Guides:
Understanding the Wazuh CIS-CAT Integration
What Is CIS-CAT?
CIS-CAT (Center for Internet Security Configuration Assessment Tool) is an automated compliance assessment utility developed by the Center for Internet Security (CIS).
It evaluates operating systems and applications against the official CIS Benchmarks, which define secure configuration recommendations for a wide variety of platforms.
Rather than manually reviewing hundreds of registry values, file permissions, security policies, and operating system settings, CIS-CAT performs these checks automatically and generates a detailed compliance report.
Wazuh integrates with CIS-CAT by allowing managed agents to execute local assessments and forward the results back to the Wazuh Manager, where they become searchable, reportable, and visible within the dashboard.
What Are CIS Benchmarks?
CIS Benchmarks are consensus-based security configuration standards developed by cybersecurity experts from government agencies, academia, vendors, and industry practitioners.
They provide detailed hardening guidance for technologies such as:
- Windows Server
- Windows Desktop
- Ubuntu
- Red Hat Enterprise Linux
- Debian
- Oracle Linux
- macOS
- Kubernetes
- Docker
- VMware
- Microsoft SQL Server
- Apache Web Server
- NGINX
- Oracle Database
- Amazon Web Services (AWS)
- Microsoft Azure
Each benchmark contains hundreds of recommendations designed to reduce attack surfaces by disabling unnecessary services, enforcing strong authentication, configuring logging, securing network protocols, and applying security best practices.
The CIS Benchmarks are widely recognized throughout the cybersecurity industry and are frequently referenced by compliance frameworks such as NIST, PCI DSS, HIPAA, and ISO 27001.
CIS-CAT Lite vs. CIS-CAT Pro
There are two primary editions of CIS-CAT.
| Feature | CIS-CAT Lite | CIS-CAT Pro |
|---|
| Free to use | ✔ | ✘ |
| Basic benchmark assessments | ✔ | ✔ |
| Advanced reporting | Limited | ✔ |
| Enterprise automation | Limited | ✔ |
| Additional benchmark coverage | Limited | ✔ |
| Compliance dashboards | Limited | ✔ |
| Commercial support | ✘ | ✔ |
Most Wazuh deployments use CIS-CAT Lite, which is sufficient for performing automated benchmark assessments and importing results into Wazuh.
Organizations requiring enterprise-scale compliance reporting often deploy CIS-CAT Pro, particularly when integrating with larger governance, risk, and compliance (GRC) programs.
Compliance Assessment Capabilities
When integrated correctly, Wazuh and CIS-CAT provide continuous compliance monitoring across your infrastructure.
Typical assessments include:
- Password policy verification
- Account lockout configuration
- Audit policy validation
- Firewall configuration checks
- Secure service configuration
- Registry security settings
- File permission auditing
- SSH hardening validation
- Kernel security parameters
- Package configuration analysis
The results are centralized inside Wazuh, allowing analysts to:
- Identify failed benchmark recommendations
- Track compliance trends over time
- Prioritize remediation efforts
- Generate compliance reports
- Correlate compliance failures with security events
This combination transforms Wazuh from a traditional SIEM into a broader security monitoring and compliance platform.
Related Guides: How to Monitor Kubernetes Using Wazuh
How Wazuh Executes CIS-CAT Scans
The Wazuh Agent Launches CIS-CAT Locally
Unlike many centralized vulnerability scanners, Wazuh executes CIS-CAT directly on the endpoint through the installed Wazuh agent.
When a scheduled Security Configuration Assessment (SCA) or CIS-CAT scan begins, the agent starts the CIS-CAT executable locally.
Running the assessment on the endpoint gives CIS-CAT direct access to system files, registry settings, security policies, installed packages, and other configuration data needed for evaluation.
Because the assessment runs locally, every monitored endpoint must satisfy the CIS-CAT runtime requirements independently.
Java Runtime Environment Dependency
One of those runtime requirements is Java.
CIS-CAT is packaged as a Java application and requires a supported Java Runtime Environment (JRE) or Java Development Kit (JDK).
Before the assessment begins, the Wazuh agent attempts to launch the Java executable specified by the CIS-CAT integration configuration.
If Java cannot be found, Wazuh commonly reports errors such as:
- Java path not found
- java executable not found
- Unable to execute java
- Failed to launch CIS-CAT
- Cannot find Java Runtime Environment
These failures occur before the compliance assessment starts, meaning no benchmark checks are executed and no results are returned to the Wazuh Manager.
Oracle recommends using supported Java versions and maintaining the runtime with current security updates to ensure compatibility and reduce exposure to known vulnerabilities.
Typical CIS-CAT Scan Workflow
A successful CIS-CAT assessment generally follows this sequence:
- Wazuh Manager schedules the compliance assessment.
- The Wazuh agent receives the scan request.
- The agent locates the configured Java executable.
- Java launches the CIS-CAT application.
- CIS-CAT loads the selected benchmark profile.
- The endpoint is evaluated against benchmark rules.
- CIS-CAT generates assessment results.
- The Wazuh agent parses the output.
- Results are forwarded to the Wazuh Manager.
- Findings become searchable in the Wazuh Dashboard.
If the Java executable cannot be located during step three, the workflow terminates immediately.
Result Collection and Reporting
After a successful assessment, Wazuh imports the CIS-CAT results into its indexing pipeline, making them available for dashboards, alerts, searches, and long-term reporting.
Security teams can use these results to:
- View overall compliance scores
- Identify failed benchmark rules
- Track remediation progress
- Detect configuration drift
- Generate audit evidence for compliance initiatives
If Java path errors prevent CIS-CAT from launching, none of these results are collected.
This often leads administrators to believe the integration itself is broken when the root cause is simply an inaccessible Java executable.
Related Guides:
Common Causes of Java Path Errors
Several different configuration problems can prevent Wazuh from launching CIS-CAT successfully.
While the error message often simply states “Java path not found”, the underlying cause can vary depending on the operating system, Java installation, and how the Wazuh agent is configured.
Understanding the most common causes makes troubleshooting significantly faster.
Java Is Not Installed
The most straightforward cause is that Java is not installed on the endpoint.
Since CIS-CAT is a Java application, the Wazuh agent must be able to launch a Java Runtime Environment (JRE) or Java Development Kit (JDK).
If neither is installed, the scan fails immediately because there is no executable available.
Typical symptoms include:
java: command not foundUnable to locate JavaJava executable not found- CIS-CAT exits immediately without producing results
On Linux systems, this can often happen after provisioning a minimal server image that omits Java packages.
JAVA_HOME Is Not Configured
Many Java applications, including CIS-CAT deployments, rely on the JAVA_HOME environment variable to locate the Java installation.
If JAVA_HOME points to a non-existent directory or has never been configured, the Wazuh agent may be unable to determine which Java runtime to use.
Examples include:
- Java upgraded but
JAVA_HOME still references the old version. - Java removed without updating environment variables.
- Typographical errors in the configured path.
JAVA_HOME points to the bin directory instead of the Java installation root.
Always ensure that JAVA_HOME references the root directory of the installed JDK or JRE rather than the java executable itself.
PATH Environment Variable Is Missing Java
Even if Java is correctly installed, the executable must be discoverable through the system’s PATH environment variable unless Wazuh is configured with an absolute Java path.
For example:
or
If the directory containing java is absent from PATH, commands executed by the Wazuh agent cannot locate the runtime automatically.
This is especially common after manual Java installations where environment variables were never updated.
Incorrect Java Binary Location
Administrators sometimes configure the wrong executable path inside the CIS-CAT integration.
Examples include:
- Incorrect directory names
- Typographical errors
- Referencing deleted installations
- Using symbolic links that no longer exist
- Pointing to a directory instead of the executable
Always verify the configured Java binary against the actual installed location.
Multiple Java Versions Installed
Many enterprise systems have multiple Java versions installed simultaneously.
For example:
- Java 8
- Java 11
- Java 17
- Java 21
While this is perfectly valid, problems arise when:
JAVA_HOME references one versionPATH references another- Wazuh attempts to launch a third version
This inconsistency often produces unexpected compatibility problems or causes CIS-CAT to fail entirely.
Whenever possible, standardize on a single supported Java version for CIS-CAT assessments.
Unsupported Java Version
Not every Java release is compatible with every CIS-CAT version.
Very old Java releases may lack required runtime features, while cutting-edge versions may introduce compatibility changes before CIS-CAT officially supports them.
Before upgrading Java across your environment, verify the supported runtime versions in the CIS-CAT documentation.
Permission Problems
Java may exist on the system but still be inaccessible to the Wazuh agent.
Common permission issues include:
- Missing execute permissions
- Restricted installation directories
- SELinux policies
- AppArmor restrictions
- File ownership problems
- Endpoint security software blocking execution
If the Wazuh service account cannot execute the Java binary, CIS-CAT will fail despite Java being correctly installed.
Service Cannot Access User Environment Variables
This is one of the most overlooked causes.
Administrators often verify Java by opening a terminal as their own user account and running:
The command succeeds, yet Wazuh still reports that Java cannot be found.
The reason is that system services frequently run under dedicated service accounts that do not inherit the logged-in user’s environment variables.
For example:
JAVA_HOME configured only in .bashrcPATH modified only for interactive shells- Windows environment variables configured for the current user rather than the system
As a result, Java works interactively but fails when launched by the Wazuh agent service.
Verify Java Installation
Before changing Wazuh or CIS-CAT configuration files, verify that Java is installed correctly and accessible from the operating system.
These simple checks often identify the root cause within minutes.
Check the Java Version
The quickest verification is to display the installed Java version.
Linux:
Windows Command Prompt:
A successful installation returns output similar to:
or
If you instead receive:
or
Java is either missing or unavailable through the system PATH.
Locate the Java Executable
Next, determine exactly where Java is installed.
Linux:
or
Windows:
The returned path should point to the executable that Wazuh will launch.
Typical examples include:
Confirm JAVA_HOME
Verify that the JAVA_HOME environment variable references the correct installation.
Linux:
Windows:
The output should point to the Java installation directory rather than the executable itself.
Example:
or
If no value is returned, JAVA_HOME has not been configured.
Verify PATH Configuration
Next, inspect the system PATH variable.
Linux:
Windows:
Ensure that the Java bin directory appears somewhere within the output.
For example:
or
If it is missing, Java may function only when referenced with its full path.
Test Java Execution Manually
Finally, execute Java directly using its absolute path.
Linux:
or
Windows:
If these commands execute successfully, the Java installation itself is healthy.
Any remaining issues are likely related to environment variables, permissions, or Wazuh’s CIS-CAT configuration rather than Java itself.
Install Java if It Is Missing
If Java is not installed, or the existing installation is corrupted, the solution is to install a supported Java Runtime Environment (JRE) or Java Development Kit (JDK).
Most administrators choose the latest Long-Term Support (LTS) release to maximize compatibility and receive ongoing security updates.
After installation, always verify that the Java executable is available to the Wazuh agent before rerunning CIS-CAT assessments.
Installing Java on Ubuntu/Debian
Update the package repository:
Install OpenJDK:
Alternatively, install a specific version such as OpenJDK 21:
After installation, confirm that Java is available:
Installing Java on RHEL/CentOS/Rocky Linux
Install OpenJDK using your package manager.
RHEL 9 / Rocky Linux:
Older CentOS releases:
Verify the installation:
Installing Java on Windows
Download and install a supported JDK or JRE from a trusted vendor such as Oracle or Eclipse Adoptium.
During installation:
- Install for all users if possible.
- Configure system-wide environment variables.
- Add Java to the system
PATH. - Restart any open command prompts after installation.
After installation, verify from Command Prompt:
Verifying the Installation
Once Java has been installed, perform one final verification before testing CIS-CAT.
Confirm:
java -version executes successfully.JAVA_HOME points to the correct installation directory.- The Java
bin directory is included in the system PATH. - The Wazuh service account can execute the Java binary.
- The Java version is supported by your CIS-CAT release.
Completing these checks before rerunning the assessment can save significant troubleshooting time and helps ensure that the Wazuh agent can successfully launch CIS-CAT.
Related Guides:
Configure Java for Wazuh CIS-CAT
After confirming that Java is installed, the next step is ensuring that the Wazuh agent can actually locate and execute it.
In many cases, Java is present on the system, but incorrect environment variables or service configurations prevent CIS-CAT from launching.
Set JAVA_HOME
The JAVA_HOME environment variable tells applications where the Java installation is located.
Although some applications can rely solely on the system PATH, configuring JAVA_HOME improves consistency and reduces compatibility issues.
On Linux, you can temporarily set the variable using:
To make the change persistent, add it to a system-wide configuration file such as:
/etc/environment/etc/profile/etc/profile.d/java.sh
On Windows:
- Open System Properties.
- Select Advanced → Environment Variables.
- Create or edit the JAVA_HOME system variable.
- Set its value to the Java installation directory (not the
bin folder).
For example:
Avoid pointing JAVA_HOME directly to java.exe, as many Java-based applications expect the variable to reference the installation root.
Update the PATH Variable
Once JAVA_HOME is configured, ensure that the Java executable directory is included in the system PATH.
On Linux:
On Windows, add:
to the system PATH variable.
After updating the PATH, open a new terminal or Command Prompt and verify:
If Java launches successfully without specifying the full path, the environment is configured correctly.
Configure Environment Variables for Services
One of the most common reasons CIS-CAT fails despite a successful interactive test is that the Wazuh agent runs as a background service.
Background services frequently use a different execution environment than interactive user sessions.
Examples include:
JAVA_HOME defined only in .bashrcPATH modified only for the logged-in user- Windows environment variables configured under the current user instead of the Local System account
- Systemd services that do not inherit shell environment variables
On Linux systems using systemd, you may need to define environment variables directly within the Wazuh service configuration or create an override file.
For example:
Reload systemd after making changes:
This ensures that the Wazuh agent starts with the correct Java environment.
Restart the Wazuh Agent
After updating environment variables, restart the Wazuh agent so it loads the new configuration.
Linux:
Verify the service status:
Windows (PowerShell):
Alternatively, restart the service from the Services management console.
Restarting is essential because existing processes continue using their original environment until they are restarted.
Related Guide: How to Unmask and Restart a Blocked Wazuh-Agent Service on Linux
Verify Configuration Changes
Before rerunning a CIS-CAT assessment, verify that the Wazuh agent can access Java successfully.
Check the following:
java -version executes without errors.JAVA_HOME points to the correct installation.- The Java
bin directory is included in the system PATH. - The Wazuh agent service has been restarted.
- The Java executable referenced by CIS-CAT actually exists.
If all checks succeed, rerun the CIS-CAT scan and review the Wazuh agent logs for any remaining execution errors.
Related Guides: Troubleshooting wazuh-logtest: Why Alerts Are Missing from JSON Output
Check the CIS-CAT Configuration
Even with Java configured correctly, CIS-CAT assessments can still fail if the integration itself is incomplete or improperly configured.
Verifying the CIS-CAT installation helps eliminate another common source of execution failures.
Review the CIS-CAT Directory
Begin by confirming that the CIS-CAT files are installed in the expected directory.
Depending on your operating system and deployment method, the directory should contain:
- CIS-CAT executable files
- Benchmark content
- Configuration files
- Supporting libraries
- Documentation
If the directory is incomplete or accidentally deleted, the Wazuh agent will be unable to launch the scanner regardless of the Java configuration.
Verify Scanner Files
Inspect the CIS-CAT installation for required files.
Typical components include:
- CIS-CAT launcher
- Java archive (
.jar) files - Benchmark XML files
- Configuration files
- Supporting libraries
Missing or corrupted files often produce startup errors that resemble Java failures, making it important to verify the integrity of the installation before focusing solely on the runtime.
If necessary, reinstall or replace the CIS-CAT package from an official source.
Validate the CIS-CAT Configuration
Review the Wazuh CIS-CAT integration configuration carefully.
Verify that:
- The scanner path is correct.
- The Java executable path is valid.
- File permissions allow execution.
- Benchmark locations match the installed directory.
- Configuration files contain no typographical errors.
Small mistakes such as an extra space, incorrect capitalization, or outdated installation path are surprisingly common causes of failed assessments.
When modifying configuration files, validate your syntax before restarting the agent.
Related Guide: How to Fix ossec.conf Syntax Errors in Wazuh Agents
Confirm Benchmark Availability
CIS-CAT requires benchmark content in order to perform assessments.
Verify that:
- The required benchmark files are present.
- The benchmark version matches the CIS-CAT release.
- The selected operating system is supported.
- Benchmark files are readable by the Wazuh agent.
If benchmark content is missing, the scanner may start successfully but terminate before performing any compliance checks.
Troubleshoot Platform-Specific Java Issues
Some Java path problems are unique to a particular operating system.
Understanding these platform-specific behaviors can significantly reduce troubleshooting time.
Linux-Specific Problems
Linux environments often experience Java execution issues because of differences between interactive shells and background services.
Common Linux-specific causes include:
- Missing system-wide environment variables
- Incorrect symbolic links
- Permission restrictions
- SELinux or AppArmor policies
- Multiple Java installations managed by alternatives
Because Linux distributions vary considerably, always verify configuration using the same service account that runs the Wazuh agent.
Shell Profile Differences
Administrators frequently configure Java inside personal shell profiles such as:
.bashrc.bash_profile.profile.zshrc
These files are loaded only during interactive login sessions.
System services, including the Wazuh agent, typically do not read these profiles.
As a result:
- Java works when you log in.
- CIS-CAT fails when launched by Wazuh.
Whenever possible, configure Java using system-wide environment files instead of user-specific shell profiles.
Service Environment Variables
On modern Linux systems, Wazuh usually runs as a systemd service.
You can inspect the service environment using:
If the output does not contain the expected Java variables, create a systemd override or update the service configuration before restarting the agent.
This ensures that Java is available regardless of which administrator is logged into the system.
Symbolic Link Issues
Many Linux distributions use symbolic links for Java.
For example:
may point to:
If the underlying Java installation is removed or upgraded improperly, the symbolic link may become invalid.
Verify the active link:
If the link is broken, recreate it or update the system’s Java alternatives configuration.
Windows-Specific Problems
Windows systems introduce a different set of Java path issues.
Common examples include:
- Incorrect registry entries
- User-only environment variables
- Service account restrictions
- Architecture mismatches
- Legacy Java installations
Many of these problems occur after upgrading Java without removing older versions.
Registry Configuration
Some Java installers record installation paths in the Windows Registry.
If registry entries reference removed or outdated installations, applications that rely on them may fail to locate Java.
This is particularly common after:
- Manual uninstallations
- Side-by-side Java upgrades
- Incomplete installer rollbacks
Keeping only actively supported Java installations helps minimize registry inconsistencies.
Environment Variables
On Windows, ensure that both JAVA_HOME and PATH are configured as System variables, not merely User variables.
The Wazuh service generally runs under the Local System account, which cannot access environment variables defined exclusively for an individual user.
Always verify configuration from an elevated Command Prompt after making changes.
Service Account Permissions
The Wazuh service account must have permission to:
- Read the Java installation directory.
- Execute
java.exe. - Access the CIS-CAT installation.
- Read benchmark files.
Restrictive NTFS permissions, endpoint protection software, or application control policies can prevent Java from launching even when the installation itself is valid.
32-bit vs. 64-bit Java
Finally, confirm that the Java architecture matches your deployment requirements.
Problems can occur when:
- 32-bit Java is installed on a 64-bit system.
- Multiple architectures are installed simultaneously.
- Wazuh references the wrong executable.
- Legacy software installs an outdated 32-bit runtime earlier in the
PATH.
Using a supported 64-bit Java installation for modern Wazuh deployments simplifies maintenance and avoids many compatibility issues.
Verify Wazuh Agent Permissions
Even if Java is installed correctly and the CIS-CAT configuration is valid, the assessment can still fail if the Wazuh agent lacks permission to execute the required files.
Since the agent runs as a service account rather than an interactive user, verifying its permissions is an important troubleshooting step.
Confirm the Agent Can Execute Java
The Wazuh agent must be able to locate and execute the Java binary.
First, identify the account under which the agent is running.
On Linux:
or
On Windows, open Services, locate the Wazuh service, and check the Log On account.
Once you’ve identified the service account, verify that it has execute access to the Java binary.
Typical executable locations include:
or
If the service account cannot execute Java, CIS-CAT assessments will terminate immediately with runtime errors.
Verify File Permissions
Next, inspect the permissions on both the Java installation and the CIS-CAT files.
On Linux:
or
Ensure that:
- The Java executable has execute permissions.
- The Wazuh agent can traverse each parent directory.
- CIS-CAT files are readable by the service account.
- Benchmark XML files are accessible.
On Windows, verify that the Wazuh service account has Read & Execute permissions on:
- Java installation directory
- CIS-CAT installation directory
- Benchmark files
- Supporting libraries
Permission issues often appear after administrators manually copy files or restore them from backups with restrictive access control lists (ACLs).
Check SELinux or AppArmor Restrictions
On hardened Linux systems, mandatory access control frameworks such as SELinux or AppArmor may prevent the Wazuh agent from executing Java, even when traditional Unix file permissions appear correct.
For SELinux-enabled systems, review recent denials:
You can also inspect the audit log:
On AppArmor-enabled systems:
Look for profiles affecting:
wazuh-agentjava- CIS-CAT executables
If security policies are blocking execution, update the relevant policy rather than disabling SELinux or AppArmor whenever possible.
Test Manual Execution as the Wazuh User
One of the most effective troubleshooting techniques is to execute Java using the same account that runs the Wazuh agent.
On Linux:
Or, if necessary:
If Java fails under the Wazuh service account but works under your administrator account, the problem is almost certainly related to permissions or environment variables rather than the Java installation itself.
This approach closely replicates the conditions under which CIS-CAT is launched and often reveals issues that are hidden during normal testing.
Review Wazuh Logs for Additional Errors
When Java path issues persist, the Wazuh logs often provide far more detail than the initial error message displayed in the dashboard.
Reviewing these logs can quickly identify configuration mistakes, missing files, or permission problems.
Wazuh Agent Logs
The Wazuh agent log should be your first stop when troubleshooting failed CIS-CAT assessments.
Typical locations include:
Linux:
Windows:
Look for messages such as:
- Failed to execute Java
- Java executable not found
- Unable to start CIS-CAT
- Permission denied
- No such file or directory
These messages often identify the exact file path that Wazuh attempted to execute, making it easier to locate configuration errors.
Related Guide: Fix Wazuh Logcollector Dropped Messages
CIS-CAT Execution Logs
Depending on your CIS-CAT version and configuration, the scanner may also generate its own log files.
These logs can reveal problems such as:
- Benchmark loading failures
- Java exceptions
- Invalid configuration files
- Missing benchmark content
- Unsupported Java versions
Comparing CIS-CAT logs with the Wazuh agent log helps determine whether the failure occurs before Java launches or after the scanner starts.
If no CIS-CAT log is generated at all, the issue is often related to Java execution rather than the assessment itself.
Operating System Logs
Operating system logs can expose issues that never appear in Wazuh.
Useful sources include:
Linux
journalctl/var/log/messages/var/log/syslog/var/log/audit/audit.log
For example:
Windows
- Windows Event Viewer
- Application Log
- System Log
- Security Log
These logs frequently reveal:
- Access denied errors
- Service startup failures
- Missing executable errors
- Security policy violations
- Application crashes
Reviewing OS logs alongside Wazuh logs provides a more complete picture of what occurred during the failed assessment.
Java Runtime Error Messages
If Java starts successfully but CIS-CAT still fails, review the Java runtime output.
Common runtime errors include:
Could not find or load main classUnsupportedClassVersionErrorNoClassDefFoundErrorClassNotFoundExceptionUnable to access jarfileOutOfMemoryError
These messages usually indicate:
- Incorrect Java versions
- Corrupted CIS-CAT files
- Missing libraries
- Invalid class paths
- Incomplete installations
Capturing the complete Java error output is often enough to pinpoint the underlying problem without further guesswork.
Test the CIS-CAT Assessment
After correcting any Java path or configuration issues, perform a complete end-to-end test to verify that the integration is functioning correctly.
This confirms not only that Java launches successfully, but also that Wazuh can collect and report the assessment results.
Run a Manual Assessment
Before relying on scheduled scans, execute CIS-CAT manually from the command line.
A successful manual run confirms that:
- Java is functioning correctly.
- CIS-CAT launches successfully.
- Benchmark files can be loaded.
- Results are generated without errors.
If the manual assessment fails, continue troubleshooting the Java installation or CIS-CAT configuration before returning to Wazuh.
Force a New Scan
Once manual execution succeeds, trigger a fresh assessment through your Wazuh deployment.
Depending on your configuration, you can:
- Restart the Wazuh agent.
- Trigger the assessment manually.
- Wait for the next scheduled compliance scan.
- Initiate the scan using your existing automation workflow.
After the scan begins, monitor the Wazuh agent log to ensure the assessment completes successfully without Java-related errors.
Related Guide: How to Test Wazuh Rules
Verify Assessment Results
When the scan finishes, verify that compliance data has been generated.
Confirm that:
- The assessment completed successfully.
- Benchmark checks were executed.
- Compliance scores were calculated.
- Failed recommendations appear as expected.
- No Java execution errors are reported.
If results are incomplete, compare the generated output with the agent and CIS-CAT logs to identify any remaining issues.
Confirm Dashboard Reporting
Finally, open the Wazuh Dashboard and verify that the assessment results have been indexed correctly.
Check that:
- The endpoint appears in compliance reports.
- CIS-CAT findings are searchable.
- Compliance scores are displayed.
- Failed benchmark recommendations are visible.
- No ingestion or indexing errors are present.
If the assessment completed successfully but results do not appear in the dashboard, the issue likely lies in data ingestion or indexing rather than the Java runtime itself.
Related Guides:
Prevent Future Java Path Issues
Once you have resolved a Wazuh CIS-CAT Java path not found error, the next step is preventing the same problem from occurring during future maintenance activities.
Java upgrades, operating system changes, and Wazuh updates can unintentionally break CIS-CAT integrations if runtime dependencies are not managed consistently.
Standardize Java Installations
Maintaining a consistent Java deployment strategy across endpoints reduces compatibility problems and makes troubleshooting easier.
Recommended practices include:
- Use the same supported Java version across all Wazuh agents.
- Deploy Java through centralized configuration management tools.
- Avoid installing multiple Java versions unless required.
- Maintain a documented standard Java installation directory.
For example, standardizing Linux systems around:
and Windows systems around:
makes it easier to configure CIS-CAT and troubleshoot failures.
A consistent Java environment also helps security teams identify unexpected configuration drift across monitored endpoints.
Use Absolute Java Paths
Relying only on the system PATH variable can introduce unexpected failures, especially in enterprise environments with multiple Java versions.
Whenever possible, configure CIS-CAT integrations to use the full Java executable path.
Example:
instead of:
Using an absolute path ensures that Wazuh launches the expected Java runtime regardless of:
- User environment differences
- Shell configuration changes
- Alternative Java installations
- Operating system upgrades
Document Environment Variables
Maintain documentation for all Java-related configuration values, including:
JAVA_HOME- Java installation directory
- Java version
- CIS-CAT installation location
- Wazuh integration settings
This documentation should include:
- Expected values
- Configuration file locations
- Deployment procedures
- Troubleshooting steps
Clear documentation reduces recovery time when administrators inherit existing Wazuh deployments or when systems are rebuilt.
Monitor Java Upgrades
Java upgrades are one of the most common causes of CIS-CAT failures.
A Java update can change:
- Installation paths
- Symbolic links
- Registry entries
- Default Java versions
- Environment variable values
Before upgrading Java across production endpoints:
- Identify the current Java version used by CIS-CAT.
- Verify the new version is supported.
- Update configuration paths if required.
- Test a CIS-CAT scan afterward.
Avoid assuming that a successful Java upgrade automatically preserves application compatibility.
Test After Wazuh Updates
Wazuh upgrades can modify:
- Agent behavior
- Integration components
- Configuration handling
- Compliance modules
After upgrading Wazuh components, verify that:
- CIS-CAT scans still execute.
- Java paths remain valid.
- Compliance results appear in the dashboard.
- No new agent errors appear.
Related Guide: How to Upgrade a Wazuh Agent
Automate Configuration Validation
Large environments benefit from automated validation checks.
Useful automated checks include:
- Confirm Java is installed.
- Validate the Java version.
- Check
JAVA_HOME. - Verify CIS-CAT files exist.
- Test Java execution under the Wazuh service account.
- Confirm recent compliance scan results.
Automation helps detect configuration drift before it causes failed assessments.
Configuration management platforms such as Ansible, Puppet, or Microsoft Group Policy can enforce consistent Java and CIS-CAT settings across large deployments.
Best Practices for Reliable Wazuh CIS-CAT Assessments
A reliable CIS-CAT deployment requires more than simply installing Java and configuring the scanner.
Following operational best practices helps maintain continuous compliance visibility and prevents unexpected assessment failures.
Install a Supported Java Version
Always use a Java version supported by your CIS-CAT release.
Avoid using:
- End-of-life Java versions
- Unverified third-party builds
- Unsupported experimental releases
A supported Java runtime improves compatibility, security, and long-term stability.
Keep CIS-CAT Updated
CIS-CAT updates often include:
- New benchmark support
- Updated compliance checks
- Bug fixes
- Improved reporting capabilities
Running outdated CIS-CAT versions may result in:
- Missing benchmark coverage
- Incorrect compliance results
- Compatibility problems with newer Java releases
Regularly review CIS-CAT releases and update according to your organization’s maintenance schedule.
Store CIS-CAT Files in Standard Locations
Avoid placing CIS-CAT files in temporary directories or administrator home folders.
Recommended storage locations should be:
- Predictable
- Accessible by the Wazuh agent
- Protected with appropriate permissions
- Documented
Consistent storage locations simplify automation and troubleshooting.
Verify Permissions Regularly
Permissions can change after:
- System migrations
- File restores
- Security policy updates
- Operating system upgrades
Regularly verify that the Wazuh agent can:
- Execute Java.
- Access CIS-CAT files.
- Read benchmark content.
- Write assessment results.
This is especially important on hardened systems using SELinux, AppArmor, or Windows application control policies.
Monitor Agent Logs
Wazuh agent logs provide early warning signs of CIS-CAT problems.
Monitor for:
- Java execution failures
- Permission errors
- Missing files
- Benchmark loading failures
- Scanner crashes
Proactive monitoring prevents small configuration issues from becoming long-term compliance gaps.
Related Guide: Why Is Wazuh Using High CPU? Troubleshooting Guide
Validate Compliance Scans Periodically
Do not assume that scheduled compliance scans are working indefinitely.
Regularly confirm:
- New scan results are appearing.
- Compliance scores are updating.
- Failed checks are being reported.
- Endpoints remain visible in dashboards.
Periodic validation ensures that compliance monitoring remains operational.
Test Changes in a Staging Environment
Before making large-scale changes to Java, CIS-CAT, or Wazuh:
- Test changes on non-production endpoints.
- Run CIS-CAT assessments.
- Confirm dashboard reporting.
- Deploy changes gradually.
A staging environment helps identify compatibility problems before they affect enterprise-wide compliance monitoring.
Frequently Asked Questions (FAQ)
Question: Why Does Wazuh Require Java for CIS-CAT Scans?
Wazuh requires Java because CIS-CAT is a Java-based compliance assessment application. The Wazuh agent launches CIS-CAT locally on endpoints, and the Java runtime provides the execution environment required for the scanner.
Without Java, CIS-CAT cannot start and no compliance assessment results are generated.
Question: Which Java Versions Are Supported by CIS-CAT?
Supported Java versions depend on the CIS-CAT release being used.
Before deploying or upgrading Java, check the CIS-CAT documentation for the supported runtime versions.
Avoid upgrading Java blindly because newer releases may not always be immediately compatible with existing CIS-CAT versions.
Question: How Do I Find the Correct Java Executable Path?
Use operating system commands to locate Java.
Linux:
Windows:
For the complete resolved path on Linux:
The result should point to the actual Java executable used by CIS-CAT.
Question: Can I Use OpenJDK Instead of Oracle Java?
Yes. Many Wazuh deployments successfully use OpenJDK implementations.
The important requirements are:
- The Java version is supported.
- The runtime can execute CIS-CAT.
- The Wazuh agent has permission to access it.
Always verify compatibility with your CIS-CAT version before deployment.
Question: Why Does Java Work in My Terminal but Not in Wazuh?
This happens because your interactive shell and the Wazuh service may use different environments.
Common causes include:
JAVA_HOME configured only in .bashrc- User-only PATH settings
- Service account permission restrictions
- Windows user variables instead of system variables
Test Java using the same account that runs the Wazuh agent.
Question: How Do I Set JAVA_HOME Permanently?
On Linux, configure JAVA_HOME in a system-wide environment file such as:
or:
On Windows, create a system environment variable through:
System Properties → Advanced → Environment Variables
After changing the variable, restart the Wazuh service.
Question: Can Multiple Java Installations Cause CIS-CAT Failures?
Yes.
Multiple Java versions can create conflicts when:
PATH points to one version.JAVA_HOME points to another.- CIS-CAT uses a third installation.
Standardizing Java versions across Wazuh agents helps prevent these issues.
Question: How Do I Manually Test a CIS-CAT Scan?
A manual test should confirm:
- Java executes successfully.
- CIS-CAT launches.
- Benchmark files load correctly.
- Results are generated.
Testing manually helps determine whether the problem exists in Java, CIS-CAT, or the Wazuh integration.
Question: Where Are CIS-CAT Logs Stored?
Log locations depend on the CIS-CAT version and deployment configuration.
Common locations include:
- CIS-CAT installation directory
- Temporary assessment directories
- Wazuh agent logs
The Wazuh agent log is usually the first place to check:
Linux:
Windows:
Question: How Do I Verify That Wazuh Successfully Completed a CIS-CAT Assessment?
Verify the assessment by checking:
- Wazuh agent logs for successful execution.
- CIS-CAT output files.
- Compliance dashboards.
- Generated benchmark results.
A successful scan should produce compliance findings that appear in the Wazuh Dashboard.
Related Guide: How to Fix Missing Statistics in Wazuh Dashboard
Conclusion
CIS-CAT provides Wazuh deployments with powerful compliance assessment capabilities, but the integration depends heavily on a properly configured Java runtime.
When Java cannot be located, CIS-CAT scans fail before compliance checks can even begin.
The most common causes of Wazuh CIS-CAT Java path not found errors include:
- Java not being installed.
- Incorrect
JAVA_HOME configuration. - Missing Java entries in the
PATH variable. - Incorrect Java executable paths.
- Multiple conflicting Java installations.
- Service account permission problems.
- Wazuh agents running without access to user environment variables.
Resolving these problems requires verifying the complete execution chain:
- Confirm Java installation.
- Validate environment variables.
- Check permissions.
- Verify CIS-CAT files.
- Review Wazuh and operating system logs.
- Test a complete assessment workflow.
To maintain reliable compliance scanning, regularly test CIS-CAT after Java upgrades, CIS-CAT updates, and Wazuh version changes.
A proactive validation process ensures that security teams continue receiving accurate compliance visibility across their monitored infrastructure.
Related Guides:
Be First to Comment