Fixing Wazuh CIS-CAT Assessments: Troubleshooting Missing Java Paths

Modern security teams rely on Wazuh to continuously evaluate system configurations against recognized security standards, helping identify insecure settings before they become exploitable.

One of the most popular frameworks for this purpose is the Center for Internet Security (CIS) Benchmarks, which can be assessed using the CIS-CAT tool integrated with Wazuh.

The Wazuh CIS-CAT integration enables administrators to automate compliance assessments across Windows, Linux, and other supported operating systems.

Instead of manually auditing hundreds of security settings, Wazuh can execute CIS-CAT scans on managed endpoints and import the results into the Wazuh Dashboard for centralized visibility.

However, one of the most common problems administrators encounter is the “Java path not found” error.

Because CIS-CAT is a Java application, it cannot run unless the Wazuh agent can locate a valid Java Runtime Environment (JRE) or Java Development Kit (JDK).

If Java is missing, incorrectly installed, or unavailable through the configured system path, CIS-CAT assessments fail before they even begin.

Fortunately, this issue is usually straightforward to diagnose once you understand how the integration works and where Wazuh expects Java to be installed.

In this guide, you’ll learn:

  • How the Wazuh CIS-CAT integration works
  • Why Java is required for compliance scans
  • The most common causes of “Java path not found” errors
  • Step-by-step methods to diagnose and fix Java path issues
  • Best practices for preventing future CIS-CAT execution failures

Related Guides:


Understanding the Wazuh CIS-CAT Integration

 

What Is CIS-CAT?

CIS-CAT (Center for Internet Security Configuration Assessment Tool) is an automated compliance assessment utility developed by the Center for Internet Security (CIS).

It evaluates operating systems and applications against the official CIS Benchmarks, which define secure configuration recommendations for a wide variety of platforms.

Rather than manually reviewing hundreds of registry values, file permissions, security policies, and operating system settings, CIS-CAT performs these checks automatically and generates a detailed compliance report.

Wazuh integrates with CIS-CAT by allowing managed agents to execute local assessments and forward the results back to the Wazuh Manager, where they become searchable, reportable, and visible within the dashboard.

What Are CIS Benchmarks?

CIS Benchmarks are consensus-based security configuration standards developed by cybersecurity experts from government agencies, academia, vendors, and industry practitioners.

They provide detailed hardening guidance for technologies such as:

  • Windows Server
  • Windows Desktop
  • Ubuntu
  • Red Hat Enterprise Linux
  • Debian
  • Oracle Linux
  • macOS
  • Kubernetes
  • Docker
  • VMware
  • Microsoft SQL Server
  • Apache Web Server
  • NGINX
  • Oracle Database
  • Amazon Web Services (AWS)
  • Microsoft Azure

Each benchmark contains hundreds of recommendations designed to reduce attack surfaces by disabling unnecessary services, enforcing strong authentication, configuring logging, securing network protocols, and applying security best practices.

The CIS Benchmarks are widely recognized throughout the cybersecurity industry and are frequently referenced by compliance frameworks such as NIST, PCI DSS, HIPAA, and ISO 27001.

CIS-CAT Lite vs. CIS-CAT Pro

There are two primary editions of CIS-CAT.

FeatureCIS-CAT LiteCIS-CAT Pro
Free to use
Basic benchmark assessments
Advanced reportingLimited
Enterprise automationLimited
Additional benchmark coverageLimited
Compliance dashboardsLimited
Commercial support

Most Wazuh deployments use CIS-CAT Lite, which is sufficient for performing automated benchmark assessments and importing results into Wazuh.

Organizations requiring enterprise-scale compliance reporting often deploy CIS-CAT Pro, particularly when integrating with larger governance, risk, and compliance (GRC) programs.

Compliance Assessment Capabilities

When integrated correctly, Wazuh and CIS-CAT provide continuous compliance monitoring across your infrastructure.

Typical assessments include:

  • Password policy verification
  • Account lockout configuration
  • Audit policy validation
  • Firewall configuration checks
  • Secure service configuration
  • Registry security settings
  • File permission auditing
  • SSH hardening validation
  • Kernel security parameters
  • Package configuration analysis

The results are centralized inside Wazuh, allowing analysts to:

  • Identify failed benchmark recommendations
  • Track compliance trends over time
  • Prioritize remediation efforts
  • Generate compliance reports
  • Correlate compliance failures with security events

This combination transforms Wazuh from a traditional SIEM into a broader security monitoring and compliance platform.

Related Guides: How to Monitor Kubernetes Using Wazuh


How Wazuh Executes CIS-CAT Scans

 

The Wazuh Agent Launches CIS-CAT Locally

Unlike many centralized vulnerability scanners, Wazuh executes CIS-CAT directly on the endpoint through the installed Wazuh agent.

When a scheduled Security Configuration Assessment (SCA) or CIS-CAT scan begins, the agent starts the CIS-CAT executable locally.

Running the assessment on the endpoint gives CIS-CAT direct access to system files, registry settings, security policies, installed packages, and other configuration data needed for evaluation.

Because the assessment runs locally, every monitored endpoint must satisfy the CIS-CAT runtime requirements independently.

Java Runtime Environment Dependency

One of those runtime requirements is Java.

CIS-CAT is packaged as a Java application and requires a supported Java Runtime Environment (JRE) or Java Development Kit (JDK).

Before the assessment begins, the Wazuh agent attempts to launch the Java executable specified by the CIS-CAT integration configuration.

If Java cannot be found, Wazuh commonly reports errors such as:

  • Java path not found
  • java executable not found
  • Unable to execute java
  • Failed to launch CIS-CAT
  • Cannot find Java Runtime Environment

These failures occur before the compliance assessment starts, meaning no benchmark checks are executed and no results are returned to the Wazuh Manager.

Oracle recommends using supported Java versions and maintaining the runtime with current security updates to ensure compatibility and reduce exposure to known vulnerabilities.

Typical CIS-CAT Scan Workflow

A successful CIS-CAT assessment generally follows this sequence:

  1. Wazuh Manager schedules the compliance assessment.
  2. The Wazuh agent receives the scan request.
  3. The agent locates the configured Java executable.
  4. Java launches the CIS-CAT application.
  5. CIS-CAT loads the selected benchmark profile.
  6. The endpoint is evaluated against benchmark rules.
  7. CIS-CAT generates assessment results.
  8. The Wazuh agent parses the output.
  9. Results are forwarded to the Wazuh Manager.
  10. Findings become searchable in the Wazuh Dashboard.

If the Java executable cannot be located during step three, the workflow terminates immediately.

Result Collection and Reporting

After a successful assessment, Wazuh imports the CIS-CAT results into its indexing pipeline, making them available for dashboards, alerts, searches, and long-term reporting.

Security teams can use these results to:

  • View overall compliance scores
  • Identify failed benchmark rules
  • Track remediation progress
  • Detect configuration drift
  • Generate audit evidence for compliance initiatives

If Java path errors prevent CIS-CAT from launching, none of these results are collected.

This often leads administrators to believe the integration itself is broken when the root cause is simply an inaccessible Java executable.

Related Guides:


Common Causes of Java Path Errors

Several different configuration problems can prevent Wazuh from launching CIS-CAT successfully.

While the error message often simply states “Java path not found”, the underlying cause can vary depending on the operating system, Java installation, and how the Wazuh agent is configured.

Understanding the most common causes makes troubleshooting significantly faster.

Java Is Not Installed

The most straightforward cause is that Java is not installed on the endpoint.

Since CIS-CAT is a Java application, the Wazuh agent must be able to launch a Java Runtime Environment (JRE) or Java Development Kit (JDK).

If neither is installed, the scan fails immediately because there is no executable available.

Typical symptoms include:

  • java: command not found
  • Unable to locate Java
  • Java executable not found
  • CIS-CAT exits immediately without producing results

On Linux systems, this can often happen after provisioning a minimal server image that omits Java packages.

JAVA_HOME Is Not Configured

Many Java applications, including CIS-CAT deployments, rely on the JAVA_HOME environment variable to locate the Java installation.

If JAVA_HOME points to a non-existent directory or has never been configured, the Wazuh agent may be unable to determine which Java runtime to use.

Examples include:

  • Java upgraded but JAVA_HOME still references the old version.
  • Java removed without updating environment variables.
  • Typographical errors in the configured path.
  • JAVA_HOME points to the bin directory instead of the Java installation root.

Always ensure that JAVA_HOME references the root directory of the installed JDK or JRE rather than the java executable itself.

PATH Environment Variable Is Missing Java

Even if Java is correctly installed, the executable must be discoverable through the system’s PATH environment variable unless Wazuh is configured with an absolute Java path.

For example:

/usr/bin/java

or

C:\Program Files\Java\jdk-21\bin

If the directory containing java is absent from PATH, commands executed by the Wazuh agent cannot locate the runtime automatically.

This is especially common after manual Java installations where environment variables were never updated.

Incorrect Java Binary Location

Administrators sometimes configure the wrong executable path inside the CIS-CAT integration.

Examples include:

  • Incorrect directory names
  • Typographical errors
  • Referencing deleted installations
  • Using symbolic links that no longer exist
  • Pointing to a directory instead of the executable

Always verify the configured Java binary against the actual installed location.

Multiple Java Versions Installed

Many enterprise systems have multiple Java versions installed simultaneously.

For example:

  • Java 8
  • Java 11
  • Java 17
  • Java 21

While this is perfectly valid, problems arise when:

  • JAVA_HOME references one version
  • PATH references another
  • Wazuh attempts to launch a third version

This inconsistency often produces unexpected compatibility problems or causes CIS-CAT to fail entirely.

Whenever possible, standardize on a single supported Java version for CIS-CAT assessments.

Unsupported Java Version

Not every Java release is compatible with every CIS-CAT version.

Very old Java releases may lack required runtime features, while cutting-edge versions may introduce compatibility changes before CIS-CAT officially supports them.

Before upgrading Java across your environment, verify the supported runtime versions in the CIS-CAT documentation.

Permission Problems

Java may exist on the system but still be inaccessible to the Wazuh agent.

Common permission issues include:

  • Missing execute permissions
  • Restricted installation directories
  • SELinux policies
  • AppArmor restrictions
  • File ownership problems
  • Endpoint security software blocking execution

If the Wazuh service account cannot execute the Java binary, CIS-CAT will fail despite Java being correctly installed.

Service Cannot Access User Environment Variables

This is one of the most overlooked causes.

Administrators often verify Java by opening a terminal as their own user account and running:

java -version

The command succeeds, yet Wazuh still reports that Java cannot be found.

The reason is that system services frequently run under dedicated service accounts that do not inherit the logged-in user’s environment variables.

For example:

  • JAVA_HOME configured only in .bashrc
  • PATH modified only for interactive shells
  • Windows environment variables configured for the current user rather than the system

As a result, Java works interactively but fails when launched by the Wazuh agent service.


Verify Java Installation

Before changing Wazuh or CIS-CAT configuration files, verify that Java is installed correctly and accessible from the operating system.

These simple checks often identify the root cause within minutes.

Check the Java Version

The quickest verification is to display the installed Java version.

Linux:

java -version

Windows Command Prompt:

java -version

A successful installation returns output similar to:

openjdk version "21.0.2"

or

java version "17.0.12"

If you instead receive:

java: command not found

or

'java' is not recognized as an internal or external command

Java is either missing or unavailable through the system PATH.

Locate the Java Executable

Next, determine exactly where Java is installed.

Linux:

which java

or

readlink -f $(which java)

Windows:

where java

The returned path should point to the executable that Wazuh will launch.

Typical examples include:

/usr/bin/java
/usr/lib/jvm/java-21-openjdk/bin/java
C:\Program Files\Java\jdk-21\bin\java.exe

Confirm JAVA_HOME

Verify that the JAVA_HOME environment variable references the correct installation.

Linux:

echo $JAVA_HOME

Windows:

echo %JAVA_HOME%

The output should point to the Java installation directory rather than the executable itself.

Example:

/usr/lib/jvm/java-21-openjdk

or

C:\Program Files\Java\jdk-21

If no value is returned, JAVA_HOME has not been configured.

Verify PATH Configuration

Next, inspect the system PATH variable.

Linux:

echo $PATH

Windows:

echo %PATH%

Ensure that the Java bin directory appears somewhere within the output.

For example:

/usr/lib/jvm/java-21-openjdk/bin

or

C:\Program Files\Java\jdk-21\bin

If it is missing, Java may function only when referenced with its full path.

Test Java Execution Manually

Finally, execute Java directly using its absolute path.

Linux:

/usr/bin/java -version

or

/usr/lib/jvm/java-21-openjdk/bin/java -version

Windows:

"C:\Program Files\Java\jdk-21\bin\java.exe" -version

If these commands execute successfully, the Java installation itself is healthy.

Any remaining issues are likely related to environment variables, permissions, or Wazuh’s CIS-CAT configuration rather than Java itself.


Install Java if It Is Missing

If Java is not installed, or the existing installation is corrupted, the solution is to install a supported Java Runtime Environment (JRE) or Java Development Kit (JDK).

Most administrators choose the latest Long-Term Support (LTS) release to maximize compatibility and receive ongoing security updates.

After installation, always verify that the Java executable is available to the Wazuh agent before rerunning CIS-CAT assessments.

Installing Java on Ubuntu/Debian

Update the package repository:

sudo apt update

Install OpenJDK:

sudo apt install default-jdk

Alternatively, install a specific version such as OpenJDK 21:

sudo apt install openjdk-21-jdk

After installation, confirm that Java is available:

java -version

Installing Java on RHEL/CentOS/Rocky Linux

Install OpenJDK using your package manager.

RHEL 9 / Rocky Linux:

sudo dnf install java-21-openjdk

Older CentOS releases:

sudo yum install java-11-openjdk

Verify the installation:

java -version

Installing Java on Windows

Download and install a supported JDK or JRE from a trusted vendor such as Oracle or Eclipse Adoptium.

During installation:

  • Install for all users if possible.
  • Configure system-wide environment variables.
  • Add Java to the system PATH.
  • Restart any open command prompts after installation.

After installation, verify from Command Prompt:

java -version

Verifying the Installation

Once Java has been installed, perform one final verification before testing CIS-CAT.

Confirm:

  • java -version executes successfully.
  • JAVA_HOME points to the correct installation directory.
  • The Java bin directory is included in the system PATH.
  • The Wazuh service account can execute the Java binary.
  • The Java version is supported by your CIS-CAT release.

Completing these checks before rerunning the assessment can save significant troubleshooting time and helps ensure that the Wazuh agent can successfully launch CIS-CAT.

Related Guides:


Configure Java for Wazuh CIS-CAT

After confirming that Java is installed, the next step is ensuring that the Wazuh agent can actually locate and execute it.

In many cases, Java is present on the system, but incorrect environment variables or service configurations prevent CIS-CAT from launching.

Set JAVA_HOME

The JAVA_HOME environment variable tells applications where the Java installation is located.

Although some applications can rely solely on the system PATH, configuring JAVA_HOME improves consistency and reduces compatibility issues.

On Linux, you can temporarily set the variable using:

export JAVA_HOME=/usr/lib/jvm/java-21-openjdk

To make the change persistent, add it to a system-wide configuration file such as:

  • /etc/environment
  • /etc/profile
  • /etc/profile.d/java.sh

On Windows:

  1. Open System Properties.
  2. Select AdvancedEnvironment Variables.
  3. Create or edit the JAVA_HOME system variable.
  4. Set its value to the Java installation directory (not the bin folder).

For example:

C:\Program Files\Java\jdk-21

Avoid pointing JAVA_HOME directly to java.exe, as many Java-based applications expect the variable to reference the installation root.

Update the PATH Variable

Once JAVA_HOME is configured, ensure that the Java executable directory is included in the system PATH.

On Linux:

export PATH=$JAVA_HOME/bin:$PATH

On Windows, add:

%JAVA_HOME%\bin

to the system PATH variable.

After updating the PATH, open a new terminal or Command Prompt and verify:

java -version

If Java launches successfully without specifying the full path, the environment is configured correctly.

Configure Environment Variables for Services

One of the most common reasons CIS-CAT fails despite a successful interactive test is that the Wazuh agent runs as a background service.

Background services frequently use a different execution environment than interactive user sessions.

Examples include:

  • JAVA_HOME defined only in .bashrc
  • PATH modified only for the logged-in user
  • Windows environment variables configured under the current user instead of the Local System account
  • Systemd services that do not inherit shell environment variables

On Linux systems using systemd, you may need to define environment variables directly within the Wazuh service configuration or create an override file.

For example:

[Service]
Environment="JAVA_HOME=/usr/lib/jvm/java-21-openjdk"
Environment="PATH=/usr/lib/jvm/java-21-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"

Reload systemd after making changes:

sudo systemctl daemon-reload

This ensures that the Wazuh agent starts with the correct Java environment.

Restart the Wazuh Agent

After updating environment variables, restart the Wazuh agent so it loads the new configuration.

Linux:

sudo systemctl restart wazuh-agent

Verify the service status:

sudo systemctl status wazuh-agent

Windows (PowerShell):

Restart-Service Wazuh

Alternatively, restart the service from the Services management console.

Restarting is essential because existing processes continue using their original environment until they are restarted.

Related Guide: How to Unmask and Restart a Blocked Wazuh-Agent Service on Linux

Verify Configuration Changes

Before rerunning a CIS-CAT assessment, verify that the Wazuh agent can access Java successfully.

Check the following:

  • java -version executes without errors.
  • JAVA_HOME points to the correct installation.
  • The Java bin directory is included in the system PATH.
  • The Wazuh agent service has been restarted.
  • The Java executable referenced by CIS-CAT actually exists.

If all checks succeed, rerun the CIS-CAT scan and review the Wazuh agent logs for any remaining execution errors.

Related Guides: Troubleshooting wazuh-logtest: Why Alerts Are Missing from JSON Output


Check the CIS-CAT Configuration

Even with Java configured correctly, CIS-CAT assessments can still fail if the integration itself is incomplete or improperly configured.

Verifying the CIS-CAT installation helps eliminate another common source of execution failures.

Review the CIS-CAT Directory

Begin by confirming that the CIS-CAT files are installed in the expected directory.

Depending on your operating system and deployment method, the directory should contain:

  • CIS-CAT executable files
  • Benchmark content
  • Configuration files
  • Supporting libraries
  • Documentation

If the directory is incomplete or accidentally deleted, the Wazuh agent will be unable to launch the scanner regardless of the Java configuration.

Verify Scanner Files

Inspect the CIS-CAT installation for required files.

Typical components include:

  • CIS-CAT launcher
  • Java archive (.jar) files
  • Benchmark XML files
  • Configuration files
  • Supporting libraries

Missing or corrupted files often produce startup errors that resemble Java failures, making it important to verify the integrity of the installation before focusing solely on the runtime.

If necessary, reinstall or replace the CIS-CAT package from an official source.

Validate the CIS-CAT Configuration

Review the Wazuh CIS-CAT integration configuration carefully.

Verify that:

  • The scanner path is correct.
  • The Java executable path is valid.
  • File permissions allow execution.
  • Benchmark locations match the installed directory.
  • Configuration files contain no typographical errors.

Small mistakes such as an extra space, incorrect capitalization, or outdated installation path are surprisingly common causes of failed assessments.

When modifying configuration files, validate your syntax before restarting the agent.

Related Guide: How to Fix ossec.conf Syntax Errors in Wazuh Agents

Confirm Benchmark Availability

CIS-CAT requires benchmark content in order to perform assessments.

Verify that:

  • The required benchmark files are present.
  • The benchmark version matches the CIS-CAT release.
  • The selected operating system is supported.
  • Benchmark files are readable by the Wazuh agent.

If benchmark content is missing, the scanner may start successfully but terminate before performing any compliance checks.


Troubleshoot Platform-Specific Java Issues

Some Java path problems are unique to a particular operating system.

Understanding these platform-specific behaviors can significantly reduce troubleshooting time.

Linux-Specific Problems

Linux environments often experience Java execution issues because of differences between interactive shells and background services.

Common Linux-specific causes include:

  • Missing system-wide environment variables
  • Incorrect symbolic links
  • Permission restrictions
  • SELinux or AppArmor policies
  • Multiple Java installations managed by alternatives

Because Linux distributions vary considerably, always verify configuration using the same service account that runs the Wazuh agent.

Shell Profile Differences

Administrators frequently configure Java inside personal shell profiles such as:

  • .bashrc
  • .bash_profile
  • .profile
  • .zshrc

These files are loaded only during interactive login sessions.

System services, including the Wazuh agent, typically do not read these profiles.

As a result:

  • Java works when you log in.
  • CIS-CAT fails when launched by Wazuh.

Whenever possible, configure Java using system-wide environment files instead of user-specific shell profiles.

Service Environment Variables

On modern Linux systems, Wazuh usually runs as a systemd service.

You can inspect the service environment using:

systemctl show wazuh-agent --property=Environment

If the output does not contain the expected Java variables, create a systemd override or update the service configuration before restarting the agent.

This ensures that Java is available regardless of which administrator is logged into the system.

Symbolic Link Issues

Many Linux distributions use symbolic links for Java.

For example:

/usr/bin/java

may point to:

/usr/lib/jvm/java-21-openjdk/bin/java

If the underlying Java installation is removed or upgraded improperly, the symbolic link may become invalid.

Verify the active link:

readlink -f $(which java)

If the link is broken, recreate it or update the system’s Java alternatives configuration.

Windows-Specific Problems

Windows systems introduce a different set of Java path issues.

Common examples include:

  • Incorrect registry entries
  • User-only environment variables
  • Service account restrictions
  • Architecture mismatches
  • Legacy Java installations

Many of these problems occur after upgrading Java without removing older versions.

Registry Configuration

Some Java installers record installation paths in the Windows Registry.

If registry entries reference removed or outdated installations, applications that rely on them may fail to locate Java.

This is particularly common after:

  • Manual uninstallations
  • Side-by-side Java upgrades
  • Incomplete installer rollbacks

Keeping only actively supported Java installations helps minimize registry inconsistencies.

Environment Variables

On Windows, ensure that both JAVA_HOME and PATH are configured as System variables, not merely User variables.

The Wazuh service generally runs under the Local System account, which cannot access environment variables defined exclusively for an individual user.

Always verify configuration from an elevated Command Prompt after making changes.

Service Account Permissions

The Wazuh service account must have permission to:

  • Read the Java installation directory.
  • Execute java.exe.
  • Access the CIS-CAT installation.
  • Read benchmark files.

Restrictive NTFS permissions, endpoint protection software, or application control policies can prevent Java from launching even when the installation itself is valid.

32-bit vs. 64-bit Java

Finally, confirm that the Java architecture matches your deployment requirements.

Problems can occur when:

  • 32-bit Java is installed on a 64-bit system.
  • Multiple architectures are installed simultaneously.
  • Wazuh references the wrong executable.
  • Legacy software installs an outdated 32-bit runtime earlier in the PATH.

Using a supported 64-bit Java installation for modern Wazuh deployments simplifies maintenance and avoids many compatibility issues.


Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *