How to configure SCA
Upon installation, agents will include the policies appropriate for their particular operating system. For the full list of officially supported policy files, see the table Available SCA policies. These policies are included with the Wazuh Manager installation so that they can be easily enabled.
For a detailed description of the various configuration parameters of SCA, please check the sca.
Enabling and disabling policies
By default, the Wazuh Agent will run scans for every policy (.yaml or .yml files) present in its ruleset folder:
Linux agents: <agent-installation-folder>/ruleset/sca
Windows agents: <agent-installation-folder>\ruleset\sca
Warning
The contents of the aforementioned default ruleset folders are kept neither across installations nor across updates. If you wish to modify or add new policies, place them under an alternative folder.
To enable a policy file that's outside the default folder, add a line like
<policy>/some/custom/policy/folder/policy_file_to_enable.yml</policy>
to the policies section of the SCA module.
There are two ways to disable policies. The simplest is to rename the policy file by adding .disabled (or anything different from .yaml or .yml) after its YAML extension. The second is to disable it from ossec.conf by adding a line such as
<policy enabled="no">/var/ossec/etc/shared/policy_file_to_disable.yml</policy>
to the policies section of the SCA module.
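The rules above can be turned into a small audit that reports which policy files an agent will actually scan and which are skipped, so a policy silenced by a rename or by enabled="no" does not go unnoticed. This is an added example, not Wazuh code: the function name, the sample file names and the /var/ossec installation folder are assumptions, and it assumes an enabled="no" entry matches a policy by its exact path.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

POLICY_EXTS = {".yaml", ".yml"}  # extensions the page says are scanned

# Constructed sample data (not taken from a real agent).
DEFAULT_DIR = "/var/ossec/ruleset/sca"  # assumes the agent is installed in /var/ossec
DEFAULT_DIR_FILES = [
    "example_cis_policy.yml",
    "example_audit.yml.disabled",  # disabled by renaming
    "example_web.yaml",
]
OSSEC_CONF = """
<ossec_config>
  <sca>
    <policies>
      <policy>/some/custom/policy/folder/policy_file_to_enable.yml</policy>
      <policy enabled="no">/var/ossec/etc/shared/policy_file_to_disable.yml</policy>
    </policies>
  </sca>
</ossec_config>
"""

def effective_policies(default_dir, dir_files, ossec_conf_xml):
    """Return (sorted enabled paths, {skipped path: reason})."""
    enabled, skipped = set(), {}
    # Rule 1: every .yaml/.yml file in the default folder is scanned.
    for name in dir_files:
        path = str(PurePosixPath(default_dir) / name)
        if PurePosixPath(name).suffix in POLICY_EXTS:
            enabled.add(path)
        else:
            skipped[path] = "extension is not .yaml/.yml"
    # Rule 2: <policy> entries enable extra files or disable listed ones.
    root = ET.fromstring(ossec_conf_xml)
    for node in root.findall("./sca/policies/policy"):
        path = (node.text or "").strip()
        if node.get("enabled", "yes") == "no":
            enabled.discard(path)  # assumption: exact path match
            skipped[path] = 'enabled="no" in ossec.conf'
        else:
            enabled.add(path)
            skipped.pop(path, None)
    return sorted(enabled), skipped

if __name__ == "__main__":
    on, off = effective_policies(DEFAULT_DIR, DEFAULT_DIR_FILES, OSSEC_CONF)
    print("will be scanned:", *on, sep="\n  ")
    for path, reason in sorted(off.items()):
        print(f"skipped: {path} ({reason})")
```

Running it on a schedule and comparing the skipped list against the previous run shows when a policy has stopped being evaluated.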