sca

New in version 3.9.0.

This section covers the configuration for the Security Configuration Assessment module.

XML section name

<sca>
</sca>

Settings to run Security Configuration Assessment scans.

Main options

Main options

Allowed values

enabled

yes, no

skip_nfs

yes, no

policies

N/A

Scheduling options

Scheduling options

Allowed values

scan_on_start

yes, no

interval

A positive number + suffix

day

A day of the month

wday

A day of the week

time

A time of the day [hh:mm]

Interval suffixes

Time scale

s

seconds

m

minutes

d

days

w

weeks

M

months

Some examples of usage of these options are included in the SCA documentation.

Main options

enabled

Enables the module.

Default value

yes

Allowed values

yes, no

skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value

yes

Allowed values

yes, no

policies

Between <policy> tags, in this section it can be included policy files to run assessments.

Default value

n/a

Allowed values

Any YAML policy file

Attributes

enabled

Offers the possibility to disable a policy when it has been enabled previously.

Note

Since Wazuh v3.10.2, although this section is missing, the Wazuh Agent will run scans for every policy (.yaml or .yml files) present in their ruleset folder.

Example

<policies>
  <policy>cis_debian9_L1.yml</policy>
  <policy>sca_unix_audit.yml</policy>
  <policy enabled="no">cis_debian9_L2.yml/policy>
</policies>

Scheduling options

scan_on_start

The SCA module will perform the scan immediately when started.

Default value

yes

Allowed values

yes, no

interval

Interval between module executions.

Default value

12h

Allowed values

A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is conditioned by the following described options day, wday and time. If none of these options are set, the interval can take any allowed value.

day

Day of the month to run the scan.

Default value

n/a

Allowed values

Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value

n/a

Allowed values

Day of the week:
  • sunday/sun

  • monday/mon

  • tuesday/tue

  • wednesday/wed

  • thursday/thu

  • friday/fri

  • saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value

n/a

Allowed values

Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days. By default, the interval is set to a day.

Configuration example

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <time>04:00</time>
  <skip_nfs>yes</skip_nfs>

  <policies>
    <policy>cis_debian9_L1.yml</policy>
    <policy>sca_unix_audit.yml</policy>
    <policy enabled="no">cis_debian9_L2.yml/policy>
    <policy>/my/custom/policy/path/my_policy.yaml</policy>
  </policies>
</sca>