This is the documentation for Wazuh 3.10. Check out the docs for the latest version of Wazuh!

sca

New in version 3.9.0.

This section covers the configuration for the Security Configuration Assessment module.

XML section name

<sca>
</sca>

Settings to run Security Configuration Assessment scans.

Main options

Main options    Allowed values
enabled         yes, no
skip_nfs        yes, no
policies        N/A

Scheduling options

Scheduling options    Allowed values
scan_on_start         yes, no
interval              A positive number + suffix
day                   A day of the month
wday                  A day of the week
time                  A time of the day [hh:mm]

Interval suffixes    Time scale
s                    seconds
m                    minutes
h                    hours
d                    days
w                    weeks
M                    months

Some examples of usage of these options are included in the SCA documentation.

Main options

enabled

Enables the module.

Default value yes
Allowed values yes, no

skip_nfs

Enables or disables the scanning of network mounted filesystems (works on Linux and FreeBSD). Currently, skip_nfs excludes files on CIFS or NFS mounts from the checks.

Default value yes
Allowed values yes, no

policies

This section lists the policy files to run assessments with, each one between <policy> tags.

Default value n/a
Allowed values Any YAML policy file

Attributes

enabled    Makes it possible to disable a policy that was previously enabled.

Note

Since Wazuh v3.10.2, even if this section is missing, the Wazuh agent runs scans for every policy (.yaml or .yml file) present in its ruleset folder.

Example

<policies>
  <policy>cis_debian9_L1.yml</policy>
  <policy>sca_unix_audit.yml</policy>
  <policy enabled="no">cis_debian9_L2.yml</policy>
</policies>

Scheduling options

scan_on_start

The SCA module will perform the scan immediately when started.

Default value yes
Allowed values yes, no

interval

Interval between module executions.

Default value 12h
Allowed values A positive number followed by a suffix character indicating the time unit: s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is constrained by the day, wday and time options described below. If none of these options are set, the interval can take any allowed value.

day

Day of the month to run the scan.

Default value n/a
Allowed values Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value n/a
Allowed values
Day of the week:
  • sunday/sun
  • monday/mon
  • tuesday/tue
  • wednesday/wed
  • thursday/thu
  • friday/fri
  • saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value n/a
Allowed values Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days. By default, the interval is set to a day.

Configuration example

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <time>04:00</time>
  <skip_nfs>yes</skip_nfs>

  <policies>
    <policy>cis_debian9_L1.yml</policy>
    <policy>sca_unix_audit.yml</policy>
    <policy enabled="no">cis_debian9_L2.yml</policy>
    <policy>/my/custom/policy/path/my_policy.yaml</policy>
  </policies>
</sca>
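The scheduling rules above (the interval suffixes, the incompatibility of day and wday, and the month/week/day multiples the interval must keep) can be checked before deploying a configuration. The following Python checker is an added example, not part of the Wazuh documentation or code base; the SECONDS table, treating M as an unfixed length, and the SAMPLE block are its own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Interval suffixes from the docs, in seconds (M, months, has no fixed length).
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
WDAYS = {"sunday", "sun", "monday", "mon", "tuesday", "tue", "wednesday", "wed",
         "thursday", "thu", "friday", "fri", "saturday", "sat"}
INTERVAL_RE = re.compile(r"^([1-9]\d*)([smhdwM])$")
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def check_sca_schedule(xml_text):
    """Return (effective_interval, problems) for one <sca> block; a missing
    <interval> takes the documented default (1M with day, 1w with wday,
    1d with time only, otherwise 12h)."""
    root = ET.fromstring(xml_text)
    if root.tag != "sca":
        return None, ["root element must be <sca>"]
    opt = {t: (root.findtext(t) or "").strip() or None
           for t in ("interval", "day", "wday", "time")}
    day, wday, time_ = opt["day"], opt["wday"], opt["time"]
    problems = []
    if day and wday:
        problems.append("day and wday are not compatible")
    if day and not (day.isdigit() and 1 <= int(day) <= 31):
        problems.append(f"day must be in [1..31], got {day!r}")
    if wday and wday.lower() not in WDAYS:
        problems.append(f"unknown wday {wday!r}")
    if time_ and not TIME_RE.match(time_):
        problems.append(f"time must be hh:mm, got {time_!r}")
    # Granularity the interval must keep: months with day, weeks with wday,
    # days with time alone; any allowed value otherwise.
    needed, default = (("M", "1M") if day else ("w", "1w") if wday
                       else ("d", "1d") if time_ else (None, "12h"))
    interval = opt["interval"] or default
    m = INTERVAL_RE.match(interval)
    if not m:
        problems.append(f"invalid interval {interval!r}")
        return interval, problems
    count, unit = int(m.group(1)), m.group(2)
    if needed == "M" and unit != "M":
        problems.append(f"interval {interval} must be a multiple of months")
    elif needed in ("w", "d") and (unit == "M"
                                   or count * SECONDS[unit] % SECONDS[needed]):
        problems.append(f"interval {interval} must be a multiple of "
                        + ("weeks" if needed == "w" else "days"))
    return interval, problems


# Constructed sample (not from the docs): a scan every two weeks, Sunday at 04:00.
SAMPLE = "<sca><wday>sunday</wday><time>04:00</time><interval>2w</interval></sca>"
```

`check_sca_schedule(SAMPLE)` returns `("2w", [])`; replacing the interval with `36h` or combining `<day>` with `<wday>` produces a non-empty problem list.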