How to configure SCA

Upon installation, agents include the policies appropriate for their particular operating system. For the full list of officially supported policy files, see the table Available SCA policies. These policies are also included with the Wazuh manager installation so that they can be easily enabled.

For a detailed description of the various configuration parameters of SCA, please check the sca.

Enabling and disabling policies

By default, the Wazuh agent runs scans for every policy (.yaml or .yml file) present in its ruleset folder:

  • Linux agents: <agent-installation-folder>/ruleset/sca.

  • Windows agents: <agent-installation-folder>\ruleset\sca.

Warning

The contents of the default ruleset folders listed above are preserved neither across reinstallations nor across updates. If you wish to modify policies or add new ones, place them under an alternative folder.

To enable a policy file that’s outside the default folder, add a line like

<policy>/some/custom/policy/folder/policy_file_to_enable.yml</policy>

to the policies section of the SCA module.

There are two ways to disable a policy. The simplest is to rename the policy file, appending .disabled (or anything other than .yaml or .yml) after its YAML extension, since the agent only scans .yaml and .yml files. The second is to disable it from ossec.conf by adding a line such as

<policy enabled="no">/var/ossec/etc/shared/policy_file_to_disable.yml</policy>

to the policies section of the SCA module.

How to share policy files and configuration with agents

As described in the centralized configuration section, the Wazuh manager has the ability to push files and configurations to connected agents.

This feature can be used to push policy files to the agents of a given group. By default, every agent belongs to the default group, so this group is used as an example below.

To push a new policy from the manager, place it in the directory /var/ossec/etc/shared/default, owned by the ossec user.

The same strategy applies to pushing configuration. For instance, to enable that policy on the agents of the group, add a block like the following to /var/ossec/etc/shared/default/agent.conf, as in the example below. Note that the path inside the block is the one where the agent stores received shared files (no group subfolder), not the manager-side path.

Enabling a policy from the ossec.conf
<agent_config>
    <!-- Shared agent configuration here -->
    <sca>
        <policies>
            <policy>/var/ossec/etc/shared/your_policy_file.yml</policy>
        </policies>
    </sca>
</agent_config>

This <sca> block will be merged with the <sca> block on the agent side and the new configuration will be added.
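The following script carries the procedure above through end to end: it copies a policy into the group's shared folder, sets the ownership, and appends the <sca> block to the group's agent.conf only if that policy is not already listed. It is an added example written for this page, not a tool shipped with Wazuh, and it assumes the default manager paths (/var/ossec/etc/shared/<group>), the ossec owner and Linux agents that store shared files under /var/ossec/etc/shared; the function name deploy_sca_policy and the optional directory/owner arguments (useful for trying it outside a manager) are this example's own.

```shell
#!/bin/sh
# Added example (not part of Wazuh): publish a custom SCA policy to the agents of one
# group through the manager's shared folder. Defaults follow the page: the "default"
# group under /var/ossec/etc/shared and files owned by the ossec user.

deploy_sca_policy() {
    policy_src="$1"                                   # local path of the .yml policy
    shared_dir="${2:-/var/ossec/etc/shared/default}"  # manager side: group folder
    owner="${3:-ossec}"                               # user that must own shared files
    name=$(basename "$policy_src")
    dst="$shared_dir/$name"
    conf="$shared_dir/agent.conf"
    # Path under which a Linux agent sees the pushed file (no group component).
    agent_path="/var/ossec/etc/shared/$name"

    # Agents only scan .yaml/.yml files; any other extension would be silently ignored.
    case "$name" in
        *.yml|*.yaml) ;;
        *) echo "error: $name must end in .yml or .yaml" >&2; return 1 ;;
    esac
    [ -f "$policy_src" ] || { echo "error: $policy_src not found" >&2; return 1; }
    [ -d "$shared_dir" ] || { echo "error: group folder $shared_dir missing" >&2; return 1; }

    cp "$policy_src" "$dst" && chown "$owner" "$dst" || return 1

    # Idempotent: never add a second <policy> entry for the same file.
    if [ -f "$conf" ] && grep -qF "<policy>$agent_path</policy>" "$conf"; then
        echo "already enabled: $agent_path"
        return 0
    fi
    # This <sca> block is merged into each agent's own <sca> configuration.
    cat >> "$conf" <<EOF
<agent_config>
    <sca>
        <policies>
            <policy>$agent_path</policy>
        </policies>
    </sca>
</agent_config>
EOF
    echo "enabled: $agent_path for agents reading $conf"
}
```

Run it on the manager as root, e.g. `deploy_sca_policy ./my_hardening_checks.yml`; the agents pick up the new file and configuration on their next shared-configuration sync.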

Available SCA policies

| Policy | Name | Requirement |
|---|---|---|
| cis_win2012r2_domainL1 | CIS benchmark for Windows 2012 R2 Domain Controller L1 | Windows Server 2012 R2 |
| cis_win2012r2_domainL2 | CIS benchmark for Windows 2012 R2 Domain Controller L2 | Windows Server 2012 R2 |
| cis_win2012r2_memberL1 | CIS benchmark for Windows 2012 R2 Member Server L1 | Windows Server 2012 R2 |
| cis_win2012r2_memberL2 | CIS benchmark for Windows 2012 R2 Member Server L2 | Windows Server 2012 R2 |
| cis_win10_enterprise_L1 | CIS benchmark for Windows 10 Enterprise (Release 1709) | Windows 10 |
| cis_win10_enterprise_L2 | CIS benchmark for Windows 10 Enterprise (Release 1709) | Windows 10 |
| sca_win_audit | Benchmark for Windows auditing | Windows |
| cis_rhel5_linux | CIS Benchmark for Red Hat Enterprise Linux 5 | Red Hat Systems |
| cis_rhel6_linux | CIS Benchmark for Red Hat Enterprise Linux 6 | Red Hat Systems |
| cis_rhel7_linux | CIS Benchmark for Red Hat Enterprise Linux 7 | Red Hat Systems |
| cis_debian7_L1 | CIS benchmark for Debian/Linux 7 L1 | Debian 7 |
| cis_debian7_L2 | CIS benchmark for Debian/Linux 7 L2 | Debian 7 |
| cis_debian8_L1 | CIS benchmark for Debian/Linux 8 L1 | Debian 8 |
| cis_debian8_L2 | CIS benchmark for Debian/Linux 8 L2 | Debian 8 |
| cis_debian9_L1 | CIS benchmark for Debian/Linux 9 L1 | Debian 9 |
| cis_debian9_L2 | CIS benchmark for Debian/Linux 9 L2 | Debian 9 |
| cis_sles11_linux | CIS SUSE Linux Enterprise 11 Benchmark | SUSE 11 |
| cis_sles12_linux | CIS SUSE Linux Enterprise 12 Benchmark | SUSE 12 |
| cis_solaris11 | CIS benchmark for Oracle Solaris 11 | Solaris 11 |
| sca_unix_audit | Benchmark for Linux auditing | N/A |
| cis_apple_macOS_10.11 | CIS Apple OSX 10.11 Benchmark | Mac OS X 10.11 (El Capitan) |
| cis_apple_macOS_10.12 | CIS Apple macOS 10.12 Benchmark | Mac OS X 10.12 (Sierra) |
| cis_apple_macOS_10.13 | CIS Apple macOS 10.13 Benchmark | Mac OS X 10.13 (High Sierra) |
| web_vulnerabilities | System audit for web-related vulnerabilities | N/A |
| cis_apache_24 | CIS Apache HTTP Server 2.4 Benchmark | Apache configuration files |
| cis_mysql5-6_community | CIS benchmark for Oracle MySQL Community Server 5.6 | MySQL configuration files |
| cis_mysql5-6_enterprise | CIS benchmark for Oracle MySQL Enterprise 5.6 | MySQL configuration files |