sca
New in version 3.9.0.
This section covers the configuration for the Security Configuration Assessment module.
Settings to run Security Configuration Assessment scans.
Options
Main options
Main options | Allowed values |
---|---|
enabled | yes, no |
skip_nfs | yes, no |
policies | N/A |
Scheduling options
Scheduling options | Allowed values |
---|---|
scan_on_start | yes, no |
interval | A positive number + suffix |
day | A day of the month |
wday | A day of the week |
time | A time of the day [hh:mm] |
Interval suffixes | Time scale |
---|---|
s | seconds |
m | minutes |
d | days |
w | weeks |
M | months |
Some examples of usage of these options are included in the SCA documentation.
enabled
Enables the module.
Default value | yes |
Allowed values | yes, no |
skip_nfs
Enables or disables the scanning of network-mounted filesystems (works on Linux and FreeBSD).
Currently, skip_nfs excludes files on CIFS or NFS mounts from checking.
Default value | yes |
Allowed values | yes, no |
policies
The policy files used to run assessments are listed in this section, each one between <policy> tags.
Default value | n/a |
Allowed values | Any YAML policy file |
Attributes
enabled | Offers the possibility to disable a policy when it has been enabled previously. |
Note
Since Wazuh v3.10.0, even if this section is missing, the Wazuh agent runs scans for every policy (.yaml or .yml file) present in its ruleset folder.
Example
<policies>
  <policy>cis_debian9_L1.yml</policy>
  <policy>sca_unix_audit.yml</policy>
  <policy enabled="no">cis_debian9_L2.yml</policy>
</policies>
scan_on_start
The SCA module will perform the scan immediately when started.
Default value | yes |
Allowed values | yes, no |
interval
Interval between module executions.
Default value | 12h |
Allowed values | A positive number followed by a suffix character indicating a time unit: s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months) |
The interval option is conditioned by the day, wday and time options described below. If none of these options are set, the interval can take any allowed value.
day
Day of the month to run the scan.
Default value | n/a |
Allowed values | Day of the month [1..31] |
Note
When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.
wday
Day of the week to run the scan. This option is not compatible with the day option.
Default value | n/a |
Allowed values |
|
Note
When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.
time
Time of the day to run the scan. It has to be represented in the format hh:mm.
Default value | n/a |
Allowed values | Time of day [hh:mm] |
Note
When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.
Configuration example
<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <time>04:00</time>
  <skip_nfs>yes</skip_nfs>
  <policies>
    <policy>cis_debian9_L1.yml</policy>
    <policy>sca_unix_audit.yml</policy>
    <policy enabled="no">cis_debian9_L2.yml</policy>
    <policy>/my/custom/policy/path/my_policy.yaml</policy>
  </policies>
</sca>
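The notes on day, wday and time constrain which interval values are valid. The following pre-deployment check is an added example, not part of Wazuh or of the original page; it applies those rules to one <sca> block. The function name check_sca is hypothetical. Assumptions: intervals are compared by duration (so 14d counts as a multiple of weeks), time needs two-digit hours as in hh:mm, and wday values are not validated because this page does not list them.

```python
import re
import xml.etree.ElementTree as ET

SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # "M" has no fixed length

def check_sca(xml_text):
    """Return the problems found in one <sca> block; an empty list means consistent."""
    sca = ET.fromstring(xml_text)
    val = lambda tag: (sca.findtext(tag) or "").strip() or None
    day, wday, tod, interval = val("day"), val("wday"), val("time"), val("interval")
    problems = []
    for tag in ("enabled", "scan_on_start", "skip_nfs"):
        if val(tag) not in (None, "yes", "no"):
            problems.append(f"<{tag}> must be yes or no")
    for pol in sca.iterfind("policies/policy"):
        if pol.get("enabled", "yes") not in ("yes", "no"):
            problems.append(f"policy {pol.text}: enabled must be yes or no")

    unit = secs = None
    m = re.fullmatch(r"([1-9][0-9]*)([smhdwM])", interval or "")
    if interval is not None and m is None:
        problems.append("<interval> must be a positive number plus a suffix")
    elif m:
        unit = m.group(2)
        secs = None if unit == "M" else int(m.group(1)) * SECONDS[unit]

    if day and wday:
        problems.append("<day> and <wday> are not compatible")
    if day and not (re.fullmatch(r"[0-9]{1,2}", day) and 1 <= int(day) <= 31):
        problems.append("<day> must be in 1..31")
    if tod and not re.fullmatch(r"([01][0-9]|2[0-3]):[0-5][0-9]", tod):
        problems.append("<time> must be hh:mm")

    if unit:  # explicit, well-formed interval: check it against the option that anchors it
        if day and unit != "M":
            problems.append("with <day>, <interval> must be a multiple of months")
        elif wday and not day and (secs is None or secs % SECONDS["w"]):
            problems.append("with <wday>, <interval> must be a multiple of weeks")
        elif tod and not day and not wday and (secs is None or secs % SECONDS["d"]):
            problems.append("with only <time>, <interval> must be a multiple of days or weeks")
    return problems

# Constructed sample based on the page's configuration example (no <interval> set).
PAGE_EXAMPLE = """<sca><enabled>yes</enabled><scan_on_start>yes</scan_on_start>
<time>04:00</time><skip_nfs>yes</skip_nfs><policies><policy>cis_debian9_L1.yml</policy>
<policy enabled="no">cis_debian9_L2.yml</policy></policies></sca>"""

if __name__ == "__main__":
    print(check_sca(PAGE_EXAMPLE))  # no explicit interval, so the default applies
```

Adding `<interval>12h</interval>` to a block that sets only `<time>` makes the check report that the interval must be a multiple of days or weeks.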