Wazuh agents include the appropriate policies for their particular operating system during installation. For the full list of officially supported policy files, see the table Available SCA policies. These policies are included with the Wazuh server installation so that they can be easily enabled.
For a detailed description of the various configuration parameters of SCA, please check the SCA reference.
By default, the Wazuh agent runs scans for every policy (.yml files) present in its ruleset folder:
Linux and Unix-based agents:
C:\Program Files (x86)\ossec-agent\ruleset\sca.
The contents of the default ruleset folders are not preserved across installations or updates. If you want to modify existing policies or add new ones, place the policy files in a different folder.
To enable a policy file outside the Wazuh agent installation folder, add the policy file path to the <sca> block in the Wazuh agent configuration file. An example is shown below:

<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>
You can also specify a path relative to the Wazuh installation directory:

<sca>
  <policies>
    <policy>etc/shared/<CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>
There are two ways to disable policies on the Wazuh agent. The simplest is to rename the policy file by adding .disabled (or anything different from .yml) after its YAML extension.
The second is to disable them from the Wazuh agent ossec.conf file by adding a line such as the following to the <policy> section of the SCA module:

<sca>
  <policies>
    <policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
  </policies>
</sca>
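
The rules above (default-folder scan of .yml files, absolute and relative <policy> paths, and the two disabling methods) can be combined into a quick audit of which policies an agent will actually scan. This is an added example, not Wazuh code: the install directory, file names and configuration are constructed, and it assumes that a <policy> entry without enabled="no" is enabled and that an entry resolving to a default-folder file overrides that file's default state.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample values (not taken from the Wazuh documentation).
INSTALL_DIR = "/opt/wazuh-agent-example"  # placeholder install directory
RULESET_FILES = ["cis_example.yml", "sca_example.yml.disabled", "web_example.yml"]
OSSEC_CONF = """
<ossec_config>
  <sca>
    <policies>
      <policy>/srv/sca/custom_example.yml</policy>
      <policy>etc/shared/team_example.yml</policy>
      <policy enabled="no">ruleset/sca/web_example.yml</policy>
    </policies>
  </sca>
</ossec_config>
"""


def effective_policies(conf_text, install_dir, ruleset_files):
    """Map each resolved policy path to True (scanned) or False (disabled)."""
    base = PurePosixPath(install_dir)
    status = {}
    # Default folder: only names ending in .yml are scanned, so a renamed
    # file such as policy.yml.disabled is skipped.
    for name in ruleset_files:
        status[str(base / "ruleset" / "sca" / name)] = name.endswith(".yml")
    # ossec.conf may hold several top-level blocks, so wrap it in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for node in root.iterfind(".//sca/policies/policy"):
        text = (node.text or "").strip()
        if not text:
            continue  # ignore empty <policy> entries
        path = PurePosixPath(text)
        if not path.is_absolute():
            path = base / path  # relative to the install directory
        # Assumption: a missing "enabled" attribute means enabled, and a later
        # entry for the same path replaces an earlier one.
        status[str(path)] = node.get("enabled", "yes").lower() != "no"
    return status


if __name__ == "__main__":
    result = effective_policies(OSSEC_CONF, INSTALL_DIR, RULESET_FILES)
    for path, enabled in sorted(result.items()):
        print("ENABLED " if enabled else "DISABLED", path)
```

Run it against a copy of the agent's configuration and a listing of its ruleset folder to spot policies that were silently disabled by a rename or an enabled="no" entry.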