How to configure SCA

Enabling and disabling policies

By default, the Wazuh agent runs scans for every policy (.yaml or .yml files) present in their ruleset folder:

• Linux and Unix-based agents: /var/ossec/ruleset/sca.

• Windows agents: C:\Program Files (x86)\ossec-agent\ruleset\sca.

• macOS agents: /Library/Ossec/ruleset/sca.

To enable a policy file outside the Wazuh agent installation folder, add the policy file path to the <sca> block in the Wazuh agent configuration file. An example is shown below:

<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

You can also specify a relative path to the Wazuh installation directory:

<sca>
  <policies>
    <policy>etc/shared/<CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

There are two ways to disable policies on the Wazuh agent. The simplest one is renaming the policy file by adding .disabled (or anything different from .yaml or .yml) after their YAML extension.

The second is to disable them from the Wazuh agent ossec.conf file by adding a line such as the following to the <policy> section of the SCA module:

<sca>
  <policies>
    <policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
  </policies>
</sca>

How to share policy files and configuration with the Wazuh agents

As described in the centralized configuration section, the Wazuh manager can push files and configurations to connected Wazuh agents.

You can enable this feature to push policy files to the Wazuh agents in defined groups. By default, every Wazuh agent belongs to the default group, which is used here as an example:

1. On the Wazuh agent, edit the local_internal_options.conf file to allow the execution of commands in SCA policies that use the c (command) rule type sent from the Wazuh server:

   # echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
   

   Note

   By enabling the sca.remote_commands flag, the Wazuh server can execute commands on the monitored endpoint for SC policies that include rules of type c (command). This setting is only required for SCA policies using the c rule type; policies with other rule types (e.g., f for file, p for process, or r for registry) are not affected by the sca.remote_commands flag and will function without enabling it.

   Remote command execution is disabled by default as a security measure to reduce the attack surface in case the Wazuh server is compromised. If you prefer not to enable remote commands, you can manually deploy policy files to each agent without using the Wazuh server to push them. For example, you can create the policy file directly on the monitored endpoint or use scp to copy the policy file to the endpoint.

2. On the Wazuh server, place a new policy file in the /var/ossec/etc/shared/default folder and change its ownership. Replace <NEW_POLICY_FILE> with your policy name.

   # chown wazuh:wazuh /var/ossec/etc/shared/default/<NEW_POLICY_FILE>
   

3. Add the following configuration block to the Wazuh server /var/ossec/etc/shared/default/agent.conf file to configure the new policy file in the Wazuh agent:

   <agent_config>
     <!-- Shared agent configuration here -->
     <sca>
       <policies>
           <policy>etc/shared/<NEW_POLICY_FILE></policy>
       </policies>
     </sca>
   </agent_config>
   

   All files remotely pushed from the Wazuh server are saved in the /<WAZUH_HOME_DIRECTORY>/etc/shared/ directory on the agent endpoints regardless of the group they belong to. We specify the relative file path of the policy in the configuration because the full file path could differ depending on the operating system of the monitored endpoint.

The new <sca> block in the Wazuh server /var/ossec/etc/shared/default/agent.conf file is merged with the <sca> block on the Wazuh agent side, and the new configuration is added.