How to configure SCA

ThreatLockDown agents include the appropriate policies for their particular operating system during installation. For the full list of officially supported policy files, see the table Available SCA policies. These policies are included with the ThreatLockDown server installation so that they can be easily enabled.

For a detailed description of the various configuration parameters of SCA, please check the SCA reference.

Enabling and disabling policies

By default, the ThreatLockDown agent runs scans for every policy (.yaml or .yml files) present in their ruleset folder:

  • Linux and Unix-based agents: /var/ossec/ruleset/sca.

  • Windows agents: C:\Program Files (x86)\ossec-agent\ruleset\sca.

  • macOS agents: /Library/Ossec/ruleset/sca.

Warning

The contents of the aforementioned default ruleset folders are neither kept across installations nor updates. Place them under an alternative folder if you wish to modify or add new policies.

To enable a policy file outside the ThreatLockDown agent installation folder, add the policy file path to the <sca> block in the ThreatLockDown agent configuration file. An example is shown below:

<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

You can also specify a relative path to the ThreatLockDown installation directory:

<sca>
  <policies>
    <policy>etc/shared/<CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

There are two ways to disable policies on the ThreatLockDown agent. The simplest one is renaming the policy file by adding .disabled (or anything different from .yaml or .yml) after their YAML extension.

The second is to disable them from the ThreatLockDown agent ossec.conf file by adding a line such as the following to the <policy> section of the SCA module:

<sca>
  <policies>
    <policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
  </policies>
</sca>

How to share policy files and configuration with the ThreatLockDown agents

As described in the centralized configuration section, the ThreatLockDown manager can push files and configurations to connected ThreatLockDown agents.

You can enable this feature to push policy files to the ThreatLockDown agents in defined groups. By default, every ThreatLockDown agent belongs to the default group, which is used here as an example:

  1. On the ThreatLockDown agent, edit the local_internal_options.conf file to allow the execution of commands in SCA policies sent from the ThreatLockDown server:

    # echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
    

    Note

    By enabling remote command execution, the ThreatLockDown server gains the ability to execute commands on the monitored endpoint. Remote commands are disabled by default as a security measure, which helps reduce the attack surface in case the ThreatLockDown server is compromised.

    You do not need to enable remote commands if you add the policy files to each agent without using the ThreatLockDown server to push them. For example, you can manually create the policy file directly on the monitored endpoint, or use scp to copy the policy file to the monitored endpoint.

  2. On the ThreatLockDown server, place a new policy file in the /var/ossec/etc/shared/default folder and change its ownership. Replace <NEW_POLICY_FILE> with your policy name.

    # chown wazuh:wazuh /var/ossec/etc/shared/default/<NEW_POLICY_FILE>
    
  3. Add the following configuration block to the ThreatLockDown server /var/ossec/etc/shared/default/agent.conf file to configure the new policy file in the ThreatLockDown agent:

    <agent_config>
      <!-- Shared agent configuration here -->
      <sca>
        <policies>
            <policy>etc/shared/<NEW_POLICY_FILE></policy>
        </policies>
      </sca>
    </agent_config>
    

    All files remotely pushed from the ThreatLockDown server are saved in the /<WAZUH_HOME_DIRECTORY>/etc/shared/ directory on the agent endpoints regardless of the group they belong to. We specify the relative file path of the policy in the configuration because the full file path could differ depending on the operating system of the monitored endpoint.

The new <sca> block in the ThreatLockDown server /var/ossec/etc/shared/default/agent.conf file is merged with the <sca> block on the ThreatLockDown agent side, and the new configuration is added.