sca

This section covers the configuration for the Security Configuration Assessment module.

Settings to run Security Configuration Assessment scans.

Options

Main options

enabled
skip_nfs
policies

Main options	Allowed values
enabled	yes, no
skip_nfs	yes, no
policies	N/A

Scheduling options

scan_on_start
interval
day
wday
time

Scheduling options	Allowed values
scan_on_start	yes, no
interval	A positive number + suffix
day	A day of the month
wday	A day of the week
time	A time of the day [hh:mm]

Interval suffixes	Time scale
s	seconds
m	minutes
d	days
w	weeks
M	months

Some examples of usage of these options are included in the SCA documentation.

enabled

Enables the module.

Default value	yes
Allowed values	yes, no

skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value	yes
Allowed values	yes, no

policies

Between <policy> tags, in this section it can be included policy files to run assessments.

Default value	n/a
Allowed values	Any YAML policy file

Attributes

enabled

Offers the possibility to disable a policy when it has been enabled previously.

Note

Since ThreatLockDown v3.10.0, although this section is missing, the ThreatLockDown Agent will run scans for every policy (.yaml or .yml files) present in their ruleset folder.

Warning

Since ThreatLockDown v4.2.0, when a policy is defined by a relative path, this path is relative to the ThreatLockDown installation directory. If the policy is located outside the installation directory, a full path can be used.

Example

<policies>
  <policy>etc/shared/cis_debian10.yml</policy>
  <policy>/path/to/my/policy.yml</policy>
</policies>

scan_on_start

The SCA module will perform the scan immediately when started.

Default value	yes
Allowed values	yes, no

interval

The interval between module executions.

Default value	12h
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

The interval option is conditioned by the following described options day, wday and time. If none of these options are set, the interval can take any allowed value.

day

Day of the month to run the scan.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to run the scan. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to run the scan. It has to be represented in the format hh:mm.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Configuration example

<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <time>04:00</time>
  <skip_nfs>yes</skip_nfs>

  <policies>
    <policy>etc/shared/cis_debian10.yml</policy>
    <policy enabled="no">ruleset/sca/cis_debian9.yml</policy>
    <policy>/my/custom/policy/path/my_policy.yaml</policy>
  </policies>
</sca>