Configuration Assessment


Argus SCA module

Security Configuration Assessment (SCA) involves verifying that systems adhere to a set of predefined rules related to configuration settings and approved application usage. One of the most effective ways to secure endpoints is by minimizing their vulnerability surface, a process known as hardening. Configuration assessments help identify weaknesses in your endpoints, allowing you to address them and reduce your overall attack surface.

The Argus SCA module scans monitored endpoints to detect misconfigurations and exposures, offering recommendations for remediation. These scans evaluate the endpoint’s configuration using policy files that contain rules to be tested against the endpoint’s actual settings. SCA policies can check for the presence of files, directories, registry keys and values, active processes, and can also perform recursive checks within directories to identify potential security gaps.

Configuration of SCA

Enabling and disabling policies

By default, the Argus agent runs scans for every policy (.yaml or .yml file) present in the agent's ruleset folder:

· Linux and Unix-based agents: /var/ossec/ruleset/sca.

· Windows agents: C:\Program Files (x86)\ossec-agent\ruleset\sca.

· macOS agents: /Library/Ossec/ruleset/sca.

To enable a policy file outside the Argus agent installation folder, add the policy file path to the <sca> block in the Argus agent configuration file. An example is shown below:

<sca>
  <policies>
    <policy><FULLPATH_TO_CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

You can also specify a relative path to the Argus installation directory:

<sca>
  <policies>
    <policy>etc/shared/<CUSTOM_SCA_POLICY_FILE></policy>
  </policies>
</sca>

There are two ways to disable policies on the Argus agent. The simplest is to rename the policy file, appending .disabled (or any suffix other than .yaml or .yml) after its YAML extension, so the agent no longer recognizes it as a policy.

The second is to disable it in the Argus agent ossec.conf file by adding an entry such as the following to the <policies> section of the SCA module:

<sca>
  <policies>
    <policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
  </policies>
</sca>

How to share policy files and configuration with the Argus agents

You can enable this feature to push policy files from the Argus server to the Argus agents in defined groups. By default, every Argus agent belongs to the default group, which is used here as an example:

1. On the Argus agent, edit the local_internal_options.conf file to allow the execution of commands in SCA policies sent from the Argus server:

  echo "sca.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf

2. On the Argus server, place a new policy file in the /var/ossec/etc/shared/default folder and change its ownership.

Replace <NEW_POLICY_FILE> with your policy name.

  chown Argus:Argus /var/ossec/etc/shared/default/<NEW_POLICY_FILE>

3. Add the following configuration block to the Argus server /var/ossec/etc/shared/default/agent.conf file to configure the new policy file in the Argus agent:

<agent_config>
  <!-- Shared agent configuration here -->
  <sca>
    <policies>
      <policy>etc/shared/<NEW_POLICY_FILE></policy>
    </policies>
  </sca>
</agent_config>

All files remotely pushed from the Argus server are saved in the /<ARGUS_HOME_DIRECTORY>/etc/shared/ directory on the agent endpoints regardless of the group they belong to.
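The three steps above as a shell script, added here as an example rather than the project's own tooling. The base directory, group name and file owner are parameters (assumptions, not Argus settings) so the functions can be exercised on a scratch tree; on a real host they would be /var/ossec, default and Argus:Argus.

```shell
#!/bin/sh
# Added example, not Argus's own tooling: automate the three steps above.
# The base directory and owner are parameters so the script can be run
# on a scratch tree; on a real host use /var/ossec and Argus:Argus.
set -eu

# Step 1 (agent side): allow SCA policies received from the server to run
# commands. The option is appended only if it is not already present.
enable_sca_remote_commands() {
  home="$1"
  opts="$home/etc/local_internal_options.conf"
  mkdir -p "$home/etc"
  touch "$opts"
  grep -qx 'sca.remote_commands=1' "$opts" || echo 'sca.remote_commands=1' >> "$opts"
}

# Steps 2 and 3 (server side): copy the policy into the group's shared
# folder, set ownership, and reference it from that group's agent.conf.
share_sca_policy() {
  home="$1"; policy="$2"; group="${3:-default}"; owner="${4:-}"
  case "$policy" in
    *.yaml|*.yml) ;;
    *) echo "refusing $policy: agents only load .yaml/.yml policies" >&2; return 1 ;;
  esac
  shared="$home/etc/shared/$group"
  name="$(basename "$policy")"
  mkdir -p "$shared"
  cp "$policy" "$shared/$name"
  if [ -n "$owner" ]; then chown "$owner" "$shared/$name"; fi
  conf="$shared/agent.conf"
  # Add the <sca> block once; a second run must not duplicate the entry.
  if ! grep -q "<policy>etc/shared/$name</policy>" "$conf" 2>/dev/null; then
    cat >> "$conf" <<EOF
<agent_config>
  <sca>
    <policies>
      <policy>etc/shared/$name</policy>
    </policies>
  </sca>
</agent_config>
EOF
  fi
}
```

Both functions are safe to re-run: the option line and the <policy> entry are written only when missing, and a file without a .yaml/.yml extension is rejected before anything is copied.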
