Overview
The Configuration Assessment module (also known as Security Configuration Assessment or SCA) continuously evaluates the security configuration of your systems against established baselines and best practices. It identifies misconfigurations and compliance issues by scanning assets and comparing their configurations with predefined security policies.
Key Features
Continuous Configuration Monitoring
Automated, continuous assessment of system configurations:
- Policy-based Scanning: Evaluate systems against security policy benchmarks
- Automated Assessments: Regular scans without manual intervention
- Multi-platform Support: Assess Linux, Windows, and macOS systems
- Custom Policies: Define custom security policies for your environment
- Real-time Alerts: Immediate notification of configuration violations
Comprehensive Security Policies
Pre-built policies for industry standards and best practices:
- CIS Benchmarks: Center for Internet Security benchmarks
- NIST Guidelines: NIST security configuration guidelines
- PCI DSS: Payment Card Industry security standards
- HIPAA: Healthcare security configurations
- Custom Policies: Organization-specific security policies
Interactive Dashboards
Powerful visualization and analysis tools:
- Overview Dashboard: Organization-wide configuration compliance (Dashboard ID: sca-overview-dashboard)
- Agent Dashboard: Configuration status for specific agents (Dashboard ID: sca-pinned-agent-dashboard)
- Inventory View: Detailed policy check results and compliance status
- Trend Analysis: Track configuration compliance over time
Data Sources
Configuration Assessment utilizes specialized index patterns:
SCA States
- Pattern: wazuh-states-sca*
- Type: Current configuration assessment states
- Data: Policy check results, compliance status, remediation information
Events Data
- Pattern: wazuh-events*
- Type: Configuration change events
Assessment Data Structure
Configuration assessment data includes:
| Field | Description |
|---|---|
| timestamp | When the assessment was performed |
| wazuh.agent.name | Name of the assessed agent |
| sca.policy | Name of the security policy evaluated |
| sca.check.id | Unique identifier for the check |
| sca.check.title | Title of the security check |
| sca.check.description | Detailed check description |
| sca.check.result | Result (passed, failed, not applicable) |
| sca.check.remediation | Remediation steps |
| sca.check.compliance | Associated compliance requirements |
| sca.check.rationale | Why this check is important |
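The following Python is an added example, not code from the Wazuh dashboard plugin, showing how documents with these fields feed a compliance report: it keeps the newest state per agent and check, computes a per-policy score that leaves not-applicable checks out of the denominator, and groups failed checks by the compliance control they map to. The sample documents, agent names, check ids, the dict layout used for sca.check.compliance and the aggregation body are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed policy name and sample documents, shaped like hits from
# wazuh-states-sca* with the field names from the table above.
POLICY = "CIS Ubuntu Linux 22.04 Benchmark"


def state(ts, agent, check_id, title, result, compliance):
    """Build one constructed document in the shape of a states-index hit.
    The dict layout of sca.check.compliance is this example's assumption."""
    return {"timestamp": ts, "wazuh": {"agent": {"name": agent}},
            "sca": {"policy": POLICY,
                    "check": {"id": check_id, "title": title,
                              "result": result, "compliance": compliance}}}


SAMPLE_STATES = [
    # stale row for web-01 / 28500, superseded by the 05-02 row below
    state("2024-05-01T02:00:00Z", "web-01", "28500", "Ensure SSH root login is disabled",
          "failed", {"pci_dss": ["2.2.4"]}),
    state("2024-05-02T02:00:00Z", "web-01", "28500", "Ensure SSH root login is disabled",
          "passed", {"pci_dss": ["2.2.4"]}),
    state("2024-05-02T02:00:00Z", "web-01", "28501", "Ensure SSH PermitEmptyPasswords is disabled",
          "failed", {"pci_dss": ["2.2.4", "8.2.3"]}),
    state("2024-05-02T02:00:00Z", "web-01", "28600", "Ensure auditd is installed",
          "not applicable", {"pci_dss": ["10.1"]}),
    state("2024-05-02T02:00:00Z", "db-01", "28500", "Ensure SSH root login is disabled",
          "passed", {"pci_dss": ["2.2.4"]}),
    state("2024-05-02T02:00:00Z", "db-01", "28501", "Ensure SSH PermitEmptyPasswords is disabled",
          "failed", {"pci_dss": ["2.2.4", "8.2.3"]}),
]

# Server-side equivalent of policy_compliance(): body of a _search request on
# wazuh-states-sca*. Assumes sca.policy and sca.check.result are keyword fields.
POLICY_RESULT_AGG = {
    "size": 0,
    "aggs": {"policy": {"terms": {"field": "sca.policy", "size": 50},
                        "aggs": {"result": {"terms": {"field": "sca.check.result"}}}}},
}


def latest_states(docs):
    """Keep the newest document per (agent, policy, check id). The states
    index should hold one current row per check; if a query window or a
    re-index returns duplicates, the stale row must not be counted."""
    newest = {}
    for doc in docs:
        key = (doc["wazuh"]["agent"]["name"], doc["sca"]["policy"], doc["sca"]["check"]["id"])
        if key not in newest or doc["timestamp"] > newest[key]["timestamp"]:
            newest[key] = doc
    return list(newest.values())


def policy_compliance(docs):
    """Per-policy result counts plus a score in percent. Score is
    passed / (passed + failed); not-applicable checks stay out of the
    denominator instead of being counted as passes."""
    counts = defaultdict(lambda: {"passed": 0, "failed": 0, "not applicable": 0})
    for doc in latest_states(docs):
        row = counts[doc["sca"]["policy"]]
        result = doc["sca"]["check"]["result"]
        row[result] = row.get(result, 0) + 1
    report = {}
    for policy, row in counts.items():
        applicable = row["passed"] + row["failed"]
        score = round(100.0 * row["passed"] / applicable, 1) if applicable else None
        report[policy] = {**row, "score": score}
    return report


def failed_checks_for(docs, framework):
    """Failed checks that map to one framework (e.g. "pci_dss"), grouped by
    control id so an auditor sees which requirement each gap affects."""
    by_control = defaultdict(list)
    for doc in latest_states(docs):
        check = doc["sca"]["check"]
        if check["result"] != "failed":
            continue
        for control in check["compliance"].get(framework, []):
            by_control[control].append(
                (doc["wazuh"]["agent"]["name"], check["id"], check["title"]))
    return dict(by_control)


if __name__ == "__main__":
    for policy, row in policy_compliance(SAMPLE_STATES).items():
        print(policy, row)
    for control, gaps in sorted(failed_checks_for(SAMPLE_STATES, "pci_dss").items()):
        print("PCI DSS", control, gaps)
```

POLICY_RESULT_AGG is what you would send to the indexer to get the same per-policy counts server-side; the local functions are useful when results are exported, or when a query window returns more than one row per check and the stale one must be discarded before the score is computed.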
Policy Structure
Policy Components
Each security policy consists of:
- Policy Metadata
  - Policy name and description
  - Target operating system
  - Version information
  - References to standards
- Security Checks
  - Individual configuration checks
  - Expected vs actual state comparison
  - Pass/fail criteria
- Remediation Guidance
  - Steps to fix failed checks
  - Commands or procedures
  - Risk assessment
- Compliance Mapping
  - Linked compliance requirements
  - Regulatory references
  - Control identifiers
Check Results
- Passed: Configuration meets the security requirement
- Failed: Configuration does not meet the requirement
- Not Applicable: Check does not apply to this system; it is neither a pass nor a fail, and it is excluded from a policy's compliance score, which is computed over passed and failed checks only
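To make the policy components and check results concrete, here is an added Python example (not Wazuh's scanner or any file shipped with it) that evaluates an organization-specific policy of the kind the Custom Policies section refers to. The policy dict mirrors the layout of an SCA policy file: metadata, requirements that decide whether the policy applies to a host, and checks with rationale, remediation, compliance mapping, a condition and rules. It runs against a constructed in-memory host rather than real files; the policy ids, rules, the supported rule subset, and the treatment of unmet requirements and unevaluable rules as not applicable are this example's assumptions.

```python
import re

# Constructed organization-specific policy laid out like an SCA policy file:
# metadata, requirements, and checks with rationale, remediation, compliance,
# a condition and rules. Ids, names, rules and the rule grammar subset
# (f:, d:, "-> r:", "-> !r:", "not " prefix) are this example's assumptions.
CUSTOM_POLICY = {
    "policy": {"id": "acme_sshd_baseline", "name": "ACME SSH daemon baseline",
               "description": "Organization-specific sshd hardening",
               "references": ["https://example.invalid/acme-ssh-standard"]},
    # the host must identify as Ubuntu for this policy to apply
    "requirements": {"condition": "any",
                     "rules": [r"f:/etc/os-release -> r:^ID=ubuntu"]},
    "checks": [
        {"id": 10001, "title": "Ensure SSH root login is disabled",
         "rationale": "Root logins over SSH defeat accountability and invite brute force.",
         "remediation": "Set 'PermitRootLogin no' in /etc/ssh/sshd_config and reload sshd.",
         "compliance": {"pci_dss": ["2.2.4"], "cis": ["5.2.10"]},
         "condition": "all",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no"]},
        {"id": 10002, "title": "Ensure empty passwords are not accepted",
         "rationale": "Accounts with empty passwords are trivially compromised.",
         "remediation": "Set 'PermitEmptyPasswords no' in /etc/ssh/sshd_config.",
         "compliance": {"pci_dss": ["8.2.3"]},
         "condition": "none",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*PermitEmptyPasswords\s+yes"]},
        {"id": 10003, "title": "Ensure the legacy drop-in directory is absent",
         "rationale": "Files in the legacy directory override hardened settings.",
         "remediation": "Remove /etc/ssh/legacy.d.",
         "compliance": {"cis": ["5.2.1"]},
         "condition": "none",
         "rules": ["d:/etc/ssh/legacy.d"]},
        {"id": 10004, "title": "Ensure sshd is running",
         "rationale": "A stopped daemon hides whether the hardening is in effect.",
         "remediation": "systemctl enable --now ssh",
         "compliance": {"cis": ["5.2.0"]},
         "condition": "all",
         "rules": ["c:systemctl is-active ssh -> r:^active"]},
    ],
}

# Constructed host: file contents by path, and the set of existing directories.
HOST_FILES = {
    "/etc/os-release": 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n',
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n#PermitEmptyPasswords no\n",
}
HOST_DIRS = set()


class Unevaluable(Exception):
    """Rule types this offline evaluator cannot run (c: commands, p: processes)."""


def evaluate_rule(rule, files, dirs):
    """True/False for one rule, or Unevaluable. Python's re stands in for the
    agent's regex engine."""
    negate = rule.startswith("not ")
    if negate:
        rule = rule[4:]
    target, _, pattern = rule.partition(" -> ")
    kind, _, path = target.partition(":")
    if kind == "f":
        content = files.get(path)
        if content is None:
            result = False                     # a missing file satisfies no pattern
        elif not pattern:
            result = True                      # bare f:path means "file exists"
        else:
            neg_pat = pattern.startswith("!")  # "!r:" negates the match
            regex = pattern[3:] if neg_pat else pattern[2:]
            matched = any(re.search(regex, line) for line in content.splitlines())
            result = matched != neg_pat
    elif kind == "d":
        result = path in dirs
    else:
        raise Unevaluable(f"rule type {kind!r} needs host execution")
    return result != negate


CONDITIONS = {"all": all, "any": any, "none": lambda rs: not any(rs)}


def evaluate_check(check, files, dirs):
    """passed / failed, or not applicable when a rule cannot be evaluated."""
    try:
        results = [evaluate_rule(r, files, dirs) for r in check["rules"]]
    except Unevaluable:
        return "not applicable"
    return "passed" if CONDITIONS[check["condition"]](results) else "failed"


def run_policy(policy, files, dirs):
    """Evaluate every check. In this example a host that fails the policy's
    requirements gets every check reported as not applicable (a simplification
    chosen here, not a statement about the real scanner). Remediation and
    compliance are carried into each row so a failed row is actionable alone."""
    req = policy.get("requirements")
    applies = evaluate_check(req, files, dirs) == "passed" if req else True
    rows = []
    for check in policy["checks"]:
        result = evaluate_check(check, files, dirs) if applies else "not applicable"
        rows.append({"policy": policy["policy"]["id"], "check_id": check["id"],
                     "title": check["title"], "result": result,
                     "remediation": check["remediation"],
                     "compliance": check.get("compliance", {})})
    return rows


if __name__ == "__main__":
    for row in run_policy(CUSTOM_POLICY, HOST_FILES, HOST_DIRS):
        print(row["check_id"], row["result"], "-", row["title"])
```

Changing the sshd_config content to `PermitRootLogin no` flips check 10001 to passed; swapping `ID=ubuntu` for another distribution makes every check not applicable, which is what keeps an Ubuntu-only policy from producing noise on other hosts. Check 10004 comes back not applicable here because a command rule cannot be run offline, which is why such results deserve review rather than being silently counted as compliant.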
Inventory View
The SCA inventory provides comprehensive configuration assessment details:
Features
- Policy Compliance Status: Overall compliance for each policy
- Check Details: Individual check results with descriptions
- Remediation Steps: Detailed remediation guidance
- Compliance Mapping: Links to compliance requirements
- Historical Data: Track configuration changes over time
SCA Inventory
- Dashboard ID: sca-inventory-dashboard
- Agent Dashboard ID: sca-agent-inventory-dashboard
- Location: /plugins/main/public/components/overview/sca/components/inventory/
Check Details
The SCACheckDetails component provides in-depth information:
- Complete check description
- Rationale for the security requirement
- Current configuration state
- Remediation procedures
- Compliance references
- Related checks
Use Cases
Security Hardening
Harden systems according to best practices:
- Run configuration assessments on new systems
- Review failed checks
- Implement recommended security configurations
- Re-scan to verify remediation
- Document baseline security configurations
Compliance Auditing
Demonstrate compliance with regulatory requirements:
PCI DSS Compliance
- Verify security configurations for cardholder data systems
- Track compliance with PCI DSS configuration requirements
- Generate compliance reports for auditors
- Monitor ongoing compliance
HIPAA Compliance
- Assess security configurations for systems with ePHI
- Verify technical safeguards implementation
- Document security configurations
- Regular compliance assessments
CIS Benchmarks
- Implement CIS security hardening guidelines
- Track compliance with CIS benchmarks
- Prioritize remediation of failed checks
- Maintain security posture
Configuration Drift Detection
Identify unauthorized configuration changes:
- Establish baseline configurations
- Run regular assessments
- Detect deviations from baseline
- Investigate unauthorized changes
- Restore approved configurations
Vulnerability Remediation
Address configuration-based vulnerabilities:
- Identify insecure configurations
- Assess risk and impact
- Prioritize remediation efforts
- Implement secure configurations
- Verify remediation success
Change Management
Support IT change management processes:
- Verify changes meet security requirements
- Assess impact of proposed changes
- Document configuration baselines
- Track configuration history
- Rollback problematic changes
Integration with Other Modules
Configuration Assessment integrates with:
- Vulnerability Detection: Link misconfigurations to vulnerabilities
- File Integrity Monitoring: Detect configuration file changes
- System Auditing: Track who made configuration changes
- Threat Hunting: Investigate configuration-related security events
- Compliance Modules: Support PCI DSS, HIPAA, GDPR compliance
Common Security Policies
CIS Benchmarks
Comprehensive security configuration guidelines:
- CIS Red Hat Enterprise Linux Benchmark
- CIS Ubuntu Linux Benchmark
- CIS Windows Server Benchmark
- CIS macOS Benchmark
- CIS Docker Benchmark
- CIS Kubernetes Benchmark
Custom Policies
Create organization-specific policies:
Assessment Scheduling
Scan Frequency
Configure how often assessments run:
Scan Policies
Select which policies to apply:
Remediation Workflow
Standard Remediation Process
- Identify Failed Checks
  - Review assessment results
  - Filter by severity or compliance requirement
  - Prioritize based on risk
- Analyze Impact
  - Review check rationale
  - Assess business impact of remediation
  - Identify dependencies
- Plan Remediation
  - Review remediation steps
  - Plan implementation approach
  - Schedule maintenance window if needed
- Implement Changes
  - Execute remediation steps
  - Document changes made
  - Test system functionality
- Verify Remediation
  - Run new assessment
  - Confirm checks now pass
  - Document successful remediation
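The steps under Configuration Drift Detection and the Verify Remediation step above both reduce to comparing two assessment snapshots per agent, policy and check. The Python below is an added example (not part of the dashboard plugin) that performs that comparison while honouring an approved-exception list, in line with the Document Exceptions practice. Snapshot rows, agent names, check ids and the exception list are constructed; the flattened row layout is this example's assumption.

```python
from collections import namedtuple

# Constructed assessment rows: a flattened form of the agent, policy, check id
# and result fields from the Assessment Data Structure section. Agent names,
# check ids, the exception list and the row layout are this example's assumptions.
Row = namedtuple("Row", "agent policy check_id result")
POLICY = "CIS Ubuntu Linux 22.04 Benchmark"

BASELINE = [                                    # approved baseline snapshot
    Row("web-01", POLICY, "28500", "failed"),   # root login, fix planned
    Row("web-01", POLICY, "28501", "passed"),
    Row("web-01", POLICY, "28620", "passed"),
    Row("db-01", POLICY, "28500", "passed"),
    Row("db-01", POLICY, "28501", "passed"),
]
CURRENT = [                                     # snapshot after the maintenance window
    Row("web-01", POLICY, "28500", "passed"),   # remediated as planned
    Row("web-01", POLICY, "28501", "failed"),   # drift
    Row("web-01", POLICY, "28620", "passed"),
    Row("db-01", POLICY, "28500", "failed"),    # drift
    Row("db-01", POLICY, "28501", "failed"),    # covered by an approved exception
    Row("db-01", POLICY, "28700", "failed"),    # check added by a policy update
]
# (agent, policy, check id) keys with a documented, approved exception
APPROVED_EXCEPTIONS = {("db-01", POLICY, "28501")}


def index_results(rows):
    """Map (agent, policy, check id) -> result for one snapshot."""
    return {(r.agent, r.policy, r.check_id): r.result for r in rows}


def compare_snapshots(baseline, current, exceptions=frozenset()):
    """Classify every check in the current snapshot against the baseline.
    Checks that vanished from the current snapshot are listed as missing:
    an agent that stopped reporting is not the same as an agent that passes."""
    before, after = index_results(baseline), index_results(current)
    report = {"drift": [], "remediated": [], "new_failures": [], "excepted": []}
    for key, result in after.items():
        prior = before.get(key)
        if result == "failed" and key in exceptions:
            report["excepted"].append(key)
        elif result == "failed" and prior is None:
            report["new_failures"].append(key)
        elif result == "failed" and prior == "passed":
            report["drift"].append(key)
        elif result == "passed" and prior == "failed":
            report["remediated"].append(key)
    report["missing"] = sorted(set(before) - set(after))
    return report


def verify_remediation(current, planned):
    """Split the checks planned for a change into those that now pass and
    those that still need work, so the change record can be closed or reopened."""
    after = index_results(current)
    done = sorted(k for k in planned if after.get(k) == "passed")
    still_open = sorted(k for k in planned if after.get(k) != "passed")
    return done, still_open


if __name__ == "__main__":
    report = compare_snapshots(BASELINE, CURRENT, APPROVED_EXCEPTIONS)
    for kind, keys in report.items():
        print(kind, keys)
    planned = {("web-01", POLICY, "28500"), ("db-01", POLICY, "28500")}
    print(verify_remediation(CURRENT, planned))
```

Run without the exception list, the db-01 empty-password check shows up as drift like the other two; with it, the check is reported separately so the approved deviation is visible in the report without raising an alert each scan. The missing list is worth watching in a states index: a check that disappears usually means the agent or the policy stopped reporting, not that the control was satisfied.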
Best Practices
- Regular Assessments: Schedule frequent scans to detect drift
- Prioritize Remediation: Focus on high-risk configuration issues first
- Document Exceptions: Formally document and approve any policy exceptions
- Test Before Production: Test policy changes in non-production environments
- Automate Remediation: Use configuration management tools for consistent remediation
- Track Metrics: Monitor compliance trends and remediation progress
- Integrate with CM: Link with configuration management systems
- Educate Teams: Train system administrators on security configurations
- Review Policies: Regularly review and update security policies
- Audit Trail: Maintain records of assessments and remediations
Reporting
Generate comprehensive configuration assessment reports:
Compliance Reports
- Overall compliance percentage
- Policy-by-policy compliance status
- Failed checks by severity
- Remediation progress tracking
- Historical compliance trends
Executive Summaries
- High-level compliance posture
- Critical configuration issues
- Remediation status
- Compliance trend analysis
Detailed Technical Reports
- Complete check results
- Remediation procedures
- System-by-system analysis
- Compliance requirement mapping
Performance Considerations
- Scan Timing: Schedule scans during off-peak hours
- Policy Scope: Focus policies on relevant checks for each system type
- Resource Usage: Monitor system resources during scans
- Network Impact: Consider network bandwidth for policy distribution
- Database Optimization: Maintain SCA indices for optimal performance
Component Architecture
The Configuration Assessment module architecture:
/plugins/main/public/components/overview/sca/
Sample Data
The module supports sample data for testing:
- Category: Security Configuration Assessment
- Pattern: wazuh-states-sca*
Common Configuration Issues
Critical Issues
- Default passwords still in use
- Unnecessary services enabled
- Insecure protocol configurations
- Missing security patches
- Weak encryption settings
High Priority Issues
- Insufficient password complexity
- Disabled security features
- Insecure file permissions
- Unnecessary open ports
- Missing audit logging
Medium Priority Issues
- Suboptimal configurations
- Missing hardening measures
- Incomplete security settings
- Legacy protocol support