Cleartext Credential Exposure SCA policy


Jack Martin

Jan 13, 2026, 2:45:42 AM
to Wazuh | Mailing List
I want to implement the Cleartext Credential Exposure use case using Wazuh:

Detect passwords stored in scripts, configuration files, or log files

Value: Prevents credential leakage and credential reuse attacks

Response: Generate alerts and recommend credential rotation

Reference:
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/use-cases.html#use-cases

My questions are:

If the environment has more than 50 agents across different operating systems, how can this be implemented efficiently without manually configuring each agent?

How can we create and manage custom security policies centrally on the Ubuntu-based Wazuh manager and apply them to Windows 10 Pro agents?

The Wazuh manager is running on Ubuntu, and the agents are Windows 10 Pro.

Please let me know if this approach is correct and if there are additional best practices or recommendations I should consider.

On the manager, the location is:

root@vegita-VMware-Virtual-Platform:/var/ossec/etc/shared/default2# ls
agent.conf  keywordcheck.yml  merged.mg
root@vegita-VMware-Virtual-Platform:/var/ossec/etc/shared/default2#

That was the manager path where I saved the file. In the agent's shared folder the file name was visible, but when I go to the dashboard the policy is not shown. I have tried for 4 days but this problem was not solved. Please help me with this; any other details you want, I will give you.

Md. Nazmur Sakib

Jan 13, 2026, 3:43:16 AM
to Wazuh | Mailing List

Hi Jack,

You can share the SCA yml policy file from the manager to the agent’s endpoints and use agent group configuration to configure the policy.


First, you need to share the policy to the agent. For this, you need to enable remote file sharing from the agent. This is disabled by default because, when enabled, it makes it possible for whoever is in control of the Wazuh Manager server to share any file to the endpoint.


To enable this, go to your endpoint, open PowerShell as an administrator, and run this command.

notepad "C:\Program Files (x86)\ossec-agent\local_internal_options.conf"

Add this line at the end of the config file, and save the file.
sca.remote_commands=1


And restart the agent service.
Restart-Service -Name wazuh

If you configure this one time, now you will be able to configure any SCA policies to that endpoint from your Wazuh manager.


Do this on every endpoint you want to configure SCA policy remotely from the Manager.


Now ssh into your Wazuh manager and go to this directory.
cd /var/ossec/etc/shared/default/

And make an SCA yml policy file.
nano win_keywordcheck.yml

Now copy the SCA script into this file.

And change the policy file ownership.

chown wazuh:wazuh /var/ossec/etc/shared/default/win_keywordcheck.yml


Now, add this policy configuration to the agent group configuration from the Wazuh manager. Make sure the agent belongs to that agent group.

It will be better if you make a separate group for the Windows 10 Pro agent and add the configuration to that group.

/var/ossec/etc/shared/<agent_group_name>/agent.conf

<agent_config>
  <sca>
    <policies>
      <policy enabled="yes">C:\Program Files (x86)\ossec-agent\shared\win_keywordcheck.yml</policy>
    </policies>
  </sca>
</agent_config>


Check this document to learn more about agent group configuration.
https://documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html


Now you should be able to see the scan result of the agent.

If you are following this use case, "Detecting keyword in a file", make sure to create the text file on the endpoint or this scan will not run, as this is a requirement to run the scan.

policy:
  id: "keyword_check_windows"
  file: "keywordcheck.yml"
  name: "SCA use case: Keyword check"
—-----------------
 condition: any
 rules:
   - 'f:C:\Program Files\testfile.txt'
checks:
  - id: 10001


Check this document to learn more about how to share policy files and configuration with the Wazuh agents.


Let me know if this works for you.
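A manager-side check for the situation in this thread (a policy file sits in the group folder but no scan result appears), written as an added example that is not part of the original posts or Wazuh's own tooling: it cross-checks every policy path in a group's agent.conf against the files in that group folder. The function names, the windows10 group name and the sample folder are constructed for illustration. It assumes group files are delivered to the agent's shared folder as the reply describes, and that a policy file needs top-level policy: and checks: sections.

```python
# Added example (not Wazuh's own code): pre-flight check of a group folder on the manager.
import ntpath
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def check_group(group_dir):
    """Return {policy_path: [problems]} for each <policy> in the group's agent.conf."""
    group_dir = Path(group_dir)
    raw = (group_dir / "agent.conf").read_text()
    # agent.conf may hold several <agent_config> blocks, so wrap them in one root.
    root = ET.fromstring(f"<root>{raw}</root>")
    report = {}
    for node in root.iterfind("./agent_config/sca/policies/policy"):
        path = (node.text or "").strip()
        problems = report.setdefault(path, [])
        folder, name = ntpath.split(path)  # ntpath splits on both \ and /
        if ntpath.basename(folder).lower() != "shared":
            problems.append("path is not inside the agent's shared folder")
        local = group_dir / name  # the copy the manager would push to the agent
        if not local.is_file():
            problems.append(f"{name} is missing from {group_dir.name}/ on the manager")
            continue
        text = local.read_text()
        for key in ("policy", "checks"):  # assumed required top-level sections
            if not re.search(rf"^{key}:", text, re.MULTILINE):
                problems.append(f"{name} has no top-level '{key}:' section")
    return report


def build_sample_group(base):
    """Constructed sample: agent.conf names two policies, only one file is present."""
    group = Path(base) / "windows10"
    group.mkdir()
    win = r"C:\Program Files (x86)\ossec-agent\shared"
    (group / "agent.conf").write_text(
        "<agent_config><sca><policies>"
        f'<policy enabled="yes">{win}\\win_keywordcheck.yml</policy>'
        f'<policy enabled="yes">{win}\\keywordcheck.yml</policy>'
        "</policies></sca></agent_config>")
    (group / "win_keywordcheck.yml").write_text("policy:\n  id: x\nchecks:\n  - id: 10001\n")
    return group


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_group(build_sample_group(tmp)))
```

An empty problem list for a path means the file name in agent.conf matches a file in the same group folder; anything else points at a name or path mismatch to fix on the manager before restarting the agent.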