How Can I clean CIS information in Security configuration assessment

[Henrique Avelino]

Would I like to know, if is it possible to clean CIS informantion in Security configuration Assessment Inventory about the agent:

I would like to do that, because in the passed I overwrited some rules about "Pass" and "Not applicable" and today I just have alerts about "Failed", I fixed the overwirte rule and I would like to do a new full scan and get all the alerts about Passed, Failed and Not applicable.

Thanks.

[Henrique Avelino]

Could someone help me?

Thanks.

[Matías David Mercado Aragonés]

Hi Henrique,

Thanks for use Wazuh!

Yes, you can clean up CIS information. First, you need to stop Wazuh manager. Then, check your agent ID, you can found this ID number on your Wazuh GUI dashboard dropdown menu > Agents.

After that, you have to delete a few tables using sqlite3 from your agent database. Follow the next commands:
 
systemctl stop wazuh-manager sqlite3 /var/ossec/queue/db/"YOUR-AGENT-ID".db 'DELETE FROM sca_check'; sqlite3 /var/ossec/queue/db/"YOUR-AGENT-ID".db 'DELETE FROM sca_check_compliance'; sqlite3 /var/ossec/queue/db/"YOUR-AGENT-ID".db 'DELETE FROM sca_check_rules'; sqlite3 /var/ossec/queue/db/"YOUR-AGENT-ID".db 'DELETE FROM sca_policy'; sqlite3 /var/ossec/queue/db/"YOUR-AGENT-ID".db 'DELETE FROM sca_scan_info'; systemctl start wazuh-manager

Remember to change "YOUR-AGENT-ID", and then start again your Wazuh manager. After that, you will see on your Wazuh GUI dashboard that your CIS data is clear. Now you can run a new CIS evaluation, here you have more information on CIS evaluation and intervals.

Regards,
Matías.

[Henrique Avelino]

Hi Matias.

Thank you for your time.

I have cluster, so Do I need to do in Master and Node or just in Master?

Thanks.

[Matías David Mercado Aragonés]

Hi Henrique,

Delete this tables only on Wazuh master. You should test it in one agent, and if it works as you need, then you could proceed with the remaining agents.

Regards,
Matías.