IT Hygiene rules


German DiCasas

Mar 10, 2026, 12:08:48 PM
to Wazuh | Mailing List
Hi team,

Is there any way to create rules from IT Hygiene? I mean, is it possible to create a rule when an agent has AnyDesk or TeamViewer installed on the device (package.name), or when port 3389 is listening?

I have a Wazuh 4.14 all-in-one installation.

Regards

German

Olamilekan Abdullateef Ajani

Mar 10, 2026, 1:10:24 PM
to Wazuh | Mailing List
Hello German,

Since syscollector inventory is mainly meant for visibility, I believe SCA is often a better option for this type of IT hygiene check. You can create a custom policy that verifies whether tools like AnyDesk are installed on the endpoint.

For example, the policy below checks the Windows registry locations where installed applications are registered. If AnyDesk is detected, the check will fail and appear in the Configuration Assessment dashboard. You can customize this to suit your environment.

policy:
  id: "windows_anydesk_detection"
  file: "sca_windows_anydesk.yml"
  name: "Detect unauthorized remote access software (AnyDesk)"
  description: "Checks if AnyDesk is installed on the endpoint"

checks:

  - id: 100001
    title: "Ensure AnyDesk is not installed (64-bit path)"
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall -> !r:AnyDesk'

  - id: 100002
    title: "Ensure AnyDesk is not installed (32-bit path)"
    condition: all
    rules:
      - 'r:HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall -> !r:AnyDesk'


Once the policy is added and distributed to the agent, it will be evaluated during the next SCA scan. Please see the attached screenshot for a sample.

Please let me know what you think or if you require further assistance on this.
sca.png

German DiCasas

Mar 10, 2026, 4:53:13 PM
to Wazuh | Mailing List
Good to know. How can I trigger an alert from that Configuration Assessment if it fails? I mean something to see on the alerts dashboard.

I made a dashboard for the status of those programs by agent name, but I do not know how to trigger an alert from that SCA. Is it possible?

Regards,

German

Olamilekan Abdullateef Ajani

Mar 10, 2026, 5:13:44 PM
to Wazuh | Mailing List
Hello German,

There is an alert for it already, you can check the sample I attached from the detection I earlier shared.

Please let me know if this satisfies your use case.

Regards

sca2.png

German DiCasas

Mar 10, 2026, 6:24:27 PM
to Wazuh | Mailing List
Perfect, it works.

But only locally. When I configure the centralized configuration with wazuh_command.remote_commands=1 and sca.remote_commands=1 on the agent, it seems not to be updated. I cannot see the new SCA policy on the manager.

On the server side I created /var/ossec/etc/shared/default/sca_programs.yml (permissions wazuh:wazuh) and edited the agent.conf in the same path:

<agent_config>
  <sca>
    <policies>
      <policy>etc/shared/sca_programs.yml</policy>
    </policies>
  </sca>
</agent_config>

I restarted the agent and the manager... I cannot see the new SCA policy on the manager.

The manager is Wazuh 4.14 and the agent is 4.14 on a Windows 11 system.

I used the doc at https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html. Also, what port does the manager use to push this SCA policy to the agents?

German

Olamilekan Abdullateef Ajani

Mar 11, 2026, 8:56:55 AM
to Wazuh | Mailing List
Hello German,

I tested this now and it works; please see the attached. One place to start is to check the ossec.log file on the agent and see if the policy is even loaded.

The configuration you shared is accurate, but the message in the log will point you in the right direction.

I await feedback from you.

sca-3a.png
sca3.png
sca-li.png

German DiCasas

Mar 13, 2026, 6:51:16 PM
to Wazuh | Mailing List
I checked that log and it is the same: the SCA policy I created is not shown. The agent is on Windows 11. The yml I created is in /var/ossec/etc/shared/default, and I also created the yml in another group related to the Windows agent, to check which one is loaded in the SCA dashboard, and only the local one is.

In the server's ossec.log I cannot see any entry related to sca_programs.yml. Also, I edited the custom SCA policy to know whether it is loaded from the local agent (100001, 100002) or the server (100003, 100004); I can see only the local one, as before.

Server Manager:
 grep -iE "/sca/|sca:" /var/ossec/logs/ossec.log
2026/03/13 07:22:10 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 07:22:10 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 07:22:30 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 07:22:30 sca: INFO: Security Configuration Assessment scan finished. Duration: 20 seconds.
2026/03/13 14:35:05 sca: INFO: Module started.
2026/03/13 14:35:05 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:05 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 14:35:06 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:36 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 31 seconds.
2026/03/13 15:05:14 sca: INFO: Module started.
2026/03/13 15:05:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:05:14 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 15:05:15 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:05:22 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:05:22 sca: INFO: Security Configuration Assessment scan finished. Duration: 8 seconds.
2026/03/13 15:29:04 sca: INFO: Module started.
2026/03/13 15:29:04 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:29:04 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 15:29:04 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:29:11 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:29:11 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2026/03/13 15:30:36 sca: INFO: Module started.
2026/03/13 15:30:36 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:30:36 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 15:30:36 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:30:44 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 15:30:44 sca: INFO: Security Configuration Assessment scan finished. Duration: 8 seconds.

The doc says: "All files remotely pushed from the Wazuh server are saved in the /<WAZUH_HOME_DIRECTORY>/etc/shared/ directory on the agent endpoints regardless of the group they belong to". I checked, and yes, the policy from the server is on the Windows agent in "C:\Program Files (x86)\ossec-agent\shared"... but it is not shown in the web manager. It doesn't seem to apply and it's not visible on the SCA dashboard.

Let me know what command I can run to check for some flow error.

Regards

German
sca local.png
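As an added example (not from the thread and not Wazuh's own code), a small Python helper for the log check German asks about: it tallies the `sca: INFO:` messages pasted above per policy path and reports any expected policy file, such as sca_programs.yml, that never appears as a loaded policy. The sample log is constructed from the message shapes shown in the thread; the ossec.log path and the expected file names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `sca: INFO:` lines that Wazuh 4.x
# writes to ossec.log; in practice read /var/ossec/logs/ossec.log instead.
SAMPLE_LOG = """\
2026/03/13 14:35:05 sca: INFO: Module started.
2026/03/13 14:35:05 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:05 sca: INFO: Starting Security Configuration Assessment scan.
2026/03/13 14:35:06 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:36 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/03/13 14:35:36 sca: INFO: Security Configuration Assessment scan finished. Duration: 31 seconds.
2026/03/13 15:05:14 sca: INFO: Module started.
2026/03/13 15:05:14 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
"""

# Date and time, then the three per-policy messages seen in the thread.
LOADED_RE = re.compile(r"^\S+ \S+ sca: INFO: Loaded policy '([^']+)'")
EVAL_RE = re.compile(
    r"^\S+ \S+ sca: INFO: (Starting evaluation of|Evaluation finished for) policy:? '([^']+)'")
# Any non-INFO sca line deserves a manual look.
PROBLEM_RE = re.compile(r"^\S+ \S+ sca: (WARNING|ERROR|CRITICAL): (.*)$")


def summarize_sca_log(text):
    """Count loaded / started / finished events per policy path and collect problems."""
    per_policy = defaultdict(lambda: {"loaded": 0, "started": 0, "finished": 0})
    problems = []
    for line in text.splitlines():
        if (m := LOADED_RE.match(line)):
            per_policy[m.group(1)]["loaded"] += 1
        elif (m := EVAL_RE.match(line)):
            key = "started" if m.group(1).startswith("Starting") else "finished"
            per_policy[m.group(2)][key] += 1
        elif (m := PROBLEM_RE.match(line)):
            problems.append((m.group(1), m.group(2)))
    return dict(per_policy), problems


def missing_policies(per_policy, expected_files):
    """Expected policy file names (assumed list) that never appear as a loaded policy.
    Compared by basename so Windows backslash paths and Linux paths both work."""
    loaded = {p.replace("\\", "/").rsplit("/", 1)[-1] for p in per_policy}
    return sorted(set(expected_files) - loaded)


if __name__ == "__main__":
    summary, problems = summarize_sca_log(SAMPLE_LOG)
    for path, counts in summary.items():
        print(path, counts)
    print("never loaded:", missing_policies(summary, ["cis_ubuntu24-04.yml", "sca_programs.yml"]))
```

Run it against the agent's ossec.log as well as the manager's: a policy pushed via agent.conf should show up as a "Loaded policy" line on the agent, and its absence there narrows the problem to the agent side.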