Consultation on Auditing and Policy Monitoring modules


Daniel Hinojo

Mar 19, 2021, 7:39:38 PM
to Wazuh mailing list
Good evening dear, I have been looking for information in the Wazuh documentation regarding the modules of Auditing and Policy Monitoring (Policy Monitoring, System Audit, Security Configuration Assessment), but I cannot get a clear concept of each one. I understand that rootcheck or another integration can be used to do it, but please, if you could tell me what each one is for and where it is in the documentation. Thanks

Alejandro Cuellar

Mar 22, 2021, 6:35:35 AM
to Wazuh mailing list
Here I tell you what each part is about; if you want to investigate a little more, I also attach our documentation for each part.
  • Policy monitoring
The rootcheck module can be used to enforce and monitor your security policy. This is the process of verifying that all systems conform to a set of predefined rules surrounding configuration settings and approved application usage.
https://documentation.wazuh.com/current/pci-dss/policy-monitoring.html
  • The Linux Audit System:
The Linux Audit System takes care of keeping track of what is happening in the operating system by listening to events based on pre-configured rules. Nevertheless, Audit does not provide additional security by itself; it is used with other tools to enhance security. In this article we will focus on how to monitor root actions on Linux using Auditd and Wazuh.
https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
  • The SCA module:
One of the most certain ways to secure hosts is by reducing their vulnerability surface. That process is commonly known as hardening, and configuration assessment is an effective way to determine opportunities where hosts could have their attack surface reduced, and here is where SCA comes into play.
SCA performs scans in order to discover exposures or misconfigurations in monitored hosts. Those scans assess the configuration of the hosts by means of policy files, which contain rules to be tested against the actual configuration of the host. For example, SCA could assess whether it is necessary to change password-related configuration, remove unnecessary software, disable unnecessary services, or audit the TCP/IP stack configuration.
https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/what_is_it.html

Daniel Hinojo

Apr 3, 2021, 6:52:45 PM
to Wazuh mailing list
Thanks for your answer. I understand then that the SCA is more complete for auditing and reviewing policies than the other two plugins?
I also have the following queries:
- The SCA is already installed by default, but on what policies or good practices is it based?
- I understand that it is through the PCI framework?
- Does it automatically assign and verify according to the agent's operating system?
- Can you add other validations or directives apart from the ones that come by default?
- Do these verifications generate an alert according to the level?

Alejandro Cuellar

Apr 13, 2021, 7:46:50 AM
to Wazuh mailing list
  • The SCA is already installed by default, but on what policies or good practices is it based?
Our SCA policy is based on security practices for NGINX, found on several security blogs that you can check in the Reference section here.
  • I understand that it is through the PCI framework?
Let me explain this: from the latest versions of Wazuh (3.9+), Security Configuration Assessment (SCA) provides pre-defined policies to help meet regulatory compliance such as HIPAA or PCI DSS, or to meet standards like CIS.
  • Does it automatically assign and verify according to the agent's operating system?
Yes indeed, for each operating system we have certain policies, which you can consult in the table here. These policies will not be executed in the event that an operating system other than the one required tries to execute them, as mentioned here:
If the requirements aren't satisfied for a specific policy file, the scan for that file won't start.
  • Can you add other validations or directives apart from the ones that come by default?
Of course, here is a link so you can see how to create custom SCA policies.
  • Do these verifications generate an alert according to the level?
In order to receive alerts, you will need to configure these; I attach this link so you can see how to do it.
Any other questions or queries, do not hesitate to contact us again.
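To make concrete how an SCA-style policy file is evaluated against a host (rules tested against the actual configuration, the requirements block gating whether the scan for that file starts at all, and one result per check that can then be alerted on), here is a small evaluator added as an illustration. It is not Wazuh's code and not the real SCA engine: the policy layout (policy / requirements / checks, `condition: all|any`, rules of the form `f:<path>` and `f:<path> -> r:<regex>`) is a simplified subset modelled on the documented SCA YAML shape, and the policy content and the in-memory stand-in for the filesystem are constructed for the example.

```python
import re

# Constructed stand-in for the host filesystem (path -> file contents), so the
# example runs offline. A real scanner would read the files from disk.
FAKE_FS = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/login.defs": "PASS_MAX_DAYS 365\nPASS_MIN_LEN 8\n",
}

# Constructed policy, modelled on the SCA layout (assumption, not a shipped policy):
# `requirements` decides whether this policy file is scanned on this host at all;
# `checks` are the individual hardening tests, each with its own all/any condition.
POLICY = {
    "policy": {"id": "example_ssh_hardening", "name": "Constructed SSH policy"},
    "requirements": {
        "condition": "any",
        "rules": ["f:/etc/ssh/sshd_config", "f:/etc/ssh/sshd_config.d"],
    },
    "checks": [
        {"id": 1, "title": "Root login over SSH is disabled", "condition": "all",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no"]},
        {"id": 2, "title": "Password authentication is disabled", "condition": "all",
         "rules": [r"f:/etc/ssh/sshd_config -> r:^PasswordAuthentication\s+no"]},
        {"id": 3, "title": "Password ageing and minimum length are set", "condition": "all",
         "rules": [r"f:/etc/login.defs -> r:^PASS_MAX_DAYS\s+\d+",
                   r"f:/etc/login.defs -> r:^PASS_MIN_LEN\s+\d+"]},
    ],
}


def eval_rule(rule, fs):
    """Evaluate a single rule (subset of the SCA rule syntax):
    `f:<path>`                 passes if the file exists;
    `f:<path> -> r:<regex>`    passes if any line of that file matches the regex."""
    if " -> " in rule:
        target, pattern = rule.split(" -> ", 1)
    else:
        target, pattern = rule, None
    if not target.startswith("f:"):
        raise ValueError(f"rule type not supported by this example: {rule}")
    path = target[2:]
    if path not in fs:
        return False  # missing file fails both the existence and the content test
    if pattern is None:
        return True
    if not pattern.startswith("r:"):
        raise ValueError(f"pattern type not supported by this example: {pattern}")
    regex = re.compile(pattern[2:])
    return any(regex.search(line) for line in fs[path].splitlines())


def eval_condition(condition, rules, fs):
    """Combine rule results with the block's condition: all rules or any rule."""
    results = [eval_rule(r, fs) for r in rules]
    if condition == "all":
        return all(results)
    if condition == "any":
        return any(results)
    raise ValueError(f"unknown condition: {condition}")


def run_policy(policy, fs):
    """Return None when the requirements are not met (the scan does not start),
    otherwise a dict mapping check id -> 'passed' / 'failed'."""
    req = policy["requirements"]
    if not eval_condition(req["condition"], req["rules"], fs):
        return None
    return {
        check["id"]: "passed" if eval_condition(check["condition"], check["rules"], fs) else "failed"
        for check in policy["checks"]
    }


def failed_checks(policy, fs):
    """Titles of failed checks: the subset a rule set would typically alert on."""
    results = run_policy(policy, fs) or {}
    return [c["title"] for c in policy["checks"] if results.get(c["id"]) == "failed"]


if __name__ == "__main__":
    for check_id, status in (run_policy(POLICY, FAKE_FS) or {}).items():
        print(f"check {check_id}: {status}")
    print("would alert on:", failed_checks(POLICY, FAKE_FS))
```

With the constructed `sshd_config` above, check 1 fails (root login is still allowed) while checks 2 and 3 pass; with an empty filesystem the requirements are not met and `run_policy` returns `None`, mirroring the documented behaviour that the scan for a policy file whose requirements are not satisfied does not start.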

Alejandro Cuellar

Apr 14, 2021, 2:13:09 AM
to Wazuh mailing list
Excuse me, my mistake, regarding the first question, our policies (not all) are based on CIS Benchmarks but not "NGINX". Sorry for the confusion.