New SCA policies


никита какдела

Jan 13, 2026, 3:57:46 AM
to Wazuh | Mailing List
Hello! 

Hi! I saw that Wazuh's SCA policies have been updated (https://github.com/wazuh/wazuh/tree/main/ruleset/sca/windows).
My question is, how can I centrally update policies on all my agents? I have multiple agents, all running different operating systems. Is there a way to update them centrally? If so, is there a manual or instructions?

никита какдела

Jan 13, 2026, 4:37:19 AM
to Wazuh | Mailing List
Through agents_upgrade?


Tuesday, January 13, 2026 at 11:57:46 AM UTC+3, никита какдела:

Md. Nazmur Sakib

Jan 13, 2026, 4:41:42 AM
to Wazuh | Mailing List

Hello,


You can share the SCA yml policy file from the manager to the agent’s endpoints and use agent group configuration to configure the policy.


First, you need to share the policy to the agent. For this, you need to enable remote file sharing from the agent. This is disabled by default, as when enabled it makes it possible for whoever is in control of the Wazuh Manager server to share any file to the endpoint.
For example, in Windows agents.

To enable this, go to your endpoint, open PowerShell as an administrator, and run this command.

notepad "C:\Program Files (x86)\ossec-agent\local_internal_options.conf"

Add this line at the end of the config file, and save the file.
sca.remote_commands=1


And restart the agent service.
Restart-Service -Name wazuh

If you configure this one time, now you will be able to configure any SCA policies to that endpoint from your Wazuh manager.

Do this on every endpoint you want to configure SCA policy remotely from the Manager.
Check this document to learn more about how to share policy files and configuration with the Wazuh agents.

Now ssh into your Wazuh manager and go to this directory.
cd /var/ossec/etc/shared/default/

And make an SCA YAML policy file.
nano win_custom_SCA.yml

Now copy the SCA script into this file.

And change the policy file ownership.

chown wazuh:wazuh /var/ossec/etc/shared/default/win_custom_SCA.yml


Now, add this policy configuration to the agent group configuration from the Wazuh manager. Make sure the agent belongs to that agent group.

/var/ossec/etc/shared/<agent_group_name>/agent.conf

<agent_config>
  <sca>
    <policies>
      <policy enabled="yes">C:\Program Files (x86)\ossec-agent\shared\win_custom_SCA.yml</policy>
    </policies>
  </sca>
</agent_config>


Check this document to learn more about agent group configuration.
https://documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html


Now you should be able to see the scan result of the agent.


Let me know if this works for you.
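The manager-side steps above as one script, added here as an example that is not from the thread or from Wazuh itself: it stages the policy in the agent group's shared directory, sets the ownership, writes the agent.conf block from the post, and refuses a policy that carries command (c:) rules, because with sca.remote_commands=1 those rules execute on every endpoint in the group. WAZUH_HOME is an assumed override so it can be dry-run outside /var/ossec, and the rule check is a plain grep over the file, not a YAML parser.

```bash
#!/bin/bash
# Added example, not code from the thread: stage a custom SCA policy in an
# agent group's shared directory on the manager and write the agent.conf that
# enables it on Windows agents (paths follow the post above). WAZUH_HOME is an
# assumed override so the script can be dry-run outside /var/ossec.
set -eu

WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"

# A policy pushed from the manager runs its "c:" (command) rules on every
# endpoint that has sca.remote_commands=1, so such rules get reviewed before
# the file is shared. Exit status 0 means the policy contains at least one.
policy_has_command_rules() {
  grep -Eq "^[[:space:]]*-[[:space:]]*['\"]?(not[[:space:]]+)?c:" "$1"
}

# Copy the policy into the group's shared dir with the ownership Wazuh expects
# and (re)write that group's agent.conf. An existing agent.conf is replaced,
# so back it up first if the group already carries other settings.
# Usage: WAZUH_HOME=/var/ossec deploy_sca_policy default ./win_custom_SCA.yml
deploy_sca_policy() {
  local group="$1" policy="$2"
  local shared="$WAZUH_HOME/etc/shared/$group"
  local name
  name=$(basename "$policy")
  if policy_has_command_rules "$policy"; then
    echo "refusing to share $policy: it contains c: (command) rules" >&2
    return 1
  fi
  mkdir -p "$shared"
  cp "$policy" "$shared/$name"
  chown wazuh:wazuh "$shared/$name" 2>/dev/null || true  # no-op when not root
  cat > "$shared/agent.conf" <<EOF
<agent_config>
  <sca>
    <policies>
      <policy enabled="yes">C:\\Program Files (x86)\\ossec-agent\\shared\\$name</policy>
    </policies>
  </sca>
</agent_config>
EOF
}
```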

Md. Nazmur Sakib

Jan 13, 2026, 4:48:59 AM
to Wazuh | Mailing List

You can upgrade your agents to get the updated policies after the update. But please keep in mind that agent versions should be less than or equal to the manager version to work properly.

You can also update the policy from the manager with the following steps I have explained in the above message. You need to enable the new policy and disable the old one.

Ref: Enabling and disabling policies


Let me know if you need any further information.

никита какдела

Jan 15, 2026, 10:03:42 AM
to Wazuh | Mailing List
After updating the Manager to v4.14.2 I can't update agents. Now I get this message:
Failed upgrades:
Agent 185 status: Timeout reached while waiting for the response from the agent, check the result manually on the agent for more information
What should I check?
Tuesday, January 13, 2026 at 12:48:59 PM UTC+3, Md. Nazmur Sakib:

Md. Nazmur Sakib

Jan 22, 2026, 12:43:22 AM
to Wazuh | Mailing List
This can happen due to a connectivity issue or if the agent cannot properly communicate with the manager during the agent remote upgrade.
Also, check the ossec logs from the agent and the manager during the upgrade to get more information on this.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"


Let me know if you need any further help with the agent upgrade.