Closed marcin2383838383 closed 3 years ago
Hi @mradaszewski92,
Sorry for the late reply. In order to use this endpoint properly, you can first check the policies of an agent with the following endpoint:
curl --request GET --url https://localhost:55040/sca/001?pretty=true --header TOKEN
{
  "data": {
    "affected_items": [
      {
        "references": "https://www.cisecurity.org/cis-benchmarks/",
        "invalid": 37,
        "hash_file": "33173218b401a0f759cf96908e59f78e7f9a0147cf24dcdf4d6ccc46fe393d9f",
        "fail": 94,
        "score": 38,
        "pass": 60,
        "end_scan": "2021-08-30T08:26:45Z",
        "description": "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 10.",
        "total_checks": 191,
        "start_scan": "2021-08-30T08:26:45Z",
        "policy_id": "cis_debian10",
        "name": "CIS Benchmark for Debian/Linux 10"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All selected sca information was returned",
  "error": 0
}
In this case, the information in the SCA database of agent 001 is returned. After checking this, we perform the request to the endpoint that you indicate, specifying the policy_id value, in this case cis_debian10:
curl --request GET --url https://localhost:55040/sca/001/checks/cis_debian10?pretty=true --header TOKEN
{
  "condition": "all",
  "result": "",
  "remediation": "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vi /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs",
  "title": "Ensure mounting of freevxfs filesystems is disabled",
  "policy_id": "cis_debian10",
  "status": "Not applicable",
  "rationale": "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.",
  "description": "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.",
  "command": "/sbin/modprobe -n -v freevxfs,lsmod",
  "reason": "Invalid path or wrong permissions to run command '/sbin/modprobe -n -v freevxfs'",
  "id": 2500,
  "compliance": [
    {
      "key": "cis",
      "value": "1.1.1.1"
    },
    {
      "key": "cis_csc",
      "value": "5.1"
    },
    {
      "key": "pci_dss",
      "value": "2.2.5"
    },
    {
      "key": "tsc",
      "value": "CC6.3"
    }
  ],
  "rules": [
    {
      "type": "command",
      "rule": "c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true"
    },
This will return the policy monitoring alerts for the specified policy. For more information you can check the API specification here: https://documentation.wazuh.com/4.1/user-manual/api/reference.html#tag/SCA
If you have any other questions, do not hesitate to ask. I recommend you use Wazuh's community channels for future questions: Slack and Google Groups.
Regards
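The two-step lookup from the reply above, written out as an added example (this is not Wazuh's code and not part of the original thread): step one lists the policies in the agent's SCA database, step two fetches each policy's checks using the policy_id as the path parameter, and the result is filtered down to the checks whose result is "failed". The HTTP call is injected as a function so the logic runs offline against constructed samples; the `offline_fetch` stand-in returns an empty `affected_items` list for any path it does not know, which is what the API shows when a title or other value is used where the policy_id belongs. Assumptions: `API_BASE` reuses the host and port from the curl commands above, `http_fetch` expects a JWT obtained from the API's `/security/user/authenticate` endpoint (the `--header TOKEN` placeholder above stands for that `Authorization: Bearer` header), and checks 2501 and 2502 in the sample are made up so that every result value appears.

```python
"""Two-step Wazuh SCA lookup (added example, not Wazuh's own code): list an
agent's SCA policies, then fetch each policy's checks by policy_id and keep
the failing ones. The HTTP layer is injected so everything runs offline."""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

API_BASE = "https://localhost:55040"  # host/port from the curl commands above
Fetch = Callable[[str], dict]         # url -> decoded JSON body

# Constructed sample: the shape of GET /sca/{agent_id} shown in the reply.
SAMPLE_POLICIES: dict = {
    "data": {
        "affected_items": [
            {"policy_id": "cis_debian10",
             "name": "CIS Benchmark for Debian/Linux 10",
             "pass": 60, "fail": 94, "invalid": 37, "total_checks": 191, "score": 38}
        ],
        "total_affected_items": 1, "total_failed_items": 0, "failed_items": [],
    },
    "message": "All selected sca information was returned",
    "error": 0,
}

# Constructed sample: GET /sca/{agent_id}/checks/{policy_id}, trimmed to the
# fields used below. Check 2500 is the one quoted in the reply; 2501 and 2502
# are made-up neighbours so each result value ("", "failed", "passed") appears.
SAMPLE_CHECKS: dict = {
    "data": {
        "affected_items": [
            {"id": 2500, "title": "Ensure mounting of freevxfs filesystems is disabled",
             "result": "", "status": "Not applicable",
             "compliance": [{"key": "cis", "value": "1.1.1.1"}]},
            {"id": 2501, "title": "Ensure mounting of jffs2 filesystems is disabled",
             "result": "failed", "compliance": [{"key": "cis", "value": "1.1.1.2"}]},
            {"id": 2502, "title": "Ensure mounting of hfs filesystems is disabled",
             "result": "passed", "compliance": [{"key": "cis", "value": "1.1.1.3"}]},
        ],
        "total_affected_items": 3,
    },
    "error": 0,
}


def http_fetch(token: str, verify_tls: bool = True) -> Fetch:
    """Real fetcher: GET with the JWT (what `--header TOKEN` stands for above).
    verify_tls=False mirrors curl -k for a self-signed manager certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return fetch


def offline_fetch(url: str) -> dict:
    """Stand-in fetcher over the constructed samples. Any other path, e.g. a
    check title used where a policy_id belongs, yields the empty response the
    reporter saw rather than an error."""
    if url == f"{API_BASE}/sca/001":
        return SAMPLE_POLICIES
    if url == f"{API_BASE}/sca/001/checks/cis_debian10":
        return SAMPLE_CHECKS
    return {"data": {"affected_items": [], "total_affected_items": 0}, "error": 0}


def policy_ids(policies_response: dict) -> List[str]:
    """Step 1: the policy_id values stored in the agent's SCA database."""
    return [p["policy_id"] for p in policies_response["data"]["affected_items"]]


def checks_url(agent_id: str, policy_id: str, base: str = API_BASE) -> str:
    """Step 2 URL: the path parameter is the policy_id, not the policy name."""
    return f"{base}/sca/{agent_id}/checks/{policy_id}"


def failing_checks(checks_response: dict) -> List[dict]:
    """Keep only checks whose result is "failed"; "" (not applicable) and
    "passed" are dropped. Returns id, title and the CIS control number."""
    out = []
    for c in checks_response["data"]["affected_items"]:
        if c.get("result") != "failed":
            continue
        cis = [k["value"] for k in c.get("compliance", []) if k["key"] == "cis"]
        out.append({"id": c["id"], "title": c["title"], "cis": cis[0] if cis else None})
    return out


def sca_failures(agent_id: str, fetch: Fetch, base: str = API_BASE) -> Dict[str, List[dict]]:
    """Run both steps and map each policy_id to its failing checks."""
    policies = fetch(f"{base}/sca/{agent_id}")
    if policies.get("error"):
        raise RuntimeError(f"SCA policy listing failed: {policies.get('message')}")
    return {pid: failing_checks(fetch(checks_url(agent_id, pid, base)))
            for pid in policy_ids(policies)}


if __name__ == "__main__":
    # Offline demo; against a live manager use fetch=http_fetch(token, verify_tls=False)
    for pid, fails in sca_failures("001", offline_fetch).items():
        print(pid, json.dumps(fails, indent=2))
```

Swapping `offline_fetch` for `http_fetch(token)` is the only change needed to run this against a manager; keeping the filter client-side means the script does not depend on any particular query parameter being available in a given API version.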
Closed this issue due to inactivity. If you need more help, feel free to reopen this issue
Wazuh: 4.1.5 Agent: 4.1.3 OS: Redhat Enterprise Edition 7.9
Hello team
I want to know which configuration files do not satisfy my hardening, and I use /sca/{agent:id}/checks/{:id} for that. But when I make a request, I get an empty response every time. None of the values I passed as a parameter work, be it a title or an alphanumeric value, even though I have a valid JWT token.