Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCA refactor tier 1 #582

Open
davidjiglesias opened this issue Feb 7, 2025 · 0 comments
Open

SCA refactor tier 1 #582

davidjiglesias opened this issue Feb 7, 2025 · 0 comments
Assignees
@vikman90
Labels
level/objective Objective issue module/sca Security Compliance Assessment type/enhancement Enhancement issue

Comments

@davidjiglesias
Copy link
Member

davidjiglesias commented Feb 7, 2025
edited by vikman90
Loading

Description

This issue tracks the porting of the Security Compliance Assessment (SCA) module to the new agent architecture. This involves refactoring the existing module to leverage the new agent's capabilities, including persistent state, stateful/stateless messaging, and alignment with the new data model.

Functional Requirements

  • The agent must maintain a persistent internal state.
  • This state must be synchronized to the Indexer via stateful messages.
  • The module must report check result change events via stateless messages.
  • The module must execute scans periodically, with configurable intervals.
  • Existing 4.x policies must be supported (same format).
  • Policy execution behavior must remain consistent with 4.x.
  • The module must support graceful shutdown during scans.
  • Initial policy development for the following operating systems:
    • Amazon Linux 2023
    • Ubuntu 24.04
    • macOS 15 Sequoia
    • Windows 11

Non-Functional Requirements

  • The module must function on Tier 1 supported operating systems.
  • Data stored in the internal state and reported to the server must conform to ECS schema.

Implementation Restrictions

  • The internal state must be implemented using the DBsync library.
  • Policies are assumed to be present on the agent (may be revisited).
  • The module will be developed from scratch:
    • C++ 20 and coroutines.
    • Leverage code from the existing 4.x implementation.

Testing

  • Comprehensive integration tests will be developed to ensure the module functions correctly within the new agent framework and across supported operating systems.

Plan

  1. Design the SCA module architecture.
  2. Design the necessary configuration schema.
  3. Design the database schema for DBsync.
  4. Implement the configuration parser.
  5. Develop the SCA module:
    a. Implement a coroutine for parsing SCA policies (YAML).
    b. Implement a coroutine for scan execution.
    c. Integrate the module with DBsync.
    d. Develop initial policies.
  6. Create integration tests.
  7. Add development documentation.

Future Lines (Tier 2)

  • Agent-side policy retrieval.
  • Policy signing.
  • Determine default out-of-the-box policies.
  • Management API: SCA endpoints.
  • Content Manager extension.
  • SCA Provider implementation.

Let me know if you'd like any adjustments or additions to this issue!
@davidjiglesias davidjiglesias added level/objective Objective issue type/enhancement Enhancement issue labels Feb 7, 2025
@vikman90 vikman90 self-assigned this Feb 7, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Feb 11, 2025
@wazuhci wazuhci moved this to Backlog in Roadmap Feb 11, 2025
@TomasTurina TomasTurina added the module/sca Security Compliance Assessment label Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vikman90 vikman90

Labels
level/objective Objective issue module/sca Security Compliance Assessment type/enhancement Enhancement issue
Projects
Roadmap
Status: Backlog
XDR+SIEM/Release 5.0.0
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vikman90 @TomasTurina @davidjiglesias