Fix custom sca policies remote checks

The config option to allow for remote commands needs to be set
on the agents, not the manager. This fixes many benchmarks being
makred as not applicable.

Author: MoteHue

etc/kayobe/ansible/wazuh-manager.yml

@@ -33,16 +33,6 @@
           register: custom_sca_policies
           when: custom_sca_policies_folder.stat.exists
 
-        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
-          blockinfile:
-            path: "/var/ossec/etc/local_internal_options.conf"
-            state: present
-            owner: wazuh
-            group: wazuh
-            block: |
-              sca.remote_commands=1
-          when: custom_sca_policies.files | length > 0
-
         - name: Copy custom SCA policy files to Wazuh manager
           copy:
             # Note the trailing slash to copy directory contents
@@ -125,3 +115,40 @@
       service:
         name: wazuh-dashboard
         state: restarted
+
+- hosts: wazuh-agent
+  become: yes
+  become_user: root
+  tasks:
+    - name: Check if custom SCA policies directory exists
+      stat:
+        path: "{{ local_custom_sca_policies_path }}"
+      register: custom_sca_policies_folder
+      delegate_to: localhost
+      become: no
+
+    - name: Gather list of custom SCA policies
+      find:
+        paths: "{{ local_custom_sca_policies_path }}"
+        patterns: '*.yml'
+      delegate_to: localhost
+      register: custom_sca_policies
+      when: custom_sca_policies_folder.stat.exists
+
+    - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+      blockinfile:
+        path: "/var/ossec/etc/local_internal_options.conf"
+        state: present
+        owner: wazuh
+        group: wazuh
+        block: |
+          sca.remote_commands=1
+      when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh-agent
+
+  handlers:
+    - name: Restart wazuh-agent
+      service:
+        name: wazuh-agent
+        state: restarted

etc/kayobe/inventory/group_vars/all/wazuh

@@ -0,0 +1,3 @@
+---
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -24,9 +24,6 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
-# Ansible custom SCA policies directory
-local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
-
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"