From 3ef34f1c28d2ecabd25edc55ce8fa480eaad43df Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Mon, 24 Jul 2017 23:23:39 -0400
Subject: [PATCH 1/7] Wazuh manager: control more syscheck options.

---
 ansible-wazuh-manager/defaults/main.yml | 26 +++++++++++++++++--
 .../var-ossec-etc-ossec-server.conf.j2 | 22 +++++++++-------
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml
index b598c053..047ebcb2 100644
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@@ -7,8 +7,30 @@ wazuh_manager_config:
 - admin@example.net
 mail_smtp_server: localhost
 mail_from: wazuh-server@example.com
- frequency_check: 43200
- syscheck_scan_on_start: 'yes'
+ syscheck:
+ frequency: 43200
+ scan_on_start: 'yes'
+ ignore:
+ - /etc/mtab
+ - /etc/mnttab
+ - /etc/hosts.deny
+ - /etc/mail/statistics
+ - /etc/random-seed
+ - /etc/random.seed
+ - /etc/adjtime
+ - /etc/httpd/logs
+ - /etc/utmpx
+ - /etc/wtmpx
+ - /etc/cups/certs
+ - /etc/dumpdates
+ - /etc/svc/volatile
+ no_diff:
+ - /etc/ssl/private.key
+ directories:
+ - dirs: /etc,/usr/bin,/usr/sbin
+ checks: 'check_all="yes"'
+ - dirs: /bin,/sbin
+ checks: 'check_all="yes"'
 log_level: 1
 email_level: 12
 ignore_files:
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 348c9cf1..9dbc023e 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -89,23 +89,27 @@ - {{ wazuh_manager_config.frequency_check }} - {{ wazuh_manager_config.syscheck_scan_on_start }} + {{ wazuh_manager_config.syscheck.frequency }} + {{ wazuh_manager_config.syscheck.scan_on_start }} -{% for directory in wazuh_manager_config.directories %} - {{ directory.dirs }} -{% endfor %} + {% if wazuh_manager_config.syscheck.directories is defined %} + {% for directory in wazuh_manager_config.syscheck.directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} - {% for ignore_file in wazuh_manager_config.ignore_files %} - {{ ignore_file }} + {% if wazuh_manager_config.syscheck.ignore is defined %} + {% for ignore in wazuh_manager_config.syscheck.ignore %} + {{ ignore }} {% endfor %} + {% endif %} - {% for no_diff in wazuh_manager_config.no_diff %} +{% for no_diff in wazuh_manager_config.syscheck.no_diff %} {{ no_diff }} - {% endfor %} +{% endfor %} {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} From c1156bb7577b9611925254fd235df811a98def94 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Mon, 24 Jul 2017 23:26:07 -0400 Subject: [PATCH 2/7] Wazuh manager: define rootcheck frequency. --- ansible-wazuh-manager/defaults/main.yml | 23 ++----------------- .../var-ossec-etc-ossec-server.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 22 deletions(-) diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index 047ebcb2..66eaf7ec 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml 
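Review bot: The `no_diff` loop is the only one of the three syscheck loops in this hunk not wrapped in an `is defined` guard, so a user who overrides `wazuh_manager_config.syscheck` without a `no_diff` key gets a template render failure instead of an empty section. Wrapping it the same way as the `ignore` and `directories` loops, `{% if wazuh_manager_config.syscheck.no_diff is defined %}` … `{% endif %}`, keeps the three consistent. The syscheck block this hunk edits starts before the hunk.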
@@ -31,29 +31,10 @@ wazuh_manager_config:
 checks: 'check_all="yes"'
 - dirs: /bin,/sbin
 checks: 'check_all="yes"'
+ rootcheck:
+ frequency: 43200
 log_level: 1
 email_level: 12
- ignore_files:
- - /etc/mtab
- - /etc/mnttab
- - /etc/hosts.deny
- - /etc/mail/statistics
- - /etc/random-seed
- - /etc/random.seed
- - /etc/adjtime
- - /etc/httpd/logs
- - /etc/utmpx
- - /etc/wtmpx
- - /etc/cups/certs
- - /etc/dumpdates
- - /etc/svc/volatile
- no_diff:
- - /etc/ssl/private.key
- directories:
- - check_all: 'yes'
- dirs: /etc,/usr/bin,/usr/sbin
- - check_all: 'yes'
- dirs: /bin,/sbin
 localfiles:
 - format: 'syslog'
 location: '/var/log/messages'
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 9dbc023e..ff41ce36 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -74,7 +74,7 @@ yes - 43200 + {{ wazuh_manager_config.rootcheck.frequency }} /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt
From aaca36420d98a511fc140cf02b78138ec6e79aa3 Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Mon, 24 Jul 2017 23:52:34 -0400
Subject: [PATCH 3/7] Wazuh manager: OpenSCAP Install libopenscap8 in Debian/Ubuntu Set wodle values like: timeout, interval and scan-on-start Refactoring ossec.conf template

---
 ansible-wazuh-manager/defaults/main.yml | 4 +
 ansible-wazuh-manager/tasks/Debian.yml | 8 ++
 .../var-ossec-etc-ossec-server.conf.j2 | 93 +++++++------------
 3 files changed, 47 insertions(+), 58 deletions(-)

diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml
index 66eaf7ec..a5b7f1ee 100644
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@@ -33,6 +33,10 @@ wazuh_manager_config:
 checks: 'check_all="yes"'
 rootcheck:
 frequency: 43200
+ openscap:
+ timeout: 1800
+ interval: '1d'
+ scan_on_start: 'yes'
 log_level: 1
 email_level: 12
 localfiles:
diff --git a/ansible-wazuh-manager/tasks/Debian.yml b/ansible-wazuh-manager/tasks/Debian.yml
index f96f07ce..da7d916e 100644
--- a/ansible-wazuh-manager/tasks/Debian.yml
+++ b/ansible-wazuh-manager/tasks/Debian.yml
@@ -26,3 +26,11 @@
 - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
 set_fact:
 cis_distribution_filename: cis_debian_linux_rcl.txt
+
+- name: Debian/Ubuntu | Install OpenScap
+ package: name={{ item }} state=present
+ with_items:
+ - libopenscap8
+ - xsltproc
+ tags:
+ - init
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index ff41ce36..9669c847 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
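Review bot: The new install task in tasks/Debian.yml uses the `key=value` shorthand `package: name={{ item }} state=present`, while the task just above it (`set_fact:` with a nested key) is written in block YAML; the mixed forms make the file harder to lint and leave the Jinja expression unquoted inside a plain scalar. Writing it as `package:` / `name: "{{ item }}"` / `state: present` matches the surrounding style. The same shorthand appears in the service and fail tasks added later in this series.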
@@ -112,73 +112,50 @@ {% endfor %} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} no - 1800 - 1d - yes - + {{ wazuh_manager_config.openscap.timeout }} + {{ wazuh_manager_config.openscap.interval }} + {{ wazuh_manager_config.openscap.scan_on_start }} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} - - no - 1800 - 1d - yes - + {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} xccdf_org.ssgproject.content_profile_common - - - {% elif ansible_distribution == 'CentOS' %} - - no - 1800 - 1d - yes - - {% if ansible_distribution_major_version == '7' %} - - {% elif ansible_distribution_major_version == '6' %} - + + + {% elif ansible_distribution == 'CentOS' %} + {% if ansible_distribution_major_version == '7' %} + + {% elif ansible_distribution_major_version == '6' %} + + {% endif %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution == 'RedHat' %} + {% if ansible_distribution_major_version == '7' %} + + {% elif ansible_distribution_major_version == '6' %} + + {% endif %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% if ansible_distribution_major_version == '7' %} + + {% elif ansible_distribution_major_version == '6' %} + + {% endif %} + {% elif ansible_distribution == 'Fedora' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + {% endif %} - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution == 'RedHat' %} - - no - 1800 - 1d - yes - - {% if ansible_distribution_major_version == '7' %} - - {% elif ansible_distribution_major_version == '6' %} - - {% endif %} - 
xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution == 'Fedora' %} - - no - 1800 - 1d - yes - - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - - {% endif %} {% if agentless_creeds is defined %} {% for agentless in agentless_creeds %}
From 63f3eb3c243f2e5fa208783ad385a46e9f6be93b Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Tue, 25 Jul 2017 00:04:15 -0400
Subject: [PATCH 4/7] Wazuh manager: Enable or not ossec-authd (default: disabled)

---
 ansible-wazuh-manager/defaults/main.yml | 1 +
 ansible-wazuh-manager/tasks/main.yml | 21 +++++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml
index a5b7f1ee..5a0d7b67 100644
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@@ -2,6 +2,7 @@
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_config:
+ enable_authd: false
 email_notification: no
 mail_to:
 - admin@example.net
diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml
index ebc5341d..5e000f40 100644
--- a/ansible-wazuh-manager/tasks/main.yml
+++ b/ansible-wazuh-manager/tasks/main.yml
@@ -106,7 +106,10 @@ owner=root group=root mode=0755
- when: ansible_service_mgr == "upstart" and ansible_os_family != "CoreOS"
+ when:
+ - ansible_service_mgr == "upstart"
+ - ansible_os_family != "CoreOS"
+ - wazuh_manager_config.enable_authd == true
 tags:
 - init
 - config
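Review bot: The refactor in this hunk emits the open-scap wodle's disabled/timeout/interval/scan_on_start values before the distribution `{% if %}` chain, so, as far as the stripped template shows, the wodle is now rendered on every host, including distributions that match none of the branches, where the old layout only produced it inside a matching branch. Such a host would get an enabled wodle with no content entries; if that is not intended, wrap the whole block in the same distribution test or render it disabled when no branch matched. The hunk also removes the per-branch `{% endif %}` structure, so the closing of the wodle now depends on the single `{% endif %}` at the end.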
@@ -115,11 +118,20 @@
 template:
 src: ossec-authd.service
 dest: /lib/systemd/system/ossec-authd.service
- when: ansible_service_mgr == "systemd" and ansible_os_family != "CoreOS"
+ when:
+ - ansible_service_mgr == "systemd"
+ - ansible_os_family != "CoreOS"
+ - wazuh_manager_config.enable_authd == true
 tags:
 - init
 - config
+- name: Ensure ossec-authd service is started and enabled
+ service: name=ossec-authd enabled=yes state=started
+ when: wazuh_manager_config.enable_authd == true
+ tags:
+ - config
+
 - name: Wazuh-api User
 template:
 src: api_user.j2
@@ -145,7 +157,7 @@
 shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
 when: agentless_creeds is defined
-- name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled
+- name: Ensure Wazuh Manager, wazuh api service is started and enabled
 service:
 name: "{{ item }}"
 enabled: yes
@@ -153,7 +165,8 @@ with_items:
 - wazuh-manager
 - wazuh-api
- - ossec-authd
+ tags:
+ - config
 - include: "RMRedHat.yml"
 when: ansible_os_family == "RedHat"
From d5eb54a01bccffa63a1f751802c22297b71c14b0 Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Tue, 25 Jul 2017 00:33:41 -0400
Subject: [PATCH 5/7] Wazuh manager: adding the ability to configure daily reports.

---
 .../var-ossec-etc-ossec-server.conf.j2 | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 9669c847..1ffa2d81 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
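Review bot: The new "Ensure ossec-authd service is started and enabled" task only ever starts and enables the daemon; nothing stops or disables it when `enable_authd` is false, so a host provisioned before this change, or one where the flag is later turned off, keeps the agent-registration service running and its unit enabled even though the new default is disabled. A companion task with `state: stopped` and `enabled: no` under `when: not (wazuh_manager_config.enable_authd | bool)`, skipped when the unit was never installed, would make the flag authoritative. Separately, `wazuh_manager_config.enable_authd == true` is false for a string override such as `'yes'`; `wazuh_manager_config.enable_authd | bool` handles both forms, here and in the two `when:` lists added for the upstart and systemd unit tasks.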
@@ -47,6 +47,23 @@ {% endif %} {% endfor %} +{% endif %} + +{% if wazuh_manager_config.reports is defined %} +{% for report in wazuh_manager_config.reports %} + + {{ report.category }} + {{ report.title }} + {{ report.email_to }} + {% if report.location is defined %}{{ report.location }}{% endif %} + {% if report.group is defined %}{{ report.group }}{% endif %} + {% if report.rule is defined %}{{ report.rule }}{% endif %} + {% if report.level is defined %}{{ report.level }}{% endif %} + {% if report.srcip is defined %}{{ report.srcip }}{% endif %} + {% if report.user is defined %}{{ report.user }}{% endif %} + {% if report.showlogs is defined %}{{ report.showlogs }}{% endif %} + +{% endfor %} {% endif %} From 263ceebded2658e4ea1dbc4e7139f95d328d4162 Mon Sep 17 00:00:00 2001 From: Miguelangel Freitas Date: Tue, 25 Jul 2017 00:56:51 -0400 Subject: [PATCH 6/7] Wazuh manager: switch between log output types. --- ansible-wazuh-manager/defaults/main.yml | 3 +++ ansible-wazuh-manager/tasks/main.yml | 9 +++++++++ .../templates/var-ossec-etc-ossec-server.conf.j2 | 5 +++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index 5a0d7b67..c5d2e9dc 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -2,6 +2,9 @@ wazuh_manager_fqdn: "wazuh-server" wazuh_manager_config: + json_output: 'yes' + alerts_log: 'yes' + logall: 'no' enable_authd: false email_notification: no mail_to: diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index 5e000f40..bff50411 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml 
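Review bot: `report.title`, `report.email_to` and the optional report fields are interpolated into the XML config unescaped, so a title containing `&` or `<` yields an ossec.conf the manager cannot parse at start. Applying Jinja's escape filter, e.g. `{{ report.title | e }}`, covers the XML metacharacters; the same applies to each of the other per-report values in this hunk. The conditional closed by the added `{% endif %}` at the top of the hunk starts before it.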
@@ -89,6 +89,15 @@
 - name: Retrieving Wazuh-api User Credentials
 include_vars: wazuh_api_creds.yml
+- name: Checking alert log output settings
+ fail: msg="Please enable json_output or alerts_log options."
+ when:
+ - wazuh_manager_config.json_output == 'no'
+ - wazuh_manager_config.alerts_log == 'no'
+ tags:
+ - init
+ - config
+
 - name: Configure ossec.conf
 template: src=var-ossec-etc-ossec-server.conf.j2 dest=/var/ossec/etc/ossec.conf
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 1ffa2d81..4c19e0ab 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -6,8 +6,9 @@ - yes - yes + {{ wazuh_manager_config.json_output }} + {{ wazuh_manager_config.alerts_log }} + {{ wazuh_manager_config.logall }} {% if wazuh_manager_config.email_notification | lower == "yes" %} yes {% else %}
From 972ffee9a9aa61a3db2b0d239d706f314413e1f1 Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas
Date: Tue, 25 Jul 2017 20:04:45 -0400
Subject: [PATCH 7/7] Wazuh manager: check openscap version.

---
 ansible-wazuh-manager/tasks/Debian.yml | 14 ++++++++++++++
 .../templates/var-ossec-etc-ossec-server.conf.j2 | 10 ++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ansible-wazuh-manager/tasks/Debian.yml b/ansible-wazuh-manager/tasks/Debian.yml
index da7d916e..b051acd3 100644
--- a/ansible-wazuh-manager/tasks/Debian.yml
+++ b/ansible-wazuh-manager/tasks/Debian.yml
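Review bot: The new fail guard compares both settings to the string `'no'`, so an override written as an unquoted `json_output: no` (a YAML boolean) or as `No` passes the check, and the template hunk in this same patch then renders `False` into the config rather than `no`, which the manager does not accept. Normalising before comparing, `- wazuh_manager_config.json_output | string | lower == 'no'` and likewise for `alerts_log`, closes that gap; alternatively test both with `| bool` and have the template emit `yes`/`no` from the boolean. Since the template also emits `logall` from the same kind of value, the same normalisation applies there.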
@@ -34,3 +34,17 @@
 - xsltproc
 tags:
 - init
+
+- name: Debian/Ubuntu | Get OpenScap installed version
+ shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
+ register: openscap_version
+ changed_when: true
+ tags:
+ - config
+
+- name: Debian/Ubuntu | Check OpenScap version
+ shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
+ register: openscap_version_valid
+ changed_when: true
+ tags:
+ - config
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 4c19e0ab..6a421309 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -125,9 +125,9 @@ {% endif %} -{% for no_diff in wazuh_manager_config.syscheck.no_diff %} + {% for no_diff in wazuh_manager_config.syscheck.no_diff %} {{ no_diff }} -{% endfor %} + {% endfor %}
@@ -135,14 +135,16 @@ {{ wazuh_manager_config.openscap.timeout }} {{ wazuh_manager_config.openscap.interval }} {{ wazuh_manager_config.openscap.scan_on_start }} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} xccdf_org.ssgproject.content_profile_common {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %} + {% if openscap_version_valid.stdout == "0" %} xccdf_org.ssgproject.content_profile_common - + + {% endif %} {% elif ansible_distribution == 'CentOS' %} {% if ansible_distribution_major_version == '7' %}
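Review bot: Both new tasks in tasks/Debian.yml set `changed_when: true` on read-only queries, so every run reports a change on Debian/Ubuntu hosts and any handler keyed on change status fires needlessly; both should be `changed_when: false`. The version check also hides its result in `echo $?` text, and because the first task has no `failed_when`, a host without libopenscap8 fails the play before `openscap_version_valid` is ever set. Running the comparison as `command: dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'` with `failed_when: false` and `changed_when: false` gives the template a return code to test (`openscap_version_valid.rc == 0`) instead of a stdout string; the template branch that consumes this variable is in the last hunk of this patch, which runs past the end of the visible text.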