Adding some changes from Wazuh manager

ansible-wazuh-agent/defaults/main.yml

@@ -1,11 +1,12 @@
 ---
 wazuh_manager_ip: 127.0.0.1
 wazuh_authd_port: 1515
-wazuh_register_client: true
+wazuh_register_client: false
 wazuh_agent_config:
-  frequency_check: 43200
+  syscheck:
-  syscheck_scan_on_start: 'yes'
+    frequency: 43200
-  ignore_files:
+    scan_on_start: 'yes'
+    ignore:
       - /etc/mtab
       - /etc/mnttab
       - /etc/hosts.deny
@@ -22,10 +23,16 @@ wazuh_agent_config:
     no_diff:
       - /etc/ssl/private.key
     directories:
-    - check_all: 'yes'
+      - dirs: /etc,/usr/bin,/usr/sbin
-      dirs: /etc,/usr/bin,/usr/sbin
+        checks: 'check_all="yes"'
-    - check_all: 'yes'
+      - dirs: /bin,/sbin
-      dirs: /bin,/sbin
+        checks: 'check_all="yes"'
+  rootcheck:
+    frequency: 43200
+  openscap:
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
   localfiles:
     - format: 'syslog'
       location: '/var/log/messages'

ansible-wazuh-agent/tasks/Debian.yml

@@ -3,9 +3,10 @@
   apt: name="{{ item }}" state=present update_cache=yes
   with_items:
     - apt-transport-https
+    - ca-certificates
 
 - name: Debian/Ubuntu | Installing repository key
-  shell: curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+  apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 
 - name: Debian/Ubuntu | Add Wazuh repositories
   apt_repository:
@@ -13,7 +14,29 @@
     state: present
     update_cache: yes
 
-- name: Set Distribution CIS filename for debian
+- name: Debian/Ubuntu | Set Distribution CIS filename for debian
   set_fact:
     cis_distribution_filename: cis_debian_linux_rcl.txt
   when: ansible_os_family == "Debian"
+
+- name: Debian/Ubuntu | Install OpenScap
+  package: name={{ item }} state=present
+  with_items:
+    - libopenscap8
+    - xsltproc
+  tags:
+    - init
+
+- name: Debian/Ubuntu | Get OpenScap installed version
+  shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
+  register: openscap_version
+  changed_when: true
+  tags:
+    - config
+
+- name: Debian/Ubuntu | Check OpenScap version
+  shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
+  register: openscap_version_valid
+  changed_when: true
+  tags:
+    - config

ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -25,8 +25,8 @@
     <check_ports>yes</check_ports>
     <check_if>yes</check_if>
 
-    <!-- Rootcheck scan frequency -->
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
+    <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
 
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
@@ -40,26 +40,77 @@
   </rootcheck>
 
   <syscheck>
-    <!-- Syscgeck scan frequency -->
+    <!-- Frequency that syscheck is executed -- default every 20 hours -->
-    <frequency>{{ wazuh_agent_config.frequency_check }}</frequency>
+    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
-    <scan_on_start>{{ wazuh_agent_config.syscheck_scan_on_start }}</scan_on_start>
+    <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
 
-    <!-- Directories to monitor -->
+    <!-- Directories to check  (perform all possible verifications) -->
-    {% for directory in wazuh_agent_config.directories %}
+    {% if wazuh_agent_config.syscheck.directories is defined %}
-    <directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
+    {% for directory in wazuh_agent_config.syscheck.directories %}
+    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
     {% endfor %}
+    {% endif %}
 
     <!-- Files/directories to ignore -->
-    {% for ignore_file in wazuh_agent_config.ignore_files %}
+    {% if wazuh_agent_config.syscheck.ignore is defined %}
-    <ignore>{{ ignore_file }}</ignore>
+    {% for ignore in wazuh_agent_config.syscheck.ignore %}
+    <ignore>{{ ignore }}</ignore>
     {% endfor %}
+    {% endif %}
 
     <!-- Files no diff -->
-    {% for no_diff in wazuh_agent_config.no_diff %}
+    {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
     <nodiff>{{ no_diff }}</nodiff>
     {% endfor %}
   </syscheck>
 
+  <wodle name="open-scap">
+    <disabled>no</disabled>
+    <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
+    <interval>{{ wazuh_agent_config.openscap.interval }}</interval>
+    <scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
+    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
+    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
+      <profile>xccdf_org.ssgproject.content_profile_common</profile>
+    </content>
+    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
+    {% if openscap_version_valid.stdout == "0" %}
+    <content type="xccdf" path="ssg-debian-8-ds.xml">
+      <profile>xccdf_org.ssgproject.content_profile_common</profile>
+    </content>
+    {% endif %}
+    <content type="oval" path="cve-debian-oval.xml"/>
+    {% elif ansible_distribution == 'CentOS' %}
+      {% if ansible_distribution_major_version == '7' %}
+      <content type="xccdf" path="ssg-centos-7-ds.xml">
+      {% elif ansible_distribution_major_version == '6' %}
+      <content type="xccdf" path="ssg-centos-6-ds.xml">
+      {% endif %}
+        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
+        <profile>xccdf_org.ssgproject.content_profile_common</profile>
+      </content>
+    {% elif ansible_distribution == 'RedHat' %}
+      {% if ansible_distribution_major_version == '7' %}
+      <content type="xccdf" path="ssg-rhel-7-ds.xml">
+      {% elif ansible_distribution_major_version == '6' %}
+      <content type="xccdf" path="ssg-rhel-6-ds.xml">
+      {% endif %}
+        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
+        <profile>xccdf_org.ssgproject.content_profile_common</profile>
+      </content>
+      {% if ansible_distribution_major_version == '7' %}
+      <content type="oval" path="cve-redhat-7-ds.xml"/>
+      {% elif ansible_distribution_major_version == '6' %}
+      <content type="oval" path="cve-redhat-6-ds.xml"/>
+      {% endif %}
+    {% elif ansible_distribution == 'Fedora' %}
+      <content type="xccdf" path="ssg-fedora-ds.xml">
+        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
+        <profile>xccdf_org.ssgproject.content_profile_common</profile>
+      </content>
+    {% endif %}
+  </wodle>
+
   <!-- Files to monitor (localfiles) -->
     {% for localfile in wazuh_agent_config.localfiles %}
     <localfile>
@@ -73,58 +124,4 @@
     </localfile>
   {% endfor %}
 
-  {% if ansible_distribution == 'Ubuntu'  and ansible_distribution_release == 'xenial' %}
-  <wodle name="open-scap">
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
-      <profile>xccdf_org.ssgproject.content_profile_common</profile>
-    </content>
-  </wodle>
-  {% elif ansible_distribution == 'CentOS' %}
-  <wodle name="open-scap">
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    {% if ansible_distribution_major_version == '7' %}
-    <content type="xccdf" path="ssg-centos-7-ds.xml">
-    {% elif ansible_distribution_major_version == '6' %}
-    <content type="xccdf" path="ssg-centos-6-ds.xml">
-    {% endif %}
-      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
-      <profile>xccdf_org.ssgproject.content_profile_common</profile>
-    </content>
-  </wodle>
-  {% elif ansible_distribution == 'RedHat' %} 
-  <wodle name="open-scap">
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    {% if ansible_distribution_major_version == '7' %}
-    <content type="xccdf" path="ssg-rhel-7-ds.xml">
-    {% elif ansible_distribution_major_version == '6' %}
-    <content type="xccdf" path="ssg-rhel-6-ds.xml">
-    {% endif %}
-      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
-      <profile>xccdf_org.ssgproject.content_profile_common</profile>
-    </content>
-  </wodle>
-  {% elif ansible_distribution == 'Fedora' %}
-  <wodle name="open-scap">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <content type="xccdf" path="ssg-fedora-ds.xml">
-        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
-        <profile>xccdf_org.ssgproject.content_profile_common</profile>
-    </content>
-  </wodle>
-  {% endif %}
-
 </ossec_config>