Wazuh manager: OpenSCAP

Install libopenscap8 in Debian/Ubuntu Set wodle values like: timeout, interval and scan-on-start Refactoring ossec.conf template
2017-07-24 23:52:34 -04:00 · 2017-07-24 23:52:34 -04:00 · aaca36420d
commit aaca36420d
parent c1156bb757
3 changed files with 47 additions and 58 deletions
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@ -33,6 +33,10 @@ wazuh_manager_config:
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  openscap:
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  log_level: 1
  email_level: 12
  localfiles:
--- a/ansible-wazuh-manager/tasks/Debian.yml
+++ b/ansible-wazuh-manager/tasks/Debian.yml
@ -26,3 +26,11 @@
 - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
  set_fact:
    cis_distribution_filename: cis_debian_linux_rcl.txt
 - name: Debian/Ubuntu | Install OpenScap
  package: name={{ item }} state=present
  with_items:
    - libopenscap8
    - xsltproc
  tags:
    - init
--- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@ -112,35 +112,21 @@
 {% endfor %}
  </syscheck>
  {% if ansible_distribution == 'Ubuntu'  and ansible_distribution_release == 'xenial' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
-    <timeout>1800</timeout>
+    <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
-    <interval>1d</interval>
+    <interval>{{ wazuh_manager_config.openscap.interval }}</interval>
-    <scan-on-start>yes</scan-on-start>
+    <scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
-
+    {% if ansible_distribution == 'Ubuntu'  and ansible_distribution_release == 'xenial' %}
    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>
    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
      </content>
-  </wodle>
+    <content type="oval" path="cve-debian-oval.xml"/>
    {% elif ansible_distribution == 'CentOS' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
      {% if ansible_distribution_major_version == '7' %}
      <content type="xccdf" path="ssg-centos-7-ds.xml">
      {% elif ansible_distribution_major_version == '6' %}
@ -149,36 +135,27 @@
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
        <profile>xccdf_org.ssgproject.content_profile_common</profile>
      </content>
  </wodle>
    {% elif ansible_distribution == 'RedHat' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
      {% if ansible_distribution_major_version == '7' %}
      <content type="xccdf" path="ssg-rhel-7-ds.xml">
      {% elif ansible_distribution_major_version == '6' %}
-    <content type="xccdf" path="ssg-rhel-7-ds.xml">
+      <content type="xccdf" path="ssg-rhel-6-ds.xml">
      {% endif %}
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
        <profile>xccdf_org.ssgproject.content_profile_common</profile>
      </content>
-  </wodle>
+      {% if ansible_distribution_major_version == '7' %}
      <content type="oval" path="cve-redhat-7-ds.xml"/>
      {% elif ansible_distribution_major_version == '6' %}
      <content type="oval" path="cve-redhat-6-ds.xml"/>
      {% endif %}
    {% elif ansible_distribution == 'Fedora' %}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
      <content type="xccdf" path="ssg-fedora-ds.xml">
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
        <profile>xccdf_org.ssgproject.content_profile_common</profile>
      </content>
  </wodle>
    {% endif %}
  </wodle>
 {% if agentless_creeds is defined %}
 {% for agentless in agentless_creeds %}