Openscap template block may render invalid wodle block in ossec.conf #279

Closed
3 of 4 tasks
jm404 opened this issue Oct 21, 2019 · 0 comments · Fixed by #340

jm404 commented Oct 21, 2019

The openscap block in the template var-ossec-etc-ossec-server.conf.j2 is not properly rendered for CentOS 8 and RHEL 8.

The code block causing the issue is the following:

<wodle name="open-scap">
  <disabled>no</disabled>
  <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
  <interval>{{ wazuh_manager_config.openscap.interval }}</interval>
  <scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
  {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  {% elif ansible_distribution == 'Debian' %}
    {% if ansible_distribution_release == 'jessie' %}
      {% if openscap_version_valid.stdout == "0" %}
        <content type="xccdf" path="ssg-debian-8-ds.xml">
          <profile>xccdf_org.ssgproject.content_profile_common</profile>
        </content>
        <content type="oval" path="cve-debian-8-oval.xml"/>
      {% endif %}
    {% elif ansible_distribution_release == 'stretch' %}
      <content type="oval" path="cve-debian-9-oval.xml"/>
    {% endif %}
  {% elif ansible_distribution == 'CentOS' %}
    {% if ansible_distribution_major_version == '7' %}
    <content type="xccdf" path="ssg-centos-7-ds.xml">
    {% elif ansible_distribution_major_version == '6' %}
    <content type="xccdf" path="ssg-centos-6-ds.xml">
    {% endif %}
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  {% elif ansible_distribution == 'RedHat' %}
    {% if ansible_distribution_major_version == '7' %}
    <content type="xccdf" path="ssg-rhel-7-ds.xml">
    {% elif ansible_distribution_major_version == '6' %}
    <content type="xccdf" path="ssg-rhel-6-ds.xml">
    {% endif %}
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    {% if ansible_distribution_major_version == '7' %}
    <content type="oval" path="cve-redhat-7-ds.xml"/>
    {% elif ansible_distribution_major_version == '6' %}
    <content type="oval" path="cve-redhat-6-ds.xml"/>
    {% endif %}
  {% elif ansible_distribution == 'Fedora' %}
    <content type="xccdf" path="ssg-fedora-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  {% endif %}
</wodle>
{% endif %}

In RHEL8, as neither {% if ansible_distribution_major_version == '7' %} nor {% elif ansible_distribution_major_version == '6' %} is activated, the wodle is rendered as:

  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    
      
        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
        <profile>xccdf_org.ssgproject.content_profile_common</profile>
      </content>
    
  </wodle>

Notice there is no line that opens the "content" tag, causing Wazuh Manager to fail when verifying the ossec.conf file.

This error affects different OSes and the following templates should be reviewed.

Tasks

  • Fix conditionals so the wodle is not rendered when the OS can't be determined

  • Review rendered OS and update them if required

  • Test changes and verify template renders properly where OS detected

  • Update changelog

Best regards

Jose

@jm404 jm404 added the bug label Oct 21, 2019
@jm404 jm404 changed the title Openscap wodle may render broken wodle block in ossec.conf Openscap template block may render invalid wodle block in ossec.conf Oct 21, 2019
@jm404 jm404 added this to the Sprint - 105 milestone Dec 30, 2019
@xr09 xr09 self-assigned this Dec 30, 2019
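
An added example, not part of the issue or the project's code: a render-and-parse check over a distribution matrix that catches the unbalanced `<content>` tag described above before the file reaches the manager. The two `render_*` functions are hypothetical Python stand-ins for the template's CentOS/RedHat branch (as reported, and with the wodle skipped when the OS is unknown), and `TARGETS` is a constructed matrix.

```python
import xml.etree.ElementTree as ET

# Content files per (distribution, major version), taken from the template in the issue.
SSG = {
    ("CentOS", "6"): "ssg-centos-6-ds.xml",
    ("CentOS", "7"): "ssg-centos-7-ds.xml",
    ("RedHat", "6"): "ssg-rhel-6-ds.xml",
    ("RedHat", "7"): "ssg-rhel-7-ds.xml",
}
# Constructed test matrix: versions the template knows plus the two it does not.
TARGETS = [("CentOS", "7"), ("CentOS", "8"), ("RedHat", "6"), ("RedHat", "8")]

def _body(opening):
    """Build the wodle text; `opening` holds the <content> line, or nothing."""
    lines = ['<wodle name="open-scap">', "  <disabled>no</disabled>"]
    lines += opening
    lines += [f"    <profile>xccdf_org.ssgproject.content_profile_{p}</profile>"
              for p in ("pci-dss", "common")]
    lines += ["  </content>", "</wodle>"]
    return "\n".join(lines)

def render_as_reported(distro, major):
    """Hypothetical stand-in: <content> opens conditionally but always closes."""
    path = SSG.get((distro, major))
    return _body([f'  <content type="xccdf" path="{path}">'] if path else [])

def render_guarded(distro, major):
    """Hypothetical fix: skip the whole wodle when no content file is known."""
    path = SSG.get((distro, major))
    return _body([f'  <content type="xccdf" path="{path}">']) if path else ""

def check_fragment(text):
    """Return None for well-formed XML, otherwise the parser's error message."""
    try:
        # Synthetic root: a config fragment (or an empty render) has no single root.
        ET.fromstring(f"<root>{text}</root>")
    except ET.ParseError as exc:
        return str(exc)
    return None

def failing_targets(render, targets=TARGETS):
    """List the (distro, major) pairs whose rendered block would not parse."""
    return [t for t in targets if check_fragment(render(*t)) is not None]

if __name__ == "__main__":
    for name, fn in (("as reported", render_as_reported), ("guarded", render_guarded)):
        print(name, "->", failing_targets(fn))
```

`check_fragment` can be pointed at the text of a rendered configuration file in the same way, so the check does not depend on how the template was rendered.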