Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Agent configuration on-demand JSON arrays format #390

Open
juankaromo opened this issue May 22, 2019 · 3 comments
Open

Agent configuration on-demand JSON arrays format #390

juankaromo opened this issue May 22, 2019 · 3 comments
Labels
bug
Projects
Wazuh 3.11.0

Comments

@juankaromo
Copy link

Hi team,

The JSON format of an agent's on-demand configuration responses is incorrect for arrays. For example, currently, the SCA configuration JSON is the following:

{
   "sca":{
      "enabled":"yes",
      "scan_on_start":"yes",
      "skip_nfs":"yes",
      "interval":43200,
      "policies":[
         "cis_rhel7_linux_rcl.yml",
         "system_audit_rcl.yml",
         "system_audit_ssh.yml",
         "system_audit_pw.yml"
      ]
   }
}

So when in the Wazuh app we use the JSON to XML parser to show it in the XML viewer we get this output:

image

This is incorrect because the policies are composed of an array of policies. This would be fixed by changing the answer so that JSON adopts this format:

{
   "sca":{
      "enabled":"yes",
      "scan_on_start":"yes",
      "skip_nfs":"yes",
      "interval":43200,
      "policies":{
         "policy":[
            "cis_rhel7_linux_rcl.yml",
            "system_audit_rcl.yml",
            "system_audit_ssh.yml",
            "system_audit_pw.yml"
         ]
      }
   }
}

image

This also happens in OpenSCAP Profiles, Labels, Syscheck Ignore, Syscheck directories.

Regards.
@JmZero
Copy link

JmZero commented May 22, 2019

It would be helpful if you could give me a small model of how the different answers should be for the other cases you mention at the end.
I've already changed the SCA configuration following format.

@crd1985 crd1985 added this to To do in Wazuh 3.11.0 via automation May 22, 2019
@crd1985 crd1985 added the bug label May 22, 2019
@crd1985 crd1985 added this to the 21st week milestone May 22, 2019
@JmZero
Copy link

JmZero commented May 23, 2019

I have been trying the different cases that you have mentioned, in the case of SCA I have already been able to solve it, but I would like you to tell me if the others should be like this:

Labels

JSON:

"labels": [
     {
        "label": [
           {
              "value": "i-052a1838c",
              "key": "aws.instance-id"
           },
           {
              "value": "sg-1103",
              "key": "aws.sec-group"
           },
           {
              "value": "172.17.0.0",
              "key": "network.ip"
           },
           {
              "value": "02:42:ac:11:00:02",
              "key": "network.mac"
           },
           {
              "value": "January 1st, 2017",
              "key": "installation",
              "hidden": "yes"
           }
        ]
     },
     {
        "label": [
           {
              "value": "i-052a1838c",
              "key": "aws.instance-id"
           },
           {
              "value": "sg-1103",
              "key": "aws.sec-group"
           },
           {
              "value": "172.17.0.0",
              "key": "network.ip"
           },
           {
              "value": "02:42:ac:11:00:02",
              "key": "network.mac"
           },
           {
              "value": "January 1st, 2017",
              "key": "installation",
              "hidden": "yes"
           }
        ]
     }
  ]

XML:

<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>

<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>

Syscheck Ignore

JSON:

"syscheck": {
     "directories": [
        {
           "check_all": "yes",
           "path": "/etc"
        },
        {
           "check_all": "yes",
           "path": "/usr/bin"
        },
        {
           "check_all": "yes",
           "path": "/usr/sbin"
        },
        {
           "check_all": "yes",
           "path": "/bin"
        },
        {
           "check_all": "yes",
           "path": "/sbin"
        },
        {
           "check_all": "yes",
           "path": "/boot"
        }
     ]
  }

XML:

<syscheck>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
</syscheck>

Syscheck Directories

JSON:

"syscheck": {
     "ignore": [
        "/etc/mtab",
        "/etc/hosts.deny",
        "/etc/mail/statistics",
        "/etc/random-seed",
        "/etc/random.seed",
        "/etc/adjtime",
        "/etc/httpd/logs",
        "/etc/utmpx",
        "/etc/wtmpx",
        "/etc/cups/certs",
        "/etc/dumpdates",
        "/etc/svc/volatile",
        "/sys/kernel/security",
        "/sys/kernel/debug",
        "/dev/core",
        {
           "type": "sregex",
           "item": "^/proc"
        },
        {
           "type": "sregex",
           "item": ".log$|.swp$"
        }
     ]
  }

XML:

<syscheck>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>
    <ignore>/dev/core</ignore>
    
    <!-- File types to ignore -->
    <ignore type="sregex">^/proc</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
</syscheck>

Open-SCAP Profiles

JSON:

"open-scap": {
     "content": [
        {
           "type": "xccdf",
           "profile": "webserver",
           "profiles": [
              null
           ]
        },
        {
           "type": "xccdf",
           "profile": "dmz",
           "profiles": [
              null
           ]
        }
     ]
  }

XML:

<wodle name="open-scap">
    <content type="xccdf" profile="webserver"/>
    <content type="xccdf" profile="dmz"/>
</wodle>

@JmZero JmZero moved this from To do to In progress in Wazuh 3.11.0 May 24, 2019
@crd1985 crd1985 modified the milestones: 21st week, 22nd week May 29, 2019
@crd1985 crd1985 modified the milestones: 22nd week, 24th week Jun 12, 2019
@JmZero
Copy link

JmZero commented Jun 12, 2019
edited

This issue is blocked until complete wazuh/wazuh#3429

@crd1985 crd1985 modified the milestones: 24th week, 31st week Jul 29, 2019
@crd1985 crd1985 removed this from the 31st week milestone Nov 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Wazuh 3.11.0
  
In progress
Milestone
No milestone
Development

No branches or pull requests
3 participants
@crd1985 @juankaromo @JmZero