Delete all config about openscap #999

Open
vcerenu opened this issue May 9, 2024 · 0 comments
vcerenu (Member) commented May 9, 2024

Description

Openscap is deprecated, but we still have current configurations in our Puppet deployment.

You must proceed with the elimination of all the code related to the "open-scap" wodle configuration within the Wazuh manager and Wazuh agent deployment, since they have no real use.

Checking the code we can see that the variables to use Openscap are currently active:

```puppet
$configure_wodle_openscap = true
```

```puppet
$configure_wodle_openscap = true
```

Wazuh agents and managers still contain Openscap configurations when deployed:

```puppet
'CentOS': {
  if ( $::operatingsystemrelease =~ /^6.*/ ) {
    $ossec_service_provider = 'redhat'
    $wodle_openscap_content = {
      'ssg-centos-6-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_pci-dss',
          'xccdf_org.ssgproject.content_profile_server',
        ]
      }
    }
  }
  if ( $::operatingsystemrelease =~ /^7.*/ ) {
    $ossec_service_provider = 'systemd'
    $wodle_openscap_content = {
      'ssg-centos-7-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_pci-dss',
          'xccdf_org.ssgproject.content_profile_common',
        ]
      }
    }
  }
}
/^(RedHat|OracleLinux)$/: {
  if ( $::operatingsystemrelease =~ /^6.*/ ) {
    $ossec_service_provider = 'redhat'
    $wodle_openscap_content = {
      'ssg-rhel-6-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_pci-dss',
          'xccdf_org.ssgproject.content_profile_server',
        ]
      },
      'cve-redhat-6-ds.xml' => {
        'type' => 'xccdf',
      }
    }
  }
  if ( $::operatingsystemrelease =~ /^7.*/ ) {
    $ossec_service_provider = 'systemd'
    $wodle_openscap_content = {
      'ssg-rhel-7-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_pci-dss',
          'xccdf_org.ssgproject.content_profile_common',
        ]
      },
      'cve-redhat-7-ds.xml' => {
        'type' => 'xccdf',
      }
    }
  }
  if ( $::operatingsystemrelease =~ /^8.*/ ) {
    $ossec_service_provider = 'systemd'
    $wodle_openscap_content = {
      'ssg-rhel-8-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_pci-dss',
          'xccdf_org.ssgproject.content_profile_common',
        ]
      },
      'cve-redhat-8-ds.xml' => {
        'type' => 'xccdf',
      }
    }
  }
}
'Fedora': {
  if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) {
    $ossec_service_provider = 'redhat'
    $wodle_openscap_content = {
      'ssg-fedora-ds.xml' => {
        'type' => 'xccdf',
        profiles => [
          'xccdf_org.ssgproject.content_profile_standard',
          'xccdf_org.ssgproject.content_profile_common',
        ]
      },
    }
  }
}
```

```puppet
  case $::lsbdistcodename {
    'xenial': {
      $server_service = 'wazuh-manager'
      $server_package = 'wazuh-manager'
      $wodle_openscap_content = {
        'ssg-ubuntu-1604-ds.xml' => {
          'type' => 'xccdf',
          profiles => ['xccdf_org.ssgproject.content_profile_common'],
        },
        'cve-ubuntu-xenial-oval.xml' => {
          'type' => 'oval'
        }
      }
    }
    'jessie': {
      $server_service = 'wazuh-manager'
      $server_package = 'wazuh-manager'
      $wodle_openscap_content = {
        'ssg-debian-8-ds.xml' => {
          'type' => 'xccdf',
          profiles => ['xccdf_org.ssgproject.content_profile_common'],
        },
        'cve-debian-8-oval.xml' => {
          'type' => 'oval',
        }
      }
    }
    /^(wheezy|stretch|buster|bullseye|bookworm|sid|precise|trusty|vivid|wily|xenial|bionic|focal|groovy|jammy)$/: {
      $server_service = 'wazuh-manager'
      $server_package = 'wazuh-manager'
      $wodle_openscap_content = undef
    }
    default: {
      fail("Module ${module_name} is not supported on ${::operatingsystem}")
    }
  }
}
'RedHat': {
  $agent_service = 'wazuh-agent'
  $agent_package = 'wazuh-agent'
  $server_service = 'wazuh-manager'
  $server_package = 'wazuh-manager'
  $service_has_status = true
  $default_local_files = [
    { 'location' => '/var/log/audit/audit.log' , 'log_format' => 'audit'},
    { 'location' => '/var/ossec/logs/active-responses.log' , 'log_format' => 'syslog'},
    { 'location' => '/var/log/messages', 'log_format' => 'syslog'},
    { 'location' => '/var/log/secure' , 'log_format' => 'syslog'},
    { 'location' => '/var/log/maillog' , 'log_format' => 'syslog'},
  ]
  case $::operatingsystem {
    'Amazon': {
      $ossec_service_provider = 'systemd'
      $api_service_provider = 'systemd'
      # Amazon is based on Centos-6 with some improvements
      # taken from RHEL-7 but uses SysV-Init, not Systemd.
      # Probably best to leave this undef until we can
      # write/find a release-specific file.
      $wodle_openscap_content = undef
    }
    'CentOS': {
      if ( $::operatingsystemrelease =~ /^6.*/ ) {
        $ossec_service_provider = 'redhat'
        $api_service_provider = 'redhat'
        $wodle_openscap_content = {
          'ssg-centos-6-ds.xml' => {
            'type' => 'xccdf',
            profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
          }
        }
      }
      if ( $::operatingsystemrelease =~ /^7.*/ ) {
        $ossec_service_provider = 'systemd'
        $api_service_provider = 'systemd'
        $wodle_openscap_content = {
          'ssg-centos-7-ds.xml' => {
            'type' => 'xccdf',
            profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
          }
        }
      }
    }
    /^(RedHat|OracleLinux)$/: {
      if ( $::operatingsystemrelease =~ /^6.*/ ) {
        $ossec_service_provider = 'redhat'
        $api_service_provider = 'redhat'
        $wodle_openscap_content = {
          'ssg-rhel-6-ds.xml' => {
            'type' => 'xccdf',
            profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
          },
          'cve-redhat-6-ds.xml' => {
            'type' => 'xccdf',
          }
        }
      }
      if ( $::operatingsystemrelease =~ /^7.*/ ) {
        $ossec_service_provider = 'systemd'
        $api_service_provider = 'systemd'
        $wodle_openscap_content = {
          'ssg-rhel-7-ds.xml' => {
            'type' => 'xccdf',
            profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
          },
          'cve-redhat-7-ds.xml' => {
            'type' => 'xccdf',
          }
        }
      }
    }
    'Fedora': {
      if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) {
        $ossec_service_provider = 'redhat'
        $api_service_provider = 'redhat'
        $wodle_openscap_content = {
          'ssg-fedora-ds.xml' => {
            'type' => 'xccdf',
            profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',]
          },
        }
      }
    }
    'AlmaLinux': {
      if ( $::operatingsystemrelease =~ /^8.*/ ) {
        $ossec_service_provider = 'redhat'
        $api_service_provider = 'redhat'
      }
    }
    default: { fail('This ossec module has not been tested on your distribution') }
  }
}
```

Configurations are generated because the configure_wodle_openscap variable is in true state:

```puppet
if ($configure_wodle_openscap == true) {
  concat::fragment {
    'ossec.conf_openscap':
      target  => 'agent_ossec.conf',
      order   => 16,
      before  => Service[$agent_service_name],
      content => template($ossec_wodle_openscap_template);
  }
}
```

```puppet
if ($configure_wodle_openscap == true){
  concat::fragment {
    'ossec.conf_wodle_openscap':
      order   => 15,
      target  => 'manager_ossec.conf',
      content => template($ossec_wodle_openscap_template);
  }
}
```

We should, in the first instance, remove the variables that enable this configuration and subsequently eliminate all the related code and templates.
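A check that could gate the removal described in this issue, as an added example that is not part of the issue or of the project's code: it scans manifests and templates for any leftover OpenSCAP reference and fails while one remains. The function names and the sample tree are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: verify that no OpenSCAP wodle references remain in a Puppet
# module tree. The pattern covers the identifiers quoted in the issue
# ($configure_wodle_openscap, $wodle_openscap_content,
# $ossec_wodle_openscap_template, the ossec.conf_*openscap fragments and the
# "open-scap" wodle name). Function names here are hypothetical.

# list_openscap_refs DIR: print file:line:text for each leftover reference
# found in manifests (*.pp) and templates (*.erb) under DIR.
list_openscap_refs() {
    find "$1" -type f \( -name '*.pp' -o -name '*.erb' \) \
        -exec grep -nHiE 'open-?scap' {} + || true
}

# count_openscap_refs DIR: number of lines that still reference OpenSCAP.
count_openscap_refs() {
    list_openscap_refs "$1" | wc -l | tr -d ' '
}

# check_openscap_removed DIR: returns 0 when the tree is clean, 1 otherwise.
check_openscap_removed() {
    n=$(count_openscap_refs "$1")
    if [ "$n" -gt 0 ]; then
        list_openscap_refs "$1" >&2
        echo "FAIL: $n OpenSCAP reference(s) remain in $1" >&2
        return 1
    fi
    echo "OK: no OpenSCAP references in $1"
}

# make_sample_tree: build a constructed tree (not the real module layout)
# holding lines like the ones quoted in the issue, and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/manifests" "$d/templates"
    printf '%s\n' '$configure_wodle_openscap = true' \
                  '$wodle_openscap_content = undef' > "$d/manifests/params.pp"
    printf '%s\n' 'if ($configure_wodle_openscap == true) {' \
                  "  concat::fragment { 'ossec.conf_openscap':" \
                  '    content => template($ossec_wodle_openscap_template);' \
                  '  }' '}' > "$d/manifests/agent.pp"
    printf '%s\n' '<wodle name="syscollector"></wodle>' > "$d/templates/clean.erb"
    echo "$d"
}

# Demo on the constructed tree: reports the five leftover lines.
tree=$(make_sample_tree)
check_openscap_removed "$tree" || true
rm -rf "$tree"
```

Run `check_openscap_removed` against the module checkout in CI so the change only merges once the variables, fragments and templates are all gone.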

Projects
Status: Blocked