Global queries FIM - Investigate impact on installation/upgrade - Wazuh Ansible #1542

c-bordon opened this issue Feb 12, 2025 · 3 comments
c-bordon commented Feb 12, 2025

Description

The issue aims to investigate whether the new files need special handling in the installation of the Wazuh central components with Wazuh Ansible.

With persistence

  • /var/ossec/queue/indexer/wazuh-states-[index_name]-[cluster_name]

Without persistence

  • /var/ossec/templates/[index_name]_states_template.json
  • /var/ossec/templates/[index_name]_states_template.json
  • /var/ossec/lib/libinventory_harvester.so

Tasks

  • Investigate if these files need special handling in AIO installation with Wazuh Ansible
  • Investigate if these files need special handling in distributed installation with Wazuh Ansible
  • Make the necessary changes
  • Test the installation methods

DRI

@c-bordon c-bordon added level/subtask Task issue type/change Change requested labels Feb 12, 2025
YisDav commented Feb 13, 2025

FIM Investigation

Related Wazuh component(s):

| Path | Wazuh Component |
| --- | --- |
| /var/ossec/queue/indexer/wazuh-states-[index_name]-[cluster_name] | Wazuh Manager |
| /var/ossec/templates/[index_name]_states_template.json | Wazuh Manager |
| /var/ossec/templates/[index_name]_states_template.json | Wazuh Manager |
| /var/ossec/lib/libinventory_harvester.so | Wazuh Manager |

Conclusions

An extensive search was conducted for the specified paths, and upon locating the affected component, the following was identified:

The mentioned files are created within the system either after the packages are installed or as part of the component's installation process.

Since the installation via Ansible is performed directly on the host or machine, no additional modifications are required to maintain the specified persistence requirements.

This applies to both AIO and Distributed deployments.

@c-bordon
Member Author

We need to research these changes in the ossec.conf: wazuh/wazuh#28217

@c-bordon c-bordon reopened this Feb 14, 2025
YisDav commented Feb 17, 2025

FIM investigation update

It was found that, when deploying with Ansible (both AIO and Distributed), the wazuh-manager role of the current version uses a template file (here).

On the other hand, a new configuration block is expected to be added to the manager configuration file.

```xml
<inventory_harvester>
  <fim_inventory>
    <enable>yes</enable>
  </fim_inventory>
  <system_inventory>
    <enable>yes</enable>
  </system_inventory>
</inventory_harvester>
```

Therefore, the default values of these variables can be left in place, or this configuration block can be explicitly added to the file. To add the configuration block, an update must be made to the template file.

Also, ideally it must be defined where this block must be located (inside the 600+ lines of code of the template file).
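
A check for the rendered manager configuration, as an added example that is not part of the original issue or of wazuh-ansible: it reports whether the `inventory_harvester` options from the block above are set explicitly or left to the manager's defaults. The function name, the sample configurations and the handling of several `<ossec_config>` roots are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

SECTIONS = ("fim_inventory", "system_inventory")

# Constructed sample of a rendered manager config (not taken from wazuh-ansible).
# It uses two <ossec_config> roots on purpose: that is an assumption about the
# rendered file, and it is the case a strict XML parse would reject.
SAMPLE_WITH_BLOCK = """
<ossec_config>
  <global><logall>no</logall></global>
</ossec_config>
<ossec_config>
  <!-- block quoted in the issue -->
  <inventory_harvester>
    <fim_inventory><enable>yes</enable></fim_inventory>
    <system_inventory><enable>yes</enable></system_inventory>
  </inventory_harvester>
</ossec_config>
"""
SAMPLE_WITHOUT_BLOCK = "<ossec_config><global><logall>no</logall></global></ossec_config>"


def harvester_settings(conf_text):
    """Return {section: 'yes' | 'no' | None} for <inventory_harvester>.

    None means the file does not set the option, so whatever default the
    manager ships with applies (this check does not guess that default).
    """
    # Drop any XML declaration and wrap in a synthetic root so that several
    # top-level <ossec_config> elements still parse as one document.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring(f"<wrapper>{body}</wrapper>")
    result = {name: None for name in SECTIONS}
    for block in root.iter("inventory_harvester"):
        for name in SECTIONS:
            node = block.find(f"{name}/enable")
            if node is None:
                continue
            value = (node.text or "").strip().lower()
            if value not in ("yes", "no"):
                raise ValueError(f"{name}: unexpected <enable> value {value!r}")
            if result[name] not in (None, value):
                raise ValueError(f"{name}: conflicting <enable> values in file")
            result[name] = value
    return result


if __name__ == "__main__":
    print("with block:   ", harvester_settings(SAMPLE_WITH_BLOCK))
    print("without block:", harvester_settings(SAMPLE_WITHOUT_BLOCK))
```

Run against the file the role renders on an AIO or distributed host, it distinguishes a template that carries the block from one that relies on defaults, and it fails loudly on duplicate blocks that disagree.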
