
Installing wazuh manager based on documentation example fails #32

Closed
andel7 opened this issue May 20, 2018 · 3 comments

Comments


andel7 commented May 20, 2018

Hi,

I am following the Ansible deployment based on the documentation, and the installation of wazuh-manager fails.
It explicitly expects configuration of at least the following:

cis_cat:
  disable: 'no'
  install_java: 'yes'
openscap:
  disable: 'no'

I assume some defaults can be defined.
Then it started failing on the email configuration, and finally the Ansible playbook failed on the task "Configure ossec.conf".


andel7 commented May 20, 2018


TASK [ansible-wazuh-manager : Configure ossec.conf] ********************************************************************************************************************************************************
fatal: [10.142.0.11]: FAILED! => {"changed": false, "msg": "AnsibleError: Unexpected templating type error occurred on (<!--\n  Wazuh - Manager - Default configuration\n  More info at: https://documentation.wazuh.com\n  Mailing list: https://groups.google.com/forum/#!forum/wazuh\n-->\n\n<ossec_config>\n  <global>\n    <jsonout_output>{{ wazuh_manager_config.json_output }}</jsonout_output>\n    <alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>\n    <logall>{{ wazuh_manager_config.logall }}</logall>\n    {% if wazuh_manager_config.email_notification | lower == \"yes\" %}\n    <email_notification>yes</email_notification>\n    {% else %}\n    <email_notification>no</email_notification>\n    {% endif %}\n    {% for to in wazuh_manager_config.mail_to %}\n    <email_to>{{ to }}</email_to>\n    {% endfor %}\n    <smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>\n    <email_from>{{ wazuh_manager_config.mail_from }}</email_from>\n  </global>\n\n  <cluster>\n    <disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>\n    <name>{{ wazuh_manager_config.cluster.name }}</name>\n    <node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>\n    <node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>\n    <key>{{ wazuh_manager_config.cluster.key }}</key>\n    <interval>{{ wazuh_manager_config.cluster.interval }}</interval>\n    <port>{{ wazuh_manager_config.cluster.port }}</port>\n    <bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>\n    <nodes>\n    {% for node in wazuh_manager_config.cluster.nodes %}\n      <node>{{ node }}</node>\n    {% endfor %}\n    </nodes>\n    <hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>\n  </cluster>\n\n  <logging>\n    <log_format>{{ wazuh_manager_config.log_format }}</log_format>\n  </logging>\n\n{% if wazuh_manager_config.authd.enable == true %}\n  <auth>\n    <disabled>no</disabled>\n    {% if wazuh_manager_config.authd.port is not none 
%}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}\n    {% if wazuh_manager_config.authd.use_source_ip is not none %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}\n    {% if wazuh_manager_config.authd.force_insert is not none %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}\n    {% if wazuh_manager_config.authd.force_time is not none %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}\n    {% if wazuh_manager_config.authd.purge is not none %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}\n    {% if wazuh_manager_config.authd.use_password is not none %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}\n    {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}\n    {% if wazuh_manager_config.authd.ssl_verify_host is not none %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}\n    {% if wazuh_manager_config.authd.ssl_manager_cert is not none %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}\n    {% if wazuh_manager_config.authd.ssl_manager_key is not none %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}\n    {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}\n  </auth>\n{% endif %}\n\n{% if wazuh_manager_config.extra_emails is defined %}\n{% for mail in wazuh_manager_config.extra_emails %}\n{% if mail.enable == true %}\n  <email_alerts>\n    <email_to>{{ mail.mail_to }}</email_to>\n    {% if mail.format is not none %}\n    <format>{{ mail.format }}</format>\n    
{% endif %}\n    {% if mail.level is not none %}\n    <level>{{ mail.level }}</level>\n    {% endif %}\n    {% if mail.event_location is not none %}\n    <event_location>{{ mail.event_location }}</event_location>\n    {% endif %}\n    {% if mail.group is not none %}\n    <group>{{ mail.group }}</group>\n    {% endif %}\n    {% if mail.do_not_delay is not none and mail.do_not_delay == true %}\n    <do_not_delay />\n    {% endif %}\n    {% if mail.do_not_group is not none and mail.do_not_group == true %}\n    <do_not_group />\n    {% endif %}\n    {% if mail.rule_id is not none %}\n    <rule_id>{{ mail.rule_id }}</rule_id>\n    {% endif %}\n  </email_alerts>\n{% endif %}\n{% endfor %}\n{% endif %}\n\n{% if wazuh_manager_config.reports is defined %}\n{% for report in wazuh_manager_config.reports %}\n{% if report.enable == true %}\n  <reports>\n    <category>{{ report.category }}</category>\n    <title>{{ report.title }}</title>\n    <email_to>{{ report.email_to }}</email_to>\n    {% if report.location is not none %}<location>{{ report.location }}</location>{% endif %}\n    {% if report.group is not none %}<group>{{ report.group }}</group>{% endif %}\n    {% if report.rule is not none %}<rule>{{ report.rule }}</rule>{% endif %}\n    {% if report.level is not none %}<level>{{ report.level }}</level>{% endif %}\n    {% if report.srcip is not none %}<srcip>{{ report.srcip }}</srcip>{% endif %}\n    {% if report.user is not none %}<user>{{ report.user }}</user>{% endif %}\n    {% if report.showlogs is not none %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}\n  </reports>\n{% endif %}\n{% endfor %}\n{% endif %}\n\n  <alerts>\n    <log_alert_level>{{ wazuh_manager_config.log_level }}</log_alert_level>\n    <email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level>\n  </alerts>\n\n  <remote>\n  {% for connection in wazuh_manager_config.connection %}\n    <connection>{{ connection.type }}</connection>\n    <port>{{ connection.port }}</port>\n    
<protocol>{{ connection.protocol }}</protocol>\n  {% endfor %}\n  </remote>\n\n  <rootcheck>\n    <disabled>no</disabled>\n    <check_unixaudit>yes</check_unixaudit>\n    <check_files>yes</check_files>\n    <check_trojans>yes</check_trojans>\n    <check_dev>yes</check_dev>\n    <check_sys>yes</check_sys>\n    <check_pids>yes</check_pids>\n    <check_ports>yes</check_ports>\n    <check_if>yes</check_if>\n\n    <!-- Frequency that rootcheck is executed - every 12 hours -->\n    <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>\n\n    <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>\n    <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>\n    <system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>\n    <system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>\n    {% if cis_distribution_filename is defined %}\n    <system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>\n    {% endif %}\n\n    <skip_nfs>yes</skip_nfs>\n  </rootcheck>\n\n  <syscheck>\n    <auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>\n    <alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>\n    <!-- Frequency that syscheck is executed -- default every 20 hours -->\n    <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>\n    <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>\n\n    <!-- Directories to check  (perform all possible verifications) -->\n    {% if wazuh_manager_config.syscheck.directories is defined %}\n    {% for directory in wazuh_manager_config.syscheck.directories %}\n    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>\n    {% endfor %}\n    {% endif %}\n\n    <!-- Files/directories to ignore -->\n    {% if wazuh_manager_config.syscheck.ignore is defined %}\n    {% for ignore in 
wazuh_manager_config.syscheck.ignore %}\n    <ignore>{{ ignore }}</ignore>\n    {% endfor %}\n    {% endif %}\n\n    <!-- Files no diff -->\n    {% for no_diff in wazuh_manager_config.syscheck.no_diff %}\n    <nodiff>{{ no_diff }}</nodiff>\n    {% endfor %}\n  </syscheck>\n\n  {% if ansible_system == \"Linux\" and wazuh_manager_config.openscap.disable == 'no' %}\n  <wodle name=\"open-scap\">\n    <disabled>no</disabled>\n    <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>\n    <interval>{{ wazuh_manager_config.openscap.interval }}</interval>\n    <scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>\n    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}\n    <content type=\"xccdf\" path=\"ssg-ubuntu-1604-ds.xml\">\n      <profile>xccdf_org.ssgproject.content_profile_common</profile>\n    </content>\n    {% elif ansible_distribution == 'Debian' %}\n    {% if ansible_distribution_release == 'jessie' %}\n    {% if openscap_version_valid.stdout == \"0\" %}\n    <content type=\"xccdf\" path=\"ssg-debian-8-ds.xml\">\n      <profile>xccdf_org.ssgproject.content_profile_common</profile>\n    </content>\n    <content type=\"oval\" path=\"cve-debian-8-oval.xml\"/>\n    {% endif %}\n    {% elif ansible_distribution_release == 'stretch' %}\n    <content type=\"oval\" path=\"cve-debian-9-oval.xml\"/>\n    {% endif %}\n    {% elif ansible_distribution == 'CentOS' %}\n      {% if ansible_distribution_major_version == '7' %}\n      <content type=\"xccdf\" path=\"ssg-centos-7-ds.xml\">\n      {% elif ansible_distribution_major_version == '6' %}\n      <content type=\"xccdf\" path=\"ssg-centos-6-ds.xml\">\n      {% endif %}\n        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>\n        <profile>xccdf_org.ssgproject.content_profile_common</profile>\n      </content>\n    {% elif ansible_distribution == 'RedHat' %}\n      {% if ansible_distribution_major_version == '7' %}\n      <content 
type=\"xccdf\" path=\"ssg-rhel-7-ds.xml\">\n      {% elif ansible_distribution_major_version == '6' %}\n      <content type=\"xccdf\" path=\"ssg-rhel-6-ds.xml\">\n      {% endif %}\n        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>\n        <profile>xccdf_org.ssgproject.content_profile_common</profile>\n      </content>\n      {% if ansible_distribution_major_version == '7' %}\n      <content type=\"oval\" path=\"cve-redhat-7-ds.xml\"/>\n      {% elif ansible_distribution_major_version == '6' %}\n      <content type=\"oval\" path=\"cve-redhat-6-ds.xml\"/>\n      {% endif %}\n    {% elif ansible_distribution == 'Fedora' %}\n      <content type=\"xccdf\" path=\"ssg-fedora-ds.xml\">\n        <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>\n        <profile>xccdf_org.ssgproject.content_profile_common</profile>\n      </content>\n    {% endif %}\n  </wodle>\n  {% endif %}\n\n  {% if wazuh_manager_config.cis_cat.disable == 'no' %}\n  <wodle name=\"cis-cat\">\n    <disabled>no</disabled>\n    <timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>\n    <interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>\n    <scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>\n    {% if wazuh_manager_config.cis_cat.install_java == 'yes' %}\n    <java_path>/usr/bin</java_path>\n    {% else %}\n    <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>\n    {% endif %}\n    <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>\n    {% for benchmark in wazuh_manager_config.cis_cat.content %}\n    <content type=\"{{ benchmark.type }}\" path=\"{{ benchmark.path }}\">\n      <profile>{{ benchmark.profile }}</profile>\n    </content>\n    {% endfor %}\n  </wodle>\n  {% endif %}\n\n  {% if ansible_system == \"Linux\" and wazuh_manager_config.vuls.disable == 'no' %}\n  <wodle name=\"command\">\n    <disabled>no</disabled>\n    <tag>Wazuh-VULS</tag>\n    <command>/usr/bin/python 
/var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %}</command>\n    <interval>{{ wazuh_manager_config.vuls.interval }}</interval>\n    <ignore_output>yes</ignore_output>\n    <run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>\n  </wodle>\n  {% endif %}\n\n{% if agentless_creeds is defined %}\n{% for agentless in agentless_creeds %}\n  <agentless>\n    <type>{{ agentless.type }}</type>\n    <frequency>{{ agentless.frequency }}</frequency>\n    <host>{{ agentless.host }}</host>\n    <state>{{ agentless.state }}</state>\n    {% if agentless.arguments is defined %}\n      <arguments>{{ agentless.arguments }}</arguments>\n    {% endif %}\n  </agentless>\n\n{% endfor %}\n{% endif %}\n\n  <global>\n{% for white_list in wazuh_manager_config.globals %}\n    <white_list>{{ white_list }}</white_list>\n{% endfor %}\n  </global>\n\n  {% for command in wazuh_manager_config.commands %}\n    <command>\n      <name>{{ command.name }}</name>\n      <executable>{{ command.executable }}</executable>\n      <expect>{{ command.expect }}</expect>\n      <timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>\n    </command>\n  {% endfor %}\n\n\n  <ruleset>\n    <!-- Default ruleset -->\n    <decoder_dir>ruleset/decoders</decoder_dir>\n    <rule_dir>ruleset/rules</rule_dir>\n    <rule_exclude>0215-policy_rules.xml</rule_exclude>\n    {% if cdb_lists is defined %}\n    {% for list in cdb_lists %}\n    <list>etc/lists/{{ list.name }}</list>\n    {% endfor %}\n    {% endif %}\n\n    <!-- User-defined ruleset -->\n    <decoder_dir>etc/decoders</decoder_dir>\n    <rule_dir>etc/rules</rule_dir>\n  </ruleset>\n\n  <!-- Active Response Config -->\n{% for response in wazuh_manager_config.active_responses %}\n  <active-response>\n    <disabled>no</disabled>\n    <command>{{ response.command }}</command>\n    {%if response.location is defined %}<location>{{ response.location }}</location>{% endif %}\n    {%if 
response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %}\n    {%if response.level is defined %}<level>{{ response.level }}</level>{% endif %}\n    {%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %}\n    {%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %}\n    {%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %}\n    {%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}\n  </active-response>\n{% endfor %}\n\n  <!-- Files to monitor (localfiles) -->\n{% for localfile in wazuh_manager_config.localfiles %}\n  <localfile>\n     <log_format>{{ localfile.format }}</log_format>\n     {% if localfile.format == 'command' or localfile.format == 'full_command' %}\n     <command>{{ localfile.command }}</command>\n     <frequency>{{ localfile.frequency }}</frequency>\n     {% else %}\n     <location>{{ localfile.location }}</location>\n     {% endif %}\n  </localfile>\n{% endfor %}\n\n{% if wazuh_manager_config.syslog_outputs is defined %}\n{% for syslog_output in wazuh_manager_config.syslog_outputs %}\n{% if syslog_output.server is not none  %}\n  <syslog_output>\n    <server>{{ syslog_output.server }}</server>\n    <port>{{ syslog_output.port }}</port>\n    <format>{{ syslog_output.format }}</format>\n  </syslog_output>\n{% endif %}\n{% endfor %}\n{% endif %}\n\n</ossec_config>\n): 'NoneType' object is not iterable"}


andel7 commented Jun 17, 2018

I think I understand the issue a bit better now.
Based on the documentation (https://documentation.wazuh.com/current/deploying-with-ansible/roles/wazuh-manager.html) I can create a variable file, vars-production.yml, add specific configurations and then run:

 ansible-playbook wazuh-manager.yml -e@vars-production.yml

However, if I create a wazuh_manager_config dictionary in vars-production.yml, it completely overrides wazuh_manager_config from defaults/main.yml and then I get to copy-attributes-hell.
Either the documentation should be fixed in some way, or the variables in the playbook.


ghost commented Jul 4, 2018

Hi @andel7,

Yes, this is the expected behavior according to Ansible's variable precedence. We're going to update our Ansible documentation ASAP. I created an issue here: wazuh/wazuh-documentation#282 in order to track this one and add your suggestions. Thanks!

Best Regards,
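The behaviour both comments describe, reproduced outside Ansible as an added example (this is not code from the wazuh-ansible role or the Wazuh project): a `wazuh_manager_config` dict supplied as extra vars replaces the role default dict wholesale instead of merging with it, so the ossec.conf template then hits keys that are absent or null. The defaults, the override dicts and the e-mail keys are constructed stand-ins; the `deep_merge` function does what Ansible's `combine(recursive=True)` filter does, which is one way to keep the role defaults while overriding only a few keys.

```python
from copy import deepcopy

# Constructed stand-in for the role's defaults/main.yml (only a few keys shown).
ROLE_DEFAULTS = {
    "email_notification": "no",
    "mail_to": ["admin@example.net"],
    "mail_smtp_server": "localhost",
    "cis_cat": {"disable": "yes", "install_java": "no"},
    "openscap": {"disable": "yes", "timeout": 1800},
}

# Constructed vars-production.yml content: only the keys the user cares about.
USER_OVERRIDE = {
    "cis_cat": {"disable": "no", "install_java": "yes"},
    "openscap": {"disable": "no"},
}

# Constructed second attempt: the e-mail keys are added but mail_to is left
# empty, which YAML loads as null (None).
NULL_MAIL_OVERRIDE = {**USER_OVERRIDE, "email_notification": "no",
                      "mail_to": None, "mail_smtp_server": "localhost"}

def render_email_block(cfg):
    """Mimic the e-mail part of the ossec.conf <global> section. Like
    `{% for to in wazuh_manager_config.mail_to %}` it iterates over mail_to,
    so it raises KeyError if the key is absent and TypeError if it is null."""
    flag = "yes" if str(cfg["email_notification"]).lower() == "yes" else "no"
    lines = [f"<email_notification>{flag}</email_notification>"]
    for to in cfg["mail_to"]:
        lines.append(f"<email_to>{to}</email_to>")
    lines.append(f"<smtp_server>{cfg['mail_smtp_server']}</smtp_server>")
    return "\n".join(lines)

def template_error(cfg):
    """Name of the exception the template run raises for cfg, or None if it renders."""
    try:
        render_email_block(cfg)
    except (KeyError, TypeError) as exc:
        return type(exc).__name__
    return None

def deep_merge(base, override):
    """Recursive merge, as Ansible's `combine(recursive=True)` filter does it:
    nested dicts merge key by key; any other value in override replaces base."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged
```

With a null `mail_to` the run fails with `TypeError: 'NoneType' object is not iterable`, the message shown in the task output above; with the defaults merged back in the same fragment renders cleanly.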

@ghost ghost closed this as completed Jul 4, 2018