wazuh-api
Agent configuration on-demand JSON arrays format
Hi team,
The JSON format of an agent's on-demand configuration responses is incorrect for arrays. For example, currently, the SCA configuration JSON is the following:
{
  "sca": {
    "enabled": "yes",
    "scan_on_start": "yes",
    "skip_nfs": "yes",
    "interval": 43200,
    "policies": [
      "cis_rhel7_linux_rcl.yml",
      "system_audit_rcl.yml",
      "system_audit_ssh.yml",
      "system_audit_pw.yml"
    ]
  }
}
So when in the Wazuh app we use the JSON to XML parser to show it in the XML viewer we get this output:
This is incorrect because the policies are composed of an array of policies. This would be fixed by changing the answer so that JSON adopts this format:
{
  "sca": {
    "enabled": "yes",
    "scan_on_start": "yes",
    "skip_nfs": "yes",
    "interval": 43200,
    "policies": {
      "policy": [
        "cis_rhel7_linux_rcl.yml",
        "system_audit_rcl.yml",
        "system_audit_ssh.yml",
        "system_audit_pw.yml"
      ]
    }
  }
}
This also happens in OpenSCAP Profiles, Labels, Syscheck Ignore, Syscheck directories.
Regards.
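To make the difference between the two shapes concrete, here is a small JSON-to-XML serializer added as an example (it is not the Wazuh app's own parser). It assumes the common convention that an object key becomes an element and an array under a key becomes one element per item with that key, so the bare array collapses into repeated `<policies>` elements while the wrapped form yields the `<policies><policy>...</policy></policies>` structure of the agent's configuration:

```javascript
// Minimal JSON -> XML serializer (constructed example, not Wazuh code).
// Convention: object key -> element; array under a key -> one sibling
// element per item, each named after that key; scalars -> text content.
function escapeXml(s) {
  return s.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

function toXml(value, tag) {
  if (Array.isArray(value)) {
    // Every array item becomes a sibling element named after the parent key.
    return value.map((item) => toXml(item, tag)).join('');
  }
  if (value !== null && typeof value === 'object') {
    const inner = Object.entries(value).map(([k, v]) => toXml(v, k)).join('');
    return `<${tag}>${inner}</${tag}>`;
  }
  return `<${tag}>${escapeXml(String(value))}</${tag}>`;
}

// Serialize a whole configuration object (top-level keys become root elements).
function renderConfig(config) {
  return Object.entries(config).map(([k, v]) => toXml(v, k)).join('');
}

// Constructed inputs mirroring the two SCA shapes discussed in the issue
// (trimmed to two policies to keep the output short).
const currentFormat = {
  sca: { enabled: 'yes', interval: 43200,
         policies: ['cis_rhel7_linux_rcl.yml', 'system_audit_rcl.yml'] },
};
const proposedFormat = {
  sca: { enabled: 'yes', interval: 43200,
         policies: { policy: ['cis_rhel7_linux_rcl.yml', 'system_audit_rcl.yml'] } },
};

// Bare array: the policy names end up as repeated <policies> elements,
// which does not match the <policies><policy>..</policy></policies> layout.
console.log(renderConfig(currentFormat));
// Wrapped array: each policy becomes a <policy> child of a single <policies>.
console.log(renderConfig(proposedFormat));
```

Attributes (such as `key="..."` on `<label>`) are out of scope for this serializer; it only illustrates the array-wrapping point.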
It would be helpful if you could give me a small model of how the different answers should look for the other cases you mention at the end. I've already changed the SCA configuration to follow that format.
I have been trying the different cases that you mentioned. In the case of SCA I have already been able to solve it, but I would like you to tell me if the others should be like this:
Labels
JSON:
"labels": [
  {
    "label": [
      {
        "value": "i-052a1838c",
        "key": "aws.instance-id"
      },
      {
        "value": "sg-1103",
        "key": "aws.sec-group"
      },
      {
        "value": "172.17.0.0",
        "key": "network.ip"
      },
      {
        "value": "02:42:ac:11:00:02",
        "key": "network.mac"
      },
      {
        "value": "January 1st, 2017",
        "key": "installation",
        "hidden": "yes"
      }
    ]
  },
  {
    "label": [
      {
        "value": "i-052a1838c",
        "key": "aws.instance-id"
      },
      {
        "value": "sg-1103",
        "key": "aws.sec-group"
      },
      {
        "value": "172.17.0.0",
        "key": "network.ip"
      },
      {
        "value": "02:42:ac:11:00:02",
        "key": "network.mac"
      },
      {
        "value": "January 1st, 2017",
        "key": "installation",
        "hidden": "yes"
      }
    ]
  }
]
XML:
<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>
<labels>
  <label key="aws.instance-id">i-052a1838c</label>
  <label key="aws.sec-group">sg-1103</label>
  <label key="network.ip">172.17.0.0</label>
  <label key="network.mac">02:42:ac:11:00:02</label>
  <label key="installation" hidden="yes">January 1st, 2017</label>
</labels>
Syscheck Ignore
JSON:
"syscheck": {
  "directories": [
    {
      "check_all": "yes",
      "path": "/etc"
    },
    {
      "check_all": "yes",
      "path": "/usr/bin"
    },
    {
      "check_all": "yes",
      "path": "/usr/sbin"
    },
    {
      "check_all": "yes",
      "path": "/bin"
    },
    {
      "check_all": "yes",
      "path": "/sbin"
    },
    {
      "check_all": "yes",
      "path": "/boot"
    }
  ]
}
XML:
<syscheck>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin,/boot</directories>
</syscheck>
Syscheck Directories
JSON:
"syscheck": {
  "ignore": [
    "/etc/mtab",
    "/etc/hosts.deny",
    "/etc/mail/statistics",
    "/etc/random-seed",
    "/etc/random.seed",
    "/etc/adjtime",
    "/etc/httpd/logs",
    "/etc/utmpx",
    "/etc/wtmpx",
    "/etc/cups/certs",
    "/etc/dumpdates",
    "/etc/svc/volatile",
    "/sys/kernel/security",
    "/sys/kernel/debug",
    "/dev/core",
    {
      "type": "sregex",
      "item": "^/proc"
    },
    {
      "type": "sregex",
      "item": ".log$|.swp$"
    }
  ]
}
XML:
<syscheck>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  <ignore>/etc/mail/statistics</ignore>
  <ignore>/etc/random-seed</ignore>
  <ignore>/etc/random.seed</ignore>
  <ignore>/etc/adjtime</ignore>
  <ignore>/etc/httpd/logs</ignore>
  <ignore>/etc/utmpx</ignore>
  <ignore>/etc/wtmpx</ignore>
  <ignore>/etc/cups/certs</ignore>
  <ignore>/etc/dumpdates</ignore>
  <ignore>/etc/svc/volatile</ignore>
  <ignore>/sys/kernel/security</ignore>
  <ignore>/sys/kernel/debug</ignore>
  <ignore>/dev/core</ignore>
  <!-- File types to ignore -->
  <ignore type="sregex">^/proc</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
</syscheck>
Open-SCAP Profiles
JSON:
"open-scap": {
  "content": [
    {
      "type": "xccdf",
      "profile": "webserver",
      "profiles": [
        null
      ]
    },
    {
      "type": "xccdf",
      "profile": "dmz",
      "profiles": [
        null
      ]
    }
  ]
}
XML:
<wodle name="open-scap">
  <content type="xccdf" profile="webserver"/>
  <content type="xccdf" profile="dmz"/>
</wodle>
This issue is blocked until https://github.com/wazuh/wazuh/issues/3429 is complete.