afmarulanda/wazuh-ansible-4.12.0
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
afa2ad2b05
wazuh-ansible-4.12.0/roles/wazuh/ansible-wazuh-manager
History
Andrés Felipe Marulanda Hernández afa2ad2b05 fix(wazuh-manager): Adapta la instalación de OpenScap para SO modernos 
El paquete 'libopenscap8' fue reemplazado por 'openscap-scanner' en distribuciones recientes como Ubuntu 24.04, lo que causaba un fallo en la instalación.

Se reintroduce la lógica condicional para seleccionar el nombre del paquete correcto según la versión del sistema operativo, restaurando la compatibilidad del rol.
2025-09-10 13:27:09 +00:00
..
defaults Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
files Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
handlers Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
meta Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
tasks fix(wazuh-manager): Adapta la instalación de OpenScap para SO modernos 2025-09-10 13:27:09 +00:00
templates Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
vars Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00
README.md Nueva versión con modificaciones 2025-09-09 16:40:55 -05:00

README.md

Ansible Playbook - Wazuh manager

This role will install the Wazuh manager on a host.

Requirements

This role will work on:

  • Red Hat
  • CentOS
  • Fedora
  • Debian
  • Ubuntu

Role Variables

This role has some variables which you can or need to override.

wazuh_manager_fqdn: ~
wazuh_manager_config: []
shared_agent_config: []

Vault variables

vars/agentless_creds.yml

This file has the agenless credentials.

---
 agentless_creds:
 - type: ssh_integrity_check_linux
   frequency: 3600
   host: root@example.net
   state: periodic
   arguments: '/bin /etc/ /sbin'
   passwd: qwerty

vars/wazuh_api_creds.yml

This file has user and password created in httpasswd format.

---
wazuh_api_user:
  - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"

vars/authd_pass.yml

This file has the password to be used for the authd daemon.

---
authd_pass: foobar

Default config

defaults/main.yml

---
wazuh_manager_fqdn: "wazuh-server"

wazuh_manager_config:
  json_output: 'yes'
  alerts_log: 'yes'
  logall: 'no'
  authd:
    enable: false
  email_notification: no
  mail_to:
    - admin@example.net
  mail_smtp_server: localhost
  mail_from: wazuh-server@example.com
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    ignore:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
  rootcheck:
    frequency: 43200
  openscap:
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  log_level: 1
  email_level: 12
  localfiles:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'command'
      command: 'df -P'
      frequency: '360'
    - format: 'full_command'
      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
  globals:
    - '127.0.0.1'
    - '192.168.2.1'
  connection:
    - type: 'secure'
      port: '1514'
      protocol: 'tcp'
  commands:
    - name: 'disable-account'
      executable: 'disable-account.sh'
      expect: 'user'
      timeout_allowed: 'yes'
    - name: 'restart-ossec'
      executable: 'restart-ossec.sh'
      expect: ''
      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'host-deny'
      executable: 'host-deny.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'route-null'
      executable: 'route-null.sh'
      expect: 'srcip'
      timeout_allowed: 'yes'
    - name: 'win_route-null'
      executable: 'route-null.cmd'
      expect: 'srcip'
      timeout_allowed: 'yes'
  active_responses:
    - command: 'host-deny'
      location: 'local'
      level: 6
      timeout: 600

shared_agent_config:
  - type: os
    type_value: linux
    frequency_check: 79200
    ignore_files:
      - /etc/mtab
      - /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/svc/volatile
    directories:
      - check_all: yes
        dirs: /etc,/usr/bin,/usr/sbin
      - check_all: yes
        dirs: /bin,/sbin
    localfiles:
      - format: 'syslog'
        location: '/var/log/messages'
      - format: 'syslog'
        location: '/var/log/secure'
      - format: 'syslog'
        location: '/var/log/maillog'
      - format: 'apache'
        location: '/var/log/httpd/error_log'
      - format: 'apache'
        location: '/var/log/httpd/access_log'
      - format: 'apache'
        location: '/var/ossec/logs/active-responses.log'

Custom variables:

You can create a YAML file and change the default variables for this role, to later using it with -e option in ansible-playbooks, for example:

---
wazuh_manager_fqdn: "wazuh-server"

wazuh_manager_config:
  email_notification: yes
  mail_to:
    - myadmin@mydomain.com
  mail_smtp_server: mysmtp.mydomain.com

Dependencies

No dependencies.

Example Playbook

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

- hosts: wazuh-server.example.com
  roles:
     - { role: ansible-wazuh-server }

License and copyright

WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)

Based on previous work from dj-wasabi

Modified by Wazuh

The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.