afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #881 from wazuh/873-github-actions

Browse Source 
GitHub actions remake
This commit is contained in:
Gonzalo Acuña 2023-02-01 10:03:52 -03:00 committed by GitHub
commit 16b9078a18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 510 additions and 2315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.github/dependabot.yml vendored
View File

@ -1,12 +0,0 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"
target-branch: "4.4"

67
.github/playbooks/aio-wazuh.yml vendored Normal file
View File

@ -0,0 +1,67 @@
- name: Generate certificates prior to converging
hosts: localhost
become: true
become_user: root
roles:
- role: ../../roles/wazuh/wazuh-indexer
vars:
generate_certs: true
perform_installation: false
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node3:
name: wazuh-mgr01
ip: "127.0.0.1"
role: wazuh
node5:
name: wazuh-dash01
ip: "127.0.0.1"
role: dashboard
pre_tasks:
- name: overview of cert configuration
debug:
var: wazuh_endpoint_list
- name: Converge
hosts: localhost
become: true
become_user: root
roles:
# 1. Check packages
- role: ../../roles/wazuh/check-packages
become: no
delegate_to: localhost
run_once: true
# 2. Wazuh indexer
- role: ../../roles/wazuh/wazuh-indexer
vars:
indexer_node_name: "wazuh-es01"
single_node: true
# 3. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
- role: ../../roles/wazuh/ansible-filebeat-oss
vars:
filebeat_node_name: "wazuh-mgr01"
filebeat_output_indexer_hosts:
- "localhost:9200"
# 4. Wazuh dashboard
- role: ../../roles/wazuh/wazuh-dashboard
vars:
dashboard_node_name: "wazuh-dash01"
vars:
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node3:
name: wazuh-mgr01
ip: "127.0.0.1"
role: wazuh
node5:
name: wazuh-dash01
ip: "127.0.0.1"
role: dashboard

7
molecule/default/converge.yml → .github/playbooks/single-wazuh.yml vendored
View File

@ -13,7 +13,7 @@
tags: tags:
- generate-certs - generate-certs
- name: ConvergeInstall - name: ConvergeInstall
hosts: all hosts: localhost
roles: roles:
# 1. Check packages # 1. Check packages
- role: ../../roles/wazuh/check-packages - role: ../../roles/wazuh/check-packages
@ -23,7 +23,10 @@
# 2. Managers # 2. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager - role: ../../roles/wazuh/ansible-wazuh-manager
vars: vars:
- { role: ../../roles/wazuh/ansible-filebeat-oss, filebeat_output_indexer_hosts: "indexer_centos7:9200" } - role: ../../roles/wazuh/ansible-filebeat-oss
vars:
filebeat_output_indexer_hosts:
- "indexer_centos7:9200"
pre_tasks: pre_tasks:
- name: (converge) fix missing packages in cloud images - name: (converge) fix missing packages in cloud images
apt: apt:

67
.github/workflows/al_aio.yml vendored Normal file
View File

@ -0,0 +1,67 @@
---
name: AIO-AL-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.AL2_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

67
.github/workflows/al_wazuh.yml vendored Normal file
View File

@ -0,0 +1,67 @@
---
name: Wazuh-AL-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.AL2_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/centos_aio.yml vendored Normal file
View File

@ -0,0 +1,76 @@
---
name: AIO-CentOS-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/centos_wazuh.yml vendored Normal file
View File

@ -0,0 +1,76 @@
---
name: Wazuh-CentOS-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

66
.github/workflows/main.yml vendored
View File

@ -1,66 +0,0 @@
---
name: Molecule tests for Wazuh Ansible
on: [pull_request, workflow_dispatch, release]
jobs:
scenario-default:
name: Default scenario (smoke)
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
# Hack to get setup-python to work on act
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s default
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
scenario-distributed-wazuh:
name: Distributed Wazuh
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s distributed-wazuh
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'

76
.github/workflows/ubuntu_aio.yml vendored Normal file
View File

@ -0,0 +1,76 @@
---
name: AIO-Ubuntu-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/ubuntu_wazuh.yml vendored Normal file
View File

@ -0,0 +1,76 @@
---
name: Wazuh-Ubuntu-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

16
molecule/default/INSTALL.rst
View File

@ -1,16 +0,0 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py

69
molecule/default/molecule.yml
View File

@ -1,69 +0,0 @@
---
# Smoke test: basic manager run
dependency:
name: galaxy
driver:
name: docker
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
- name: wazuh_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: wazuh_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
config_options:
defaults:
hash_behaviour: merge
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
name: ansible-lint
enabled: false
scenario:
name: default
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
#- idempotence
#- verify
- cleanup
- destroy
verifier:
name: testinfra

65
molecule/default/tests/test_default.py
View File

@ -1,65 +0,0 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.4.0"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "wazuh", "wazuh", 0o640),
("/var/ossec/etc/lists/audit-keys", "wazuh", "wazuh", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.10.2')

36
molecule/distributed-wazuh-elk-xpack/group_vars/all.yml
View File

@ -1,36 +0,0 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
kibana_hostvars: "{{ groups['kibana'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
########################################################
# Versions
elastic_stack_version: 7.10.2
filebeat_version: 7.10.2
# Debian packages need the ${VERSION}-1
wazuh_manager_version: 4.4.0-1
wazuh_agent_version: 4.4.0-1
# Kibana role appends it automatically.
wazuh_version: 4.4.0
########################################################
# General ELK stack variables
# Xpack Security: autogenerate CA
generate_CA: true
filebeat_xpack_security: true
kibana_xpack_security: true
elasticsearch_xpack_security: true
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass

64
molecule/distributed-wazuh-elk-xpack/tests/test_default.py
View File

@ -1,64 +0,0 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.4.0"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "wazuh", "wazuh", 0o640),
("/var/ossec/etc/lists/audit-keys", "wazuh", "wazuh", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.10.2')

23
molecule/distributed-wazuh-elk/group_vars/all.yml
View File

@ -1,23 +0,0 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
########################################################
# Versions
elastic_stack_version: 7.10.2
filebeat_version: 7.10.2
# Debian packages need the ${VERSION}-1
wazuh_manager_version: 4.4.0-1
wazuh_agent_version: 4.4.0-1
# Kibana role appends it automatically.
wazuh_version: 4.4.0

47
molecule/distributed-wazuh-odfe/group_vars/all.yml
View File

@ -1,47 +0,0 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
kibana_hostvars: "{{ groups['kibana'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
########################################################
# General ELK stack variables
# OpenDistro
kibana_opendistro_security: true
opendistro_kibana_user: kibanaserver
opendistro_security_user: elastic
opendistro_kibana_password: changeme
opendistro_security_password: admin
opendistro_admin_password: changeme
# All nodes are called by IP name
elasticsearch_node_name: '{{ ansible_hostname }}'
kibana_node_name: '{{ ansible_hostname }}'
filebeat_node_name: '{{ ansible_hostname }}'
########################################################
# Versions
# See: https://opendistro.github.io/for-elasticsearch-docs/version-history/
elastic_stack_version: 7.10.2
opendistro_version: 1.13.2
filebeat_version: 7.10.2
kibana_opendistro_version: 1.13.2-1
# Debian packages need the ${VERSION}-1
wazuh_manager_version: 4.4.0-1
wazuh_agent_version: 4.4.0-1
# Kibana role appends it automatically.
wazuh_version: 4.4.0

64
molecule/distributed-wazuh-odfe/tests/test_default.py
View File

@ -1,64 +0,0 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.4.0"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "wazuh", "wazuh", 0o640),
("/var/ossec/etc/lists/audit-keys", "wazuh", "wazuh", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.10.2')

16
molecule/distributed-wazuh/INSTALL.rst
View File

@ -1,16 +0,0 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py

126
molecule/distributed-wazuh/converge.yml
View File

@ -1,126 +0,0 @@
---
- name: Build Facts
hosts: all
become: true
become_user: root
vars:
endpoints_hostvars: '{{ managers_hostvars | union(indexer_hostvars) | union(dashboard_hostvars) }}'
wazuh_managers_common:
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: ansible
max_retries: 5
retry_interval: 5
pre_tasks:
- name: (converge) build instances list dynamically for cert generator consumption
set_fact:
wazuh_endpoint_list: "{{ wazuh_endpoint_list | default({}) | combine({ instance_hostname: instance_item }) }}"
vars:
instance_hostname: '{{ item.ansible_facts.hostname }}'
instance_item:
name: '{{ instance_hostname }}'
ip: '{{ item.private_ip }}'
loop: '{{ endpoints_hostvars }}'
no_log: true
- name: (converge) build wazuh_managers list dynamically for agents to consume
set_fact:
wazuh_managers_list: '{{ wazuh_managers_list | default([]) | union([manager_item]) }}'
vars:
manager_item: '{{ wazuh_managers_common | combine({"address": item}) }}'
loop: '{{ manager_addresses }}'
- name: overview of cert configuration
debug:
var: wazuh_endpoint_list
- name: Generate certificates prior to converging
hosts: molecule_wazuh_indexer_centos7
become: true
become_user: root
roles:
- role: ../../roles/wazuh/wazuh-indexer
vars:
generate_certs: true
perform_installation: false
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.molecule_wazuh_indexer_centos7.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: wazuh-es02
ip: "{{ hostvars.molecule_wazuh_indexer_centos7_2.private_ip }}"
role: indexer
node3:
name: wazuh-mgr01
ip: "{{ hostvars.molecule_wazuh_manager_debian9.private_ip }}"
role: wazuh
node_type: master
node4:
name: wazuh-mgr02
ip: "{{ hostvars.molecule_wazuh_manager_centos7.private_ip }}"
role: wazuh
node_type: worker
node5:
name: wazuh-dash01
ip: "{{ hostvars.molecule_wazuh_dashboard_centos7.private_ip }}"
role: dashboard
pre_tasks:
- name: overview of cert configuration
debug:
var: wazuh_endpoint_list
- name: Converge
hosts: all
become: true
become_user: root
roles:
# 1. Check packages
- role: ../../roles/wazuh/check-packages
become: no
delegate_to: localhost
run_once: true
# 2. Wazuh indexer
- role: ../../roles/wazuh/wazuh-indexer
when: inventory_hostname in groups['indexer']
# 3. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
when: inventory_hostname in groups['managers']
- role: ../../roles/wazuh/ansible-filebeat-oss
when: inventory_hostname in groups['managers']
# 4. Wazuh dashboard
- role: ../../roles/wazuh/wazuh-dashboard
when: inventory_hostname in groups['dashboard']
# 5. Agents:
- role: ../../roles/wazuh/ansible-wazuh-agent
vars:
wazuh_managers: '{{ wazuh_managers_list }}'
when: inventory_hostname in groups['agents']
vars:
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.molecule_wazuh_indexer_centos7.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: wazuh-es02
ip: "{{ hostvars.molecule_wazuh_indexer_centos7_2.private_ip }}"
role: indexer
node3:
name: wazuh-mgr01
ip: "{{ hostvars.molecule_wazuh_manager_debian9.private_ip }}"
role: wazuh
node_type: master
node4:
name: wazuh-mgr02
ip: "{{ hostvars.molecule_wazuh_manager_centos7.private_ip }}"
role: wazuh
node_type: worker
node5:
name: wazuh-dash01
ip: "{{ hostvars.molecule_wazuh_dashboard_centos7.private_ip }}"
role: dashboard

24
molecule/distributed-wazuh/group_vars/agents.yml
View File

@ -1,24 +0,0 @@
---
wazuh_agent_config:
enrollment:
enabled: 'yes'
#manager_address: ''
#port: 1515
agent_name: '{{ ansible_hostname }}'
#groups: ''
#agent_address: ''
#server_ca_path: ''
#agent_certificate_path: ''
#agent_key_path: ''
#authorization_pass_path : /var/ossec/etc/authd.pass
#auto_method: 'no'
#delay_after_enrollment: 20
#use_source_ip: 'no'
wazuh_agent_authd:
registration_address: '{{ manager_addresses[0] }}'
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'

39
molecule/distributed-wazuh/group_vars/all.yml
View File

@ -1,39 +0,0 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
indexer_hostvars: "{{ groups['indexer'] | map('extract', hostvars) | list }}"
dashboard_hostvars: "{{ groups['dashboard'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
indexer_addresses: "{{ indexer_hostvars | map(attribute='private_ip') | list }}"
dashboard_addresses: "{{ dashboard_hostvars | map(attribute='private_ip') | list }}"
########################################################
# General Wazuh stack variables
# Wazuh indexer/dashboard
dashboard_security: true
dashboard_user: kibanaserver
indexer_security_user: admin
dashboard_password: changeme
indexer_security_password: changeme
indexer_admin_password: changeme
# All nodes are called by IP name
indexer_node_name: '{{ ansible_facts.hostname }}'
dashboard_node_name: '{{ ansible_facts.hostname }}'
filebeat_node_name: '{{ ansible_facts.hostname }}'
indexer_version: 4.4.0
filebeat_version: 7.10.2
wazuh_version: 4.4.0
# Debian packages need the ${VERSION}-1
wazuh_manager_version: 4.4.0
wazuh_agent_version: 4.4.0

16
molecule/distributed-wazuh/group_vars/dashboard.yml
View File

@ -1,16 +0,0 @@
---
dashboard_server_name: '{{ ansible_hostname }}'
indexer_network_host: "{{ indexer_addresses[0] }}"
indexer_node_master: false
indexer_node_ingest: false
indexer_node_data: false
role: 'dashboard'
wazuh_api_credentials:
- id: default
url: 'https://{{ manager_addresses[0] }}'
port: 55000
username: wazuh
password: wazuh

13
molecule/distributed-wazuh/group_vars/indexer.yml
View File

@ -1,13 +0,0 @@
---
single_node: false
indexer_node_master: true
minimum_master_nodes: 1
role: 'indexer'
indexer_network_host: '{{ private_ip }}'
indexer_http_port: 9200
indexer_cluster_nodes: '{{ indexer_addresses }}'
indexer_discovery_nodes: '{{ indexer_addresses }}'

21
molecule/distributed-wazuh/group_vars/managers.yml
View File

@ -1,21 +0,0 @@
---
wazuh_manager_fqdn: '{{ ansible_hostname }}'
filebeat_output_indexer_hosts: '{{ indexer_addresses }}'
node_type: "{{ 'master' if ansible_hostname == 'wazuh-mgr01' else 'worker' }}"
role: 'wazuh'
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: '{{ ansible_hostname }}'
node_type: "{{ 'master' if ansible_hostname == 'wazuh-mgr01' else 'worker' }}"
nodes: '{{ manager_addresses }}'
hidden: 'no'

162
molecule/distributed-wazuh/molecule.yml
View File

@ -1,162 +0,0 @@
---
# Distributed scenario: clustered manager scenario + connected agents
# 2-core CPU
# 7 GB of RAM memory
# 14 GB of SSD disk space
#
# Source: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners
dependency:
name: galaxy
driver:
name: docker
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
################################################
# Wazuh Managers
################################################
- name: molecule_wazuh_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_wazuh_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh indexer Cluster
################################################
- name: molecule_wazuh_indexer_centos7
hostname: wazuh-es01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- indexer
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_wazuh_indexer_centos7_2
hostname: wazuh-es02
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- indexer
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh Agents
################################################
- name: molecule_wazuh_agent_centos7
hostname: wazuh-agent01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_wazuh_agent_debian9
hostname: wazuh-agent02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh dashboard
################################################
- name: molecule_wazuh_dashboard_centos7
hostname: wazuh-dash01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 2048m
memory_reservation: 512m
groups:
- dashboard
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
inventory:
links:
group_vars: group_vars
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
config_options:
defaults:
hash_behaviour: merge
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
name: ansible-lint
enabled: false
scenario:
name: distributed-wazuh
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
#- idempotence
#- verify
- cleanup
- destroy
verifier:
name: testinfra

64
molecule/distributed-wazuh/tests/test_default.py
View File

@ -1,64 +0,0 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.4.0"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "wazuh", "wazuh", 0o640),
("/var/ossec/etc/lists/audit-keys", "wazuh", "wazuh", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.10.2')

1342
poetry.lock generated
View File

File diff suppressed because it is too large Load Diff

28
pyproject.toml
View File

@ -1,28 +0,0 @@
[tool.poetry]
name = "wazuh-ansible"
version = "4.4.0"
description = ""
authors = ["neonmei <neonmei@pm.me>"]
[tool.poetry.dependencies]
python = "^3.6"
# Pin ansible version to that currently present on awx
ansible = "==4.10.0"
jinja2 = "^3.0.3"
[tool.poetry.dev-dependencies]
pytest = "^7.0"
ansible-lint = "^5.4.0"
flake8 = "^4.0.1"
selinux = "^0.2.1"
yamllint = "^1.26.3"
# minimum version is 3.0.3, because we need docker memory limitation
# https://github.com/ansible-community/molecule/pull/2615
molecule = {extras = ["docker"], version = "==3.3.4"}
testinfra = "^6.0.0"
[build-system]
requires = ["poetry>=1.1.8"]
build-backend = "poetry.masonry.api"