diff --git a/.github/actions/default/Dockerfile b/.github/actions/default/Dockerfile
new file mode 100644
index 00000000..9dffbde8
--- /dev/null
+++ b/.github/actions/default/Dockerfile
@@ -0,0 +1,7 @@
+FROM quay.io/ansible/molecule:2.20
+
+VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock" ]
+
+COPY ./entrypoint.sh /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
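Review bot: The base image on the first line is pinned only by the mutable tag `quay.io/ansible/molecule:2.20`, so the CI toolchain can change underneath this action without any diff in the repository; pin it by digest as well, e.g. `FROM quay.io/ansible/molecule:2.20@sha256:<digest-placeholder>`, and refresh the digest deliberately. The `VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock" ]` line looks like a leftover from a systemd-in-container image: this action container only runs `molecule`, and the systemd platforms are started separately by the docker driver, so the volumes appear unneeded here — if they are intentional, a one-line comment saying why would help, e.g. `# cgroup/run volumes needed by <reason> — TODO confirm`. If the build path supports BuildKit, `COPY --chmod=755 ./entrypoint.sh /entrypoint.sh` would replace the separate `RUN chmod` layer.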
diff --git a/.github/actions/default/action.yml b/.github/actions/default/action.yml
new file mode 100644
index 00000000..a9b38478
--- /dev/null
+++ b/.github/actions/default/action.yml
@@ -0,0 +1,6 @@
+name: molecule-test
+description: Molecule tests for Wazuh Ansible
+runs:
+ using: docker
+ image: 'Dockerfile'
+
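Review bot: The file ends with an extra blank line and mixes quoting styles — `image: 'Dockerfile'` is quoted while `using: docker` is not; neither value needs quotes, so `image: Dockerfile` and dropping the trailing empty line keeps the file consistent with the other YAML in this commit. A `---` document-start marker would also match `molecule.yml` and `playbook.yml` in the same change.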
diff --git a/.github/actions/default/entrypoint.sh b/.github/actions/default/entrypoint.sh
new file mode 100644
index 00000000..158e9f08
--- /dev/null
+++ b/.github/actions/default/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -eu
+
+molecule test
\ No newline at end of file
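Review bot: The script has no trailing newline (the `\ No newline at end of file` marker), which some tools and linters flag; add one. Since this is a container ENTRYPOINT, consider `exec molecule test "$@"` on the last line so molecule replaces the shell, receives signals from the runner directly, and any arguments passed to the action are forwarded instead of silently dropped.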
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..26cb0e32
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,13 @@
+
+name: Molecule tests for Wazuh Ansible
+
+on: [push]
+
+jobs:
+ default:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v2
+ - name: Default scenario
+ uses: './.github/actions/default'
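Review bot: `uses: actions/checkout@v2` pins a mutable tag rather than a commit, so the checkout step is a moving supply-chain dependency in a job that goes on to run privileged Docker containers; pin it to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha-placeholder>  # v2`. The trigger is `on: [push]` only, so pull requests (including from forks) are never tested before merge — `on: [push, pull_request]` would cover them. The file also opens with an empty line before `name:`, and the step indentation as shown here is flat, which may be an artifact of how the diff was rendered — worth checking that the committed file nests `steps:` items correctly.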
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2
new file mode 100644
index 00000000..19692c20
--- /dev/null
+++ b/molecule/default/Dockerfile.j2
@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst
new file mode 100644
index 00000000..e26493b8
--- /dev/null
+++ b/molecule/default/INSTALL.rst
@@ -0,0 +1,16 @@
+*******
+Install
+*******
+
+Requirements
+============
+
+* Docker Engine
+* docker-py
+
+Install
+=======
+
+.. code-block:: bash
+
+ $ sudo pip install docker-py
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 00000000..cd184961
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,53 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+ enabled: false
+platforms:
+
+ - name: manager_centos7
+ image: milcom/centos7-systemd
+ command: /sbin/init
+ ulimits:
+ - nofile:262144:262144
+ privileged: true
+ memory_reservation: 2048m
+
+ - name: ubuntu20
+ image: jrei/systemd-ubuntu:20.04
+ privileged: true
+
+ - name: debian9
+ image: jrei/systemd-debian:9
+ privileged: true
+
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ hash_behaviour: merge
+ env:
+ ANSIBLE_ROLES_PATH: ./roles
+ lint:
+ name: ansible-lint
+ enabled: false
+scenario:
+ name: default
+ test_sequence:
+ - dependency
+ - syntax
+ - create
+ - prepare
+ - converge
+ #- idempotence
+ - verify
+ - cleanup
+ - destroy
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
+ enabled: false
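Review bot: Every platform is started with `privileged: true` from unpinned third-party images (`milcom/centos7-systemd`, `jrei/systemd-ubuntu:20.04`, `jrei/systemd-debian:9`), which means whatever those tags resolve to on a given day runs with full host privileges on the CI runner; pin them by digest (`image: jrei/systemd-ubuntu:20.04@sha256:<digest-placeholder>`) and add a comment explaining that privileged mode is required for systemd in the container. All three linters are disabled (`yamllint`, `ansible-lint`, `flake8` each `enabled: false`) and `idempotence` is commented out of `test_sequence`, so the scenario never checks that the roles are idempotent — either re-enable it or document the reason inline, e.g. `# - idempotence  # disabled: <reason placeholder>`. The stray blank line directly under `platforms:` and the `nofile:262144:262144` ulimit without a comment are minor readability points.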
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
new file mode 100644
index 00000000..0e6bf98d
--- /dev/null
+++ b/molecule/default/playbook.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: ../../roles/wazuh/ansible-wazuh-manager
+ vars:
+ - { role: ../../roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: "elasticsearch_centos7:9200" }
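Review bot: The filebeat role on the last line sits inside the manager role's `vars:` as a list item rather than as a second entry of `roles:`, so as written the filebeat role is never applied and `vars` receives a list instead of a mapping; the indentation may have been flattened by the diff rendering, so please confirm, but the intended structure is presumably `- role: ../../roles/wazuh/ansible-filebeat` / `  vars:` / `    filebeat_output_elasticsearch_hosts: "..."` as a sibling of the manager role. Separately, `elasticsearch_centos7:9200` does not match any platform in this scenario's `molecule.yml` (`manager_centos7`, `ubuntu20`, `debian9`), so the configured Elasticsearch host will not resolve inside the containers. Converting the flow mapping to block style would also make the role/vars relationship unambiguous.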
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
new file mode 100644
index 00000000..e63a0bab
--- /dev/null
+++ b/molecule/default/tests/test_default.py
@@ -0,0 +1,52 @@
+import os
+import pytest
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+def get_wazuh_version():
+ """This return the version of Wazuh."""
+ return "3.13.1"
+
+def test_wazuh_packages_are_installed(host):
+ """Test if the main packages are installed."""
+ manager = host.package("wazuh-manager")
+ api = host.package("wazuh-api")
+ assert manager.is_installed
+ assert manager.version.startswith(get_wazuh_version())
+ assert api.is_installed
+ assert api.version.startswith(get_wazuh_version())
+
+def test_wazuh_services_are_running(host):
+ """Test if the services are enabled and running.
+
+ When assert commands are commented, this means that the service command has
+ a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
+ """
+ manager = host.service("wazuh-manager")
+ api = host.service("wazuh-api")
+ # assert manager.is_running
+ assert manager.is_running
+ # assert api.is_running
+ assert api.is_running
+
+@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
+ ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
+ ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
+ ("/var/ossec/etc/rules/local_rules.xml", "ossec", "ossec", 0o640),
+ ("/var/ossec/etc/lists/audit-keys", "ossec", "ossec", 0o660),
+])
+
+def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
+ """Test if Wazuh related files exist and have proper owners and mode."""
+ wazuh_file_host = host.file(wazuh_file)
+ assert wazuh_file_host.user == wazuh_owner
+ assert wazuh_file_host.group == wazuh_group
+ assert wazuh_file_host.mode == wazuh_mode
+
+def test_filebeat_is_installed(host):
+ """Test if the elasticsearch package is installed."""
+ filebeat = host.package("filebeat")
+ assert filebeat.is_installed
+ assert filebeat.version.startswith('7.8.0')
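Review bot: The docstring of `test_wazuh_services_are_running` and the `# assert ... is_running` comments describe assertions as commented out, but the very next lines assert `manager.is_running` and `api.is_running` unconditionally, so the comments are stale and should be removed (or the issue reference moved into a short note on why the asserts were re-enabled). `test_filebeat_is_installed`'s docstring says "Test if the elasticsearch package is installed" while the body checks `filebeat`. The expected versions `"3.13.1"` and `'7.8.0'` are hard-coded in two places; reading them from an environment variable or the role defaults (with these values as fallback) would keep the tests from silently going stale on the next bump. Style: there is a blank line between the `@pytest.mark.parametrize` decorator and `def test_wazuh_files`, and `get_wazuh_version`'s docstring should read `"""Return the expected Wazuh version."""`.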
diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml
index d2d06097..30fad99d 100644
--- a/roles/elastic-stack/ansible-kibana/tasks/main.yml
+++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml
@@ -14,16 +14,6 @@
- import_tasks: Debian.yml
when: ansible_os_family == 'Debian'
-- name: Reload systemd
- systemd:
- daemon_reload: true
- ignore_errors: true
- when:
- - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
-
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
@@ -176,10 +166,6 @@
mode: 0751
changed_when: False
-- name: Reload systemd configuration
- systemd:
- daemon_reload: true
-
- name: Ensure Kibana is started and enabled
service:
name: kibana
diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml
index 006b7cd7..e127f2f9 100755
--- a/roles/opendistro/opendistro-kibana/tasks/main.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/main.yml
@@ -11,16 +11,6 @@
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
-- name: Reload systemd
- systemd:
- daemon_reload: true
- ignore_errors: true
- when:
- - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
-
- name: Install Kibana
package:
name: "opendistroforelasticsearch-kibana{{ kibana_opendistro_version }}"
@@ -119,10 +109,6 @@
mode: 0751
changed_when: False
-- name: Reload systemd configuration
- systemd:
- daemon_reload: true
-
- name: Ensure Kibana started and enabled
service:
name: kibana
diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml
index 71d57a6d..f4e30a77 100644
--- a/roles/wazuh/ansible-filebeat/tasks/main.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/main.yml
@@ -111,15 +111,6 @@
when: filebeat_create_config
notify: restart filebeat
-- name: Reload systemd
- systemd: daemon_reload=yes
- ignore_errors: true
- when:
- - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
-
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 586fd594..c2652053 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -294,4 +294,19 @@ wazuh_agent_config:
list:
- key: Env
value: Production
+ enrollment:
+ enabled: no
+ manager_address: ''
+ port: 1515
+ agent_name: ''
+ groups: ''
+ agent_address: ''
+ ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+ server_ca_path: ''
+ agent_certificate_path: ''
+ agent_key_path: ''
+ authorization_pass: ChangeMe
+ auto_method: no
+ delay_after_enrollment: 20
+ use_source_ip: no
wazuh_agent_nat: false
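Review bot: `enabled: no`, `auto_method: no` and `use_source_ip: no` are parsed as YAML booleans by Ansible, but the new template block in `var-ossec-etc-ossec-agent.conf.j2` guards on `wazuh_agent_config.enrollment.enabled == 'yes'` — a string comparison — so a user who sets `enabled: yes` gets boolean `True` and the enrollment section is never rendered, while the `{{ ... }}` expansions for these three keys would emit `True`/`False` rather than the `yes`/`no` Wazuh expects; either quote the defaults (`enabled: 'no'`) and document that, or change the template to `{% if wazuh_agent_config.enrollment is defined and wazuh_agent_config.enrollment.enabled | bool %}` and render `{{ 'yes' if wazuh_agent_config.enrollment.enabled | bool else 'no' }}`. The same applies to the template hunk at lines 336-351 of this diff. `authorization_pass: ChangeMe` ships a real-looking default for the enrollment password; a comment such as `# override via vault/extra-vars; never commit the real value` (and ideally an empty default that the template skips) would make the intent clear. Quoting `ssl_cipher` is advisable since the value carries `!`, `:` and `@` characters even though it parses as a plain scalar today.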
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index a1e79db5..d5433660 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -45,6 +45,26 @@
{{ wazuh_agent_config.client_buffer.events_per_sec }}
+ {% if wazuh_agent_config.enrollment is defined and wazuh_agent_config.enrollment.enabled == 'yes' %}
+
+ {{ wazuh_agent_config.enrollment.enabled }}
+ {{ wazuh_agent_config.enrollment.manager_address }}
+ {{ wazuh_agent_config.enrollment.port }}
+ {{ wazuh_agent_config.enrollment.agent_name }}
+ {{ wazuh_agent_config.enrollment.groups }}
+ {{ wazuh_agent_config.enrollment.agent_address }}
+ {{ wazuh_agent_config.enrollment.ssl_cipher }}
+ {{ wazuh_agent_config.enrollment.server_ca_path }}
+ {{ wazuh_agent_config.enrollment.agent_certificate_path }}
+ {{ wazuh_agent_config.enrollment.agent_key_path }}
+ {{ wazuh_agent_config.enrollment.authorization_pass }}
+ {{ wazuh_agent_config.enrollment.auto_method }}
+ {{ wazuh_agent_config.enrollment.delay_after_enrollment }}
+ {{ wazuh_agent_config.enrollment.use_source_ip }}
+
+ {% endif %}
+
+
{% if wazuh_agent_config.rootcheck is defined %}
no
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
index 1cc75f38..9e57193d 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
@@ -102,10 +102,6 @@
name:
- "wazuh-manager={{ wazuh_manager_version }}"
state: present
- cache_valid_time: 3600
- install_recommends: false
- register: wazuh_manager_main_packages_installed
- until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_manager_sources_installation.enabled