diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 4f587c86..d4684ab4 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -43,16 +43,6 @@ wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes'
-wazuh_agent_authd:
- registration_address: 127.0.0.1
- enable: false
- port: 1515
- agent_name: null
- groups: []
- ssl_agent_ca: null
- ssl_agent_cert: null
- ssl_agent_key: null
- ssl_auto_negotiate: 'no'
wazuh_notify_time: '10'
wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes'
@@ -74,26 +64,38 @@ wazuh_agent_repo:
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+# This is deprecated, see: wazuh_agent_address
wazuh_agent_nat: false
##########################################
### Wazuh
##########################################
+wazuh_agent_nolog_sensible: yes
wazuh_agent_config_overlay: yes
-## Client
+# This is a middle ground between breaking existing uses of wazuh_agent_nat
+# and allow working with agents having several network interfaces
+wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}'
+
+# List of managers. The first one with register variable declared *and* set to true
+# is the one used to register the agent. Otherwise, the first one in the list will be used.
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
- api_proto: 'http'
+ api_proto: https
api_user: wazuh
max_retries: 5
retry_interval: 5
+ register: yes
+
+## Authentication Method: Enrollment section (4.x)
+
+# For more information see:
+# * https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html#enrollment
-## Enrollment
wazuh_agent_enrollment:
enabled: 'yes'
manager_address: ''
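Review bot: The example manager entry switches `api_proto` to `https` but declares no `validate_certs`, and the API tasks in tasks/Linux.yml read `target_manager.validate_certs | default(false)`, so out of the box the JWT login (which sends `api_user`/`api_pass` as basic auth) and the key retrieval run over TLS with certificate verification disabled. Add the key to the entry and document it next to `api_proto`, e.g. `validate_certs: true  # verify the manager API certificate; set false only for self-signed test setups`, so the insecure mode is an explicit opt-in. `wazuh_agent_nolog_sensible: yes` and `register: yes` rely on YAML 1.1 truthy parsing; `true` is the canonical spelling, and the comment above `wazuh_managers` should say the flag must be an unquoted boolean, since the manager selection in the tasks appears to use the Jinja `true` test, which a quoted `'yes'` would not satisfy.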
@@ -110,6 +112,28 @@ wazuh_agent_enrollment:
delay_after_enrollment: 20
use_source_ip: 'no'
+## Authentication Method: invoking agent-auth
+
+# For more information see:
+# * https://documentation.wazuh.com/4.0/user-manual/registering/password-authorization-registration.html
+
+wazuh_agent_authd:
+ registration_address: 127.0.0.1
+ enable: false
+ port: 1515
+ agent_name: null
+ groups: []
+ ssl_agent_ca: null
+ ssl_agent_cert: null
+ ssl_agent_key: null
+ ssl_auto_negotiate: 'no'
+
+## Authentication Method: REST API
+
+# For more information see:
+# * https://documentation.wazuh.com/4.0/user-manual/registering/restful-api-registration.html
+wazuh_agent_api_validate: yes
+
## Client buffer
wazuh_agent_client_buffer:
disable: 'no'
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index 3279647a..8b8d9314 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -41,8 +41,7 @@
- name: Linux | Check if client.keys exists
stat:
path: /var/ossec/etc/client.keys
- register: check_keys
- when: wazuh_agent_config.enrollment.enabled == 'no'
+ register: client_keys_file
tags:
- config
@@ -97,18 +96,18 @@
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- - not check_keys.stat.exists or check_keys.stat.size == 0
+ - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key received"
when:
- - not check_keys.stat.exists or check_keys.stat.size == 0
+ - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when:
- - wazuh_agent_authd.enable
- - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
+ - wazuh_agent_authd.enable | bool
+ - wazuh_agent_config.enrollment.enabled != 'yes'
tags:
- config
- authd
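Review bot: The new block condition `wazuh_agent_config.enrollment.enabled != 'yes'` only recognises the exact string `'yes'`; the default is the quoted string, but an inventory override of `enabled: yes` or `true` becomes a boolean, the comparison is true and the agent-auth path runs alongside enrollment. The same comparison appears in the rest-API block condition below and in the agent.conf template's `{% if wazuh_agent_config.enrollment.enabled == 'yes' %}`, where a boolean value would silently drop the whole enrollment section. Normalising the type once, e.g. `- not (wazuh_agent_config.enrollment.enabled | bool)` here and `| bool` in the template condition, removes the dependence on how the value was spelled. The block these conditions belong to starts before this hunk.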
@@ -116,69 +115,100 @@
- name: Linux | Agent registration via rest-API
block:
+ - name: Establish target Wazuh Manager for registration task
+ set_fact:
+ target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
+ vars:
+ manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
+ manager_fallback: "{{ wazuh_managers | list }}"
+
+ - name: Linux | Obtain JWT Token
+ uri:
+ url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
+ method: GET
+ url_username: '{{ target_manager.api_user }}'
+ url_password: '{{ api_pass }}'
+ status_code: 200
+ return_content: yes
+ force_basic_auth: yes
+ validate_certs: '{{ target_manager.validate_certs | default(false) }}'
+ no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
+ delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost" }}'
+ changed_when: api_jwt_result.json.error == 0
+ register: api_jwt_result
+ become: no
+ tags:
+ - config
+ - api
+
- name: Linux | Create the agent key via rest-API
uri:
- url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/"
- validate_certs: false
+ url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
method: POST
- body: '{"name":"{{ agent_name }}"}'
body_format: json
- status_code: 200
+ body:
+ name: '{{ agent_name }}'
+ ip: '{{ wazuh_agent_address }}'
+ force_time: 1
headers:
- Content-Type: "application/json"
- user: "{{ wazuh_managers.0.api_user }}"
- password: "{{ api_pass }}"
- register: newagent_api
- delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
+ Authorization: 'Bearer {{ jwt_token }}'
+ status_code: 200
+ return_content: yes
+ validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
- changed_when: newagent_api.json.error == 0
- when:
- - not check_keys.stat.exists or check_keys.stat.size == 0
- - wazuh_managers.0.address is not none
+ no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
+ delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
+ changed_when: api_agent_post.json.error == 0
+ register: api_agent_post
+ vars:
+ agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
+ jwt_token: '{{ api_jwt_result.json.data.token }}'
tags:
- config
- api
- - name: Linux | Retrieve new agent data via rest-API
+ - name: Linux | Validate registered agent key matches manager record
uri:
- url: >-
- "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address
- }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}"
- validate_certs: false
+ url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
method: GET
- return_content: true
- user: "{{ wazuh_managers.0.api_user }}"
- password: "{{ api_pass }}"
- when:
- - not check_keys.stat.exists or check_keys.stat.size == 0
- - wazuh_agent_authd.registration_address is not none
- - newagent_api.json.error == 0
- register: newagentdata_api
- delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
+ headers:
+ Authorization: 'Bearer {{ jwt_token }}'
+ status_code: 200
+ return_content: yes
+ validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
+ no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
+ delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
+ register: api_agent_validation
+ vars:
+ agent_id: '{{ api_agent_post.json.data.id }}'
+ agent_key: '{{ api_agent_post.json.data.key }}'
+ jwt_token: '{{ api_jwt_result.json.data.token }}'
+ failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
+ when:
+ - wazuh_agent_api_validate | bool
+ - api_agent_post.json.error == 0
tags:
- config
- api
- - name: Linux | Register agent (via rest-API)
+ - name: Linux | Import Key (via rest-API)
command: /var/ossec/bin/manage_agents
environment:
OSSEC_ACTION: i
- OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}'
- OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}'
- OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}'
- OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}'
+ OSSEC_AGENT_NAME: '{{ agent_name }}'
+ OSSEC_AGENT_IP: '{{ wazuh_agent_address }}'
+ OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}'
+ OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output
- when:
- - not check_keys.stat.exists or check_keys.stat.size == 0
- - wazuh_agent_authd.registration_address is not none
- - newagent_api.json.error == 0
+ vars:
+ agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
notify: restart wazuh-agent
-
when:
- - not wazuh_agent_authd.enable
- - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
+ - not ( wazuh_agent_authd.enable | bool )
+ - wazuh_agent_config.enrollment.enabled != 'yes'
+ - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
tags:
- config
- api
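Review bot: The JWT task's `delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost" }}'` differs from the two later API tasks, which delegate to `inventory_hostname`; `ansible_host` is the connection address rather than an inventory name, so delegating to it may run on an implicit host without the agent's host and connection vars — use the same `inventory_hostname` expression in all three tasks. `changed_when: api_jwt_result.json.error == 0` reports a read-only token fetch as changed on every run; `changed_when: false` fits a GET. The `Import Key` task receives `OSSEC_AGENT_KEY` through `environment:` but has no `no_log`, so at high verbosity the key can appear in the logged remote command line; `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'` would align it with the API tasks. `agent_name` is derived twice with the same expression (`target_manager.agent_name | default(ansible_hostname)`), which could be a single `set_fact` next to `target_manager` so the name posted to the API and the name imported locally cannot drift.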
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index bb71ca45..22f94856 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -37,7 +37,7 @@
{{ wazuh_auto_restart }}
{{ wazuh_crypto_method }}
- {% if wazuh_agent_config.enrollment.enabled | length > 0 %}
+ {% if wazuh_agent_config.enrollment.enabled == 'yes' %}
{{ wazuh_agent_config.enrollment.enabled }}
{% if wazuh_agent_config.enrollment.manager_address | length > 0 %}