From 332ee7ae8bd4858d6761146e84b722bdb979cbda Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:24:43 -0300 Subject: [PATCH 01/11] roles/agent: add task for determining which wazuh_managers to use through `register: yes` instead of just grabbing the first one on the list, otherwise fallback to first in the list --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index e59d4653..31c1ba85 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -92,6 +92,7 @@ wazuh_managers: api_user: wazuh max_retries: 5 retry_interval: 5 + register: yes ## Enrollment wazuh_agent_enrollment: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 034a3122..642e26a8 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -116,6 +116,13 @@ - name: Linux | Agent registration via rest-API block: + - name: Establish target Wazuh Manager for registration task + set_fact: + target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}' + vars: + manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" + manager_fallback: "{{ wazuh_managers | list }}" + - name: Linux | Create the agent key via rest-API uri: url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" From 5f6973d8d25711cff12703d372558b115cf494a6 Mon Sep 17 00:00:00 2001 
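Review bot: The new `register: yes` entry in the `wazuh_managers` default uses the YAML 1.1 truthy spelling; write it as `register: true` so yamllint's truthy rule passes and the value is a boolean under YAML 1.2 parsers as well. The task added in the same patch filters this key with a boolean test, so it matters that it stays a real boolean rather than a string.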
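Review bot: `selectattr('register', 'true')` in the `manager_primary` var relies on the Jinja2 `true` test, which only exists in Jinja2 2.11 and later; on older interpreters the task fails with "no test named 'true'". A portable form that also matches the intent of "declared and set to true" is `manager_primary: "{{ wazuh_managers | selectattr('register', 'defined') | selectattr('register', 'sameas', true) | list }}"`. A short comment above the task, e.g. `# First manager with register: true wins; otherwise the first manager in the list`, would help, since the `length | ternary(...) | first` chain is not self-explanatory. The enclosing `block:` continues outside the hunk.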
From: neonmei Date: Mon, 23 Nov 2020 11:25:31 -0300 Subject: [PATCH 02/11] roles/agent: add task for fetching jwt token --- .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 642e26a8..69cae549 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -123,6 +123,25 @@ manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" manager_fallback: "{{ wazuh_managers | list }}" + - name: Linux | Obtain JWT Token + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' + method: GET + url_username: '{{ target_manager.api_user }}' + url_password: '{{ api_pass }}' + status_code: 200 + return_content: yes + force_basic_auth: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_jwt_result.json.error == 0 + register: api_jwt_result + become: no + tags: + - config + - api + - name: Linux | Create the agent key via rest-API uri: url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" From 535add6f4cde78b64939ea49d049e74988417f64 Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:26:39 -0300 Subject: [PATCH 03/11] roles/agent: add nolog variable for registration tasks with credentials output --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 31c1ba85..c06ed72b 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
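Review bot: The `delegate_to` expression on the new "Obtain JWT Token" task uses `ansible_host`, while the neighbouring API tasks delegate to `inventory_hostname`; `delegate_to` expects an inventory name, so a host whose `ansible_host` is an IP or alias absent from inventory may make this task fail or run somewhere unintended. Use the same form as the sibling tasks: `delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"`. `validate_certs: '{{ target_manager.validate_certs | default(false) }}'` sends the API user's basic-auth credentials and receives the bearer token without verifying the manager's certificate unless the operator opts in (the same expression recurs in the agent-key tasks later in this series); defaulting to `true`, or at minimum documenting the `validate_certs` key in the `wazuh_managers` default, would be the safer choice. Fetching a token is not a change to the host, so `changed_when: false` fits better than `changed_when: api_jwt_result.json.error == 0`, which marks the task changed on every successful run.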
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -80,6 +80,7 @@ wazuh_agent_nat: false ### Wazuh ########################################## +wazuh_agent_nolog_sensible: yes wazuh_agent_config_overlay: yes ## Client From d4092bf6864457c2de63e661f3e3f254b47e3264 Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:28:37 -0300 Subject: [PATCH 04/11] roles/agent: update agent registry task with token, nolog and remove when, as it is checked on every task, shuld be applied to block --- .../ansible-wazuh-agent/defaults/main.yml | 5 ++- .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 35 ++++++++++--------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index c06ed72b..9d7d261a 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -83,7 +83,10 @@ wazuh_agent_nat: false wazuh_agent_nolog_sensible: yes wazuh_agent_config_overlay: yes -## Client +# This is a middle ground between breaking existing uses of wazuh_agent_nat +# and allow working with agents having several network interfaces +wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}' + wazuh_managers: - address: 127.0.0.1 port: 1514 diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 69cae549..e165024c 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
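Review bot: `wazuh_agent_nolog_sensible: yes` is added without a comment, and the name ("sensible") does not tell a reader that it governs `no_log` on the tasks that handle API credentials and the agent key. Add a comment above it, e.g. `# Apply no_log to registration tasks whose output would contain API credentials or the agent key; set to false only when debugging`, and spell the value `true` so yamllint's truthy check passes. Since the tasks consume it through `| bool`, the comment should also state that a boolean is expected.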
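Review bot: The new `wazuh_agent_address` default dereferences `ansible_default_ipv4.address` unconditionally, which is undefined when facts are not gathered, when the host has no default IPv4 route, or on IPv6-only hosts, so templating the variable then errors with a generic undefined-variable message. Either state the requirement in the comment (`# Requires gathered facts: uses the default IPv4 address unless wazuh_agent_nat is set`) or fail explicitly with an `assert` task before the registration block, rather than letting the template error surface. The comment itself reads better as `# ... and allowing agents with several network interfaces to work`.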
@@ -144,23 +144,26 @@ - name: Linux | Create the agent key via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" - validate_certs: false + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' method: POST - body: '{"name":"{{ agent_name }}"}' body_format: json - status_code: 200 + body: + name: '{{ agent_name }}' + ip: '{{ wazuh_agent_address }}' + force_time: 1 headers: - Content-Type: "application/json" - user: "{{ wazuh_managers.0.api_user }}" - password: "{{ api_pass }}" - register: newagent_api - delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' become: no - changed_when: newagent_api.json.error == 0 - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + changed_when: api_agent_post.json.error == 0 + register: api_agent_post + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' tags: - config - api @@ -201,10 +204,10 @@ - wazuh_agent_authd.registration_address is not none - newagent_api.json.error == 0 notify: restart wazuh-agent - when: - - not wazuh_agent_authd.enable - - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no' + - not ( wazuh_agent_authd.enable | bool ) + - wazuh_agent_config.enrollment.enabled != 'yes' + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 tags: - config - api From a4c4b6cd327c630ff2b4ac99ce018431a703db51 Mon Sep 17 00:00:00 2001 
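Review bot: `force_time: 1` in the new request body hard-codes a manager-side policy: it lets this registration replace an existing agent with the same name or IP after only one second of disconnection, so re-running the role against a renamed or rebuilt host can evict a legitimately registered agent with no signal in the play. Expose it as a documented default (for example a `wazuh_agent_api_force_time` variable referenced as `force_time: '{{ wazuh_agent_api_force_time }}'`) and explain the semantics in `defaults/main.yml`, so operators can pick a conservative value. The `jwt_token` and `agent_name` vars are recomputed here and again in the later tasks; a single `set_fact` after the token task would remove the duplicated `api_jwt_result.json.data.token` lookups, though that `set_fact` would then need `no_log` as well. The enclosing `block:` starts before this hunk.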
From: neonmei
Date: Mon, 23 Nov 2020 11:29:34 -0300
Subject: [PATCH 05/11] roles/agent: refresh agent validation in rest registration method

---
 .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index e165024c..17cb9fa6 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -168,23 +168,27 @@ - config - api - - name: Linux | Retrieve new agent data via rest-API + - name: Linux | Validate registered agent key matches manager record uri: - url: >- - "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address - }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" - validate_certs: false + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' method: GET - return_content: true - user: "{{ wazuh_managers.0.api_user }}" - password: "{{ api_pass }}" - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - newagent_api.json.error == 0 - register: newagentdata_api - delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + headers: + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + register: api_agent_validation + vars: + agent_id: '{{ api_agent_post.json.data.id }}' + agent_key: '{{ api_agent_post.json.data.key }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key + when: + - wazuh_agent_api_validate | bool + - api_agent_post.json.error == 0 tags: - config - api From a28837a74da00c98d3d0f8570db774079e53228c Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:32:01 -0300 Subject: [PATCH 06/11] roles/agent: in rest registration method, update manage_agents task --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
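Review bot: The `failed_when` on the new validation task indexes `affected_items[0]` without checking that the list is non-empty, so an empty response (agent id unknown to the manager) fails with an undefined-variable error rather than the intended key-mismatch verdict; guard it first, e.g. `failed_when: (api_agent_validation.json.data.affected_items | length) != 1 or api_agent_validation.json.data.affected_items[0].key != agent_key`. The task also gates on `wazuh_agent_api_validate | bool`, but that default is only introduced in patch 08 of this series, so at this commit the role errors on an undefined variable; add the default here or reorder the patches. Re-reading the key from the manager and comparing it with the one returned by the POST is a good integrity check; a one-line comment stating that intent (`# Re-read the key from the manager and fail if it differs from the one we are about to import`) would help the next reader. The enclosing `block:` continues outside the hunk.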
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 17cb9fa6..9c2eb825 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -193,20 +193,18 @@ - config - api - - name: Linux | Register agent (via rest-API) + - name: Linux | Import Key (via rest-API) command: /var/ossec/bin/manage_agents environment: OSSEC_ACTION: i - OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}' - OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}' - OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}' - OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}' + OSSEC_AGENT_NAME: '{{ agent_name }}' + OSSEC_AGENT_IP: '{{ wazuh_agent_address }}' + OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}' + OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}' OSSEC_ACTION_CONFIRMED: y register: manage_agents_output - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - newagent_api.json.error == 0 + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' notify: restart wazuh-agent when: - not ( wazuh_agent_authd.enable | bool ) From 1df3ef86993ec125c51b1d15fb20078f92867beb Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:38:07 -0300 Subject: [PATCH 07/11] roles/agent: for registration rename check_keys->client_keys_file for more clarity, update conditionals length checks to explicit "yes" check --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 9c2eb825..8b8d9314 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
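Review bot: The reworked "Import Key" task passes `OSSEC_AGENT_KEY` through `environment:` and registers its output, but unlike the sibling API tasks it carries no `no_log`; at higher verbosity the registered result and key-bearing task details can end up in play output and logs. Add `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'` to match the other tasks in this block. The task also has no `changed_when`, so it is always reported changed; that is acceptable given the block-level `client_keys_file` guard, but a comment saying so would save the next reviewer the question. The enclosing `block:` and its `when:` continue outside the hunk.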
@@ -41,8 +41,7 @@ - name: Linux | Check if client.keys exists stat: path: /var/ossec/etc/client.keys - register: check_keys - when: wazuh_agent_config.enrollment.enabled == 'yes' + register: client_keys_file tags: - config @@ -97,18 +96,18 @@ vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" when: - - not check_keys.stat.exists or check_keys.stat.size == 0 + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - wazuh_agent_authd.registration_address is not none - name: Linux | Verify agent registration - shell: echo {{ agent_auth_output }} | grep "Valid key created" + shell: echo {{ agent_auth_output }} | grep "Valid key received" when: - - not check_keys.stat.exists or check_keys.stat.size == 0 + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - wazuh_agent_authd.registration_address is not none when: - - wazuh_agent_authd.enable - - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no' + - wazuh_agent_authd.enable | bool + - wazuh_agent_config.enrollment.enabled != 'yes' tags: - config - authd From 7e445c7f55078f4c6011bcc7981a37d54157d823 Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:39:27 -0300 Subject: [PATCH 08/11] roles/agent: add wazuh_agent_api_validate to optionally skip agent registry validation task --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 9d7d261a..328449fe 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
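Review bot: The updated "Verify agent registration" line still interpolates a registered result into a shell command (`shell: echo {{ agent_auth_output }} | grep "Valid key received"`); `agent_auth_output` appears to be a result dictionary registered from the agent-auth command above (outside the hunk), so what gets echoed is effectively its dictionary representation, and any quote or shell metacharacter in the captured output breaks the command. A plain conditional avoids the shell entirely: `- name: Linux | Verify agent registration` / `assert:` / `that: "'Valid key received' in agent_auth_output.stdout"`, keeping the same `when:` list. The `when:` rewrite to `wazuh_agent_config.enrollment.enabled != 'yes'` matches the template change later in the series; the enclosing `block:` starts before this hunk.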
@@ -115,6 +115,12 @@ wazuh_agent_enrollment: delay_after_enrollment: 20 use_source_ip: 'no' +## Authentication Method: REST API + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/registering/restful-api-registration.html +wazuh_agent_api_validate: yes + ## Client buffer wazuh_agent_client_buffer: disable: 'no' From 35c9df9c7ec2a5fe0555bffb5144da0dea4f375b Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:41:17 -0300 Subject: [PATCH 09/11] roles/agent: add comments on role defaults and group registration related tasks --- .../ansible-wazuh-agent/defaults/main.yml | 37 +++++++++++++------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 328449fe..a3777031 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -43,16 +43,6 @@ wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_auto_restart: 'yes' -wazuh_agent_authd: - registration_address: 127.0.0.1 - enable: false - port: 1515 - agent_name: null - groups: [] - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' wazuh_notify_time: '10' wazuh_time_reconnect: '60' wazuh_crypto_method: 'aes' @@ -74,6 +64,7 @@ wazuh_agent_repo: gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' +# This is deprecated, see: wazuh_agent_address wazuh_agent_nat: false ########################################## 
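Review bot: `wazuh_agent_api_validate: yes` is introduced under a heading and a documentation link but without a line saying what the toggle does; add `# After REST registration, re-read the key from the manager and fail if it differs from the one imported locally` above it, and spell the value `true` for yamllint's truthy rule. Since the task that reads it (patch 05) uses `| bool`, the comment can also note that a boolean is expected.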
@@ -87,18 +78,24 @@ wazuh_agent_config_overlay: yes # and allow working with agents having several network interfaces wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}' +# List of managers. The first one with register variable declared *and* set to true +# is the one used to register the agent. Otherwise, the first one in the list will be used. wazuh_managers: - address: 127.0.0.1 port: 1514 protocol: tcp api_port: 55000 - api_proto: 'http' + api_proto: https api_user: wazuh max_retries: 5 retry_interval: 5 register: yes -## Enrollment +## Authentication Method: Enrollment section (4.x) + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html#enrollment + wazuh_agent_enrollment: enabled: '' manager_address: '' @@ -115,6 +112,22 @@ wazuh_agent_enrollment: delay_after_enrollment: 20 use_source_ip: 'no' +## Authentication Method: invoking agent-auth + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/registering/password-authorization-registration.html + +wazuh_agent_authd: + registration_address: 127.0.0.1 + enable: false + port: 1515 + agent_name: null + groups: [] + ssl_agent_ca: null + ssl_agent_cert: null + ssl_agent_key: null + ssl_auto_negotiate: 'no' + ## Authentication Method: REST API # For more information see: From 5170c206e037cfe6f2418885b5272741f9261bea Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:41:45 -0300 Subject: [PATCH 10/11] roles/agent: use auto-enrollment by default --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index a3777031..8a75900c 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
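Review bot: The `wazuh_managers` default switches `api_proto` to `https`, but the keys the registration tasks read from each entry — `validate_certs` (consumed via `| default(false)`) and `agent_name` (consumed via `| default(ansible_hostname)`) — are not listed here, so the defaults file no longer documents the full per-manager schema and the TLS verification default stays hidden. Add them with comments, e.g. `validate_certs: false  # set to true once the manager presents a certificate trusted by the delegate host` and `agent_name: null  # defaults to ansible_hostname`, and consider shipping `validate_certs: true` now that the protocol is https. `register: yes` should read `register: true` for the same truthy reason as elsewhere in the file.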
@@ -97,7 +97,7 @@ wazuh_managers: # * https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html#enrollment wazuh_agent_enrollment: - enabled: '' + enabled: 'yes' manager_address: '' port: 1515 agent_name: 'testname' From f7ed5f1f7f9b6b49c8d245f0e46a28d89bc1c274 Mon Sep 17 00:00:00 2001 From: neonmei Date: Mon, 23 Nov 2020 11:43:59 -0300 Subject: [PATCH 11/11] roles/agent: update ossec.conf template to check against explicit yes instead of length --- .../templates/var-ossec-etc-ossec-agent.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index bb71ca45..22f94856 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -37,7 +37,7 @@ {{ wazuh_auto_restart }} {{ wazuh_crypto_method }} - {% if wazuh_agent_config.enrollment.enabled | length > 0 %} + {% if wazuh_agent_config.enrollment.enabled == 'yes' %} {{ wazuh_agent_config.enrollment.enabled }} {% if wazuh_agent_config.enrollment.manager_address | length > 0 %}
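Review bot: Turning `wazuh_agent_enrollment.enabled` to `'yes'` by default activates the rest of the enrollment mapping, whose context lines still carry `agent_name: 'testname'`; if the template emits `agent_name` whenever it is non-empty (the template is not in this hunk), every host that runs the role with defaults will try to enroll under the same name. Change that default to `''` in the same commit, and mention in the role README that REST and agent-auth registration are no longer the default path. A comment above `enabled`, e.g. `# 'yes' enables agent-side auto-enrollment; the REST and agent-auth registration tasks are skipped when this is set`, would document the interaction with the `when:` conditions in tasks/Linux.yml.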