From 54443102f72dee6fe2eb80bf5deea622a2a52110 Mon Sep 17 00:00:00 2001
From: "Manuel J. Bernal"
Date: Tue, 1 Sep 2020 22:55:53 +0200
Subject: [PATCH] WIP: auto-enrollment implementation

---
 playbooks/wazuh-agent.yml | 12 +---
 playbooks/wazuh-manager.yml | 4 +-
 .../ansible-wazuh-agent/defaults/main.yml | 14 ++---
 .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 24 ++++++-
 .../templates/authd_pass.j2 | 1 +
 .../var-ossec-etc-ossec-agent.conf.j2 | 63 +++++++++++++------
 .../ansible-wazuh-agent/vars/authd_pass.yml | 1 +
 .../ansible-wazuh-manager/defaults/main.yml | 2 +-
 .../ansible-wazuh-manager/tasks/main.yml | 21 -------
 .../templates/authd_pass.j2 | 2 +-
 10 files changed, 82 insertions(+), 62 deletions(-)
 create mode 100644 roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2

diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml
index b06589cd..e4f7291c 100644
--- a/playbooks/wazuh-agent.yml
+++ b/playbooks/wazuh-agent.yml
@@ -1,20 +1,14 @@
 ---
-- hosts:
+- hosts: agents
 roles:
 - ../roles/wazuh/ansible-wazuh-agent
 vars:
 wazuh_managers:
- - address:
+ - address: 172.16.0.111
 port: 1514
 protocol: tcp
 api_port: 55000
 api_proto: 'http'
 api_user: ansible
 max_retries: 5
- retry_interval: 5
- wazuh_agent_authd:
- registration_address:
- enable: true
- port: 1515
- ssl_agent_ca: null
- ssl_auto_negotiate: 'no'
+ retry_interval: 5
\ No newline at end of file
diff --git a/playbooks/wazuh-manager.yml b/playbooks/wazuh-manager.yml
index 5ec6a50b..18bd3afe 100644
--- a/playbooks/wazuh-manager.yml
+++ b/playbooks/wazuh-manager.yml
@@ -1,8 +1,8 @@
 ---
-- hosts:
+- hosts: managers
 roles:
 - role: ../roles/wazuh/ansible-wazuh-manager
 - role: ../roles/wazuh/ansible-filebeat
- filebeat_output_elasticsearch_hosts: :9200
+ filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index c2652053..fb185bdb 100644
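Review bot: The sample playbook now carries a site-specific manager address, `- address: 172.16.0.111`, and the manager playbook hunk on this same line does the same with `filebeat_output_elasticsearch_hosts: 172.16.0.161:9200`; these read as values from the author's test environment rather than defaults a user should inherit, and the blank placeholders they replace at least forced the user to fill them in. Suggest restoring the placeholders or taking the values from inventory, e.g. `- address: "{{ wazuh_manager_address }}"` (variable name constructed for illustration). The removed `wazuh_agent_authd` block is still referenced by the role's Linux.yml conditions (`wazuh_agent_authd.enable`, `wazuh_agent_authd.registration_address`), so the role presumably supplies defaults for it; worth confirming before dropping it from the example. The file also lost its trailing newline.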
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -4,9 +4,9 @@ wazuh_agent_version: 3.13.1-1
 # Custom packages installation
-wazuh_custom_packages_installation_agent_enabled: false
+wazuh_custom_packages_installation_agent_enabled: true
 wazuh_custom_packages_installation_agent_deb_url: ""
-wazuh_custom_packages_installation_agent_rpm_url: ""
+wazuh_custom_packages_installation_agent_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/staging/yum/wazuh-agent-4.0.0-0.40000.20200901.x86_64.rpm"
 # Sources installation
@@ -295,18 +295,18 @@ wazuh_agent_config:
 - key: Env
 value: Production
 enrollment:
- enabled: no
+ enabled: ''
 manager_address: ''
 port: 1515
- agent_name: ''
+ agent_name: 'testname'
 groups: ''
 agent_address: ''
 ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
 server_ca_path: ''
 agent_certificate_path: ''
 agent_key_path: ''
- authorization_pass: ChangeMe
- auto_method: no
+ authorization_pass_path : /var/ossec/etc/authd.pass
+ auto_method: 'no'
 delay_after_enrollment: 20
- use_source_ip: no
+ use_source_ip: 'no'
 wazuh_agent_nat: false
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index 70987a01..f1068d2e 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -1,4 +1,9 @@
 ---
+- name: Retrieving authd Credentials
+ include_vars: authd_pass.yml
+ tags:
+ - config
+
 - include_tasks: "RedHat.yml"
 when: ansible_os_family == "RedHat"
@@ -42,6 +47,7 @@
 - name: Linux | Check if client.keys exists
 stat: path=/var/ossec/etc/client.keys
 register: check_keys
+ when: wazuh_agent_config.enrollment.enabled == 'yes'
 tags:
 - config
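Review bot: `wazuh_custom_packages_installation_agent_enabled: true` together with the staging RPM URL turns a role default into an unconditional install of a pre-release 4.0.0 package from the packages-dev bucket for every consumer of the role, while `wazuh_agent_version: 3.13.1-1` in the hunk header still says otherwise. Nothing in this hunk pins a checksum or signature for that URL, so the role default now trusts whatever that staging path serves at run time. Keep the default `false` with an empty URL and enable the custom package from the playbook or inventory for testing; if custom URLs are meant to be supported, pair the URL variable with a checksum variable (name to be chosen) and verify it before installing.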
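Review bot: `agent_name: 'testname'` as a role default means every host enrolled with the default configuration presents the same agent name, which the manager will reject or treat as a re-enrollment depending on its authd settings; the default should stay empty so the agent falls back to its hostname. `authorization_pass_path : /var/ossec/etc/authd.pass` has a stray space before the colon and should read `authorization_pass_path: /var/ossec/etc/authd.pass`. `enabled: ''` also replaces a boolean with an empty string while the tasks in this commit compare against the literal `'yes'`/`'no'`; a short comment above `enrollment:` stating that these keys hold the quoted strings `'yes'`/`'no'` and that an empty `enabled` leaves the block out of the rendered config would save the next reader a trip through the template.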
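Review bot: Adding `when: wazuh_agent_config.enrollment.enabled == 'yes'` to the stat task means `check_keys` is registered from a skipped task, which carries no `stat` key, precisely when the other path runs: the task in the `@@ -108,7 +114,9 @@` hunk is guarded by `- not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'`, and its first condition, `- not check_keys.stat.exists or check_keys.stat.size == 0`, will then fail on an undefined attribute instead of evaluating. The same guard is added in the `@@ -181,6 +189,7 @@` hunk; if that task also reads `check_keys` (its body is outside the hunk) it has the same problem. The stat is cheap and side-effect free, so drop the new `when:` here, or make it the exact complement of the guards on the tasks that consume `check_keys`.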
@@ -108,7 +114,9 @@
 - not check_keys.stat.exists or check_keys.stat.size == 0
 - wazuh_agent_authd.registration_address is not none
- when: wazuh_agent_authd.enable
+ when:
+ - wazuh_agent_authd.enable
+ - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
 tags:
 - config
 - authd
@@ -181,6 +189,7 @@
 when:
 - not wazuh_agent_authd.enable
+ - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
 tags:
 - config
 - api
@@ -220,6 +229,19 @@
 - init
 - config
+- name: Create auto-enrollment password file
+ template:
+ src: authd_pass.j2
+ dest: "/var/ossec/etc/authd.pass"
+ owner: ossec
+ group: ossec
+ mode: 0640
+ when:
+ - wazuh_agent_config.enrollment.enabled == 'yes'
+ - wazuh_agent_config.enrollment.authorization_pass_path | length > 0
+ tags:
+ - config
+
 - name: Linux | Ensure Wazuh Agent service is started and enabled
 service:
 name: wazuh-agent
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2
new file mode 100644
index 00000000..97a481f2
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2
@@ -0,0 +1 @@
+{{ authd_pass }}
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index d5433660..5de7ffa6 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
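Review bot: The `Create auto-enrollment password file` task in the `@@ -220,6 +229,19 @@` hunk writes `authd_pass` to `/var/ossec/etc/authd.pass` through `template:` without `no_log: true`, so a run with `--diff` or raised verbosity prints the enrollment password into the Ansible output and any CI log that captures it. Its `when:` also requires `enrollment.enabled == 'yes'`, whereas the conf template in this commit renders the enrollment block for any non-empty `enabled`, so a value such as `'true'` produces an enrollment section that points at a password file this task never creates; use one predicate in both places. Add `no_log: true` to the task, and prefer `mode: '0640'` so the mode is not left to YAML octal parsing.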
@@ -36,6 +36,49 @@ {% endif %} {{ wazuh_auto_restart }} {{ wazuh_crypto_method }} + + {% if wazuh_agent_config.enrollment.enabled | length > 0 %} + + {{ wazuh_agent_config.enrollment.enabled }} + {% if wazuh_agent_config.enrollment.manager_address | length > 0 %} + {{ wazuh_agent_config.enrollment.manager_address }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_name | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_name }} + {% endif %} + {% if wazuh_agent_config.enrollment.port is defined > 0 %} + {{ wazuh_agent_config.enrollment.port }} + {% endif %} + {% if wazuh_agent_config.enrollment.groups | length > 0 %} + {{ wazuh_agent_config.enrollment.groups }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_address | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_address }} + {% endif %} + {% if wazuh_agent_config.enrollment.server_ca_path | length > 0 %} + {{ wazuh_agent_config.enrollment.server_ca_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_certificate_path | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_certificate_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_key_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 %} + {{ wazuh_agent_config.enrollment.authorization_pass_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.auto_method | length > 0 %} + {{ wazuh_agent_config.enrollment.auto_method }} + {% endif %} + {% if wazuh_agent_config.enrollment.delay_after_enrollment is defined > 0 %} + {{ wazuh_agent_config.enrollment.delay_after_enrollment }} + {% endif %} + {% if wazuh_agent_config.enrollment.use_source_ip | length > 0 %} + {{ wazuh_agent_config.enrollment.use_source_ip }} + {% endif %} + + {% endif %} + 
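Review bot: `{% if wazuh_agent_config.enrollment.port is defined > 0 %}` and the matching `delay_after_enrollment is defined > 0` test appear to compare the boolean result of `is defined` with `0`, which is true whenever the key exists, so the intended guard is either `is defined` alone or a numeric test such as `| int > 0`. Every other guard in the block applies `| length` to the value, which errors if a user writes the YAML booleans these keys used to hold (`enabled: no`) instead of a quoted string; `| string | length > 0`, or a comparison against `'yes'`, is robust to both. The new block also no longer emits `ssl_cipher`, which the removed block in the following hunk did and the role default still defines (`HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH`), so the enrollment TLS cipher restriction silently falls back to the agent's built-in default unless that omission is intentional.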
@@ -45,26 +88,6 @@ {{ wazuh_agent_config.client_buffer.events_per_sec }} - {% if wazuh_agent_config.enrollment is defined and wazuh_agent_config.enrollment.enabled == 'yes' %} - - {{ wazuh_agent_config.enrollment.enabled }} - {{ wazuh_agent_config.enrollment.manager_address }} - {{ wazuh_agent_config.enrollment.port }} - {{ wazuh_agent_config.enrollment.agent_name }} - {{ wazuh_agent_config.enrollment.groups }} - {{ wazuh_agent_config.enrollment.agent_address }} - {{ wazuh_agent_config.enrollment.ssl_cipher }} - {{ wazuh_agent_config.enrollment.server_ca_path }} - {{ wazuh_agent_config.enrollment.agent_certificate_path }} - {{ wazuh_agent_config.enrollment.agent_key_path }} - {{ wazuh_agent_config.enrollment.authorization_pass }} - {{ wazuh_agent_config.enrollment.auto_method }} - {{ wazuh_agent_config.enrollment.delay_after_enrollment }} - {{ wazuh_agent_config.enrollment.use_source_ip }} - - {% endif %} - - {% if wazuh_agent_config.rootcheck is defined %} no diff --git a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml index bc8113e3..36e0cdeb 100644 --- a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml +++ b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml @@ -1,3 +1,4 @@ --- # We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. # authd_pass: 'foobar' +authd_pass: ultrasecret \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index d2276a0f..3efdd492 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml 
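Review bot: `authd_pass: ultrasecret` commits the enrollment password in clear text to `vars/authd_pass.yml`, directly under the comment recommending Ansible Vault for exactly this credential, and the new `include_vars: authd_pass.yml` task in Linux.yml makes it the password every agent deployed from this role presents to authd. Keep the value commented out (or move it into a vault-encrypted file) and let the user supply `authd_pass` from inventory or `--extra-vars`; if the file must carry a value, a placeholder that fails enrollment is safer than a working secret. Since the value is now in git history, treat it as compromised even after the line is reverted, and consider `no_log: true` on the `include_vars` task so the loaded value does not surface in verbose output.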
@@ -7,7 +7,7 @@ wazuh_manager_package_state: present # Custom packages installation wazuh_custom_packages_installation_manager_enabled: false wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" -wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" +wazuh_custom_packages_installation_manager_rpm_url: " +´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" # Sources installation wazuh_manager_sources_installation: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index 923ac413..7cb2a719 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -29,17 +29,6 @@ - not node_service_status.stat.exists - wazuh_manager_config.cluster.node_type == "master" -- name: Installing NodeJS - package: - name: nodejs - state: present - register: nodejs_service_is_installed - until: nodejs_service_is_installed is succeeded - when: - - wazuh_manager_config.cluster.node_type == "master" - - tags: init - - include_tasks: "RedHat.yml" when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon") @@ -200,7 +189,6 @@ tags: - config - - name: Check if syslog output is enabled set_fact: syslog_output=true when: item.server is not none 
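Review bot: The new `wazuh_custom_packages_installation_manager_rpm_url` value is corrupted: the string opens with `"` and is followed by a run of acute accents and plus signs rather than a URL, and the diffstat's `2 +-` for this file (one insertion, one deletion) suggests a single mangled line rather than two, so the hunk looks like an editor accident and should be dropped from the commit. If the manager default is meant to mirror the agent change, it should be a plain URL, with the same reservation about shipping a default that installs from a staging bucket without a pinned checksum.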
@@ -368,15 +356,6 @@
 tags:
 - config
-- name: Ensure Wazuh API service is started and enabled.
- service:
- name: "wazuh-api"
- enabled: true
- state: started
- when: wazuh_manager_config.cluster.node_type == "master"
- tags:
- - config
-
 - name: Create agent groups
 command: "/var/ossec/bin/agent_groups -a -g {{ item }} -q"
 with_items:
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2
index 27c97708..97a481f2 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2
@@ -1 +1 @@
-{{ authd_pass }}
+{{ authd_pass }}
\ No newline at end of file