Merge branch 'devel' into feature-256-add-sca-template

2019-10-07 16:18:57 +02:00 · 2019-10-07 16:18:57 +02:00 · 6b8b1b6eb4
commit 6b8b1b6eb4
parent d7e3cec04b 0bc870b2a8
9 changed files with 101 additions and 18 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -37,6 +37,10 @@ All notable changes to this project will be documented in this file.
 - Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
 - Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)

+### Fixed
+
+- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265)
+
 ## [v3.9.5_7.2.1]

 ### Added 
--- a/roles/elastic-stack/ansible-elasticsearch/README.md
+++ b/roles/elastic-stack/ansible-elasticsearch/README.md
@ -12,6 +12,8 @@ This role will work on:
 * Fedora
 * Debian
 * Ubuntu
+ 
+For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master.

 Role Variables
 --------------
@ -53,6 +55,79 @@ Example Playbook
    - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
 ```

+- Three nodes Elasticsearch cluster with XPack security
+```
+---
+- hosts: elastic-1
+  roles:
+    - role: ../roles/elastic-stack/ansible-elasticsearch
+      elasticsearch_network_host: 172.16.0.111
+      elasticsearch_node_name: node-1
+      single_node: false
+      elasticsearch_master_candidate: true
+      elasticsearch_bootstrap_node: true
+      elasticsearch_cluster_nodes:
+        - 172.16.0.111
+        - 172.16.0.112
+        - 172.16.0.113
+      elasticsearch_discovery_nodes:
+        - 172.16.0.111
+        - 172.16.0.112
+        - 172.16.0.113
+      elasticsearch_xpack_security: true
+      node_certs_generator: true
+      node_certs_generator_ip: 172.16.0.111
+
+  vars:
+    elasticsearch_xpack_users:
+      anne:
+        password: 'PasswordHere'
+        roles: '["kibana_user", "monitoring_user"]'
+      jack:
+        password: 'PasswordHere'
+        roles: '["superuser"]'
+    instances:
+      node-1:
+        name: node-1
+        ip: 172.16.0.111
+      node-2:
+        name: node-2
+        ip: 172.16.0.112
+      node-3:
+        name: node-3
+        ip: 172.16.0.113
+
+- hosts: elastic-2
+  roles:
+    - role: ../roles/elastic-stack/ansible-elasticsearch
+      elasticsearch_network_host: 172.16.0.112
+      elasticsearch_node_name: node-2
+      single_node: false
+      elasticsearch_xpack_security: true
+      elasticsearch_master_candidate: true
+      node_certs_generator_ip: 172.16.0.111
+      elasticsearch_discovery_nodes:
+        - 172.16.0.111
+        - 172.16.0.112
+        - 172.16.0.113
+
+- hosts: elastic-3
+  roles:
+    - role: ../roles/elastic-stack/ansible-elasticsearch
+      elasticsearch_network_host: 172.16.0.113
+      elasticsearch_node_name: node-3
+      single_node: false
+      elasticsearch_xpack_security: true
+      elasticsearch_master_candidate: true
+      node_certs_generator_ip: 172.16.0.111
+      elasticsearch_discovery_nodes:
+        - 172.16.0.111
+        - 172.16.0.112
+        - 172.16.0.113
+
+```
+
+
 License and copyright
 ---------------------

--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@ -3,6 +3,7 @@ elasticsearch_cluster_name: wazuh
 elasticsearch_node_name: node-1
 elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
+elasticsearch_reachable_host: 127.0.0.1
 elasticsearch_jvm_xms: null
 elastic_stack_version: 7.3.2
 single_node: true
@ -30,7 +31,3 @@ generate_CA: true
 ca_key_name: ""
 ca_cert_name: ""
 ca_password: ""
-
-
-
-
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
@ -109,7 +109,7 @@
    - init

 - name: Make sure Elasticsearch is running before proceeding
-  wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
+  wait_for: host={{ elasticsearch_reachable_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
  tags:
    - configure
    - init
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@ -1,12 +1,4 @@

- name: Install unzip dependency.
-  package:
-    name: unzip
-    state: present
-  delegate_to: "127.0.0.1"
-  when:
-    - node_certs_generator
-
 - name: Check if certificate exists locally
  stat:
    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
@ -202,3 +194,19 @@
  when:
    - node_certs_generator
  tags: molecule-idempotence-notest
+
+- name: Create elasticsearch users
+  uri:
+    url: "https://{{ elasticsearch_reachable_host }}:9200/_security/user/{{ item.key }}"
+    method: POST
+    body_format: json
+    user: "{{ elasticsearch_xpack_security_user }}"
+    password: "{{ elasticsearch_xpack_security_password }}"
+    body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }'
+    validate_certs: no
+  loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}"
+  register: http_response
+  failed_when: http_response.status != 200
+  when:
+    - elasticsearch_xpack_users is defined
+    - node_certs_generator
--- a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2
@ -6,10 +6,10 @@
 instances:
 {% for (key,value) in instances.items() %}
 - name: "{{ value.name }}"
-{% if value.ip %}
+{% if value.ip is defined and value.ip | length > 0 %}
  ip:
   - "{{ value.ip }}"
-{% elif value.dns %}
+{% elif value.dns is defined and value.dns | length > 0 %}
  dns:
   - "{{ value.dns }}"
 {% endif %}
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@ -29,8 +29,7 @@ wazuh_winagent_config:
  version: '3.10.2'
  revision: '1'
  repo: https://packages.wazuh.com/3.x/windows/
-  md5: ee5b24216db472d291da4e14f0b3bc63
-  register_key: 9903C258-FC1E-4886-B7DB-1535976EC1D5
+  md5: 71650780904cbfc2e45eae4298adb7a3 
 wazuh_agent_config:
  active_response:
    ar_disabled: 'no'
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@ -185,6 +185,7 @@
    name: wazuh-agent
    enabled: true
    state: started
+  tags: config

 - import_tasks: "RMRedHat.yml"
  when: ansible_os_family == "RedHat"
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
@ -42,7 +42,6 @@
 - name: Windows | Install Agent if not already installed
  win_package:
    path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
-    product_id: '{{ "{" }}{{ wazuh_winagent_config.register_key }}{{ "}" }}'
    state: present

 - name: Windows | Check if client.keys exists