Merge branch 'devel' into feature-359-agent-auth-groups

CHANGELOG.md

@@ -1,6 +1,26 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v3.11.4_7.6.1]
+
+### Added
+
+- Update to Wazuh v3.11.4
+- Support for RHEL/CentOS 8 ([@jm404](https://github.com/jm404)) [PR#377](https://github.com/wazuh/wazuh-ansible/pull/377)
+
+### Changed
+
+- Disabled shared configuration by default ([@jm404](https://github.com/jm404)) [PR#369](https://github.com/wazuh/wazuh-ansible/pull/369)
+- Add chdir argument to Wazuh Kibana Plugin installation tasks ([@jm404](https://github.com/jm404)) [PR#375](https://github.com/wazuh/wazuh-ansible/pull/375)
+- Adjustments for systems without (direct) internet connection ([@joschneid](https://github.com/joschneid)) [PR#348](https://github.com/wazuh/wazuh-ansible/pull/348)
+
+### Fixed
+
+- Avoid to install Wazuh API in worker nodes ([@manuasir](https://github.com/manuasir)) [PR#371](https://github.com/wazuh/wazuh-ansible/pull/371)
+- Conditionals of custom Wazuh packages installation tasks ([@rshad](https://github.com/rshad)) [PR#372](https://github.com/wazuh/wazuh-ansible/pull/372)
+- Fix Ansible elastic_stack-distributed template ([@francobep](https://github.com/francobep)) [PR#352](https://github.com/wazuh/wazuh-ansible/pull/352)
+- Fix manager API verification ([@Zenidd](https://github.com/Zenidd)) [PR#360](https://github.com/wazuh/wazuh-ansible/pull/360)
+
 ## [v3.11.3_7.5.2]
 
 ### Added

VERSION

@@ -1,2 +1,2 @@
-WAZUH-ANSIBLE_VERSION="v3.11.3"
+WAZUH-ANSIBLE_VERSION="v4"
-REVISION="31130"
+REVISION="31140"

playbooks/wazuh-elastic_stack-distributed.yml

@@ -4,7 +4,7 @@
   roles:
     - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
       elasticsearch_network_host: <node-1 IP>
-      node_name: node-1
+      elasticsearch_node_name: node-1
       elasticsearch_bootstrap_node: true
       elasticsearch_cluster_nodes:
         - <node-1 IP>

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -4,7 +4,7 @@ elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_reachable_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 7.5.2
+elastic_stack_version: 7.6.1
 elasticsearch_lower_disk_requirements: false
 
 elasticrepo:

roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml

@@ -35,7 +35,7 @@
   copy:
     src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
     dest: "{{ node_certs_source }}/{{ ca_key_name }}"
-    mode: '0664'
+    mode: 0440
   when:
    - not generate_CA
    - node_certs_generator
@@ -45,7 +45,7 @@
   copy:
     src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
     dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
-    mode: '0664'
+    mode: 0440
   when:
     - not generate_CA
     - node_certs_generator
@@ -100,7 +100,7 @@
   file:
     path: "{{ master_certs_path }}"
     state: directory
-    mode: '0700'
+    mode: 0700
   delegate_to: "127.0.0.1"
   when:
     - node_certs_generator
@@ -109,7 +109,7 @@
   file:
     path: "{{ master_certs_path }}/ca/"
     state: directory
-    mode: '0700'
+    mode: 0700
   delegate_to: "127.0.0.1"
   when:
     - node_certs_generator
@@ -149,6 +149,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
@@ -163,6 +164,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
@@ -176,7 +178,7 @@
 - name: Ensuring folder permissions
   file:
     path: "{{ node_certs_destination }}/"
-    mode: '0774'
+    mode: 0774
     state: directory
     recurse: yes
   when:

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
-elastic_stack_version: 7.5.2
+elastic_stack_version: 7.6.1
-wazuh_version: 3.11.3
+wazuh_version: 3.11.4
 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
 
 elasticrepo:
@@ -43,8 +43,11 @@ nodejs:
   repo_dict:
       debian: "deb"
       redhat: "rpm"
-  repo_url_ext: "nodesource.com/setup_8.x" 
+  repo_url_ext: "nodesource.com/setup_10.x"
 
 # Build from sources
 build_from_sources: false
-wazuh_plugin_branch: 3.11-7.5
+wazuh_plugin_branch: 3.11-7.6
+
+#Nodejs NODE_OPTIONS
+node_options: --max-old-space-size=4096

roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml

@@ -14,7 +14,7 @@
     get_url:
       url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
       dest: "/tmp/setup_nodejs_repo.sh"
-      mode: "0700"
+      mode: 0700
 
   - name: Execute downloaded script to install Nodejs repo
     command: /tmp/setup_nodejs_repo.sh
@@ -63,12 +63,11 @@
       chdir: "/tmp/app/build"
 
   - name: Install Wazuh Plugin (can take a while)
-    shell: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}"
+    shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
-    environment:
-      NODE_OPTIONS: "--max-old-space-size=3072"
     args:
       executable: /bin/bash
       creates: /usr/share/kibana/plugins/wazuh/package.json
+      chdir: /usr/share/kibana
     become: yes
     become_user: kibana
     notify: restart kibana

roles/elastic-stack/ansible-kibana/tasks/main.yml

@@ -28,6 +28,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
@@ -41,7 +42,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
-    mode: '0664'
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
@@ -65,7 +66,7 @@
 - name: Ensuring certificates folder owner
   file:
     path: "{{ node_certs_destination }}/"
-    mode: '0770'
+    mode: 0770
     recurse: yes
   when:
     - kibana_xpack_security
@@ -78,7 +79,7 @@
     dest: /etc/kibana/kibana.yml
     owner: root
     group: root
-    mode: '0664'
+    mode: 0644
   notify: restart kibana
   tags: configure
 
@@ -117,14 +118,14 @@
     - build_from_sources is defined
     - build_from_sources
 
-
 - name: Install Wazuh Plugin (can take a while)
-  shell: "/usr/share/kibana/bin/kibana-plugin install {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
+  shell: >-
-  environment:
+    NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install
-    NODE_OPTIONS: "--max-old-space-size=3072"
+    {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip
   args:
     executable: /bin/bash
     creates: /usr/share/kibana/plugins/wazuh/package.json
+    chdir: /usr/share/kibana
   become: yes
   become_user: kibana
   notify: restart kibana
@@ -134,6 +135,16 @@
   when:
     - not build_from_sources
 
+- name: Kibana optimization (can take a while)
+  shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize
+  args:
+    executable: /bin/bash
+  become: yes
+  become_user: kibana
+  changed_when: false
+  tags:
+    - skip_ansible_lint
+
 - name: Wait for Elasticsearch port
   wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
 

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-filebeat_version: 7.5.2
+filebeat_version: 7.6.1
 
 filebeat_create_config: true
 

roles/wazuh/ansible-filebeat/tasks/config.yml

@@ -5,7 +5,7 @@
     dest: "/etc/filebeat/filebeat.yml"
     owner: root
     group: root
-    mode: 0644
+    mode: 0400
   notify: restart filebeat
   tags: configure
 
@@ -15,7 +15,7 @@
     dest: "/etc/filebeat/wazuh-template.json"
     owner: root
     group: root
-    mode: 0644
+    mode: 0400
   notify: restart filebeat
   tags: configure
 
@@ -30,7 +30,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
-    mode: 0644
+    mode: 0400
   with_items:
     - "{{ filebeat_ssl_key_file }}"
     - "{{ filebeat_ssl_certificate_file }}"

roles/wazuh/ansible-filebeat/tasks/main.yml

@@ -30,6 +30,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
     - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
@@ -43,6 +44,7 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
     - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
@@ -55,7 +57,7 @@
 - name: Ensuring folder & certs permissions
   file:
     path: "{{ node_certs_destination }}/"
-    mode: '0774'
+    mode: 0774
     state: directory
     recurse: yes
   when:

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -1,9 +1,18 @@
 ---
-wazuh_agent_version: 3.11.3-1
+wazuh_agent_version: 3.11.4-1
+
+
+# Custom packages installation
+
+wazuh_custom_packages_installation_agent_enabled: false
+wazuh_custom_packages_installation_agent_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-agent_3.12.0-0.3319fimreworksqlite_amd64.deb"
+wazuh_custom_packages_installation_agent_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-agent-3.12.0-0.3319fimreworksqlite.x86_64.rpm"
+
+# Sources installation
 
 wazuh_agent_sources_installation:
   enabled: false
-  branch: "v3.11.3"
+  branch: "v3.11.4"
   user_language: "y"
   user_no_stop: "y"
   user_install_type: "agent"
@@ -52,10 +61,10 @@ wazuh_winagent_config:
   auth_path: C:\Program Files\ossec-agent\agent-auth.exe
   # Adding quotes to auth_path_x86 since win_shell outputs error otherwise
   auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
-  version: '3.11.3'
+  check_md5: True
-  revision: '1'
+  md5: 87ce22038688efb44d95f9daff472056
-  repo: https://packages.wazuh.com/3.x/windows/
+wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.11.4-1.msi
-  md5: e4623e7cd3f2fc6ac8a313cbdd7c3cba
+wazuh_winagent_package_name: wazuh-agent-3.11.4-1.msi
 wazuh_agent_config:
   repo:
     apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'

roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml

@@ -21,6 +21,7 @@
     - ansible_distribution == "Ubuntu"
     - ansible_distribution_major_version | int == 14
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
 
 - name: Debian/Ubuntu | Installing Wazuh repository key
   apt_key:
@@ -29,6 +30,7 @@
   when:
     - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
 
 - name: Debian/Ubuntu | Add Wazuh repositories
   apt_repository:
@@ -38,6 +40,7 @@
     update_cache: true
   when:
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
 
 - name: Debian/Ubuntu | Set Distribution CIS filename for debian
   set_fact:

roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml

@@ -9,6 +9,10 @@
   when:
     - wazuh_agent_sources_installation.enabled
 
+- include_tasks: "installation_from_custom_packages.yml"
+  when:
+    - wazuh_custom_packages_installation_agent_enabled
+
 - name: Linux CentOS/RedHat | Install wazuh-agent
   package:
     name: wazuh-agent-{{ wazuh_agent_version }}
@@ -18,6 +22,7 @@
   when:
     - ansible_os_family|lower == "redhat"
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
   tags:
     - init
 
@@ -29,6 +34,7 @@
   when:
     - ansible_os_family|lower != "redhat"
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
   tags:
     - init
 

roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml

@@ -10,7 +10,8 @@
   when:
     - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
     - (ansible_distribution_major_version|int <= 5)
-    - not wazuh_agent_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
   register: repo_v5_installed
 
 - name: RedHat/CentOS/Fedora | Install Wazuh repo
@@ -24,6 +25,7 @@
   when:
     - repo_v5_installed is skipped
     - not wazuh_agent_sources_installation.enabled
+    - not wazuh_custom_packages_installation_agent_enabled
 
 - name: RedHat/CentOS/Fedora | download Oracle Java RPM
   get_url:

roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml

@@ -14,38 +14,41 @@
 - name: Windows | Set Win Path (x64)
   set_fact:
     wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}"
-    wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
+    wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}"
   when:
     - not check_path.stat.exists
 
 - name: Windows | Check if Wazuh installer is already downloaded
   win_stat:
-    path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
+    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
   register: wazuh_package_downloaded
 
 - name: Windows | Download Wazuh Agent package
   win_get_url:
-    url: "{{ wazuh_winagent_config.repo }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
+    url: "{{ wazuh_winagent_config_url }}"
     dest: "{{ wazuh_winagent_config.download_dir }}"
   when:
     - not wazuh_package_downloaded.stat.exists
 
 - name: Windows | Verify the Wazuh Agent installer
   win_stat:
-    path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
+    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
     get_checksum: true
     checksum_algorithm: md5
   register: wazuh_agent_status
   failed_when:
     - wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5
+  when:
+    - wazuh_winagent_config.check_md5
 
 - name: Windows | Install Agent if not already installed
   win_package:
-    path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
+    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
     state: present
 
 - name: Windows | Check if client.keys exists
-  win_stat: path="{{ wazuh_agent_win_path }}client.keys"
+  win_stat:
+    path: "{{ wazuh_agent_win_path }}client.keys"
   register: check_windows_key
   tags:
     - config
@@ -94,5 +97,5 @@
 
 - name: Windows | Delete downloaded Wazuh agent installer file
   win_file:
-    path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
+    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
     state: absent

roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml

@@ -0,0 +1,28 @@
+---
+  - name: Install Wazuh Agent from .deb packages
+    apt:
+      deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}"
+      state: present
+    when:
+      - ansible_os_family|lower == "debian"
+      - wazuh_custom_packages_installation_agent_enabled
+
+  - name: Install Wazuh Agent from .rpm packages | yum
+    yum:
+      name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
+      state: present
+    when:
+      - ansible_os_family|lower == "redhat"
+      - wazuh_custom_packages_installation_agent_enabled
+      - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+      - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+  - name: Install Wazuh Agent from .rpm packages | dnf
+    dnf:
+      name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
+      state: present
+    when:
+      - ansible_os_family|lower == "redhat"
+      - wazuh_custom_packages_installation_agent_enabled
+      - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+        (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")

roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml

@@ -76,7 +76,7 @@
       dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf"
       owner: root
       group: root
-      mode: '644'
+      mode: 0644
     changed_when: false
 
   - name: Executing "install.sh" script to build and install the Wazuh Agent

roles/wazuh/ansible-wazuh-manager/README.md

@@ -20,7 +20,7 @@ This role has some variables which you can or need to override.
 ```
 wazuh_manager_fqdn: ~
 wazuh_manager_config: []
-wazuh_agent_configs: []
+shared_agent_config: []
 ```
 
 Vault variables
@@ -157,7 +157,7 @@ wazuh_manager_config:
       level: 6
       timeout: 600
 
-wazuh_agent_configs:
+shared_agent_config:
   - type: os
     type_value: linux
     frequency_check: 79200

roles/wazuh/ansible-wazuh-manager/defaults/main.yml

@@ -1,12 +1,21 @@
 ---
-wazuh_manager_version: 3.11.3-1
+wazuh_manager_version: 3.11.4-1
 
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
 
+# Custom packages installation
+wazuh_custom_packages_installation_manager_enabled: false
+wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-manager_3.12.0-0.3319fimreworksqlite_amd64.deb"
+wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-manager-3.12.0-0.3319fimreworksqlite.x86_64.rpm"
+wazuh_custom_packages_installation_api_enabled: false
+wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-api_3.12.0-0.3319fimreworksqlite_amd64.deb"
+wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-api-3.12.0-0.3319fimreworksqlite.x86_64.rpm"
+
+# Sources installation
 wazuh_manager_sources_installation:
   enabled: false
-  branch: "v3.11.3"
+  branch: "v3.11.4"
   user_language: "en"
   user_no_stop: "y"
   user_install_type: "server"
@@ -31,7 +40,7 @@ wazuh_manager_sources_installation:
 
 wazuh_api_sources_installation:
   enabled: false
-  branch: "v3.11.3"
+  branch: "v3.11.4"
   update: "y"
   remove: "y"
   directory: null
@@ -47,6 +56,9 @@ wazuh_api_sources_installation:
   common_name: null
   password: null
 
+wazuh_api_user:
+  - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
+
 wazuh_manager_config:
   repo:
     apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
@@ -344,53 +356,53 @@ wazuh_manager_config:
       - key: Env
         value: Production
 
-wazuh_agent_configs:
+# shared_agent_config:
-  - type: os
+  # - type: os
-    type_value: Linux
+  #   type_value: Linux
-    syscheck:
+  #   syscheck:
-      frequency: 43200
+  #     frequency: 43200
-      scan_on_start: 'yes'
+  #     scan_on_start: 'yes'
-      alert_new_files: 'yes'
+  #     alert_new_files: 'yes'
-      ignore:
+  #     ignore:
-        - /etc/mtab
+  #       - /etc/mtab
-        - /etc/mnttab
+  #       - /etc/mnttab
-        - /etc/hosts.deny
+  #       - /etc/hosts.deny
-        - /etc/mail/statistics
+  #       - /etc/mail/statistics
-        - /etc/svc/volatile
+  #       - /etc/svc/volatile
-      no_diff:
+  #     no_diff:
-        - /etc/ssl/private.key
+  #       - /etc/ssl/private.key
-    rootcheck:
+  #   rootcheck:
-      frequency: 43200
+  #     frequency: 43200
-      cis_distribution_filename: null
+  #     cis_distribution_filename: null
-    localfiles:
+  #   localfiles:
-      - format: 'syslog'
+  #     - format: 'syslog'
-        location: '/var/log/messages'
+  #       location: '/var/log/messages'
-      - format: 'syslog'
+  #     - format: 'syslog'
-        location: '/var/log/secure'
+  #       location: '/var/log/secure'
-      - format: 'syslog'
+  #     - format: 'syslog'
-        location: '/var/log/maillog'
+  #       location: '/var/log/maillog'
-      - format: 'apache'
+  #     - format: 'apache'
-        location: '/var/log/httpd/error_log'
+  #       location: '/var/log/httpd/error_log'
-      - format: 'apache'
+  #     - format: 'apache'
-        location: '/var/log/httpd/access_log'
+  #       location: '/var/log/httpd/access_log'
-      - format: 'apache'
+  #     - format: 'apache'
-        location: '/var/ossec/logs/active-responses.log'
+  #       location: '/var/ossec/logs/active-responses.log'
-  - type: os
+  # - type: os
-    type_value: Windows
+  #   type_value: Windows
-    syscheck:
+  #   syscheck:
-      frequency: 43200
+  #     frequency: 43200
-      scan_on_start: 'yes'
+  #     scan_on_start: 'yes'
-      auto_ignore: 'no'
+  #     auto_ignore: 'no'
-      alert_new_files: 'yes'
+  #     alert_new_files: 'yes'
-      windows_registry:
+  #     windows_registry:
-        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+  #       - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
-          arch: 'both'
+  #         arch: 'both'
-        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
+  #       - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
-    localfiles:
+  #   localfiles:
-      - location: 'Security'
+  #     - location: 'Security'
-        format: 'eventchannel'
+  #       format: 'eventchannel'
-      - location: 'System'
+  #     - location: 'System'
-        format: 'eventlog'
+  #       format: 'eventlog'
 
 nodejs:
   repo_dict:

roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml

@@ -24,6 +24,7 @@
     - ansible_distribution == "Ubuntu"
     - ansible_distribution_major_version | int == 14
     - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
 
 - name: Debian/Ubuntu | Installing Wazuh repository key
   apt_key:
@@ -32,6 +33,7 @@
   when:
     - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
     - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
 
 - name: Debian/Ubuntu | Add Wazuh repositories
   apt_repository:
@@ -42,6 +44,7 @@
   changed_when: false
   when:
     - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
 
 - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
   set_fact:
@@ -106,11 +109,16 @@
   tags: init
   when:
     - not wazuh_manager_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled
 
 - include_tasks: "installation_from_sources.yml"
   when:
     - wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
 
+- include_tasks: "installation_from_custom_packages.yml"
+  when:
+    - wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled
+
 - name: Debian/Ubuntu | Install wazuh-api
   apt:
     name:
@@ -123,3 +131,5 @@
   tags: init
   when:
     - not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled
+    - wazuh_manager_config.cluster.node_type == "master"

roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml

@@ -11,6 +11,7 @@
     - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
     - (ansible_distribution_major_version|int <= 5)
     - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
   register: repo_v5_manager_installed
 
 - name: RedHat/CentOS/Fedora | Install Wazuh repo
@@ -24,6 +25,7 @@
   when:
     - repo_v5_manager_installed is skipped
     - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
 
 - name: RedHat/CentOS/Fedora | Install openscap
   package: name={{ item }} state=present
@@ -118,6 +120,7 @@
   when:
     - ansible_os_family|lower == "redhat"
     - not wazuh_manager_sources_installation.enabled
+    - not wazuh_custom_packages_installation_manager_enabled
   tags:
     - init
 
@@ -125,6 +128,10 @@
   when:
     - wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
 
+- include_tasks: "../tasks/installation_from_custom_packages.yml"
+  when:
+    - wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled
+
 - name: CentOS/RedHat/Amazon | Install wazuh-api
   package:
     name: "wazuh-api-{{ wazuh_manager_version }}"
@@ -134,6 +141,8 @@
   when:
     - ansible_os_family|lower == "redhat"
     - not wazuh_api_sources_installation.enabled
+    - not wazuh_custom_packages_installation_api_enabled
+    - wazuh_manager_config.cluster.node_type == "master"
   tags:
     - init
 

roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml

@@ -0,0 +1,61 @@
+---
+  - block:
+      - name: Install Wazuh Manager from .deb packages
+        apt:
+          deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
+          state: present
+        when:
+          - wazuh_custom_packages_installation_manager_enabled
+
+      - name: Install Wazuh API from .deb packages
+        apt:
+          deb: "{{ wazuh_custom_packages_installation_api_deb_url }}"
+          state: present
+        when:
+          - wazuh_custom_packages_installation_api_enabled
+          - wazuh_manager_config.cluster.node_type == "master"
+
+    when:
+      - ansible_os_family|lower == "debian"
+
+  - block:
+    - name: Install Wazuh Manager from .rpm packages | yum
+      yum:
+        name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_manager_enabled
+        - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+        - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+    - name: Install Wazuh Manager from .rpm packages | dnf
+      dnf:
+        name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_manager_enabled
+        - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+          (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+    - name: Install Wazuh API from .rpm packages | yum
+      yum:
+        name: "{{ wazuh_custom_packages_installation_api_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_api_enabled
+        - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+        - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+        - wazuh_manager_config.cluster.node_type == "master"
+
+    - name: Install Wazuh API from .rpm packages | dnf
+      dnf:
+        name: "{{ wazuh_custom_packages_installation_api_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_api_enabled
+        - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+          (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+        - wazuh_manager_config.cluster.node_type == "master"
+
+    when:
+      - ansible_os_family|lower == "redhat"

roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml

@@ -91,7 +91,7 @@
           dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf"
           owner: root
           group: root
-          mode: '644'
+          mode: 0644
 
       - name: Executing "install.sh" script to build and install the Wazuh Manager
         shell: ./install.sh > /tmp/build_wazuh_manager_log.txt
@@ -122,6 +122,8 @@
     stat:
       path: /var/ossec/api/app.js
     register: wazuh_api
+    when:
+      - wazuh_manager_config.cluster.node_type == "master"
 
   - name: Install Wazuh API from sources
     block:
@@ -165,7 +167,7 @@
           dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf"
           owner: root
           group: root
-          mode: '644'
+          mode: 0644
 
       - name: Execute Wazuh API installation script
         shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt
@@ -178,5 +180,6 @@
     when:
       - not wazuh_api.stat.exists
       - wazuh_api_sources_installation.enabled
+      - wazuh_manager_config.cluster.node_type == "master"
     tags:
       - api

roles/wazuh/ansible-wazuh-manager/tasks/main.yml

@@ -18,14 +18,16 @@
       get_url:
         url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
         dest: /etc/nodejs.sh
-        mode: '0775'
+        mode: 0775
       changed_when: false
 
     - name: Run NodeJS bash script
       command: sh /etc/nodejs.sh
       register: nodejs_script
       changed_when: nodejs_script.rc == 0
-  when: not node_service_status.stat.exists
+  when:
+    - not node_service_status.stat.exists
+    - wazuh_manager_config.cluster.node_type == "master"
 
 - name: Installing NodeJS
   package:
@@ -33,6 +35,9 @@
     state: present
   register: nodejs_service_is_installed
   until: nodejs_service_is_installed is succeeded
+  when:
+    - wazuh_manager_config.cluster.node_type == "master"
+
   tags: init
 
 - include_tasks: "RedHat.yml"
@@ -158,6 +163,8 @@
   tags:
     - init
     - config
+  when:
+    - shared_agent_config is defined
 
 - name: Installing the config.js (api configuration)
   template: src=var-ossec-api-configuration-config.js.j2
@@ -166,6 +173,9 @@
             group=ossec
             mode=0740
   notify: restart wazuh-api
+  when:
+    - wazuh_manager_config.cluster.node_type == "master"
+
   tags:
     - init
     - config
@@ -191,12 +201,6 @@
   tags:
     - config
 
-- name: Retrieving Wazuh-API User Credentials
-  include_vars: wazuh_api_creds.yml
-  when:
-    - not (ansible_distribution in ['CentOS','RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6)
-  tags:
-    - config
 
 - name: Check if syslog output is enabled
   set_fact: syslog_output=true
@@ -308,6 +312,7 @@
   notify: restart wazuh-api
   when:
     - wazuh_api_user is defined
+    - wazuh_manager_config.cluster.node_type == "master"
   tags:
     - config
 
@@ -329,31 +334,22 @@
   tags:
     - config
 
-- name: Ensure Wazuh Manager, wazuh API service is started and enabled
+- name: Ensure Wazuh Manager service is started and enabled.
   service:
-    name: "{{ item }}"
+    name: "wazuh-manager"
     enabled: true
     state: started
-  with_items:
-    - wazuh-manager
-    - wazuh-api
   tags:
     - config
-  environment:
-    LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
-  when:
-    - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' or ansible_distribution == 'Amazon')
-    - ansible_distribution_major_version|int < 6
 
-- name: Ensure Wazuh Manager is started and enabled (EL5)
+- name: Ensure Wazuh API service is started and enabled.
   service:
-    name: wazuh-manager
+    name: "wazuh-api"
     enabled: true
     state: started
+  when: wazuh_manager_config.cluster.node_type == "master"
   tags:
     - config
-  when:
-    - ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6
 
 - name: Create agent groups
   command: "/var/ossec/bin/agent_groups -a -g {{ item }} -q"

roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2

@@ -1,6 +1,6 @@
 #jinja2: trim_blocks: False
-{% if wazuh_agent_configs is defined %}
+{% if shared_agent_config is defined %}
-{% for agent_config in wazuh_agent_configs %}
+{% for agent_config in shared_agent_config %}
 <agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
   {% if agent_config.syscheck is defined %}
   <syscheck>

roles/wazuh/ansible-wazuh-manager/vars/wazuh_api_creds.yml

@@ -1,3 +0,0 @@
----
-wazuh_api_user:
-  - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"