From 8291e4ab9fa0317090bc5f0f636d8b40580d640b Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Mon, 15 Apr 2019 21:52:08 +0200 Subject: [PATCH] Added a successful installation on provided Docker containers with Molecule --- molecule/default/molecule.yml | 25 ++++++++---- molecule/default/playbook.yml | 8 ++-- molecule/default/prepare.yml | 20 +++++++++- .../ansible-wazuh-manager/defaults/main.yml | 1 + .../ansible-wazuh-manager/handlers/main.yml | 2 + .../wazuh/ansible-wazuh-manager/meta/main.yml | 28 +++++++------- .../ansible-wazuh-manager/tasks/Debian.yml | 38 ++++++++++++++++--- .../ansible-wazuh-manager/tasks/RedHat.yml | 23 ++++++++--- .../ansible-wazuh-manager/tasks/main.yml | 38 +++++++++++-------- 9 files changed, 131 insertions(+), 52 deletions(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 19fba1ff..e18bd1f9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -7,20 +7,31 @@ lint: name: yamllint enabled: false # fix in seperate PR platforms: - - name: bionic + - name: wazuh_manager_bionic image: ubuntu:bionic - - name: xenial + groups: + - wazuh_manager + - name: wazuh_manager_xenial image: ubuntu:xenial - - name: trusty + groups: + - wazuh_manager + - name: wazuh_manager_trusty image: ubuntu:trusty - - name: centos6 + groups: + - wazuh_manager + - name: wazuh_manager_centos6 image: centos:6 - - name: centos7 - image: centos:7 + groups: + - wazuh_manager + - name: wazuh_manager_centos7 + image: milcom/centos7-systemd + privileged: True + groups: + - wazuh_manager provisioner: name: ansible env: - ANSIBLE_ROLES_PATH: $HOME/wazuh-ansible/roles + ANSIBLE_ROLES_PATH: ../../roles lint: name: ansible-lint enabled: true # fix in seperate PR diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index f8b8debf..d74f3e66 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml 
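Review bot: The `wazuh_manager_centos7` platform in molecule/default/molecule.yml now pulls `milcom/centos7-systemd`, a third-party image referenced by a mutable tag, and runs it with `privileged: True`. Whatever that image contains therefore gets near host-level access on the workstation or CI runner that executes Molecule. Pinning the image by digest (`image: milcom/centos7-systemd@sha256:<DIGEST_PLACEHOLDER>`), or building a systemd-enabled image in-repo from the official `centos:7` base, removes the dependency on an unreviewed publisher. If systemd in the container only needs cgroup access, a read-only `/sys/fs/cgroup` volume plus the specific capabilities it needs is a narrower grant than `privileged`. Write the boolean as lowercase `true` to match the rest of the file.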
@@ -1,9 +1,11 @@ --- - name: Converge - hosts: all + hosts: wazuh_manager roles: - - {role: wazuh/ansible-wazuh-manager} - - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP' + - role: wazuh/ansible-wazuh-manager + + + # - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP' # Elasticsearch requires too much memory to test multiple containers concurrently - To Fix #- {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} #- {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'} diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 5358b3bd..2ef19d18 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,5 +1,21 @@ --- - name: Prepare hosts: all - gather_facts: false - tasks: [] + gather_facts: True + tasks: + + - name: "Install Python packages for Trusty to solve trust issues" + package: + name: + - python-setuptools + - python-pip + state: latest + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + + - name: "Install dependencies" + package: + name: + - curl + state: latest diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 80b39c06..b550b0f8 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,6 @@ --- wazuh_manager_fqdn: "wazuh-server" +wazuh_manager_package_state: latest wazuh_manager_config: json_output: 'yes' diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml index 70f7b506..0fac45a1 100644 --- a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml 
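Review bot: `wazuh_manager_package_state: latest` in roles/wazuh/ansible-wazuh-manager/defaults/main.yml is introduced without a comment. Because tasks/main.yml now installs with `state={{ wazuh_manager_package_state }}`, this default means every run of the role upgrades wazuh-manager and wazuh-api to whatever the repository currently serves. For a security monitoring component, unattended upgrades should be an explicit choice, so document the variable above its definition, for example `# 'latest' upgrades on every run; set to 'present' to install once and upgrade deliberately`. Consider whether `present` is the safer default.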
@@ -13,3 +13,5 @@ name: wazuh-api state: restarted enabled: true + when: + - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) diff --git a/roles/wazuh/ansible-wazuh-manager/meta/main.yml b/roles/wazuh/ansible-wazuh-manager/meta/main.yml index 69b6ebec..1275d232 100644 --- a/roles/wazuh/ansible-wazuh-manager/meta/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/meta/main.yml @@ -6,18 +6,18 @@ galaxy_info: license: license (GPLv3) min_ansible_version: 2.0 platforms: - - name: EL - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: Fedora - versions: - - all - categories: - - monitoring + - name: EL + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: Fedora + versions: + - all + galaxy_tags: + - monitoring dependencies: [] diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml index 05b6a5a7..8123e4c9 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml 
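Review bot: The new `when:` on the wazuh-api restart handler has lost the inner parentheses that the original conditions in tasks/main.yml had. Jinja2 binds `and` tighter than `or`, so it evaluates as `not (CentOS or (RedHat and major < 6))`, which is false on every CentOS release. The handler is therefore skipped on CentOS 6 and 7, and a change that notifies `restart wazuh-api` would not take effect until the service is restarted by hand. The same expression is added in tasks/main.yml in the hunks at `@@ -293,7 +299,7 @@` and `@@ -345,7 +351,7 @@`, where it would skip those tasks on CentOS entirely. Use the form the rest of this commit already uses: `- not (ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int < 6)`. The handler definition starts above the hunk.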
@@ -1,17 +1,30 @@ --- - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates apt: - name: ['apt-transport-https', 'ca-certificates'] + name: + - apt-transport-https + - ca-certificates + - gnupg state: present cache_valid_time: 3600 - with_items: - - apt-transport-https - - ca-certificates - - urllib3 +- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14) + become: yes + shell: | + set -o pipefail + curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + args: + warn: False + executable: /bin/bash + changed_when: False + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 - name: Debian/Ubuntu | Installing Wazuh repository key apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH + when: + - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - name: Debian/Ubuntu | Add Wazuh repositories apt_repository: @@ -19,8 +32,23 @@ state: present update_cache: yes +- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14) + become: yes + shell: | + set -o pipefail + curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - + args: + warn: False + executable: /bin/bash + changed_when: False + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + - name: Debian/Ubuntu | Installing NodeJS repository key apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key + when: + - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - name: Debian/Ubuntu | Add NodeSource repositories for Node.js apt_repository: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml index e603508a..93118e83 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml 
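Review bot: Both key-import paths in tasks/Debian.yml trust whatever the URL returns: the Ubuntu 14 `shell` task pipes `curl -s` output straight into `apt-key add -`, and the `apt_key: url=...` task sets no `id`. A key added this way lands in the global apt keyring, so its fingerprint should be pinned; on the module path that is `apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH id=<WAZUH_KEY_FINGERPRINT_PLACEHOLDER>`. In the shell variant, `set -o pipefail` only helps when curl exits non-zero, which it does not do on an HTTP error without `--fail`, so use `curl -fsS` there. `changed_when: False` with no guard also means the key is re-fetched on every run and the result never shows as a change. The NodeSource key tasks in the `@@ -19,8 +32,23 @@` hunk have the same gaps.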
@@ -3,7 +3,7 @@ yum_repository: name: NodeJS description: NodeJS-$releasever - baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 + baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64 gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgcheck: yes when: @@ -19,9 +19,12 @@ when: ansible_distribution == 'Fedora' - name: AmazonLinux | Get Nodejs - shell: curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - + shell: | + set -o pipefail + curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - args: warn: no + executable: /bin/bash when: - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" @@ -53,7 +56,10 @@ - ansible_distribution_major_version|int == 5 - name: RedHat/CentOS/Fedora | Install openscap - package: name=openscap-scanner state=present + package: name={{ item }} state=present + with_items: + - openscap-scanner + - openssl tags: - init when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") @@ -80,7 +86,7 @@ - wazuh_manager_config.cluster.disable != 'yes' - name: CentOS/RedHat 6 | Install python-cryptography module - shell: pip2.7 install cryptography + pip: name=cryptography state=present environment: PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}" LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib" 
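Review bot: The "AmazonLinux | Get Nodejs" task in the `@@ -19,9 +19,12 @@` hunk still pipes a script downloaded at run time into `bash` with no integrity check. The added `set -o pipefail` does not catch an HTTP error, because curl exits 0 on a 4xx/5xx response unless `--fail` is given. At minimum use `curl --fail --silent --show-error --location https://rpm.nodesource.com/setup_8.x | bash -`. A better fix is to define the repository with `yum_repository` and `gpgcheck: yes`, as the NodeJS task at the top of this file does, or to fetch the script with `get_url` and a pinned `checksum:` before executing it.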
@@ -128,4 +134,11 @@ - name: Set Distribution CIS filename for RHEL7/CentOS-7 set_fact: cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == '7') or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + when: + - ansible_os_family == "RedHat" and ansible_distribution_major_version == '7' + +- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon) + set_fact: + cis_distribution_filename: cis_rhel7_linux_rcl.txt + when: + - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index f5c8ba3d..5ccc4057 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -6,13 +6,13 @@ when: ansible_os_family == "Debian" - name: Install wazuh-manager, wazuh-api and expect - package: pkg={{ item }} state=latest + package: pkg={{ item }} state={{ wazuh_manager_package_state }} with_items: - wazuh-manager - wazuh-api - expect when: - - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6) tags: - init 
@@ -22,21 +22,21 @@ regexp: 'echo -n "Starting Wazuh-manager: "' replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib' when: - - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' + - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int == 6 - wazuh_manager_config.cluster.disable != 'yes' - name: Install wazuh-manager and expect (EL5) - package: pkg={{ item }} state=latest + package: pkg={{ item }} state={{ wazuh_manager_package_state }} with_items: - wazuh-manager - expect when: - - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 + - ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6 tags: - init - name: Generate SSL files for authd - command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/" + command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/" args: creates: sslmanager.cert chdir: /var/ossec/etc/ @@ -71,7 +71,7 @@ - name: Ensure ossec-authd service is disabled service: name=ossec-authd enabled=no state=stopped - when: old_authd_service.stat.exists == True + when: old_authd_service.stat.exists tags: - config @@ -80,7 +80,7 @@ with_items: - "/etc/init.d/ossec-authd" - "/lib/systemd/system/ossec-authd.service" - when: old_authd_service.stat.exists == True + when: old_authd_service.stat.exists tags: - config 
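Review bot: The "Generate SSL files for authd" command in tasks/main.yml keeps `-newkey rsa:1825`, which generates an 1825-bit RSA key, below the 2048-bit minimum that current guidance expects. The value looks like a day count (five years) that ended up in the key-size position. Since this commit already touches the line, change it to `-newkey rsa:2048` and decide separately whether `-days 365` is the intended certificate lifetime. The key is written unencrypted (`-nodes`) into /var/ossec/etc/, so confirm that a later task restricts its file mode; that is not visible in this hunk.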
@@ -180,7 +180,7 @@ - name: Retrieving Wazuh-API User Credentials include_vars: wazuh_api_creds.yml when: - - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6) tags: - config @@ -198,9 +198,12 @@ - config - name: Check if client-syslog is enabled - shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" + shell: | + set -o pipefail + "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" args: removes: /var/ossec/bin/.process_list + executable: /bin/bash changed_when: False check_mode: no register: csyslog_enabled @@ -212,14 +215,17 @@ notify: restart wazuh-manager when: - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout - - syslog_output is defined and syslog_output == true + - syslog_output is defined and syslog_output tags: - config - name: Check if ossec-agentlessd is enabled - shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" + shell: | + set -o pipefail + "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" args: removes: /var/ossec/bin/.process_list + executable: /bin/bash changed_when: False check_mode: no register: agentlessd_enabled @@ -252,7 +258,7 @@ poll: 0 when: - wazuh_manager_config.vuls.disable != 'yes' - - ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' + - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle'] tags: - init 
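Review bot: In "Check if client-syslog is enabled" (`@@ -198,9 +198,12 @@`) the command was moved into a `|` block but kept its surrounding double quotes, so bash receives the whole pipeline as one quoted word and tries to execute a program of that name, which fails. Even with the quotes removed, `set -o pipefail` makes the task fail whenever `grep -c` finds no match (it prints 0 but exits 1), and that is exactly the `csyslog_enabled.stdout == '0'` case the following task tests for. Dropping the shell avoids both problems: `command: grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list` together with `failed_when: csyslog_enabled.rc > 1`. The "Check if ossec-agentlessd is enabled" task in the `@@ -212,14 +215,17 @@` hunk has the same two defects and needs the same change with `agentlessd_enabled`.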
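Review bot: The rewritten list in the `@@ -252,7 +258,7 @@` hunk, `['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']`, carries over two values that Ansible does not report as `ansible_distribution`. The fact is spelled `RedHat` (capital H, as used elsewhere in this file), and Oracle Linux is reported as `OracleLinux`. As written, the task guarded by this condition is skipped on RHEL and Oracle Linux even when `wazuh_manager_config.vuls.disable` is not 'yes', so the vulnerability-scanning setup is silently left out on those hosts. Suggested line: `- ansible_distribution in ['RedHat', 'CentOS', 'Ubuntu', 'Debian', 'OracleLinux']`. The task itself starts above the hunk.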
@@ -293,7 +299,7 @@ notify: restart wazuh-api when: - wazuh_api_user is defined - - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) tags: - config @@ -345,7 +351,7 @@ environment: LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" when: - - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) - name: Ensure Wazuh Manager is started and enabled (EL5) service: @@ -355,7 +361,7 @@ tags: - config when: - - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 + - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int < 6 - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat"