afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added a successful installation on provided Docker containers with Molecule

Browse Source
This commit is contained in:
Werner Dijkerman 2019-04-15 21:52:08 +02:00
parent 85dbeca966
commit 8291e4ab9f
9 changed files with 131 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
molecule/default/molecule.yml
View File

@ -7,20 +7,31 @@ lint:
name: yamllint name: yamllint
enabled: false # fix in seperate PR enabled: false # fix in seperate PR
platforms: platforms:
- name: bionic - name: wazuh_manager_bionic
image: ubuntu:bionic image: ubuntu:bionic
- name: xenial groups:
- wazuh_manager
- name: wazuh_manager_xenial
image: ubuntu:xenial image: ubuntu:xenial
- name: trusty groups:
- wazuh_manager
- name: wazuh_manager_trusty
image: ubuntu:trusty image: ubuntu:trusty
- name: centos6 groups:
- wazuh_manager
- name: wazuh_manager_centos6
image: centos:6 image: centos:6
- name: centos7 groups:
image: centos:7 - wazuh_manager
- name: wazuh_manager_centos7
image: milcom/centos7-systemd
privileged: True
groups:
- wazuh_manager
provisioner: provisioner:
name: ansible name: ansible
env: env:
ANSIBLE_ROLES_PATH: $HOME/wazuh-ansible/roles ANSIBLE_ROLES_PATH: ../../roles
lint: lint:
name: ansible-lint name: ansible-lint
enabled: true # fix in seperate PR enabled: true # fix in seperate PR

8
molecule/default/playbook.yml
View File

@ -1,9 +1,11 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: wazuh_manager
roles: roles:
- {role: wazuh/ansible-wazuh-manager} - role: wazuh/ansible-wazuh-manager
- {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
# - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
# Elasticsearch requires too much memory to test multiple containers concurrently - To Fix # Elasticsearch requires too much memory to test multiple containers concurrently - To Fix
#- {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} #- {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
#- {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'} #- {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'}

20
molecule/default/prepare.yml
View File

@ -1,5 +1,21 @@
--- ---
- name: Prepare - name: Prepare
hosts: all hosts: all
gather_facts: false gather_facts: True
tasks: [] tasks:
- name: "Install Python packages for Trusty to solve trust issues"
package:
name:
- python-setuptools
- python-pip
state: latest
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: "Install dependencies"
package:
name:
- curl
state: latest

1
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,5 +1,6 @@
--- ---
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: latest
wazuh_manager_config: wazuh_manager_config:
json_output: 'yes' json_output: 'yes'

2
roles/wazuh/ansible-wazuh-manager/handlers/main.yml
View File

@ -13,3 +13,5 @@
name: wazuh-api name: wazuh-api
state: restarted state: restarted
enabled: true enabled: true
when:
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)

2
roles/wazuh/ansible-wazuh-manager/meta/main.yml
View File

@ -18,6 +18,6 @@ galaxy_info:
- name: Fedora - name: Fedora
versions: versions:
- all - all
categories: galaxy_tags:
- monitoring - monitoring
dependencies: [] dependencies: []

38
roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
View File

@ -1,17 +1,30 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: ['apt-transport-https', 'ca-certificates'] name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
- urllib3 - gnupg
state: present
cache_valid_time: 3600
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: yes
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: False
executable: /bin/bash
changed_when: False
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Installing Wazuh repository key - name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
@ -19,8 +32,23 @@
state: present state: present
update_cache: yes update_cache: yes
- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14)
become: yes
shell: |
set -o pipefail
curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
args:
warn: False
executable: /bin/bash
changed_when: False
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Installing NodeJS repository key - name: Debian/Ubuntu | Installing NodeJS repository key
apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- name: Debian/Ubuntu | Add NodeSource repositories for Node.js - name: Debian/Ubuntu | Add NodeSource repositories for Node.js
apt_repository: apt_repository:

23
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -3,7 +3,7 @@
yum_repository: yum_repository:
name: NodeJS name: NodeJS
description: NodeJS-$releasever description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes gpgcheck: yes
when: when:
@ -19,9 +19,12 @@
when: ansible_distribution == 'Fedora' when: ansible_distribution == 'Fedora'
- name: AmazonLinux | Get Nodejs - name: AmazonLinux | Get Nodejs
shell: curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - shell: |
set -o pipefail
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
args: args:
warn: no warn: no
executable: /bin/bash
when: when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
@ -53,7 +56,10 @@
- ansible_distribution_major_version|int == 5 - ansible_distribution_major_version|int == 5
- name: RedHat/CentOS/Fedora | Install openscap - name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present package: name={{ item }} state=present
with_items:
- openscap-scanner
- openssl
tags: tags:
- init - init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
@ -80,7 +86,7 @@
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module - name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography pip: name=cryptography state=present
environment: environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}" PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib" LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
@ -128,4 +134,11 @@
- name: Set Distribution CIS filename for RHEL7/CentOS-7 - name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == '7') or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"

38
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -6,13 +6,13 @@
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Install wazuh-manager, wazuh-api and expect - name: Install wazuh-manager, wazuh-api and expect
package: pkg={{ item }} state=latest package: pkg={{ item }} state={{ wazuh_manager_package_state }}
with_items: with_items:
- wazuh-manager - wazuh-manager
- wazuh-api - wazuh-api
- expect - expect
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6)
tags: tags:
- init - init
@ -22,21 +22,21 @@
regexp: 'echo -n "Starting Wazuh-manager: "' regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib' replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5) - name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest package: pkg={{ item }} state={{ wazuh_manager_package_state }}
with_items: with_items:
- wazuh-manager - wazuh-manager
- expect - expect
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 - ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6
tags: tags:
- init - init
- name: Generate SSL files for authd - name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/" command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args: args:
creates: sslmanager.cert creates: sslmanager.cert
chdir: /var/ossec/etc/ chdir: /var/ossec/etc/
@ -71,7 +71,7 @@
- name: Ensure ossec-authd service is disabled - name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -80,7 +80,7 @@
with_items: with_items:
- "/etc/init.d/ossec-authd" - "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service" - "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -180,7 +180,7 @@
- name: Retrieving Wazuh-API User Credentials - name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml include_vars: wazuh_api_creds.yml
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6)
tags: tags:
- config - config
@ -198,9 +198,12 @@
- config - config
- name: Check if client-syslog is enabled - name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
executable: /bin/bash
changed_when: False changed_when: False
check_mode: no check_mode: no
register: csyslog_enabled register: csyslog_enabled
@ -212,14 +215,17 @@
notify: restart wazuh-manager notify: restart wazuh-manager
when: when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true - syslog_output is defined and syslog_output
tags: tags:
- config - config
- name: Check if ossec-agentlessd is enabled - name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
executable: /bin/bash
changed_when: False changed_when: False
check_mode: no check_mode: no
register: agentlessd_enabled register: agentlessd_enabled
@ -252,7 +258,7 @@
poll: 0 poll: 0
when: when:
- wazuh_manager_config.vuls.disable != 'yes' - wazuh_manager_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']
tags: tags:
- init - init
@ -293,7 +299,7 @@
notify: restart wazuh-api notify: restart wazuh-api
when: when:
- wazuh_api_user is defined - wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
tags: tags:
- config - config
@ -345,7 +351,7 @@
environment: environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
- name: Ensure Wazuh Manager is started and enabled (EL5) - name: Ensure Wazuh Manager is started and enabled (EL5)
service: service:
@ -355,7 +361,7 @@
tags: tags:
- config - config
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"