Added a successful installation on provided Docker containers with Molecule

Werner Dijkerman 2019-04-15 21:52:08 +02:00
parent 85dbeca966
commit 8291e4ab9f
9 changed files with 131 additions and 52 deletions


@ -7,20 +7,31 @@ lint:
name: yamllint
enabled: false # fix in seperate PR
platforms:
- name: bionic
- name: wazuh_manager_bionic
image: ubuntu:bionic
- name: xenial
groups:
- wazuh_manager
- name: wazuh_manager_xenial
image: ubuntu:xenial
- name: trusty
groups:
- wazuh_manager
- name: wazuh_manager_trusty
image: ubuntu:trusty
- name: centos6
groups:
- wazuh_manager
- name: wazuh_manager_centos6
image: centos:6
- name: centos7
image: centos:7
groups:
- wazuh_manager
- name: wazuh_manager_centos7
image: milcom/centos7-systemd
privileged: True
groups:
- wazuh_manager
provisioner:
name: ansible
env:
ANSIBLE_ROLES_PATH: $HOME/wazuh-ansible/roles
ANSIBLE_ROLES_PATH: ../../roles
lint:
name: ansible-lint
enabled: true # fix in seperate PR
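Review bot: The `wazuh_manager_centos7` platform runs a third-party image, `milcom/centos7-systemd`, referenced by a mutable name and with `privileged: True`, so whatever that name resolves to at test time gets near-host-level access on the developer or CI machine. Pinning the image by digest (`image: milcom/centos7-systemd@sha256:<DIGEST>`) would make the tested content reproducible. If systemd is the only reason for privileged mode, a narrower grant is usually enough (a read-only `/sys/fs/cgroup` volume plus the `SYS_ADMIN` capability), but that needs confirming against this image.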


@ -1,9 +1,11 @@
---
- name: Converge
hosts: all
hosts: wazuh_manager
roles:
- {role: wazuh/ansible-wazuh-manager}
- {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
- role: wazuh/ansible-wazuh-manager
# - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
# Elasticsearch requires too much memory to test multiple containers concurrently - To Fix
#- {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
#- {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'}


@ -1,5 +1,21 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks: []
gather_facts: True
tasks:
- name: "Install Python packages for Trusty to solve trust issues"
package:
name:
- python-setuptools
- python-pip
state: latest
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: "Install dependencies"
package:
name:
- curl
state: latest


@ -1,5 +1,6 @@
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: latest
wazuh_manager_config:
json_output: 'yes'
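Review bot: `wazuh_manager_package_state` is introduced with the value `latest` and no comment, so if this is the role's defaults file every consumer gets the manager and API upgraded on any run where the repository has a newer package. A comment above the variable would make that explicit, for example `# 'present' keeps the installed version; 'latest' upgrades on every run`. It may also be worth considering `present` as the default and leaving `latest` to the Molecule scenario.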


@ -13,3 +13,5 @@
name: wazuh-api
state: restarted
enabled: true
when:
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
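Review bot: The `when` added to the wazuh-api restart handler lacks the inner parentheses, and because `and` binds tighter than `or` in Jinja2 it evaluates as `not (CentOS or (RedHat and version < 6))`, so the handler is skipped on every CentOS host regardless of version. The same unparenthesised form appears on the new side of the tasks-file hunks at `@ -293,7 +299,7` and `@ -345,7 +351,7`, where the previous lines had the parentheses. The form this commit already uses elsewhere avoids the problem: `- not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6)`. The handler itself starts above the hunk.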


@ -18,6 +18,6 @@ galaxy_info:
- name: Fedora
versions:
- all
categories:
galaxy_tags:
- monitoring
dependencies: []


@ -1,17 +1,30 @@
---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt:
name: ['apt-transport-https', 'ca-certificates']
state: present
cache_valid_time: 3600
with_items:
name:
- apt-transport-https
- ca-certificates
- urllib3
- gnupg
state: present
cache_valid_time: 3600
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: yes
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: False
executable: /bin/bash
changed_when: False
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
@ -19,8 +32,23 @@
state: present
update_cache: yes
- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14)
become: yes
shell: |
set -o pipefail
curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
args:
warn: False
executable: /bin/bash
changed_when: False
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Installing NodeJS repository key
apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- name: Debian/Ubuntu | Add NodeSource repositories for Node.js
apt_repository:
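Review bot: Both repository signing keys are trusted on fetch alone: the Ubuntu 14 tasks pipe `curl -s` straight into `apt-key add -`, and the `apt_key` tasks pass only a `url`. Without `--fail`, curl exits 0 on an HTTP error and the error body is what reaches apt-key, and in neither path is the key compared with a known fingerprint. Suggest `curl -fsS` in the shell tasks and `apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH id=<WAZUH_KEY_FINGERPRINT>` (likewise for NodeSource) so a substituted key is rejected. Separately, `urllib3` in the apt package list does not look like a Debian/Ubuntu package name (the distro packages are usually `python-urllib3` or `python3-urllib3`), so that is worth confirming. The last task in the hunk continues outside it.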


@ -3,7 +3,7 @@
yum_repository:
name: NodeJS
description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes
when:
@ -19,9 +19,12 @@
when: ansible_distribution == 'Fedora'
- name: AmazonLinux | Get Nodejs
shell: curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
shell: |
set -o pipefail
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
args:
warn: no
executable: /bin/bash
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
@ -53,7 +56,10 @@
- ansible_distribution_major_version|int == 5
- name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present
package: name={{ item }} state=present
with_items:
- openscap-scanner
- openssl
tags:
- init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
@ -80,7 +86,7 @@
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography
pip: name=cryptography state=present
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
@ -128,4 +134,11 @@
- name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == '7') or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
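Review bot: The rewritten `AmazonLinux | Get Nodejs` task still downloads `setup_8.x` and executes it with bash without any integrity check, and `set -o pipefail` does not catch an HTTP error body because curl exits 0 unless `--fail` is given. The first task in this file already declares the NodeSource repository through `yum_repository` with `gpgkey` and `gpgcheck: yes`; doing the same for Amazon Linux would replace script execution with signed-package verification, assuming NodeSource publishes a matching repository path. At minimum the command should be `curl --fail --silent --show-error --location https://rpm.nodesource.com/setup_8.x | bash -`. The new `pip: name=cryptography state=present` also installs an unpinned version; adding `version=` would keep EL6 builds reproducible.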


@ -6,13 +6,13 @@
when: ansible_os_family == "Debian"
- name: Install wazuh-manager, wazuh-api and expect
package: pkg={{ item }} state=latest
package: pkg={{ item }} state={{ wazuh_manager_package_state }}
with_items:
- wazuh-manager
- wazuh-api
- expect
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6)
tags:
- init
@ -22,21 +22,21 @@
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
package: pkg={{ item }} state={{ wazuh_manager_package_state }}
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
- ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6
tags:
- init
- name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/"
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args:
creates: sslmanager.cert
chdir: /var/ossec/etc/
@ -71,7 +71,7 @@
- name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists == True
when: old_authd_service.stat.exists
tags:
- config
@ -80,7 +80,7 @@
with_items:
- "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists == True
when: old_authd_service.stat.exists
tags:
- config
@ -180,7 +180,7 @@
- name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6)
tags:
- config
@ -198,9 +198,12 @@
- config
- name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
shell: |
set -o pipefail
"grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
executable: /bin/bash
changed_when: False
check_mode: no
register: csyslog_enabled
@ -212,14 +215,17 @@
notify: restart wazuh-manager
when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true
- syslog_output is defined and syslog_output
tags:
- config
- name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
shell: |
set -o pipefail
"grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
executable: /bin/bash
changed_when: False
check_mode: no
register: agentlessd_enabled
@ -252,7 +258,7 @@
poll: 0
when:
- wazuh_manager_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle'
- ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']
tags:
- init
@ -293,7 +299,7 @@
notify: restart wazuh-api
when:
- wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
tags:
- config
@ -345,7 +351,7 @@
environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
- name: Ensure Wazuh Manager is started and enabled (EL5)
service:
@ -355,7 +361,7 @@
tags:
- config
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
- ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
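Review bot: In the two `Check if ... is enabled` tasks the command was moved into a `shell: |` block but kept its surrounding double quotes, so bash receives the whole pipeline as one quoted word and tries to run it as a single command name instead of running grep. Dropping the quotes exposes a second problem: `grep -c` exits 1 when the count is 0, and with `set -o pipefail` that fails the task in exactly the case the later `csyslog_enabled.stdout == '0'` condition expects. Suggest the unquoted line `grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo` together with `failed_when: csyslog_enabled.rc > 1`, and the same for `agentlessd_enabled`. Separately, the list in the `@ -252,7 +258,7` hunk keeps the spelling `Redhat`, while the rest of the file compares against `RedHat`, so that entry probably never matches.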