From 92ebe86ef6004511edfec6fe77ab8e17c44f4e94 Mon Sep 17 00:00:00 2001 From: neonmei Date: Thu, 12 Nov 2020 14:24:14 -0300 Subject: [PATCH 1/6] roles/wazuh-agent: move api_pass and authd_pass from role vars to defaults, lowering precedence required to override them --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 4 ++++ roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml | 3 --- roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml | 4 ---- 3 files changed, 4 insertions(+), 7 deletions(-) delete mode 100644 roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 38ff1151..9cf19515 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -32,6 +32,10 @@ wazuh_agent_sources_installation: user_agent_config_profile: null user_ca_store: "/var/ossec/wpk_root.pem" +# We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials. +# api_pass: 'changeme' +authd_pass: '' + wazuh_managers: - address: 127.0.0.1 port: 1514 diff --git a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml deleted file mode 100644 index ad6e1164..00000000 --- a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. -# api_pass: 'changeme' diff --git a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml deleted file mode 100644 index c1f4da4f..00000000 --- a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. -# authd_pass: 'foobar' -authd_pass: '' \ No newline at end of file From bab8279f7316f9835f43522d818799438db960f5 Mon Sep 17 00:00:00 2001 From: neonmei Date: Thu, 12 Nov 2020 14:29:01 -0300 Subject: [PATCH 2/6] roles/wazuh-agent: remove include_vars tasks --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 11 ----------- roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml | 5 ----- 2 files changed, 16 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 54b370f8..1da97502 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -1,9 +1,4 @@ --- -- name: Retrieving authd Credentials - include_vars: authd_pass.yml - tags: - - config - - include_tasks: "RedHat.yml" when: ansible_os_family == "RedHat" @@ -54,9 +49,6 @@ - name: Linux | Agent registration via authd block: - - name: Retrieving authd Credentials - include_vars: authd_pass.yml - - name: Copy CA root certificate to verify authd copy: src: "{{ wazuh_agent_authd.ssl_agent_ca }}" @@ -124,9 +116,6 @@ - name: Linux | Agent registration via rest-API block: - - name: Retrieving rest-API Credentials - include_vars: api_pass.yml - - name: Linux | Create the agent key via rest-API uri: url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index c778933c..145dc6d5 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml @@ -54,11 +54,6 @@ tags: - config -- name: Retrieving authd Credentials - include_vars: authd_pass.yml - tags: - - config - - name: Windows | Register agent win_shell: > {{ wazuh_agent_win_auth_path }} 
From 0bbdf231f2f31f12a0e1f38bbb6816bf317a0983 Mon Sep 17 00:00:00 2001 From: neonmei Date: Thu, 12 Nov 2020 14:34:57 -0300 Subject: [PATCH 3/6] roles/wazuh-agent: remove "is defined" conditionals, as authd_pass is now part of roles default, now check is only against length --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 4 ++-- roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 1da97502..b1bf5b95 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -78,7 +78,7 @@ -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_nat %} -I "any" {% endif %} - {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %} {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" {% endif %} @@ -215,7 +215,7 @@ when: - wazuh_agent_config.enrollment.enabled == 'yes' - wazuh_agent_config.enrollment.authorization_pass_path | length > 0 - - ( authd_pass is defined) and ( authd_pass|length > 0) + - authd_pass | length > 0 tags: - config diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index 145dc6d5..66d962cc 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml 
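Review bot: In the agent-auth command at `@@ -78`, `-P {{ authd_pass }}` is still rendered into the command line unquoted, so a password containing spaces or shell metacharacters would be split or interpreted by the shell (assuming the task uses `shell`, since the module line is outside the hunk); `-P {{ authd_pass | quote }}` avoids that. Dropping `is defined` also means an override such as `authd_pass: null` now fails at `| length`, which `authd_pass | default('', true) | length > 0` would tolerate. Both points apply to the `when:` at `@@ -215` and to the Windows.yml hunk as well, although the quoting there has to follow PowerShell rules rather than POSIX ones. Because the secret is passed as a command argument, the registration tasks would also benefit from `no_log: true` so the rendered command does not end up in Ansible output. The enclosing tasks start and end outside these hunks.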
@@ -60,7 +60,7 @@ -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} - {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %} register: agent_auth_output notify: Windows | Restart Wazuh Agent when: From 1dfd613f0d7ba62b3f618cf33502363cfe96b153 Mon Sep 17 00:00:00 2001 From: neonmei Date: Thu, 12 Nov 2020 14:35:23 -0300 Subject: [PATCH 4/6] roles/wazuh-agent: uncomment api_pass --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 9cf19515..1e4b8529 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -33,7 +33,7 @@ wazuh_agent_sources_installation: user_ca_store: "/var/ossec/wpk_root.pem" # We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials. -# api_pass: 'changeme' +api_pass: 'changeme' authd_pass: '' wazuh_managers: From 8b266583744f91e8927da19b79503fb61af008a8 Mon Sep 17 00:00:00 2001 From: neonmei Date: Thu, 12 Nov 2020 14:39:17 -0300 Subject: [PATCH 5/6] roles/wazuh-agent: expand task declaration for clarity --- .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index b1bf5b95..87b03433 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
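Review bot: Uncommenting `api_pass: 'changeme'` in defaults/main.yml turns a documented placeholder into an active default, so a play that enables rest-API registration and forgets to override it would authenticate with a publicly known password. Patch 6 only swaps the value for `api_pass: wazuh`, which has the same problem. An empty default, `api_pass: ''`, is safer, combined with an early failure in the rest-API registration block, for example an `assert` with `that: api_pass | length > 0`. The comment above the variable could then state the expectation directly: `# Set api_pass and authd_pass from an ansible-vault encrypted vars file; never keep real credentials in role defaults.`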
@@ -40,7 +40,8 @@ - init - name: Linux | Check if client.keys exists - stat: path=/var/ossec/etc/client.keys + stat: + path: /var/ossec/etc/client.keys register: check_keys when: wazuh_agent_config.enrollment.enabled == 'yes' tags: @@ -184,22 +185,24 @@ - api - name: Linux | Installing agent configuration (ossec.conf) - template: src=var-ossec-etc-ossec-agent.conf.j2 - dest=/var/ossec/etc/ossec.conf - owner=root - group=ossec - mode=0644 + template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: /var/ossec/etc/ossec.conf + owner: root + group: ossec + mode: 0644 notify: restart wazuh-agent tags: - init - config - name: Linux | Installing local_internal_options.conf - template: src=var-ossec-etc-local-internal-options.conf.j2 - dest=/var/ossec/etc/local_internal_options.conf - owner=root - group=ossec - mode=0640 + template: + src: var-ossec-etc-local-internal-options.conf.j2 + dest: /var/ossec/etc/local_internal_options.conf + owner: root + group: ossec + mode: 0640 notify: restart wazuh-agent tags: - init From b4d2b564b78629c47483811f5f81ecdaa938046d Mon Sep 17 00:00:00 2001 From: neonmei Date: Fri, 20 Nov 2020 13:40:17 -0300 Subject: [PATCH 6/6] roles/wazuh-agent: update api credentials to wazuh:wazuh --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 1e4b8529..6e1949e5 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -33,7 +33,7 @@ wazuh_agent_sources_installation: user_ca_store: "/var/ossec/wpk_root.pem" # We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials. -api_pass: 'changeme' +api_pass: wazuh authd_pass: '' wazuh_managers: 
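Review bot: In the two expanded `template:` tasks at `@@ -184`, `mode: 0644` and `mode: 0640` are now bare YAML scalars, whereas the old `mode=0644` form reached the module as a string. The resulting permissions on ossec.conf and local_internal_options.conf therefore depend on the YAML loader reading a leading-zero number as octal. Quoting them, `mode: '0644'` and `mode: '0640'`, keeps the file modes stable across parsers and lint-driven rewrites.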
@@ -42,7 +42,7 @@ wazuh_managers: protocol: tcp api_port: 55000 api_proto: 'http' - api_user: null + api_user: wazuh max_retries: 5 retry_interval: 5 wazuh_api_reachable_from_agent: false
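Review bot: With `api_user: wazuh` the role defaults now carry a complete, publicly known credential pair. The unchanged context line `api_proto: 'http'` suggests the pair would be sent over plaintext HTTP by the `uri` registration task, though this is inferred from the `url:` template in Linux.yml because the task's auth parameters are not visible here. Keep `api_user: null` (or require it from inventory) and consider defaulting `api_proto` to `'https'`. If the value stays, write it as `api_user: 'wazuh'` to match the quoting of the neighbouring keys.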