Updating the manager role with Wazuh 2.1

* ossec-authd now could be configured from ossec.conf.
* Switching from generating the SSL certs and using a CA.
* Adding authd password template (intended to be used with vault).

ansible-wazuh-manager/README.md

@@ -38,7 +38,8 @@ This file has the agenless credentials.
    arguments: '/bin /etc/ /sbin'
    passwd: qwerty
 ```
-### vars/wazuh_api_creds
+
+### vars/wazuh_api_creds.yml
 This file has user and password created in httpasswd format.
 ```
 ---
@@ -46,6 +47,13 @@ wazuh_api_user:
   - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
 ```
 
+### vars/authd_pass.yml
+This file has the password to be used for the authd daemon.
+```
+---
+authd_pass: foobar
+```
+
 Default config
 --------------
 
@@ -55,36 +63,48 @@ Default config
 wazuh_manager_fqdn: "wazuh-server"
 
 wazuh_manager_config:
+  json_output: 'yes'
+  alerts_log: 'yes'
+  logall: 'no'
+  authd:
+    enable: false
   email_notification: no
   mail_to:
     - admin@example.net
   mail_smtp_server: localhost
   mail_from: wazuh-server@example.com
-  frequency_check: 43200
+  syscheck:
-  syscheck_scan_on_start: 'yes'
+    frequency: 43200
+    scan_on_start: 'yes'
+    ignore:
+      - /etc/mtab
+      - /etc/mnttab
+      - /etc/hosts.deny
+      - /etc/mail/statistics
+      - /etc/random-seed
+      - /etc/random.seed
+      - /etc/adjtime
+      - /etc/httpd/logs
+      - /etc/utmpx
+      - /etc/wtmpx
+      - /etc/cups/certs
+      - /etc/dumpdates
+      - /etc/svc/volatile
+    no_diff:
+      - /etc/ssl/private.key
+    directories:
+      - dirs: /etc,/usr/bin,/usr/sbin
+        checks: 'check_all="yes"'
+      - dirs: /bin,/sbin
+        checks: 'check_all="yes"'
+  rootcheck:
+    frequency: 43200
+  openscap:
+    timeout: 1800
+    interval: '1d'
+    scan_on_start: 'yes'
   log_level: 1
   email_level: 12
-  ignore_files:
-    - /etc/mtab
-    - /etc/mnttab
-    - /etc/hosts.deny
-    - /etc/mail/statistics
-    - /etc/random-seed
-    - /etc/random.seed
-    - /etc/adjtime
-    - /etc/httpd/logs
-    - /etc/utmpx
-    - /etc/wtmpx
-    - /etc/cups/certs
-    - /etc/dumpdates
-    - /etc/svc/volatile
-  no_diff:
-    - /etc/ssl/private.key
-  directories:
-    - check_all: 'yes'
-      dirs: /etc,/usr/bin,/usr/sbin
-    - check_all: 'yes'
-      dirs: /bin,/sbin
   localfiles:
     - format: 'syslog'
       location: '/var/log/messages'

ansible-wazuh-manager/defaults/main.yml

@@ -5,7 +5,8 @@ wazuh_manager_config:
   json_output: 'yes'
   alerts_log: 'yes'
   logall: 'no'
-  enable_authd: false
+  authd:
+    enable: false
   email_notification: no
   mail_to:
     - admin@example.net

ansible-wazuh-manager/tasks/main.yml

@@ -14,13 +14,27 @@
   tags:
     - init
 
-- name: Generate SSL files
+- name: Generate SSL files for authd
   command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/"
   args:
     creates: sslmanager.cert
     chdir: /var/ossec/etc/
   tags:
       - config
+  when: wazuh_manager_config.authd.ssl_agent_ca is not defined
+
+- name: Copy CA, SSL key and cert for authd
+  copy:
+    src: "{{ item }}"
+    dest: "/var/ossec/etc/{{ item | basename }}"
+    mode: 0644
+  with_items:
+    - "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
+    - "{{ wazuh_manager_config.authd.ssl_manager_cert }}"
+    - "{{ wazuh_manager_config.authd.ssl_manager_key }}"
+  tags:
+    - config
+  when: wazuh_manager_config.authd.ssl_agent_ca is defined
 
 - name: Installing the local_rules.xml (default local_rules.xml)
   template: src=var-ossec-rules-local_rules.xml.j2
@@ -79,15 +93,41 @@
   command: /var/ossec/bin/ossec-control enable agentless
   when: agentless_running.stdout == '0' and agentless_creeds is defined
 
-- name: Start client-syslog
+- name: Start ossec-agentlessd
   command: /var/ossec/bin/ossec-control start agentless
   when: agentless_running.stdout == '0' and agentless_creeds is defined
 
+- name: Check if ossec-authd is enabled
+  shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo"
+  register: authd_running
+  changed_when: False
+
+- name: Enable ossec-authd
+  command: /var/ossec/bin/ossec-control enable auth
+  when:
+    - authd_running.stdout == '0'
+    - wazuh_manager_config.authd.enable == true
+
+- name: Start ossec-authd
+  command: /var/ossec/bin/ossec-control start auth
+  when:
+    - authd_running.stdout == '0'
+    - wazuh_manager_config.authd.enable == true
+
+- name: Retrieving authd Credentials
+  include_vars: authd_pass.yml
+  tags:
+    - config
+
 - name: Retrieving Agentless Credentials
   include_vars: agentless_creeds.yml
+  tags:
+    - config
 
 - name: Retrieving Wazuh-api User Credentials
   include_vars: wazuh_api_creds.yml
+  tags:
+    - config
 
 - name: Checking alert log output settings
   fail: msg="Please enable json_output or alerts_log options."
@@ -109,35 +149,18 @@
     - init
     - config
 
-- name: Write ossec-authd init file
+- name: Ossec-authd password
-  template: src=ossec-authd-init.service
-            dest=/etc/init.d/ossec-authd
-            owner=root
-            group=root
-            mode=0755
-  when:
-    - ansible_service_mgr == "upstart"
-    - ansible_os_family != "CoreOS"
-    - wazuh_manager_config.enable_authd == true
-  tags:
-    - init
-    - config
-
-- name: Write ossec-authd systemd file
   template:
-    src: ossec-authd.service
+    src: authd_pass.j2
-    dest: /lib/systemd/system/ossec-authd.service
+    dest: "/var/ossec/etc/authd.pass"
+    owner: ossec
+    group: ossec
+    mode: 0640
+  no_log: true
+  notify: restart wazuh-manager
   when:
-    - ansible_service_mgr == "systemd"
+    - wazuh_manager_config.authd.use_password is defined
-    - ansible_os_family != "CoreOS"
+    - wazuh_manager_config.authd.use_password == true
-    - wazuh_manager_config.enable_authd == true
-  tags:
-    - init
-    - config
-
-- name: Ensure ossec-authd service is started and enabled
-  service: name=ossec-authd enabled=yes state=started
-  when: wazuh_manager_config.enable_authd == true
   tags:
     - config
 

ansible-wazuh-manager/templates/authd_pass.j2

@@ -0,0 +1 @@
+{{ authd_pass }}

ansible-wazuh-manager/templates/ossec-authd-init.service

@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# ossec-authd  Start the OSSEC-HIDS Authentication Daemon
-#
-# chkconfig: 2345 99 01
-# description: Provides key signing for OSSEC Clients
-# processname: ossec-authd
-# config: /var/ossec/etc/ossec.conf
-# pidfile: /var/run/ossec-authd.pid
-### BEGIN INIT INFO
-# Provides:          ossec-authd
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Authentication Daemon for OSSEC-HIDS.
-# Description:       Provides key signing for OSSEC Clients
-### END INIT INFO
-
-# Author: Brad Lhotsky <brad.lhotsky@gmail.com>
-NAME=ossec-authd
-HOME=/var/ossec
-DAEMON=/var/ossec/bin/ossec-authd
-DAEMON_ARGS="-p 1515 2>&1 >> /var/ossec/logs/ossec-authd.log &"
-PIDDIR=/var/ossec/var/run
-SCRIPTNAME=/etc/init.d/ossec-authd
-
-if [ ! -e $HOME/etc/sslmanager.key ]
-  then
-    echo "Creating ossec-authd key and cert"
-    openssl genrsa -out $HOME/etc/sslmanager.key 4096
-    openssl req -new -x509 -key $HOME/etc/sslmanager.key\
-      -out $HOME/etc/sslmanager.cert -days 3650\
-      -subj /CN=fqdn/
-fi
-
-. /etc/rc.d/init.d/functions
-
-getpid() {
-    for filename in $PIDDIR/${NAME}*.pid; do
-        pidfile=$(basename $filename)
-        pid=$(echo $pidfile |cut -d\- -f 3 |cut -d\. -f 1)
-        kill -0 $pid &> /dev/null
-        RETVAL=$?
-        if [ $RETVAL -eq 0 ]; then
-            PIDFILE=$filename
-            PID=$pid
-        else
-            rm -f $filename
-        fi;
-    done;
-}
-
-start() {
-  echo -n $"Starting $NAME: "
-  daemon $DAEMON $DAEMON_ARGS
-  retval=$?
-  if [ $retval -eq 0 ]; then
-    echo_success
-    echo
-  else
-    echo_failure
-    echo
-  fi
-  return $retval
-}
-
-stop() {
-  echo -n $"Stopping $NAME: "
-  getpid
-  killproc -p $PIDFILE $NAME
-  retval=$?
-  echo
-  return $retval
-}
-
-restart() {
-  stop
-  start
-}
-
-case "$1" in
-  start)
-    start
-    ;;
-  stop)
-    stop
-    ;;
-  status)
-    getpid
-    if [ -z $PIDFILE ]; then
-        status $NAME
-    else
-        status -p $PIDFILE $NAME
-    fi;
-    ;;
-  restart)
-    restart
-    ;;
-  *)
-    echo "Usage: $0 {start|stop|status}"
-    exit 2
-    ;;
-esac
-
-exit $?

ansible-wazuh-manager/templates/ossec-authd.service

@@ -1,8 +0,0 @@
-[Unit]
-Description=Wazuh authd
-
-[Service]
-EnvironmentFile=/etc/ossec-init.conf
-Environment=DIRECTORY=/var/ossec
-
-ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-authd -p 1515

ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2

@@ -1,3 +1,4 @@
+#jinja2: trim_blocks:False
 <!--
   Wazuh - Manager - Default configuration
   More info at: https://documentation.wazuh.com
@@ -21,6 +22,23 @@
     <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
   </global>
 
+{% if wazuh_manager_config.authd.enable == true %}
+  <auth>
+    <disabled>no</disabled>
+    {% if wazuh_manager_config.authd.port is defined %}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}
+    {% if wazuh_manager_config.authd.use_source_ip is defined %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}
+    {% if wazuh_manager_config.authd.force_insert is defined %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}
+    {% if wazuh_manager_config.authd.force_time is defined %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}
+    {% if wazuh_manager_config.authd.purge is defined %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}
+    {% if wazuh_manager_config.authd.use_password is defined %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}
+    {% if wazuh_manager_config.authd.ssl_agent_ca is defined %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}
+    {% if wazuh_manager_config.authd.ssl_verify_host is defined %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}
+    {% if wazuh_manager_config.authd.ssl_manager_cert is defined %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}
+    {% if wazuh_manager_config.authd.ssl_manager_key is defined %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}
+    {% if wazuh_manager_config.authd.ssl_auto_negotiate is defined %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}
+  </auth>
+{% endif %}
+
 {% if wazuh_manager_config.extra_emails is defined %}
 {% for mail in wazuh_manager_config.extra_emails %}
   <email_alerts>

ansible-wazuh-manager/vars/authd_pass.yml

@@ -0,0 +1,2 @@
+---
+#authd_pass: foobar