diff --git a/roles/wazuh/ansible-wazuh-manager/files/create_user.py b/roles/wazuh/ansible-wazuh-manager/files/create_user.py
new file mode 100644
index 00000000..aeabde44
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/files/create_user.py
@@ -0,0 +1,86 @@
+import logging
+import sys
+import json
+import random
+import string
+import argparse
+import os
+
+# Set framework path
+sys.path.append("/var/ossec/framework")
+
+try:
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+
+def db_roles():
+    roles_result = get_roles()
+    return {role["name"]: role["id"] for role in roles_result.affected_items}
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='add_user script')
+    parser.add_argument('--username', action="store", dest="username")
+    parser.add_argument('--password', action="store", dest="password")
+    results = parser.parse_args()
+
+    username = results.username
+    password = results.password
+
+    initial_users = db_users()
+    if username not in initial_users:
+        # create a new user
+        create_user(username=username, password=password)
+        users = db_users()
+        uid = users[username]
+        roles = db_roles()
+        rid = roles["administrator"]
+        set_user_role(
+            user_id=[
+                str(uid),
+            ],
+            role_ids=[
+                str(rid),
+            ],
+        )
+    else:
+        # modify an existing user ("wazuh" or "wazuh-wui")
+        uid = initial_users[username]
+        update_user(
+            user_id=[
+                str(uid),
+            ],
+            password=password,
+        )
+    # set a random password for all other users
+    for name, id in initial_users.items():
+        if name != username:
+            random_pass = "".join(
+                random.choices(
+                    string.ascii_uppercase
+                    + string.ascii_lowercase
+                    + string.digits
+                    + "@$!%*?&-_",
+                    k=16,
+                )
+            )
+            update_user(
+                user_id=[
+                    str(id),
+                ],
+                password=random_pass,
+            )
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
index e3b03c03..fb0be0e0 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
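Review bot: The throwaway passwords built on the `random_pass = "".join(random.choices(...))` lines come from `random`, which is not a cryptographic generator, yet they are what locks every other API account (including the default `wazuh`/`wazuh-wui` users) out; generate them with `secrets` instead, e.g. `import secrets` at the top and `random_pass = "".join(secrets.choice(alphabet) for _ in range(16))` with `alphabet` bound to the same character set. Separately, the `for name, id in initial_users.items()` loop resets every account other than the one just handled, and since the Ansible task invokes this script once per `wazuh_api_users` entry, a second entry will overwrite the password the first invocation just set — with two or more configured users only the last one keeps its intended password, so the reset should be limited to accounts outside the configured set or run once after all users exist. The `except Exception as e` around the import discards `e` and reports "No module 'wazuh' found." for any failure at all; `except ImportError as e` plus logging the exception would make a broken framework path distinguishable from a real missing module. Minor: `id` shadows the builtin, `json`/`os` are unused, and `--username`/`--password` should be `required=True` so a missing argument does not create a user named `None`.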
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@@ -277,46 +277,29 @@
   tags:
     - config
-# - name: Get API auth token
-#   uri:
-#     url: "https://{{ inventory_hostname }}:55000/security/user/authenticate?raw=true"
-#     method: GET
-#     user: wazuh
-#     password: wazuh
-#     validate_certs: no
-#     force_basic_auth: yes
-#     return_content: yes
-#     status_code: 200
-#     retries: 10
-#     delay: 5
-#   until: token.status == 200
-#   register: token
-#   tags:
-#     - config_api_users
-#   when:
-#     - wazuh_api_users is defined
-#     - wazuh_manager_config.cluster.node_type == "master"
+- name: Create custom API user
+  block:
+    - name: Copy create_user script
+      copy:
+        src: create_user.py
+        dest: /var/ossec/framework/scripts/create_user.py
+        owner: root
+        group: ossec
+        mode: 0644
-# - name: Create Wazuh-API Users
-#   block:
-#     - name: Create new user
-#       uri:
-#         url: "https://{{ inventory_hostname }}:55000/security/users"
-#         method: POST
-#         body_format: json
-#         body:
-#           username: "{{ item.username }}"
-#           password: "{{ item.password }}"
-#         validate_certs: no
-#         status_code: 200
-#         headers:
-#           Authorization: "Bearer {{ token.content }}"
-#       with_items:
-#         - "{{ wazuh_api_users }}"
-#       register: user_creation
-  # when:
-  #   - wazuh_api_users is defined
-  #   - wazuh_manager_config.cluster.node_type == "master"
+    - name: Execute create_user script
+      script:
+        chdir: /var/ossec/framework/scripts/
+        cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}"
+        executable: /var/ossec/framework/python/bin/python3
+      with_items:
+        - "{{ wazuh_api_users }}"
+
+  tags:
+    - config_api_users
+  when:
+    - wazuh_api_users is defined
+    - wazuh_manager_config.cluster.node_type == "master"
 
 - name: Agentless Hosts & Passwd
   template:
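Review bot: The `cmd:` line of "Execute create_user script" passes `{{ item.password }}` as a command-line argument, so the API password is readable in the manager's process list for the duration of the script and is echoed into Ansible's task output and any configured log, because the task carries no `no_log: true`. At minimum add `no_log: true` to the "Execute create_user script" task (or to the enclosing block); a follow-up could hand the secret to the script through `environment:` rather than argv, which would need a matching change in create_user.py. Note also that the `script` module transfers and runs the controller-side `create_user.py` from the role's files directory, so the file installed by the preceding `copy` task at `/var/ossec/framework/scripts/` does not appear to be the one executed — if the copy exists only for `chdir`, a comment saying so would help. Minor: quote the mode as `mode: '0644'`, which is the form Ansible recommends to avoid YAML octal ambiguity.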