diff --git a/CHANGELOG.md b/CHANGELOG.md index 5032bf99..91000121 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,24 @@ # Change Log All notable changes to this project will be documented in this file. +## [v4.0.2] + +### Added + +- Update to Wazuh v4.0.2 + +### Changed + +- New role variables have been introduced (e.g: `wazuh_agent_api_validate`), see documentation or PRs listed here for details. +- Some variables have been deprecated (e.g: `wazuh_agent_nat`) in favour of other ones, see documentation or PRs listed here for details. + +### Fixed + +- Fix agent enrollment default value. Fix authd registration. [PR#505](https://github.com/wazuh/wazuh-ansible/issues/505) +- Remove async clause causing agent install timeout on resource-constrained Centos installations [PR#507](https://github.com/wazuh/wazuh-ansible/issues/507) +- Fix REST registration method for agents [PR#509](https://github.com/wazuh/wazuh-ansible/issues/509) +- `authd_pass` and `api_pass` [precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) too high, lower to role defaults [PR#488](https://github.com/wazuh/wazuh-ansible/issues/488) + ## [v4.0.1] ### Added 
@@ -13,7 +31,7 @@ All notable changes to this project will be documented in this file. - Roles/elastic-stack: update jvm.options template per upstream updates ([@neonmei](https://github.com/neonmei)) [PR#501](https://github.com/wazuh/wazuh-ansible/pull/501) - Improve linting history ([@neonmei](https://github.com/neonmei)) - - Fix lint opendistro kibana [PR#497](https://github.com/wazuh/wazuh-ansible/pull/497) + - Fix lint opendistro kibana [PR#497](https://github.com/wazuh/wazuh-ansible/pull/497) - Feature lint roles configurations [PR#496](https://github.com/wazuh/wazuh-ansible/pull/496) - Feature lint role wazuh agent [PR#495](https://github.com/wazuh/wazuh-ansible/pull/495) - Feature lint role filebeat oss [PR#494](https://github.com/wazuh/wazuh-ansible/pull/494) diff --git a/README.md b/README.md index 42cae4e4..9895be44 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. | Wazuh version | Elastic | ODFE | |---------------|---------|--------| -| v4.0.1 | 7.9.3 | 1.11.0 | +| v4.0.2 | 7.9.3 | 1.11.0 | ## Documentation diff --git a/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml b/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml index 715e921c..45028909 100644 --- a/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml +++ b/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml 
@@ -12,6 +12,19 @@ manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }} elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}" kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}" +######################################################## +# Versions +elastic_stack_version: 7.9.3 +filebeat_version: 7.9.3 + +# Debian packages need the ${VERSION}-1 +wazuh_manager_version: 4.0.2-1 +wazuh_agent_version: 4.0.2-1 + +# Kibana role appends it automatically. +wazuh_version: 4.0.2 + + ######################################################## # General ELK stack variables @@ -22,6 +35,3 @@ kibana_xpack_security: true elasticsearch_xpack_security: true elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass - -elastic_stack_version: 7.9.3 -filebeat_version: 7.9.3 \ No newline at end of file diff --git a/molecule/distributed-wazuh-elk/group_vars/all.yml b/molecule/distributed-wazuh-elk/group_vars/all.yml index c5d04fe9..48ae39eb 100644 --- a/molecule/distributed-wazuh-elk/group_vars/all.yml +++ b/molecule/distributed-wazuh-elk/group_vars/all.yml @@ -10,4 +10,14 @@ elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}" manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}" elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}" +######################################################## +# Versions elastic_stack_version: 7.9.3 +filebeat_version: 7.9.3 + +# Debian packages need the ${VERSION}-1 +wazuh_manager_version: 4.0.2-1 +wazuh_agent_version: 4.0.2-1 + +# Kibana role appends it automatically. +wazuh_version: 4.0.2 \ No newline at end of file diff --git a/molecule/distributed-wazuh-odfe/group_vars/all.yml b/molecule/distributed-wazuh-odfe/group_vars/all.yml index 998bbbb5..393ec495 100644 --- a/molecule/distributed-wazuh-odfe/group_vars/all.yml 
+++ b/molecule/distributed-wazuh-odfe/group_vars/all.yml @@ -15,12 +15,6 @@ kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}" ######################################################## # General ELK stack variables -# Cluster Settings -#es_version: "7.9.1" -#es_major_version: "7.x" -#opendistro_version: 1.10.1 -filebeat_version: 7.9.1 - # OpenDistro kibana_opendistro_security: true @@ -34,4 +28,20 @@ opendistro_admin_password: changeme # All nodes are called by IP name elasticsearch_node_name: '{{ ansible_hostname }}' kibana_node_name: '{{ ansible_hostname }}' -filebeat_node_name: '{{ ansible_hostname }}' \ No newline at end of file +filebeat_node_name: '{{ ansible_hostname }}' + +######################################################## +# Versions +# See: https://opendistro.github.io/for-elasticsearch-docs/version-history/ + +elastic_stack_version: 7.9.1 +opendistro_version: 1.11.0 +filebeat_version: 7.9.1 +kibana_opendistro_version: -1.11.0-1 + +# Debian packages need the ${VERSION}-1 +wazuh_manager_version: 4.0.2-1 +wazuh_agent_version: 4.0.2-1 + +# Kibana role appends it automatically. +wazuh_version: 4.0.2 \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 8db66cca..8b4b0a71 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "wazuh-ansible" -version = "4.0.1" +version = "4.0.2" description = "" authors = ["neonmei "] diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index e61495a0..ad473430 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -7,7 +7,7 @@ kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_conf_path: /etc/kibana elastic_stack_version: 7.9.3 -wazuh_version: 4.0.1 +wazuh_version: 4.0.2 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana elasticrepo: 
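Review bot: `kibana_opendistro_version: -1.11.0-1` in the new Versions block reads like a negative number at a glance; YAML keeps it as the plain string `-1.11.0-1` only because the hyphen is not followed by a space, and nothing in the file says what the leading separator is for. Quote it and state its purpose, e.g. `kibana_opendistro_version: '-1.11.0-1'  # suffix appended to the kibana package name; leading '-' is intended` — the concatenation is my inference from the name, so adjust the wording if the role uses it differently. The same file also ends without a trailing newline (`\ No newline at end of file`), as do both elk molecule group_vars touched in this commit.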
diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 4fe1c819..612822d0 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -10,7 +10,7 @@ kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 elastic_stack_version: 7.9.1 -wazuh_version: 4.0.1 +wazuh_version: 4.0.2 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana # The OpenDistro package repository diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index be1eae13..0b977cdd 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -1,7 +1,7 @@ --- filebeat_version: 7.9.1 -wazuh_template_branch: v4.0.1 +wazuh_template_branch: v4.0.2 filebeat_output_elasticsearch_hosts: - "localhost:9200" diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 401983ff..1ef9493f 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,7 +1,7 @@ --- filebeat_version: 7.9.3 -wazuh_template_branch: v4.0.1 +wazuh_template_branch: v4.0.2 filebeat_create_config: true diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 21ccb4f7..6e31e857 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 4.0.1-1 +wazuh_agent_version: 4.0.2-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v4.0.1" + branch: "v4.0.2" user_language: "y" user_no_stop: "y" user_install_type: "agent" 
@@ -32,21 +32,17 @@ wazuh_agent_sources_installation: user_agent_config_profile: null user_ca_store: "/var/ossec/wpk_root.pem" +wazuh_agent_yum_lock_timeout: 30 + +# We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials. +api_pass: wazuh +authd_pass: '' + wazuh_api_reachable_from_agent: false wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_auto_restart: 'yes' -wazuh_agent_authd: - registration_address: 127.0.0.1 - enable: false - port: 1515 - agent_name: null - groups: [] - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' wazuh_notify_time: '10' wazuh_time_reconnect: '60' wazuh_crypto_method: 'aes' @@ -59,8 +55,8 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: f2444d89dab2c4c31bbdef454c95eb28 -wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.1-1.msi -wazuh_winagent_package_name: wazuh-agent-4.0.1-1.msi +wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.2.msi +wazuh_winagent_package_name: wazuh-agent-4.0.2.msi wazuh_agent_repo: apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' 
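Review bot: `api_pass: wazuh` makes the API's well-known initial password a role default, so a playbook that forgets to override it will authenticate rest-API registration with that value instead of failing; together with `api_user: wazuh` and `register: yes` in the managers default (next hunk) a missing override becomes a silent credential choice. Ship it empty the way `authd_pass: ''` is shipped and fail fast where REST registration is selected, e.g. `api_pass: ''` here and, at the top of the rest-API block, `- assert: { that: api_pass | length > 0, fail_msg: 'api_pass must be set (use ansible-vault)' }`. If mirroring the product default for out-of-the-box runs is deliberate, say so in the comment above it so readers do not take it for a placeholder.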
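Review bot: `wazuh_winagent_config_url` and `wazuh_winagent_package_name` now point at `wazuh-agent-4.0.2.msi`, but the `md5: f2444d89dab2c4c31bbdef454c95eb28` context line two lines above is unchanged while `check_md5: True` still applies, so the Windows install will either fail its integrity check against the new file or the previous digest was never correct. Update the digest in the same commit as the URL bump, `md5: <md5 of wazuh-agent-4.0.2.msi>`, and consider a stronger digest if the Windows task supports one — that task is outside this hunk. The file-name convention also changed from `4.0.1-1.msi` to `4.0.2.msi`; if the package server still publishes the `-1` suffix the download fails, which is worth checking against the release.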
@@ -68,31 +64,43 @@ wazuh_agent_repo: gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' +# This is deprecated, see: wazuh_agent_address wazuh_agent_nat: false ########################################## ### Wazuh ########################################## +wazuh_agent_nolog_sensible: yes wazuh_agent_config_overlay: yes -## Client +# This is a middle ground between breaking existing uses of wazuh_agent_nat +# and allow working with agents having several network interfaces +wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}' + +# List of managers. The first one with register variable declared *and* set to true +# is the one used to register the agent. Otherwise, the first one in the list will be used. wazuh_managers: - address: 127.0.0.1 port: 1514 protocol: tcp api_port: 55000 - api_proto: 'http' - api_user: null + api_proto: https + api_user: wazuh max_retries: 5 retry_interval: 5 + register: yes + +## Authentication Method: Enrollment section (4.x) + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html#enrollment -## Enrollment wazuh_agent_enrollment: - enabled: '' + enabled: 'yes' manager_address: '' port: 1515 - agent_name: 'testname' + agent_name: '' groups: '' agent_address: '' ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH 
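Review bot: `wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}'` raises an undefined-variable error on hosts where `ansible_default_ipv4` has no `address` (no default IPv4 route, or facts not gathered), and the new rest-API block feeds this value into the agent record, so such hosts fail before registration with a template error rather than a clear message. Either document the requirement above the line, `# Requires gathered facts and a default IPv4 route; set wazuh_agent_address explicitly otherwise`, or guard the lookup so the failure is explicit. Separately, `wazuh_agent_nolog_sensible: yes`, `register: yes` and `wazuh_agent_api_validate: yes` (next hunk) are unquoted YAML 1.1 booleans; writing `true` says the same thing and avoids the yes/no ambiguity that the quoted `'yes'`/`'no'` string values elsewhere in this file rely on.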
@@ -104,6 +112,28 @@ wazuh_agent_enrollment: delay_after_enrollment: 20 use_source_ip: 'no' +## Authentication Method: invoking agent-auth + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/registering/password-authorization-registration.html + +wazuh_agent_authd: + registration_address: 127.0.0.1 + enable: false + port: 1515 + agent_name: null + groups: [] + ssl_agent_ca: null + ssl_agent_cert: null + ssl_agent_key: null + ssl_auto_negotiate: 'no' + +## Authentication Method: REST API + +# For more information see: +# * https://documentation.wazuh.com/4.0/user-manual/registering/restful-api-registration.html +wazuh_agent_api_validate: yes + ## Client buffer wazuh_agent_client_buffer: disable: 'no' diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 54b370f8..2cf5eacb 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -1,9 +1,4 @@ --- -- name: Retrieving authd Credentials - include_vars: authd_pass.yml - tags: - - config - - include_tasks: "RedHat.yml" when: ansible_os_family == "RedHat" @@ -19,11 +14,10 @@ - wazuh_custom_packages_installation_agent_enabled - name: Linux CentOS/RedHat | Install wazuh-agent - package: + yum: name: wazuh-agent-{{ wazuh_agent_version }} state: present - async: 90 - poll: 30 + lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}' when: - ansible_os_family|lower == "redhat" - not wazuh_agent_sources_installation.enabled 
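Review bot: switching the CentOS/RedHat install from `package:` to `yum:` with `lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'` ties this task to Ansible 2.8 or newer, where `lock_timeout` was introduced, and the role's minimum Ansible version is not stated anywhere in this diff, so on an older controller the parameter is rejected at parse time. Record the requirement where the role lists its prerequisites, or next to the task, `# lock_timeout requires Ansible >= 2.8`. Removing `async`/`poll` is the fix the changelog describes and needs no further comment.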
@@ -45,18 +39,15 @@ - init - name: Linux | Check if client.keys exists - stat: path=/var/ossec/etc/client.keys - register: check_keys - when: wazuh_agent_config.enrollment.enabled == 'yes' + stat: + path: /var/ossec/etc/client.keys + register: client_keys_file tags: - config - name: Linux | Agent registration via authd block: - - name: Retrieving authd Credentials - include_vars: authd_pass.yml - - name: Copy CA root certificate to verify authd copy: src: "{{ wazuh_agent_authd.ssl_agent_ca }}" @@ -86,7 +77,7 @@ -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_nat %} -I "any" {% endif %} - {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %} {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" {% endif %} @@ -105,18 +96,18 @@ vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" when: - - not check_keys.stat.exists or check_keys.stat.size == 0 + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - wazuh_agent_authd.registration_address is not none - name: Linux | Verify agent registration - shell: echo {{ agent_auth_output }} | grep "Valid key created" + shell: echo {{ agent_auth_output }} | grep "Valid key received" when: - - not check_keys.stat.exists or check_keys.stat.size == 0 + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - wazuh_agent_authd.registration_address is not none when: - - wazuh_agent_authd.enable - - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no' + - wazuh_agent_authd.enable | bool + - wazuh_agent_config.enrollment.enabled != 'yes' tags: - config - authd 
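Review bot: `{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}` expands the password unquoted into a shell command line, so a value containing spaces or shell metacharacters breaks the command or is reinterpreted by the shell; use the quote filter, `-P {{ authd_pass | quote }}`. The value also lands in the process list and in the registered `agent_auth_output` of this task, whose header sits outside the hunk — worth confirming it carries `no_log`. The Windows.yml hunk later in this commit (`-P {{ authd_pass }}` in win_shell) has the same quoting gap.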
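Review bot: `shell: echo {{ agent_auth_output }} | grep "Valid key received"` interpolates the whole registered result dictionary — including its `cmd` field, which carries the `-P` password from the previous task — into an unquoted shell line, so the secret is exposed in logs and process listings and any quoting character in the output breaks the command; the commit only changed the grep string. Check the captured output without a shell: `assert:` / `that: "'Valid key received' in agent_auth_output.stdout"` / `fail_msg: agent-auth did not report a valid key`, keeping the task's `when` conditions as they are.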
@@ -124,93 +115,128 @@ - name: Linux | Agent registration via rest-API block: - - name: Retrieving rest-API Credentials - include_vars: api_pass.yml + - name: Establish target Wazuh Manager for registration task + set_fact: + target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}' + vars: + manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" + manager_fallback: "{{ wazuh_managers | list }}" + + - name: Linux | Obtain JWT Token + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' + method: GET + url_username: '{{ target_manager.api_user }}' + url_password: '{{ api_pass }}' + status_code: 200 + return_content: yes + force_basic_auth: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_jwt_result.json.error == 0 + register: api_jwt_result + become: no + tags: + - config + - api - name: Linux | Create the agent key via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" - validate_certs: false + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' method: POST - body: '{"name":"{{ agent_name }}"}' body_format: json - status_code: 200 + body: + name: '{{ agent_name }}' + ip: '{{ wazuh_agent_address }}' + force_time: 1 headers: - Content-Type: "application/json" - user: "{{ wazuh_managers.0.api_user }}" - password: "{{ api_pass }}" - register: newagent_api - delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | 
default(false) }}' become: no - changed_when: newagent_api.json.error == 0 - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + changed_when: api_agent_post.json.error == 0 + register: api_agent_post + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' tags: - config - api - - name: Linux | Retrieve new agent data via rest-API + - name: Linux | Validate registered agent key matches manager record uri: - url: >- - "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address - }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" - validate_certs: false + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' method: GET - return_content: true - user: "{{ wazuh_managers.0.api_user }}" - password: "{{ api_pass }}" - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - newagent_api.json.error == 0 - register: newagentdata_api - delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + headers: + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + register: api_agent_validation + vars: + agent_id: '{{ api_agent_post.json.data.id }}' + agent_key: '{{ api_agent_post.json.data.key }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key 
+ when: + - wazuh_agent_api_validate | bool + - api_agent_post.json.error == 0 tags: - config - api - - name: Linux | Register agent (via rest-API) + - name: Linux | Import Key (via rest-API) command: /var/ossec/bin/manage_agents environment: OSSEC_ACTION: i - OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}' - OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}' - OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}' - OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}' + OSSEC_AGENT_NAME: '{{ agent_name }}' + OSSEC_AGENT_IP: '{{ wazuh_agent_address }}' + OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}' + OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}' OSSEC_ACTION_CONFIRMED: y register: manage_agents_output - when: - - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - newagent_api.json.error == 0 + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' notify: restart wazuh-agent - when: - - not wazuh_agent_authd.enable - - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no' + - not ( wazuh_agent_authd.enable | bool ) + - wazuh_agent_config.enrollment.enabled != 'yes' + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 tags: - config - api +- name: Linux | Agent registration via auto-enrollment + debug: + msg: Agent registration will be performed through enrollment option in templated ossec.conf + when: wazuh_agent_config.enrollment.enabled == 'yes' + - name: Linux | Installing agent configuration (ossec.conf) - template: src=var-ossec-etc-ossec-agent.conf.j2 - dest=/var/ossec/etc/ossec.conf - owner=root - group=ossec - mode=0644 + template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: /var/ossec/etc/ossec.conf + owner: root + group: ossec + mode: 0644 notify: restart wazuh-agent tags: - init - config - name: Linux | Installing 
local_internal_options.conf - template: src=var-ossec-etc-local-internal-options.conf.j2 - dest=/var/ossec/etc/local_internal_options.conf - owner=root - group=ossec - mode=0640 + template: + src: var-ossec-etc-local-internal-options.conf.j2 + dest: /var/ossec/etc/local_internal_options.conf + owner: root + group: ossec + mode: 0640 notify: restart wazuh-agent tags: - init @@ -226,7 +252,7 @@ when: - wazuh_agent_config.enrollment.enabled == 'yes' - wazuh_agent_config.enrollment.authorization_pass_path | length > 0 - - ( authd_pass is defined) and ( authd_pass|length > 0) + - authd_pass | length > 0 tags: - config diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index c778933c..66d962cc 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml @@ -54,18 +54,13 @@ tags: - config -- name: Retrieving authd Credentials - include_vars: authd_pass.yml - tags: - - config - - name: Windows | Register agent win_shell: > {{ wazuh_agent_win_auth_path }} -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} - {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %} register: agent_auth_output notify: Windows | Restart Wazuh Agent when: diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index bb71ca45..22f94856 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 
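Review bot: the JWT task delegates with `delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost" }}'` while the three tasks after it use `inventory_hostname`; `ansible_host` is a connection address, not an inventory name, so when the two differ Ansible creates an implicit host without the inventory's connection variables and the token request runs somewhere other than intended — use the same expression as the others, `delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"`. Every uri call also defaults to `validate_certs: '{{ target_manager.validate_certs | default(false) }}'`, so the basic-auth credentials and the bearer token travel over https with no certificate verification unless the caller adds a key that the `wazuh_managers` default does not declare; declare `validate_certs` in that default (ideally `true`, with the opt-out visible) so the choice is deliberate. The `Import Key` command passes `OSSEC_AGENT_KEY` through `environment:` without the `no_log` the uri tasks carry, and at high verbosity Ansible prints the environment prefix of the remote command, so add `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'` there as well. The converted template tasks leave `mode: 0644` and `mode: 0640` unquoted; PyYAML's 1.1 octal rule makes them work today, but the previous `mode=0644` form was a string and `mode: '0644'` keeps it that way.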
@@ -37,7 +37,7 @@ {{ wazuh_auto_restart }} {{ wazuh_crypto_method }} - {% if wazuh_agent_config.enrollment.enabled | length > 0 %} + {% if wazuh_agent_config.enrollment.enabled == 'yes' %} {{ wazuh_agent_config.enrollment.enabled }} {% if wazuh_agent_config.enrollment.manager_address | length > 0 %} diff --git a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml deleted file mode 100644 index ad6e1164..00000000 --- a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. -# api_pass: 'changeme' diff --git a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml deleted file mode 100644 index c1f4da4f..00000000 --- a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. -# authd_pass: 'foobar' -authd_pass: '' \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 9d496170..85e63ecd 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 4.0.1-1 +wazuh_manager_version: 4.0.2-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazon # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v4.0.1" + branch: "v4.0.2" user_language: "en" user_no_stop: "y" user_install_type: "server"
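Review bot: `{% if wazuh_agent_config.enrollment.enabled == 'yes' %}` compares against the string `'yes'`, and the Linux tasks in this commit gate the authd and rest-API blocks on `!= 'yes'`; a user who writes `enabled: yes` unquoted gets the YAML 1.1 boolean `True`, which silently drops the enrollment block from ossec.conf and falls through to the authd/rest-API paths instead. Normalize once, `{% if wazuh_agent_config.enrollment.enabled | string | lower == 'yes' %}`, and apply the same normalization to the two Linux.yml conditions, or document at `wazuh_agent_enrollment.enabled` that the value must be the quoted string `'yes'`/`'no'`. `wazuh_agent_config` is not defined in this diff; I assume it is assembled from `wazuh_agent_enrollment` elsewhere in the role.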