Merge pull request #510 from wazuh/feature-release-4.0.2

wazuh-ansible: Version bump for 4.0.2 release
2020-11-25 16:19:33 +01:00 · 2020-11-25 16:19:33 +01:00 · b13664d999
commit b13664d999
parent 6e72daa737 2501ee6624
17 changed files with 217 additions and 125 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,24 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 ## [v4.0.2]
 ### Added
 - Update to Wazuh v4.0.2
 ### Changed
 - New role variables have been introduced (e.g: `wazuh_agent_api_validate`), see documentation or PRs listed here for details.
 - Some variables have been deprecated (e.g: `wazuh_agent_nat`) in favour of other ones, see documentation or PRs listed here for details.
 ### Fixed
 - Fix agent enrollment default value. Fix authd registration. [PR#505](https://github.com/wazuh/wazuh-ansible/issues/505)
 - Remove async clause causing agent install timeout on resource-constrained Centos installations [PR#507](https://github.com/wazuh/wazuh-ansible/issues/507)
 - Fix REST registration method for agents [PR#509](https://github.com/wazuh/wazuh-ansible/issues/509)
 - `authd_pass` and `api_pass` [precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) too high, lower to role defaults [PR#488](https://github.com/wazuh/wazuh-ansible/issues/488)
 ## [v4.0.1]
 ### Added
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
 | Wazuh version | Elastic | ODFE   |
 |---------------|---------|--------|
-| v4.0.1        | 7.9.3   | 1.11.0 |
+| v4.0.2        | 7.9.3   | 1.11.0 |
 ## Documentation
--- a/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml
+++ b/molecule/distributed-wazuh-elk-xpack/group_vars/all.yml
@ -12,6 +12,19 @@ manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}
 elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
 kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
 ########################################################
 # Versions
 elastic_stack_version: 7.9.3
 filebeat_version: 7.9.3
 # Debian packages need the ${VERSION}-1
 wazuh_manager_version: 4.0.2-1
 wazuh_agent_version: 4.0.2-1
 # Kibana role appends it automatically.
 wazuh_version: 4.0.2
 ########################################################
 # General ELK stack variables
@ -22,6 +35,3 @@ kibana_xpack_security: true
 elasticsearch_xpack_security: true
 elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 elastic_stack_version: 7.9.3
 filebeat_version: 7.9.3
--- a/molecule/distributed-wazuh-elk/group_vars/all.yml
+++ b/molecule/distributed-wazuh-elk/group_vars/all.yml
@ -10,4 +10,14 @@ elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars)  | list }}"
 manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
 elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
 ########################################################
 # Versions
 elastic_stack_version: 7.9.3
 filebeat_version: 7.9.3
 # Debian packages need the ${VERSION}-1
 wazuh_manager_version: 4.0.2-1
 wazuh_agent_version: 4.0.2-1
 # Kibana role appends it automatically.
 wazuh_version: 4.0.2
--- a/molecule/distributed-wazuh-odfe/group_vars/all.yml
+++ b/molecule/distributed-wazuh-odfe/group_vars/all.yml
@ -15,12 +15,6 @@ kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
 ########################################################
 # General ELK stack variables
 # Cluster Settings
 #es_version: "7.9.1"
 #es_major_version: "7.x"
 #opendistro_version: 1.10.1
 filebeat_version: 7.9.1
 # OpenDistro
 kibana_opendistro_security: true
@ -35,3 +29,19 @@ opendistro_admin_password: changeme
 elasticsearch_node_name: '{{ ansible_hostname }}'
 kibana_node_name: '{{ ansible_hostname }}'
 filebeat_node_name: '{{ ansible_hostname }}'
 ########################################################
 # Versions
 # See: https://opendistro.github.io/for-elasticsearch-docs/version-history/
 elastic_stack_version: 7.9.1
 opendistro_version: 1.11.0
 filebeat_version: 7.9.1
 kibana_opendistro_version: -1.11.0-1
 # Debian packages need the ${VERSION}-1
 wazuh_manager_version: 4.0.2-1
 wazuh_agent_version: 4.0.2-1
 # Kibana role appends it automatically.
 wazuh_version: 4.0.2
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "wazuh-ansible"
-version = "4.0.1"
+version = "4.0.2"
 description = ""
 authors = ["neonmei <neonmei@pm.me>"]
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml
+++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml
@ -7,7 +7,7 @@ kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 kibana_conf_path: /etc/kibana
 elastic_stack_version: 7.9.3
-wazuh_version: 4.0.1
+wazuh_version: 4.0.2
 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
 elasticrepo:
--- a/roles/opendistro/opendistro-kibana/defaults/main.yml
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml
@ -10,7 +10,7 @@ kibana_server_port: "5601"
 kibana_server_name: "kibana"
 kibana_max_payload_bytes: 1048576
 elastic_stack_version: 7.9.1
-wazuh_version: 4.0.1
+wazuh_version: 4.0.2
 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
 # The OpenDistro package repository
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 filebeat_version: 7.9.1
-wazuh_template_branch: v4.0.1
+wazuh_template_branch: v4.0.2
 filebeat_output_elasticsearch_hosts:
  - "localhost:9200"
--- a/roles/wazuh/ansible-filebeat/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 filebeat_version: 7.9.3
-wazuh_template_branch: v4.0.1
+wazuh_template_branch: v4.0.2
 filebeat_create_config: true
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-wazuh_agent_version: 4.0.1-1
+wazuh_agent_version: 4.0.2-1
 # Custom packages installation
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
 wazuh_agent_sources_installation:
  enabled: false
-  branch: "v4.0.1"
+  branch: "v4.0.2"
  user_language: "y"
  user_no_stop: "y"
  user_install_type: "agent"
@ -32,21 +32,17 @@ wazuh_agent_sources_installation:
  user_agent_config_profile: null
  user_ca_store: "/var/ossec/wpk_root.pem"
 wazuh_agent_yum_lock_timeout: 30
 # We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials.
 api_pass: wazuh
 authd_pass: ''
 wazuh_api_reachable_from_agent: false
 wazuh_profile_centos: 'centos, centos7, centos7.6'
 wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
 wazuh_auto_restart: 'yes'
 wazuh_agent_authd:
  registration_address: 127.0.0.1
  enable: false
  port: 1515
  agent_name: null
  groups: []
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'
 wazuh_notify_time: '10'
 wazuh_time_reconnect: '60'
 wazuh_crypto_method: 'aes'
@ -59,8 +55,8 @@ wazuh_winagent_config:
  auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
  check_md5: True
  md5: f2444d89dab2c4c31bbdef454c95eb28
-wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.1-1.msi
+wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.2.msi
-wazuh_winagent_package_name: wazuh-agent-4.0.1-1.msi
+wazuh_winagent_package_name: wazuh-agent-4.0.2.msi
 wazuh_agent_repo:
  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
@ -68,31 +64,43 @@ wazuh_agent_repo:
  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
 # This is deprecated, see: wazuh_agent_address
 wazuh_agent_nat: false
 ##########################################
 ### Wazuh
 ##########################################
 wazuh_agent_nolog_sensible: yes
 wazuh_agent_config_overlay: yes
-## Client
+# This is a middle ground between breaking existing uses of wazuh_agent_nat
 # and allow working with agents having several network interfaces
 wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}'
 # List of managers. The first one with register variable declared *and* set to true
 # is the one used to register the agent. Otherwise, the first one in the list will be used.
 wazuh_managers:
  - address: 127.0.0.1
    port: 1514
    protocol: tcp
    api_port: 55000
-    api_proto: 'http'
+    api_proto: https
-    api_user: null
+    api_user: wazuh
    max_retries: 5
    retry_interval: 5
    register: yes
 ## Authentication Method: Enrollment section (4.x)
 # For more information see:
 # * https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html#enrollment
 ## Enrollment
 wazuh_agent_enrollment:
-  enabled: ''
+  enabled: 'yes'
  manager_address: ''
  port: 1515
-  agent_name: 'testname'
+  agent_name: ''
  groups: ''
  agent_address: ''
  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
@ -104,6 +112,28 @@ wazuh_agent_enrollment:
  delay_after_enrollment: 20
  use_source_ip: 'no'
 ## Authentication Method: invoking agent-auth
 # For more information see:
 # * https://documentation.wazuh.com/4.0/user-manual/registering/password-authorization-registration.html
 wazuh_agent_authd:
  registration_address: 127.0.0.1
  enable: false
  port: 1515
  agent_name: null
  groups: []
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'
 ## Authentication Method: REST API
 # For more information see:
 # * https://documentation.wazuh.com/4.0/user-manual/registering/restful-api-registration.html
 wazuh_agent_api_validate: yes
 ## Client buffer
 wazuh_agent_client_buffer:
  disable: 'no'
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@ -1,9 +1,4 @@
 ---
 - name: Retrieving authd Credentials
  include_vars: authd_pass.yml
  tags:
    - config
 - include_tasks: "RedHat.yml"
  when: ansible_os_family == "RedHat"
@ -19,11 +14,10 @@
    - wazuh_custom_packages_installation_agent_enabled
 - name: Linux CentOS/RedHat | Install wazuh-agent
-  package:
+  yum:
    name: wazuh-agent-{{ wazuh_agent_version }}
    state: present
-  async: 90
+    lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'
  poll: 30
  when:
    - ansible_os_family|lower == "redhat"
    - not wazuh_agent_sources_installation.enabled
@ -45,18 +39,15 @@
    - init
 - name: Linux | Check if client.keys exists
-  stat: path=/var/ossec/etc/client.keys
+  stat:
-  register: check_keys
+    path: /var/ossec/etc/client.keys
-  when: wazuh_agent_config.enrollment.enabled == 'yes'
+  register: client_keys_file
  tags:
    - config
 - name: Linux | Agent registration via authd
  block:
    - name: Retrieving authd Credentials
      include_vars: authd_pass.yml
    - name: Copy CA root certificate to verify authd
      copy:
        src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
@ -86,7 +77,7 @@
        -m {{ wazuh_agent_authd.registration_address }}
        -p {{ wazuh_agent_authd.port }}
        {% if wazuh_agent_nat %} -I "any" {% endif %}
-        {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %}
+        {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
        {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
        -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
        {% endif %}
@ -105,18 +96,18 @@
      vars:
        agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
      when:
-        - not check_keys.stat.exists or check_keys.stat.size == 0
+        - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
        - wazuh_agent_authd.registration_address is not none
    - name: Linux | Verify agent registration
-      shell: echo {{ agent_auth_output }} | grep "Valid key created"
+      shell: echo {{ agent_auth_output }} | grep "Valid key received"
      when:
-        - not check_keys.stat.exists or check_keys.stat.size == 0
+        - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
        - wazuh_agent_authd.registration_address is not none
  when:
-    - wazuh_agent_authd.enable
+    - wazuh_agent_authd.enable | bool
-    - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
+    - wazuh_agent_config.enrollment.enabled != 'yes'
  tags:
    - config
    - authd
@ -124,93 +115,128 @@
 - name: Linux | Agent registration via rest-API
  block:
-    - name: Retrieving rest-API Credentials
+    - name: Establish target Wazuh Manager for registration task
-      include_vars: api_pass.yml
+      set_fact:
        target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
      vars:
        manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
        manager_fallback: "{{ wazuh_managers | list }}"
    - name: Linux | Obtain JWT Token
      uri:
        url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
        method: GET
        url_username: '{{ target_manager.api_user }}'
        url_password: '{{ api_pass }}'
        status_code: 200
        return_content: yes
        force_basic_auth: yes
        validate_certs: '{{ target_manager.validate_certs | default(false) }}'
      no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
      delegate_to: '{{ ansible_host if wazuh_api_reachable_from_agent else "localhost"  }}'
      changed_when: api_jwt_result.json.error == 0
      register: api_jwt_result
      become: no
      tags:
        - config
        - api
    - name: Linux | Create the agent key via rest-API
      uri:
-        url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/"
+        url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
        validate_certs: false
        method: POST
        body: '{"name":"{{ agent_name }}"}'
        body_format: json
-        status_code: 200
+        body:
          name: '{{ agent_name }}'
          ip: '{{ wazuh_agent_address }}'
          force_time: 1
        headers:
-          Content-Type: "application/json"
+          Authorization: 'Bearer {{ jwt_token }}'
-        user: "{{ wazuh_managers.0.api_user }}"
+        status_code: 200
-        password: "{{ api_pass }}"
+        return_content: yes
-      register: newagent_api
+        validate_certs: '{{ target_manager.validate_certs | default(false) }}'
      delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
      become: no
-      changed_when: newagent_api.json.error == 0
+      no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
-      when:
+      delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
-        - not check_keys.stat.exists or check_keys.stat.size == 0
+      changed_when: api_agent_post.json.error == 0
-        - wazuh_managers.0.address is not none
+      register: api_agent_post
      vars:
        agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
        jwt_token: '{{ api_jwt_result.json.data.token }}'
      tags:
        - config
        - api
-    - name: Linux | Retrieve new agent data via rest-API
+    - name: Linux | Validate registered agent key matches manager record
      uri:
-        url: >-
+        url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
          "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address
          }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}"
        validate_certs: false
        method: GET
-        return_content: true
+        headers:
-        user: "{{ wazuh_managers.0.api_user }}"
+          Authorization: 'Bearer {{ jwt_token }}'
-        password: "{{ api_pass }}"
+        status_code: 200
-      when:
+        return_content: yes
-        - not check_keys.stat.exists or check_keys.stat.size == 0
+        validate_certs: '{{ target_manager.validate_certs | default(false) }}'
        - wazuh_agent_authd.registration_address is not none
        - newagent_api.json.error == 0
      register: newagentdata_api
      delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
      become: no
      no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
      delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
      register: api_agent_validation
      vars:
        agent_id: '{{ api_agent_post.json.data.id }}'
        agent_key: '{{ api_agent_post.json.data.key }}'
        jwt_token: '{{ api_jwt_result.json.data.token }}'
      failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
      when:
      - wazuh_agent_api_validate | bool
      - api_agent_post.json.error == 0
      tags:
        - config
        - api
-    - name: Linux | Register agent (via rest-API)
+    - name: Linux | Import Key (via rest-API)
      command: /var/ossec/bin/manage_agents
      environment:
        OSSEC_ACTION: i
-        OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}'
+        OSSEC_AGENT_NAME: '{{ agent_name }}'
-        OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}'
+        OSSEC_AGENT_IP: '{{ wazuh_agent_address }}'
-        OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}'
+        OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}'
-        OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}'
+        OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}'
        OSSEC_ACTION_CONFIRMED: y
      register: manage_agents_output
-      when:
+      vars:
-        - not check_keys.stat.exists or check_keys.stat.size == 0
+        agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
        - wazuh_agent_authd.registration_address is not none
        - newagent_api.json.error == 0
      notify: restart wazuh-agent
  when:
-    - not wazuh_agent_authd.enable
+    - not ( wazuh_agent_authd.enable | bool )
-    - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'
+    - wazuh_agent_config.enrollment.enabled != 'yes'
    - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
  tags:
    - config
    - api
 - name: Linux | Agent registration via auto-enrollment
  debug:
    msg: Agent registration will be performed through enrollment option in templated ossec.conf
  when:  wazuh_agent_config.enrollment.enabled == 'yes'
 - name: Linux | Installing agent configuration (ossec.conf)
-  template: src=var-ossec-etc-ossec-agent.conf.j2
+  template:
-            dest=/var/ossec/etc/ossec.conf
+    src: var-ossec-etc-ossec-agent.conf.j2
-            owner=root
+    dest: /var/ossec/etc/ossec.conf
-            group=ossec
+    owner: root
-            mode=0644
+    group: ossec
    mode: 0644
  notify: restart wazuh-agent
  tags:
    - init
    - config
 - name: Linux | Installing local_internal_options.conf
-  template: src=var-ossec-etc-local-internal-options.conf.j2
+  template:
-            dest=/var/ossec/etc/local_internal_options.conf
+    src: var-ossec-etc-local-internal-options.conf.j2
-            owner=root
+    dest: /var/ossec/etc/local_internal_options.conf
-            group=ossec
+    owner: root
-            mode=0640
+    group: ossec
    mode: 0640
  notify: restart wazuh-agent
  tags:
    - init
@ -226,7 +252,7 @@
  when:
    - wazuh_agent_config.enrollment.enabled == 'yes'
    - wazuh_agent_config.enrollment.authorization_pass_path | length > 0
-    - ( authd_pass is defined) and ( authd_pass|length > 0)
+    - authd_pass | length > 0
  tags:
    - config
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
@ -54,18 +54,13 @@
  tags:
    - config
 - name: Retrieving authd Credentials
  include_vars: authd_pass.yml
  tags:
    - config
 - name: Windows | Register agent
  win_shell: >
    {{ wazuh_agent_win_auth_path }}
    -m {{ wazuh_agent_authd.registration_address }}
    -p {{ wazuh_agent_authd.port }}
    {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
-    {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %}
+    {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %}
  register: agent_auth_output
  notify: Windows | Restart Wazuh Agent
  when:
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@ -37,7 +37,7 @@
    <auto_restart>{{ wazuh_auto_restart }}</auto_restart>
    <crypto_method>{{ wazuh_crypto_method }}</crypto_method>
-  {% if wazuh_agent_config.enrollment.enabled | length > 0 %}
+  {% if wazuh_agent_config.enrollment.enabled == 'yes' %}
    <enrollment>
      <enabled>{{ wazuh_agent_config.enrollment.enabled }}</enabled>
      {% if wazuh_agent_config.enrollment.manager_address | length > 0 %}
--- a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml
+++ b/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml
@ -1,3 +0,0 @@
 ---
 # We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
 # api_pass: 'changeme'
--- a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml
+++ b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml
@ -1,4 +0,0 @@
 ---
 # We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
 # authd_pass: 'foobar'
 authd_pass: ''
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@ -1,5 +1,5 @@
 ---
-wazuh_manager_version: 4.0.1-1
+wazuh_manager_version: 4.0.2-1
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazon
 # Sources installation
 wazuh_manager_sources_installation:
  enabled: false
-  branch: "v4.0.1"
+  branch: "v4.0.2"
  user_language: "en"
  user_no_stop: "y"
  user_install_type: "server"