diff --git a/README.md b/README.md index 700ae2db..2e37b4b6 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,9 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashboard. ## Branches -* `master` branch contains the latest code, be aware of possible bugs on this branch. -* `stable` branch on correspond to the last Wazuh stable version. + +- `master` branch contains the latest code, be aware of possible bugs on this branch. +- `stable` branch on correspond to the last Wazuh stable version. ## Compatibility Matrix @@ -41,8 +42,8 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb ## Documentation -* [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html) -* [Full documentation](http://documentation.wazuh.com) +- [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html) +- [Full documentation](http://documentation.wazuh.com) ## Directory structure @@ -70,10 +71,10 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb │ ├── VERSION │ ├── CHANGELOG.md - ## Example: production-ready distributed environment ### Playbook + The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh indexer nodes and a mixed Wazuh dashboard node (Wazuh indexer data node + Wazuh dashboard). ```yaml @@ -328,6 +329,7 @@ After the playbook execution, the Wazuh UI should be reachable through `https:// ## Example: single-host environment ### Playbook + The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and Opensearch components in a single node. ```yaml @@ -416,4 +418,4 @@ Copyright (C) 2016, Wazuh Inc. (License GPLv2) ## Web references -* [Wazuh website](http://wazuh.com) +- [Wazuh website](http://wazuh.com) 
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 62c15859..17a84ecd 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -15,6 +15,12 @@ - name: ConvergeInstall hosts: all roles: + # 1. Check packages + - role: ../../roles/wazuh/check-packages + become: no + delegate_to: localhost + run_once: true + # 2. Managers - role: ../../roles/wazuh/ansible-wazuh-manager vars: - { role: ../../roles/wazuh/ansible-filebeat-oss, filebeat_output_indexer_hosts: "indexer_centos7:9200" } diff --git a/molecule/distributed-wazuh/converge.yml b/molecule/distributed-wazuh/converge.yml index 8ff42c37..6ed457fd 100644 --- a/molecule/distributed-wazuh/converge.yml +++ b/molecule/distributed-wazuh/converge.yml @@ -79,24 +79,29 @@ become: true become_user: root roles: - # 1. Wazuh indexer + # 1. Check packages + - role: ../../roles/wazuh/check-packages + become: no + delegate_to: localhost + run_once: true + # 2. Wazuh indexer - role: ../../roles/wazuh/wazuh-indexer when: inventory_hostname in groups['indexer'] - # 2. Managers + # 3. Managers - role: ../../roles/wazuh/ansible-wazuh-manager when: inventory_hostname in groups['managers'] - role: ../../roles/wazuh/ansible-filebeat-oss when: inventory_hostname in groups['managers'] - # 3. Wazuh dashboard + # 4. Wazuh dashboard - role: ../../roles/wazuh/wazuh-dashboard when: inventory_hostname in groups['dashboard'] - # 4. Agents: + # 5. Agents: - role: ../../roles/wazuh/ansible-wazuh-agent vars: wazuh_managers: '{{ wazuh_managers_list }}' when: inventory_hostname in groups['agents'] vars: - instances: + instances: node1: name: wazuh-es01 # Important: must be equal to indexer_node_name. ip: "{{ hostvars.molecule_wazuh_indexer_centos7.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml index f84d3748..d12446b1 100644 
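Review bot: `become: no` on the new check-packages role entry relies on YAML 1.1 truthy parsing and is inconsistent with the `become: true` already used in the distributed scenario; write `become: false`. The same spelling appears in the molecule/distributed-wazuh/converge.yml hunk and in roles/wazuh/check-packages/tasks/main.yml. The role entry also sets `delegate_to: localhost`, which the role's only task already sets for itself, so one of the two can be dropped.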
--- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml @@ -1,16 +1,15 @@ --- -- name: Get latest Wazuh release - become: false - shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" - register: wazuh_latest_release - delegate_to: localhost +- include_vars: ../../vars/repo_vars.yml - include_vars: ../../vars/repo.yml - when: "wazuh_latest_release.stdout is version(wazuh_agent_version, operator='ge')" + when: packages_repository == 'production' -- include_vars: ../../vars/repo_dev.yml - when: "wazuh_latest_release.stdout is version(wazuh_agent_version, operator='lt')" +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' - name: Overlay wazuh_agent_config on top of defaults set_fact: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index e27784ca..57ee132d 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml 
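Review bot: Nothing validates `packages_repository` before the three conditional `include_vars` tasks, so any value other than `production`, `pre-release` or `staging` loads no repository file, and the run presumably only fails later when a repository variable is used. This value decides whether hosts install from packages.wazuh.com or packages-dev.wazuh.com, and it is read from `repo_vars.yml`, which check_packages.sh rewrites in place, so it should fail early and visibly. Add `- ansible.builtin.assert: { that: "packages_repository in ['production', 'pre-release', 'staging']" }` directly after the `repo_vars.yml` include. The same block is repeated in the ansible-wazuh-manager, wazuh-dashboard and wazuh-indexer tasks/main.yml hunks, and none of the new `include_vars` tasks has a `name:`.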
@@ -9,15 +9,16 @@ - curl state: present -- name: Get latest wazuh release - shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" - register: wazuh_latest_release +- include_vars: ../../vars/repo_vars.yml - include_vars: ../../vars/repo.yml - when: "wazuh_latest_release.stdout is version(wazuh_manager_version, operator='ge')" + when: packages_repository == 'production' -- include_vars: ../../vars/repo_dev.yml - when: "wazuh_latest_release.stdout is version(wazuh_manager_version, operator='lt')" +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' - name: Overlay wazuh_manager_config on top of defaults set_fact: diff --git a/roles/wazuh/check-packages/defaults/main.yml b/roles/wazuh/check-packages/defaults/main.yml new file mode 100644 index 00000000..78e08132 --- /dev/null +++ b/roles/wazuh/check-packages/defaults/main.yml @@ -0,0 +1,2 @@ +--- +wazuh_version: 4.4.0 \ No newline at end of file diff --git a/roles/wazuh/check-packages/files/packages_uri.txt b/roles/wazuh/check-packages/files/packages_uri.txt new file mode 100644 index 00000000..bd59e004 --- /dev/null +++ b/roles/wazuh/check-packages/files/packages_uri.txt @@ -0,0 +1,6 @@ +yum/wazuh-manager-VERSION-1.x86_64.rpm +apt/pool/main/w/wazuh-manager/wazuh-manager_VERSION-1_amd64.deb +yum/wazuh-dashboard-VERSION-1.x86_64.rpm +yum/wazuh-indexer-VERSION-1.x86_64.rpm +apt/pool/main/w/wazuh-agent/wazuh-agent_VERSION-1_amd64.deb +yum/wazuh-agent-VERSION-1.x86_64.rpm \ No newline at end of file diff --git a/roles/wazuh/check-packages/scripts/check_packages.sh b/roles/wazuh/check-packages/scripts/check_packages.sh new file mode 100755 index 00000000..20c62047 --- /dev/null +++ b/roles/wazuh/check-packages/scripts/check_packages.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +VERSION=$1 +#echo $VERSION +## Replace VERSION with $VERSION in packages_uri.txt and save it as packages_uri_new.txt +sed 's,VERSION,'$VERSION',g' ../files/packages_uri.txt > ../files/packages_uri_new.txt + +checkPackages(){ + ## Set S3 Bucket URL + if [ $1 == "production" ]; then + echo "production" + PACKAGES_URL=https://packages.wazuh.com/4.x/ + elif [ $1 == "pre-release" ]; then + echo "pre-release" + PACKAGES_URL=https://packages-dev.wazuh.com/pre-release/ + elif [ $1 == "staging" ]; then + echo "staging" + PACKAGES_URL=https://packages-dev.wazuh.com/staging/ + CHECK_WIN_PACKAGE=$(grep windows ../files/packages_uri_new.txt) + echo $CHECK_WIN_PACKAGE + if [ -n "$CHECK_WIN_PACKAGE" ]; then + WIN_AGENT_NAME=$(aws s3 ls s3://packages-dev.wazuh.com/staging/windows/wazuh-agent-$VERSION --region=us-west-1 | tail -1 | awk '{printf $4}') + if [ -z $WIN_AGENT_NAME ]; then + echo "Windows agent package for version " $VERSION " does not exist in the staging repository" + exit 1 + fi + WIN_AGENT_URI="windows/"$WIN_AGENT_NAME + echo $PACKAGES_URL$WIN_AGENT_URI "check" + sed -i 's,windows/.*,'$WIN_AGENT_URI',g' ../files/packages_uri_new.txt + sed -i 's,wazuh_winagent_config_url.*,wazuh_winagent_config_url: \"'$PACKAGES_URL$WIN_AGENT_URI'\",g' ../../vars/repo_staging.yml + sed -i 's,wazuh_winagent_package_name.*,wazuh_winagent_package_name: \"'$WIN_AGENT_NAME'\",g' ../../vars/repo_staging.yml + fi + fi + + ## Set EXISTS to 0 (true) + EXISTS=0 + + ## Loop through the packages_uri_new.txt file + while IFS= read -r URI + do + echo "$URI" + ## Check if the package exists + PACKAGE=$(curl --silent -I $PACKAGES_URL$URI | grep -E "^HTTP" | awk '{print $2}') + ## If it does not exist set EXISTS to 1 (false) + if [ "$PACKAGE" != "200" ]; then + EXISTS=1 + #echo $PACKAGES_URL$URI "does not exist" + return $EXISTS + fi + done < ../files/packages_uri_new.txt + + return $EXISTS +} + +replaceVars(){ + sed -i "s|packages_repository:.*|packages_repository: 
$1|g" ../../vars/repo_vars.yml + +} + +## Call the checkPackages function for each repository +if checkPackages "production"; then + echo "production" + replaceVars "production" + exit 0 +elif checkPackages "pre-release"; then + echo "pre-release" + replaceVars "pre-release" + exit 0 +elif checkPackages "production"; then + echo "production" + replaceVars "production" + exit 0 +elif checkPackages "staging"; then + echo "staging" + replaceVars "staging" + exit 0 +else + echo "Failed" + exit 1 +fi \ No newline at end of file diff --git a/roles/wazuh/check-packages/tasks/main.yml b/roles/wazuh/check-packages/tasks/main.yml new file mode 100644 index 00000000..bbee623b --- /dev/null +++ b/roles/wazuh/check-packages/tasks/main.yml @@ -0,0 +1,11 @@ +--- + - name: Check packages + shell: | + ./check_packages.sh {{ wazuh_version }} + args: + warn: false + executable: /bin/bash + chdir: "{{ role_path }}/scripts/" + delegate_to: localhost + become: no + diff --git a/roles/wazuh/vars/repo_dev.yml b/roles/wazuh/vars/repo_pre-release.yml similarity index 100% rename from roles/wazuh/vars/repo_dev.yml rename to roles/wazuh/vars/repo_pre-release.yml diff --git a/roles/wazuh/vars/repo_staging.yml b/roles/wazuh/vars/repo_staging.yml new file mode 100644 index 00000000..2c2b4966 --- /dev/null +++ b/roles/wazuh/vars/repo_staging.yml @@ -0,0 +1,12 @@ +wazuh_repo: + apt: 'deb https://packages-dev.wazuh.com/staging/apt/ unstable main' + yum: 'https://packages-dev.wazuh.com/staging/yum/' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' +wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi" +wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi" + +certs_gen_tool_version: 4.4 + +# Url of certificates generator tool +certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh" \ No newline at end of file 
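Review bot: The `if`/`elif` chain at the end of the script falls through from production to pre-release to staging whenever `checkPackages` returns non-zero, and it returns non-zero for anything other than a 200, including an empty `$PACKAGE` when curl gets no response at all. A transient network or DNS failure against packages.wazuh.com can therefore rewrite `repo_vars.yml` to a packages-dev.wazuh.com repository, and the roles will then install from it without anyone having asked for that. Treat "no answer" as a hard error inside the loop, `if [ -z "$PACKAGE" ]; then echo "no response from $PACKAGES_URL$URI" >&2; exit 2; fi`, and consider requiring an explicit opt-in before a non-production repository is selected. The second `elif checkPackages "production"` branch repeats the first test and can be removed. `$1`, `$VERSION` and `$WIN_AGENT_NAME` should be double-quoted in the `[ ... ]` tests and the `sed` expressions.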
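Review bot: `{{ wazuh_version }}` is interpolated unquoted into the `shell:` command line, so a value containing whitespace or shell metacharacters is interpreted by /bin/bash on the controller instead of being passed as a single argument. Use `./check_packages.sh {{ wazuh_version | quote }}`, or switch to `command:` with `argv:`, since the task needs no shell features. The task has no `changed_when:`, although the script edits `repo_vars.yml` in the checkout. As far as I know `warn: false` is rejected by recent ansible-core releases, so check it against the versions this repository supports.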
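Review bot: `certs_gen_tool_version: 4.4` is an unquoted float, so a later value such as 4.10 would load as 4.1 and change the URL built in `certs_gen_tool_url`; write `certs_gen_tool_version: '4.4'`. That URL points at wazuh-certs-tool.sh on packages-dev.wazuh.com and this file carries no checksum for it. How the script is downloaded and run is outside this diff, but if it is fetched with `get_url`, passing `checksum:` would pin the content that generates the deployment's certificates. check_packages.sh also overwrites `wazuh_winagent_config_url` and `wazuh_winagent_package_name` in this tracked file when a windows entry is present, so the templated values committed here would not survive such a run.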
diff --git a/roles/wazuh/vars/repo_vars.yml b/roles/wazuh/vars/repo_vars.yml new file mode 100644 index 00000000..53157764 --- /dev/null +++ b/roles/wazuh/vars/repo_vars.yml @@ -0,0 +1 @@ +packages_repository: production \ No newline at end of file diff --git a/roles/wazuh/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml index 44bcaa1c..3f3fa665 100755 --- a/roles/wazuh/wazuh-dashboard/tasks/main.yml +++ b/roles/wazuh/wazuh-dashboard/tasks/main.yml @@ -1,13 +1,14 @@ --- -- name: Get latest wazuh release - shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" - register: wazuh_latest_release +- include_vars: ../../vars/repo_vars.yml - include_vars: ../../vars/repo.yml - when: "wazuh_latest_release.stdout is version(dashboard_version, operator='ge')" + when: packages_repository == 'production' -- include_vars: ../../vars/repo_dev.yml - when: "wazuh_latest_release.stdout is version(dashboard_version, operator='lt')" +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml index f3afe7f8..48034ae6 100644 --- a/roles/wazuh/wazuh-indexer/tasks/main.yml +++ b/roles/wazuh/wazuh-indexer/tasks/main.yml 
@@ -1,13 +1,14 @@ --- -- name: Get latest wazuh release - shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" - register: wazuh_latest_release +- include_vars: ../../vars/repo_vars.yml - include_vars: ../../vars/repo.yml - when: "wazuh_latest_release.stdout is version(indexer_version, operator='ge')" + when: packages_repository == 'production' -- include_vars: ../../vars/repo_dev.yml - when: "wazuh_latest_release.stdout is version(indexer_version, operator='lt')" +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' - import_tasks: local_actions.yml when: