From cea70a3fbdf7f762c2c81ccfee3fa43c35809597 Mon Sep 17 00:00:00 2001
From: Angelo Lisco
Date: Thu, 29 Mar 2018 20:27:05 +0200
Subject: [PATCH] Move 'api_pass' variable in a separate var file so it's possibile to encrypt it with ansible-vault

Improve the task tags
---
 ansible-wazuh-agent/defaults/main.yml | 3 +--
 ansible-wazuh-agent/tasks/Linux.yml | 17 ++++++++++++++---
 ansible-wazuh-agent/vars/api_pass.yml | 3 +++
 ansible-wazuh-agent/vars/authd_pass.yml | 1 +
 wazuh-agent.yml | 3 +--
 5 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 ansible-wazuh-agent/vars/api_pass.yml

diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml
index 65c0973d..a127e71c 100644
--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@@ -4,9 +4,8 @@ wazuh_managers:
 port: 1514
 protocol: tcp
 api_port: 55000
- api_proto: 'https'
+ api_proto: 'http'
 api_user: null
- api_password: null
 wazuh_profile: null
 wazuh_auto_restart: 'yes'
 wazuh_agent_authd:
diff --git a/ansible-wazuh-agent/tasks/Linux.yml b/ansible-wazuh-agent/tasks/Linux.yml
index 19128c1c..97e2c78c 100644
--- a/ansible-wazuh-agent/tasks/Linux.yml
+++ b/ansible-wazuh-agent/tasks/Linux.yml
@@ -23,6 +23,7 @@
 include_vars: authd_pass.yml
 tags:
 - config
+ - authd

 - name: Copy CA, SSL key and cert for authd
 copy:
@@ -35,6 +36,7 @@
 - "{{ wazuh_agent_authd.ssl_agent_key }}"
 tags:
 - config
+ - authd
 when:
 - wazuh_agent_authd.ssl_agent_ca is not none

@@ -56,6 +58,7 @@
 - wazuh_managers.0.address is not none
 tags:
 - config
+ - authd

 - name: Linux | Verify agent registration
 shell: echo {{ agent_auth_output }} | grep "Valid key created"
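Review bot: The default `api_proto` goes from 'https' to 'http' on the `+    api_proto: 'http'` line, and the same change is made to wazuh-agent.yml in the last hunk, without the commit message saying why. The uri tasks in tasks/Linux.yml hand `api_user` and `api_pass` to the manager API as `user`/`password` on every request, so with this default the credential that the commit moves into a vault-encryptable file presumably crosses the network unencrypted. Keep `api_proto: 'https'` as the default and let an inventory override select http where a manager has no TLS, or state in the description why plaintext is now the default.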
@@ -64,12 +67,19 @@ - wazuh_managers.0.address is not none tags: - config + - authd when: wazuh_agent_authd.enable == true - name: Linux | Agent registration via rest-API block: + - name: Retrieving authd Credentials + include_vars: authd_pass.yml + tags: + - config + - api + - name: Linux | Create the agent key via rest-API uri: url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/" @@ -81,7 +91,7 @@ headers: Content-Type: "application/json" user: "{{ wazuh_managers.0.api_user }}" - password: "{{ wazuh_managers.0.api_password }}" + password: "{{ api_pass }}" register: newagent_api changed_when: newagent_api.json.error == 0 when: @@ -100,7 +110,7 @@ method: GET return_content: yes user: "{{ wazuh_managers.0.api_user }}" - password: "{{ wazuh_managers.0.api_password }}" + password: "{{ api_pass }}" when: - check_keys.stat.size == 0 - wazuh_managers.0.address is not none @@ -128,9 +138,10 @@ - newagent_api.changed tags: - config + - api notify: restart wazuh-agent - when: wazuh_agent_authd.enable == false + when: wazuh_agent_authd.enable == false and ( wazuh_managers.0.api_user is defined and api_pass is defined ) - name: Linux | Vuls integration deploy (runs in background, can take a while) command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} diff --git a/ansible-wazuh-agent/vars/api_pass.yml b/ansible-wazuh-agent/vars/api_pass.yml new file mode 100644 index 00000000..a85676d2 --- /dev/null +++ b/ansible-wazuh-agent/vars/api_pass.yml @@ -0,0 +1,3 @@ +--- +# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. +#api_pass: 'changeme' diff --git a/ansible-wazuh-agent/vars/authd_pass.yml b/ansible-wazuh-agent/vars/authd_pass.yml index df5e2bbf..e25b12aa 100644 --- a/ansible-wazuh-agent/vars/authd_pass.yml +++ b/ansible-wazuh-agent/vars/authd_pass.yml 
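Review bot: The new task `Retrieving authd Credentials` does `include_vars: authd_pass.yml`, yet the tasks that follow in this block read `api_pass`, which is what the new ansible-wazuh-agent/vars/api_pass.yml holds and which nothing in this patch loads; unless the caller sets `api_pass` itself, the rest-API registration has no password. Change it to `include_vars: api_pass.yml` and name it `Linux | Retrieving API Credentials` to match the file's other task names. A block's `when` is applied to each task inside it, so the `api_pass is defined` guard added to this block in the -128 hunk is also evaluated for this include before it has run, which as far as I can tell skips the include whenever the variable is not already set; load the vars file before the block, as the existing `include_vars: authd_pass.yml` task earlier in the file does, or drop `api_pass is defined` from the block condition. The block continues past the end of this hunk.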
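Review bot: In the new block condition `when: wazuh_agent_authd.enable == false and ( wazuh_managers.0.api_user is defined and api_pass is defined )`, the `api_user is defined` test is satisfied by the role default `api_user: null` from defaults/main.yml (first hunk), so a manager with no API user configured still enters the block and the uri calls are presumably made with a null user. The file's other checks use `is not none`; use `wazuh_managers.0.api_user is not none and api_pass is defined` here. The enclosing block starts before this hunk.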
@@ -1,2 +1,3 @@
 ---
+# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
 #authd_pass: 'foobar'
diff --git a/wazuh-agent.yml b/wazuh-agent.yml
index 746d11e7..99f80e36 100644
--- a/wazuh-agent.yml
+++ b/wazuh-agent.yml
@@ -7,9 +7,8 @@
 port: 1514
 protocol: udp
 api_port: 55000
- api_proto: 'https'
+ api_proto: 'http'
 api_user: ansible
- api_password: changeme
 wazuh_agent_authd:
 enable: true
 port: 1515