Move the 'api_pass' variable into a separate vars file so it is possible to encrypt it with ansible-vault
Improve the task tags
parent
6cb6d3bda8
commit
cea70a3fbd
@ -4,9 +4,8 @@ wazuh_managers:
|
|||||||
port: 1514
|
port: 1514
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
api_port: 55000
|
api_port: 55000
|
||||||
api_proto: 'https'
|
api_proto: 'http'
|
||||||
api_user: null
|
api_user: null
|
||||||
api_password: null
|
|
||||||
wazuh_profile: null
|
wazuh_profile: null
|
||||||
wazuh_auto_restart: 'yes'
|
wazuh_auto_restart: 'yes'
|
||||||
wazuh_agent_authd:
|
wazuh_agent_authd:
|
||||||
|
|||||||
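Review bot: The default `api_proto` changes from 'https' to 'http' on the new side of this hunk, and the commit message does not mention it; the role's uri tasks pass `api_user` and the password as HTTP basic-auth credentials, so with this default the secret the commit is moving into a vault-encrypted file would still travel in cleartext to the manager API. Unless there is a reason outside this diff, keep `api_proto: 'https'`. With `api_password` dropped from this mapping, a comment above `api_user` pointing at the new location would help, e.g. `# API password is read from vars/api_pass.yml (variable api_pass); encrypt that file with ansible-vault`.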
@ -23,6 +23,7 @@
|
|||||||
include_vars: authd_pass.yml
|
include_vars: authd_pass.yml
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
- authd
|
||||||
|
|
||||||
- name: Copy CA, SSL key and cert for authd
|
- name: Copy CA, SSL key and cert for authd
|
||||||
copy:
|
copy:
|
||||||
@ -35,6 +36,7 @@
|
|||||||
- "{{ wazuh_agent_authd.ssl_agent_key }}"
|
- "{{ wazuh_agent_authd.ssl_agent_key }}"
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
- authd
|
||||||
when:
|
when:
|
||||||
- wazuh_agent_authd.ssl_agent_ca is not none
|
- wazuh_agent_authd.ssl_agent_ca is not none
|
||||||
|
|
||||||
@ -56,6 +58,7 @@
|
|||||||
- wazuh_managers.0.address is not none
|
- wazuh_managers.0.address is not none
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
- authd
|
||||||
|
|
||||||
- name: Linux | Verify agent registration
|
- name: Linux | Verify agent registration
|
||||||
shell: echo {{ agent_auth_output }} | grep "Valid key created"
|
shell: echo {{ agent_auth_output }} | grep "Valid key created"
|
||||||
@ -64,12 +67,19 @@
|
|||||||
- wazuh_managers.0.address is not none
|
- wazuh_managers.0.address is not none
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
- authd
|
||||||
|
|
||||||
when: wazuh_agent_authd.enable == true
|
when: wazuh_agent_authd.enable == true
|
||||||
|
|
||||||
- name: Linux | Agent registration via rest-API
|
- name: Linux | Agent registration via rest-API
|
||||||
block:
|
block:
|
||||||
|
|
||||||
|
- name: Retrieving authd Credentials
|
||||||
|
include_vars: authd_pass.yml
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- api
|
||||||
|
|
||||||
- name: Linux | Create the agent key via rest-API
|
- name: Linux | Create the agent key via rest-API
|
||||||
uri:
|
uri:
|
||||||
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/"
|
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/"
|
||||||
@ -81,7 +91,7 @@
|
|||||||
headers:
|
headers:
|
||||||
Content-Type: "application/json"
|
Content-Type: "application/json"
|
||||||
user: "{{ wazuh_managers.0.api_user }}"
|
user: "{{ wazuh_managers.0.api_user }}"
|
||||||
password: "{{ wazuh_managers.0.api_password }}"
|
password: "{{ api_pass }}"
|
||||||
register: newagent_api
|
register: newagent_api
|
||||||
changed_when: newagent_api.json.error == 0
|
changed_when: newagent_api.json.error == 0
|
||||||
when:
|
when:
|
||||||
@ -100,7 +110,7 @@
|
|||||||
method: GET
|
method: GET
|
||||||
return_content: yes
|
return_content: yes
|
||||||
user: "{{ wazuh_managers.0.api_user }}"
|
user: "{{ wazuh_managers.0.api_user }}"
|
||||||
password: "{{ wazuh_managers.0.api_password }}"
|
password: "{{ api_pass }}"
|
||||||
when:
|
when:
|
||||||
- check_keys.stat.size == 0
|
- check_keys.stat.size == 0
|
||||||
- wazuh_managers.0.address is not none
|
- wazuh_managers.0.address is not none
|
||||||
@ -128,9 +138,10 @@
|
|||||||
- newagent_api.changed
|
- newagent_api.changed
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
- api
|
||||||
notify: restart wazuh-agent
|
notify: restart wazuh-agent
|
||||||
|
|
||||||
when: wazuh_agent_authd.enable == false
|
when: wazuh_agent_authd.enable == false and ( wazuh_managers.0.api_user is defined and api_pass is defined )
|
||||||
|
|
||||||
- name: Linux | Vuls integration deploy (runs in background, can take a while)
|
- name: Linux | Vuls integration deploy (runs in background, can take a while)
|
||||||
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
|
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
|
||||||
|
|||||||
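Review bot: The new "Retrieving authd Credentials" task inside the rest-API block includes `authd_pass.yml`, but the tasks below it read `api_pass`, which this commit defines in the new `vars/api_pass.yml`; as written the block never loads `api_pass`, and the block-level `when` added in the last hunk (`api_pass is defined`) is evaluated for every task in the block including the include_vars itself, so the whole API registration path appears to be skipped unless `api_pass` is supplied from somewhere else (for example vaulted group_vars). I would change the task to `- name: Retrieving API Credentials` with `include_vars: api_pass.yml`, drop the `api_pass is defined` test from the block `when`, and verify the secret right after the include with an `assert` task (`that: api_pass is defined`, with `no_log: true`). Separately, `wazuh_managers.0.api_user is defined` is true for the `null` default in defaults/main.yml, so `wazuh_managers.0.api_user is not none` is the test that actually gates on a configured API user.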
3
ansible-wazuh-agent/vars/api_pass.yml
Normal file
3
ansible-wazuh-agent/vars/api_pass.yml
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
|
||||||
|
#api_pass: 'changeme'
|
||||||
@ -1,2 +1,3 @@
|
|||||||
---
|
---
|
||||||
|
# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
|
||||||
#authd_pass: 'foobar'
|
#authd_pass: 'foobar'
|
||||||
|
|||||||
@ -7,9 +7,8 @@
|
|||||||
port: 1514
|
port: 1514
|
||||||
protocol: udp
|
protocol: udp
|
||||||
api_port: 55000
|
api_port: 55000
|
||||||
api_proto: 'https'
|
api_proto: 'http'
|
||||||
api_user: ansible
|
api_user: ansible
|
||||||
api_password: changeme
|
|
||||||
wazuh_agent_authd:
|
wazuh_agent_authd:
|
||||||
enable: true
|
enable: true
|
||||||
port: 1515
|
port: 1515
|
||||||
|
|||||||
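Review bot: This second variables file also flips `api_proto` from 'https' to 'http' while removing the plaintext `api_password: changeme`; with basic-auth in the uri tasks this trades a committed secret for one sent in cleartext on the wire, so I would keep `api_proto: 'https'` here as well. Since `api_user: ansible` stays but its password is gone, a comment next to it should say that `api_pass` now has to be provided through the vault-encrypted `vars/api_pass.yml`, otherwise the API registration block will not run for this host.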