Added authd enrollment alternative to macOS.yml

2023-10-10 15:08:04 +02:00 · 2023-10-10 15:08:04 +02:00 · eabc38dc84
commit eabc38dc84
parent 490bcfff25
1 changed files with 110 additions and 5 deletions
--- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
@ -21,12 +21,117 @@
  get_url:
    url: "{{ wazuh_macos_package_url }}"
    dest: "{{ wazuh_macos_config.download_dir }}"
+  register: download_result
  when:
    - not wazuh_package_downloaded.stat.exists
  
+- name: macOS | Check if Wazuh Agent is already installed
+  stat:
+    path: "{{ wazuh_macos_config.install_dir }}"
+  register: wazuh_installed
+
+- name: macOS | Install Agent if not already installed
+  command: "installer -pkg {{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }} -target /"
+  register: install_result
+
+- name: macOS | Check if client.keys exists
+  stat:
+    path: "{{ wazuh_macos_config.install_dir }}/etc/client.keys"
+  register: client_keys_file
+  tags:
+    - config
+
+- name: macOS | Agent registration via authd
+  block:
+
+    - name: Copy CA root certificate to verify authd
+      copy:
+        src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
+        dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
+        mode: 0644
+      when:
+        - wazuh_agent_authd.ssl_agent_ca is not none
+
+    - name: Copy TLS/SSL certificate for agent verification
+      copy:
+        src: "{{ item }}"
+        dest: "{{ wazuh_macos_config.install_dir }}/etc/{{ item | basename }}"
+        mode: 0644
+      with_items:
+        - "{{ wazuh_agent_authd.ssl_agent_cert }}"
+        - "{{ wazuh_agent_authd.ssl_agent_key }}"
+      when:
+        - wazuh_agent_authd.ssl_agent_cert is not none
+        - wazuh_agent_authd.ssl_agent_key is not none
+    - name: macOS | Register agent (via authd)
+      shell: >
+        {{ wazuh_macos_config.install_dir }}/bin/agent-auth
+        {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
+        -A {{ wazuh_agent_authd.agent_name }}
+        {% endif %}
+        -m {{ wazuh_agent_authd.registration_address }}
+        -p {{ wazuh_agent_authd.port }}
+        {% if wazuh_agent_nat %} -I "any" {% endif %}
+        {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
+        {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
+        -v "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
+        {% endif %}
+        {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
+        -x "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
+        {% endif %}
+        {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None  %}
+        -k "{{ wazuh_macos_config.install_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
+        {% endif %}
+        {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
+        {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
+        -G "{{ wazuh_agent_authd.groups | join(',') }}"
+        {% endif %}
+      register: agent_auth_output
+      notify: macOS | Restart Wazuh Agent
+      vars:
+        agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
+      when:
+        - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
+        - wazuh_agent_authd.registration_address is not none
+
+    - name: macOS | Verify agent registration
+      shell: >
+        sh -c "echo '{{ agent_auth_output.stdout }} {{ agent_auth_output.stderr }}' | grep 'Valid key received'"
+      when:
+        - not client_keys_file.stat.exists or client_keys_file.stat.size == 0
+        - wazuh_agent_authd.registration_address is not none
+  when:
+    - wazuh_agent_authd.enable | bool
+    - wazuh_agent_config.enrollment.enabled != 'yes'
+  tags:
+    - config
+    - authd
+
+- name: macOS | Installing agent configuration (ossec.conf)
+  template:
+    src: var-ossec-etc-ossec-agent.conf.j2
+    dest: "{{ wazuh_macos_config.install_dir }}/etc/ossec.conf"
+    owner: root
+    group: wazuh
+    mode: 0644
+  notify: macOS | Restart Wazuh Agent
+  tags:
+    - init
+    - config
+
+- name: macOS | Installing local_internal_options.conf
+  template:
+    src: var-ossec-etc-local-internal-options.conf.j2
+    dest: "{{ wazuh_macos_config.install_dir }}/etc/local_internal_options.conf"
+    owner: root
+    group: wazuh
+    mode: 0640
+  notify: macOS | Restart Wazuh Agent
+  tags:
+    - init
+    - config
+
 - name: macOS | Delete downloaded Wazuh agent installer file
   file:
     path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}"
     state: absent
-  when:
-    - wazuh_package_downloaded.stat.exists