diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index be48deb6..10301cfc 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -32,6 +32,12 @@ wazuh_agent_sources_installation:
user_agent_config_profile: null
user_ca_store: "/var/ossec/wpk_root.pem"
+wazuh_agent_yum_lock_timeout: 30
+
+# We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials.
+api_pass: wazuh
+authd_pass: ''
+
wazuh_api_reachable_from_agent: false
wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
@@ -83,7 +89,7 @@ wazuh_managers:
protocol: tcp
api_port: 55000
api_proto: 'http'
- api_user: null
+ api_user: wazuh
max_retries: 5
retry_interval: 5
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index ce92b033..3279647a 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -1,9 +1,4 @@
---
-- name: Retrieving authd Credentials
- include_vars: authd_pass.yml
- tags:
- - config
-
- include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
@@ -19,11 +14,10 @@
- wazuh_custom_packages_installation_agent_enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
- package:
+ yum:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
- async: 90
- poll: 30
+ lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'
when:
- ansible_os_family|lower == "redhat"
- not wazuh_agent_sources_installation.enabled
@@ -45,7 +39,8 @@
- init
- name: Linux | Check if client.keys exists
- stat: path=/var/ossec/etc/client.keys
+ stat:
+ path: /var/ossec/etc/client.keys
register: check_keys
when: wazuh_agent_config.enrollment.enabled == 'no'
tags:
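Review bot: `api_pass: wazuh` here, together with `api_user: wazuh` in the @@ -83 hunk of the same file, makes a complete, well-known credential pair the role's default for the manager REST API, so a playbook that forgets to override it still enrolls agents with that password instead of failing, and the comment above the value only recommends vaulting the override. Since defaults/ has the lowest variable precedence, a safer default is an empty string with a fail-fast check where the value is consumed, e.g. `api_pass: ''` plus an `assert` with `that: api_pass | length > 0` at the top of the rest-API registration block in tasks/Linux.yml (the consumer of `api_pass` is not visible in this diff, so that location is inferred). `wazuh_agent_yum_lock_timeout: 30` is also added without any comment; `# Seconds to wait for the yum/dnf package lock when installing the agent (yum module lock_timeout)` would document it.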
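Review bot: `lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'` is a yum-module option that older Ansible releases do not recognise (an unsupported parameter makes the task fail), so the role's minimum Ansible version should be raised or at least documented in meta/main.yml alongside this change; I recall the option arriving in 2.8 but have not checked that against the role's stated support range. The task still fires for every `ansible_os_family|lower == "redhat"` host, which includes dnf-only systems; the `yum` action plugin normally hands those to the dnf module, which also accepts `lock_timeout`, so this should work but deserves a run on such a host. Dropping `async: 90` / `poll: 30` is unexplained in the hunk; a one-line comment on why the async guard is no longer needed would help the next reader. The task's `when:` list continues outside the hunk.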
@@ -54,9 +49,6 @@
- name: Linux | Agent registration via authd
block:
- - name: Retrieving authd Credentials
- include_vars: authd_pass.yml
-
- name: Copy CA root certificate to verify authd
copy:
src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
@@ -86,7 +78,7 @@
-m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_nat %} -I "any" {% endif %}
- {% if authd_pass is defined and authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
+ {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" {% endif %}
@@ -124,9 +116,6 @@
- name: Linux | Agent registration via rest-API
block:
- - name: Retrieving rest-API Credentials
- include_vars: api_pass.yml
-
- name: Linux | Create the agent key via rest-API
uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/"
@@ -195,22 +184,24 @@
- api
- name: Linux | Installing agent configuration (ossec.conf)
- template: src=var-ossec-etc-ossec-agent.conf.j2
- dest=/var/ossec/etc/ossec.conf
- owner=root
- group=ossec
- mode=0644
+ template:
+ src: var-ossec-etc-ossec-agent.conf.j2
+ dest: /var/ossec/etc/ossec.conf
+ owner: root
+ group: ossec
+ mode: 0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Installing local_internal_options.conf
- template: src=var-ossec-etc-local-internal-options.conf.j2
- dest=/var/ossec/etc/local_internal_options.conf
- owner=root
- group=ossec
- mode=0640
+ template:
+ src: var-ossec-etc-local-internal-options.conf.j2
+ dest: /var/ossec/etc/local_internal_options.conf
+ owner: root
+ group: ossec
+ mode: 0640
notify: restart wazuh-agent
tags:
- init
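Review bot: The new `{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}` drops the `is defined` guard, which is safe now that defaults/main.yml always defines `authd_pass`, but a user who disables the password with `authd_pass: null` now gets a template error because `length` cannot be applied to None; `{% if authd_pass | default('', true) | length > 0 %}` keeps both cases working. The same expression is introduced in the `when:` of the @@ -226 hunk and in the Windows | Register agent hunk of tasks/Windows.yml, so one fix should cover all three. Independently of the guard, the password is still interpolated unquoted into a shell command line, so a value containing spaces or shell metacharacters breaks or alters the agent-auth invocation, and the secret ends up in process listings and task output; `-P {{ authd_pass | quote }}` plus `no_log: true` on the task addresses the Linux side (the `quote` filter is POSIX-shell specific, so the win_shell variant needs PowerShell-appropriate quoting). The enclosing task starts and ends outside the hunk.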
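Review bot: `mode: 0644` and `mode: 0640` in the two rewritten `template:` tasks are unquoted octal literals; a YAML 1.1 loader turns them into the integers 420 and 416, which Ansible's mode handling happens to accept, but Ansible's module documentation asks for octal modes to be quoted so the value reaches the module as a string and is converted in one place. Write `mode: '0644'` and `mode: '0640'`. The rest of the conversion from `key=value` to block form matches the removed lines field for field.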
@@ -226,7 +217,7 @@
when:
- wazuh_agent_config.enrollment.enabled == 'yes'
- wazuh_agent_config.enrollment.authorization_pass_path | length > 0
- - ( authd_pass is defined) and ( authd_pass|length > 0)
+ - authd_pass | length > 0
tags:
- config
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
index 3a7756ca..66d962cc 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
@@ -54,18 +54,13 @@
tags:
- config
-- name: Retrieving authd Credentials
- include_vars: authd_pass.yml
- tags:
- - config
-
- name: Windows | Register agent
win_shell: >
{{ wazuh_agent_win_auth_path }} -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
- {% if authd_pass is defined and authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %}
+ {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %}
register: agent_auth_output
notify: Windows | Restart Wazuh Agent
when:
diff --git a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml
deleted file mode 100644
index ad6e1164..00000000
--- a/roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
-# api_pass: 'changeme'
diff --git a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml
deleted file mode 100644
index c1f4da4f..00000000
--- a/roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
-# authd_pass: 'foobar'
-authd_pass: ''
\ No newline at end of file