---
# Wazuh manager role: install prerequisites, lay down configuration and
# credential files, then make sure the service is enabled and running.

# Tools the rest of the role shells out to. Retried because package mirrors
# on freshly provisioned hosts fail transiently.
- name: Install dependencies
  package:
    name:
      - unzip
      - openssl
      - tar
      - curl
    state: present
  register: package_status
  until: package_status is not failed
  retries: 10
  delay: 10
# Repository definitions: the common file is always loaded, then exactly one
# of the production / pre-release / staging overlays selected by
# packages_repository.
- name: Load common repository variables
  include_vars: ../../vars/repo_vars.yml

- name: Load production repository variables
  include_vars: ../../vars/repo.yml
  when: packages_repository == 'production'

- name: Load pre-release repository variables
  include_vars: ../../vars/repo_pre-release.yml
  when: packages_repository == 'pre-release'

- name: Load staging repository variables
  include_vars: ../../vars/repo_staging.yml
  when: packages_repository == 'staging'
# Overlay mode: merge the user-supplied wazuh_manager_config on top of the
# role defaults (recursive), so callers only have to specify the keys they
# change. Skipped entirely unless wazuh_manager_config_overlay is truthy.
- name: Overlay wazuh_manager_config on top of defaults
  vars:
    user_layer: "{{ wazuh_manager_config | default({}) }}"
  set_fact:
    wazuh_manager_config: "{{ wazuh_manager_config_defaults | combine(user_layer, recursive=True) }}"
  when: wazuh_manager_config_overlay | bool
# Distribution-specific repository / package tasks. RedHat-family hosts are
# covered from EL6 upwards, plus Amazon Linux regardless of its version number.
- name: Include RedHat-family tasks
  include_tasks: RedHat.yml
  when:
    - ansible_os_family == "RedHat"
    - (ansible_distribution_major_version | int > 5) or (ansible_distribution == "Amazon")

- name: Include Debian-family tasks
  include_tasks: Debian.yml
  when: ansible_os_family == "Debian"
# `expect` follows the manager package state. It is deliberately skipped on
# EL5 and CentOS 8 (presumably because the package is unavailable there).
- name: Install expect
  package:
    name: expect
    state: "{{ wazuh_manager_package_state }}"
  when:
    - not (ansible_os_family | lower == "redhat" and ansible_distribution_major_version | int < 6)
    - not (ansible_distribution | lower == "centos" and ansible_distribution_major_version | int == 8)
  tags: init
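# Self-signed key/certificate pair for wazuh-authd, generated only when a CA
# is configured (same gate as the copy task that follows). `creates` keeps the
# task idempotent: an existing sslmanager.cert is never regenerated.
- name: Generate SSL files for authd
  command: >-
    openssl req -x509 -sha256 -nodes -days 365
    -newkey rsa:2048
    -keyout sslmanager.key -out sslmanager.cert
    -subj /CN={{ wazuh_manager_fqdn }}/
  args:
    creates: sslmanager.cert
    chdir: "{{ wazuh_dir }}/etc/"
  tags:
    - config
  when: wazuh_manager_config.authd.ssl_agent_ca is not none
  # rsa:2048 replaces the previous rsa:1825, a non-standard size below the
  # 2048-bit floor current guidance expects; raise to 4096 if policy requires.

# The private key must never be world-readable, whatever umask/openssl
# version produced it. Group wazuh keeps it readable by manager processes.
# NOTE(review): assumes the consumer runs as root or wazuh — confirm.
- name: Restrict permissions on the self-signed authd key
  file:
    path: "{{ wazuh_dir }}/etc/sslmanager.key"
    owner: root
    group: wazuh
    mode: "0640"
  tags:
    - config
  when: wazuh_manager_config.authd.ssl_agent_ca is not none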
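# User-supplied authd PKI material. The CA and certificate are public and stay
# 0644; the private key is the one item that must not be world-readable.
# dest keeps the configured value verbatim (not basename) so it stays aligned
# with whatever the ossec.conf template references — TODO confirm that
# template uses the same relative names.
- name: Copy CA, SSL key and cert for authd
  copy:
    src: "{{ item.src }}"
    dest: "{{ wazuh_dir }}/etc/{{ item.src }}"
    owner: root
    group: wazuh
    mode: "{{ item.mode }}"
  loop:
    - src: "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
      mode: "0644"
    - src: "{{ wazuh_manager_config.authd.ssl_manager_cert }}"
      mode: "0644"
    - src: "{{ wazuh_manager_config.authd.ssl_manager_key }}"
      mode: "0640"
  loop_control:
    label: "{{ item.src }}"
  tags:
    - config
  when: wazuh_manager_config.authd.ssl_agent_ca is not none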
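# Legacy ossec-authd service cleanup. Each probe keeps its own registered
# result: previously both `stat` tasks wrote to old_authd_service, so the
# systemd probe silently overwrote the init.d one and a host with only the
# init script was never cleaned up.
- name: Check for old init authd service
  stat:
    path: /etc/init.d/ossec-authd
  register: old_authd_init
  tags:
    - config

- name: Check for old systemd authd service
  stat:
    path: /lib/systemd/system/ossec-authd.service
  register: old_authd_systemd
  tags:
    - config

- name: Ensure ossec-authd service is disabled
  service:
    name: ossec-authd
    enabled: false
    state: stopped
  when: old_authd_init.stat.exists or old_authd_systemd.stat.exists
  tags:
    - config

- name: Remove old authd service units
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/init.d/ossec-authd
    - /lib/systemd/system/ossec-authd.service
  when: old_authd_init.stat.exists or old_authd_systemd.stat.exists
  tags:
    - config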
# Default local_rules.xml rendered from the role template; readable by the
# wazuh user/group only. Any change restarts the manager via the handler.
- name: Installing the local_rules.xml (default local_rules.xml)
  template:
    src: var-ossec-rules-local_rules.xml.j2
    dest: "{{ wazuh_dir }}/etc/rules/local_rules.xml"
    owner: wazuh
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config
    - rules
# Extra rule files supplied by the caller (ruleset.rules_path) are copied
# into the rules directory alongside local_rules.xml.
- name: Adding local rules files
  copy:
    src: "{{ wazuh_manager_config.ruleset.rules_path }}"
    dest: "{{ wazuh_dir }}/etc/rules/"
    owner: wazuh
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config
    - rules
# Default local_decoder.xml rendered from the role template.
- name: Installing the local_decoder.xml
  template:
    src: var-ossec-rules-local_decoder.xml.j2
    dest: "{{ wazuh_dir }}/etc/decoders/local_decoder.xml"
    owner: wazuh
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config
    - rules
# Extra decoder files supplied by the caller (ruleset.decoders_path).
- name: Adding local decoders files
  copy:
    src: "{{ wazuh_manager_config.ruleset.decoders_path }}"
    dest: "{{ wazuh_dir }}/etc/decoders/"
    owner: wazuh
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config
    - rules
# Centrally-managed agent.conf for the "default" group. Only rendered when
# shared_agent_config is supplied, and syntax-checked with verify-agent-conf
# before the rendered file replaces the live one.
- name: Configure the shared-agent.conf
  template:
    src: var-ossec-etc-shared-agent.conf.j2
    dest: "{{ wazuh_dir }}/etc/shared/default/agent.conf"
    owner: wazuh
    group: wazuh
    mode: "0640"
    validate: "{{ wazuh_dir }}/bin/verify-agent-conf -f %s"
  notify: restart wazuh-manager
  when: shared_agent_config is defined
  tags:
    - init
    - config
# Internal daemon tunables; root-owned, readable by group wazuh only.
- name: Installing the local_internal_options.conf
  template:
    src: var-ossec-etc-local-internal-options.conf.j2
    dest: "{{ wazuh_dir }}/etc/local_internal_options.conf"
    owner: root
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config
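# Credential variable files. include_vars reports the loaded variables in its
# result, so without no_log the secrets land in verbose / callback output.
- name: Retrieving Agentless Credentials
  include_vars: agentless_creds.yml
  no_log: true
  tags:
    - config

- name: Retrieving authd Credentials
  include_vars: authd_pass.yml
  no_log: true
  tags:
    - config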
# syslog_output becomes true as soon as any configured syslog output names a
# server; it stays undefined otherwise (the enable task checks both).
- name: Check if syslog output is enabled
  set_fact:
    syslog_output: true
  loop: "{{ wazuh_manager_config.syslog_outputs }}"
  when: item.server is not none
  tags:
    - config
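# client-syslog (ossec-csyslogd) is enabled when at least one syslog output is
# configured. `.process_list` only exists on legacy layouts; when it is absent
# the probe is skipped and the enable step runs unconditionally.
- name: Check if client-syslog is enabled
  # The pipeline must not be wrapped in quotes: in the original it was a single
  # quoted word, which bash looks up as a command name (rc 127).
  shell: |
    set -o pipefail
    grep -c 'ossec-csyslogd' {{ wazuh_dir }}/bin/.process_list | xargs echo
  args:
    removes: "{{ wazuh_dir }}/bin/.process_list"
    executable: /bin/bash
  changed_when: false
  # grep -c exits 1 when the count is 0 and pipefail propagates that, which is
  # exactly the "not enabled" case we want to read — only rc > 1 is an error.
  failed_when: csyslog_enabled.rc > 1
  check_mode: false
  register: csyslog_enabled
  tags:
    - config

- name: Enable client-syslog
  command: "{{ wazuh_dir }}/bin/wazuh-control enable client-syslog"
  notify: restart wazuh-manager
  when:
    # `is skipped` is tested first: a skipped result carries no stdout key.
    - csyslog_enabled is skipped or csyslog_enabled.stdout == '0'
    - syslog_output is defined and syslog_output
  tags:
    - config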
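# agentlessd is enabled when agentless credentials were loaded. Same probe
# shape as the client-syslog check above: `.process_list` is a legacy file,
# so a skipped probe means "enable".
- name: Check if ossec-agentlessd is enabled
  # Unquoted pipeline — the previous quoted form was one word, not a command.
  shell: |
    set -o pipefail
    grep -c 'ossec-agentlessd' {{ wazuh_dir }}/bin/.process_list | xargs echo
  args:
    removes: "{{ wazuh_dir }}/bin/.process_list"
    executable: /bin/bash
  changed_when: false
  # rc 1 from grep -c means "0 matches", not an error.
  failed_when: agentlessd_enabled.rc > 1
  check_mode: false
  register: agentlessd_enabled
  tags:
    - config

- name: Enable ossec-agentlessd
  command: "{{ wazuh_dir }}/bin/wazuh-control enable agentless"
  notify: restart wazuh-manager
  when:
    # `is skipped` first: a skipped result has no stdout to compare.
    - agentlessd_enabled is skipped or agentlessd_enabled.stdout == '0'
    - agentless_creds is defined
  tags:
    - config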
# At least one alert sink must be on; a manager with both json_output and
# alerts_log set to 'no' would write no alerts at all.
- name: Checking alert log output settings
  assert:
    that:
      - not (wazuh_manager_config.json_output == 'no' and wazuh_manager_config.alerts_log == 'no')
    fail_msg: "Please enable json_output or alerts_log options."
  tags:
    - init
    - config
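# Main manager configuration. Mode tightened from 0644 to 0640 to match
# local_internal_options.conf above: the file is root-owned with group wazuh,
# so manager processes keep read access while other local users lose it
# (ossec.conf may carry integration credentials; the template is not visible
# here, so treat that as the reason to be conservative rather than a fact).
- name: Configure ossec.conf
  template:
    src: var-ossec-etc-ossec-server.conf.j2
    dest: "{{ wazuh_dir }}/etc/ossec.conf"
    owner: root
    group: wazuh
    mode: "0640"
  notify: restart wazuh-manager
  tags:
    - init
    - config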
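# Store the indexer credentials in the wazuh-keystore, one invocation per key.
# The previous folded (`>`) shell scalar joined both lines into ONE command,
# handing the second wazuh-keystore call to the first as extra arguments.
# argv avoids shell parsing of the secret entirely; no_log keeps it out of the
# play output. The value is still visible in `ps` for the duration of the call.
# NOTE(review): runs on every play and always notifies the restart handler —
# there is no idempotence guard without reading the keystore back.
- name: Generate the wazuh-keystore
  command:
    argv:
      - "{{ wazuh_dir }}/bin/wazuh-keystore"
      - -f
      - indexer
      - -k
      - "{{ item.key }}"
      - -v
      - "{{ item.value }}"
  loop:
    - key: user
      value: "{{ indexer_security_user }}"
    - key: password
      value: "{{ indexer_security_password }}"
  no_log: true
  notify: restart wazuh-manager
  tags:
    - init
    - config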
# Shared enrolment secret (authd.pass), written only when authd.use_password
# is 'yes'. Owned by wazuh, group-readable only, rendered under no_log.
- name: Ossec-authd password
  template:
    src: authd_pass.j2
    dest: "{{ wazuh_dir }}/etc/authd.pass"
    owner: wazuh
    group: wazuh
    mode: "0640"
  no_log: true
  notify: restart wazuh-manager
  when:
    - wazuh_manager_config.authd.use_password is defined
    - wazuh_manager_config.authd.use_password == 'yes'
  tags:
    - config
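# Custom API users, created on the cluster master only. Passwords travel as
# CLI arguments to create_user.py, so the task runs under no_log (previously
# every loop item, password included, was printed) and the arguments are
# shell-quoted; they remain briefly visible in `ps` on the host.
- name: Create custom API user
  block:
    - name: Copy create_user script
      copy:
        src: create_user.py
        dest: "{{ wazuh_dir }}/framework/scripts/create_user.py"
        owner: root
        group: wazuh
        mode: "0644"

    - name: Create admin.json
      template:
        src: templates/admin.json.j2
        dest: "{{ wazuh_dir }}/api/configuration/admin.json"
        owner: wazuh
        group: wazuh
        # Rendered under no_log, i.e. it carries credentials: not world-readable.
        mode: "0640"
      no_log: true

    - name: Execute create_user script
      script:
        chdir: "{{ wazuh_dir }}/framework/scripts/"
        # `quote` stops shell metacharacters in a password from being expanded
        # by the remote shell (double quotes still allowed $ and backticks).
        cmd: create_user.py --username {{ item.username | quote }} --password {{ item.password | quote }}
        executable: "{{ wazuh_dir }}/framework/python/bin/python3"
      loop: "{{ wazuh_api_users }}"
      no_log: true
  tags:
    - config_api_users
  when:
    - wazuh_api_users is defined
    - wazuh_manager_config.cluster.node_type == "master"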
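# Agentless host credentials. The final .passlist is base64 — encoding, not
# protection — so file permissions are the only safeguard: both the plaintext
# temp file and the encoded result are now root-only (previously 0644 and
# umask-dependent respectively).
# NOTE(review): assumes agentlessd reads .passlist as root, as the existing
# root:root ownership already implied — confirm before tightening further.
- name: Agentless Hosts & Passwd
  template:
    src: agentless.j2
    dest: "{{ wazuh_dir }}/agentless/.passlist_tmp"
    owner: root
    group: root
    mode: "0600"
  no_log: true
  when: agentless_creds is defined
  tags:
    - config

- name: Encode the secret
  # umask 077 makes the redirected .passlist 0600 regardless of the login
  # umask; the temp file is removed only after base64 succeeded.
  shell: >-
    umask 077 &&
    /usr/bin/base64 {{ wazuh_dir }}/agentless/.passlist_tmp > {{ wazuh_dir }}/agentless/.passlist &&
    rm -f {{ wazuh_dir }}/agentless/.passlist_tmp
  args:
    # Guards against a missing temp file (e.g. the template task was skipped).
    removes: "{{ wazuh_dir }}/agentless/.passlist_tmp"
  no_log: true
  when: agentless_creds is defined
  tags:
    - config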
# Bring the manager up and enable it at boot; configuration changes above are
# applied by the restart handler after this task.
- name: Ensure Wazuh Manager service is started and enabled.
  service:
    name: wazuh-manager
    state: started
    enabled: true
  tags:
    - config
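# Agent groups created through the agent_groups CLI. Loops are expanded before
# `when` is evaluated, so an undefined agent_groups used to error out before
# the defined-check could skip the task; `default([])` makes an unset or
# empty list a no-op. argv keeps a group name with spaces as a single argument.
- name: Create agent groups
  command:
    argv:
      - "{{ wazuh_dir }}/bin/agent_groups"
      - -a
      - -g
      - "{{ item }}"
      - -q
  loop: "{{ agent_groups | default([]) }}"
  tags: molecule-idempotence-notest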
# Uninstall handling is delegated to its own task file; it is included
# unconditionally from here.
- name: Run uninstall tasks
  include_tasks: uninstall.yml