afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f6e020631e
wazuh-ansible-4.8.1/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
Christos Pollalis f6e020631e Make agent registration via the rest API idempotent 
Check whether an error was returned by the HTTP POST to the `agents/`
endpoint before invoking `/var/ossec/bin/manage_agents` in order to
register a new agent.

It seems like that if an agent has already been registered under the
given name, the HTTP POST will return an error that'll cause the next
task, which is meant to retrieve the agent information, to be skipped.
That'll cause the agent registration task to fail in return. Instead,
this change will cause the aforementioned task to be skipped, too. So,
if an agent has already been successfully registered and the playbook
is re-run, it'll run all the way to the end.

If anything goes wrong (during the registration process) and the agent
fails to start, the `restart wazuh-agent` handler will still fail.
2020-04-11 02:15:42 +03:00

225 lines
7.4 KiB
YAML
Raw Blame History

---
- include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "installation_from_sources.yml"
when:
- wazuh_agent_sources_installation.enabled
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_agent_enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
package:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
async: 90
poll: 30
when:
- ansible_os_family|lower == "redhat"
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}"
state: present
cache_valid_time: 3600
when:
- ansible_os_family|lower != "redhat"
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
tags:
- init
- name: Linux | Check if client.keys exists
stat: path=/var/ossec/etc/client.keys
register: check_keys
tags:
- config
- name: Linux | Agent registration via authd
block:
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
- name: Copy CA, SSL key and cert for authd
copy:
src: "{{ item }}"
dest: "/var/ossec/etc/{{ item | basename }}"
mode: 0644
with_items:
- "{{ wazuh_agent_authd.ssl_agent_ca }}"
- "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}"
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- name: Linux | Register agent (via authd)
shell: >
/var/ossec/bin/agent-auth
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key created"
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when: wazuh_agent_authd.enable
tags:
- config
- authd
- name: Linux | Agent registration via rest-API
block:
- name: Retrieving rest-API Credentials
include_vars: api_pass.yml
- name: Linux | Create the agent key via rest-API
uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/"
validate_certs: false
method: POST
body: '{"name":"{{ agent_name }}"}'
body_format: json
status_code: 200
headers:
Content-Type: "application/json"
user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}"
register: newagent_api
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}"
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
become: false
ignore_errors: true
- name: Linux | Retrieve new agent data via rest-API
uri:
url: >-
"{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address
}}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}"
validate_certs: false
method: GET
return_content: true
user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}"
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- newagent_api.json.error == 0
register: newagentdata_api
delegate_to: localhost
become: false
- name: Linux | Register agent (via rest-API)
command: /var/ossec/bin/manage_agents
environment:
OSSEC_ACTION: i
OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}'
OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}'
OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}'
OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- newagent_api.json.error == 0
notify: restart wazuh-agent
when:
- not wazuh_agent_authd.enable
tags:
- config
- api
- name: Linux | Vuls integration deploy (runs in background, can take a while)
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
args:
creates: /var/ossec/wodles/vuls/config.toml
async: 3600
poll: 0
when:
- wazuh_agent_config.vuls.disable != 'yes'
- ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']
tags:
- init
- name: Linux | Installing agent configuration (ossec.conf)
template: src=var-ossec-etc-ossec-agent.conf.j2
dest=/var/ossec/etc/ossec.conf
owner=root
group=ossec
mode=0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Installing local_internal_options.conf
template: src=var-ossec-etc-local-internal-options.conf.j2
dest=/var/ossec/etc/local_internal_options.conf
owner=root
group=ossec
mode=0640
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Ensure Wazuh Agent service is started and enabled
service:
name: wazuh-agent
enabled: true
state: started
tags: config
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat"
- not wazuh_agent_sources_installation.enabled
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"
- not wazuh_agent_sources_installation.enabled
Reference in New Issue View Git Blame Copy Permalink