From 2ad6af2a3f9de6e87ddf754d4dd1171c5a25eda7 Mon Sep 17 00:00:00 2001
From: roronoasins
Date: Fri, 16 Jun 2023 17:18:55 +0100
Subject: [PATCH] add(#59): add the manager role

This commit adds the initial provisioning structure with the manager role (with its playbook, tasks, etc.). This allows to install the any manager version using custom packages or repo. Note: When using the repo it uses `4.x` gpg, we should discuss if we want to extend the support
---
 provisioning/playbooks/wazuh-manager.yml | 4 ++
 .../roles/wazuh/manager/defaults/main.yml | 13 ++++
 .../roles/wazuh/manager/handlers/main.yml | 8 +++
 .../roles/wazuh/manager/meta/main.yml | 23 +++++++
 .../roles/wazuh/manager/tasks/Debian.yml | 64 +++++++++++++++++
 .../roles/wazuh/manager/tasks/RedHat.yml | 68 +++++++++++++++++++
 .../roles/wazuh/manager/tasks/main.yml | 27 ++++++++
 provisioning/roles/wazuh/vars/repo.yml | 12 ++++
 .../roles/wazuh/vars/repo_pre-release.yml | 12 ++++
 .../roles/wazuh/vars/repo_staging.yml | 12 ++++
 provisioning/roles/wazuh/vars/repo_vars.yml | 2 +
 11 files changed, 245 insertions(+)
 create mode 100644 provisioning/playbooks/wazuh-manager.yml
 create mode 100644 provisioning/roles/wazuh/manager/defaults/main.yml
 create mode 100644 provisioning/roles/wazuh/manager/handlers/main.yml
 create mode 100644 provisioning/roles/wazuh/manager/meta/main.yml
 create mode 100644 provisioning/roles/wazuh/manager/tasks/Debian.yml
 create mode 100644 provisioning/roles/wazuh/manager/tasks/RedHat.yml
 create mode 100644 provisioning/roles/wazuh/manager/tasks/main.yml
 create mode 100644 provisioning/roles/wazuh/vars/repo.yml
 create mode 100644 provisioning/roles/wazuh/vars/repo_pre-release.yml
 create mode 100644 provisioning/roles/wazuh/vars/repo_staging.yml
 create mode 100644 provisioning/roles/wazuh/vars/repo_vars.yml

diff --git a/provisioning/playbooks/wazuh-manager.yml b/provisioning/playbooks/wazuh-manager.yml
new file mode 100644
index 0000000..c0c7ad4
--- /dev/null
+++ b/provisioning/playbooks/wazuh-manager.yml
@@ -0,0 +1,4 @@
+---
+- hosts: manager
+ roles:
+ - role: ../roles/wazuh/manager
diff --git a/provisioning/roles/wazuh/manager/defaults/main.yml b/provisioning/roles/wazuh/manager/defaults/main.yml
new file mode 100644
index 0000000..d1ffd91
--- /dev/null
+++ b/provisioning/roles/wazuh/manager/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+## Global
+wazuh_manager_version: "{{ packages_version | default(manager_production_version) }}"
+wazuh_dir: "/var/ossec"
+service_name: wazuh-manager
+wazuh_manager_config_defaults:
+ repo: '{{ wazuh_repo }}'
+
+
+# Custom packages installation
+wazuh_custom_packages_installation_manager_enabled: false
+wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
+wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
diff --git a/provisioning/roles/wazuh/manager/handlers/main.yml b/provisioning/roles/wazuh/manager/handlers/main.yml
new file mode 100644
index 0000000..8d61733
--- /dev/null
+++ b/provisioning/roles/wazuh/manager/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: start service
+ become: true
+ systemd:
+ name: "{{ service_name }}"
+ daemon_reload: true
+ state: started
+ enabled: true
diff --git a/provisioning/roles/wazuh/manager/meta/main.yml b/provisioning/roles/wazuh/manager/meta/main.yml
new file mode 100644
index 0000000..1275d23
--- /dev/null
+++ b/provisioning/roles/wazuh/manager/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+ author: Wazuh
+ description: Installing, deploying and configuring Wazuh Manager.
+ company: wazuh.com
+ license: license (GPLv3)
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ galaxy_tags:
+ - monitoring
+dependencies: []
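Review bot: In defaults/main.yml, `service_name` and `wazuh_dir` are generic names for role defaults, and role defaults have the lowest variable precedence, so any inventory or play variable that happens to be called `service_name` would change which unit the `start service` handler in handlers/main.yml starts. A role-scoped name such as `wazuh_manager_service_name: wazuh-manager` avoids the collision. tasks/main.yml already hard-codes `"wazuh-manager"` in its final service task, so the two places could share the renamed variable.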
diff --git a/provisioning/roles/wazuh/manager/tasks/Debian.yml b/provisioning/roles/wazuh/manager/tasks/Debian.yml
new file mode 100644
index 0000000..bd161db
--- /dev/null
+++ b/provisioning/roles/wazuh/manager/tasks/Debian.yml
@@ -0,0 +1,64 @@
+---
+- name: Debian/Ubuntu | Install gnupg, apt-transport-https
+ become: true
+ apt:
+ name:
+ - gnupg
+ - apt-transport-https
+ state: present
+ cache_valid_time: 3600
+ install_recommends: false
+ register: wazuh_manager_https_packages_installed
+ until: wazuh_manager_https_packages_installed is succeeded
+
+- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
+ become: true
+ shell: |
+ set -o pipefail
+ curl -s {{ wazuh_repo.gpg }} | apt-key add -
+ args:
+ warn: false
+ executable: /bin/bash
+ changed_when: false
+ when:
+ - ansible_distribution == "Ubuntu"
+ - ansible_distribution_major_version | int == 14
+ - not wazuh_custom_packages_installation_manager_enabled
+
+- name: Debian/Ubuntu | Installing Wazuh repository key
+ apt_key:
+ url: "{{ wazuh_repo.gpg }}"
+ id: "{{ wazuh_repo.key_id }}"
+ when:
+ - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
+ - not wazuh_custom_packages_installation_manager_enabled
+
+- name: Debian/Ubuntu | Add Wazuh repositories
+ apt_repository:
+ filename: wazuh_repo
+ repo: "{{ wazuh_repo.apt }}"
+ state: present
+ update_cache: true
+ changed_when: false
+ when:
+ - not wazuh_custom_packages_installation_manager_enabled
+
+- name: Debian/Ubuntu | Install wazuh-manager
+ become: true
+ apt:
+ name: "wazuh-manager={{ wazuh_manager_version }}-*"
+ state: present
+ notify: start service
+ when: not wazuh_custom_packages_installation_manager_enabled
+
+- name: Install Wazuh Manager from .deb packages
+ become: true
+ apt:
+ deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
+ state: present
+ notify: start service
+ when:
+ - wazuh_custom_packages_installation_manager_enabled
+
+- name: run the handlers after the installation
+ meta: flush_handlers
diff --git a/provisioning/roles/wazuh/manager/tasks/RedHat.yml b/provisioning/roles/wazuh/manager/tasks/RedHat.yml
new file mode 100644
index 0000000..1c90294
--- /dev/null
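Review bot: In tasks/Debian.yml the `Install Wazuh Manager from .deb packages` task hands a URL straight to `apt: deb:`, so the package is fetched and installed as root with no checksum or signature check; its integrity rests on TLS and on the bucket alone. Downloading it first with `get_url` and a pinned `checksum`, then installing the local file, closes that gap; the checksum variable in the excerpt below is a proposed new default, not one the role already defines. The custom rpm tasks in tasks/RedHat.yml have the same gap. Separately, the Ubuntu 14 task pipes `curl -s` into `apt-key add -` without comparing the key against `wazuh_repo.key_id`, which the `apt_key` task does check.

```yaml
# … unchanged: gnupg install, repository key, repository and wazuh-manager tasks …
- name: Download Wazuh Manager .deb package
  become: true
  get_url:
    url: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
    # root-owned directory, so the file cannot be swapped by another local user
    dest: /root/wazuh-manager.deb
    # proposed new variable, e.g. "sha256:<digest published with the package>"
    checksum: "{{ wazuh_custom_packages_installation_manager_deb_checksum }}"
  when:
    - wazuh_custom_packages_installation_manager_enabled

- name: Install Wazuh Manager from .deb packages
  become: true
  apt:
    deb: /root/wazuh-manager.deb
    state: present
  notify: start service
  when:
    - wazuh_custom_packages_installation_manager_enabled
# … unchanged: flush_handlers …
```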
+++ b/provisioning/roles/wazuh/manager/tasks/RedHat.yml 
@@ -0,0 +1,68 @@
+---
+- name: RedHat/CentOS 5 | Install Wazuh repo
+ become: true
+ yum_repository:
+ name: wazuh_repo
+ description: Wazuh repository
+ baseurl: "{{ wazuh_repo.yum }}5/"
+ gpgkey: "{{ wazuh_repo.gpg }}-5"
+ gpgcheck: true
+ changed_when: false
+ when:
+ - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
+ - (ansible_distribution_major_version|int <= 5)
+ - not wazuh_custom_packages_installation_manager_enabled
+ register: repo_v5_manager_installed
+
+- name: RedHat/CentOS/Fedora | Install Wazuh repo
+ become: true
+ yum_repository:
+ name: wazuh_repo
+ description: Wazuh repository
+ baseurl: "{{ wazuh_repo.yum }}"
+ gpgkey: "{{ wazuh_repo.gpg }}"
+ gpgcheck: true
+ changed_when: false
+ when:
+ - repo_v5_manager_installed is skipped
+ - not wazuh_custom_packages_installation_manager_enabled
+
+- name: CentOS/RedHat/Amazon | Install wazuh-manager
+ become: true
+ package:
+ name: "wazuh-manager-{{ wazuh_manager_version }}"
+ state: present
+ register: wazuh_manager_main_packages_installed
+ until: wazuh_manager_main_packages_installed is succeeded
+ when:
+ - ansible_os_family|lower == "redhat"
+ - not wazuh_custom_packages_installation_manager_enabled
+ notify: start service
+ tags:
+ - init
+
+- block:
+ - name: Install Wazuh Manager from .rpm packages | yum
+ become: true
+ yum:
+ name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+ state: present
+ when:
+ - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+ - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+ - name: Install Wazuh Manager from .rpm packages | dnf
+ become: true
+ dnf:
+ name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+ state: present
+ disable_gpg_check: True
+ when:
+ - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+ (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+ notify: start service
+ when:
+ - wazuh_custom_packages_installation_manager_enabled
+
+- name: run the handlers after the installation
+ meta: flush_handlers
diff --git a/provisioning/roles/wazuh/manager/tasks/main.yml b/provisioning/roles/wazuh/manager/tasks/main.yml
new file mode 100644
index 0000000..d0ae9e9
--- /dev/null
+++ b/provisioning/roles/wazuh/manager/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Include vars/repo_vars.yml
+ include_vars: ../../vars/repo_vars.yml
+
+- name: Include vars/repo.yml
+ include_vars: ../../vars/repo.yml
+ when: packages_repository == 'production'
+
+- name: Include vars/repo_pre-release.yml
+ include_vars: ../../vars/repo_pre-release.yml
+ when: packages_repository == 'pre-release'
+
+- name: Include vars/repo_staging.yml
+ include_vars: ../../vars/repo_staging.yml
+ when: packages_repository == 'staging'
+
+- name: Include tasks based on OS
+ include_tasks: "{{ ansible_os_family }}.yml"
+
+- name: Ensure Wazuh Manager service is started and enabled.
+ service:
+ name: "wazuh-manager"
+ enabled: true
+ state: started
+ tags:
+ - config
diff --git a/provisioning/roles/wazuh/vars/repo.yml b/provisioning/roles/wazuh/vars/repo.yml
new file mode 100644
index 0000000..22e4e57
--- /dev/null
+++ b/provisioning/roles/wazuh/vars/repo.yml
@@ -0,0 +1,12 @@
+wazuh_repo:
+ apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ yum: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages.wazuh.com/4.x/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+
+certs_gen_tool_version: 4.4
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
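Review bot: In tasks/RedHat.yml, `disable_gpg_check: True` on the dnf task switches off signature verification for the custom rpm on CentOS/RHEL 8 and later, while the yum task for older releases leaves it on. If the custom packages are signed, I would drop that line and import the key before the install, for example an `rpm_key` task with `key: "{{ wazuh_repo.gpg }}"`; whether the dev packages are signed with that key is not visible in this commit. The version tests in both `when:` lists of the block compare strings, so a major version of `"10"` sorts below `"8"` and would take the yum branch; `ansible_distribution_major_version | int >= 8` compares numerically.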
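Review bot: In tasks/main.yml, `packages_repository` is loaded through `include_vars`, which ranks above inventory, play and role variables, so the `pre-release` and `staging` branches can only be reached with `-e`; if inventories are meant to choose the repository, the two values in vars/repo_vars.yml belong in defaults/main.yml instead. Any other value skips all three includes and leaves `wazuh_repo` undefined until an OS task fails on it, so an early `assert` with `that: packages_repository in ['production', 'pre-release', 'staging']` would give a clearer error. The final service task has no `become: true`, unlike the handler that starts the same service, and will need privileges unless the play sets them.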
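Review bot: In vars/repo.yml, `certs_gen_tool_version: 4.4` is an unquoted scalar, so YAML loads it as a float and a later value such as 4.10 would render as `4.1` inside `certs_gen_tool_url`; quoting it, `certs_gen_tool_version: '4.4'`, keeps it a string. The same line appears in vars/repo_pre-release.yml and vars/repo_staging.yml. A short comment above `key_id` saying it is the full fingerprint that `apt_key` checks the downloaded key against would also help whoever rotates the key later.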
diff --git a/provisioning/roles/wazuh/vars/repo_pre-release.yml b/provisioning/roles/wazuh/vars/repo_pre-release.yml
new file mode 100644
index 0000000..54e1bf8
--- /dev/null
+++ b/provisioning/roles/wazuh/vars/repo_pre-release.yml
@@ -0,0 +1,12 @@
+wazuh_repo:
+ apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
+ yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
+ gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+
+certs_gen_tool_version: 4.4
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
diff --git a/provisioning/roles/wazuh/vars/repo_staging.yml b/provisioning/roles/wazuh/vars/repo_staging.yml
new file mode 100644
index 0000000..3f5569f
--- /dev/null
+++ b/provisioning/roles/wazuh/vars/repo_staging.yml
@@ -0,0 +1,12 @@
+wazuh_repo:
+ apt: 'deb https://packages-dev.wazuh.com/staging/apt/ unstable main'
+ yum: 'https://packages-dev.wazuh.com/staging/yum/'
+ gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+
+certs_gen_tool_version: 4.4
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
diff --git a/provisioning/roles/wazuh/vars/repo_vars.yml b/provisioning/roles/wazuh/vars/repo_vars.yml
new file mode 100644
index 0000000..77c4738
--- /dev/null
+++ b/provisioning/roles/wazuh/vars/repo_vars.yml
@@ -0,0 +1,2 @@
+packages_repository: production
+manager_production_version: 4.4.4