
wazuh: upgrade to 4.0.3

keep-around/8261cd17789762f14973453456d69dd78ebc22ed
Loïc Dachary 10 months ago
parent
commit
8261cd1778
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. 8
      .gitmodules
  2. 17
      docs/services/ids.rst
  3. 123
      playbooks/wazuh/agent.yml
  4. 5
      playbooks/wazuh/inventory/group_vars/all/wazuh.yml
  5. 314
      playbooks/wazuh/manager.yml
  6. 17
      playbooks/wazuh/test-wazuh-playbook.yml
  7. 155
      playbooks/wazuh/tests/test_wazuh.py
  8. 33
      playbooks/wazuh/wazuh-agent-playbook.yml
  9. 2
      playbooks/wazuh/wazuh-ansible
  10. 2
      playbooks/wazuh/wazuh-firewall-playbook.yml
  11. 33
      playbooks/wazuh/wazuh-manager-playbook.yml
  12. 3
      tests/icinga_helper.py
  13. 2
      tox.ini

8
.gitmodules

@ -4,10 +4,10 @@
[submodule "molecule/jdauphant.nginx/roles/jdauphant.nginx"]
path = playbooks/jdauphant.nginx/roles/jdauphant.nginx
url = https://github.com/jdauphant/ansible-role-nginx.git
[submodule "molecule/wazuh/wazuh-ansible"]
path = playbooks/wazuh/wazuh-ansible
url = https://lab.enough.community/main/wazuh-ansible
[submodule "molecule/debops"]
path = playbooks/debops
branch = stable-1.2
branch = stable-1.2
url = https://github.com/debops/debops
[submodule "playbooks/wazuh/wazuh-ansible"]
path = playbooks/wazuh/wazuh-ansible
url = https://github.com/wazuh/wazuh-ansible
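Review bot: The `wazuh-ansible` submodule now points at upstream `github.com/wazuh/wazuh-ansible` instead of the project's own `lab.enough.community` mirror, so the role code that runs with `become: true` on every host is fetched from a third party; the pin to commit `c57bba81…` in the submodule bump keeps the content fixed, but that hash should be verified against an upstream tag (4.0.3) rather than taken from a branch head. The deleted `manager.yml` mentioned local divergence from the role (wazuh-ansible issue #101), so it is worth confirming no local patches lived only in the mirror. A short comment above the entry, `# pinned to upstream tag v4.0.3; re-verify the hash when bumping`, would record that.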

17
docs/services/ids.rst

@ -7,6 +7,23 @@ The `Wazuh <http://wazuh.com/>`_ Intrusion Detection System watches
over all hosts and will report problems to the `ids@example.com` mail
address.
The wazuh API user and password must be created to allow the agents
to register on the server. For instance:
.. code::
$ cat ~/.enough/example.com/group_vars/all/wazuh.yml
---
wazuh_api_username: apiuser
wazuh_api_password: .S3cur3Pa75w0rd-#
wazuh_mailto: contact@enough.community
wazuh_email_from: contact@enough.community
.. note::
The password must obey the `wazuh requirements <https://github.com/wazuh/wazuh/blob/79e4d3fd09b28c65fb7990148821b47742d867c4/framework/wazuh/security.py#L22>`__ to be valid. They are complex and the best way
to make sure is to try the regular expression manually.
The service is created on the host specified by the `--host` argument:
.. code::

123
playbooks/wazuh/agent.yml

@ -1,123 +0,0 @@
---
wazuh_agent_config:
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_verification: 'yes'
log_format: 'plain'
client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
skip_nfs: 'yes'
ignore:
- /etc/mtab
#- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: '/var/ossec/wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
common:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'

5
playbooks/wazuh/inventory/group_vars/all/wazuh.yml

@ -0,0 +1,5 @@
---
wazuh_api_username: apiuser
wazuh_api_password: "SdNoponch3o_Ho5pAcubAco"
wazuh_mailto: "contact@enough.community"
wazuh_email_from: "contact@enough.community"
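Review bot: `wazuh_api_password` is a cleartext credential committed to version control, and this inventory file is read by both the manager playbook (which creates the API user from it) and the agent playbook (which hands it to agents for registration), so it is the live API password wherever this inventory is used. Even if `playbooks/wazuh/inventory` is only the test inventory, the value should come from ansible-vault or be generated at deploy time rather than stored in git, and it should be treated as burned now that it is in history. The docs hunk already tells operators to supply their own value in `~/.enough/<domain>/group_vars/all/wazuh.yml`; a comment here such as `# test-only credential; never reuse in a real deployment` would make that distinction explicit.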

314
playbooks/wazuh/manager.yml

@ -1,314 +0,0 @@
# copy/pasted from wazuh-ansible/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
# it is difficult to update, see https://github.com/wazuh/wazuh-ansible/issues/101
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
logall_json: 'no'
log_format: 'plain'
api:
bind_addr: '0.0.0.0'
port: 55000
https: 'no'
basic_auth: 'yes'
behind_proxy_server: 'no'
https_cert: '/var/ossec/etc/sslmanager.cert'
https_key: '/var/ossec/etc/sslmanager.key'
https_use_ca: 'no'
https_ca: ''
use_only_authd: 'false'
drop_privileges: 'true'
experimental_features: 'false'
secure_protocol: 'TLSv1_2_method'
honor_cipher_order: 'true'
ciphers: ''
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- '172.17.0.2'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'
protocol: 'udp'
queue_size: 131072
authd:
enable: false
port: 1515
use_source_ip: 'yes'
force_insert: 'yes'
force_time: 0
purge: 'no'
use_password: 'no'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: '/var/ossec/etc/sslmanager.cert'
ssl_manager_key: '/var/ossec/etc/sslmanager.key'
ssl_auto_negotiate: 'no'
email_notification: 'yes'
mail_to:
- 'ids@{{ domain }}'
mail_smtp_server: localhost
mail_from: 'contact@{{ domain }}'
mail_maxperhour: 12
mail_queue_size: 131072
extra_emails:
- enable: false
mail_to: 'admin@example.net'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'admin@example.net'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin,/boot
checks: 'check_all="yes"'
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
rootcheck:
frequency: 43200
openscap:
disable: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
vul_detector:
disable: 'yes'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
ubuntu:
disable: 'yes'
update_interval: '1h'
redhat:
disable: 'yes'
update_interval: '1h'
debian:
disable: 'yes'
update_interval: '1h'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
log_level: 1
email_level: 12
localfiles:
common:
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: |
netstat -tulpn | \
sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '192.168.2.1'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
#- name: 'restart-ossec'
# executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh-win-2016'
executable: 'netsh-win-2016.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
rule_exclude:
- '0215-policy_rules.xml'
active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: '100002'
- command: 'win_restart-ossec'
location: 'local'
rules_id: '100003'
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
syslog_outputs:
- server: null
port: null
format: null
wazuh_agent_configs:
- type: os
type_value: Linux
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
# Example
#directories:
#- dirs: /etc,/usr/bin,/usr/sbin
# checks: 'check_all="yes"'
rootcheck:
frequency: 43200
cis_distribution_filename: null
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'apache'
location: '/var/log/httpd/error_log'
- format: 'apache'
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'

17
playbooks/wazuh/test-wazuh-playbook.yml

@ -1,5 +1,22 @@
---
- name: prepare wazuh-host for tests
hosts: wazuh-service-group
become: true
pre_tasks:
- name: hold all mails /etc/postfix/hold.regexp
copy:
content: |
/^/ HOLD
dest: /etc/postfix/hold.regexp
- name: systemtcl restart postfix
service:
name: postfix
state: restarted
- name: open port 55000 on firewall for tests
hosts: localhost
gather_facts: false
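Review bot: The task name on the restart task reads `systemtcl restart postfix`; rename it `name: restart postfix`. Writing `/etc/postfix/hold.regexp` with `/^/ HOLD` only diverts mail if Postfix is told about the file (for example `header_checks = regexp:/etc/postfix/hold.regexp` in main.cf), and that wiring is not in this hunk, so presumably it is configured elsewhere — confirm it, since `test_wazuh_syscheck` relies on every alert landing in `/var/spool/postfix/hold`. The play that opens port 55000 continues past the end of this hunk.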

155
playbooks/wazuh/tests/test_wazuh.py

@ -2,6 +2,7 @@ from pprint import pprint
import testinfra
import requests
import yaml
from enough.common import ansible_utils
from enough.common import retry
testinfra_hosts = ['ansible://wazuh-host']
@ -10,39 +11,67 @@ testinfra_hosts = ['ansible://wazuh-host']
class Wazuh(object):
def __init__(self, config):
url = self.get_address(config.getoption("--ansible-inventory"))
self.url = f'http://{url}:55000'
inventory = config.getoption("--ansible-inventory")
url = self.get_address(inventory)
p = ansible_utils.Ansible('.', '.', ['playbooks/wazuh/inventory'])
username = p.get_variable('wazuh_api_username', 'wazuh-host')
password = p.get_variable('wazuh_api_password', 'wazuh-host')
self.url = f'https://{url}:55000'
self.s = requests.session()
self.s.auth = ('frob', 'nitz')
self.s.verify = None
self.s.headers = {
'Accept': 'application/json',
}
r = self.s.get(f'{self.url}/security/user/authenticate',
auth=(username, password))
print(r.text)
r.raise_for_status()
self.s.headers['Authorization'] = f"Bearer {r.json()['data']['token']}"
def get_info(self):
r = self.s.get(self.url, params={'pretty': 'true'})
print(r.text)
r.raise_for_status()
return r.json()
def get_agents(self):
r = self.s.get(f'{self.url}/agents')
print(r.text)
r.raise_for_status()
return r.json()
def get_agent_id(self, host):
agents = self.get_agents()['data']['affected_items']
for agent in agents:
if agent['name'].startswith(host):
return agent['id']
raise Exception(f'{host} not found in {agents}')
def get_address(self, inventory):
vars_dir = f'{inventory}/group_vars/all'
return 'wazuh.' + yaml.safe_load(
open(vars_dir + '/domain.yml'))['domain']
def get_check_times(self, type):
r = self.s.get(self.url + '/' + type + '/001/last_scan')
def get_check_times(self, agent):
r = self.s.get(f'{self.url}/syscheck/{agent}/last_scan')
print(r.text)
r.raise_for_status()
d = r.json()
assert d['error'] == 0
return (d['data']['start'], d['data']['end'])
d = r.json()['data']['affected_items'][0]
return (d['start'], d['end'])
@retry.retry(AssertionError, tries=8)
def wait_for_checks(self):
def wait_for_checks(self, agent):
# start time > end time means the check is ongoing
for type in ('syscheck', 'rootcheck'):
(start, end) = self.get_check_times(type)
assert start < end
(start, end) = self.get_check_times(agent)
assert start < end
def get_syscheck_end(self):
return self.get_check_times('syscheck')[1]
def get_syscheck_end(self, agent):
return self.get_check_times(agent)[1]
def run_syscheck(self):
last = self.get_syscheck_end()
r = self.s.put(self.url + '/syscheck/001')
def run_syscheck(self, host):
agent = self.get_agent_id(host)
last = self.get_syscheck_end(agent)
r = self.s.put(self.url + '/syscheck', params={'agents_list': agent})
r.raise_for_status()
d = r.json()
pprint(d)
@ -50,37 +79,73 @@ class Wazuh(object):
@retry.retry(AssertionError, tries=8)
def wait_for_syscheck():
assert self.get_syscheck_end() > last
current_last = self.get_syscheck_end(agent)
assert current_last is not None, f'syscheck in progress'
assert current_last > last, f'{current_last} > {last}'
wait_for_syscheck()
def get_syscheck_md5(self, path):
r = self.s.get(self.url + '/syscheck/001?file=' + path)
@retry.retry(AssertionError, tries=8)
def get_syscheck_md5(self, host, path):
agent = self.get_agent_id(host)
r = self.s.get(f'{self.url}/syscheck/{agent}', params={'file': path})
print(r.text)
r.raise_for_status()
d = r.json()
assert d['error'] == 0
info = d['data']['items'][0]
assert info['file'] == path
return info['md5']
r = r.json()
assert len(r['data']['affected_items']) > 0, f'{r} has no information yet about {path}'
d = r['data']['affected_items'][0]
assert d['file'] == path
return d['md5']
def test_wazuh(host, pytestconfig):
# postfix_host is a wazuh agent
postfix_host = testinfra.host.Host.get_host(
'ansible://postfix-host',
ansible_inventory=host.backend.ansible_inventory)
#
# it can fail sometimes because of https://github.com/wazuh/wazuh/issues/2236
#
postfix_host
def test_wazuh_api(host, pytestconfig):
w = Wazuh(pytestconfig)
w.run_syscheck()
good_md5 = w.get_syscheck_md5('/etc/screenrc')
# tamper with a file on the postfix-host
with postfix_host.sudo():
postfix_host.run("""
echo HACK >> /etc/screenrc
""")
w.run_syscheck()
bad_md5 = w.get_syscheck_md5('/etc/screenrc')
assert good_md5 != bad_md5
info = w.get_info()
assert info['error'] == 0
assert info['data']['title'] == "Wazuh API REST"
def test_wazuh_syscheck(host, pytestconfig):
try:
w = Wazuh(pytestconfig)
w.run_syscheck('postfix-host')
good_md5 = w.get_syscheck_md5('postfix-host', '/etc/screenrc')
with host.sudo():
host.run("""
postsuper -d ALL
sed -i -e '/email_alert_level/s/>12</>6</' /var/ossec/etc/ossec.conf
systemctl restart wazuh-manager
""")
# postfix_host is a wazuh agent
postfix_host = testinfra.host.Host.get_host(
'ansible://postfix-host',
ansible_inventory=host.backend.ansible_inventory)
#
# modify /etc/screenrc and verify wazuh sees it
#
with postfix_host.sudo():
postfix_host.run("date +%s >> /etc/screenrc")
w.run_syscheck('postfix-host')
bad_md5 = w.get_syscheck_md5('postfix-host', '/etc/screenrc')
assert good_md5 != bad_md5
#
# verify a notification is sent regarding this change
#
@retry.retry(AssertionError, tries=8)
def wait_for_mail():
with host.sudo():
cmd = host.run("""
ls /var/spool/postfix/hold
grep -qw /etc/screenrc /var/spool/postfix/hold/*
""")
print(cmd.stdout)
assert cmd.rc == 0, f'{cmd.stdout} {cmd.stderr}'
wait_for_mail()
finally:
with host.sudo():
host.run("""
sed -i -e '/email_alert_level/s/>.*</>12</' /var/ossec/etc/ossec.conf
systemctl restart wazuh-manager
""")
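Review bot: `self.s.verify = None` in `Wazuh.__init__` disables TLS certificate verification for the `https://…:55000` session in an indirect way: requests treats a `None` session value as "fall back to `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE`, otherwise do not verify", and `tox.ini` explicitly unsets `REQUESTS_CA_BUNDLE`, so the API credentials and the bearer token travel over an unverified connection. If the manager uses a self-signed API certificate, say so explicitly with `self.s.verify = False  # self-signed API cert in test deployments` (and silence the InsecureRequestWarning), or better point `verify` at the manager's certificate file. Separately, `print(r.text)` right after `/security/user/authenticate` writes the freshly issued JWT into the test log; print `r.status_code` there instead of the body. The f-string `f'syscheck in progress'` in `wait_for_syscheck` has no placeholders and can be a plain string.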

33
playbooks/wazuh/wazuh-agent-playbook.yml

@ -2,8 +2,6 @@
- name: install wazuh-agent
hosts: all-hosts:!wazuh-service-group
become: true
vars_files:
- agent.yml
roles:
- role: ansible-wazuh-agent
@ -11,10 +9,33 @@
wazuh_managers:
- address: "wazuh.{{ domain }}"
port: 1514
protocol: udp
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: '{{ wazu_agent_api_user | default("frob") }}'
api_proto: 'https'
api_user: '{{ wazuh_api_username }}'
max_retries: 5
retry_interval: 5
register: yes
api_pass: '{{ wazuh_api_password }}'
wazuh_api_reachable_from_agent: true
api_pass: '{{ wazu_agent_api_pass | default("nitz") }}'
wazuh_agent_enrollment:
enabled: 'no'
#
# The following lines are not needed because it is not enabled.
# But they are used anyway during template instantiation
# and must be present.
#
manager_address: ''
port: 1515
agent_name: ''
groups: ''
agent_address: ''
ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path: /var/ossec/etc/authd.pass
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
when: (groups['wazuh-service-group'] | length) > 0
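Review bot: `api_user`/`api_pass` together with `wazuh_api_reachable_from_agent: true` hand the manager's API credentials to every agent host so the role can call the API from there, and with `wazuh_agent_enrollment.enabled: 'no'` this is the only registration path; the user is the same `wazuh_api_username` the manager playbook creates and the tests use to list agents and trigger syscheck, so it presumably carries broad RBAC permissions. If the role honours it, set `wazuh_api_reachable_from_agent: false` so registration is delegated to the controller, or create a dedicated API user limited to agent registration instead of sharing one credential between tests, the manager and every agent. Whether the role validates the API certificate when registering over `api_proto: 'https'` is not visible here and is worth checking. The `when:` on the last line belongs to a role invocation that starts before this hunk.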

2
playbooks/wazuh/wazuh-ansible

@ -1 +1 @@
Subproject commit 52047670da044d96c3800cc66669b894ee2acd63
Subproject commit c57bba81eec80ceae84b47d727a4a3f582556157

2
playbooks/wazuh/wazuh-firewall-playbook.yml

@ -8,7 +8,7 @@
vars:
firewall_server: "{{ item.0 }}"
firewall_clients: [ "{{ hostvars[item.1]['ansible_host'] }}/32" ]
firewall_protocols: [ udp ]
firewall_protocols: [ tcp ]
firewall_ports: [ 1514 ]
when: hostvars[item.0].ansible_host is defined and hostvars[item.1].ansible_host is defined
with_nested:

33
playbooks/wazuh/wazuh-manager-playbook.yml

@ -32,13 +32,36 @@
- name: install wazuh-manager
hosts: wazuh-service-group
become: true
vars_files:
- manager.yml
roles:
- role: ansible-wazuh-manager
vars:
wazuh_api_user:
# htpasswd -nb frob nitz
- "{{ wazuh_manager_api_user | default('frob:$apr1$wOI7F7qb$ZfLb5n.2IgHk8.vrfh3sq.') }}"
wazuh_manager_email_notification: 'yes'
wazuh_manager_mailto:
- '{{ wazuh_mailto }}'
wazuh_manager_email_smtp_server: "localhost"
wazuh_manager_email_from: '{{ wazuh_email_from }}'
wazuh_api_users:
- username: "{{ wazuh_api_username }}"
password: "{{ wazuh_api_password }}"
wazuh_manager_fqdn: "wazuh.{{ domain }}"
wazuh_manager_authd:
enable: false
#
# The following lines are not needed because it is not enabled.
# But they are used anyway during template instantiation
# and must be present.
#
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
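Review bot: The comment says the `wazuh_manager_authd` values are inert because `enable: false`, yet it also says they are rendered into the template, and the placeholders chosen (`use_password: 'no'`, `ssl_agent_ca: null`, `ssl_verify_host: 'no'`, `force_insert: 'yes'`, `purge: 'yes'`) are the least safe combination: anyone who later flips `enable` to true gets an authd on 1515 that accepts any host without a password or CA check and lets it replace existing agents. Prefer safe placeholders (`use_password: 'yes'`, `force_insert: 'no'`, `ssl_verify_host: 'yes'`) or extend the comment with `# if authd is ever enabled, set use_password and ssl_agent_ca before exposing port 1515`. The `ssl_manager_cert`/`ssl_manager_key` values are bare file names here while the deleted defaults used absolute `/var/ossec/etc/` paths; confirm the role resolves them.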

3
tests/icinga_helper.py

@ -36,7 +36,8 @@ class IcingaHelper(object):
def get_web_session(self):
p = ansible_utils.Playbook('.', '.', [self.inventory])
username = list(p.get_role_variables('icinga2', 'icingaweb2_user').values())[0]
username = p.get_variable('wazuh_api_username', 'wazuh-host')
password = p.get_variable('wazuh_api_password', 'wazuh-host')
password = list(p.get_role_variables('icinga2', 'icingaweb2_user_pass').values())[0]
address = self.get_address()
session = requests.Session()
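Review bot: If the two `p.get_variable('wazuh_api_…', 'wazuh-host')` lines are the additions (the variable `wazuh_api_username` first appears in this commit), `IcingaHelper.get_web_session` now looks up the Wazuh API credentials to log into Icinga Web, which looks like a copy/paste slip from `test_wazuh.py`; the diffstat's three changed lines suggest one of the `icingaweb2_user` lookups was dropped as well, so username and password would no longer even come from the same source. Either keep the Icinga lookups as they were, or, if the intent is to standardise on `get_variable`, query the Icinga variables: `username = p.get_variable('icingaweb2_user', 'icinga-host')` and the matching `icingaweb2_user_pass`. Note this helper uses `ansible_utils.Playbook` while `test_wazuh.py` uses `ansible_utils.Ansible`; whether both expose `get_variable` is not visible here. The rest of `get_web_session` continues outside the hunk.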

2
tox.ini

@ -42,6 +42,6 @@ commands = env --unset=REQUESTS_CA_BUNDLE {envbindir}/py.test --log-cli-level IN
commands = sphinx-build -W -vvv -b html docs build/html
[flake8]
exclude = venv,.tox,dist,doc,*.egg,build,docs/conf.py,src,playbooks/debops*
exclude = venv,.tox,dist,doc,*.egg,build,docs/conf.py,src,playbooks/debops*,playbooks/wazuh/wazuh-ansible,playbooks/wazuh/roles
show-source = true
max_line_length = 100
