wazuh: the agent playbook does nothing if there are no wazuh hosts

Fixes: main/infrastructure#217
keep-around/ea261852fc79885ae657f380cfa68820f28d3955
Loïc Dachary 1 year ago
committed by Loic Dachary
commit ea261852fc
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
  1. docs/services/ids.rst (6)
  2. docs/user-guide.rst (2)
  3. inventory/firewall.yml (4)
  4. inventory/services.yml (28)
  5. playbooks/wazuh/inventory/services.yml (4)
  6. playbooks/wazuh/playbook.yml (2)
  7. playbooks/wazuh/wazuh-agent-playbook.yml (1)
  8. playbooks/wekan/playbook.yml (2)
  9. tests/enough/common/test_common_service.py (6)

6
docs/services/ids.rst

@ -6,3 +6,9 @@ Intrusion Detection System
The `Wazuh <http://wazuh.com/>`_ Intrusion Detection System watches
over all hosts and will report problems to the `ids@example.com` mail
address.
The service is created on the host specified by the `--host` argument:
.. code::
$ enough --domain example.com service create --host wazuh-host wazuh
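
Review bot: the added sentence marks up `--host` with single backticks, which reStructuredText treats as interpreted text rather than an inline literal; use double backticks (``--host``), as docs/user-guide.rst does for host names. The new paragraph would also benefit from one sentence saying what happens on the other hosts while no wazuh service exists, since this commit makes the agent playbook a no-op in that case.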

2
docs/user-guide.rst

@ -127,6 +127,7 @@ The following services are available:
* :doc:`bind <services/bind>` for `DNS server <https://www.isc.org/bind/>`__ at ``bind.examples.com``
* :doc:`OpenVPN <services/VPN>`, for `VPN <https://openvpn.net/>`__ at ``openvpn.example.com``
* :doc:`wazuh <services/ids>` for `Intrusion Detection System <https://wazuh.com/>`__ at ``wazuh.example.com``.
* :doc:`chat <services/mattermost>`, for `instant messaging <https://mattermost.com/>`__ at ``chat.example.com``
* :doc:`cloud <services/nextcloud>`, for `file sharing <https://nextcloud.com/>`__ at ``cloud.example.com``
* ``forum``, for `discussions and mailing lists <https://www.discourse.org/>`__ at ``forum.example.com``
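
Review bot: the added wazuh entry ends with a period after ``wazuh.example.com`` while the neighbouring bind, OpenVPN, chat and cloud entries do not. Drop the trailing period so the optional services list stays consistent.
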
@ -302,7 +303,6 @@ Services
The following services are always available:
* :doc:`icinga <services/monitoring>` for `monitoring <https://icinga.com/>`__ at ``icinga.example.com``.
* :doc:`wazuh <services/ids>` for `Intrusion Detection System <https://wazuh.com/>`__ at ``wazuh.example.com``.
* :doc:`postfix <services/postfix>` for `SMTP server <http://www.postfix.org/>`__ at ``postfix.example.com``.
* `security groups <https://docs.openstack.org/nova/train/admin/security-groups.html>`__ for :ref:`firewall <firewall>`.
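
Review bot: taking wazuh out of the "always available" list makes intrusion detection opt-in, but nothing in this section tells an operator that hosts run without an IDS until `service create --host ... wazuh` has been run. A short sentence here or in docs/services/ids.rst stating that would keep someone from assuming coverage that is no longer there by default.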

4
inventory/firewall.yml

@ -28,8 +28,8 @@ firewall_icinga2_client_group:
# wazuh
firewall_wazuh_server_group:
hosts:
wazuh-host:
children:
wazuh-service-group:
firewall_wazuh_client_group:
children:
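
Review bot: `firewall_wazuh_server_group` now follows `wazuh-service-group`, which this commit leaves empty by default, while `firewall_wazuh_client_group` in the lines right below keeps its children. Please confirm that whatever consumes the client group tolerates a server group with no hosts, so a default deployment does not end up with Wazuh client firewall rules that refer to a manager that does not exist.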

28
inventory/services.yml

@ -9,7 +9,6 @@ essential-service-hosts:
bind-service-group:
postfix-service-group:
icinga-service-group:
wazuh-service-group:
bind-service-group:
hosts:
@ -48,8 +47,7 @@ icinga-client-group:
all-hosts:
wazuh-service-group:
hosts:
wazuh-host:
hosts: {}
wazuh-service-hosts:
children:
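
Review bot: the `hosts: {}` under `wazuh-service-group` is load-bearing and deserves a comment. playbooks/wazuh/wazuh-agent-playbook.yml indexes `groups['wazuh-service-group']` directly, so the group has to stay defined even when empty; a YAML comment above it saying so would stop someone from deleting the "unused" group later.
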
@ -80,7 +78,7 @@ gitlab-service-hosts:
children:
gitlab-service-group:
gitlab-runner-service-group:
essential-service-hosts:
essential-service-group:
weblate-service-group:
hosts:
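
Review bot: this hunk and the ones that follow change the child of each `*-service-hosts` group from `essential-service-hosts` to `essential-service-group`, yet no definition of `essential-service-group` is visible in this diff and the first hunk of the file still edits a group named `essential-service-hosts`. Ansible's YAML inventory silently creates a group that is only ever referenced as a child, so a missing or misspelled definition would leave these services without their bind, postfix and icinga hosts and without any error. Please confirm the group is defined with the intended members, or add a test asserting it is non-empty.
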
@ -89,7 +87,7 @@ weblate-service-group:
weblate-service-hosts:
children:
weblate-service-group:
essential-service-hosts:
essential-service-group:
packages-service-group:
hosts:
@ -98,7 +96,7 @@ packages-service-group:
packages-service-hosts:
children:
packages-service-group:
essential-service-hosts:
essential-service-group:
chat-service-group:
hosts:
@ -107,7 +105,7 @@ chat-service-group:
chat-service-hosts:
children:
chat-service-group:
essential-service-hosts:
essential-service-group:
forum-service-group:
hosts:
@ -116,7 +114,7 @@ forum-service-group:
forum-service-hosts:
children:
forum-service-group:
essential-service-hosts:
essential-service-group:
website-service-group:
hosts:
@ -125,7 +123,7 @@ website-service-group:
website-service-hosts:
children:
website-service-group:
essential-service-hosts:
essential-service-group:
api-service-group:
hosts:
@ -135,7 +133,7 @@ api-service-hosts:
children:
api-service-group:
gitlab-service-hosts:
essential-service-hosts:
essential-service-group:
wekan-service-group:
hosts: {}
@ -143,7 +141,7 @@ wekan-service-group:
wekan-service-hosts:
children:
wekan-service-group:
essential-service-hosts:
essential-service-group:
pad-service-group:
hosts: {}
@ -151,7 +149,7 @@ pad-service-group:
pad-service-hosts:
children:
pad-service-group:
essential-service-hosts:
essential-service-group:
openvpn-service-group:
hosts: {}
@ -159,7 +157,7 @@ openvpn-service-group:
openvpn-service-hosts:
children:
openvpn-service-group:
essential-service-hosts:
essential-service-group:
backup-service-group:
hosts: {}
@ -167,7 +165,7 @@ backup-service-group:
backup-service-hosts:
children:
backup-service-group:
essential-service-hosts:
essential-service-group:
securedrop-service-group:
hosts: {}
@ -175,4 +173,4 @@ securedrop-service-group:
securedrop-service-hosts:
children:
securedrop-service-group:
essential-service-hosts:
essential-service-group:

4
playbooks/wazuh/inventory/services.yml

@ -0,0 +1,4 @@
---
wazuh-service-group:
hosts:
wazuh-host:

2
playbooks/wazuh/playbook.yml

@ -8,6 +8,8 @@
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
# see ../wekan/playbook.yml for a
# tests if wazuh-agent-playbook.yml is safe to include when there is no wazuh host
- import_playbook: wazuh-manager-playbook.yml
- import_playbook: wazuh-agent-playbook.yml
- import_playbook: test-wazuh-playbook.yml
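
Review bot: the two added comment lines do not parse as a sentence ("see ../wekan/playbook.yml for a" followed by "tests if ..."). Something like "# see ../wekan/playbook.yml for a test that wazuh-agent-playbook.yml is safe to include when there is no wazuh host" would read correctly and make clear that the no-host case is exercised elsewhere, not in this playbook.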

1
playbooks/wazuh/wazuh-agent-playbook.yml

@ -17,3 +17,4 @@
api_user: '{{ wazu_agent_api_user | default("frob") }}'
wazuh_api_reachable_from_agent: true
api_pass: '{{ wazu_agent_api_pass | default("nitz") }}'
when: (groups['wazuh-service-group'] | length) > 0
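
Review bot: the new `when:` indexes `groups['wazuh-service-group']` directly, which raises an undefined-variable error if an inventory does not declare the group at all; it only works because inventory/services.yml keeps an empty `hosts: {}` entry. Making the guard self-sufficient, for example `when: (groups['wazuh-service-group'] | default([]) | length) > 0`, removes that hidden dependency. Separately, the context lines read `wazu_agent_api_user` and `wazu_agent_api_pass` (no "h") with fixed fallbacks "frob" and "nitz"; if those names are a typo the overrides never take effect and every agent uses the fallback credentials that are published in this repository.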

2
playbooks/wekan/playbook.yml

@ -7,5 +7,7 @@
- import_playbook: ../bind/bind-client-playbook.yml
- import_playbook: ../icinga/icinga-playbook.yml
- import_playbook: ../postfix/postfix-playbook.yml
# tests if wazuh-agent-playbook.yml is safe to include when there is no wazuh host
- import_playbook: ../wazuh/wazuh-agent-playbook.yml
- import_playbook: test-wekan-playbook.yml
- import_playbook: wekan-playbook.yml
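
Review bot: the added import is described as a test of the no-wazuh-host case, but it only covers that case for as long as the wekan inventory happens to contain no wazuh host, and nothing here checks the outcome. Consider asserting in test-wekan-playbook.yml that `wazuh-service-group` is empty and that the agent is not installed, so the test fails loudly if the inventory changes instead of quietly stopping to cover the empty-group path.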

6
tests/enough/common/test_common_service.py

@ -33,7 +33,7 @@ def test_openstack_create_or_update(tmpdir, openstack_name, requests_mock):
def test_service_from_host():
s = service.Service(settings.CONFIG_DIR, settings.SHARE_DIR, domain='test.com')
assert s.service_from_host('icinga-host') in ('essential', 'openvpn', 'wekan')
assert s.service_from_host('icinga-host') in ('essential', 'openvpn', 'wekan', 'wazuh')
assert s.service_from_host('cloud-host') == 'cloud'
assert s.service_from_host('unknown-host') is None
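
Review bot: in `test_service_from_host` the expected value for 'icinga-host' is widened to a four-element tuple by adding 'wazuh', which means the return value of `service_from_host` for a shared host depends on something the test does not control. An `in (...)` check that grows with every service pulling in the essential hosts will keep passing even if the function returns the wrong one of them; either make the result deterministic and assert the exact value, or assert on the full set of services that contain the host.
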
@ -50,12 +50,14 @@ def test_update_vpn_dependencies():
assert s.hosts_with_internal_network(['bind-host']) == []
assert 'website-host' not in s.service2hosts['openvpn']
assert 'website-host' not in s.service2hosts['weblate']
assert 'weblate-host' in s.service2hosts['weblate']
s.ansible.set_inventories(['tests/enough/common/test_common_service/vpn_inventory'])
s.set_service_info()
assert 'website-host' in s.service2hosts['openvpn']
assert s.hosts_with_internal_network(['icinga-host']) == ['icinga-host']
s.update_vpn_dependencies()
assert 'website-host' in s.service2hosts['weblate']
assert 'website-host' not in s.service2hosts['weblate']
assert 'weblate-host' in s.service2hosts['weblate']
def test_ensure_non_empty_service_group(tmpdir):
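
Review bot: in `test_update_vpn_dependencies` the assertion after `s.update_vpn_dependencies()` appears both as `'website-host' in s.service2hosts['weblate']` and as `'website-host' not in ...`; if `not in` is the new expectation, the test now asserts exactly what it asserted before the call, so it no longer shows that `update_vpn_dependencies()` does anything for weblate. The commit message is about the wazuh agent playbook and does not mention a change in VPN dependency behaviour; please explain the flip in the message or a comment, and keep at least one assertion that distinguishes the state before and after the call.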
