From f6e020631e639d7f69a04b9f407f393a81ad74ca Mon Sep 17 00:00:00 2001
From: Christos Pollalis
Date: Sat, 11 Apr 2020 02:15:42 +0300
Subject: [PATCH 1/2] Make agent registration via the rest API idempotent

Check whether an error was returned by the HTTP POST to the `agents/` endpoint before invoking `/var/ossec/bin/manage_agents` in order to register a new agent. It seems like that if an agent has already been registered under the given name, the HTTP POST will return an error that'll cause the next task, which is meant to retrieve the agent information, to be skipped. That'll cause the agent registration task to fail in return. Instead, this change will cause the aforementioned task to be skipped, too. So, if an agent has already been successfully registered and the playbook is re-run, it'll run all the way to the end. If anything goes wrong (during the registration process) and the agent fails to start, the `restart wazuh-agent` handler will still fail.
---
 roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index 9528aa330..a84e4020e 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -124,7 +124,6 @@
 password: "{{ api_pass }}"
 register: newagent_api
 notify: restart wazuh-agent
- # changed_when: newagent_api.json.error == 0
 vars:
 agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}"
 when:
@@ -133,7 +132,7 @@
 become: false
 ignore_errors: true

- - name: Linux | Retieve new agent data via rest-API
+ - name: Linux | Retrieve new agent data via rest-API
 uri:
 url: >-
 "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address 
@@ -164,7 +163,7 @@
 when:
 - not check_keys.stat.exists or check_keys.stat.size == 0
 - wazuh_agent_authd.registration_address is not none
- - newagent_api.changed
+ - newagent_api.json.error == 0
 notify: restart wazuh-agent

 when:

From ae40cb45827cb1c3590651a6771c12ee72343c63 Mon Sep 17 00:00:00 2001
From: Christos Pollalis
Date: Sat, 11 Apr 2020 18:26:13 +0300
Subject: [PATCH 2/2] Split "Copy CA, SSL key and cert for authd" task of the wazuh-agent playbook to allow one to perform either manager or agent verification, or both.

---
 roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
index a84e4020e..7fa0cc03e 100644
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
@@ -50,17 +50,25 @@
 - name: Retrieving authd Credentials
 include_vars: authd_pass.yml

- - name: Copy CA, SSL key and cert for authd
+ - name: Copy CA root certificate to verify authd
+ copy:
+ src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
+ dest: "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
+ mode: 0644
+ when:
+ - wazuh_agent_authd.ssl_agent_ca is not none
+
+ - name: Copy TLS/SSL certificate for agent verification
 copy:
 src: "{{ item }}"
 dest: "/var/ossec/etc/{{ item | basename }}"
 mode: 0644
 with_items:
- - "{{ wazuh_agent_authd.ssl_agent_ca }}"
 - "{{ wazuh_agent_authd.ssl_agent_cert }}"
 - "{{ wazuh_agent_authd.ssl_agent_key }}"
 when:
- - wazuh_agent_authd.ssl_agent_ca is not none
+ - wazuh_agent_authd.ssl_agent_cert is not none
+ - wazuh_agent_authd.ssl_agent_key is not none

 - name: Linux | Register agent (via authd)
 shell: >
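Review bot: The new condition `newagent_api.json.error == 0` dereferences a `json` key that the registered result does not always carry: the POST task it refers to runs with `ignore_errors: true` (visible as context in the previous hunk), so a refused connection, a TLS failure or a non-JSON error page leaves `newagent_api` without `json`, and the `when` evaluation itself raises instead of skipping, which fails this task for exactly the transient cases the commit is trying to survive. Guard the lookup, e.g. `- newagent_api.json is defined and newagent_api.json.error == 0`. Note also that a host with a missing or empty `client.keys` whose name the manager already knows now skips `manage_agents` silently and the problem only surfaces at the restart handler; a `fail`/`debug` task naming that situation (agent already registered on the manager, no local key) would make the cause visible in the play output. The task these conditions belong to starts outside the hunk.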
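Review bot: The agent's TLS private key (`wazuh_agent_authd.ssl_agent_key` in `with_items`) is still installed with the same `mode: 0644` as the certificate, so it lands world-readable under `/var/ossec/etc/`; that mode line is context here, but the split this hunk makes is the natural place to give the key its own mode, as below. Separately, the unquoted `mode: 0644` on both the new CA task and the cert/key task is the YAML octal trap: it parses as the integer 420, which Ansible happens to map back to 0644, but the same value written without the leading zero is silently taken as decimal, so write it as the string `"0644"`. Finally, a host that sets only one of `ssl_agent_cert`/`ssl_agent_key` is silently skipped by the two-condition `when`; an `assert` that both or neither are set would surface that misconfiguration. If the agent's auth client has to read the key as a non-root user, add `owner`/`group` next to the tighter mode rather than loosening it again.

```yaml
  - name: Copy TLS/SSL certificate for agent verification
    copy:
      src: "{{ item.src }}"
      dest: "/var/ossec/etc/{{ item.src | basename }}"
      mode: "{{ item.mode }}"
    with_items:
      - src: "{{ wazuh_agent_authd.ssl_agent_cert }}"
        mode: "0644"
      - src: "{{ wazuh_agent_authd.ssl_agent_key }}"
        mode: "0600"
    # … unchanged: when conditions on ssl_agent_cert / ssl_agent_key …
```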