Merge pull request #831 from wazuh/2796-provisioning-tool-4.4

Automatic Provisioning: Adapt roles and increase os support - 4.4

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -56,7 +56,7 @@ wazuh_winagent_config:
   md5: 8ffa75d13280f1aa6ffca54f4273df4d
 wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.4.0-1.msi
 wazuh_winagent_package_name: wazuh-agent-4.4.0-1.msi
-
+wazuh_winagent_package_name_generic: wazuh-agent.msi
 wazuh_dir: "/var/ossec"
 
 # This is deprecated, see: wazuh_agent_address

roles/wazuh/ansible-wazuh-agent/tasks/MacOS.yml

@@ -0,0 +1,8 @@
+- name: Download agent package
+  get_url:
+    url: "{{ wazuh_custom_packages_installation_agent_macos_url }}"
+    dest: /Users/vagrant
+    validate_certs: no
+
+- include_tasks: "installation_from_custom_packages.yml"
+  when: wazuh_custom_packages_installation_agent_enabled

roles/wazuh/ansible-wazuh-agent/tasks/Solaris.yml

@@ -0,0 +1,8 @@
+- name: Download agent package
+  get_url:
+    url: "{{ wazuh_custom_packages_installation_agent_solaris_url }}"
+    dest: /export/home/vagrant
+    validate_certs: no
+
+- include_tasks: "installation_from_custom_packages.yml"
+  when: wazuh_custom_packages_installation_agent_enabled

roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml

@@ -29,6 +29,7 @@
     dest: "{{ wazuh_winagent_config.download_dir }}"
   when:
     - not wazuh_package_downloaded.stat.exists
+    - not wazuh_custom_packages_installation_agent_enabled
 
 - name: Windows | Verify the Wazuh Agent installer
   win_stat:
@@ -40,12 +41,14 @@
     - wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5
   when:
     - wazuh_winagent_config.check_md5
+    - not wazuh_custom_packages_installation_agent_enabled
 
 
 - name: Windows | Install Agent if not already installed
   win_package:
     path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
     state: present
+  when: not wazuh_custom_packages_installation_agent_enabled
 
 - name: Windows | Check if client.keys exists
   win_stat:
@@ -95,3 +98,7 @@
   win_file:
     path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
     state: absent
+
+- include_tasks: "installation_from_custom_packages.yml"
+  when:
+    - wazuh_custom_packages_installation_agent_enabled

roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml

@@ -21,8 +21,51 @@
     dnf:
       name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
       state: present
+      disable_gpg_check: True
+
     when:
       - ansible_os_family|lower == "redhat"
       - wazuh_custom_packages_installation_agent_enabled
       - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
-        (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+        (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+# MacOS
+
+  - name: Install MacOS agent from pkg | custom macos pkg
+    become: true
+    shell: installer -pkg wazuh-* -target /
+    args:
+      chdir: /Users/vagrant
+    when: ansible_os_family == "Darwin"
+
+# Solaris
+  - name: Create noask file
+    lineinfile:
+      path: "/export/home/vagrant/noaskfile"
+      line: action=nocheck
+      create: yes
+    when: ansible_os_family == "Solaris"
+
+  - name: Install solaris wazuh agent custom package
+    become: true
+    shell: pkgadd -a noaskfile -d wazuh-* -n all
+    environment:
+      PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/"
+    args:
+      chdir: "/export/home/vagrant"
+    when: ansible_os_family == 'Solaris'
+
+# Windows
+  - name: Donwload Windows agent msi
+    win_get_url:
+      url: "{{ wazuh_custom_packages_installation_agent_msi_url }}"
+      dest: "{{wazuh_winagent_config.download_dir}}{{wazuh_winagent_package_name_generic}}"
+    when:
+      - ansible_os_family == "Windows"
+
+  - name: Install Wazuh Agent from .msi packages | custom win_package
+    win_package:
+      path: "{{wazuh_winagent_config.download_dir}}{{wazuh_winagent_package_name_generic}}"
+      state: present
+    when:
+      - ansible_os_family == "Windows"

roles/wazuh/ansible-wazuh-agent/tasks/main.yml

@@ -24,3 +24,9 @@
 
 - include_tasks: "Linux.yml"
   when: ansible_system == "Linux"
+
+- include_tasks: "MacOS.yml"
+  when: ansible_system == "Darwin"
+
+- include_tasks: "Solaris.yml"
+  when: ansible_os_family == "Solaris"

roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml

@@ -23,6 +23,7 @@
       dnf:
         name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
         state: present
+        disable_gpg_check: True
       when:
         - wazuh_custom_packages_installation_manager_enabled
         - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or

roles/wazuh/wazuh-dashboard/defaults/main.yml

@@ -1,5 +1,10 @@
 ---
 
+# Custom package installation
+wazuh_custom_packages_installation_indexer_enabled: false
+wazuh_custom_packages_installation_indexer_deb_url: ""
+wazuh_custom_packages_installation_indexer_rpm_url: ""
+
 # Dashboard configuration
 indexer_http_port: 9200
 indexer_api_protocol: https

roles/wazuh/wazuh-dashboard/tasks/Debian.yml

@@ -21,4 +21,9 @@
     register: install
 
   tags:
-    - install
+    - install
+  when: not wazuh_custom_packages_installation_dashboard_enabled
+
+- include_tasks: "install_from_custom_package.yml"
+  when:
+    - wazuh_custom_packages_installation_dashboard_enabled

roles/wazuh/wazuh-dashboard/tasks/RedHat.yml

@@ -19,3 +19,8 @@
 
   tags:
     - install
+  when: not wazuh_custom_packages_installation_dashboard_enabled
+
+- include_tasks: "install_from_custom_package.yml"
+  when:
+    - wazuh_custom_packages_installation_dashboard_enabled

roles/wazuh/wazuh-dashboard/tasks/install_from_custom_package.yml

@@ -0,0 +1,32 @@
+---
+  - block:
+      - name: Install Wazuh Dashboard from .deb packages
+        apt:
+          deb: "{{ wazuh_custom_packages_installation_dashboard_deb_url }}"
+          state: present
+        when:
+          - wazuh_custom_packages_installation_dashboard_enabled
+    when:
+      - ansible_os_family|lower == "debian"
+
+  - block:
+    - name: Install Wazuh Dashboard from .rpm packages | yum
+      yum:
+        name: "{{ wazuh_custom_packages_installation_dashboard_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_dashboard_enabled
+        - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+        - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+    - name: Install Wazuh Dashboard from .rpm packages | dnf
+      dnf:
+        name: "{{ wazuh_custom_packages_installation_dashboard_rpm_url }}"
+        state: present
+        disable_gpg_check: True
+      when:
+        - wazuh_custom_packages_installation_dashboard_enabled
+        - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+          (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+    when:
+      - ansible_os_family|lower == "redhat"

roles/wazuh/wazuh-indexer/defaults/main.yml

@@ -1,4 +1,9 @@
 ---
+# Custom package installation
+wazuh_custom_packages_installation_indexer_enabled: false
+wazuh_custom_packages_installation_indexer_deb_url: ""
+wazuh_custom_packages_installation_indexer_rpm_url: ""
+
 # Cluster Settings
 indexer_version: 4.4.0
 
@@ -26,7 +31,7 @@ minimum_master_nodes: 2
 # Example es1.example.com, es2.example.com
 domain_name: wazuh.com
 
-indexer_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
+indexer_sec_plugin_conf_path: /etc/wazuh-indexer/opensearch-security
 indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools
 indexer_conf_path: /etc/wazuh-indexer/
 indexer_index_path: /var/lib/wazuh-indexer/

roles/wazuh/wazuh-indexer/tasks/Debian.yml

@@ -4,6 +4,10 @@
 - name: Update cache
   apt:
     update_cache: yes
+  register: update_result
+  until: update_result is success
+  retries: 3
+  delay: 10
 
 - name: Debian 9 (Stretch)
   when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9")
@@ -16,23 +20,30 @@
         ]
         state: present
 
-- name: Add Wazuh indexer repository
+- name: Install wazuh-indexer
   block:
-    - name: Add apt repository signing key
-      apt_key:
-        url: "{{ wazuh_repo.gpg }}"
-        state: present
-
     - name: Add Wazuh indexer repository
-      apt_repository:
-        repo: "{{ wazuh_repo.apt }}"
+      block:
+        - name: Add apt repository signing key
+          apt_key:
+            url: "{{ wazuh_repo.gpg }}"
+            state: present
+
+        - name: Add Wazuh indexer repository
+          apt_repository:
+            repo: "{{ wazuh_repo.apt }}"
+            state: present
+            filename: 'wazuh-indexer'
+            update_cache: yes
+
+    - name: Install Wazuh indexer
+      apt:
+        name: wazuh-indexer={{ indexer_version }}-1
         state: present
-        filename: 'wazuh-indexer'
-        update_cache: yes
+      register: install
+      tags: install
+  when: not wazuh_custom_packages_installation_indexer_enabled
 
-- name: Install Wazuh indexer
-  apt:
-    name: wazuh-indexer={{ indexer_version }}-1
-    state: present
-  register: install
-  tags: install
+- include_tasks: "install_from_custom_package.yml"
+  when:
+    - wazuh_custom_packages_installation_indexer_enabled

roles/wazuh/wazuh-indexer/tasks/RedHat.yml

@@ -10,15 +10,15 @@
       gpgkey: "{{ wazuh_repo.gpg }}"
       gpgcheck: true
     changed_when: false
-
-
+    when: not wazuh_custom_packages_installation_indexer_enabled
 
   - name: Amazon Linux | Install Amazon extras
     block:
       - name: Install Amazon extras
         yum:
           name: amazon-linux-extras
           state: present
+          lock_timeout: 180
 
       - name: Configure vm.max_map_count
         lineinfile:
@@ -49,6 +49,10 @@
       state: present
     register: install
     tags: install
+    when: not wazuh_custom_packages_installation_indexer_enabled
 
   tags:
   - install
+
+- include_tasks: "install_from_custom_package.yml"
+  when: wazuh_custom_packages_installation_indexer_enabled

roles/wazuh/wazuh-indexer/tasks/install_from_custom_package.yml

@@ -0,0 +1,32 @@
+---
+  - block:
+      - name: Install Wazuh Indexer from .deb packages
+        apt:
+          deb: "{{ wazuh_custom_packages_installation_indexer_deb_url }}"
+          state: present
+        when:
+          - wazuh_custom_packages_installation_indexer_enabled
+    when:
+      - ansible_os_family|lower == "debian"
+
+  - block:
+    - name: Install Wazuh Indexer from .rpm packages | yum
+      yum:
+        name: "{{ wazuh_custom_packages_installation_indexer_rpm_url }}"
+        state: present
+      when:
+        - wazuh_custom_packages_installation_indexer_enabled
+        - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+        - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+    - name: Install Wazuh Indexer from .rpm packages | dnf
+      dnf:
+        name: "{{ wazuh_custom_packages_installation_indexer_rpm_url }}"
+        state: present
+        disable_gpg_check: True
+      when:
+        - wazuh_custom_packages_installation_indexer_enabled
+        - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+          (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+    when:
+      - ansible_os_family|lower == "redhat"

roles/wazuh/wazuh-indexer/tasks/security_actions.yml

@@ -52,38 +52,38 @@
       {{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}
     register: indexer_admin_password_hashed
     no_log: '{{ indexer_nolog_sensible | bool }}'
-  
+
   - name: Set the Admin user password
     replace:
       path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
       regexp: '(?<=admin:\n  hash: )(.*)(?=)'
       replace: "{{ indexer_password_hash | quote }}"
     vars:
       indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}"
-  
+
   # this can also be achieved with password_hash, but it requires dependencies on the controller
   - name: Hash the kibanaserver role/user pasword
     shell: |
       export JAVA_HOME=/usr/share/wazuh-indexer/jdk
       {{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }}
     register: indexer_kibanaserver_password_hashed
     no_log: '{{ indexer_nolog_sensible | bool }}'
-  
+
   - name: Set the kibanaserver user password
     replace:
       path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
       regexp: '(?<=kibanaserver:\n  hash: )(.*)(?=)'
       replace: "{{ indexer_password_hash | quote }}"
     vars:
       indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}"
-  
+
   - name: Initialize the Opensearch security index in Wazuh indexer
     command: >
       sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }}
       JAVA_HOME=/usr/share/wazuh-indexer/jdk
       {{ indexer_sec_plugin_tools_path }}/securityadmin.sh
       -cd {{ indexer_sec_plugin_conf_path }}/
-      -icl -p 9300 -cd {{ indexer_sec_plugin_conf_path }}/
+      -icl -p {{indexer_http_port}} -cd {{ indexer_sec_plugin_conf_path }}/
       -nhnv
       -cacert {{ indexer_conf_path }}/certs/root-ca.pem
       -cert {{ indexer_conf_path }}/certs/admin.pem
@@ -114,5 +114,3 @@
     timeout: 4
   when:
     - indexer_custom_user is defined and indexer_custom_user
-
-