MVP - Ansible - Roles: wazuh-agent role #1508

Open
2 tasks done
YisDav opened this issue Jan 16, 2025 · 2 comments · May be fixed by #1517

@YisDav
Member

YisDav commented Jan 16, 2025

Description

The Ansible role for the Wazuh agent (roles/wazuh-agent) is a refactored and simplified proposal that allows the installation of the agent (pointing to one or several Wazuh server instances) on multiple operating systems, the ones listed in the Wazuh agent tier 1.

For a better description, please read the parent commit (#1493).

Tasks

  • Develop the Wazuh agent role. The playbook must work with every OS, version, and architecture supported (Agent tier 1) by Wazuh.
  • Test the role with all the chosen Wazuh agent tier 1 OSs.
@YisDav YisDav linked a pull request Jan 20, 2025 that will close this issue
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Jan 22, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Jan 23, 2025
@YisDav YisDav linked a pull request Jan 23, 2025 that will close this issue
@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 5.0.0 Jan 23, 2025
@teddytpc1 teddytpc1 changed the title from "Ansible MVP - Roles: wazuh-agent role" to "MVP - Ansible - Roles: wazuh-agent role" Jan 27, 2025
@wazuhci wazuhci moved this from Pending review to On hold in XDR+SIEM/Release 5.0.0 Jan 28, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 5.0.0 Jan 28, 2025
@YisDav
Member Author

YisDav commented Jan 28, 2025

Update

An update was made to the history of the branches, in order to bring the changes of the working branch (enhancement/1496-wazuh-ansible-spike-implementation-plan) in a fluid way, since these changes are the basis for this issue.

@YisDav
Member Author

YisDav commented Jan 30, 2025

Update

OS list

| OS | Version | Architecture | Available in AWS (official) | Test performed |
|---|---|---|---|---|
| Ubuntu | 24.04 | aarch64 | Yes | No |
| Debian | 12 | x86_64 | Yes | No |
| Redhat | 9 | aarch64 | Yes | No |
| CentOS Stream | 8 | x86_64 | Requires Subscription | No |
| Amazon Linux | 2023 | x86_64 | Yes | No |
| Windows | 11 | x86_64 | Yes | No |
| MacOS | 15 (Sequoia) | x86_64 | Yes | No |
| MacOS | 15 (Sequoia) | aarch64 | Yes | No |

Current status description

Some preliminary tests were performed on Ubuntu aarch64, Redhat aarch64, Amazon Linux x86_64 and Windows x86_64, with Wazuh 5.0.0 packages. Also, an Ubuntu x86_64 with Wazuh AIO 5.0.0 was deployed (manual installation).

These results were found:

  • For Windows: Change in the service name of the agent from Wazuh (in the 4.10.1 version) to Wazuh Agent (in the 5.0.0 version)
  • For Linux:
    • Required changes to adjust the enrollment method, as in Ubuntu aarch64 the installation doesn't recognize the environment variables for agent registration.
    • Fix in ansible tasks, to include force: yes instead of recurse: yes

There are still no packages available for 5.0.0 on ARM architectures.
This affects tests on Ubuntu aarch64, Redhat aarch64, and MacOS aarch64.

Considerations

  • Filebeat: Filebeat tasks will no longer be required.
  • Certificates:
    • Server:
      • Certificates path is going to change from /etc/filebeat/certs/ to /etc/wazuh-server/certs/
      • Now, the following certificates are required to start the service, otherwise it fails:
        • indexer-key.pem
        • private-key.pem
        • root-ca.pem
        • server.pem
        • indexer.pem
        • public-key.pem
        • server-key.pem
      • The file /var/ossec/etc/ossec.conf no longer exists. It is replaced by /etc/wazuh-server/wazuh-server.yml
  • Agent:
    • Wazuh Agent name in Windows is now Wazuh Agent
    • The file /var/ossec/etc/ossec.conf no longer exists; as a replacement, /etc/wazuh-agent/wazuh-agent.yml might be used.
  • Dashboard: The configuration file /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml no longer exists

New certificates generation process

The new certificates required by the Wazuh server are:

  • private-key.pem
  • public-key.pem (planned to be removed)

This is still an active topic; it is being discussed here.

# JWT key files generation
openssl ecparam -name secp256k1 -genkey -noout -out /etc/wazuh-server/certs/private-key.pem
openssl ec -in /etc/wazuh-server/certs/private-key.pem -pubout -out /etc/wazuh-server/certs/public-key.pem
# Change owner
chown wazuh-server:wazuh-server /etc/wazuh-server/certs/*
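
As an added example, not part of the issue or of the Wazuh repository: a preflight check that could run before starting the service, confirming that the seven files listed in the comment above exist under /etc/wazuh-server/certs/. The function name `check_wazuh_server_certs` and the rule that private key files carry no group/other permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the Wazuh server certificate directory.
# File names and the default path are the ones listed in the issue comment;
# the permission rule for private keys is an assumption of this example.

REQUIRED_CERTS="indexer-key.pem private-key.pem root-ca.pem server.pem indexer.pem public-key.pem server-key.pem"

# check_wazuh_server_certs [DIR]
# Prints one line per problem and returns the number of problems found
# (0 means every required file is present and private keys are not exposed).
check_wazuh_server_certs() {
    dir="${1:-/etc/wazuh-server/certs}"
    problems=0
    for name in $REQUIRED_CERTS; do
        path="$dir/$name"
        # -s: the file must exist and be non-empty.
        if [ ! -s "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        case "$name" in
            public-key.pem)
                # Public half of the JWT key pair: readable by others is fine.
                ;;
            *-key.pem)
                # Characters 5-10 of the ls mode string are the group and
                # other permission bits; a private key should have none set.
                bits=$(ls -ld "$path" | cut -c5-10)
                if [ "$bits" != "------" ]; then
                    echo "LOOSE    $path (group/other bits: $bits)"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done
    return "$problems"
}
```

Call it as `check_wazuh_server_certs` for the default path or `check_wazuh_server_certs /some/dir` for another directory; the exit status is the number of problems reported.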
