Allow configuration of certs and password for agent-server communication

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: dj-wasabi
+patreon: wernerdijkerman

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Help to improve this Ansible role.
+
+---
+
+**Describe the bug**
+<!--- A clear and concise description of what the bug is. -->
+
+**Installation method/version**
+<!--- Please provide the installation method and version of the role. -->
+
+* Github / latest
+* Ansible Galaxy / 1.1.0
+
+**Ansible Version**
+
+```
+<!--- Paste output from "ansible --version" -->
+```
+
+**Targetted hosts**
+Concerns the following OS(es):
+<!--- Pick one below and delete the rest -->
+
+* Ubuntu
+* Debian
+* CentOS
+* Mint
+
+**Expected behavior**
+<!--- A clear and concise description of what you expected to happen. -->
+
+**Additional context**
+<!--- Add any other context about the problem here. Configuration of the role/group_vars information etc. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this Ansible role
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/agent.yml

@@ -0,0 +1,45 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CI
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - container: centos7
+          - container: centos8
+          - container: ubuntu1604
+          - container: ubuntu1804
+          - container: debian8
+          - container: debian9
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v1
+
+      - name: Set up Python 3.7
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.7
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          curl -so requirements.txt 'https://raw.githubusercontent.com/dj-wasabi/ansible-ci-base/master/requirements.txt'
+          pip install -r requirements.txt
+
+      - name: Run role tests
+        run: >-
+          MY_MOLECULE_CONTAINER=${{ matrix.molecule_distro.container }}
+          molecule test

CHANGELOG.md

@@ -0,0 +1,33 @@
+# ansible-ossec-agent Release
+
+Below an overview of all changes in the releases.
+
+Version (Release date)
+
+0.2.0   (2020-08-31)
+
+  * Optionally disable public repos #22 (By pull request: briankfitzwater (Thanks!))
+  * Option to set agent name #23 (By pull request: briankfitzwater (Thanks!))
+  * Switch repo to atomicorp #29 (By pull request: emmetog (Thanks!))
+
+0.1.0   (2018-01-02)
+
+  * Using Molecule V2 for CI test purposes #21
+  * Add option to disable active-response in template #20 (By pull request: briankfitzwater (Thanks!))
+  * Set permisisons on client.keys file #19 (By pull request: briankfitzwater (Thanks!))
+  * Update atomic-release #17 (By pull request: aarnaud (Thanks!))
+  * Fix new debian repository #15 (By pull request: aarnaud (Thanks!))
+  * Added run_once: true to several delegate tasks #14
+  * Added first working molecule tests #13
+  * Fix agent registration in managed mode #10 (By pull request: aarnaud (Thanks!))
+  * Add ossec-server fqdn config #9 (By pull request: aarnaud (Thanks!))
+  * control ossec authd with service #5 (By pull request: jlruizmlg (Thanks!))
+  * Allow for situations where the ossec server is not managed by ansible #4 (By pull request: zeroem (Thanks!))
+  * include no dependencies #3 (By pull request: recunius (Thanks!))
+  * Distribution Handling, Agent Profile, and Starting ossec-remoted #2 (By pull request: recunius (Thanks!))
+  * EL7 fixes #1 (By pull request: andskli (Thanks!))
+
+0.0.1   (2014-12-07)
+
+  * Initial working version.
+

CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Code of Conduct
+
+The Code of Conduct from Ansible found [here](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html) applies to this Ansible role as well.

CONTRIBUTING.md

@@ -0,0 +1,88 @@
+# Contributing to this role
+
+**Table of content**
+
+- [Contributing to this role](#contributing-to-this-role)
+  * [Contributing](#contributing)
+  * [(local) Development](#-local--development)
+    + [Requirements](#requirements)
+    + [Execution](#execution)
+- [Other](#other)
+  * [Virtualenv](#virtualenv)
+  * [Links](#links)
+
+Thank you very much for making time to improve this Ansible role.
+
+## Contributing
+
+Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms. [Contributor Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html).
+
+1. Fork the repo
+
+2. Create a branch and apply your changes to this branch.
+
+    a. Make sure you have updated the documentation when adding new variables;
+
+    b. Don't forget to add/update tests so we can test the functionality during each Pull Request;
+
+    c. Make sure the tests will succeed.
+
+3. Push the branch to your fork and submit a pull request.
+
+**Note**
+
+Pull Requests that fails during the tests will not be merged.
+
+## Coding Guidelines
+
+Style guides are important because they ensure consistency in the content, look, and feel of a book or a website.
+
+* [Ansible Style Guide](http://docs.ansible.com/ansible/latest/dev_guide/style_guide/)
+* It's "Ansible" when referring to the product and ``ansible`` when referring to the command  line tool, package, etc
+* Playbooks should be written in multi-line YAML with ``key: value``. The form ``key=value`` is only for ``ansible`` ad-hoc, not for ``ansible-playbook``.
+* Tasks should always have a ``name:``
+
+## (local) Development
+
+This role make use of Molecule to test the execution of the role and verificate it. In the root of the repository, a file named `requirements.txt` exists and contains the versions used by the tests.
+
+### Requirements
+
+You can install them with the following command:
+
+```
+pip install -r requirements.txt
+```
+
+Once the dependencies are installed, please install Docker as Molecule is configured in this repository to create Docker containers. See [this](https://docs.docker.com/install/) link to install Docker on your system.
+
+### Execution
+
+Once everything is installed, you can validate your changes by executing:
+```
+molecule test
+```
+
+It should run without any issues.
+
+# Other
+
+## Virtualenv
+
+Suggestion is to create a virtualenv so you won't have issues with other projects.
+
+Some web pages describing for virtual env:
+
+* http://thepythonguru.com/python-virtualenv-guide/
+* https://realpython.com/python-virtual-environments-a-primer/
+* https://www.dabapps.com/blog/introduction-to-pip-and-virtualenv-python/
+
+## Links
+
+[Molecule](https://molecule.readthedocs.io/)
+
+[Ansible](https://www.ansible.com/)
+
+[Molecule V2 with your own role](https://werner-dijkerman.nl/2017/09/05/using-molecule-v2-to-test-ansible-roles/)
+
+**End note**: Have fun making changes. If a feature helps you, then others find it helpful too and I will happily have it merged. 

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Werner Dijkerman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+**Description of PR**
+<!--- Describe what the PR holds -->
+
+**Type of change**
+<!--- Pick one below and delete the rest: -->
+
+Feature Pull Request
+Bugfix Pull Request
+Docs Pull Request
+
+**Fixes an issue**
+<!--- If this PR fixes an issue, please mention it. -->

README.md

@@ -1,11 +1,11 @@
 dj-wasabi.ossec-agent
 =========
 
-This role will install and configure an ossec-agent on the server. When there there is an parameter `ossec_server_name` configured, it will delagate an action for automatically authenticate the agent. 
+This role will install and configure an ossec-agent on the server. When there is a parameter, `ossec_server_name` configured, it will delagate an action to automatically authenticate the agent.
 
 Build Status:
 
-[![Build Status](https://travis-ci.org/dj-wasabi/ansible-ossec-agent.svg?branch=master)](https://travis-ci.org/dj-wasabi/ansible-ossec-agent)
+[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fdj-wasabi%2Fansible-ossec-agent%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/dj-wasabi/ansible-ossec-agent/goto?ref=master)
 
 
 Requirements
@@ -24,10 +24,25 @@ Role Variables
 This role needs 4 parameters:
 * `ossec_server_ip`: This is the ip address of the server running the ossec-server.
 * `ossec_server_fqdn`: This is the fqdn of the server running the ossec-server.
-* `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. 
+* `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible.
 * `ossec_managed_server`: When set to false, tasks that delegate to ossec server will be skipped
 
-This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line.
+This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter
+is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth`
+on the agent. When this is the case, it will pause and show you an message with the exact command line. You can skip
+these pauses using the `ossec_agent_pause_for_manual_steps` variable (see below).
+
+The following role variables are optional:
+* `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled.
+* `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes".
+* `ossec_agent_package_name`: Default is "ossec-hids-agent". This can be set to a URL or path to a .rpm file or path to a .deb file if the public repositories cannot be used.
+* `ossec_agent_name`: Optional name for the OSSEC agent.  Default is to use hostname.
+* `ossec_agent_pause_for_manual_steps`: Defaults to true, if false then the playbook will not pause to run manual steps on server. Meant to be used with auto registration.
+* `ossec_agent_client_pass`: If set, the agent will use this password when registering with the server.
+* `ossec_agent_server_cert_path`: If set, the agent will use this root cert to validate any certs provided by the server when registering (the SAN of the cert used by the server must match the `ossec_server_name` used by the client to connect).
+* `ossec_agent_cert_path`: If set, the agent will use this cert for itself when registering.
+* `ossec_agent_key_path`: If set, the agent will use this key for itself when registering.
+```
 
 Dependencies
 ------------
@@ -62,7 +77,7 @@ GPLv3
 Author Information
 ------------------
 
-Please send suggestion or pull requests to make this role better. 
+Please send suggestion or pull requests to make this role better.
 
 Github: https://github.com/dj-wasabi/ansible-ossec-agent
 

defaults/main.yml

@@ -1,7 +1,24 @@
 ---
 # defaults file for ossec-agent
 
-#ossec_server_fqdn: ossec-server.local
-#ossec_server_ip: 127.0.0.1
 ossec_server_name: ""
 ossec_managed_server: true
+ossec_server_atomic_release: 1.0-21
+ossec_agent_package_name: ossec-hids-agent
+
+# Set to an empty string or null to disable adding a key
+ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt"
+ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}"
+
+ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm"
+ossec_url: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS"
+ossec_download_url: "{{ ossec_url }}/{{ ossec_filename }}"
+
+ossec_server_disable_gpgkey: False
+ossec_agent_client_pass: ""
+
+ossec_agent_server_cert_path: ""
+ossec_agent_cert_path: ""
+ossec_agent_key_path: ""
+
+ossec_agent_pause_for_manual_steps: true

handlers/main.yml

@@ -2,6 +2,7 @@
 # handlers file for ossec-agent
 
 - name: restart ossec-agent
-  service: name={{ ossec_init_name }}
-           state=restarted
-           enabled=yes
+  service:
+    name: "{{ ossec_init_name }}"
+    state: restarted
+    enabled: yes