diff --git a/Pipfile b/Pipfile index ce0266f26..6f709455d 100644 --- a/Pipfile +++ b/Pipfile @@ -14,9 +14,22 @@ molecule = "==2.20.2" python_version = "2.7" [scripts] +test ="molecule test --destroy=never" +worker ="molecule test -s worker --destroy=never" +agent ="molecule test -s wazuh-agent --destroy=never" +elasticsearch ="molecule test -s elasticsearch --destroy=never" +kibana ="molecule test -s kibana --destroy=never" + +# Verify .. +verify ="molecule verify" +verify_worker ="molecule verify -s worker" +verify_agent ="molecule verify -s agent" +verify_elasticsearch ="molecule verify -s elasticsearch" +verify_kibana ="molecule verify -s kibana" + +# Destroy .. destroy ="molecule destroy" -test ="molecule test" -agent ="molecule test -s wazuh-agent" -elasticsearch ="molecule test -s elasticsearch" -filebeat ="molecule test -s filebeat" -kibana ="molecule test -s kibana" +destroy_worker ="molecule destroy -s worker" +destroy_agent ="molecule destroy -s agent" +destroy_elasticsearch ="molecule destroy -s elasticsearch" +destroy_kibana ="molecule destroy -s kibana" diff --git a/molecule/default/create.yml b/molecule/default/create.yml index 25932aee1..0b25ec816 100644 --- a/molecule/default/create.yml +++ b/molecule/default/create.yml @@ -44,10 +44,13 @@ - name: Create docker network(s) docker_network: - name: "{{ item }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" + name: "main" state: present - with_items: "{{ molecule_yml.platforms | molecule_get_docker_networks }}" + + - name: Sleep 5 seconds till the network gets created if it's not + # Pause for 5 minutes to build app cache. + pause: + seconds: 10 - name: Create molecule instance(s) docker_container: 
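Review bot: `verify_agent` and `destroy_agent` pass `-s agent`, while the `agent` test script in the same block passes `-s wazuh-agent` and the scenario directory touched elsewhere in this commit is `molecule/wazuh-agent/`. Unless a scenario named `agent` exists outside this diff, both scripts will fail to find it; they should read `verify_agent ="molecule verify -s wazuh-agent"` and `destroy_agent ="molecule destroy -s wazuh-agent"`. Because the test scripts now run with `--destroy=never`, a destroy script that cannot find its scenario leaves that scenario's containers running after a test run.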
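Review bot: The new pause task in molecule/default/create.yml contradicts itself: its name says 5 seconds, its comment says 5 minutes to build an app cache, and `seconds: 10` is what actually runs. If the wait is needed at all, name it for what it does, e.g. `- name: Wait 10 seconds for the docker network to be ready`, and drop the copied comment. The same hunk removes the `docker_host` argument from `docker_network`, so a platform that sets `docker_host` would get its network created on the default daemon; confirm that no scenario relies on it. The task list continues outside the hunk.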
@@ -65,7 +68,8 @@ exposed_ports: "{{ item.exposed_ports | default(omit) }}" published_ports: "{{ item.published_ports | default(omit) }}" ulimits: "{{ item.ulimits | default(omit) }}" - networks: "{{ item.networks | default(omit) }}" + networks: + - name: "main" dns_servers: "{{ item.dns_servers | default(omit) }}" register: server with_items: "{{ molecule_yml.platforms }}" @@ -78,4 +82,4 @@ register: docker_jobs until: docker_jobs.finished retries: 300 - with_items: "{{ server.results }}" + with_items: "{{ server.results }}" \ No newline at end of file diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml deleted file mode 100644 index 6a54a8463..000000000 --- a/molecule/default/molecule.yml +++ /dev/null @@ -1,69 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - enabled: false -platforms: - - name: bionic - image: solita/ubuntu-systemd:bionic - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m - - name: xenial - image: solita/ubuntu-systemd:xenial - privileged: true - memory_reservation: 2048m - command: /sbin/init - ulimits: - - nofile:262144:262144 -# - name: trusty -# image: ubuntu:trusty -# privileged: true -# memory_reservation: 2048m -# ulimits: -# - nofile:262144:262144 -# - name: centos6 -# image: centos:6 -# privileged: true -# memory_reservation: 2048m -# ulimits: -# - nofile:262144:262144 - - name: centos7 - image: milcom/centos7-systemd - memory_reservation: 2048m - privileged: true - ulimits: - - nofile:262144:262144 -provisioner: - name: ansible - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true -scenario: - name: default - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 - enabled: true 
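Review bot: `networks` is now fixed to `main` for every instance, so a per-platform `networks:` setting is silently ignored. molecule/wazuh-agent/molecule.yml in this same commit still declares `networks: - name: wazuh`, which no longer has any effect and should be removed or changed to `main`. Every scenario reuses this create.yml, so all test containers (most of them `privileged: true`) now share one bridge network. If that is intended for the cluster test, say so above the key, e.g. `# all scenarios share the "main" network so cluster nodes can resolve each other by container name`.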
diff --git a/molecule/default/molecule.yml.template b/molecule/default/molecule.yml.template new file mode 100644 index 000000000..f46226c2a --- /dev/null +++ b/molecule/default/molecule.yml.template @@ -0,0 +1,47 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + enabled: false +platforms: + - name: manager_platform_ + image: imagename + command: /sbin/init + ulimits: + - nofile:262144:262144 + privileged: true + memory_reservation: 2048m +provisioner: + name: ansible + config_options: + defaults: + hash_behaviour: merge + env: + ANSIBLE_ROLES_PATH: ../../roles + lint: + name: ansible-lint + enabled: true +scenario: + name: default + test_sequence: + - lint + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy +verifier: + name: testinfra + lint: + name: flake8 + enabled: true diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml index 242a37771..d4561c1b1 100644 --- a/molecule/default/playbook.yml +++ b/molecule/default/playbook.yml @@ -3,4 +3,17 @@ hosts: all roles: - role: wazuh/ansible-wazuh-manager - + vars: + wazuh_manager_config: + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'manager' + node_type: 'master' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager_bionic' + hidden: 'no' + - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' } \ No newline at end of file diff --git a/molecule/default/playbook.yml.template b/molecule/default/playbook.yml.template new file mode 100644 index 000000000..f73659e9c --- /dev/null +++ b/molecule/default/playbook.yml.template 
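Review bot: `hash_behaviour: merge` under `config_options.defaults` changes how Ansible combines dictionary variables for the whole run, and the converge playbooks in this commit appear to depend on it by passing only the `cluster` part of `wazuh_manager_config`. Someone applying the role with Ansible's default behaviour (`replace`) would get a different result from what these scenarios test, because a partial override would drop the other keys of the role default. Add a comment above the option explaining why it is required, e.g. `# playbook.yml overrides only wazuh_manager_config.cluster; merge keeps the remaining role defaults`, and consider documenting the requirement for role users. The same option is added to the elasticsearch, kibana, wazuh-agent and worker scenario files.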
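Review bot: The cluster `key` in molecule/default/playbook.yml is written as a literal, and the same value is repeated in molecule/default/playbook.yml.template, molecule/worker/playbook.yml and molecule/worker/playbook.yml.template. Even as a test fixture it is a shared secret in version control that tends to be copied into real deployments; supply it from outside the repository, e.g. `key: "{{ lookup('env', 'WAZUH_CLUSTER_KEY') }}"` (the variable name is only an example), or at least mark it with `# test-only key, never use outside molecule`. The block also sets `bind_addr: '0.0.0.0'`, so the cluster port is reachable from every container on the shared test network. Separately, run_cluster_mode.sh regenerates playbook.yml from the template on every run, so committing the rendered file with `manager_bionic` / `elasticsearch_bionic` baked in will produce local diffs whenever another image is chosen.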
@@ -0,0 +1,19 @@ +--- +- name: Converge + hosts: all + roles: + - role: wazuh/ansible-wazuh-manager + vars: + wazuh_manager_config: + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'manager' + node_type: 'master' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager_platform' + hidden: 'no' + - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' } \ No newline at end of file diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index c5e76d676..174a499ff 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py @@ -73,8 +73,17 @@ def test_open_ports(host): """Test if the main port is open and the agent-auth is not open.""" distribution = host.system_info.distribution.lower() if distribution == 'ubuntu': + assert host.socket("tcp://0.0.0.0:1516").is_listening assert host.socket("tcp://0.0.0.0:1515").is_listening assert host.socket("tcp://0.0.0.0:1514").is_listening elif distribution == 'centos': + assert host.socket("tcp://0.0.0.0:1516").is_listening assert host.socket("tcp://127.0.0.1:1515").is_listening assert host.socket("tcp://127.0.0.1:1514").is_listening + + +def test_filebeat_is_installed(host): + """Test if the elasticsearch package is installed.""" + filebeat = host.package("filebeat") + assert filebeat.is_installed + assert filebeat.version.startswith('7.2.1') diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml index ebf47ccb9..11d8902fe 100644 --- a/molecule/elasticsearch/molecule.yml +++ b/molecule/elasticsearch/molecule.yml 
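Review bot: The docstring of the new `test_filebeat_is_installed` in molecule/default/tests/test_default.py says it tests the elasticsearch package, but the body checks `filebeat`; it should read `"""Test if the filebeat package is installed at the expected version."""`. The `test_open_ports` docstring is also stale after this change: it says agent-auth is not open, while the body asserts 1515 is listening and now also asserts the cluster port 1516 on `0.0.0.0` for both distributions. Something like `"""Test that the agent (1514), agent-auth (1515) and cluster (1516) ports are listening."""` matches the code. The same filebeat docstring is copied into molecule/worker/tests/test_default.py.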
@@ -8,41 +8,19 @@ lint: options: config-data: ignore: .virtualenv -platforms: - #- name: bionic - # image: solita/ubuntu-systemd:bionic - # command: /sbin/init - # ulimits: - # - nofile:262144:262144 - # privileged: true - # memory_reservation: 2048m - #- name: xenial - # image: solita/ubuntu-systemd:xenial - # privileged: true - # memory_reservation: 2048m - # command: /sbin/init - # ulimits: - # - nofile:262144:262144 - #- name: trusty - #image: ubuntu:trusty - #privileged: true - #memory_reservation: 2048m - #ulimits: - #- nofile:262144:262144 - #- name: centos6 - # image: centos:6 - # privileged: true - # memory_reservation: 2048m - # ulimits: - # - nofile:262144:262144 - - name: centos7 - image: milcom/centos7-systemd - memory_reservation: 2048m - privileged: true +bionics: + - name: elasticsearch_bionic + image: solita/ubuntu-systemd:bionic + command: /sbin/init ulimits: - nofile:262144:262144 + privileged: true + memory_reservation: 2048m provisioner: name: ansible + config_options: + defaults: + hash_behaviour: merge playbooks: docker: create: ../default/create.yml @@ -57,6 +35,22 @@ provisioner: group_vars: all: elasticsearch_jvm_xms: 512 +scenario: + name: elasticsearch + test_sequence: + - lint + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + #- idempotence + - side_effect + - verify + - cleanup + - destroy verifier: name: testinfra lint: diff --git a/molecule/elasticsearch/molecule.yml.template b/molecule/elasticsearch/molecule.yml.template new file mode 100644 index 000000000..baba140e4 --- /dev/null +++ b/molecule/elasticsearch/molecule.yml.template 
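Review bot: The top-level key `platforms:` has become `bionics:` in the first hunk of molecule/elasticsearch/molecule.yml, so the file no longer defines anything under the key molecule reads for its instances. This looks like the result of a `platform` → `bionic` text substitution having been run over the file. It should be `platforms:` with the `elasticsearch_bionic` entry beneath it. run_cluster_mode.sh overwrites this file from molecule.yml.template, which does use `platforms:`, so the committed copy stays wrong only until the script is run; that is a further reason not to commit the rendered file.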
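Review bot: `#- idempotence` is disabled in the new `test_sequence` of molecule/elasticsearch/molecule.yml without a reason, while molecule.yml.template for the same scenario keeps the step enabled, so the committed file and the generated one test different things. Either enable the step again or record the reason next to it, e.g. `# idempotence disabled: <reason or issue link>`.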
@@ -0,0 +1,57 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + ignore: .virtualenv +platforms: + - name: elasticsearch_platform_ + image: imagename + command: /sbin/init + ulimits: + - nofile:262144:262144 + privileged: true + memory_reservation: 2048m +provisioner: + name: ansible + config_options: + defaults: + hash_behaviour: merge + playbooks: + docker: + create: ../default/create.yml + destroy: ../default/destroy.yml + prepare: ../default/prepare.yml + env: + ANSIBLE_ROLES_PATH: ../../roles + lint: + name: ansible-lint + enabled: true + inventory: + group_vars: + all: + elasticsearch_jvm_xms: 512 +scenario: + name: elasticsearch + test_sequence: + - lint + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy +verifier: + name: testinfra + lint: + name: flake8 diff --git a/molecule/elasticsearch/playbook.yml b/molecule/elasticsearch/playbook.yml index f6bf45f9d..6b5c44f8e 100644 --- a/molecule/elasticsearch/playbook.yml +++ b/molecule/elasticsearch/playbook.yml @@ -3,4 +3,4 @@ hosts: all roles: - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'localhost' + elasticsearch_network_host: 'elasticsearch_bionic' diff --git a/molecule/elasticsearch/playbook.yml.template b/molecule/elasticsearch/playbook.yml.template new file mode 100644 index 000000000..0b2f9d5ab --- /dev/null +++ b/molecule/elasticsearch/playbook.yml.template @@ -0,0 +1,6 @@ +--- +- name: Converge + hosts: all + roles: + - role: elastic-stack/ansible-elasticsearch + elasticsearch_network_host: 'elasticsearch_platform' diff --git a/molecule/filebeat/INSTALL.rst b/molecule/filebeat/INSTALL.rst deleted file mode 100644 index 6a44bde9e..000000000 --- a/molecule/filebeat/INSTALL.rst +++ /dev/null 
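Review bot: In molecule/elasticsearch/playbook.yml `elasticsearch_network_host` moves from `'localhost'` to the container name, so Elasticsearch now listens on the shared docker network instead of loopback, and nothing visible in this playbook enables authentication or TLS. That is presumably needed so filebeat and kibana in the other containers can reach it, but it should be marked as a test-only choice, e.g. `# test network only: reachable by other molecule containers, no auth configured`. A non-loopback bind can also make Elasticsearch 7.x enforce its bootstrap checks, so confirm the role sets the discovery settings the node needs to start. The hard-coded `elasticsearch_bionic` is overwritten from playbook.yml.template whenever run_cluster_mode.sh runs.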
@@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' diff --git a/molecule/filebeat/playbook.yml b/molecule/filebeat/playbook.yml deleted file mode 100644 index 3ff917f66..000000000 --- a/molecule/filebeat/playbook.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-filebeat diff --git a/molecule/filebeat/prepare.yml b/molecule/filebeat/prepare.yml deleted file mode 100644 index 49325b85f..000000000 --- a/molecule/filebeat/prepare.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-apt - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - - name: "Install (RedHat) dependencies" - package: - name: - - initscripts - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - when: - - ansible_os_family == 'RedHat' 
diff --git a/molecule/filebeat/tests/test_default.py b/molecule/filebeat/tests/test_default.py deleted file mode 100644 index 02638b521..000000000 --- a/molecule/filebeat/tests/test_default.py +++ /dev/null @@ -1,13 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_filebeat_is_installed(host): - """Test if the elasticsearch package is installed.""" - filebeat = host.package("filebeat") - assert filebeat.is_installed - assert filebeat.version.startswith('7.2.1') diff --git a/molecule/kibana/molecule.yml b/molecule/kibana/molecule.yml deleted file mode 100644 index 20ea5e075..000000000 --- a/molecule/kibana/molecule.yml +++ /dev/null @@ -1,61 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - - name: bionic - image: solita/ubuntu-systemd:bionic - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 1024m - - name: xenial - image: solita/ubuntu-systemd:xenial - privileged: true - memory_reservation: 1024m - command: /sbin/init - ulimits: - - nofile:262144:262144 -# - name: trusty -# image: ubuntu:trusty -# memory_reservation: 1024m -# ulimits: -# - nofile:262144:262144 -# - name: centos6 -# image: centos:6 -# privileged: true -# memory_reservation: 1024m -# ulimits: -# - nofile:262144:262144 - - name: centos7 - image: milcom/centos7-systemd - memory_reservation: 1024m - privileged: true - ulimits: - - nofile:262144:262144 -provisioner: - name: ansible - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 256 -verifier: - name: testinfra - lint: - name: flake8 
diff --git a/molecule/filebeat/molecule.yml b/molecule/kibana/molecule.yml.template similarity index 51% rename from molecule/filebeat/molecule.yml rename to molecule/kibana/molecule.yml.template index 5e0555086..eec8f6e3e 100644 --- a/molecule/filebeat/molecule.yml +++ b/molecule/kibana/molecule.yml.template @@ -9,27 +9,18 @@ lint: config-data: ignore: .virtualenv platforms: - # - name: trusty - # image: ubuntu:trusty - - name: bionic - image: solita/ubuntu-systemd:bionic + - name: kibana_platform_ + image: imagename command: /sbin/init + ulimits: + - nofile:262144:262144 privileged: true - - name: xenial - image: solita/ubuntu-systemd:xenial - privileged: true - command: /sbin/init - #- name: centos6 - # image: geerlingguy/docker-centos6-ansible - # privileged: true - # command: /sbin/init - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:ro - - name: centos7 - image: milcom/centos7-systemd - privileged: true + memory_reservation: 1024m provisioner: name: ansible + config_options: + defaults: + hash_behaviour: merge playbooks: docker: create: ../default/create.yml @@ -39,6 +30,10 @@ provisioner: lint: name: ansible-lint enabled: true + inventory: + group_vars: + all: + elasticsearch_jvm_xms: 256 verifier: name: testinfra lint: diff --git a/molecule/kibana/playbook.yml b/molecule/kibana/playbook.yml index 6deac8096..6af17723d 100644 --- a/molecule/kibana/playbook.yml +++ b/molecule/kibana/playbook.yml @@ -2,6 +2,5 @@ - name: Converge hosts: all roles: - - role: elastic-stack/ansible-kibana - \ No newline at end of file + elasticsearch_network_host: 'elasticsearch_bionic' \ No newline at end of file diff --git a/molecule/kibana/playbook.yml.template b/molecule/kibana/playbook.yml.template new file mode 100644 index 000000000..b166ac282 --- /dev/null +++ b/molecule/kibana/playbook.yml.template 
@@ -0,0 +1,6 @@ +--- +- name: Converge + hosts: all + roles: + - role: elastic-stack/ansible-kibana + elasticsearch_network_host: 'elasticsearch_platform' \ No newline at end of file diff --git a/molecule/kibana/prepare.yml b/molecule/kibana/prepare.yml index 7e5ca29d2..c55922191 100644 --- a/molecule/kibana/prepare.yml +++ b/molecule/kibana/prepare.yml @@ -34,8 +34,3 @@ until: wazuh_manager_dependencies_packages_installed is succeeded when: - ansible_os_family == 'RedHat' - - roles: - - role: wazuh/ansible-wazuh-manager - - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'localhost' diff --git a/molecule/wazuh-agent/molecule.yml b/molecule/wazuh-agent/molecule.yml index 953fbb093..a0b050b18 100644 --- a/molecule/wazuh-agent/molecule.yml +++ b/molecule/wazuh-agent/molecule.yml @@ -11,27 +11,27 @@ lint: config-data: ignore: .virtualenv platforms: - - name: wazuh_server_centos7 - image: milcom/centos7-systemd - networks: - - name: wazuh - privileged: true - groups: - - manager + #- name: wazuh_server_centos7 + # image: milcom/centos7-systemd + # networks: + # - name: wazuh + # privileged: true + # groups: + # - manager - name: wazuh_agent_bionic image: ubuntu:bionic networks: - name: wazuh groups: - agent - - name: wazuh_agent_xenial - image: solita/ubuntu-systemd:xenial - privileged: true - command: /sbin/init - networks: - - name: wazuh - groups: - - agent + #- name: wazuh_agent_xenial + # image: solita/ubuntu-systemd:xenial + # privileged: true + # command: /sbin/init + # networks: + # - name: wazuh + # groups: + # - agent #- name: wazuh_agent_trusty # image: ubuntu:trusty # networks: 
@@ -44,15 +44,18 @@ platforms: # - name: wazuh # groups: # - agent - - name: wazuh_agent_centos7 - image: milcom/centos7-systemd - privileged: true - networks: - - name: wazuh - groups: - - agent + #- name: wazuh_agent_centos7 + # image: milcom/centos7-systemd + # privileged: true + # networks: + # - name: wazuh + # groups: + # - agent provisioner: name: ansible + config_options: + defaults: + hash_behaviour: merge playbooks: docker: create: ../default/create.yml diff --git a/molecule/wazuh-agent/molecule.yml.template b/molecule/wazuh-agent/molecule.yml.template new file mode 100644 index 000000000..a0b050b18 --- /dev/null +++ b/molecule/wazuh-agent/molecule.yml.template 
@@ -0,0 +1,89 @@ +--- +dependency: + name: galaxy +driver: + name: docker + #lint: + # name: yamllint +lint: + name: yamllint + options: + config-data: + ignore: .virtualenv +platforms: + #- name: wazuh_server_centos7 + # image: milcom/centos7-systemd + # networks: + # - name: wazuh + # privileged: true + # groups: + # - manager + - name: wazuh_agent_bionic + image: ubuntu:bionic + networks: + - name: wazuh + groups: + - agent + #- name: wazuh_agent_xenial + # image: solita/ubuntu-systemd:xenial + # privileged: true + # command: /sbin/init + # networks: + # - name: wazuh + # groups: + # - agent + #- name: wazuh_agent_trusty + # image: ubuntu:trusty + # networks: + # - name: wazuh + # groups: + # - agent + #- name: wazuh_agent_centos6 + # image: centos:6 + # networks: + # - name: wazuh + # groups: + # - agent + #- name: wazuh_agent_centos7 + # image: milcom/centos7-systemd + # privileged: true + # networks: + # - name: wazuh + # groups: + # - agent +provisioner: + name: ansible + config_options: + defaults: + hash_behaviour: merge + playbooks: + docker: + create: ../default/create.yml + destroy: ../default/destroy.yml + env: + ANSIBLE_ROLES_PATH: ../../roles + inventory: + group_vars: + agent: + api_pass: password + wazuh_managers: + - address: "{{ wazuh_manager_ip }}" + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: null + wazuh_agent_authd: + enable: true + port: 1515 + ssl_agent_ca: null + ssl_agent_cert: null + ssl_agent_key: null + ssl_auto_negotiate: 'no' + lint: + name: ansible-lint + enabled: true +verifier: + name: testinfra + lint: + name: flake8 diff --git a/molecule/wazuh-agent/playbook.yml b/molecule/wazuh-agent/playbook.yml index 5b8695695..4feac0c26 100644 --- a/molecule/wazuh-agent/playbook.yml +++ b/molecule/wazuh-agent/playbook.yml 
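Review bot: This template is identical to molecule/wazuh-agent/molecule.yml (both index lines show blob `a0b050b18`) and contains neither the `imagename` nor the `platform_` placeholder used by the other templates. run_cluster_mode.sh also does not list `molecule/wazuh-agent/` in `paths`, so nothing ever renders it. Its `group_vars` still set `address: "{{ wazuh_manager_ip }}"`, but the `pre_tasks` that defined `wazuh_manager_ip` are removed from playbook.yml in this commit; the value is presumably shadowed by the role `vars` there, which would make this block dead configuration. If the block stays, `api_pass: password` together with `api_proto: 'http'` should carry a comment such as `# test-only credentials, plain HTTP inside the molecule network`.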
@@ -1,20 +1,18 @@ --- - name: Converge - hosts: agent - pre_tasks: - - name: "Get ip Wazuh Manager" - shell: | - set -o pipefail - grep $(hostname) /etc/hosts | awk '{print $1}' | sort | head -n 2 | tail -n 1 - register: wazuh_manager_ip_stdout - changed_when: false - delegate_to: wazuh_server_centos7 - args: - executable: /bin/bash - - - name: "Set fact for ip address" - set_fact: - wazuh_manager_ip: "{{ wazuh_manager_ip_stdout.stdout }}" - + hosts: all roles: - role: wazuh/ansible-wazuh-agent + vars: + wazuh_managers: + - address: 'manager_platform' + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + wazuh_agent_authd: + enable: true + port: 1515 + ssl_agent_ca: null + ssl_auto_negotiate: 'no' diff --git a/molecule/wazuh-agent/playbook.yml.template b/molecule/wazuh-agent/playbook.yml.template new file mode 100644 index 000000000..4feac0c26 --- /dev/null +++ b/molecule/wazuh-agent/playbook.yml.template @@ -0,0 +1,18 @@ +--- +- name: Converge + hosts: all + roles: + - role: wazuh/ansible-wazuh-agent + vars: + wazuh_managers: + - address: 'manager_platform' + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + wazuh_agent_authd: + enable: true + port: 1515 + ssl_agent_ca: null + ssl_auto_negotiate: 'no' diff --git a/molecule/filebeat/Dockerfile.j2 b/molecule/worker/Dockerfile.j2 similarity index 100% rename from molecule/filebeat/Dockerfile.j2 rename to molecule/worker/Dockerfile.j2 diff --git a/molecule/worker/molecule.yml.template b/molecule/worker/molecule.yml.template new file mode 100644 index 000000000..ecfe6469b --- /dev/null +++ b/molecule/worker/molecule.yml.template 
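Review bot: `address: 'manager_platform'` in molecule/wazuh-agent/playbook.yml is the unrendered template placeholder: playbook.yml and playbook.yml.template carry the same blob id (`4feac0c26`), and run_cluster_mode.sh never substitutes files under molecule/wazuh-agent/. The manager containers produced by the default scenario are named after the chosen platform (e.g. `manager_bionic`), so the agent will most likely fail to resolve its manager. Either add the directory to `paths` in the script or commit a rendered value such as `address: 'manager_bionic'`. As far as the visible settings show, `ssl_agent_ca: null` and `ssl_auto_negotiate: 'no'` with `api_proto: 'http'` mean the agent enrols without verifying the manager; that is acceptable on a throwaway network but deserves a `# test-only` comment.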
@@ -0,0 +1,53 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + ignore: .virtualenv +platforms: + - name: worker_platform_ + image: imagename + command: /sbin/init + ulimits: + - nofile:262144:262144 + privileged: true + memory_reservation: 2048m +provisioner: + name: ansible + config_options: + defaults: + hash_behaviour: merge + playbooks: + docker: + create: ../default/create.yml + destroy: ../default/destroy.yml + prepare: ../default/prepare.yml + env: + ANSIBLE_ROLES_PATH: ../../roles + lint: + name: ansible-lint + enabled: true +scenario: + name: worker + test_sequence: + - lint + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy +verifier: + name: testinfra + lint: + name: flake8 diff --git a/molecule/worker/playbook.yml b/molecule/worker/playbook.yml new file mode 100644 index 000000000..a59f93f2e --- /dev/null +++ b/molecule/worker/playbook.yml @@ -0,0 +1,21 @@ +--- +- name: Converge + hosts: all + roles: + - role: wazuh/ansible-wazuh-manager + vars: + wazuh_manager_config: + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'worker-01' + node_type: 'worker' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager_bionic' + hidden: 'no' + - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' } + + diff --git a/molecule/worker/playbook.yml.template b/molecule/worker/playbook.yml.template new file mode 100644 index 000000000..45b12d1dd --- /dev/null +++ b/molecule/worker/playbook.yml.template 
@@ -0,0 +1,21 @@ +--- +- name: Converge + hosts: all + roles: + - role: wazuh/ansible-wazuh-manager + vars: + wazuh_manager_config: + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'worker-01' + node_type: 'worker' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager_platform' + hidden: 'no' + - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' } + + diff --git a/molecule/worker/tests/test_default.py b/molecule/worker/tests/test_default.py new file mode 100644 index 000000000..8dc96bbf4 --- /dev/null +++ b/molecule/worker/tests/test_default.py 
@@ -0,0 +1,85 @@ +import os +import pytest + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + + +def get_wazuh_version(): + """This return the version of Wazuh.""" + return "3.9.5" + + +def test_wazuh_packages_are_installed(host): + """Test if the main packages are installed.""" + manager = host.package("wazuh-manager") + api = host.package("wazuh-api") + + distribution = host.system_info.distribution.lower() + if distribution == 'centos': + if host.system_info.release == "7": + assert manager.is_installed + assert manager.version.startswith(get_wazuh_version()) + assert api.is_installed + assert api.version.startswith(get_wazuh_version()) + elif host.system_info.release.startswith("6"): + assert manager.is_installed + assert manager.version.startswith(get_wazuh_version()) + elif distribution == 'ubuntu': + assert manager.is_installed + assert manager.version.startswith(get_wazuh_version()) + + +def test_wazuh_services_are_running(host): + """Test if the services are enabled and running. 
+ + When assert commands are commented, this means that the service command has + a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 + """ + manager = host.service("wazuh-manager") + api = host.service("wazuh-api") + + distribution = host.system_info.distribution.lower() + if distribution == 'centos': + # assert manager.is_running + assert manager.is_enabled + # assert not api.is_running + assert not api.is_enabled + elif distribution == 'ubuntu': + # assert manager.is_running + assert manager.is_enabled + # assert api.is_running + assert api.is_enabled + + +@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ + ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), + ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640), + ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640), + ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640), +]) +def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): + """Test if Wazuh related files exist and have proper owners and mode.""" + wazuh_file_host = host.file(wazuh_file) + + assert wazuh_file_host.user == wazuh_owner + assert wazuh_file_host.group == wazuh_group + assert wazuh_file_host.mode == wazuh_mode + + +def test_open_ports(host): + """Test if the main port is open and the agent-auth is not open.""" + distribution = host.system_info.distribution.lower() + if distribution == 'ubuntu': + assert host.socket("tcp://0.0.0.0:1514").is_listening + elif distribution == 'centos': + assert host.socket("tcp://127.0.0.1:1514").is_listening + + +def test_filebeat_is_installed(host): + """Test if the elasticsearch package is installed.""" + filebeat = host.package("filebeat") + assert filebeat.is_installed + assert filebeat.version.startswith('7.2.1') diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 6041c64dc..8c7c1f169 100644 
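Review bot: `test_wazuh_packages_are_installed` in molecule/worker/tests/test_default.py passes without asserting anything when the distribution is neither `centos` nor `ubuntu`, or when a CentOS release is neither `7` nor `6.x`, so a platform added later would be reported green without being tested. Close both chains with an explicit failure, e.g. `else: pytest.fail('unsupported platform: ' + distribution)`. On the Ubuntu branch the API package is not checked at all, although `test_wazuh_services_are_running` expects `api.is_enabled` there; if that is deliberate for worker nodes, say so in the docstring.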
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -35,9 +35,7 @@ wazuh_manager_config: port: '1516' bind_addr: '0.0.0.0' nodes: - - '172.17.0.2' - - '172.17.0.3' - - '172.17.0.4' + - 'manager' hidden: 'no' connection: - type: 'secure' diff --git a/run_cluster_mode.sh b/run_cluster_mode.sh new file mode 100644 index 000000000..c1a0941d9 --- /dev/null +++ b/run_cluster_mode.sh @@ -0,0 +1,43 @@ +#!/bin/bash + +paths=( "molecule/default/" "molecule/worker/" "molecule/elasticsearch/" "molecule/kibana/" ) +images=( "solita/ubuntu-systemd:bionic" "solita/ubuntu-systemd:xenial" "milcom/centos7-systemd" "ubuntu:trusty" "centos:6" ) +platform=( "bionic" "xenial" "centos7" "trusty" "centos6" ) + +echo "Please select an image. " + +select IMAGE in "${images[@]}"; +do + echo "You picked $IMAGE ($REPLY)" + break +done + +index=$(($REPLY - 1)) + +if [ -z "$IMAGE" ] +then + echo "Platform not selected. Please select a platform of [bionuc, xenial or centos7]. => Aborting" + exit +else + for i in "${paths[@]}" + do + cp "$i/playbook.yml.template" "$i/playbook.yml" + sed -i "s/platform/${platform[$index]}/g" "$i/playbook.yml" + + cp "$i/molecule.yml.template" "$i/molecule.yml" + sed -i "s|imagename|${images[$index]}|g" "$i/molecule.yml" + sed -i "s/platform_/${platform[$index]}/g" "$i/molecule.yml" + + done +fi + +sudo pipenv run elasticsearch +sudo pipenv run test +sudo pipenv run worker +sudo pipenv run kibana + +sudo pipenv run destroy +sudo pipenv run destroy_worker +sudo pipenv run destroy_elasticsearch +sudo pipenv run destroy_kibana +
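Review bot: The role default for `cluster.nodes` changes from three addresses to the single hostname `'manager'`, and this is a role-wide default rather than a test fixture. Anyone enabling cluster mode without overriding `nodes` now depends on a host called `manager` resolving in their environment. None of the scenarios in this commit use that name (they set `manager_bionic` / `manager_platform`), so the tests do not exercise the new default either. Consider documenting the key instead, e.g. `# nodes: address or resolvable hostname of the master node; must be overridden per deployment`. The context lines keep `bind_addr: '0.0.0.0'`, so access to port 1516 should be restricted at the network level wherever the default is used.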
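Review bot: In run_cluster_mode.sh, `index=$(($REPLY - 1))` evaluates the raw menu reply in arithmetic context before the `-z "$IMAGE"` check has established that it was a valid choice, and the abort path then ends with a bare `exit`, i.e. status 0. I would validate first, compute the index afterwards and exit non-zero, as sketched below; the abort message also misspells bionic and names only three of the five offered images. The substitution `s/platform/…/g` matches any occurrence of "platform", and the `bionics:` key committed in molecule/elasticsearch/molecule.yml looks like a result of exactly that; a distinctive token (for example `@PLATFORM@`) in the templates would be safer. Neither `cp` nor `sed` is checked for failure, and running molecule through `sudo pipenv` leaves root-owned files in the checkout, so the need for root should be documented or removed.

```shell
# … unchanged: paths / images / platform arrays and the select loop …

if [ -z "${IMAGE:-}" ]
then
    echo "Platform not selected. Please pick one of the listed images. => Aborting" >&2
    exit 1
fi

# IMAGE is non-empty only when select accepted REPLY as a valid menu number,
# so the arithmetic below no longer sees unvalidated input.
index=$((REPLY - 1))

for i in "${paths[@]}"
do
    # … unchanged: cp/sed rendering of playbook.yml and molecule.yml …
done

# … unchanged: pipenv run test and destroy commands …
```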