diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07dbc0d..784839b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
 ### Changed
+- Migrated certificates and passwords changes for AMI. ([#73](https://github.com/wazuh/wazuh-virtual-machines/pull/73))
 - Add a new input for wazuh-virtual-machines reference to the OVA and AMI workflows ([#70](https://github.com/wazuh/wazuh-virtual-machines/pull/70))
 - Adapted repository selection in OVA generation ([#58](https://github.com/wazuh/wazuh-virtual-machines/pull/58))
 - Modify the AMI GHA workflow with the new Installation Assistant logic ([#55](https://github.com/wazuh/wazuh-virtual-machines/pull/55))
diff --git a/ami/playbooks/build_ami_packages.yaml b/ami/playbooks/build_ami_packages.yaml
index dd210e0..874756c 100644
--- a/ami/playbooks/build_ami_packages.yaml
+++ b/ami/playbooks/build_ami_packages.yaml
@@ -12,12 +12,15 @@
 builder_script_name: 'builder.sh'
 installer_script_name: 'wazuh-install.sh'
 passwords_tool_script_name: 'wazuh-passwords-tool.sh'
+ certs_tool_script_name: 'wazuh-certs-tool.sh'
 passwords_file_name: 'wazuh-passwords.txt'
+ config_file_name: 'config.yml'
 ova_custom_path: 'ova/assets/'
 automatic_ram_script_path: 'ova/assets/custom'
 installation_assistant_directory: '{{ provision_path }}/wazuh-installation-assistant'
+ config_file_path: 'config/certificate/config_aio.yml'
 rpm_packages:
 - git
@@ -120,10 +123,24 @@
 dest: "/etc/.{{ passwords_tool_script_name }}"
 remote_src: yes
+ - name: Build Wazuh certs tool script
+ shell: "bash {{ installation_assistant_directory }}/{{ builder_script_name }} -c"
- ###############################
- # Edit unattended script
- ###############################
+ - name: Copy wazuh-certs-tool script
+ copy:
+ src: "{{ installation_assistant_directory }}/{{ certs_tool_script_name }}"
+ dest: "/etc/.{{ certs_tool_script_name }}"
+ remote_src: yes
+
+ - name: Copy config.yml file
+ copy:
+ src: "{{ installation_assistant_directory }}/{{ config_file_path }}"
+ dest: "/etc/{{ config_file_name }}"
+ remote_src: yes
+
+ ##########################################
+ # Edit Wazuh installation assistant script
+ ##########################################
 - name: Add full debug
 replace:
@@ -158,9 +175,6 @@
 - name: Modify install script
 shell: cat {{ installation_assistant_directory }}/{{ installer_script_name }}
- - name: Modify install script
- shell: sed -i "s/passwords_checkPassword .*/echo/g" /etc/.{{ passwords_tool_script_name }}
-
 ###############################
 # Install stage
 ###############################
@@ -196,7 +210,7 @@
 - wazuh-states-vulnerabilities
 - wazuh-statistics
 - wazuh-monitoring
-
+
 - name: Set old password fact
 shell: >
 old_password=$(cat /etc/.wazuh-install-files/{{ passwords_file_name }} | grep -P "\\'admin\\'" -A 1 | grep indexer_password | awk -F"'" '{print $2}') && echo $old_password
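Review bot: The two copy tasks parameterize their destinations through `certs_tool_script_name` and `config_file_name`, but the shell block in the `@@ -247` hunk then hard-codes `/etc/.wazuh-certs-tool.sh` and `/etc/config.yml` in both the `bash … -A` call and the closing `rm -rf`, so changing either variable would leave the copies succeeding while the build runs a path that no longer exists. The shell block should use the same templated paths, e.g. `bash /etc/.{{ certs_tool_script_name }} -A` and `/etc/.{{ certs_tool_script_name }} /etc/{{ config_file_name }}` in the cleanup line. Neither copy sets `mode:`, so the permissions of the staged script and config come from Ansible's defaults for `copy` with `remote_src`; pinning `mode: '0700'` on the script copy would make that explicit rather than inherited. The task list these tasks belong to begins before this hunk.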
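Review bot: Dropping the `sed` that turned `passwords_checkPassword` into `echo` means the passwords tool now enforces its own password rules, and the `@@ -247` hunk feeds it a password derived from the EC2 instance id with only its first character upper-cased (`awk '{print toupper(substr($0,1,1)) substr($0,2)}'`). Whether every instance id satisfies those rules cannot be told from this page, and nothing in that shell block checks the tool's exit status, so a rejected password would leave the image with its previous credentials while the build still reports success. Assuming the block is a literal `|` scalar, a `set -e` on its first line, or an explicit check after `bash /etc/.wazuh-passwords-tool.sh -a -A -au wazuh -ap wazuh -f …`, would make that failure visible. The surrounding task list continues outside this hunk.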
@@ -247,9 +261,44 @@
 sleep 10
 done
- new_password=$(ec2-metadata | grep "instance-id" | cut -d":" -f2 | tr -d " ")
+ bash /etc/.wazuh-certs-tool.sh -A
+ mv -f /etc/wazuh-certificates/wazuh-indexer.pem /etc/wazuh-indexer/certs/wazuh-indexer.pem
+ mv -f /etc/wazuh-certificates/wazuh-indexer-key.pem /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
+ mv -f /etc/wazuh-certificates/admin.pem /etc/wazuh-indexer/certs/admin.pem
+ mv -f /etc/wazuh-certificates/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
+ cp /etc/wazuh-certificates/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
+ chmod 500 /etc/wazuh-indexer/certs
+ chmod 400 /etc/wazuh-indexer/certs/*
+ chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
+ systemctl restart wazuh-indexer
+ /usr/share/wazuh-indexer/bin/indexer-security-init.sh
+
+ mv -f /etc/wazuh-certificates/wazuh-server.pem /etc/filebeat/certs/wazuh-server.pem
+ mv -f /etc/wazuh-certificates/wazuh-server-key.pem /etc/filebeat/certs/wazuh-server-key.pem
+ cp /etc/wazuh-certificates/root-ca.pem /etc/filebeat/certs/root-ca.pem
+ chmod 500 /etc/filebeat/certs
+ chmod 400 /etc/filebeat/certs/*
+ chown -R root:root /etc/filebeat/certs
+ systemctl restart filebeat
+
+ rm -f /var/ossec/api/configuration/security/*_key.pem
+ rm -f /var/ossec/api/configuration/ssl/server.*
+ systemctl restart wazuh-manager
+
+ mv -f /etc/wazuh-certificates/wazuh-dashboard.pem /etc/wazuh-dashboard/certs/wazuh-dashboard.pem
+ mv -f /etc/wazuh-certificates/wazuh-dashboard-key.pem /etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+ cp /etc/wazuh-certificates/root-ca.pem /etc/wazuh-dashboard/certs/root-ca.pem
+ chmod 500 /etc/wazuh-dashboard/certs
+ chmod 400 /etc/wazuh-dashboard/certs/*
+ chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
+ systemctl restart wazuh-dashboard
+
+ rm -rf /etc/wazuh-certificates /etc/.wazuh-certs-tool.sh /etc/config.yml /etc/wazuh-certificates-tool.log
+
+ new_password=$(ec2-metadata | grep "instance-id" | cut -d":"
-f2 | tr -d " "| awk '{print toupper(substr($0,1,1)) substr($0,2)}')
 sed -i "s/password:.*/password: ${new_password}/g" /etc/.wazuh-install-files/{{ passwords_file_name }}
- bash /etc/.wazuh-passwords-tool.sh -f /etc/.wazuh-install-files/{{ passwords_file_name }}
+ bash /etc/.wazuh-passwords-tool.sh -a -A -au wazuh -ap wazuh -f /etc/.wazuh-install-files/{{ passwords_file_name }}
+ systemctl restart wazuh-dashboard
 rm -f /etc/.changePasswords.sh /etc/.wazuh-passwords-tool.sh /etc/.wazuh-install-files/{{ passwords_file_name }} /var/log/wazuh-passwords-tool.log
 rmdir /etc/.wazuh-install-files
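Review bot: `/usr/share/wazuh-indexer/bin/indexer-security-init.sh` is called immediately after `systemctl restart wazuh-indexer`, and `systemctl restart` typically returns once the unit is started rather than once the indexer accepts connections, so the security init can run against a port that is not listening yet; the loop whose `sleep 10` / `done` tail opens this hunk appears to exist for that readiness wait, and repeating it (or an equivalent poll) between the restart and the init call would close the gap. In the same way, nothing checks that `bash /etc/.wazuh-certs-tool.sh -A` actually produced the files before the `mv -f` calls, the service restarts and the final `rm -rf /etc/wazuh-certificates …` run, so a failed generation would restart every service without certificates and then erase the evidence while the build reports success; the `set -e` proposed on the `@@ -158` hunk covers this block too, provided it is a literal `|` scalar. The `-au wazuh -ap wazuh` arguments put the API credentials on the command line, where they appear in the process list and in Ansible's recorded command for this task; they are the image's stock defaults here, but `no_log: true` on the task would keep that from mattering if they ever stop being defaults. The shell block this belongs to starts before this hunk.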