Install Ansible

In this section, we will proceed to install the Ansible server. To be able to deploy using Ansible, we need to have the tool installed on a single server. From this control server, Ansible will access other endpoints and execute the playbooks configured for any type of deployment or installation.

In the example we will follow in this guide, we have the following infrastructure.

  • Ansible server

  • ThreatLockDown server

  • ThreatLockDown agent

Note

OpenSSH Compatibility: Ansible version 1.3 and later uses native OpenSSH for remote communication.

Windows endpoints

Windows endpoints are supported by Ansible from version 1.7 via the remote execution of PowerShell. As opposed to Linux endpoints, it is necessary to do some pre-work before being able to use Ansible on Windows endpoints. Please refer to the Windows Guide in the official documentation of Ansible.

The following minimum requirements should be met to use Ansible on Windows endpoints:

  • Windows versions under current and extended support from Microsoft. Ansible can manage desktop OSs including Windows 7, 8.1, and 10, and server OSs including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019.

  • PowerShell 3.0 or newer.

  • At least .NET version 4.0 should be installed on the Windows endpoint.

  • A WinRM listener should be created and activated.

Before deploying on your Windows endpoints, you must set Ansible to use port 5986 . Edit the /etc/ansible/hosts file and add a configuration block for the Windows agents. For example:

[windows_agents]
agent1 ansible_host=192.168.1.101 ansible_port=5986
agent2 ansible_host=192.168.1.102 ansible_port=5986
agent3 ansible_host=192.168.1.103 ansible_port=5986

Where:

  • windows_agents is a host group name for the Windows agents.

  • agent1, agent2, and agent3 are names for each host.

  • 192.168.1.101103 are the respective Windows host IP addresses.

Make sure to replace these values with your Windows agents actual data. Add and remove lines accordingly.

Installation on CentOS/RHEL/Fedora

  1. Install the EPEL repository:

    # yum -y install epel-release
    
  2. Install Ansible:

    # yum install ansible
    

Installation on Debian/Ubuntu

For Debian and Ubuntu, we will use the Ansible PPA repository. The steps are as follows:

  1. Install required dependencies:

    # apt-get update
    # apt-get install lsb-release software-properties-common
    
  2. Setup ansible repository:

    # apt-add-repository -y ppa:ansible/ansible
    # apt-get update
    
  3. Finally, install ansible:

    # apt-get install ansible
    

Remote Connection

Ansible is an agentless automation platform. Hence, it relies on SSH connections to make deployments to remote endpoints. These connections can be made from the Ansible server using SSH key-pairing.

Configuring SSH key-pairing

Our Ansible server will need to connect to the other endpoints. Let’s see how to make this connection between our ansible server and the machine where we will install the ThreatLockDown server. This procedure has to be repeated for each machine we want to connect to the Ansible server. For example, the endpoints where ThreatLockDown agents will be deployed.

  1. The first step is to generate the SSH authentication key pair for the root user of the Ansible server using the ssh-keygen tool.

    1. Switch to root and navigate to the $HOME directory of the Ansible server.

      $ sudo su
      # cd ~
      
    2. Generate an authentication key pair for SSH. If you wish to, you can include a passphrase.

      # ssh-keygen
      
    3. Check the permissions of the generated keys.

      # ls -la ~/.ssh
      

      id_rsa must have restrictive permissions (600 or “- r w - - - - - - -“).

      drwx------. 2 root root   57 Mar 18 10:06 .
      dr-xr-x---. 5 root root  210 Mar 18 08:44 ..
      -rw-------. 1 root root 1675 Mar 18 12:34 id_rsa
      -rw-r--r--. 1 root root  408 Mar 18 12:34 id_rsa.pub
      -rw-r--r--. 1 root root  175 Mar 18 10:14 known_hosts
      

      In addition, the /root/.ssh/ directory must have its permissions set to 700 (d r w x - - - - - -). The permissions can be set using the command below:

      # chmod 700 ~/.ssh/
      
  2. Now, proceed to copy the public key of the Ansible server to the ~/.ssh/authorized_keys file in the $HOME directory of the remote system (the ThreatLockDown server in this example).

    1. On the remote system, install openssh-server if it is not installed.

      # yum install openssh-server
      
    2. Start the SSH service.

      # systemctl start sshd
      
    3. Move to the $HOME directory of the remote system.

      $ cd ~
      
    4. Check for the .ssh directory. If it does not exist, create the .ssh directory and assign the appropriate permissions to it:

      $ mkdir .ssh
      $ chmod 700 .ssh/
      
    5. If the authorized_keys file does not exist in the .ssh/ directory, create it with the appropriate permissions, otherwise public key authentication will not work properly:

      $ touch .ssh/authorized_keys
      $ chmod 644 .ssh/authorized_keys
      
  3. Return to the Ansible server and add the public key (id_rsa.pub) of the Ansible server to the ~/.ssh/authorized_keys file in the $HOME directory of the ThreatLockDown server using SSH.

    1. From the Ansible server, run the following command:

      # cat ~/.ssh/id_rsa.pub | ssh centos@192.168.33.31 "cat >> ~/.ssh/authorized_keys"
      
    2. When we read the ThreatLockDown server ~/.ssh/authorized_keys, we can see it contains the public key of the ansible server.

      $ cat .ssh/authorized_keys
      
  4. Before the public key authentication mechanism can be tested, we have to verify that the SSH configuration on the remote endpoint allows it. To do this, open the file /etc/ssh/sshd_config on the ThreatLockDown server.

    # vi /etc/ssh/sshd_config
    
    1. Check that the following lines are uncommented:

      PubkeyAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys
    2. Restart the ssh service.

      # systemctl restart sshd
      
    3. Verify that the authentication with the public key works. Test from the Ansible server.

      # ssh centos@192.168.33.31
      

      It is expected that we will gain access without having to enter a password.

Testing the Ansible connection to remote endpoints

  1. Add endpoints for management by Ansible.

    This is done by including the hostname or IP Address in /etc/ansible/hosts on our Ansible server. In this case, we intend to use the Ansible playbooks to deploy the ThreatLockDown indexer, dashboard, and manager on one server (all-in-one deployment). The IP address of the server is 192.168.33.31 and the user is centos.

    We proceed to add the following entry to the /etc/ansible/hosts file:

    [all_in_one]
    192.168.33.31 ansible_ssh_user=centos
    

    Note

    Python 3 usage: In some systems, such as Ubuntu 18, we may have problems with the use of Python interpreter due to its version and the default path where Ansible checks for it. If this happens, we must add the following line to the Ansible host file:

    <endpoint_IP> ansible_ssh_user=<ssh_user>

    ansible_python_interpreter=/usr/bin/python3

  2. Attempt a connection with the remote endpoints using the ping module.

    # ansible all -m ping
    

    The expected output is:

    192.168.33.31 | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }
    

This way, we confirm that the Ansible server reaches the remote system.

Playbooks and Roles

We can obtain the necessary playbooks and roles for the installation of the ThreatLockDown server components, and ThreatLockDown agents by cloning the wazuh-ansible repository in /etc/ansible/roles.

On the Ansible server, the following commands are run:

# cd /etc/ansible/roles/
# sudo git clone --branch v4.9.0 https://github.com/wazuh/wazuh-ansible.git
# ls
wazuh-ansible