Merge pull request #717 from stackhpc/wazuh-remote-commands-fix

Fix custom sca policies remote checks

Author: markgoddard

etc/kayobe/ansible/wazuh-agent.yml

@@ -5,3 +5,35 @@
   tasks:
     - import_role:
         name: "wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-wazuh-agent"
+  post_tasks:
+    - name: Check if custom SCA policies directory exists
+      stat:
+        path: "{{ local_custom_sca_policies_path }}"
+      register: custom_sca_policies_folder
+      delegate_to: localhost
+
+    - name: Gather list of custom SCA policies
+      find:
+        paths: "{{ local_custom_sca_policies_path }}"
+        patterns: '*.yml'
+      delegate_to: localhost
+      register: custom_sca_policies
+      when: custom_sca_policies_folder.stat.exists
+
+    - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+      become: yes
+      blockinfile:
+        path: "/var/ossec/etc/local_internal_options.conf"
+        state: present
+        owner: wazuh
+        group: wazuh
+        block: sca.remote_commands=1
+      when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh-agent
+
+  handlers:
+    - name: Restart wazuh-agent
+      service:
+        name: wazuh-agent
+        state: restarted

etc/kayobe/ansible/wazuh-manager.yml

@@ -32,16 +32,7 @@
           delegate_to: localhost
           register: custom_sca_policies
           when: custom_sca_policies_folder.stat.exists
-
-        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
-          blockinfile:
-            path: "/var/ossec/etc/local_internal_options.conf"
-            state: present
-            owner: wazuh
-            group: wazuh
-            block: |
-              sca.remote_commands=1
-          when: custom_sca_policies.files | length > 0
+          become: no
 
         - name: Copy custom SCA policy files to Wazuh manager
           copy:
@@ -112,7 +103,6 @@
     - name: Perform health check against filebeat
       command: filebeat test output
       changed_when: false
-      become: true
       retries: 2
 
   handlers:

etc/kayobe/inventory/group_vars/all/wazuh

@@ -0,0 +1,3 @@
+---
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -24,9 +24,6 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
-# Ansible custom SCA policies directory
-local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
-
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 

releasenotes/notes/fix-wazuh-custom-sca-policies-f16c7f0eae8265a5.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    When using custom SCA policies for Wazuh, the agents are now correctly
+    configured to allow commands to be executed from the manager.