From d6c8e068c7f60895d13ee1d230d0503af0cbc4fd Mon Sep 17 00:00:00 2001
From: George Matthews
Date: Tue, 12 May 2026 15:05:19 +0100
Subject: [PATCH 1/2] Add ansible lint
---
 .github/workflows/lint.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 00000000..648cd9b8
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,30 @@
+name: OS Builders PR
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ lint:
+ name: Ansible Lint
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ # To report GitHub Actions status checks
+ statuses: write
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ # super-linter needs the full git history to get the
+ # list of files that changed across commits
+ fetch-depth: 0
+ submodules: true
+
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint@5fac056c45595896c973fbde871f01f6cb14d74c
From 4c129b35278f5dd77a0641a653b3250a6f8153ff Mon Sep 17 00:00:00 2001
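Review bot: `actions/checkout@v4` is pinned to a mutable tag while `ansible/ansible-lint` on the last line is pinned to a full commit SHA, so the supply-chain pin policy in this new workflow is inconsistent; pin checkout to a SHA as well, e.g. `uses: actions/checkout@<commit-sha> # v4`, with the tag kept in the trailing comment for readability. The `permissions` block grants `packages: read` and `statuses: write`, neither of which the single ansible-lint step visibly needs, so they can likely be dropped, leaving `contents: read`. The `# super-linter needs the full git history …` comment was carried over from a super-linter template; ansible-lint lints the checked-out tree rather than a commit range, so either drop `fetch-depth: 0` or reword the comment to say why a full clone (and `submodules: true`) is required here. Since the workflow also runs on pushes to `main`, `name: Lint` describes it better than `OS Builders PR`.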
From: George Matthews
Date: Tue, 12 May 2026 15:35:34 +0100
Subject: [PATCH 2/2] Fix Linting
---
 .../roles/tidy_image/tasks/logrotate.yml | 13 +-
 os_builders/roles/tidy_image/tasks/main.yml | 40 ++--
 os_builders/roles/tidy_image/tasks/reboot.yml | 2 -
 .../tidy_image/tasks/remove_host_ssh_keys.yml | 2 +-
 .../tidy_image/tasks/remove_shell_history.yml | 4 +-
 .../roles/tidy_image/tasks/run_pakiti.yml | 2 +-
 .../roles/tidy_image/tasks/run_quattor.yml | 6 +-
 .../roles/tidy_image/tasks/set_locale.yml | 50 +++--
 os_builders/roles/tidy_image/tasks/wazuh.yml | 8 +-
 .../vm_baseline/tasks/add_user_security.yml | 2 +-
 os_builders/roles/vm_baseline/tasks/cron.yml | 9 +-
 .../vm_baseline/tasks/disable_selinux.yml | 4 +-
 .../roles/vm_baseline/tasks/locale.yml | 1 -
 os_builders/roles/vm_baseline/tasks/main.yml | 24 +--
 .../roles/vm_baseline/tasks/pakiti.yml | 23 +--
 .../vm_baseline/tasks/qemu-guest-agent.yml | 6 +-
 .../roles/vm_baseline/tasks/rsyslog.yml | 6 +-
 os_builders/roles/vm_baseline/tasks/ssh.yml | 22 +-
 .../ukscienceca/install_ukscienceca_rocky.yml | 12 +-
 .../install_ukscienceca_ubuntu.yml | 10 +-
 .../roles/vm_baseline/tasks/update.yml | 18 +-
 os_builders/roles/vm_baseline/tasks/wazuh.yml | 191 +++++++++---------
 .../tasks/wazuh/install_wazuh_rocky.yml | 6 +-
 .../tasks/wazuh/install_wazuh_ubuntu.yml | 2 +-
 24 files changed, 227 insertions(+), 236 deletions(-)
diff --git a/os_builders/roles/tidy_image/tasks/logrotate.yml b/os_builders/roles/tidy_image/tasks/logrotate.yml
index 5231cb64..20db58a6 100644
--- a/os_builders/roles/tidy_image/tasks/logrotate.yml
+++ b/os_builders/roles/tidy_image/tasks/logrotate.yml
@@ -1,24 +1,23 @@ - name: Remove duplicate /etc/logrotate.d/btmp - file: + ansible.builtin.file: path: "/etc/logrotate.d/btmp" state: absent - when: ansible_distribution == "Rocky" + when: ansible_distribution == "Rocky" become: true - name: Remove duplicate /etc/logrotate.d/wtmp - file: + ansible.builtin.file: path: "/etc/logrotate.d/wtmp" state: absent - when: ansible_distribution == "Rocky" + when: ansible_distribution == "Rocky" become: true - - name: Clear Audit log - shell: "logrotate -f /etc/logrotate.conf" + ansible.builtin.shell: "logrotate -f /etc/logrotate.conf" become: true - name: Cleanout /var/log/*.gz - file: + ansible.builtin.file: path: "/var/log/*.gz" state: absent become: true diff --git a/os_builders/roles/tidy_image/tasks/main.yml b/os_builders/roles/tidy_image/tasks/main.yml index b63cb022..72c809f0 100644 --- a/os_builders/roles/tidy_image/tasks/main.yml +++ b/os_builders/roles/tidy_image/tasks/main.yml 
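Review bot: The `Cleanout /var/log/*.gz` task at the end of this hunk cannot work as written: `ansible.builtin.file` treats `path` literally and does not expand `*`, so `/var/log/*.gz` is looked up as one non-existent filename, the task reports ok, and the rotated logs from the build stay in the image. Use `ansible.builtin.find` over `/var/log` with `patterns: "*.gz"` and remove each match with a looped `ansible.builtin.file`, as below. The task named `Clear Audit log` only runs `logrotate -f` (the audit log is handled by the separate `clear_audit_log.yml`), so it should be named `Force a logrotate run`; it also has no pipe or redirection, so `ansible.builtin.command` with `changed_when: true` is the better fit and avoids ansible-lint's `command-instead-of-shell` and `no-changed-when` findings, if those rules are enabled in the profile used.

```yaml
- name: Find rotated logs from the build
  ansible.builtin.find:
    paths: /var/log
    patterns: "*.gz"
    recurse: true
  register: found_gz
  become: true

- name: Cleanout /var/log/*.gz
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ found_gz.files }}"
  become: true
```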
@@ -5,38 +5,38 @@ ansible.builtin.meta: flush_handlers - name: Check if we are in a container from the GitHub workflows - become: true ansible.builtin.command: "cat /proc/self/cgroup" register: in_container_check + become: true -- name: set_fact for checking container +- name: Set_fact for checking container ansible.builtin.set_fact: in_container: "{{ in_container_check.stdout != '0::/' }}" -- include_tasks: reboot.yml +- ansible.builtin.include_tasks: reboot.yml when: in_container -- include_tasks: get_package_facts.yml -- include_tasks: run_quattor.yml +- ansible.builtin.include_tasks: get_package_facts.yml +- ansible.builtin.include_tasks: run_quattor.yml when: ansible_distribution == "Rocky" -- include_tasks: get_package_facts.yml -- include_tasks: cleanout_tmp.yml -- include_tasks: cleanout_rc_directories.yml -- include_tasks: cleanup_network_conf.yml -- include_tasks: set_locale.yml -- include_tasks: wazuh.yml -- include_tasks: cleanup_quattor.yml +- ansible.builtin.include_tasks: get_package_facts.yml +- ansible.builtin.include_tasks: cleanout_tmp.yml +- ansible.builtin.include_tasks: cleanout_rc_directories.yml +- ansible.builtin.include_tasks: cleanup_network_conf.yml +- ansible.builtin.include_tasks: set_locale.yml +- ansible.builtin.include_tasks: wazuh.yml +- ansible.builtin.include_tasks: cleanup_quattor.yml when: ansible_distribution == "Rocky" -- include_tasks: run_pakiti.yml -- include_tasks: cleanup_users.yml -- include_tasks: cleanup_old_kernels.yml -- include_tasks: remove_host_ssh_keys.yml -- include_tasks: cleanup_packages.yml +- ansible.builtin.include_tasks: run_pakiti.yml +- ansible.builtin.include_tasks: cleanup_users.yml +- ansible.builtin.include_tasks: cleanup_old_kernels.yml +- ansible.builtin.include_tasks: remove_host_ssh_keys.yml +- ansible.builtin.include_tasks: cleanup_packages.yml # Cleanup history of build -- include_tasks: logrotate.yml -- include_tasks: clear_audit_log.yml -- include_tasks: remove_shell_history.yml +- 
ansible.builtin.include_tasks: logrotate.yml +- ansible.builtin.include_tasks: clear_audit_log.yml +- ansible.builtin.include_tasks: remove_shell_history.yml - name: Mark next boot as first boot ansible.builtin.file: diff --git a/os_builders/roles/tidy_image/tasks/reboot.yml b/os_builders/roles/tidy_image/tasks/reboot.yml index d2c274c6..30cc800c 100644 --- a/os_builders/roles/tidy_image/tasks/reboot.yml +++ b/os_builders/roles/tidy_image/tasks/reboot.yml @@ -4,5 +4,3 @@ post_reboot_delay: 30 connect_timeout: 3600 become: true - - \ No newline at end of file diff --git a/os_builders/roles/tidy_image/tasks/remove_host_ssh_keys.yml b/os_builders/roles/tidy_image/tasks/remove_host_ssh_keys.yml index a7084f27..60184a33 100644 --- a/os_builders/roles/tidy_image/tasks/remove_host_ssh_keys.yml +++ b/os_builders/roles/tidy_image/tasks/remove_host_ssh_keys.yml @@ -1,5 +1,5 @@ - name: Cleanout Host SSH Keys - file: + ansible.builtin.file: path: "/etc/ssh/*key*" state: absent become: true diff --git a/os_builders/roles/tidy_image/tasks/remove_shell_history.yml b/os_builders/roles/tidy_image/tasks/remove_shell_history.yml index 1b702582..38261862 100644 --- a/os_builders/roles/tidy_image/tasks/remove_shell_history.yml +++ b/os_builders/roles/tidy_image/tasks/remove_shell_history.yml @@ -1,11 +1,11 @@ - name: Cleanout Host SSH Keys - file: + ansible.builtin.file: path: "/home/*/.bash_history" state: absent become: true - name: Cleanout Host SSH Keys - file: + ansible.builtin.file: path: "/root/.bash_history" state: absent become: true diff --git a/os_builders/roles/tidy_image/tasks/run_pakiti.yml b/os_builders/roles/tidy_image/tasks/run_pakiti.yml index bf10cb4e..b41fb113 100644 --- a/os_builders/roles/tidy_image/tasks/run_pakiti.yml +++ b/os_builders/roles/tidy_image/tasks/run_pakiti.yml @@ -1,5 +1,5 @@ - name: Run pakiti - command: + ansible.builtin.command: cmd: "pakiti2-client" become: true when: in_container 
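Review bot: The `in_container` fact is `in_container_check.stdout != '0::/'`, which appears to be inverted relative to its name: inside a cgroup-v2 container `/proc/self/cgroup` reads `0::/`, so the fact is false there, while on an ordinary systemd host the line carries a slice/scope path and the fact is true. The `when: in_container` guards on `reboot.yml`, `run_pakiti.yml` and the `localectl` block therefore run on real VMs, which is presumably the intent, but anyone reading `when: in_container` will assume the opposite; either rename the fact (e.g. `is_full_vm`) or put `# true on a real VM, false inside the GitHub Actions container (cgroup shows 0::/)` above the set_fact. The `cat /proc/self/cgroup` task also needs `changed_when: false` so a read-only probe is not reported as a change. The mechanical capitalisation produced `Set_fact for checking container`; `Record whether we are running in a container` reads better.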
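Review bot: `Cleanout Host SSH Keys` does not remove any keys: `ansible.builtin.file` does not expand globs, so `path: "/etc/ssh/*key*"` names a single file that does not exist, the task reports ok, and `/etc/ssh/ssh_host_*_key` plus their `.pub` files stay in the image — unless something later (cloud-init, the first-boot marker) regenerates them, every VM booted from this image shares the same host keys. Replace it with `ansible.builtin.find` over `/etc/ssh` with `patterns: "ssh_host_*key*"` and a looped `ansible.builtin.file: state: absent`, as below, and consider a follow-up `ansible.builtin.assert` that no `ssh_host_` files remain so a regression fails the image build loudly.

```yaml
- name: Find host SSH keys
  ansible.builtin.find:
    paths: /etc/ssh
    patterns: "ssh_host_*key*"
  register: host_keys
  become: true

- name: Cleanout Host SSH Keys
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ host_keys.files }}"
  become: true
```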
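Review bot: Both tasks in `remove_shell_history.yml` are still named `Cleanout Host SSH Keys` although they remove shell history; name them `Remove user shell history` and `Remove root shell history`. The first also uses a glob, `/home/*/.bash_history`, which `ansible.builtin.file` does not expand, so user histories are not actually removed from the image; use `ansible.builtin.find` with `paths: /home`, `patterns: ".bash_history"`, `hidden: true`, `recurse: true` and loop over `.files` as below. Only `.bash_history` is covered; if other shells or REPLs are used during the build, `.zsh_history`, `.python_history` and `.lesshst` are worth adding to `patterns`.

```yaml
- name: Find user shell history files
  ansible.builtin.find:
    paths: /home
    patterns: ".bash_history"
    hidden: true
    recurse: true
  register: user_histories
  become: true

- name: Remove user shell history
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ user_histories.files }}"
  become: true
```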
diff --git a/os_builders/roles/tidy_image/tasks/run_quattor.yml b/os_builders/roles/tidy_image/tasks/run_quattor.yml index 2f74ecb1..3b2b01a0 100644 --- a/os_builders/roles/tidy_image/tasks/run_quattor.yml +++ b/os_builders/roles/tidy_image/tasks/run_quattor.yml @@ -1,5 +1,5 @@ -- name: run quattor - shell: "quattor-fetch && quattor-configure --all --verbose" +- name: Run quattor + ansible.builtin.shell: "quattor-fetch && quattor-configure --all --verbose" ignore_errors: true - when: ansible_distribution == "Rocky" + when: ansible_distribution == "Rocky" become: true diff --git a/os_builders/roles/tidy_image/tasks/set_locale.yml b/os_builders/roles/tidy_image/tasks/set_locale.yml index 628756ae..3b827115 100644 --- a/os_builders/roles/tidy_image/tasks/set_locale.yml +++ b/os_builders/roles/tidy_image/tasks/set_locale.yml 
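Review bot: `ignore_errors: true` on `quattor-fetch && quattor-configure --all --verbose` means a failed configuration run still yields a "successful" image, with nothing but a red ignored task in the play output to show for it. If certain quattor exit codes are expected during an image build, register the result and fail only on the unexpected ones (`register: quattor_run` with a `failed_when` listing the return codes known to be benign); otherwise drop `ignore_errors` so a broken profile stops the build. The task also lacks `changed_when`, which ansible-lint's `no-changed-when` rule flags for `shell` tasks; `changed_when: true` is honest here since the run always reconfigures the host.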
@@ -1,68 +1,66 @@ -# - name: set locale to set -# set_fact: +# - name: Set locale to set +# ansible.builtin.set_fact: # config_system_locale: "en_GB.UTF-8" # config_system_language: "en_GB.UTF-8" -- name: set locale to set - set_fact: +- name: Set locale to set + ansible.builtin.set_fact: config_system_locale: "en_US.UTF-8" config_system_language: "en_US.UTF-8" -- name: check if locale exists - shell: "locale -a | grep -i {{ config_system_locale | regex_replace('-', '') | quote }}" +- name: Check if locale exists + ansible.builtin.shell: "locale -a | grep -i {{ config_system_locale | regex_replace('-', '') | quote }}" register: found_locale - changed_when: no - failed_when: no + changed_when: false + failed_when: false become: true -- name: create locale - command: "localedef -i {{ config_system_locale | regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_locale | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_locale | quote }}" +- name: Create locale + ansible.builtin.command: "localedef -i {{ config_system_locale | regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_locale | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_locale | quote }}" when: not ansible_check_mode and found_locale.rc != 0 become: true -- name: check if language exists - shell: "locale -a | grep -i {{ config_system_language | regex_replace('-', '') | quote }}" +- name: Check if language exists + ansible.builtin.shell: "locale -a | grep -i {{ config_system_language | regex_replace('-', '') | quote }}" register: found_language - changed_when: no - failed_when: no + changed_when: false + failed_when: false become: true -- name: create language - command: "localedef -i {{ config_system_language | regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_language | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_language | quote }}" +- name: Create language + ansible.builtin.command: "localedef -i {{ config_system_language 
| regex_replace('(.*)\\..*', '\\1') | quote }} -f {{ config_system_language | regex_replace('.*\\.(.*)', '\\1') | quote }} {{ config_system_language | quote }}" when: not ansible_check_mode and found_language.rc != 0 become: true -- name: configure locale +- name: Configure locale block: - name: Get current locale and language configuration - command: localectl status + ansible.builtin.command: localectl status register: locale_status changed_when: false become: true - name: Parse 'LANG' from current locale and language configuration - set_fact: + ansible.builtin.set_fact: locale_lang: "{{ locale_status.stdout | regex_search('LANG=([^\n]+)', '\\1') | first }}" - name: Parse 'LANGUAGE' from current locale and language configuration - set_fact: + ansible.builtin.set_fact: locale_language: "{{ locale_status.stdout | regex_search('LANGUAGE=([^\n]+)', '\\1') | default([locale_lang], true) | first }}" - name: Configure locale to '{{ config_system_locale }}' and language to '{{ config_system_language }}' - command: localectl set-locale LANG={{ config_system_locale }} LANGUAGE={{ config_system_language }} + ansible.builtin.command: localectl set-locale LANG={{ config_system_locale }} LANGUAGE={{ config_system_language }} become: true - name: Set locale keymap - command: localectl set-keymap gb + ansible.builtin.command: localectl set-keymap gb when: ansible_distribution == "Rocky" become: true when: in_container - # - name: Set locale keymap -# command: loadkeys uk +# ansible.builtin.command: loadkeys uk # when: ansible_distribution == "Ubuntu" - # - name: Set locale x11 keymap -# command: localeclt set-x11-keymap gb +# ansible.builtin.command: localeclt set-x11-keymap gb # when: ansible_distribution == "Rocky" diff --git a/os_builders/roles/tidy_image/tasks/wazuh.yml b/os_builders/roles/tidy_image/tasks/wazuh.yml index ab5bc26b..422aa215 100644 --- a/os_builders/roles/tidy_image/tasks/wazuh.yml +++ b/os_builders/roles/tidy_image/tasks/wazuh.yml 
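Review bot: `Configure locale to …` and `Set locale keymap` run `localectl set-…` unconditionally and without `changed_when`, so every run reports a change even when the locale is already correct, and the `locale_lang` / `locale_language` facts parsed just above are never used. Gate the set-locale task with `when: locale_lang != config_system_locale or locale_language != config_system_language` and add `changed_when: true`; that turns the two parse tasks from dead code into the idempotency check they were written for. `localectl set-locale LANG={{ config_system_locale }} …` interpolates without `| quote`, unlike the `localedef` tasks above; the values are fixed in this file so it is harmless today, but quoting keeps the file consistent. The commented-out x11 task still carries the `localeclt` typo, which will bite whoever re-enables it.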
@@ -1,18 +1,16 @@ - name: Set wazuh package name variable - set_fact: + ansible.builtin.set_fact: wazuh_package_name: "wazuh-agent" - name: Stop wazuh-agent service - become: true ansible.builtin.command: cmd: "systemctl stop wazuh-agent.service" - when: wazuh_package_name in ansible_facts.packages ignore_errors: True become: true - when: in_container + when: wazuh_package_name in ansible_facts.packages or in_container - name: Clean Wazuh agent history - file: + ansible.builtin.file: path: "/var/ossec/etc/client.keys" state: absent become: true diff --git a/os_builders/roles/vm_baseline/tasks/add_user_security.yml b/os_builders/roles/vm_baseline/tasks/add_user_security.yml index 58cdce16..54a9d241 100644 --- a/os_builders/roles/vm_baseline/tasks/add_user_security.yml +++ b/os_builders/roles/vm_baseline/tasks/add_user_security.yml @@ -25,5 +25,5 @@ dest: /etc/security/pwquality.conf owner: root group: root - mode: '0644' + mode: "0644" become: true diff --git a/os_builders/roles/vm_baseline/tasks/cron.yml b/os_builders/roles/vm_baseline/tasks/cron.yml index 0fc6bf31..996ab39f 100644 --- a/os_builders/roles/vm_baseline/tasks/cron.yml +++ b/os_builders/roles/vm_baseline/tasks/cron.yml @@ -1,15 +1,14 @@ - - name: Install cron on Ubuntu - apt: + ansible.builtin.apt: name: "cron" state: present - update_cache: yes + update_cache: true when: ansible_distribution == "Ubuntu" become: true - name: Install cron on RL - yum: + ansible.builtin.dnf: name: "cronie" state: present - when: ansible_distribution == "Rocky" + when: ansible_distribution == "Rocky" become: true diff --git a/os_builders/roles/vm_baseline/tasks/disable_selinux.yml b/os_builders/roles/vm_baseline/tasks/disable_selinux.yml index dd7422f3..aebb527d 100644 --- a/os_builders/roles/vm_baseline/tasks/disable_selinux.yml +++ b/os_builders/roles/vm_baseline/tasks/disable_selinux.yml 
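Review bot: Merging the two former `when:` keys with `or` changes which hosts `Stop wazuh-agent service` runs on: before this fix the second key (`in_container`) silently won, and now `systemctl stop` runs wherever wazuh-agent is installed *or* the container check passes, with `ignore_errors: True` hiding the failure on hosts where the unit does not exist. If the intent is "stop the agent only where it is installed", this should be `and`, or simply `when: wazuh_package_name in ansible_facts.packages` with the stop done through `ansible.builtin.systemd_service: name: wazuh-agent state: stopped`, which is idempotent and removes the need for `ignore_errors` (ansible-lint's `command-instead-of-module` rule targets exactly this `systemctl` call). `ignore_errors: True` also keeps its capital while the rest of the commit moved to lowercase `true`/`false`; the yamllint truthy rule as configured by ansible-lint likely flags it, so the lint fix looks incomplete in this hunk.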
@@ -1,9 +1,9 @@ - name: Ensure SELinux is set to permissive mode for Wazuh ansible.builtin.lineinfile: path: /etc/selinux/config - regexp: '^SELINUX=' + regexp: "^SELINUX=" line: SELINUX=permissive state: present create: true when: ansible_distribution == "Rocky" - become: true \ No newline at end of file + become: true diff --git a/os_builders/roles/vm_baseline/tasks/locale.yml b/os_builders/roles/vm_baseline/tasks/locale.yml index 8ffb1192..0a5d47b3 100644 --- a/os_builders/roles/vm_baseline/tasks/locale.yml +++ b/os_builders/roles/vm_baseline/tasks/locale.yml @@ -15,4 +15,3 @@ state: present become: true when: ansible_os_family == "RedHat" - \ No newline at end of file diff --git a/os_builders/roles/vm_baseline/tasks/main.yml b/os_builders/roles/vm_baseline/tasks/main.yml index 261584bd..a9ef8513 100644 --- a/os_builders/roles/vm_baseline/tasks/main.yml +++ b/os_builders/roles/vm_baseline/tasks/main.yml @@ -1,17 +1,17 @@ -- include_tasks: update.yml -- include_tasks: get-package-facts.yml +- ansible.builtin.include_tasks: update.yml +- ansible.builtin.include_tasks: get-package-facts.yml -- include_tasks: cron.yml -- include_tasks: locale.yml +- ansible.builtin.include_tasks: cron.yml +- ansible.builtin.include_tasks: locale.yml -- include_tasks: ssh.yml -- include_tasks: rsyslog.yml -- include_tasks: wazuh.yml +- ansible.builtin.include_tasks: ssh.yml +- ansible.builtin.include_tasks: rsyslog.yml +- ansible.builtin.include_tasks: wazuh.yml # Include Pakiti last, so it will report on the state of a complete system -- include_tasks: ukescienceca.yml -- include_tasks: pakiti.yml -- include_tasks: qemu-guest-agent.yml +- ansible.builtin.include_tasks: ukescienceca.yml +- ansible.builtin.include_tasks: pakiti.yml +- ansible.builtin.include_tasks: qemu-guest-agent.yml -- include_tasks: disable_selinux.yml -- include_tasks: add_user_security.yml +- ansible.builtin.include_tasks: disable_selinux.yml +- ansible.builtin.include_tasks: add_user_security.yml 
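Review bot: `SELINUX=permissive` leaves every Rocky image built from this baseline without an enforcing mandatory-access-control layer for the whole fleet, not just for Wazuh; the commit only requotes the regexp, but the policy itself deserves a second look. The first step is to check whether the exemption is still needed by building with enforcing and looking for AVC denials attributable to the agent; if a specific denial remains, a targeted policy module or boolean is the fix rather than fleet-wide permissive mode. If it must stay for now, record the concrete denial in a comment above the task so it is not carried forward silently, and consider whether `setenforce` at first boot is also being relied on, since this task only edits the config file. The file is called `disable_selinux.yml` while the task sets permissive rather than disabled; one of the two names should change so auditors are not misled.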
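Review bot: The comment `# Include Pakiti last, so it will report on the state of a complete system` is no longer true: `qemu-guest-agent.yml`, `disable_selinux.yml` and `add_user_security.yml` are included after `pakiti.yml`, so Pakiti's report misses those packages and settings. Either move the `pakiti.yml` include to the end of the list or reword the comment to say what it actually runs after. None of the `ansible.builtin.include_tasks` entries carries a `name:`; a short name on each include makes the play output of this role much easier to follow.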
diff --git a/os_builders/roles/vm_baseline/tasks/pakiti.yml b/os_builders/roles/vm_baseline/tasks/pakiti.yml index 85d09462..165590d0 100644 --- a/os_builders/roles/vm_baseline/tasks/pakiti.yml +++ b/os_builders/roles/vm_baseline/tasks/pakiti.yml @@ -1,53 +1,53 @@ - name: Copy Pakiti RPM - copy: + ansible.builtin.copy: src: "files/pakiti-client-2.1.4-3.RAL.noarch.rpm" dest: "/tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm" - name: Install Pakiti on Ubuntu using Alien block: - name: Enable Universe for Alien - apt_repository: + ansible.builtin.apt_repository: repo: "{{ item }}" loop: - "deb http://archive.ubuntu.com/ubuntu/ {{ansible_distribution_release}} main" - "deb http://archive.ubuntu.com/ubuntu/ {{ansible_distribution_release}} universe" - name: Install Alien for Pakiti - apt: + ansible.builtin.apt: name: alien state: present update_cache: yes - name: Install Pakiti using Alien - command: + ansible.builtin.command: cmd: "alien --install /tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm" - name: Remove Alien - apt: + ansible.builtin.apt: name: alien state: absent - name: Remove universe repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://archive.ubuntu.com/ubuntu/ {{ansible_distribution_release}} universe" state: absent - name: Update apt-cache - apt: + ansible.builtin.apt: update_cache: yes when: ansible_distribution == "Ubuntu" and 'pakiti-client' not in ansible_facts.packages become: true - name: Install Pakiti on RL - yum: + ansible.builtin.dnf: name: "/tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm" state: present disable_gpg_check: true - when: ansible_distribution == "Rocky" + when: ansible_distribution == "Rocky" become: true - name: Ensure pakiti config directory exists - file: + ansible.builtin.file: path: "/etc/pakiti2" state: directory owner: root 
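Review bot: The vendored `pakiti-client-2.1.4-3.RAL.noarch.rpm` is installed with signature verification switched off on both paths — `disable_gpg_check: true` on Rocky and `alien --install` on Ubuntu — after being copied to world-writable `/tmp` by the unprivileged connection user with no `owner`/`mode` (the `Copy Pakiti RPM` task has no `become`), and nothing checks that the file installed is the one committed. Since the package is vendored, pin its SHA-256 as a role default (e.g. `pakiti_rpm_sha256`) and verify it before either install path with `ansible.builtin.stat` (`checksum_algorithm: sha256`) and `ansible.builtin.assert`, copying it root-owned under `become: true` as below. Two `update_cache: yes` values in this hunk were left untouched while the rest of the commit changed `yes` to `true`, and `{{ansible_distribution_release}}` lacks the inner spaces ansible-lint's `jinja[spacing]` rule expects, so the lint fix looks incomplete here.

```yaml
- name: Copy Pakiti RPM
  ansible.builtin.copy:
    src: "files/pakiti-client-2.1.4-3.RAL.noarch.rpm"
    dest: "/tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm"
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Verify Pakiti RPM checksum
  ansible.builtin.stat:
    path: "/tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm"
    checksum_algorithm: sha256
  register: pakiti_rpm

- name: Refuse to install an unexpected Pakiti RPM
  ansible.builtin.assert:
    that: pakiti_rpm.stat.checksum == pakiti_rpm_sha256
    fail_msg: "pakiti-client RPM checksum mismatch"
# … unchanged: Alien block and dnf install …
```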
@@ -55,9 +55,8 @@ mode: 0644 become: true - - name: Copy pakiti config file - copy: + ansible.builtin.copy: src: "etc/pakiti2/pakiti2-client.conf" dest: "/etc/pakiti2/pakiti2-client.conf" owner: root diff --git a/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml b/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml index bfc7f4d3..39a31029 100644 --- a/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml +++ b/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml @@ -1,5 +1,5 @@ - name: Install Qemu Guest Agent on Ubuntu - apt: + ansible.builtin.apt: name: qemu-guest-agent state: present update_cache: yes @@ -7,7 +7,7 @@ become: true - name: Install Qemu Guest Agent on RL - yum: + ansible.builtin.dnf: name: "qemu-guest-agent" state: present when: ansible_distribution == "Rocky" @@ -17,4 +17,4 @@ ansible.builtin.systemd_service: name: qemu-guest-agent.service enabled: true - become: true \ No newline at end of file + become: true diff --git a/os_builders/roles/vm_baseline/tasks/rsyslog.yml b/os_builders/roles/vm_baseline/tasks/rsyslog.yml index 5b95d888..1c2e5265 100644 --- a/os_builders/roles/vm_baseline/tasks/rsyslog.yml +++ b/os_builders/roles/vm_baseline/tasks/rsyslog.yml @@ -1,11 +1,11 @@ - name: Ensure rsyslog is installed - package: + ansible.builtin.package: name: rsyslog state: present become: true - name: Copy rsyslog.conf - copy: + ansible.builtin.copy: src: "etc/rsyslog.conf" dest: "/etc/rsyslog.conf" owner: root @@ -14,7 +14,7 @@ become: true - name: Copy rsyslog.d - copy: + ansible.builtin.copy: src: "rsyslog.d" dest: "/etc/rsyslog.d" owner: root diff --git a/os_builders/roles/vm_baseline/tasks/ssh.yml b/os_builders/roles/vm_baseline/tasks/ssh.yml index 2662da3a..48537cef 100644 --- a/os_builders/roles/vm_baseline/tasks/ssh.yml +++ b/os_builders/roles/vm_baseline/tasks/ssh.yml 
@@ -1,23 +1,23 @@ - name: Install openssh-server - package: + ansible.builtin.package: name: openssh-server state: present become: true - name: Install wget - package: + ansible.builtin.package: name: wget state: present become: true - name: Enable root login for authorized admins block: - - debug: + - ansible.builtin.debug: msg: "ROOT_PASSWORD is undefined, disabling password based login. Please set it in your environment." when: not lookup('env', 'ROOT_PASSWORD') - name: Enable root account - user: + ansible.builtin.user: name: cloud state: present shell: /bin/bash @@ -25,7 +25,7 @@ password: "{{ lookup('env', 'ROOT_PASSWORD', default='!') }}" - name: Ensure cloud sudoers.d directory exists - file: + ansible.builtin.file: path: "/etc/sudoers.d" state: directory owner: root @@ -33,14 +33,14 @@ mode: 0440 - name: Add cloud user to sudoers - copy: + ansible.builtin.copy: dest: /etc/sudoers.d/cloud-team-user content: "cloud ALL=(ALL) NOPASSWD:ALL" mode: 0440 become: true - name: Ensure cloud home directory exists - file: + ansible.builtin.file: path: "/home/cloud/.ssh" state: directory owner: cloud @@ -49,7 +49,7 @@ become: true - name: Copy authorized cloud admin keys into cloud's authorized_keys - copy: + ansible.builtin.copy: src: "authorized_keys" dest: "/home/cloud/.ssh/authorized_keys" owner: cloud @@ -58,7 +58,7 @@ become: true - name: Copy authorized key update script in - copy: + ansible.builtin.copy: src: "update_keys.sh" dest: "/usr/local/sbin/update_keys.sh" owner: root @@ -66,8 +66,8 @@ mode: 0700 become: true -# ensure that cron is installed -- include_tasks: cron.yml +- name: Ensure that cron is installed + ansible.builtin.include_tasks: cron.yml - name: Update admin keys periodically ansible.builtin.cron: diff --git a/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_rocky.yml b/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_rocky.yml index 29cef164..d4cadf3b 100644 
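Review bot: `ansible.builtin.user` expects `password` to be a crypt(3) hash, so unless `ROOT_PASSWORD` already holds one, the cleartext value from the environment (seen in the context of the next hunk, line 25) is written into `/etc/shadow` as-is and the account cannot log in with it; hash it in the task, `password: "{{ lookup('env', 'ROOT_PASSWORD') | password_hash('sha512') if lookup('env', 'ROOT_PASSWORD') else '!' }}"`, or say in the debug message that a hash is expected. The task also has no `no_log: true`, so the value is echoed in verbose and diff output and ends up in build logs; ansible-lint's `no-log-password` rule exists for exactly this case. The block is named `Enable root login for authorized admins` and the task `Enable root account`, yet both act on the `cloud` user; renaming them to say `cloud` avoids misleading an auditor. The `Enable root account` task starts in this hunk and continues past it into the next one.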
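Review bot: `Ensure cloud sudoers.d directory exists` sets `mode: 0440` on the directory `/etc/sudoers.d`; a directory needs the execute bit to be traversed and distributions ship it as `0750`/`0755`, so use `mode: "0755"` there (root still gets through via DAC override, which is why this has gone unnoticed). The octal modes in this file (`0440`, `0700`) are unquoted while the commit quoted `"0644"` in `add_user_security.yml`; quote them consistently so YAML cannot reinterpret them, which is what ansible-lint's `risky-octal` rule checks. `cloud ALL=(ALL) NOPASSWD:ALL` is a deliberate break-glass choice baked into every image; a comment above the `copy` task naming who curates `authorized_keys` and how `update_keys.sh` rotates it would help the next reviewer judge whether `NOPASSWD` is still warranted.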
--- a/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_rocky.yml +++ b/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_rocky.yml @@ -1,5 +1,5 @@ -- name: add CA repo - yum_repository: +- name: Add CA repo + ansible.builtin.yum_repository: name: eScienceCAs file: eScienceCAs description: "Repository to install the UK eScience (and other IGTF) CA certs from" @@ -10,9 +10,9 @@ become: true - name: Install UK eScience Packages - yum: + ansible.builtin.dnf: name: - - ca_UKeScienceRoot-2007 - - ca_UKeScienceCA-2B + - ca_UKeScienceRoot-2007 + - ca_UKeScienceCA-2B state: present - become: true \ No newline at end of file + become: true diff --git a/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_ubuntu.yml b/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_ubuntu.yml index 27d841ed..08dc8781 100644 --- a/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_ubuntu.yml +++ b/os_builders/roles/vm_baseline/tasks/ukscienceca/install_ukscienceca_ubuntu.yml @@ -4,7 +4,7 @@ update_cache: true state: present become: true - + - name: Add EU Grid PMA repo ansible.builtin.deb822_repository: name: eu-grid-pma @@ -19,12 +19,12 @@ ansible.builtin.apt: name: ca-ukescienceroot-2007 state: present - update_cache: yes + update_cache: true become: true - name: Install UK eScience CA ansible.builtin.apt: - name: ca-ukescienceca-2b + name: ca-ukescienceca-2b state: present - update_cache: yes - become: true \ No newline at end of file + update_cache: true + become: true diff --git a/os_builders/roles/vm_baseline/tasks/update.yml b/os_builders/roles/vm_baseline/tasks/update.yml index 43b79a18..462b782a 100644 --- a/os_builders/roles/vm_baseline/tasks/update.yml +++ b/os_builders/roles/vm_baseline/tasks/update.yml 
@@ -1,13 +1,13 @@ - name: Error for unknown distributions - fail: + ansible.builtin.fail: msg: "Unknown distribution {{ ansible_distribution }}" when: ansible_distribution != "Rocky" and ansible_distribution != "Ubuntu" - name: Install system updates for RL systems - yum: + ansible.builtin.dnf: name: "*" state: latest - update_cache: yes + update_cache: true when: ansible_distribution == "Rocky" register: result until: result is not failed @@ -18,9 +18,9 @@ - name: Install system updates for Ubuntu systems ansible.builtin.apt: upgrade: dist - update_cache: yes - autoremove: yes - autoclean: yes + update_cache: true + autoremove: true + autoclean: true when: ansible_distribution == 'Ubuntu' register: result until: result is not failed @@ -29,9 +29,9 @@ become: true - name: get IP - shell: hostname -I + ansible.builtin.shell: hostname -I register: my_hostname - name: print IP - debug: - msg: "{{ my_hostname }}" \ No newline at end of file + ansible.builtin.debug: + msg: "{{ my_hostname }}" diff --git a/os_builders/roles/vm_baseline/tasks/wazuh.yml b/os_builders/roles/vm_baseline/tasks/wazuh.yml index a24102ed..a21bd335 100644 --- a/os_builders/roles/vm_baseline/tasks/wazuh.yml +++ b/os_builders/roles/vm_baseline/tasks/wazuh.yml @@ -1,4 +1,4 @@ -- name: install pip +- name: Install pip ansible.builtin.apt: name: python3-pip state: present 
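Review bot: `get IP` and `print IP` keep lowercase names while the rest of the commit capitalised task names (ansible-lint `name[casing]`), and `ansible.builtin.shell: hostname -I` has no `changed_when`, so the lint fix is incomplete in this hunk; `hostname -I` uses no shell features and can be `ansible.builtin.command` with `changed_when: false`, or dropped in favour of the already-gathered `ansible_all_ipv4_addresses` fact. `print IP` prints the whole registered result; `msg: "{{ my_hostname.stdout }}"` is what a reader wants. `name: "*"` with `state: latest` is flagged by ansible-lint's `package-latest` rule; it is intentional for an image baseline, so a `# noqa: package-latest` with a one-line justification keeps the linter quiet without hiding the choice.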
@@ -21,98 +21,99 @@ ansible.builtin.include_tasks: wazuh/install_wazuh_rocky.yml when: ansible_distribution == "Rocky" -- name: configure wazuh-agent +- name: Configure wazuh-agent block: - - name: build wazuh groups list - set_fact: - wazuh_groups: - - "default" - - "cloud" - - "{{ ansible_distribution | lower }}" - - "{{ ansible_facts['os_family'] | lower}}" - - name: build wazuh extra json - set_fact: - wazuh_extra_json: - groups: "{{ wazuh_groups }}" - labels: - image_build_date: "{{ ansible_date_time.iso8601 }}" - - - name: Ensure wazuh-agent extra directory exists - file: - path: "/var/ossec/etc/extra" - state: directory - owner: root - group: root - mode: 0644 - - - name: write out wazuh extra config - copy: - dest: /var/ossec/etc/extra/01-ansible-baseline.json - content: "{{ wazuh_extra_json }}" - - - name: Copy wazuh client enrichment script - copy: - src: "wazuh/enrich-wazuh-agent.py" - dest: "/var/ossec/bin/enrich-wazuh-agent.py" - owner: root - group: wazuh - mode: 0754 - - - name: Ensure wazuh-agent drop in config directory exists - file: - path: "/etc/systemd/system/wazuh-agent.service.d" - state: directory - owner: root - group: root - mode: 0644 - - - name: Copy wazuh drop in unit - copy: - src: "wazuh/preexec.conf" - dest: "/etc/systemd/system/wazuh-agent.service.d/preexec.conf" - owner: root - group: root - mode: 0644 - - - name: Copy wazuh config template - copy: - src: "wazuh/ossec.template" - dest: "/var/ossec/etc/ossec.template" - owner: root - group: wazuh - mode: 0754 - - - name: Copy wazuh local internal config - copy: - src: "wazuh/local_internal_options.conf" - dest: "/var/ossec/etc/local_internal_options.conf" - owner: root - group: wazuh - mode: 0750 - - - name: Update template file with groups - replace: - path: "/var/ossec/etc/ossec.template" - regexp: 'AGENT_GROUPS' - replace: "{{ wazuh_groups | join(',') }}" - - - name: Enable wazuh-agent service - become: true - ansible.builtin.command: - cmd: "systemctl enable wazuh-agent.service" 
- ignore_errors: true - - - name: get service facts - ansible.builtin.service_facts: - - - name: Stop wazuh-agent service - become: true - ansible.builtin.command: - cmd: "systemctl stop wazuh-agent.service" - ignore_errors: true - - - name: Clean Wazuh agent history - file: - path: "/var/ossec/etc/client.keys" - state: absent - become: true \ No newline at end of file + - name: Build wazuh groups list + ansible.builtin.set_fact: + wazuh_groups: + - "default" + - "cloud" + - "{{ ansible_distribution | lower }}" + - "{{ ansible_facts['os_family'] | lower}}" + + - name: Build wazuh extra json + ansible.builtin.set_fact: + wazuh_extra_json: + groups: "{{ wazuh_groups }}" + labels: + image_build_date: "{{ ansible_date_time.iso8601 }}" + + - name: Ensure wazuh-agent extra directory exists + ansible.builtin.file: + path: "/var/ossec/etc/extra" + state: directory + owner: root + group: root + mode: 0644 + + - name: Write out wazuh extra config + ansible.builtin.copy: + dest: /var/ossec/etc/extra/01-ansible-baseline.json + content: "{{ wazuh_extra_json }}" + + - name: Copy wazuh client enrichment script + ansible.builtin.copy: + src: "wazuh/enrich-wazuh-agent.py" + dest: "/var/ossec/bin/enrich-wazuh-agent.py" + owner: root + group: wazuh + mode: 0754 + + - name: Ensure wazuh-agent drop in config directory exists + ansible.builtin.file: + path: "/etc/systemd/system/wazuh-agent.service.d" + state: directory + owner: root + group: root + mode: 0644 + + - name: Copy wazuh drop in unit + ansible.builtin.copy: + src: "wazuh/preexec.conf" + dest: "/etc/systemd/system/wazuh-agent.service.d/preexec.conf" + owner: root + group: root + mode: 0644 + + - name: Copy wazuh config template + ansible.builtin.copy: + src: "wazuh/ossec.template" + dest: "/var/ossec/etc/ossec.template" + owner: root + group: wazuh + mode: 0754 + + - name: Copy wazuh local internal config + ansible.builtin.copy: + src: "wazuh/local_internal_options.conf" + dest: "/var/ossec/etc/local_internal_options.conf" + 
owner: root + group: wazuh + mode: 0750 + + - name: Update template file with groups + ansible.builtin.replace: + path: "/var/ossec/etc/ossec.template" + regexp: "AGENT_GROUPS" + replace: "{{ wazuh_groups | join(',') }}" + + - name: Enable wazuh-agent service + become: true + ansible.builtin.command: + cmd: "systemctl enable wazuh-agent.service" + ignore_errors: true + + - name: Get service facts + ansible.builtin.service_facts: + + - name: Stop wazuh-agent service + become: true + ansible.builtin.command: + cmd: "systemctl stop wazuh-agent.service" + ignore_errors: true + + - name: Clean Wazuh agent history + ansible.builtin.file: + path: "/var/ossec/etc/client.keys" + state: absent + become: true diff --git a/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_rocky.yml b/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_rocky.yml index 4297a8f1..f141ccac 100644 --- a/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_rocky.yml +++ b/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_rocky.yml @@ -1,5 +1,5 @@ -- name: add wazuh repo - yum_repository: +- name: Add wazuh repo + ansible.builtin.yum_repository: name: wazuh file: wazuh description: "Repository to install wazuh" @@ -10,7 +10,7 @@ become: true - name: Install wazuh - yum: + ansible.builtin.dnf: name: - wazuh-agent-4.14.* state: present diff --git a/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_ubuntu.yml b/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_ubuntu.yml index af94413a..dc38aa04 100644 --- a/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_ubuntu.yml +++ b/os_builders/roles/vm_baseline/tasks/wazuh/install_wazuh_ubuntu.yml @@ -20,7 +20,7 @@ name: wazuh-agent=4.14.* state: present allow_downgrade: true - update_cache: yes + update_cache: true become: true - name: Remove Wazuh repo
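Review bot: `mode: 0644` is set on two directories, `/var/ossec/etc/extra` and `/etc/systemd/system/wazuh-agent.service.d`; without the execute bit they cannot be traversed by anyone but root, and `/var/ossec/etc/extra` is presumably read by `enrich-wazuh-agent.py`, which is installed with group `wazuh` — use `mode: "0755"` (or `"0750"` with `group: wazuh`) for directories, quoted so YAML does not reinterpret the octal. `Enable wazuh-agent service` and `Stop wazuh-agent service` shell out to `systemctl` under `ignore_errors: true`; `ansible.builtin.systemd_service` with `enabled: true` / `state: stopped` is idempotent, surfaces real failures and is what ansible-lint's `command-instead-of-module` rule asks for. The `Get service facts` result is never used and can be dropped. `ossec.template` is copied with `mode: 0754` like the enrichment script, but a template needs no execute bit; `"0640"` with `group: wazuh` matches `local_internal_options.conf` next to it.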