Closed teddytpc1 closed 1 year ago
To solve this issue, some requirements have been satisfied:
- `vagrant`.
- `pywinrm` package in my machine.
- Inventory:
```ini
[windows]
<ip_address>

[windows:vars]
ansible_user=vagrant
ansible_password=vagrant
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_ssh_port=5986
```
- Downloaded the [WinRM configuration script](https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1) and executed it in the Windows system.
## Development
### Variables
Some new variables have been added for this issue, regarding its third task:
- In `roles/wazuh/vars/repo.yml`:
```yaml
wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
```
- In `roles/wazuh/vars/repo_pre-release.yml`:
```yaml
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
```
New tasks have been added to the `Windows.yml` file. These tasks replace the MD5 verification with the SHA512 verification. Now the checksum is not hardcoded but obtained from a downloaded file.
```yaml
# Fetch the .sha512 sidecar published next to the installer (same version, same repo).
- name: Windows | Download SHA512 checksum file
  win_get_url:
    url: "{{ wazuh_winagent_sha512_url }}"
    dest: "{{ wazuh_winagent_config.download_dir }}"
  when:
    - wazuh_winagent_config.check_sha512

# The sidecar is in sha512sum format ("<hex digest>  <file name>"); keep only the first field.
- name: Extract checksum from SHA512 file
  win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
  register: extracted_checksum
  when:
    - wazuh_winagent_config.check_sha512

# Hash the downloaded installer and fail the play if it does not match the published digest.
- name: Windows | Verify the Wazuh Agent installer
  win_stat:
    path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
    get_checksum: true
    checksum_algorithm: sha512
  register: wazuh_agent_status
  failed_when:
    - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
  when:
    - wazuh_winagent_config.check_sha512
```
It is necessary to close https://github.com/wazuh/wazuh-automation/issues/1266 before closing this issue.
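The same download-sidecar, extract-digest, compare-hash procedure as a stand-alone PowerShell check that can be run on the Windows host before `msiexec`. This is an added example, not code from this issue or from `wazuh-ansible`; the function name `Test-Sha512Sidecar`, the paths, and the constructed `example-agent.msi` used in the self-check are assumptions. Beyond comparing digests it rejects a sidecar that is empty, does not contain a 128-hex-character SHA512 (for example an HTML error page saved as `.sha512`), or names a different file, and it reports which of these happened rather than only that the check failed. One caveat applies equally to the Ansible tasks above: the `.sha512` file is served from the same origin as the installer, so the check catches a corrupt, truncated or stale download, but authenticity still rests on TLS to `packages.wazuh.com`, not on the digest itself.

```powershell
# Added example (not part of the issue or of wazuh-ansible). Verifies an MSI against a
# sha512sum-style sidecar ("<hex digest>  <file name>"). All paths below are assumptions.

function Test-Sha512Sidecar {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # e.g. C:\Windows\Temp\wazuh-agent-<version>-1.msi
        [Parameter(Mandatory)][string]$SidecarPath       # e.g. C:\Windows\Temp\wazuh-agent-<version>-1.msi.sha512
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    if (-not (Test-Path -LiteralPath $SidecarPath))   { throw "Checksum file not found: $SidecarPath" }

    # Use the first non-empty line only; a sidecar carries exactly one digest.
    $line = Get-Content -LiteralPath $SidecarPath | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
    if (-not $line) { throw "Checksum file is empty: $SidecarPath" }

    # Split into at most two fields: digest and (optional) file name.
    $fields   = $line.Trim() -split '\s+', 2
    $expected = $fields[0].ToLowerInvariant()

    # Only a 128-hex-char digest is acceptable; anything else (HTML error page, truncated
    # download, wrong algorithm) must fail here instead of reaching the comparison.
    if ($expected -notmatch '^[0-9a-f]{128}$') { throw "Malformed SHA512 in checksum file: '$expected'" }

    # If the sidecar names a file, it has to be the installer we are about to run.
    $leaf = Split-Path -Path $InstallerPath -Leaf
    if ($fields.Count -eq 2) {
        $named = $fields[1].Trim().TrimStart('*')   # leading '*' marks binary mode in sha512sum output
        if ($named -ne $leaf) { throw "Checksum file is for '$named', not '$leaf'" }
    }

    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA512).Hash.ToLowerInvariant()
    if ($actual -ne $expected) {
        throw "SHA512 mismatch for $leaf`n expected $expected`n actual   $actual"
    }
    return $true
}

# Self-check on a constructed file (no network, no real installer): a matching sidecar
# passes, a sidecar with a wrong digest is rejected with a reason.
$tmp     = Join-Path ([IO.Path]::GetTempPath()) 'example-agent.msi'
$sidecar = $tmp + '.sha512'
Set-Content -LiteralPath $tmp -Value 'not a real installer' -NoNewline
$hash = (Get-FileHash -LiteralPath $tmp -Algorithm SHA512).Hash.ToLowerInvariant()

Set-Content -LiteralPath $sidecar -Value "$hash  example-agent.msi"
Test-Sha512Sidecar -InstallerPath $tmp -SidecarPath $sidecar

Set-Content -LiteralPath $sidecar -Value (('0' * 128) + '  example-agent.msi')
try { Test-Sha512Sidecar -InstallerPath $tmp -SidecarPath $sidecar } catch { "rejected: $_" }
```

In a playbook the equivalent of the last call is the `failed_when` on the `win_stat` task; the function form is useful when debugging a failed run on the host itself, because it says whether the sidecar was unreadable, malformed, for another file, or simply a different digest.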
## Description
Currently, the Windows agent deployment provides an MD5 check. To update the MD5 checksum we need the package. This causes delays in the `wazuh-ansible` tag because we need to update it with the correct value, and it is error-prone. To avoid this, we need to replace the MD5 with the SHA512 that is available in `packages.wazuh.com` and `packages-dev.wazuh.com`, depending on the repo used to install the package, e.g.:

And perform the check using that file.
## Tasks
- Remove the `check_md5` and `md5` variables and their related Ansible tasks.
- Add `check_sha512` (boolean, default: true) in the `roles/wazuh/ansible-wazuh-agent/defaults/main.yml` file.
- Add the SHA512 checksum URL in the `roles/wazuh/vars/repo.yml` and `roles/wazuh/vars/repo_pre-release.yml` files.
## Validation