
ProNotes

2026-02-03 13:52:58
Here is an example of how to set up the installation of the Wazuh agent on RHEL 8 via Ansible, taking your requirements into account.

### 1. Example inventory.ini

```ini
[agents]
web01.example.com    ansible_host=192.168.10.21
app02.example.com    ansible_host=192.168.10.22
db03.example.com     ansible_host=192.168.10.35
backup04             ansible_host=10.55.77.88

[agents:vars]
ansible_user=admin
ansible_become=yes
ansible_become_method=sudo
# ansible_ssh_private_key_file=~/.ssh/id_rsa_ansible   # if you need a dedicated key
```

### 2. Full playbook (wazuh-agent-deploy.yml)

```yaml
---
- name: Install and configure Wazuh agent on RHEL 8
  hosts: agents
  become: yes

  vars:
    wazuh_manager_ip: "192.168.10.10"      # ← your manager IP
    wazuh_agent_group: "linux-servers"     # ← the group you want
    wazuh_rpm_file: "wazuh-agent-4.9.0-1.x86_64.rpm"   # ← name of your file in files/

    # Directories monitored in realtime mode
    fim_realtime_dirs:
      - /etc
      - /bin
      - /sbin
      - /usr/bin
      - /usr/sbin
      - /boot
      - /root
      # - /home               # uncomment if needed
      # - /var/www            # example

  tasks:

    - name: Copy local Wazuh agent RPM to remote host
      ansible.builtin.copy:
        src: "{{ wazuh_rpm_file }}"        # looked up in files/ next to the playbook
        dest: "/tmp/{{ wazuh_rpm_file }}"
        mode: '0644'

    - name: Install Wazuh agent package
      ansible.builtin.dnf:
        name: "/tmp/{{ wazuh_rpm_file }}"
        state: present
        # Wazuh RPMs are signed; skipping the check means the copied file is trusted as-is.
        # Import the Wazuh GPG key with ansible.builtin.rpm_key and drop this line if you
        # want dnf to verify the signature.
        disable_gpg_check: yes
      register: install_result

    - name: Remove temporary RPM file
      ansible.builtin.file:
        path: "/tmp/{{ wazuh_rpm_file }}"
        state: absent

    # ───────────────────────────────────────────────
    # ossec.conf setup
    # ───────────────────────────────────────────────
    # ossec.conf is XML: comments and blockinfile markers must be <!-- ... -->,
    # never '#' lines, or the agent will not parse the file.

    - name: Set manager IP in ossec.conf
      ansible.builtin.lineinfile:
        path: /var/ossec/etc/ossec.conf
        regexp: '^(\s*)<address>.*</address>'
        line: '\1<address>{{ wazuh_manager_ip }}</address>'   # \1 keeps the original indent
        backrefs: yes     # only rewrite the existing <address> line, never insert a new one
      notify: restart wazuh-agent

    # There is no <group> element under <client>; the agent requests its group when it
    # enrolls, via <enrollment><groups> (takes effect the first time the agent registers).
    # Assumes the default ossec.conf shipped in the RPM, which has no <enrollment> block yet.
    - name: Request agent group at enrollment
      ansible.builtin.blockinfile:
        path: /var/ossec/etc/ossec.conf
        insertafter: '</server>'
        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK - enrollment -->"
        block: |
          <enrollment>
            <enabled>yes</enabled>
            <manager_address>{{ wazuh_manager_ip }}</manager_address>
            <groups>{{ wazuh_agent_group }}</groups>
          </enrollment>
        state: present
      notify: restart wazuh-agent

    # Enable realtime FIM via inotify. All directories go into one extra <syscheck> block
    # (Wazuh merges multiple <syscheck> sections). A single blockinfile call with a Jinja
    # loop is used on purpose: looping the task with the same marker would overwrite the
    # same block on every iteration and leave only the last directory.
    # report_changes stores a copy of every changed file under /var/ossec/queue/diff,
    # so think twice before enabling it for paths that hold secrets (/etc/shadow, /root).
    - name: Enable realtime monitoring for selected directories
      ansible.builtin.blockinfile:
        path: /var/ossec/etc/ossec.conf
        insertafter: '</syscheck>'
        marker: "<!-- {mark} ANSIBLE MANAGED BLOCK - realtime FIM -->"
        block: |
          <syscheck>
          {% for dir in fim_realtime_dirs %}
            <directories realtime="yes" report_changes="yes" check_all="yes">{{ dir }}</directories>
          {% endfor %}
          </syscheck>
        state: present
      notify: restart wazuh-agent

    # Disable the default non-realtime <directories> entries (optional), so the same
    # paths are not listed twice. Runs only right after a fresh install.
    - name: Comment out default syscheck directories (optional cleanup)
      ansible.builtin.replace:
        path: /var/ossec/etc/ossec.conf
        # matches <directories ...> lines that do not carry realtime="yes"; once a line
        # is wrapped in <!-- --> it no longer matches, so re-runs are no-ops
        regexp: '^(\s*)(<directories(?![^>]*realtime="yes")[^>]*>.*</directories>)\s*$'
        replace: '\1<!-- \2 -->'
      when: install_result.changed
      notify: restart wazuh-agent

    # ───────────────────────────────────────────────
    # inotify limit
    # ───────────────────────────────────────────────
    # Realtime syscheck takes one inotify watch per directory, and the kernel default
    # is often only 8192, far too low for /etc + /usr. Needs the ansible.posix
    # collection (ansible-galaxy collection install ansible.posix).

    - name: Set fs.inotify.max_user_watches (sysctl)
      ansible.posix.sysctl:
        name: fs.inotify.max_user_watches
        value: '524288'
        state: present
        sysctl_file: /etc/sysctl.d/98-wazuh-inotify.conf
        reload: yes       # runs sysctl -p on that file; no separate command task needed

    # ───────────────────────────────────────────────
    # Service start
    # ───────────────────────────────────────────────

    - name: Enable and start wazuh-agent service
      ansible.builtin.systemd:
        name: wazuh-agent
        enabled: yes
        state: started
        masked: no

  handlers:

    - name: restart wazuh-agent
      ansible.builtin.systemd:
        name: wazuh-agent
        state: restarted
        enabled: yes
```

### How to use

1. Put the RPM file next to the playbook, in the `files/` folder:
   ```
   files/
   └── wazuh-agent-4.9.0-1.x86_64.rpm
   ```

2. Edit the two main variables in the playbook:

   ```yaml
   wazuh_manager_ip: "10.55.1.5"
   wazuh_agent_group: "prod-web"
   ```

3. Run it:

   ```bash
   ansible-playbook -i inventory.ini wazuh-agent-deploy.yml
   ```

   Add `--check --diff` on the first run to preview the ossec.conf edits without applying them.
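As a post-deploy check, here is an added Python script (it is not part of the original note and not Wazuh's or Ansible's own code) that validates an ossec.conf against the intended state and estimates how many inotify watches realtime syscheck will need. The embedded ossec.conf is a constructed sample; it assumes the group is requested via `<enrollment><groups>`, the element a Wazuh 4.x agent uses to ask the manager for a group, and the watch estimate relies on inotify placing one watch per directory. `demo_tree()` builds a small constructed directory tree so the script runs offline.

```python
"""Post-deploy checks for a Wazuh agent ossec.conf and for the inotify watch budget
behind fs.inotify.max_user_watches. Added example, not part of the original note."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of /var/ossec/etc/ossec.conf after deployment (only the parts
# the checks look at). Assumes the group is requested via <enrollment><groups>.
SAMPLE_OSSEC_CONF = """\
<!--
  Wazuh - Agent - constructed sample
-->
<ossec_config>
  <client>
    <server>
      <address>192.168.10.10</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <!-- BEGIN ANSIBLE MANAGED BLOCK - enrollment -->
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>192.168.10.10</manager_address>
      <groups>linux-servers</groups>
    </enrollment>
    <!-- END ANSIBLE MANAGED BLOCK - enrollment -->
    <crypto_method>aes</crypto_method>
  </client>

  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <!-- <directories>/etc,/usr/bin,/usr/sbin</directories> -->
  </syscheck>
  <!-- BEGIN ANSIBLE MANAGED BLOCK - realtime FIM -->
  <syscheck>
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
    <directories realtime="yes" report_changes="yes" check_all="yes">/root</directories>
  </syscheck>
  <!-- END ANSIBLE MANAGED BLOCK - realtime FIM -->
</ossec_config>
"""


def hash_comment_lines(text):
    """1-based numbers of lines starting with '#' outside <!-- --> comments.
    ossec.conf is XML, so such lines (e.g. a default blockinfile marker) are
    not comments to the agent."""
    bad, in_comment = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not in_comment and line.strip().startswith("#"):
            bad.append(lineno)
        if "<!--" in line and "-->" not in line:
            in_comment = True
        elif "-->" in line:
            in_comment = False
    return bad


def check_agent_config(text, manager_ip, group, realtime_dirs):
    """Return a list of problems; an empty list means the file matches the intended state."""
    problems = [f"line {n}: '#' is not a comment in XML" for n in hash_comment_lines(text)]
    try:
        # Wazuh allows several top-level <ossec_config> blocks, so wrap them in one root.
        root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        return problems + [f"ossec.conf is not well-formed XML: {exc}"]

    addresses = [(e.text or "").strip() for e in root.iter("address")]
    if manager_ip not in addresses:
        problems.append(f"manager address {manager_ip} not set (found {addresses})")

    groups = [(e.text or "").strip() for e in root.iter("groups")]
    if group not in groups:
        problems.append(f"enrollment group {group} not requested (found {groups})")

    realtime = set()
    for e in root.iter("directories"):
        if e.get("realtime") == "yes":  # <directories> may list several comma-separated paths
            realtime.update(d.strip() for d in (e.text or "").split(","))
    for d in realtime_dirs:
        if d not in realtime:
            problems.append(f"{d} is not monitored in realtime")
    return problems


def inotify_watches_needed(paths):
    """Realtime syscheck registers one inotify watch per directory (files need none),
    so the demand is the number of directories in the monitored trees."""
    return sum(sum(1 for _ in os.walk(p)) for p in paths if os.path.isdir(p))


def inotify_headroom(paths, max_user_watches=524288):
    """Compare the watch demand with fs.inotify.max_user_watches (the playbook sets 524288)."""
    needed = inotify_watches_needed(paths)
    return {"needed": needed, "limit": max_user_watches, "ok": needed < max_user_watches}


def demo_tree():
    """Constructed tree for an offline run: base, a, a/a1, a/a2, b -> 5 directories."""
    base = tempfile.mkdtemp(prefix="fim-demo-")
    for sub in ("a/a1", "a/a2", "b"):
        os.makedirs(os.path.join(base, sub))
    for name in ("a/file1", "b/file2", "top"):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("x")
    return base


if __name__ == "__main__":
    print(check_agent_config(SAMPLE_OSSEC_CONF, "192.168.10.10", "linux-servers", ["/etc", "/root"]))
    print(check_agent_config(SAMPLE_OSSEC_CONF, "192.168.10.10", "linux-servers", ["/etc", "/boot"]))
    print(inotify_headroom([demo_tree()]))
    # On a real agent: check_agent_config(open("/var/ossec/etc/ossec.conf").read(), ...)
    # and inotify_headroom(fim_realtime_dirs) against /proc/sys/fs/inotify/max_user_watches
```

On a real host, feed `check_agent_config()` the actual `/var/ossec/etc/ossec.conf` before restarting the agent, and compare `inotify_headroom()` for the `fim_realtime_dirs` list with the value in `/proc/sys/fs/inotify/max_user_watches`; a demand close to the limit means `inotify_add_watch` will start failing with ENOSPC for syscheck and for every other inotify user on the box.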