Playbooks/Install_Wazuh_Ubuntu_Server.yaml

@@ -0,0 +1,31 @@
+---
+- name: Install Wazuh Agent on Ubuntu
+  hosts: ubuntu_hosts
+  become: yes  # Run tasks with sudo
+
+  tasks:
+    - name: Download Wazuh Agent Debian package
+      get_url:
+        url: "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb"
+        dest: "/tmp/wazuh-agent_4.6.0-1_amd64.deb"
+
+    - name: Install Wazuh Agent using dpkg
+      apt:
+        deb: "/tmp/wazuh-agent_4.6.0-1_amd64.deb"
+
+    - name: Set Wazuh Manager and Agent Group
+      lineinfile:
+        path: /var/ossec/etc/ossec.conf
+        regexp: '^\s*<client>'
+        line: |
+          <client>
+            <server-ip>wazuh.hagood.us</server-ip>
+            <agent_group>Servers,Ubuntu,Linux</agent_group>
+          </client>
+        backup: yes
+
+    - name: Reload Systemd and Enable/Start Wazuh Agent
+      systemd:
+        name: wazuh-agent
+        state: restarted
+        enabled: yes

Playbooks/Install_Wazuh_Ubuntu_Workstation.yaml

@@ -0,0 +1,31 @@
+---
+- name: Install Wazuh Agent on Ubuntu
+  hosts: ubuntu_hosts
+  become: yes  # Run tasks with sudo
+
+  tasks:
+    - name: Download Wazuh Agent Debian package
+      get_url:
+        url: "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.6.0-1_amd64.deb"
+        dest: "/tmp/wazuh-agent_4.6.0-1_amd64.deb"
+
+    - name: Install Wazuh Agent using dpkg
+      apt:
+        deb: "/tmp/wazuh-agent_4.6.0-1_amd64.deb"
+
+    - name: Set Wazuh Manager and Agent Group
+      lineinfile:
+        path: /var/ossec/etc/ossec.conf
+        regexp: '^\s*<client>'
+        line: |
+          <client>
+            <server-ip>wazuh.hagood.us</server-ip>
+            <agent_group>Workstations,Ubuntu,Linux</agent_group>
+          </client>
+        backup: yes
+
+    - name: Reload Systemd and Enable/Start Wazuh Agent
+      systemd:
+        name: wazuh-agent
+        state: restarted
+        enabled: yes

Playbooks/Install_Wazuh_Win_Server.yaml

@@ -0,0 +1,21 @@
+---
+- name: Install Wazuh Agent and Start Service
+  hosts: windows
+  gather_facts: false
+  tasks:
+    - name: Download Wazuh Agent MSI
+      win_shell: |
+        Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.6.0-1.msi -OutFile $env:temp\wazuh-agent
+      args:
+        executable: powershell.exe
+
+    - name: Install Wazuh Agent
+      win_shell: |
+        msiexec.exe /i $env:temp\wazuh-agent /q WAZUH_MANAGER='wazuh.hagood.us' WAZUH_AGENT_GROUP='Windows,Servers' WAZUH_REGISTRATION_SERVER='wazuh.hagood.us'
+      args:
+        executable: powershell.exe
+
+    - name: Start Wazuh Service
+      win_shell: "Start-Service -Name WazuhSvc"
+      args:
+        executable: powershell.exe

Playbooks/Install_Wazuh_Win_Workstation.yaml

@@ -0,0 +1,21 @@
+---
+- name: Install Wazuh Agent and Start Service
+  hosts: windows
+  gather_facts: false
+  tasks:
+    - name: Download Wazuh Agent MSI
+      win_shell: |
+        Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.6.0-1.msi -OutFile $env:temp\wazuh-agent
+      args:
+        executable: powershell.exe
+
+    - name: Install Wazuh Agent
+      win_shell: |
+        msiexec.exe /i $env:temp\wazuh-agent /q WAZUH_MANAGER='wazuh.hagood.us' WAZUH_AGENT_GROUP='Windows,Workstations' WAZUH_REGISTRATION_SERVER='wazuh.hagood.us'
+      args:
+        executable: powershell.exe
+
+    - name: Start Wazuh Service
+      win_shell: "Start-Service -Name WazuhSvc"
+      args:
+        executable: powershell.exe

Playbooks/Inventory.yaml

@@ -1,15 +1,66 @@
 [test1]
 automationtest ansible_host=10.50.150.77
 
-
+#Servers
 [ControlNode]
 ansible.ad.hagood.us 
 
-[PreProd]
-preprod.ad.hagood.us
+[Linux]
+App02.ad.hagood.us
+avahi.ad.hagood.us
+caddy.ad.hagood.us
+Docker01.ad.hagood.us
+gogs.ad.hagood.us
+pterodactly.ad.hagood.us
+Plex.ad.hagood.us
+wazuh.ad.hagood.us
+Web02.ad.hagood.us
+wings.ad.hagood.us
+
+[Linux:children]
+PiHole
+LinuxWorkStations
+
+[LinuxWorkStations]
+VM02.ad.hagood.us
+VM03.ad.hagood.us
+
+[PiHole]
+pihole01.ad.hagood.us
+pihole02.ad.hagood.us
+pihole03.ad.hagood.us
+
+[Windows]
+app01.ad.hagood.us
+EntCA.ad.hagood.us
+radius.ad.hagood.us
+rds2.ad.hagood.us
+torrent.ad.hagood.us
+sql01.ad.hagood.us
+#web01.ad.hagood.us
+FS1.ad.hagood.us
+
+[Windows:children]
+DomainControllers
+WinWorkStations
+
+[DomainControllers]
+DC01.ad.hagood.us
+DC02.ad.hagood.us
+DC03.ad.hagood.us
+
+[WinWorkStations]
+VM01.ad.hagood.us
+Chris1.ad.hagood.us
+
+[MacOS]
+
+
+[RedHat]
+rhel9-1.ad.hagood.us
 
-[Infrastructure]
-infrastructure.ad.hagood.us
+# Figure these out later
+[Other]
+Homeassistant.hagood.us
+powerchute.ad.hagood.us
 
-[Prod]
-prod.ad.hagood.us

Playbooks/Ubuntu_updates.yaml

@@ -8,14 +8,6 @@
       ansible.builtin.apt:
         upgrade: dist
         update_cache: yes
-    
-    - name: Install updates from pre-production systems
-      apt:
-        name: "{{ item.split('=')[0] }}"
-        version: "{{ item.split('=')[1] }}"
-        state: latest
-      with_lines:
-        - cat /local/path/to/updates.txt
 
     - name: Check if a reboot is required.
       ansible.builtin.stat:

Playbooks/Updates_with_reporting.yaml

@@ -0,0 +1,26 @@
+---
+- hosts: all
+  gather_facts: yes
+  become: yes
+
+  tasks:
+    - name: Perform a dist-upgrade.
+      ansible.builtin.apt:
+        update_cache: yes      
+        upgrade: dist
+      register: apt_result
+      ignore_errors: yes
+
+    - name: Check if a reboot is required.
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+        get_md5: no
+      register: reboot_required_file
+
+    - name: Reboot the server (if required).
+      ansible.builtin.reboot:
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer required.
+      ansible.builtin.apt:
+        autoremove: yes

Playbooks/Windows_Updates.yaml

@@ -0,0 +1,19 @@
+---
+- hosts: all
+  gather_facts: yes
+  become: yes
+
+  tasks:
+    - name: Install Windows updates
+      ansible.windows.win_updates:
+        category_names:
+          - SecurityUpdates
+          - CriticalUpdates
+          - UpdateRollups
+          - DefinitionUpdates
+          - Updates
+        reboot: true
+        reboot_timeout: 3600
+      register: win_update
+      when: apply_win_updates == true
+    

inventory.ini

@@ -0,0 +1,72 @@
+[ControlNode]
+ansible.ad.hagood.us
+
+[Linux]
+App02.ad.hagood.us
+avahi.ad.hagood.us
+caddy.ad.hagood.us
+Docker01.ad.hagood.us
+gogs.ad.hagood.us
+pterodactly.ad.hagood.us
+Plex.ad.hagood.us
+wazuh.ad.hagood.us
+Web02.ad.hagood.us
+wings.ad.hagood.us
+
+[Linux:children]
+PiHole
+LinuxWorkStations
+
+[LinuxWorkStations]
+VM02.ad.hagood.us
+VM03.ad.hagood.us
+
+[PiHole]
+pihole01.ad.hagood.us
+pihole02.ad.hagood.us
+pihole03.ad.hagood.us
+
+[Windows]
+app01.ad.hagood.us
+EntCA.ad.hagood.us
+radius.ad.hagood.us
+rds2.ad.hagood.us
+torrent.ad.hagood.us
+sql01.ad.hagood.us
+#web01.ad.hagood.us
+FS1.ad.hagood.us
+
+[Windows:children]
+DomainControllers
+WinWorkStations
+Test
+
+[DomainControllers]
+DC01.ad.hagood.us
+DC02.ad.hagood.us
+DC03.ad.hagood.us
+
+[WinWorkStations]
+VM01.ad.hagood.us
+Chris1.ad.hagood.us
+
+[Test]
+rds2.ad.hagood.us
+
+[Windows:vars]
+ansible_port=5985
+ansible_connection=winrm
+ansible_winrm_server_cert_validation=ignore
+ansible_user=ansible@ad.hagood.us
+ansible_password=@nsible
+
+[MacOS]
+ChrisHagoodsMBP.ad.hagood.us
+
+[RedHat]
+rhel9-1.ad.hagood.us
+
+# Figure these out later
+[Other]
+Homeassistant.hagood.us
+powerchute.ad.hagood.us