When the agent registers, the API call to get information about it delegate_to: localhost.
When the wazuh manager is behind a firewall that does not allow the ansible controller access to the API port 55000, the call will timeout and the registration will fail.
It looks this delegation was added here:
https://github.com/wazuh/wazuh-ansible/commit/6cb6d3bda84c65508881e293e3403dae94ff24cc#diff-f382f2db5d2e651b16fc4b92ec32e988R90
The Linux | Create the agent key via rest-API
task was previously doing the same. That has since been changed as well. I think this was just missed.
Hi @singuliere and @paulcalabro I'm the one to blame for that code. :)
If you go ahead and remove that line, you're assuming that the client you're trying to register is able to reach the wazuh-api.
IMHO from a security point of view, it's better to allow the ansible controller to reach the wazuh-api than let every single client connect to the api. The API should be protected and isolated from managed hosts because it can be used for malicious operations.
For example. in my company, our wazuh clients cannot reach the api because the manager is running on procteded network behind a firewall; in this case, your registration logic won't work for our scenario.
What we can do is let the user choose what kind of registration logic wants (ansible-manager -> wazuh-API or wazuh-client -> wazuh-API) .
Let me think about a proper solution... :thinking:
That's a fair argument for keeping it. I think I expected the registration to occur from the agent b/c of how the authd registration functions. But, your approach is more secure. If this could be made configurable to address networking constraints, it would be ideal.
@angystardust thanks for the explanation, it makes perfect sense. It currently is inconsistent (because 689bb8ff35b38fa8258f82db219a4d2565dc5239 removed one delegate_to and not the other) and I wrongly assumed the right solution was the one matching my own use case.
Since @paulcalabro seems to agree with the idea of making it configurable, I'll amend the pull request accordingly.
Most helpful comment
Hi @singuliere and @paulcalabro I'm the one to blame for that code. :)
If you go ahead and remove that line, you're assuming that the client you're trying to register is able to reach the wazuh-api.
IMHO from a security point of view, it's better to allow the ansible controller to reach the wazuh-api than let every single client connect to the api. The API should be protected and isolated from managed hosts because it can be used for malicious operations.
For example. in my company, our wazuh clients cannot reach the api because the manager is running on procteded network behind a firewall; in this case, your registration logic won't work for our scenario.
What we can do is let the user choose what kind of registration logic wants (ansible-manager -> wazuh-API or wazuh-client -> wazuh-API) .
Let me think about a proper solution... :thinking: