Fix tests after password encryption

.github/workflows/cluster.yml

@@ -82,7 +82,7 @@ jobs:
               cd /home/lme-user/LME/testing/v2/installers && \
               python3 ./azure/build_azure_linux_network.py \
                 -g pipe-${{ env.UNIQUE_ID }} \
-                -s 0.0.0.0/0 \
+                -s ${{ env.IP_ADDRESS }}/32 \
                 -vs Standard_D8_v4 \
                 -l centralus \
                 -ast 23:00 \
@@ -251,7 +251,7 @@ jobs:
         env:
           ES_PASSWORD: ${{ env.ES_PASSWORD }}
         run: |
-          sleep 120
+          sleep 360
           cd testing/v2/development
           docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
               ssh -o StrictHostKeyChecking=no lme-user@${{ env.AZURE_IP }} \
@@ -265,9 +265,7 @@ jobs:
         run: |
           cd testing/v2/development
           docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
-            cd /home/lme-user/LME/testing/v2/installers && \
-            IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
-            ssh lme-user@\$IP_ADDRESS  'cd /home/lme-user/LME/testing/tests && \
+            ssh lme-user@${{ env.AZURE_IP }} 'cd /home/lme-user/LME/testing/tests && \
             echo ELASTIC_PASSWORD=\"$ES_PASSWORD\" >> .env && \
             echo KIBANA_PASSWORD=\"$KIBANA_PASSWORD\" >> .env && \
             echo elastic=\"$ES_PASSWORD\" >> .env && \
@@ -282,14 +280,12 @@ jobs:
         run: |
           cd testing/v2/development
           docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c "
-            cd /home/lme-user/LME/testing/v2/installers && \
-            IP_ADDRESS=\$(cat pipe-${{ env.UNIQUE_ID }}.ip.txt) && \
-            ssh lme-user@\$IP_ADDRESS  'cd /home/lme-user/LME/testing/tests && \
+            ssh lme-user@${{ env.AZURE_IP }} 'cd /home/lme-user/LME/testing/tests && \
             echo ELASTIC_PASSWORD=\"$ES_PASSWORD\" >> .env && \
             echo KIBANA_PASSWORD=\"$KIBANA_PASSWORD\" >> .env && \
             echo elastic=\"$ES_PASSWORD\" >> .env && \
             source venv/bin/activate && \
-            pytest -v  selenium_tests/'
+            pytest -v selenium_tests/'
           "
 
       - name: Cleanup Azure resources
@@ -311,4 +307,4 @@ jobs:
         run: |
           cd testing/v2/development
           docker compose -p ${{ env.UNIQUE_ID }} down
-          docker system prune -af
+          docker system prune -af

.github/workflows/linux_only.yml

@@ -16,6 +16,7 @@ jobs:
       ES_PASSWORD: ""
       KIBANA_PASSWORD: ""
       AZURE_IP: ""
+      IP_ADDRESS: ""
 
     steps:
     - name: Checkout repository
@@ -26,6 +27,9 @@ jobs:
         cd testing/v2/development
         echo "HOST_UID=$(id -u)" > .env
         echo "HOST_GID=$(id -g)" >> .env
+        PUBLIC_IP=$(curl -s https://api.ipify.org)
+        echo "IP_ADDRESS=$PUBLIC_IP" >> $GITHUB_ENV
+
 
     - name: Start pipeline container
       run: |
@@ -57,7 +61,7 @@ jobs:
             cd /home/lme-user/LME/testing/v2/installers && \
             python3 ./azure/build_azure_linux_network.py \
               -g pipe-${{ env.UNIQUE_ID }} \
-              -s 0.0.0.0/0 \
+              -s ${{ env.IP_ADDRESS }}/32 \
               -vs Standard_E4d_v4 \
               -l westus \
               -ast 23:00 \

README.md

@@ -20,10 +20,11 @@ Ubuntu 22.04 server running podman containers setup as podman quadlets controlle
 ### Required Ports:
 Ports required are as follows:
  - Elasticsearch: *9200*
- - Kibana: 443
+ - Kibana: 443,5601 
  - Wazuh: *1514,1515,1516,55000,514*
  - Agent: *8220*
 
+**Kibana NOTE**: 5601 is the default port, and we've set kibana to listen on 443 as well
 
 ### Diagram: 
 
@@ -106,7 +107,7 @@ You can run this installer to run the total install in ansible.
 ```bash
 sudo apt update && sudo apt install -y ansible
 # cd ~/LME-PRIV/lme-2-arch # Or path to your clone of this repo
-ansible-playbook install_lme_local.yml
+ansible-playbook ./scripts/install_lme_local.yml
 ```
 This assumes that you have the repo in `~/LME/`. 
 
@@ -116,7 +117,6 @@ ansible-playbook ./scripts/install_lme_local.yml -e "clone_dir=/path/to/clone/di
 ```
 
 This also assumes your user can sudo without a password. If you need to input a password when you sudo, you can run it with the `-K` flag and it will prompt you for a password. 
-There is a step that will fail, this is expected, it is checking for podman secrets to see if they exist... on an intial install none will exist :) 
 
 #### Steps performed in automated install: 
 TODO finalize this with more words 
@@ -133,9 +133,7 @@ TODO finalize this with more words
 
 1. `/opt/lme` will be owned by the lmed user, all lme services will run and execute as lmed, and this ensures least privilege in lmed's execution because lmed is a non-admin,unprivileged user.
 
-3. [this script](/scripts/set_sysctl_limits.sh) is executed via ansible AND  will change unprivileged ports to start at 80, to allow kibana to listen on 443 from a user run container. If this is not desired, we will be publishing steps to setup firewall rules using ufw//iptables to manage the firewall on this host at a later time. 
-
-4. the master password will be stored at `/etc/lme/pass.sh` and owned by root, while service user passwords will be stored at `/etc/lme/vault/`
+2. the master password will be stored at `/etc/lme/pass.sh` and owned by root, while service user passwords will be stored at `/etc/lme/vault/`
 
 
 ### Verification post install:
@@ -156,15 +154,13 @@ sudo -i journalctl -xu lme.service
 #try resetting failed: 
 sudo -i systemctl  reset-failed lme*
 sudo -i systemctl  restart lme.service
-```
 
-2. Check you can connect to elasticsearch
-```bash
-#substitute your password below:
-curl -k -u elastic:$(sudo -i ansible-vault view /etc/lme/vault/$(sudo -i podman secret ls | grep elastic | awk '{print $1}') | tr -d '\n') https://localhost:9200
+#also try inspecting container logs: 
+#CONTAINER_NAME=lme-elasticsearch
+sudo -i podman logs -f $CONTAINER_NAME
 ```
 
-3. Check conatiners are running:
+2. Check conatiners are running and healthy:
 ```bash
 sudo -i podman ps --format "{{.Names}} {{.Status}}"
 ```  
@@ -176,11 +172,19 @@ lme-kibana Up 2 hours (healthy)
 lme-wazuh-manager Up About an hour
 lme-fleet-server Up 50 minutes
 ```
+We are working on getting health check commands for wazuh and fleet, currently they are not integrated
+
+3. Check you can connect to elasticsearch
+```bash
+#substitute your password below:
+curl -k -u elastic:$(sudo -i ansible-vault view /etc/lme/vault/$(sudo -i podman secret ls | grep elastic | awk '{print $1}') | tr -d '\n') https://localhost:9200
+```
 
 4. Check you can connect to kibana
+You can use an ssh proxy to forward a local port to the remote linux host
 ```bash
-#connect via ssh
-ssh -L 8080:localhost:443 [YOUR-LINUX-SERVER]
+#connect via ssh if you need to 
+ssh -L 8080:localhost:5601 [YOUR-LINUX-SERVER]
 #go to browser:
 #https://localhost:8080
 ```

scripts/install_lme_local.yml → ansible/install_lme_local.yml

@@ -244,7 +244,6 @@
       set_fact:
         ansible_env: "{{ ansible_env | combine({'PATH': ansible_env.PATH ~ ':/nix/var/nix/profiles/default/bin'}) }}"
 
-
     - name: Update PATH in user's profile
       lineinfile:
         path: "~/.profile"
@@ -291,7 +290,9 @@
       args:
         executable: /bin/bash
       ignore_errors: true
-
+      #only fail on a real error
+      failed_when: result.rc != 0 and (result.rc == 1 and result.changed == false)
+
     - name: Set podman secret passwords
       shell: |
         source /root/.profile 
@@ -306,7 +307,8 @@
         - wazuh_api
         - wazuh
       become: yes
-      when: result is failed
+      ## only run this when
+      when: result.rc == 1 
 
 - name: Install Quadlets
   hosts: localhost