diff --git a/roles/install_agent/README.md b/roles/install_agent/README.md
index cfbe7a4..61b1cd4 100644
--- a/roles/install_agent/README.md
+++ b/roles/install_agent/README.md
@@ -33,11 +33,12 @@ Requirements
 An API key is required to use this role. It is considered best practice to create a specific 'API user' role for this purpose. The API user requires the following permissions:
-- Read site info
-- Read group info (if the scope is set to group)
-- Download agent packages
-- Read the site or group registration token
-- Read agent information
+- Endpoints -> View
+- Accounts -> View
+- Agent Packages -> View
+- Groups -> View (If the scope is set to "group")
+- Roles -> View
+- Sites -> View
 ### GPG Key (Linux only) You need to provide the gpg key to validate the package signatures correctly. You obtain the download link from the Sentinelone Help page: "**How to Install on a Linux Endpoint with Yum**".
diff --git a/roles/install_agent/tasks/Linux.yml b/roles/install_agent/tasks/Linux.yml
index 99ad08b..32d5519 100644
--- a/roles/install_agent/tasks/Linux.yml
+++ b/roles/install_agent/tasks/Linux.yml
@@ -27,7 +27,6 @@
 - name: "Block: RPM based systems"
 when: pkg_format == "rpm"
 block:
-
 - name: "Linux: Copy gpg key to remote server"
 ansible.builtin.copy:
 src: "{{ gpg_key }}"
@@ -53,22 +52,21 @@
 - name: "Block: DEB based systems"
 when: pkg_format == "deb"
+ become: true
 block:
 - name: "Install gpg"
 ansible.builtin.apt:
 name: gpg
 update_cache: true
- - name: "Linux: Copy gpg key to remote server"
+ - name: "Linux: Install GPG key to trusted.gpg.d"
 ansible.builtin.copy:
 src: "{{ gpg_key }}"
- dest: "{{ remote_gpg_key_path }}"
+ dest: /etc/apt/trusted.gpg.d/sentinelone.gpg
+ owner: root
+ group: root
 mode: "0644"
- - name: "Linux: Import GPG key for apt"
- ansible.builtin.apt_key:
- file: "{{ remote_gpg_key_path }}"
-
 - name: "Linux: Install deb agent package {{ remote_pkg_path }}"
 ansible.builtin.apt:
 deb: "{{ remote_pkg_path }}"
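Review bot: The copy to `/etc/apt/trusted.gpg.d/sentinelone.gpg` assumes `gpg_key` is already a binary (dearmored) OpenPGP keyring: apt does not load an ASCII-armored key from a `.gpg` file in that directory, whereas the removed `apt_key` task accepted either format, so the key should be dearmored before the copy (or given an `.asc` name on apt releases that accept armored keys there). A key in `trusted.gpg.d` is also trusted for every apt source on the host, not only SentinelOne packages, and since the agent is installed from a local `.deb` with no repository added in this hunk it is not visible what the key actually authenticates; a comment on the task would help, e.g. `# trusted for all apt sources on this host; required for <purpose> — TODO confirm`. The DEB block continues past this hunk, so whether `remote_gpg_key_path` is still defined or referenced elsewhere in the role cannot be checked here.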
diff --git a/roles/install_agent/tasks/main.yml b/roles/install_agent/tasks/main.yml
index a3863e5..ff4228e 100644
--- a/roles/install_agent/tasks/main.yml
+++ b/roles/install_agent/tasks/main.yml
@@ -31,6 +31,7 @@
 or sentinelagent_service.exists | default(false) else false }}"
 - name: "Download agent to localhost. Version: {{ agent_version }}"
+ become: false
 sva.sentinelone.sentinelone_download_agent:
 console_url: "{{ console_url }}"
 token: "{{ api_token }}"
@@ -47,6 +48,7 @@
 - name: "Block: Get registration token from API"
 run_once: true
+ become: false
 block:
 - name: "Get siteid"
 ansible.builtin.uri:
@@ -94,7 +96,7 @@
 - name: "Set endpoint URI to get the correct registration token"
 ansible.builtin.set_fact:
- reg_token_uri: "{{ \"groups/{{ groupid }}/token\" if group is defined else \"sites/{{ siteid }}/token\" }}"
+ reg_token_uri: "{{ 'groups/' ~ groupid ~ '/token' if group is defined else 'sites/' ~ siteid ~ '/token' }}"
 - name: "Get registration token"
 ansible.builtin.uri:
@@ -117,6 +119,7 @@
 ansible.builtin.include_tasks: "{{ custom_os_family }}.yml"
 - name: "Remove agent install package from localhost"
+ become: false
 ansible.builtin.file:
 path: "{{ return_download_agent.original_message.full_path }}"
 state: absent
@@ -124,6 +127,7 @@
 when: not agent_installed
 - name: "Fail if new client does not appear in management console"
+ become: false
 ansible.builtin.uri:
 url: "{{ api_url }}agents?siteIds={{ siteid }}&computerName={{ ansible_hostname | urlencode }}&isActive=true"
 method: GET
@@ -136,6 +140,6 @@
 register: registrationstatus
 delegate_to: localhost
 no_log: "{{ hide_sensitive }}"
- until: ((registrationstatus.json.data | length) > 0) and (registrationstatus.status == 200)
+ until: (registrationstatus.json.data | default([]) | length > 0) and (registrationstatus.status | default(0) == 200)
 retries: "{{ check_console_retries }}"
 delay: "{{ check_console_retry_delay }}"
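Review bot: `become: false` on the download task only drops privilege escalation; the hunk does not show `delegate_to: localhost` for this task, so whether it really runs on the controller as its name says cannot be confirmed here, and a short comment would keep the intent durable, e.g. `# controller-side API call: no privilege escalation needed` (the same applies to the `become: false` lines in the hunks at -47, -117 and -124). The task also hands `token: "{{ api_token }}"` to the custom module; unless that module declares `token` as `no_log`, the task should carry `no_log: "{{ hide_sensitive }}"` as the `uri` task at -136 does, so the API key does not appear in verbose task output. The task's remaining parameters continue past the hunk, so `no_log` may already be set there.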
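Review bot: The new `reg_token_uri` value mixes `~` concatenation with an unparenthesised `if … else …`; it parses as intended because the conditional binds loosest, but the grouping is clearer when made explicit: `reg_token_uri: "{{ ('groups/' ~ groupid ~ '/token') if group is defined else ('sites/' ~ siteid ~ '/token') }}"`. Both `groupid` and `siteid` are spliced into a URL path here, so they are presumably the values registered from the API lookups earlier in this file rather than user-supplied strings; that is not visible in this hunk and worth confirming.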
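Review bot: With the `default` guards in the new `until`, an HTTP 401/403 from the console (for example an API key lacking the `Endpoints -> View` permission the README now lists) is retried `check_console_retries` times exactly like "agent not yet visible", so a permanent authorisation failure is only reported after the whole retry budget and, with `no_log` set, without its cause. Consider ending the loop on those statuses so the task stops retrying and fails with the real status immediately, e.g. `until: (registrationstatus.status | default(0)) in [401, 403] or ((registrationstatus.json.data | default([]) | length > 0) and (registrationstatus.status | default(0) == 200))`. The task begins in the previous hunk, so any `status_code` or `failed_when` setting that already covers this is outside this view.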