deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #6133 from konstruktoid/installationansible

Browse Source 
more generic, but still very basic, ansible task examples.
This commit is contained in:
Daniel Simpson
2020-03-18 05:32:02 -07:00
committed by GitHub
parent 47740fd407 459af1ae6b
commit 3fd4969b8e
1 changed files with 33 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -1,6 +1,6 @@
--- ---
title: Deploy Microsoft Defender ATP for Linux with Ansible title: Deploy Microsoft Defender ATP for Linux with Ansible
ms.reviewer: ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible. description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium ms.localizationpriority: medium
manager: dansimp manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
--- ---
@ -36,14 +36,14 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
- Ansible needs to be installed on at least on one computer (we will call it the master). - Ansible needs to be installed on at least on one computer (we will call it the master).
- Passwordless SSH must be configured for the root user between the master and all clients. - SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients: - The following software must be installed on all clients:
- Python-apt - curl
- Curl - python-apt
- Unzip - unzip
- All hosts must be listed in the following format in the `/etc/ansible/hosts` file: - All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
```bash ```bash
[servers] [servers]
host1 ansible_ssh_host=10.171.134.39 host1 ansible_ssh_host=10.171.134.39
@ -67,7 +67,7 @@ Download the onboarding package from Microsoft Defender Security Center:
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive: 4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash ```bash
$ ls -l $ ls -l
total 8 total 8
@ -79,12 +79,11 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files ## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory. Create subtask or role files that contribute to an actual task. First create the `copy_onboarding_pkg.yml` file under the `/etc/ansible/roles` directory:
- Copy the onboarding package to all client machines: - Copy the onboarding package to all client machines:
```bash ```bash
$ cat /etc/ansible/roles/copy_onboarding_pkg.yml
- name: Copy the zip file - name: Copy the zip file
copy: copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip src: /root/WindowsDefenderATPOnboardingPackage.zip
@ -92,29 +91,33 @@ Create subtask or role files that contribute to an actual task. Create the follo
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
- name: Add Microsoft apt signing key
apt_key:
url: https://packages.microsoft.com/keys/microsoft.asc
state: present
when: ansible_os_family == "Debian"
``` ```
- Create a `setup.sh` script that operates on the onboarding file: - Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
```bash ```bash
$ cat /root/setup.sh
#!/bin/bash #!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file # Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/ mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
# get the GPG key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
``` ```
- Create the onboarding file: - Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
```bash ```bash
$ cat setup_blob.yml - name: Register mdatp_onboard.json
stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
register: mdatp_onboard
- name: Copy the setup script file - name: Copy the setup script file
copy: copy:
src: /root/setup.sh src: /root/setup.sh
@ -124,7 +127,8 @@ Create subtask or role files that contribute to an actual task. Create the follo
mode: '0744' mode: '0744'
- name: Run a script to create the onboarding file - name: Run a script to create the onboarding file
script: /root/setup.sh script: /root/setup.sh
when: not mdatp_onboard.stat.exists
``` ```
- Add the Microsoft Defender ATP repository and key. - Add the Microsoft Defender ATP repository and key.
@ -142,28 +146,22 @@ Create subtask or role files that contribute to an actual task. Create the follo
> [!NOTE] > [!NOTE]
> In case of Oracle Linux, replace *[distro]* with “rhel”. > In case of Oracle Linux, replace *[distro]* with “rhel”.
- For apt-based distributions use the following YAML file:
```bash ```bash
$ cat add_apt_repo.yml - name: Add Microsoft apt repository for MDATP
- name: Add Microsoft repository for MDATP
apt_repository: apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
update_cache: yes update_cache: yes
state: present state: present
filename: microsoft-[channel].list filename: microsoft-[channel].list
when: ansible_os_family == "Debian"
- name: Add Microsoft APT key - name: Add Microsoft APT key
apt_key: apt_key:
keyserver: https://packages.microsoft.com/ keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C id: BC528686B50D79E339D3721CEB3E94ADBE1229C
``` when: ansible_os_family == "Debian"
- For yum-based distributions use the following YAML file: - name: Add Microsoft yum repository for MDATP
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
yum_repository: yum_repository:
name: packages-microsoft-com-prod-[channel] name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP description: Microsoft Defender ATP
@ -171,6 +169,7 @@ Create subtask or role files that contribute to an actual task. Create the follo
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/ baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes gpgcheck: yes
enabled: Yes enabled: Yes
when: ansible_os_family == "RedHat"
``` ```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`. - Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.