Merge branch 'devel' into wazuh-agent-fixes

CHANGELOG.md

@@ -1,6 +1,30 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+
+## [v3.12.3_7.6.2]
+
+### Added
+
+- Update to Wazuh v3.12.2
+- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413)
+
+### Changed
+
+- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412)
+- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410)
+
+## [v3.12.2_7.6.2]
+
+### Added
+
+- Update to Wazuh v3.12.2
+
+### Fixed
+- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404)
+- Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401)
+- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400)
+
 ## [v3.12.0_7.6.1]
 
 ### Added

VERSION

@@ -1,2 +1,2 @@
 WAZUH-ANSIBLE_VERSION="v4"
-REVISION="31140"
+REVISION="31220"

playbooks/wazuh-manager-oss.yml

@@ -0,0 +1,9 @@
+---
+- hosts: managers
+  roles:
+#    - role: ../roles/wazuh/ansible-wazuh-manager
+    - role: ../roles/wazuh/ansible-filebeat-oss
+      filebeat_output_elasticsearch_hosts:
+      - "172.16.0.161:9200"
+      - "172.16.0.162:9200"
+      - "172.16.0.163:9200"

playbooks/wazuh-opendistro-kibana.yml

@@ -0,0 +1,4 @@
+---
+- hosts: es1
+  roles:
+    - role: ../roles/opendistro/opendistro-kibana

playbooks/wazuh-opendistro.yml

@@ -0,0 +1,4 @@
+---
+- hosts: es_cluster
+  roles:
+    - role: ../roles/opendistro/opendistro-elasticsearch

roles/elastic-stack/ansible-elasticsearch/README.md

@@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -4,8 +4,9 @@ elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_reachable_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 7.6.1
+elastic_stack_version: 7.7.0
 elasticsearch_lower_disk_requirements: false
+elasticsearch_path_repo: []
 
 elasticrepo:
   apt: 'https://artifacts.elastic.co/packages/7.x/apt'
@@ -36,7 +37,7 @@ node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/elasticsearch/certs
 
 # CA generation
-master_certs_path: /es_certs
+master_certs_path: "{{ playbook_dir }}/es_certs"
 generate_CA: true
 ca_key_name: ""
 ca_cert_name: ""

roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml

@@ -18,16 +18,6 @@
     - ansible_distribution == "Ubuntu"
     - ansible_distribution_major_version | int == 14
 
-- name: Update and upgrade apt packages
-  become: true
-  apt:
-    upgrade: yes
-    update_cache: yes
-    cache_valid_time: 86400 #One day
-  when:
-    - ansible_distribution == "Ubuntu"
-    - ansible_distribution_major_version | int == 14
-
 - name: Debian/Ubuntu | Add Elasticsearch GPG key.
   apt_key:
     url: "{{ elasticrepo.gpg }}"

roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml

@@ -102,6 +102,7 @@
     state: directory
     mode: 0700
   delegate_to: "127.0.0.1"
+  become: no
   when:
     - node_certs_generator
 
@@ -111,6 +112,7 @@
     state: directory
     mode: 0700
   delegate_to: "127.0.0.1"
+  become: no
   when:
     - node_certs_generator
 
@@ -139,6 +141,7 @@
     src: "{{ master_certs_path }}/certs.zip"
     dest: "{{ master_certs_path }}/"
   delegate_to: "127.0.0.1"
+  become: no
   when:
     - node_certs_generator
   tags:
@@ -149,6 +152,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    owner: root
+    group: elasticsearch
     mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@@ -164,6 +169,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    owner: root
+    group: elasticsearch
     mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@@ -178,9 +185,11 @@
 - name: Ensuring folder permissions
   file:
     path: "{{ node_certs_destination }}/"
-    mode: 0774
+    owner: root
+    group: elasticsearch
+    mode: 0770
     state: directory
-    recurse: yes
+    recurse: no
   when:
     - elasticsearch_xpack_security
     - generate_CA

roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2

@@ -6,6 +6,12 @@ path.data: /var/lib/elasticsearch
 path.logs: /var/log/elasticsearch
 bootstrap.memory_lock: true
 network.host: {{ elasticsearch_network_host }}
+{% if elasticsearch_path_repo | length>0 %}
+path.repo:
+{% for item in elasticsearch_path_repo %}
+  - {{ item }}
+{% endfor %}
+{% endif %}
 
 {% if single_node %}
 discovery.type: single-node

roles/elastic-stack/ansible-kibana/README.md

@@ -37,7 +37,7 @@ Example Playbook
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
-elastic_stack_version: 7.6.1
-wazuh_version: 3.12.0
+elastic_stack_version: 7.7.0
+wazuh_version: 3.12.3
 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
 
 elasticrepo:
@@ -34,7 +34,7 @@ node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/kibana/certs
 
 # CA Generation
-master_certs_path: /es_certs
+master_certs_path: "{{ playbook_dir }}/es_certs"
 generate_CA: true
 ca_cert_name: ""
 
@@ -50,4 +50,4 @@ build_from_sources: false
 wazuh_plugin_branch: 3.12-7.6
 
 #Nodejs NODE_OPTIONS
-node_options: --max-old-space-size=4096
+node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

roles/elastic-stack/ansible-kibana/tasks/main.yml

@@ -28,6 +28,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    owner: root
+    group: kibana
     mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@@ -42,6 +44,8 @@
   copy:
     src: "{{ item }}"
     dest: "{{ node_certs_destination }}/"
+    owner: root
+    group: kibana
     mode: 0440
   with_items:
     - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@@ -52,22 +56,14 @@
     - not generate_CA
   tags: xpack-security
 
-- name: Ensuring certificates folder owner
+- name: Ensuring certificates folder owner and permissions
   file:
     path: "{{ node_certs_destination }}/"
     state: directory
-    recurse: yes
+    recurse: no
     owner: kibana
     group: kibana
-  when:
-    - kibana_xpack_security
-  tags: xpack-security
-
-- name: Ensuring certificates folder owner
-  file:
-    path: "{{ node_certs_destination }}/"
     mode: 0770
-    recurse: yes
   when:
     - kibana_xpack_security
   notify: restart kibana
@@ -136,12 +132,12 @@
     - not build_from_sources
 
 - name: Kibana optimization (can take a while)
-  shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize
+  shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
   args:
     executable: /bin/bash
+    creates: /usr/share/kibana/optimize/wazuh/
   become: yes
   become_user: kibana
-  changed_when: false
   tags:
     - skip_ansible_lint
 
@@ -165,14 +161,20 @@
   file:
     path: /usr/share/kibana/optimize/wazuh/config/
     state: directory
+    recurse: yes
+    owner: kibana
+    group: kibana
+    mode: 0751
+  changed_when: False
 
 - name: Configure Wazuh Kibana Plugin
   template:
     src: wazuh.yml.j2
     dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
     owner: kibana
-    group: root
-    mode: 0644
+    group: kibana
+    mode: 0751
+  changed_when: False
 
 - name: Reload systemd configuration
   systemd:

roles/opendistro/opendistro-elasticsearch/defaults/main.yml

@@ -0,0 +1,58 @@
+---
+# The OpenDistro version
+opendistro_version: 1.8.0
+elasticsearch_cluster_name: wazuh-cluster
+
+# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
+minimum_master_nodes: 2
+
+# Elasticsearch version
+es_version: "7.3.2"
+es_major_version: "7.x"
+
+# Configure hostnames for Elasticsearch nodes
+# Example es1.example.com, es2.example.com
+domain_name: wazuh.com
+
+# The OpenDistro package repository
+package_repos:
+  yum:
+    opendistro:
+      baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
+      gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
+    elasticsearch_oss:
+      baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
+      gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+
+opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
+opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
+opendistro_conf_path: /etc/elasticsearch/
+es_nodes: |-
+        {% for item in groups['es_cluster'] -%}
+          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
+        {%- endfor %}
+
+# Security password
+opendistro_security_password: admin
+# Set JVM memory limits
+opendistro_jvm_xms: null
+
+opendistro_http_port: 9200
+
+certs_gen_tool_version: 1.7
+# Url of Search Guard certificates generator tool
+certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
+
+elasticrepo:
+  apt: 'https://artifacts.elastic.co/packages/7.x/apt'
+  yum: 'https://artifacts.elastic.co/packages/7.x/yum'
+  gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
+  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
+
+opendistro_admin_password: changeme
+opendistro_kibana_password: changeme
+# Cluster Settings
+single_node: true
+opendistro_cluster_name: wazuh
+
+local_certs_path: /tmp/opendistro-nodecerts

roles/opendistro/opendistro-elasticsearch/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart elasticsearch
+  service:
+    name: elasticsearch
+    state: restarted

roles/opendistro/opendistro-elasticsearch/meta/main.yml

@@ -0,0 +1,24 @@
+---
+galaxy_info:
+  author: Wazuh
+  description: Installing and maintaining Opendistro server.
+  company: wazuh.com
+  license: license (GPLv3)
+  min_ansible_version: 2.0
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+  galaxy_tags:
+    - web
+    - system
+    - monitoring

roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
+  yum_repository:
+    name: opendistro_repo
+    state: absent
+  changed_when: false