From 7cce8e9490421b7ddfd3144915659111a6490b89 Mon Sep 17 00:00:00 2001 From: singuliere Date: Tue, 8 Jan 2019 13:58:41 +0100 Subject: [PATCH 01/76] make agent registration delegate_to configurable Registering to the API requires the port 55000 of the wazuh manager is open. Depending on the firewall policy, it may be true from the ansible controller, reason why it was delegated to localhost in the original implementation at 6cb6d3bda84c65508881e293e3403dae94ff24cc The role should be more flexible and allow for the API call to be made from the ansible controller or the host. Implementation note: although it would be more elegant to use omit instead of inventory_hostname, it is not possible because of an ansible bug at this time https://github.com/ansible/ansible/issues/26009 Fixes: https://github.com/wazuh/wazuh-ansible/issues/126 Signed-off-by: singuliere --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 56580b751..dd56cb424 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -6,6 +6,7 @@ wazuh_managers: api_port: 55000 api_proto: 'http' api_user: null +wazuh_api_reachable_from_agent: false wazuh_profile: null wazuh_auto_restart: 'yes' wazuh_agent_authd: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 2d17fb168..f16e5997e 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
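Review bot: The new `wazuh_api_reachable_from_agent` key carries no comment, yet it decides where the manager's API credentials are sent: with `true` the registration `uri` tasks run on the agent host, so `api_pass` is shipped to every agent as a module argument and, with the `api_proto: 'http'` default two lines above, leaves that host over plain HTTP. Add a comment above it such as `# true: call the manager API from the agent host instead of the controller; this sends the API password to the agent, so pair it with api_proto: 'https'`. The tasks that consume the flag are in the Linux.yml hunks that follow.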
@@ -95,11 +95,12 @@
 user: "{{ wazuh_managers.0.api_user }}"
 password: "{{ api_pass }}"
 register: newagent_api
+ delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
+ become: no
 changed_when: newagent_api.json.error == 0
 when:
 - check_keys.stat.exists == false or check_keys.stat.size == 0
 - wazuh_managers.0.address is not none
- become: no
 tags:
 - config
 - api
@@ -117,7 +118,7 @@
 - wazuh_managers.0.address is not none
 - newagent_api.json.error == 0
 register: newagentdata_api
- delegate_to: localhost
+ delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
 become: no
 tags:
 - config
From 68166a49e1465319dd0d45ec5c4b92d6fe3a15b6 Mon Sep 17 00:00:00 2001
From: limitup <17516880+limitup@users.noreply.github.com>
Date: Mon, 14 Oct 2019 17:01:56 -0500
Subject: [PATCH 02/76] Update Manager templates for integrations
---
 .../ansible-wazuh-manager/defaults/main.yml | 20 ++++++++
 .../ansible-wazuh-manager/tasks/main.yml | 10 ++++
 .../var-ossec-etc-ossec-server.conf.j2 | 49 +++++++++++++++++++
 .../ansible-wazuh-manager/vars/aws_creds.yml | 11 +++++
 .../vars/external_API_creds.yml | 9 ++++
 5 files changed, 99 insertions(+)
 create mode 100644 roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml
 create mode 100644 roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 170a8da56..f1ad38261 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
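Review bot: Delegating the registration `uri` call to `inventory_hostname` changes who talks to the API but nothing checks the transport, and the role default is `api_proto: 'http'` (defaults hunk above), so once `wazuh_api_reachable_from_agent` is true the `user`/`password` basic-auth pair travels from each agent to port 55000 in clear and the agent host must also be trusted with `api_pass`. Add an `assert` ahead of these tasks with `that: not wazuh_api_reachable_from_agent or wazuh_managers.0.api_proto == 'https'` and a `fail_msg` saying why, or make the delegation expression refuse the host path when the protocol is http. Because the task arguments carry the password, confirm the task header above the hunk sets `no_log: true`; it is not visible here. Both delegated tasks begin above their hunks.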
@@ -260,6 +260,26 @@ wazuh_manager_config: - server: null port: null format: null + integrations: + - name: 'slack' + hook_url: + alert_level: 10 + alert_format: 'json' + - name: 'pagerduty' + api_key: + alert_level: 10 + monitor_aws: + disable: 'no' + internal: '10m' + run_on_start: 'yes' + skip_on_error: 'yes' + s3: + - name: 's3-bucket-example-name' + bucket_type: 'guardduty' + path: 'path' + only_logs_after: '1970-JAN-01' + access_key: + secret_key: labels: enable: false list: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index a1afbb4cf..c247e60f9 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -200,6 +200,16 @@ tags: - config +- name: Retrieving external API Credentials + include_vars: external_API_creds.yml + tags: + - config + +- name: Retrieving AWS Credentials + include_vars: aws_creds.yml + tags: + - config + - name: Retrieving Wazuh-API User Credentials include_vars: wazuh_api_creds.yml when: diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 65ae38fb6..5995d79a9 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
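Review bot: The new `integrations`/`monitor_aws` defaults introduce four secret-bearing keys (`hook_url`, `api_key`, `access_key`, `secret_key`) in `defaults/main.yml`, with example values that invite users to fill them in place and commit them, and the template in this commit writes them straight into ossec.conf. Keep them as `null` placeholders and add a comment above the block such as `# Secrets: supply hook_url/api_key/access_key/secret_key from an ansible-vault variable; prefer an IAM instance role over static S3 keys` so the intended handling is visible where the values are set. Note that a Slack `hook_url` is a bearer credential in its own right and should be treated exactly like `api_key`.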
@@ -530,6 +530,55 @@ {% endfor %} {% endif %} +{% if wazuh_manager_config.integrations is defined %} +{% for integration in wazuh_manager_config.integrations %} +{% if integration.name is not none %} + + + {{ integration.name }} + {% if integration.hook_url is defined %} + {{ integration.hook_url }} + {% endif %} + {% if integration.api_key is defined %} + {{ integration.api_key }} + {% endif %} + {% if integration.alert_format is defined %} + {{ integration.alert_format }} + {% endif %} + {% if integration.alert_level is defined %} + {{ integration.alert_level }} + {% endif %} + {% if integration.rule_id is defined %} + {{ integration.rule_id }} + {% endif %} + +{% endif %} +{% endfor %} +{% endif %} + +{% if monitor_aws is defined %} + + + {{ monitor_aws.disable }} + {{ monitor_aws.interval }} + {{ monitor_aws.run_on_start }} + {{ monitor_aws.skip_on_error }} + {% for bucket in monitor_aws.s3 %} + + {{ bucket.name }} + {% if bucket.path is defined %} + {{ bucket.path }} + {% endif %} + {% if bucket.only_logs_after is defined %} + {{ bucket.only_logs_after }} + {% endif %} + {{ bucket.access_key }} + {{ bucket.secret_key }} + + {% endfor %} + +{% endif %} + {% if wazuh_manager_config.labels.enable == true %} {% for label in wazuh_manager_config.labels.list %} diff --git a/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml new file mode 100644 index 000000000..1a1649002 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml @@ -0,0 +1,11 @@ +--- +monitor_aws: + disable: 'no' + interval: '10m' + run_on_start: 'yes' + skip_on_error: 'yes' + s3: + - name: 'S3_bucket' + bucket_type: 'guardduty' + access_key: '' + secret_key: '' diff --git a/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml new file mode 100644 index 000000000..2d743af00 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml 
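Review bot: The AWS block tests a top-level `monitor_aws` (`{% if monitor_aws is defined %}`) while everything else in this template, and the defaults added in this commit, hang off `wazuh_manager_config`, so `wazuh_manager_config.monitor_aws` never reaches ossec.conf and the block only fires through the `vars/aws_creds.yml` include added alongside it; pick one location, e.g. `{% if wazuh_manager_config.monitor_aws is defined %}` with matching `bucket` references. `{{ bucket.access_key }}` and `{{ bucket.secret_key }}` are also emitted unconditionally, unlike `path`, so a bucket meant to use an IAM role gets empty or `None` credential elements — guard them with `{% if bucket.access_key is defined and bucket.access_key %}`. The XML element names were stripped in this rendering, so I cannot confirm `bucket_type` is written as the bucket's `type` attribute; it is not read anywhere in the visible block.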
@@ -0,0 +1,9 @@ +#--- +#integrations: +# - name: 'slack' +# hook_url: +# alert_level: 10 +# alert_format: 'json' +# - name: 'pagerduty' +# api_key: +# alert_level: 10 From a49f394858cb93fe902c7960e8e46a6bc9c398ac Mon Sep 17 00:00:00 2001 From: limitup <17516880+limitup@users.noreply.github.com> Date: Mon, 14 Oct 2019 17:12:43 -0500 Subject: [PATCH 03/76] Add pseudo credentials for template --- .../ansible-wazuh-manager/defaults/main.yml | 6 ++--- .../ansible-wazuh-manager/vars/aws_creds.yml | 22 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index f1ad38261..a5840bec6 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -266,7 +266,7 @@ wazuh_manager_config: alert_level: 10 alert_format: 'json' - name: 'pagerduty' - api_key: + api_key: '' alert_level: 10 monitor_aws: disable: 'no' @@ -278,8 +278,8 @@ wazuh_manager_config: bucket_type: 'guardduty' path: 'path' only_logs_after: '1970-JAN-01' - access_key: - secret_key: + access_key: '' + secret_key: '' labels: enable: false list: diff --git a/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml index 1a1649002..6251c2929 100644 --- a/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml +++ b/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml @@ -1,11 +1,11 @@ ---- -monitor_aws: - disable: 'no' - interval: '10m' - run_on_start: 'yes' - skip_on_error: 'yes' - s3: - - name: 'S3_bucket' - bucket_type: 'guardduty' - access_key: '' - secret_key: '' +#--- +#monitor_aws: +# disable: 'no' +# interval: '10m' +# run_on_start: 'yes' +# skip_on_error: 'yes' +# s3: +# - name: 'S3_bucket' +# bucket_type: 'guardduty' +# access_key: '' +# secret_key: '' From dd0c0d24ad15b3d765ffc999a6704c715c05109a Mon Sep 17 00:00:00 2001 
From: limitup <17516880+limitup@users.noreply.github.com> Date: Mon, 14 Oct 2019 17:25:50 -0500 Subject: [PATCH 04/76] adjust for passing strings --- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +- .../wazuh/ansible-wazuh-manager/vars/external_API_creds.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index a5840bec6..f86d7bf33 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -262,7 +262,7 @@ wazuh_manager_config: format: null integrations: - name: 'slack' - hook_url: + hook_url: '' alert_level: 10 alert_format: 'json' - name: 'pagerduty' diff --git a/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml index 2d743af00..5b557fea4 100644 --- a/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml +++ b/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml @@ -1,9 +1,9 @@ #--- #integrations: # - name: 'slack' -# hook_url: -# alert_level: 10 +# hook_url: '' +# rule_id: '80102' # alert_format: 'json' # - name: 'pagerduty' -# api_key: +# api_key: '' # alert_level: 10 From 0252131041284841e1ecb68f4ea20ec93a098878 Mon Sep 17 00:00:00 2001 From: limitup <17516880+limitup@users.noreply.github.com> Date: Thu, 31 Oct 2019 08:29:11 -0500 Subject: [PATCH 05/76] Recommended changes --- .../ansible-wazuh-manager/defaults/main.yml | 21 +++++++++++-------- .../ansible-wazuh-manager/tasks/main.yml | 10 --------- .../ansible-wazuh-manager/vars/aws_creds.yml | 11 ---------- .../vars/external_API_creds.yml | 9 -------- 4 files changed, 12 insertions(+), 39 deletions(-) delete mode 100644 roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml 
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index f86d7bf33..ddc620932 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -261,25 +261,28 @@ wazuh_manager_config: port: null format: null integrations: - - name: 'slack' + #slack + - name: null hook_url: '' alert_level: 10 alert_format: 'json' - - name: 'pagerduty' + rule_id: null + #pagerduty + - name: null api_key: '' - alert_level: 10 + alert_level: 12 monitor_aws: disable: 'no' internal: '10m' run_on_start: 'yes' skip_on_error: 'yes' s3: - - name: 's3-bucket-example-name' - bucket_type: 'guardduty' - path: 'path' - only_logs_after: '1970-JAN-01' - access_key: '' - secret_key: '' + - name: null + bucket_type: null + path: null + only_logs_after: null + access_key: null + secret_key: null labels: enable: false list: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index c247e60f9..a1afbb4cf 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -200,16 +200,6 @@ tags: - config -- name: Retrieving external API Credentials - include_vars: external_API_creds.yml - tags: - - config - -- name: Retrieving AWS Credentials - include_vars: aws_creds.yml - tags: - - config - - name: Retrieving Wazuh-API User Credentials include_vars: wazuh_api_creds.yml when: diff --git a/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml deleted file mode 100644 index 6251c2929..000000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/aws_creds.yml +++ /dev/null @@ -1,11 +0,0 @@ -#--- -#monitor_aws: -# disable: 'no' -# interval: '10m' -# run_on_start: 'yes' -# skip_on_error: 'yes' -# s3: -# - name: 'S3_bucket' -# bucket_type: 'guardduty' -# access_key: '' -# secret_key: '' 
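Review bot: With `vars/aws_creds.yml` and its `include_vars` removed in this same commit, the `monitor_aws` defaults under `wazuh_manager_config` are dead as far as this series shows: the template from patch 02 still keys the wodle on a top-level `monitor_aws` (`{% if monitor_aws is defined %}`), so nothing here is rendered unless the user defines that top-level variable themselves. Either update the template to `wazuh_manager_config.monitor_aws` or add a comment on this block stating that `monitor_aws` must be set at top level. Setting `access_key`/`secret_key` to `null` is the right default, but since the template interpolates them unguarded the comment should also say to supply them from ansible-vault or to rely on an IAM instance role.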
diff --git a/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml deleted file mode 100644 index 5b557fea4..000000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/external_API_creds.yml +++ /dev/null @@ -1,9 +0,0 @@ -#--- -#integrations: -# - name: 'slack' -# hook_url: '' -# rule_id: '80102' -# alert_format: 'json' -# - name: 'pagerduty' -# api_key: '' -# alert_level: 10 From d9b693066334714840da4db0daa7bf980ecd4095 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 23 Mar 2020 18:24:27 +0100 Subject: [PATCH 06/76] Update roles/wazuh/ansible-wazuh-manager/defaults/main.yml --- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index ddc620932..819968486 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -273,7 +273,7 @@ wazuh_manager_config: alert_level: 12 monitor_aws: disable: 'no' - internal: '10m' + interval: '10m' run_on_start: 'yes' skip_on_error: 'yes' s3: From cd5a00633117dc94fda220133a71f67ab184e34a Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Mar 2020 20:25:38 +0100 Subject: [PATCH 07/76] Update path for wazuh.yml --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index efd16de52..2e39391f4 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -161,10 +161,15 @@
 validate_certs: no
 status_code: 200, 404

+- name: Create wazuh plugin config directory
+ file:
+ path: /usr/share/kibana/optimize/wazuh/config/
+ state: directory
+
 - name: Configure Wazuh Kibana Plugin
 template:
 src: wazuh.yml.j2
- dest: /usr/share/kibana/plugins/wazuh/wazuh.yml
+ dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
 owner: kibana
 group: root
 mode: 0644
From 9cdce6e988d697022ffe6546185157fe9befc66c Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez
Date: Thu, 26 Mar 2020 14:43:47 +0100
Subject: [PATCH 08/76] Fix permissions
---
 roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml
index 2e39391f4..276730600 100644
--- a/roles/elastic-stack/ansible-kibana/tasks/main.yml
+++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml
@@ -165,6 +165,10 @@
 file:
 path: /usr/share/kibana/optimize/wazuh/config/
 state: directory
+ recurse: yes
+ owner: kibana
+ group: kibana
+ mode: '0755'

 - name: Configure Wazuh Kibana Plugin
 template:
From 605ec63caf4549156b82283d199b5b470cc487ea Mon Sep 17 00:00:00 2001
From: "Manuel J. Bernal"
Date: Thu, 2 Apr 2020 15:03:08 +0200
Subject: [PATCH 09/76] Removed duplicated block
---
 .../ansible-elasticsearch/tasks/Debian.yml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
index 74c6bcf23..20f4231b2 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
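Review bot: `mode: 0644` leaves `wazuh.yml` world-readable; this is the Wazuh Kibana app's configuration and, if `wazuh.yml.j2` follows the app's format (the template is not in this hunk, so confirm), it holds the API `hosts` entries with the Wazuh API username and password, readable by every local account on the Kibana node. Use `mode: '0640'` with `group: kibana` so only the plugin's user and group can read it; quoting the mode also avoids the YAML octal ambiguity of a bare `0644`.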
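Review bot: `recurse: yes` together with `mode: '0755'` re-applies 0755 to everything under the directory, including the `wazuh.yml` that the next task writes with `mode: 0644`, so each run flips the file to 0755 and back and briefly marks a credentials file executable; this is the non-idempotence the later commit in this series reacts to. Drop `recurse: yes` and keep `owner`/`group`/`mode` on the directory alone, using `mode: '0750'` so the config directory is not world-listable.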
@@ -18,16 +18,6 @@
 - ansible_distribution == "Ubuntu"
 - ansible_distribution_major_version | int == 14

-- name: Update and upgrade apt packages
- become: true
- apt:
- upgrade: yes
- update_cache: yes
- cache_valid_time: 86400 #One day
- when:
- - ansible_distribution == "Ubuntu"
- - ansible_distribution_major_version | int == 14
-
 - name: Debian/Ubuntu | Add Elasticsearch GPG key.
 apt_key:
 url: "{{ elasticrepo.gpg }}"
From 488508815baeedb88e8564c509c05d88ce520081 Mon Sep 17 00:00:00 2001
From: Zenidd
Date: Mon, 6 Apr 2020 15:39:33 +0200
Subject: [PATCH 10/76] Removing owner:group and permissions masks to be idempotence compliant
---
 roles/elastic-stack/ansible-kibana/tasks/main.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml
index 276730600..2129c0df4 100644
--- a/roles/elastic-stack/ansible-kibana/tasks/main.yml
+++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml
@@ -166,17 +166,11 @@
 path: /usr/share/kibana/optimize/wazuh/config/
 state: directory
 recurse: yes
- owner: kibana
- group: kibana
- mode: '0755'

 - name: Configure Wazuh Kibana Plugin
 template:
 src: wazuh.yml.j2
 dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
- owner: kibana
- group: root
- mode: 0644

 - name: Reload systemd configuration
 systemd:
From 2d8029d6bfab09ebd5d4f7a16a249bfd3c46fe0a Mon Sep 17 00:00:00 2001
From: Zenidd
Date: Mon, 6 Apr 2020 16:41:24 +0200
Subject: [PATCH 11/76] Removing python-cryptography module
---
 .../ansible-wazuh-manager/tasks/RedHat.yml | 20 -------------------
 1 file changed, 20 deletions(-)
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
index cb0dbf5ad..2e0751fde 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
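Review bot: Removing `owner`/`group`/`mode` from both tasks does not make the play idempotent, it makes the permissions undefined: `wazuh.yml` now gets whatever the Ansible user's umask yields (typically root:root 0644, world-readable for a file that carries the Wazuh API credentials), and the directory keeps `recurse: yes` with no attributes left to apply. The actual culprit is `recurse: yes` re-applying the directory's mode to the file on every run before the template task resets it; delete that line and keep explicit attributes — `owner: kibana`, `group: kibana`, `mode: '0640'` on the template task and `mode: '0750'` on the directory — which the `file` and `template` modules apply idempotently once they stop fighting each other.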
@@ -62,25 +62,6 @@ - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - wazuh_manager_config.cluster.disable != 'yes' -- name: CentOS/RedHat 6 | Install python-cryptography module - pip: name=cryptography state=present - register: wazuh_manager_cryptography_package_installed - until: wazuh_manager_cryptography_package_installed is succeeded - environment: - PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}" - LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib" - when: - - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - - wazuh_manager_config.cluster.disable != 'yes' - -- name: RedHat/CentOS/Fedora | Install python-cryptography module - package: name=python-cryptography state=present - register: wazuh_manager_cryptography_package_installed - until: wazuh_manager_cryptography_package_installed is succeeded - when: - - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' ) - - wazuh_manager_config.cluster.disable != 'yes' - - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 yum: name=java-1.8.0-openjdk state=present when: @@ -168,4 +149,3 @@ - ansible_distribution_major_version|int < 6 tags: - init - From 584950532f658ca0d5d1dd5c1f83b1e61708ddc5 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 7 Apr 2020 11:41:00 +0200 Subject: [PATCH 12/76] Replacing Oracle Java with OpenJDK 1.8 --- .../ansible-wazuh-agent/tasks/RedHat.yml | 20 ++----------------- 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml index 8dbd24520..17d97c96b 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml 
@@ -27,30 +27,14 @@ - not wazuh_agent_sources_installation.enabled - not wazuh_custom_packages_installation_agent_enabled -- name: RedHat/CentOS/Fedora | download Oracle Java RPM - get_url: - url: https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm - dest: /tmp/jre-8-linux-x64.rpm - headers: 'Cookie:oraclelicense=accept-securebackup-cookie' - register: oracle_java_task_rpm_download - until: oracle_java_task_rpm_download is succeeded +- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 + yum: name=java-1.8.0-openjdk state=present when: - wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.install_java == 'yes' tags: - init -- name: RedHat/CentOS/Fedora | Install Oracle Java RPM - package: name=/tmp/jre-8-linux-x64.rpm state=present - register: wazuh_agent_java_package_install - until: wazuh_agent_java_package_install is succeeded - when: - - wazuh_agent_config.cis_cat.disable == 'no' - - wazuh_agent_config.cis_cat.install_java == 'yes' - - oracle_java_task_rpm_download is defined - tags: - - init - - name: Set Distribution CIS filename for RHEL5 set_fact: cis_distribution_filename: cis_rhel5_linux_rcl.txt From dbeb8b31fb18d802f23780df5f8070f946caddf9 Mon Sep 17 00:00:00 2001 
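Review bot: The replacement task is written as a `key=value` string (`yum: name=java-1.8.0-openjdk state=present`) in a file whose other tasks use block YAML, and it silently drops the `register`/`until … is succeeded` retry both Oracle tasks had, so a transient mirror failure now aborts the play. Write it as `yum:` with `name: java-1.8.0-openjdk` and `state: present` on their own lines and keep the retry. Moving to a distribution-signed OpenJDK package instead of a cookie-bypassed Oracle download is the right call.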
From: "Manuel J. Bernal" Date: Tue, 7 Apr 2020 18:54:12 +0200 Subject: [PATCH 13/76] First OpenDistro default installation --- playbooks/wazuh-opendistro.yml | 4 + .../defaults/main.yml | 19 +++ .../handlers/main.yml | 3 + .../opendistro-elasticsearch/meta/main.yml | 24 ++++ .../tasks/RMRedHat.yml | 6 + .../opendistro-elasticsearch/tasks/RedHat.yml | 36 ++++++ .../opendistro-elasticsearch/tasks/main.yml | 58 +++++++++ .../templates/jvm.options.j2 | 117 ++++++++++++++++++ 8 files changed, 267 insertions(+) create mode 100644 playbooks/wazuh-opendistro.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/defaults/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/handlers/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/meta/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml new file mode 100644 index 000000000..d146ee3c2 --- /dev/null +++ b/playbooks/wazuh-opendistro.yml @@ -0,0 +1,4 @@ +--- +- hosts: 172.16.0.161 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml new file mode 100644 index 000000000..f6dd905b4 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -0,0 +1,19 @@ +--- +# The OpenDistro version +opendistro_version: 1.6.0 + +# The OpenDistro package repository +package_repos: + yum: + opendistro: + baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' + gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' + elasticsearch_oss: + baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + +# Security password +opendistro_security_password: admin + +# Set JVM memory limits +elasticsearch_jvm_xms: null \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml new file mode 100644 index 000000000..a4c1162a1 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart elasticsearch + service: name=elasticsearch state=restarted diff --git a/roles/opendistro/opendistro-elasticsearch/meta/main.yml b/roles/opendistro/opendistro-elasticsearch/meta/main.yml new file mode 100644 index 000000000..e09933c7e --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/meta/main.yml @@ -0,0 +1,24 @@ +--- +galaxy_info: + author: Wazuh + description: Installing and maintaining Opendistro server. + company: wazuh.com + license: license (GPLv3) + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: Fedora + versions: + - all + galaxy_tags: + - web + - system + - monitoring diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml new file mode 100644 index 000000000..469893611 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml 
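Review bot: `opendistro_security_password: admin` makes the security plugin's well-known demo password the role default, and `tasks/main.yml` in this commit uses it (with `user: "admin"`) for the cluster-health call, so an unmodified run leaves admin/admin listening on port 9200. Default it to `null` and have the role fail early with an `assert` that `opendistro_security_password is not none`, or at minimum comment `# must be overridden, e.g. from ansible-vault; the plugin's demo users are public knowledge`. Changing the default here does not by itself change the password the plugin installs; that needs an internal_users/securityadmin step this commit does not include. The file also lacks a trailing newline after `elasticsearch_jvm_xms: null`.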
@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
+ yum_repository:
+ name: elastic_repo_7
+ state: absent
+ changed_when: false
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
new file mode 100644
index 000000000..c212b007a
--- /dev/null
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
@@ -0,0 +1,36 @@
+---
+
+- name: RedHat/CentOS/Fedora | Add OpenDistro repo
+ yum_repository:
+ file: opendistro
+ name: opendistro_repo
+ description: Opendistro yum repository
+ baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
+ gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
+ gpgcheck: true
+ changed_when: false
+
+- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
+ yum_repository:
+ file: opendistro
+ name: elasticsearch_oss_repo
+ description: Elasticsearch-oss yum repository
+ baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
+ gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
+ gpgcheck: true
+ changed_when: false
+
+- name: RedHat/CentOS/Fedora | Install OpenJDK 11
+ yum: name=java-11-openjdk-devel state=present
+
+- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
+ yum:
+ name: "{{ packages }}"
+ vars:
+ packages:
+ - wget
+ - unzip
+
+- name: RedHat/CentOS/Fedora | Install OpenDistro
+ package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present
+ tags: install
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
new file mode 100644
index 000000000..b58afe7a4
--- /dev/null
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml
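Review bot: `changed_when: false` on the two `yum_repository` tasks (and on the repository removal in `RMRedHat.yml`) hides real changes to the host's repo configuration from play output and from anything that would react to them; the module is idempotent on its own, so the override only suppresses state and should be removed from all three tasks. `gpgcheck: true` with the vendor keys is correct and should stay. The two `key=value` tasks (`yum: name=java-11-openjdk-devel …` and `package: name=opendistroforelasticsearch-… `) should be block YAML like the rest of the file, with the version pin carried in a quoted `name:` value.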
@@ -0,0 +1,58 @@ +--- +- import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- import_tasks: Debian.yml + when: ansible_os_family == "Debian" + +- name: Configure OpenDistro Elasticsearch JVM memmory. + template: + src: jvm.options.j2 + dest: /etc/elasticsearch/jvm.options + owner: root + group: elasticsearch + mode: 0660 + notify: restart elasticsearch + tags: configure + +# fix in new PR (ignore_errors) + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + +- name: Ensure Elasticsearch started and enabled + service: + name: elasticsearch + enabled: true + state: started + tags: + - configure + - init + +- name: Make sure Elasticsearch is running before proceeding + wait_for: host=localhost port=9200 delay=3 timeout=400 + tags: + - configure + - init + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- import_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" + +- name: Wait for Elasticsearch API + uri: + url: "https://localhost:9200/_cluster/health/" + user: "admin" # Default Elasticsearch user is always "elastic" + password: "{{ opendistro_security_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 new file mode 100644 index 000000000..c43ce4016 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 
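Review bot: `import_tasks: Debian.yml` and `import_tasks: "RMDebian.yml"` reference files this commit does not add (the diffstat lists only `RedHat.yml` and `RMRedHat.yml`), and because `import_tasks` is resolved when the play is parsed the `when:` guards do not help — the role fails to load even on RedHat hosts. Either add the Debian task files or switch to `include_tasks`, which is evaluated at runtime. `RMRedHat.yml` is also imported twice (before the service start and again after `wait_for`), and the comment `# Default Elasticsearch user is always "elastic"` contradicts the `user: "admin"` beside it; OpenDistro's built-in user is `admin`, so the comment should go. `validate_certs: no` is tolerable only because the target is `localhost`; say so in a comment so it is not copied onto a remote URL later.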
@@ -0,0 +1,117 @@ +#jinja2: trim_blocks:False +# {{ ansible_managed }} +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space +{% if elasticsearch_jvm_xms is not none %} +{% if elasticsearch_jvm_xms < 32000 %} +-Xms{{ elasticsearch_jvm_xms }}m +-Xmx{{ elasticsearch_jvm_xms }}m +{% else %} +-Xms32000m +-Xmx32000m +{% endif %} +{% else %} +-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +{% endif %} + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. 
Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +-XX:+UseConcMarkSweepGC +-XX:CMSInitiatingOccupancyFraction=75 +-XX:+UseCMSInitiatingOccupancyOnly + +## optimizations + +# pre-touch memory pages used by the JVM during initialization +-XX:+AlwaysPreTouch + +## basic + +# force the server VM +-server + +# explicitly set the stack size +-Xss1m + +# set to headless, just in case +-Djava.awt.headless=true + +# ensure UTF-8 encoding by default (e.g. filenames) +-Dfile.encoding=UTF-8 + +# use our provided JNA always versus the system one +-Djna.nosys=true + +# turn off a JDK optimization that throws away stack traces for common +# exceptions because stack traces are important for debugging +-XX:-OmitStackTraceInFastThrow + +# flags to configure Netty +-Dio.netty.noUnsafe=true +-Dio.netty.noKeySetOptimization=true +-Dio.netty.recycler.maxCapacityPerThread=0 + +# log4j 2 +-Dlog4j.shutdownHookEnabled=false +-Dlog4j2.disable.jmx=true + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps +# ensure the directory exists and has sufficient space +-XX:HeapDumpPath=/var/lib/elasticsearch + +## GC logging + +#-XX:+PrintGCDetails +#-XX:+PrintGCTimeStamps +#-XX:+PrintGCDateStamps +#-XX:+PrintClassHistogram +#-XX:+PrintTenuringDistribution +#-XX:+PrintGCApplicationStoppedTime + +# log GC status to a file with time stamps +# ensure the directory exists +#-Xloggc:${loggc} + +# By default, the GC log file will not rotate. +# By uncommenting the lines below, the GC log file +# will be rotated every 128MB at most 32 times. +#-XX:+UseGCLogFileRotation +#-XX:NumberOfGCLogFiles=32 +#-XX:GCLogFileSize=128M From 6e12764ff53d8ef8151644b5d9b4c95d39bf98f1 Mon Sep 17 00:00:00 2001 
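Review bot: The heap cap of `32000m` sits above the point at which the JVM abandons compressed ordinary object pointers (slightly under 32 GiB), so a host with 64 GB or more is handed a heap that addresses less than a 31 GB one would; cap at about `31000m`, which is also what Elasticsearch's heap guidance recommends. The template also fixes `-XX:+UseConcMarkSweepGC` while `RedHat.yml` in this commit installs `java-11-openjdk-devel`, on which CMS is deprecated and warns at every start (it is removed in JDK 14); Elasticsearch's shipped `jvm.options` selects the collector by JDK version, and overwriting the file wholesale discards that. The two identical "Xms represents…/Xmx represents…" comment pairs should be collapsed into one.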
From: Zenidd Date: Wed, 8 Apr 2020 14:06:53 +0200 Subject: [PATCH 14/76] Setting optimize --max-old-space-size default value to 2048mb --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 2ac2cde5a..43f413e67 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -50,4 +50,4 @@ build_from_sources: false wazuh_plugin_branch: 3.12-7.6 #Nodejs NODE_OPTIONS -node_options: --max-old-space-size=4096 +node_options: --max-old-space-size=2048 From 9fc2b1e3c493ecc33cf34a708b7b1362d989bb4c Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 17:38:44 +0200 Subject: [PATCH 15/76] Added opendistro tasks and templates --- .../defaults/main.yml | 69 ++++++++++- .../opendistro-elasticsearch/tasks/RedHat.yml | 115 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 21 +--- .../templates/elasticsearch.yml.j2 | 22 ++++ .../templates/tlsconfig.yml.j2 | 47 +++++++ 5 files changed, 257 insertions(+), 17 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f6dd905b4..f1bff651f 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -2,6 +2,19 @@ # The OpenDistro version opendistro_version: 1.6.0 +elasticsearch_cluster_name: wazuh-cluster + +# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +minimum_master_nodes: 2 + +# Elasticsearch version +es_version: "7.3.2" +es_major_version: "7.x" + +# Configure hostnames for Elasticsearch nodes +# Example es1.example.com, es2.example.com +domain_name: example.com + # The OpenDistro package repository package_repos: yum: 
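Review bot: `es_version: "7.3.2"` added here disagrees with `elastic_stack_version: 7.6.1` added in the next hunk of the same file, and `opendistro_version: 1.6.0` pins its own Elasticsearch build, so it is unclear which value later tasks should trust. If `es_version` is informational only, say so in its comment; otherwise derive one from the other, e.g. `es_version: "{{ elastic_stack_version }}"`. `minimum_master_nodes: 2` is also a hand-maintained number that nothing derives from `groups['es-cluster']`, so its comment should state that it must be raised when the cluster grows.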
@@ -12,8 +25,60 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' +populate_inventory_to_hosts_file: true + +es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin +es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools + +es_nodes: |- + {% for item in groups['es-cluster'] -%} + {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} + {%- endfor %} + # Security password opendistro_security_password: admin - # Set JVM memory limits -elasticsearch_jvm_xms: null \ No newline at end of file +opendistro_jvm_xms: null + +opendistro_http_port: 9200 +opendistro_network_host: 127.0.0.1 +opendistro_reachable_host: 127.0.0.1 +opendistro_jvm_xms: null +elastic_stack_version: 7.6.1 +opendistro_lower_disk_requirements: false + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# Cluster Settings +single_node: true +opendistro_cluster_name: wazuh +opendistro_node_name: node-1 +opendistro_bootstrap_node: false +opendistro_node_master: false +opendistro_cluster_nodes: + - 127.0.0.1 +opendistro_discovery_nodes: + - 127.0.0.1 +opendistro_node_data: true +opendistro_node_ingest: true + +# X-Pack Security +opendistro_xpack_security: false +opendistro_xpack_security_user: elastic +opendistro_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/elasticsearch/certs + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" 
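Review bot: `opendistro_jvm_xms: null` is added twice in this hunk (once under the "Set JVM memory limits" comment and again after `opendistro_reachable_host`), which yamllint's key-duplicates rule rejects and most loaders silently resolve by keeping the last value; drop one of them. The role also ships `opendistro_security_password: admin` and `opendistro_xpack_security_password: elastic_pass` as plain defaults, so a deployment that never overrides them runs with published credentials — a `null` default plus an `assert` task at play start would make that an early failure rather than a quiet one, in the same spirit as leaving `ca_password: ""` empty here. Finally, `es_nodes` splices a literal `","` between addresses to fake a list inside a quoted scalar; `{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list }}` hands consumers a real list instead.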
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index c212b007a..64b48b7ff 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -34,3 +34,118 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present tags: install + +## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer +## Using searchguard offline TLS tool to create node & root certificates +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: tlsconfig.yml + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" 
+ dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ conf_dir }}/elasticsearch.yml" + backup: yes + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file + command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + when: install.changed + +- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template + template: + src: internal_users.yml + dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Initialize the 
opendistro security index in elasticsearch + shell: > + sh {{ es_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ conf_dir }}/root-ca.pem + -cert {{ conf_dir }}/admin.pem + -key {{ conf_dir }}/admin.key + -cd {{ es_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index b58afe7a4..9f4c438cb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -11,7 +11,8 @@ dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch - mode: 0660 + mode: 0644 + force: yes notify: restart elasticsearch tags: configure @@ -20,6 +21,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" +- name: Copy Configuration File + template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + register: system_change + notify: restart elasticsearch - name: Ensure Elasticsearch started and enabled service: @@ -42,17 +47,3 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" -- name: Wait for Elasticsearch API - uri: - url: "https://localhost:9200/_cluster/health/" - user: "admin" # Default Elasticsearch user is always "elastic" - password: "{{ opendistro_security_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 new file mode 100644 index 000000000..6b025674a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
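Review bot: The "Copy the node & admin certificates" task ships `root-ca.key` to every node and installs it, together with the node and admin private keys, with `mode: 0644` under `/etc/elasticsearch/`, so the CA private key becomes world-readable on each cluster member; only `root-ca.pem` is needed there, and the `.key` items should be copied with `mode: 0600` and `owner: elasticsearch`. The `get_url` step fetches the tool that generates this CA without a `checksum:` argument, so a replaced or tampered archive would be unpacked and executed as-is. The two `sed` password tasks and `hash.sh -p {{ admin_password }}` put the clear-text passwords on the command line and into the Ansible output; add `no_log: true` to those tasks. `admin_password` and `kibanaserver_password` do not appear in the defaults added by this series, so presumably they are expected from the inventory — a comment saying so would help.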
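Review bot: The new "Copy Configuration File" task passes its arguments as a `key=value` string (`template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes`) while the jvm.options task in the hunk above uses block YAML; the same block form with `dest: "{{ conf_dir }}/elasticsearch.yml"` keeps the Jinja quoted and the file consistent. The template this series adds is `templates/elasticsearch.yml.j2` and the sibling jvm.options task names its source `jvm.options.j2`, so `src=elasticsearch.yml` presumably will not resolve — verify and use `src: elasticsearch.yml.j2`. `register: system_change` is not read in any visible hunk; if a later task depends on it, name it in a comment, otherwise drop it.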
@@ -0,0 +1,22 @@ +cluster.name: "{{ elasticsearch_cluster_name }}" + +node.name: "{{ inventory_hostname }}" + +path.data: /var/lib/elasticsearch + +path.logs: /var/log/elasticsearch + +network.host: "{{ hostvars[inventory_hostname]['ip'] }}" + +http.port: "{{ opendistro_http_port }}" + +discovery.seed_hosts: ["{{ es_nodes }}"] + +cluster.initial_master_nodes: ["{{ es_nodes }}"] + +discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" +opendistro_security.allow_default_init_securityindex: true +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 new file mode 100644 index 000000000..85792a6af --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 
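Review bot: `discovery.seed_hosts: ["{{ es_nodes }}"]` and `cluster.initial_master_nodes: ["{{ es_nodes }}"]` only produce a valid list because `es_nodes` in defaults/main.yml embeds `","` between addresses, so the list shape is split across two files; rendering `{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list | to_json }}` here keeps it in one place. `cluster.initial_master_nodes` is a bootstrap-only setting that Elasticsearch guidance says to remove once the cluster has formed, yet this template re-applies it on every run, and `discovery.zen.minimum_master_nodes` is a pre-7.x setting that 7.x ignores with a deprecation warning. `opendistro_security.allow_default_init_securityindex: true` seeds the security index from whatever sits in `securityconfig/` at first start, which is why the `internal_users.yml` password rewrites in RedHat.yml must succeed before the restart — worth a comment above that line.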
@@ -0,0 +1,47 @@ +ca: + root: + dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + keysize: 2048 + validityDays: 730 + pkPassword: none + file: root-ca.pem + +### Default values and global settings +defaults: + validityDays: 730 + pkPassword: none + # Set this to true in order to generate config and certificates for + # the HTTP interface of nodes + httpsEnabled: true + reuseTransportCertificatesForHttp: false + verifyHostnames: false + resolveHostnames: false + + +### +### Nodes +### +# +# Specify the nodes of your ES cluster here +# +nodes: +{% for item in groups['es-cluster'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} + +### +### Clients +### +# +# Specify the clients that shall access your ES cluster with certificate authentication here +# +# At least one client must be an admin user (i.e., a super-user). Admin users can +# be specified with the attribute admin: true +# +clients: + - name: admin + dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + admin: true From 6b3f04f32c829c5ddfd71ac21cc8b1aa193ad03f Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 19:56:44 +0200 Subject: [PATCH 16/76] Bump version --- CHANGELOG.md | 11 +++++++++++ VERSION | 2 +- .../ansible-elasticsearch/defaults/main.yml | 2 +- .../elastic-stack/ansible-kibana/defaults/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 8 ++++---- .../wazuh/ansible-wazuh-manager/defaults/main.yml | 14 +++++++------- 7 files changed, 27 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 520661eff..f6eb30c8a 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
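Review bot: `pkPassword: none` under both `ca.root` and `defaults` generates the CA key and every node key unencrypted, while the same commit adds `ca_password` to defaults/main.yml and never uses it here; at minimum the CA key should be protected, e.g. `pkPassword: "{{ ca_password }}"` under `ca.root`. `verifyHostnames: false` and `resolveHostnames: false` presumably turn off hostname verification in the generated node config, which weakens node-to-node TLS even though each node's `dns:` and `ip:` are known from the inventory right in this template. `validityDays: 730` with no rotation task means the CA and node certificates silently expire in two years; a comment pointing at the regeneration procedure would help operators.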
@@ -1,6 +1,17 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.12.1_7.6.2] + +### Added + +- Update to Wazuh v3.12.1 + +### Fixed +- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404) +- Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401) +- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400) + ## [v3.12.0_7.6.1] ### Added diff --git a/VERSION b/VERSION index d6be89922..2856bf05c 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ WAZUH-ANSIBLE_VERSION="v4" -REVISION="31140" +REVISION="31210" diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index e04f95278..6f2528c36 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.6.1 +elastic_stack_version: 7.6.2 elasticsearch_lower_disk_requirements: false elasticrepo: diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 43f413e67..c45711aa6 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,8 +5,8 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.6.1 -wazuh_version: 3.12.0 +elastic_stack_version: 7.6.2 +wazuh_version: 3.12.1 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: 
diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 8f06aaf42..cc7de7bf4 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,5 +1,5 @@ --- -filebeat_version: 7.6.1 +filebeat_version: 7.6.2 filebeat_create_config: true diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 8041962f0..0111e76c2 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.12.0-1 +wazuh_agent_version: 3.12.1-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.12.0" + branch: "v3.12.1" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -64,8 +64,8 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: 91efaefae4e1977670eab0c768a22a93 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.0-1.msi -wazuh_winagent_package_name: wazuh-agent-3.12.0-1.msi +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.1-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.1-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index db4f8841e..f409a76c0 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml 
@@ -1,21 +1,21 @@ --- -wazuh_manager_version: 3.12.0-1 +wazuh_manager_version: 3.12.1-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present # Custom packages installation wazuh_custom_packages_installation_manager_enabled: false -wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-manager_3.12.0-0.3319fimreworksqlite_amd64.deb" -wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-manager-3.12.0-0.3319fimreworksqlite.x86_64.rpm" +wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" +wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" wazuh_custom_packages_installation_api_enabled: false -wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-api_3.12.0-0.3319fimreworksqlite_amd64.deb" -wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-api-3.12.0-0.3319fimreworksqlite.x86_64.rpm" +wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" +wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.12.0" + branch: "v3.12.1" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.12.0" + branch: "v3.12.1" update: "y" remove: "y" directory: null From b57623b9163329dac64c71c31fb6535162b8de78 Mon Sep 17 00:00:00 2001 
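Review bot: `wazuh_custom_packages_installation_manager_deb_url` and its three siblings are changed to the bare bucket root `https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/`, which is not a package and would fail as soon as `wazuh_custom_packages_installation_manager_enabled` or `_api_enabled` is set to true. The agent defaults in the same commit leave the equivalent key as `wazuh_custom_packages_installation_agent_rpm_url: ""`, so `""` here would be consistent and make a missing override fail with a clear message. A development bucket is also an odd default to leave in a role used for production installs.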
From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 19:59:52 +0200 Subject: [PATCH 17/76] Bump MD5 hash --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 0111e76c2..20aaa0156 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -63,7 +63,7 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: 91efaefae4e1977670eab0c768a22a93 + md5: dbbb412cc3eccdccde27a68628cb2042 wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.1-1.msi wazuh_winagent_package_name: wazuh-agent-3.12.1-1.msi wazuh_agent_config: From 0c328081e712bd281ed464f33d9c1af3d9fd94bd Mon Sep 17 00:00:00 2001 From: Zenidd Date: Mon, 13 Apr 2020 10:35:12 +0200 Subject: [PATCH 18/76] Bump version to 3.12.2-7.6.2 --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 10 +++++----- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 6 +++--- 5 files changed, 16 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6eb30c8a..87fbdd09b 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.12.2_7.6.2] + +### Added + +- Update to Wazuh v3.12.2 + ## [v3.12.1_7.6.2] ### Added diff --git a/VERSION b/VERSION index 2856bf05c..22dfe1fb3 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ WAZUH-ANSIBLE_VERSION="v4" -REVISION="31210" +REVISION="31220" diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index c45711aa6..d33056123 100644 
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.6.2 -wazuh_version: 3.12.1 +wazuh_version: 3.12.2 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 20aaa0156..632c61734 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.12.1-1 +wazuh_agent_version: 3.12.2-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.12.1" + branch: "v3.12.2" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -63,9 +63,9 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: dbbb412cc3eccdccde27a68628cb2042 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.1-1.msi -wazuh_winagent_package_name: wazuh-agent-3.12.1-1.msi + md5: dc64c8bee53df0430e9e03e578ba334d +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.2-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.2-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index f409a76c0..ae936e066 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml 
@@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.12.1-1 +wazuh_manager_version: 3.12.2-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.12.1" + branch: "v3.12.2" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.12.1" + branch: "v3.12.2" update: "y" remove: "y" directory: null From ae52e6fa1f181c860bdb96a32dd2c9964cb240c5 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Mon, 13 Apr 2020 11:05:12 +0200 Subject: [PATCH 19/76] Removing v3.12.1 from changelog --- CHANGELOG.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87fbdd09b..7a102e149 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,12 +7,6 @@ All notable changes to this project will be documented in this file. - Update to Wazuh v3.12.2 -## [v3.12.1_7.6.2] - -### Added - -- Update to Wazuh v3.12.1 - ### Fixed - Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404) - Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401) From a8d24ff3f8300a406fc7ddf23a0762acf04ff37b Mon Sep 17 00:00:00 2001 From: Zenidd Date: Mon, 13 Apr 2020 13:46:11 +0200 Subject: [PATCH 20/76] Removing precise from default vuln-detector config --- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index ae936e066..972edec17 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml 
@@ -236,7 +236,6 @@ wazuh_manager_config: providers: - enabled: 'no' os: - - 'precise' - 'trusty' - 'xenial' - 'bionic' From d50f89b233bc04a8da680e717193beabf95e6506 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 14 Apr 2020 13:58:13 +0200 Subject: [PATCH 21/76] Update Kibana optimize fodler permissions and onwer --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 2129c0df4..c26741cab 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -166,11 +166,17 @@ path: /usr/share/kibana/optimize/wazuh/config/ state: directory recurse: yes + owner: kibana + group: kibana + mode: 0751 - name: Configure Wazuh Kibana Plugin template: src: wazuh.yml.j2 dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml + owner: kibana + group: kibana + mode: 0644 - name: Reload systemd configuration systemd: From ddde86e0a98b9c6caa4565aacc07cc4cb300c732 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 14 Apr 2020 16:02:34 +0200 Subject: [PATCH 22/76] Add changed_when:False and update permissions on Wazuh Plugin --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index c26741cab..c31f000ab 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -169,6 +169,7 @@ owner: kibana group: kibana mode: 0751 + changed_when: False - name: Configure Wazuh Kibana Plugin template: @@ -176,7 +177,8 @@ dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml owner: kibana group: kibana - mode: 0644 + mode: 0751 + changed_when: False - name: Reload systemd configuration systemd: 
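Review bot: The second hunk of patch 22 (`@@ -176,7 +177,8 @@`) changes `mode: 0644` to `mode: 0751` on `/usr/share/kibana/optimize/wazuh/config/wazuh.yml`, a rendered config file that presumably carries the plugin's Wazuh API credentials; an execute bit on a YAML file is meaningless and the world-read bit keeps it exposed, so `mode: 0640` with the existing `owner: kibana` and `group: kibana` is the safer form, while `0751` is fine for the directory set in patch 21. `changed_when: False` on the `template` task hides real content changes from the play summary and from anything that would notify a restart; if the goal is only to silence the recursive `file` task in the first hunk, keep it there alone.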
From c6354e2ddc97271bfe9861eec760c33490c6077e Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 20 Apr 2020 16:36:04 +0200 Subject: [PATCH 23/76] Update Kibana optimize task parameters and command --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 +- wazuh-qa | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) create mode 160000 wazuh-qa diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index d33056123..00c743814 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -50,4 +50,4 @@ build_from_sources: false wazuh_plugin_branch: 3.12-7.6 #Nodejs NODE_OPTIONS -node_options: --max-old-space-size=2048 +node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index c31f000ab..220230c8c 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -136,7 +136,7 @@ - not build_from_sources - name: Kibana optimization (can take a while) - shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize + shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize args: executable: /bin/bash become: yes diff --git a/wazuh-qa b/wazuh-qa new file mode 160000 index 000000000..a20574168 --- /dev/null +++ b/wazuh-qa @@ -0,0 +1 @@ +Subproject commit a20574168fedf0c3a69116866fc0d1a61062c21c From 7bed850905a8c89caa6c90615c6f77693b6b33b9 Mon Sep 17 00:00:00 2001 
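Review bot: The rewritten `shell:` line (`/usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize`) interpolates `node_options` unquoted into a bash command that runs with `become: yes`, so whatever an inventory puts in that variable is executed as root verbatim; since the flags are a fixed list, `command:` with `argv:` (node, the options, the cli path, `--optimize`) avoids the shell entirely, or at least a comment above the task should state that `node_options` is trusted configuration. Bypassing `/usr/share/kibana/bin/kibana` also drops whatever environment that wrapper sets, which deserves a sentence in the task name or a comment. The `wazuh-qa` submodule added in the last file section looks unrelated to the commit subject and may be an accidental addition.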
From: "Manuel J. Bernal" Date: Fri, 24 Apr 2020 18:07:37 +0200 Subject: [PATCH 24/76] Changes tasks --- playbooks/wazuh-opendistro.yml | 2 +- .../opendistro-elasticsearch/defaults/main.yml | 2 +- .../opendistro-elasticsearch/tasks/RedHat.yml | 12 +++--------- .../opendistro-elasticsearch/tasks/main.yml | 9 +-------- 4 files changed, 6 insertions(+), 19 deletions(-) diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index d146ee3c2..ede8ca933 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -1,4 +1,4 @@ --- -- hosts: 172.16.0.161 +- hosts: es-cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f1bff651f..8c791a040 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -13,7 +13,7 @@ es_major_version: "7.x" # Configure hostnames for Elasticsearch nodes # Example es1.example.com, es2.example.com -domain_name: example.com +domain_name: wazuh.com # The OpenDistro package repository package_repos: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 64b48b7ff..642e7f416 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -43,20 +43,17 @@ path: /tmp/opendistro-nodecerts state: directory run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Download certificates generation tool local_action: module: get_url url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: true - when: install.changed + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: @@ -64,21 +61,18 @@ dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh mode: a+x run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: tlsconfig.yml + src: ../templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 9f4c438cb..f8727637b 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
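Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` in the "Download certificates generation tool" task is a bad edit: `run_once` takes a boolean and the value is a copy of the `dest:` line above it, so restore `run_once: true`. Dropping `when: install.changed` from all six local certificate tasks (this hunk and `@@ -64,21 +61,18 @@`) means a fresh CA and node certificates are regenerated on every run, overwriting `root-ca.pem` and the `*.key` files already deployed to the cluster and invalidating the security index setup; keep the condition or guard the generation task with `args: creates: /tmp/opendistro-nodecerts/config/root-ca.pem`. The `get_url` task still has no `checksum:`, so the archive that produces the CA is not verified before `unzip` and execution.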
@@ -2,9 +2,6 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: Debian.yml - when: ansible_os_family == "Debian" - - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: jvm.options.j2 @@ -42,8 +39,4 @@ - init - import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" - + when: ansible_os_family == "RedHat" \ No newline at end of file From b91ea1c6aa05e27bede9c6afbdd912aeccd61fd7 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 14:00:49 +0200 Subject: [PATCH 25/76] Fixed register install --- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 642e7f416..9558094a2 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -33,7 +33,7 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - tags: install + register: install ## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer ## Using searchguard offline TLS tool to create node & root certificates @@ -65,7 +65,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: ../templates/tlsconfig.yml + src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true From a543fc7ed1905295d2870e21ae4c58a5315f3f0b Mon Sep 17 00:00:00 2001 
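Review bot: In patch 25's first hunk `tags: install` is replaced rather than supplemented by `register: install`; the two keys are independent, so keeping both (`tags: install` on its own line next to `register: install`) preserves the ability to run only the install step while still making `install.changed` available to the tasks that test it. The second hunk's `src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml` is a path relative to the repository root, which the template module presumably does not resolve from inside the role; patch 27 rewrites it to `templates/tlsconfig.yml.j2`, so this form only works if the play happens to run from that directory.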
From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 14:31:06 +0200 Subject: [PATCH 26/76] Added condition disabled in AWS S3 block --- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +- .../templates/var-ossec-etc-ossec-server.conf.j2 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index ebb9b92f7..bc97c5419 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -366,7 +366,7 @@ wazuh_manager_config: api_key: '' alert_level: 12 monitor_aws: - disable: 'no' + disabled: 'yes' interval: '10m' run_on_start: 'yes' skip_on_error: 'yes' diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 30da0c50e..e7ca872ef 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -570,10 +570,10 @@ {% endfor %} {% endif %} -{% if monitor_aws is defined %} +{% if monitor_aws is defined and monitor_aws.disabled == "no" %} - {{ monitor_aws.disable }} + {{ monitor_aws.disabled }} {{ monitor_aws.interval }} {{ monitor_aws.run_on_start }} {{ monitor_aws.skip_on_error }} From 53ad5c62ccb9b09f80f7c0b1743610346a5fc93d Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 15:26:13 +0200 Subject: [PATCH 27/76] Fixed unzip task and added templates --- .../opendistro-elasticsearch/tasks/RedHat.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 9558094a2..dca70b8dd 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
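Review bot: The template hunk tests `monitor_aws is defined and monitor_aws.disabled == "no"`, but the defaults hunk places the key under `wazuh_manager_config:` (its hunk header shows the enclosing map), and the same template addresses other sections as `wazuh_manager_config.syscheck.*`; unless a top-level `monitor_aws` is defined elsewhere, the bare lookup never matches and the block is silently skipped even when an operator sets `disabled: 'no'`. Referencing the same path the defaults define, `{% if wazuh_manager_config.monitor_aws is defined and wazuh_manager_config.monitor_aws.disabled == "no" %}`, keeps template and defaults in step. Renaming `disable` to `disabled` also means an inventory that still sets the old key hits an undefined-attribute error at render time rather than a clear message, which is worth a CHANGELOG line. The enclosing configuration section starts and ends outside the hunk.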
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -52,8 +52,10 @@ run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip - run_once: true + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + dest: /tmp/opendistro-nodecerts/ - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: @@ -65,7 +67,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml + src: "templates/tlsconfig.yml.j2" dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true @@ -112,7 +114,7 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: - src: internal_users.yml + src: "templates/internal_users.yml.j2" dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true From ae160cf6c33d50b0658e6071886988ee8cfbe9d8 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 15:54:29 +0200 Subject: [PATCH 28/76] Decoupled local actions and updated SearchGuard certificate generator binary --- .../tasks/LocalActions.yml | 40 +++++++++++++++++++ .../opendistro-elasticsearch/tasks/RedHat.yml | 40 ------------------- .../opendistro-elasticsearch/tasks/main.yml | 11 ++++- 3 files changed, 49 insertions(+), 42 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml new file mode 100644 index 000000000..e33ce7e58 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
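Review bot: The rewritten `unarchive` task in the first hunk drops the `run_once: true` that the removed `local_action: command …` line carried, so in a multi-host play the controller extracts the same zip once per host; add `run_once: true` back under the `local_action`. The malformed `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` left by the previous patch is still visible on the context line above it and should become `run_once: true` in the same change.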
@@ -0,0 +1,40 @@
+---
+
+- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation
+ local_action:
+ module: file
+ path: /tmp/opendistro-nodecerts
+ state: directory
+ run_once: true
+
+- name: RedHat/CentOS/Fedora | Download certificates generation tool
+ local_action:
+ module: get_url
+ url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip
+ dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
+ run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip
+
+- name: RedHat/CentOS/Fedora | Extract the certificates generation tool
+ local_action:
+ module: unarchive
+ src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip
+ dest: /tmp/opendistro-nodecerts/
+
+- name: RedHat/CentOS/Fedora | Add the execution bit to the binary
+ local_action:
+ module: file
+ dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh
+ mode: a+x
+ run_once: true
+
+- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file
+ local_action:
+ module: template
+ src: "templates/tlsconfig.yml.j2"
+ dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml
+ run_once: true
+
+- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local
+ local_action:
+ module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f
+ run_once: true
\ No newline at end of file
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
index dca70b8dd..d396960b5 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
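Review bot: The directory that will hold the root CA key and every node key is created with `module: file` and no `mode`, under the shared `/tmp` of the controller; give it `mode: "0700"` so other local users cannot read `root-ca.key`, and consider a persistent location, since `/tmp` is cleared on reboot and a later run would then mint a fresh CA that already-provisioned nodes do not trust. The download task still carries the broken `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip`, now naming a file that no longer matches the `-1.7.zip` it downloads; `run_once: true` is what is meant. The `unarchive` task is the only one without `run_once: true`, so on a multi-node play it extracts once per host on the controller. Finally, the generation command passes `-f` unconditionally, which presumably forces regeneration on every play; a `stat`-based guard on the CA key (as patch 30 later adds) or a `creates:` argument on the command keeps the play idempotent.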
@@ -35,46 +35,6 @@ package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install -## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer -## Using searchguard offline TLS tool to create node & root certificates -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true - -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - dest: /tmp/opendistro-nodecerts/ - -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true - -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true - -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ - run_once: true - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index f8727637b..728f49702 100644 
--- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,10 +1,12 @@ --- +- import_tasks: LocalActions.yml + - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' - name: Configure OpenDistro Elasticsearch JVM memmory. template: - src: jvm.options.j2 + src: "templates/jvm.options.j2" dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch @@ -19,7 +21,12 @@ when: ansible_os_family == "RedHat" - name: Copy Configuration File - template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + template: + src: "templates/elasticsearch.ym.j2" + dest: "{{conf_dir}}/elasticsearch.yml" + group: elasticsearch + mode: 0644 + backup: yes register: system_change notify: restart elasticsearch From 7e47b561e0b1f235b54230b47d11c35409250737 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 16:51:49 +0200 Subject: [PATCH 29/76] Added internal_users template --- .../templates/internal_users.yml.j2 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 new file mode 100644 index 000000000..7bb089f32 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -0,0 +1,21 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +admin: + hash: "{{ admin_password }}" + reserved: true + backend_roles: + - "admin" + description: "admin user" + +kibanaserver: + hash: "{{ kibanaserver_password }}" + reserved: true + description: "kibanaserver user" 
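Review bot: The new `src: "templates/elasticsearch.ym.j2"` in the second hunk misspells the template name (the file header in patch 31 shows it is `elasticsearch.yml.j2`), so the Copy Configuration File task cannot find its source as committed; change it to `src: "templates/elasticsearch.yml.j2"`. The `import_tasks: LocalActions.yml` added at the top has no `when:`, which is consistent with it running on the controller regardless of OS family, but a one-line comment such as `# controller-side certificate generation; must run before the OS-specific install below` would make the ordering dependency on RedHat.yml explicit.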
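Review bot: `hash: "{{ admin_password }}"` and `hash: "{{ kibanaserver_password }}"` render the cleartext passwords into the `hash` field of the internal user database, relying on the later `sed`/`hash.sh` rewrite in RedHat.yml to replace them in place; if that step is skipped or the substring does not match, the security plugin is initialised with a file that holds the password in the clear, and the cleartext sits on disk for the interval in between either way. Rendering the bcrypt hash at template time closes that window, e.g. `hash: "{{ admin_password | password_hash('bcrypt') }}"` (requires passlib on the controller), and makes the `sed` tasks unnecessary. The header comment that says the hash "can be generated with plugin/tools/hash.sh" should then state that the role supplies the bcrypt hash itself, whichever approach is kept.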
From 34920f5fe560fcc479581efcfb2e4c88df744960 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 17:27:34 +0200 Subject: [PATCH 30/76] Added task to check if root ca already exist --- .../opendistro-elasticsearch/tasks/LocalActions.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index e33ce7e58..432a44238 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -34,7 +34,14 @@ dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true +- name: RedHat/CentOS/Fedora | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file + - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f - run_once: true \ No newline at end of file + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False \ No newline at end of file From 7269b15041d6417cfc5d7a2a221bbd4d421d7cf0 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 18:01:11 +0200 Subject: [PATCH 31/76] Modified several variables --- .../defaults/main.yml | 31 +++---------------- .../opendistro-elasticsearch/tasks/RedHat.yml | 24 +++++++------- .../opendistro-elasticsearch/tasks/main.yml | 4 +-- .../templates/elasticsearch.yml.j2 | 2 +- .../templates/jvm.options.j2 | 8 ++--- 5 files changed, 23 insertions(+), 46 deletions(-) 
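Review bot: `when: root_ca_file.stat.exists == False` compares against a Python literal where a plain negation is the idiomatic form; `when: not root_ca_file.stat.exists` reads better and avoids the truthiness surprises of `== False` with Jinja-rendered values. The guard itself is the right idea, but it keys the decision to a file under the controller's `/tmp`: once that directory is cleaned, the `-f -o` command regenerates a root CA that nodes provisioned earlier no longer trust, so the generated material should live somewhere persistent and permission-restricted. The new `stat` task also lacks the `run_once: true` the surrounding tasks carry, which is harmless but inconsistent.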
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 8c791a040..bca544e6a 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,7 +1,6 @@ --- # The OpenDistro version opendistro_version: 1.6.0 - elasticsearch_cluster_name: wazuh-cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster @@ -25,12 +24,9 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' -populate_inventory_to_hosts_file: true - -es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin -es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools - +opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools +opendistro_conf_path: /etc/elasticsearch/ es_nodes: |- {% for item in groups['es-cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} @@ -42,11 +38,6 @@ opendistro_security_password: admin opendistro_jvm_xms: null opendistro_http_port: 9200 -opendistro_network_host: 127.0.0.1 -opendistro_reachable_host: 127.0.0.1 -opendistro_jvm_xms: null -elastic_stack_version: 7.6.1 -opendistro_lower_disk_requirements: false elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' @@ -54,6 +45,7 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' +opendistro_admin_password: Test@123 # Cluster Settings single_node: true opendistro_cluster_name: wazuh 
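Review bot: `opendistro_admin_password: Test@123` ships a fixed, guessable administrator credential as a role default, next to the already-present `opendistro_security_password: admin`; anyone who runs the role without overriding it exposes the cluster's security plugin behind a password that is public in this repository. Defaults for secrets should be unset (`opendistro_admin_password: null`) with an early `assert:` or `fail:` task when the value is missing, and the role README should mark the variable as mandatory. Removing the duplicated `opendistro_jvm_xms: null` in the third hunk is correct, since most YAML parsers silently keep the last duplicate key.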
@@ -67,18 +59,3 @@ opendistro_discovery_nodes: opendistro_node_data: true opendistro_node_ingest: true -# X-Pack Security -opendistro_xpack_security: false -opendistro_xpack_security_user: elastic -opendistro_xpack_security_password: elastic_pass - -node_certs_generator: false -node_certs_source: /usr/share/elasticsearch -node_certs_destination: /etc/elasticsearch/certs - -# CA generation -master_certs_path: /es_certs -generate_CA: true -ca_key_name: "" -ca_cert_name: "" -ca_password: "" diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index d396960b5..b2170af10 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -56,14 +56,14 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ conf_dir }}/elasticsearch.yml" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" backup: yes insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" when: install.changed - name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml when: install.changed - name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration 
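Review bot: The new `dest: "{{ opendistro_conf_path }}/elasticsearch.yml"` and the `sed -i … {{ opendistro_conf_path }}/elasticsearch.yml` command join a default that already ends in a slash (`opendistro_conf_path: /etc/elasticsearch/` in the defaults hunk of this patch), yielding `/etc/elasticsearch//elasticsearch.yml`; the kernel tolerates it, but it shows up in backups, logs and any string comparison of paths. Drop the trailing slash from the default (`opendistro_conf_path: /etc/elasticsearch`), which also fixes the same join in the securityadmin task and the main.yml hunk of this patch.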
@@ -75,32 +75,32 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: src: "templates/internal_users.yml.j2" - dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch shell: > - sh {{ es_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ conf_dir }}/root-ca.pem - -cert {{ conf_dir }}/admin.pem - -key {{ conf_dir }}/admin.key - -cd {{ es_sec_plugin_conf_path }}/ + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true 
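Review bot: The two `sed -i 's,{{ admin_password }},'$(sh … hash.sh -p {{ admin_password }} | tail -1)','` tasks splice the passwords unquoted into a shell line, so a value containing `,`, `'` or shell metacharacters breaks the command or is interpreted by the shell, and the cleartext appears in the node's process list and in the play output. At minimum add `no_log: true` to both tasks so the passwords are not echoed; better, hash them on the controller when rendering the internal_users template (`password_hash('bcrypt')`) and delete these tasks altogether. The rename to `opendistro_sec_plugin_*` is otherwise consistent with the defaults hunk.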
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 728f49702..bdfb6be8c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -22,8 +22,8 @@ - name: Copy Configuration File template: - src: "templates/elasticsearch.ym.j2" - dest: "{{conf_dir}}/elasticsearch.yml" + src: "templates/elasticsearch.yml.j2" + dest: "{{opendistro_conf_path}}/elasticsearch.yml" group: elasticsearch mode: 0644 backup: yes diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 6b025674a..58a8ece29 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,4 +1,4 @@ -cluster.name: "{{ elasticsearch_cluster_name }}" +cluster.name: "{{ opendistro_cluster_name }}" node.name: "{{ inventory_hostname }}" diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 index c43ce4016..de69125c2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 @@ -23,10 +23,10 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space -{% if elasticsearch_jvm_xms is not none %} -{% if elasticsearch_jvm_xms < 32000 %} --Xms{{ elasticsearch_jvm_xms }}m --Xmx{{ elasticsearch_jvm_xms }}m +{% if opendistro_jvm_xms is not none %} +{% if opendistro_jvm_xms < 32000 %} +-Xms{{ opendistro_jvm_xms }}m +-Xmx{{ opendistro_jvm_xms }}m {% else %} -Xms32000m -Xmx32000m From 883ef93af72ff75f718e079800df3c3f8f995573 Mon Sep 17 00:00:00 2001 
From: Jose M Date: Thu, 30 Apr 2020 12:22:59 +0200 Subject: [PATCH 32/76] Bump version to 3.12.3_7.6.2 --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 8 ++++---- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 00c743814..d1ddb8e17 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.6.2 -wazuh_version: 3.12.2 +wazuh_version: 3.12.3 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 632c61734..fac17bbb0 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.12.2-1 +wazuh_agent_version: 3.12.3-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.12.2" + branch: "v3.12.3" user_language: "y" user_no_stop: "y" user_install_type: "agent" 
@@ -64,8 +64,8 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: dc64c8bee53df0430e9e03e578ba334d -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.2-1.msi -wazuh_winagent_package_name: wazuh-agent-3.12.2-1.msi +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index bc97c5419..b4bc040d5 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.12.2-1 +wazuh_manager_version: 3.12.3-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.12.2" + branch: "v3.12.3" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.12.2" + branch: "v3.12.3" update: "y" remove: "y" directory: null From 6b36e63f1c3b5c7d94b2592686be32ff8dc114fb Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 30 Apr 2020 12:23:09 +0200 Subject: [PATCH 33/76] Update CHANGELOG.md --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a102e149..c9b8803d7 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
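Review bot: The Windows URL and package name move to `wazuh-agent-3.12.3-1.msi`, but the `md5:` context line above them keeps the digest of the 3.12.2 installer, so with `check_md5: True` this commit would reject the package it downloads; patch 34 corrects the digest separately, and the two belong in one change. MD5 is also a weak integrity check for an installer; if the download path can verify a SHA-256, prefer it.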
@@ -1,6 +1,19 @@ # Change Log All notable changes to this project will be documented in this file. + +## [v3.12.3_7.6.2] + +### Added + +- Update to Wazuh v3.12.2 +- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413) + +### Changed + +- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412) +- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410) + ## [v3.12.2_7.6.2] ### Added From e354359e38179228c992bac695b1e03919d03fb0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 30 Apr 2020 12:25:55 +0200 Subject: [PATCH 34/76] Update Agent Windows MD5 --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index fac17bbb0..1baf8bdb0 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -63,7 +63,7 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: dc64c8bee53df0430e9e03e578ba334d + md5: 4ae4e930d3ae9d572b07cd9e7207d783 wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi wazuh_agent_config: From 12090632a78621730b976e4b770f64fd7ad84459 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 30 Apr 2020 17:01:24 +0200 Subject: [PATCH 35/76] Delete "alert_new_files" occurrences --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 - .../templates/var-ossec-etc-ossec-agent.conf.j2 | 1 - roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 3 --- 3 files changed, 5 deletions(-) 
diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 1baf8bdb0..dac051a47 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -86,7 +86,6 @@ wazuh_agent_config: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' - alert_new_files: 'yes' win_audit_interval: 60 skip_nfs: 'yes' skip_dev: 'yes' diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index ee71769e5..2ee7f97d7 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -201,7 +201,6 @@ {% if wazuh_agent_config.syscheck is defined %} no - {{ wazuh_agent_config.syscheck.frequency }} {% if ansible_system == "Linux" %} {{ wazuh_agent_config.syscheck.scan_on_start }} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index b4bc040d5..a046addf6 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -152,7 +152,6 @@ wazuh_manager_config: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' - alert_new_files: 'yes' ignore: - /etc/mtab - /etc/hosts.deny @@ -389,7 +388,6 @@ wazuh_manager_config: # syscheck: # frequency: 43200 # scan_on_start: 'yes' - # alert_new_files: 'yes' # ignore: # - /etc/mtab # - /etc/mnttab @@ -420,7 +418,6 @@ wazuh_manager_config: # frequency: 43200 # scan_on_start: 'yes' # auto_ignore: 'no' - # alert_new_files: 'yes' # windows_registry: # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' # arch: 'both' From c99d554e2f2fd0dd3ecfb8d55156e120ef56379e Mon Sep 17 00:00:00 2001 
From: Jose M Date: Thu, 30 Apr 2020 17:57:01 +0200 Subject: [PATCH 36/76] Delete alert_new_files references in jinja templates --- .../templates/var-ossec-etc-ossec-server.conf.j2 | 1 - .../templates/var-ossec-etc-shared-agent.conf.j2 | 1 - 2 files changed, 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index e7ca872ef..535650079 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -294,7 +294,6 @@ {{ wazuh_manager_config.syscheck.disable }} - {{ wazuh_manager_config.syscheck.alert_new_files }} {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index f300f22ae..78893385b 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -7,7 +7,6 @@ {% if agent_config.syscheck.auto_ignore is defined %} {{ agent_config.syscheck.auto_ignore }} {% endif %} - {{ agent_config.syscheck.alert_new_files }} {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }} From 100ea616edd1786510c6d4af0e9af9d1a2cc1ce9 Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 1 May 2020 20:08:50 +0200 Subject: [PATCH 37/76] Remove alert_new_files from ossec.conf template --- .../templates/var-ossec-etc-ossec-server.conf.j2 | 1 - .../templates/var-ossec-etc-shared-agent.conf.j2 | 1 - 2 files changed, 2 deletions(-) 
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index e7ca872ef..535650079 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -294,7 +294,6 @@ {{ wazuh_manager_config.syscheck.disable }} - {{ wazuh_manager_config.syscheck.alert_new_files }} {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index f300f22ae..78893385b 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -7,7 +7,6 @@ {% if agent_config.syscheck.auto_ignore is defined %} {{ agent_config.syscheck.auto_ignore }} {% endif %} - {{ agent_config.syscheck.alert_new_files }} {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }} From d19c8e70e14bef35815e1188a415e25438d25e52 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 6 May 2020 15:17:01 +0200 Subject: [PATCH 38/76] Delete wazuh-qa --- wazuh-qa | 1 - 1 file changed, 1 deletion(-) delete mode 160000 wazuh-qa diff --git a/wazuh-qa b/wazuh-qa deleted file mode 160000 index a20574168..000000000 --- a/wazuh-qa +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a20574168fedf0c3a69116866fc0d1a61062c21c From e899b1c6020efd1d87291e1294ced56f9ca34cf4 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Wed, 6 May 2020 17:33:53 +0200 Subject: [PATCH 39/76] WIP: Testing first secured cluster deployment --- .../opendistro-elasticsearch/tasks/RedHat.yml | 75 ----------- .../opendistro-elasticsearch/tasks/main.yml | 125 +++++++++++++++--- 2 files changed, 107 insertions(+), 93 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b2170af10..b33181935 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -30,78 +30,3 @@ packages: - wget - unzip - -- name: RedHat/CentOS/Fedora | Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - register: install - - -- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - backup: yes - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml - when: install.changed - -- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the Admin user password - shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword - shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bdfb6be8c..bf7c6e065 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -4,6 +4,110 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' +- name: Install OpenDistro + package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + register: install + +- name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + +- name: Remove elasticsearch configuration file + file: + path: "{{opendistro_conf_path}}/elasticsearch.yml" + state: absent + when: install.changed + +- name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + create: true + group: elasticsearch + mode: 0640 + marker: "## {mark} Opendistro general settings ##" + when: install.changed + +- name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 
'opendistro_security' + tags: local + when: install.changed + +- name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: "templates/jvm.options.j2" 
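Review bot: The `Copy the node & admin certificates to Elasticsearch cluster` task pushes `root-ca.key` to every node and writes all private keys (`root-ca.key`, `{{ inventory_hostname }}.key`, `{{ inventory_hostname }}_http.key`, `admin.key`) into `/etc/elasticsearch/` with `mode: 0644`, so the CA signing key and each node's TLS keys are world-readable on every host. The CA key is not used by anything else in this hunk (`securityadmin.sh` only takes `root-ca.pem`) and presumably only belongs on the controller where the certificates are generated, so drop it from `with_items`, and copy the `.key` files in a separate `copy` task with `mode: 0600` and `owner: elasticsearch`. The `Set the Admin user password` and `Set the kibanaserver user pasword` tasks pass the plaintext password on the `hash.sh` command line and inside the `sed` expression, so it appears in the process list and in Ansible's task output; add `no_log: true` to both. Patch 43 moves these tasks unchanged into the new SecurityActions.yml (its `@@ -0,0 +1,88` hunk), so the same fixes apply there.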
@@ -13,22 +117,7 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: configure - -# fix in new PR (ignore_errors) - -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- name: Copy Configuration File - template: - src: "templates/elasticsearch.yml.j2" - dest: "{{opendistro_conf_path}}/elasticsearch.yml" - group: elasticsearch - mode: 0644 - backup: yes - register: system_change - notify: restart elasticsearch + tags: opendistro - name: Ensure Elasticsearch started and enabled service: @@ -36,13 +125,13 @@ enabled: true state: started tags: - - configure + - opendistro - init - name: Make sure Elasticsearch is running before proceeding wait_for: host=localhost port=9200 delay=3 timeout=400 tags: - - configure + - opendistro - init - import_tasks: "RMRedHat.yml" From 5fd4988a888e207dc25320019ef0b37d57e5e0f3 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:40:58 +0200 Subject: [PATCH 40/76] Fixed typo --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bf7c6e065..88ad87119 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -84,7 +84,7 @@ - name: Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed 
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index 7bb089f32..f39bbf509 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -9,7 +9,7 @@ _meta: # Define your internal users here admin: - hash: "{{ admin_password }}" + hash: "{{ opendistro_admin_password }}" reserved: true backend_roles: - "admin" From 77c30c3bf0e496138bb29024de8bf41765fc7adb Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:50:01 +0200 Subject: [PATCH 41/76] Added Kibana admin password --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index bca544e6a..b71b67de7 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -45,7 +45,8 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' -opendistro_admin_password: Test@123 +opendistro_admin_password: changeme +opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 88ad87119..7174a27f5 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
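Review bot: `opendistro_admin_password: changeme` and `opendistro_kibana_password: changeme` in defaults/main.yml ship working credentials for the cluster's `admin` and `kibanaserver` users, and nothing visible in this series refuses to run when they are left at the default. Because these values are hashed into internal_users.yml and loaded by `securityadmin.sh`, a deployment that forgets to override them ends up with a publicly known admin password. Defaulting both to `null` and adding an early `assert` task in tasks/main.yml (`that: opendistro_admin_password is not none`, likewise for the kibana password) makes the omission fail fast instead of silently; at minimum, a comment above the two keys should state that they must be overridden.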
@@ -91,7 +91,7 @@ - name: Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index f39bbf509..471a5c286 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -16,6 +16,6 @@ admin: description: "admin user" kibanaserver: - hash: "{{ kibanaserver_password }}" + hash: "{{ opendistro_kibana_password }}" reserved: true description: "kibanaserver user" From 0c04b22b0f8b49a36e6af4be2d7c6cec3ac1e864 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 19:12:43 +0200 Subject: [PATCH 42/76] Checking API status --- .../opendistro-elasticsearch/tasks/main.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7174a27f5..ea56183eb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -128,11 +128,20 @@ - opendistro - init -- name: Make sure Elasticsearch is running before proceeding - wait_for: host=localhost port=9200 delay=3 timeout=400 - tags: - - opendistro - - init +- name: Wait for Elasticsearch API + uri: + url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" \ No newline at end of file From e83c6f8d86cf1d34701bd16ab6bbd2a99bf0bd88 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 20:03:39 +0200 Subject: [PATCH 43/76] Refactor of production ready actions --- .../tasks/LocalActions.yml | 82 ++++++++-------- .../opendistro-elasticsearch/tasks/RedHat.yml | 58 ++++++------ .../tasks/SecurityActions.yml | 88 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 93 ++----------------- 4 files changed, 168 insertions(+), 153 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 432a44238..8ff56b649 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
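Review bot: The new `Wait for Elasticsearch API` task sends the admin password with `validate_certs: no`, so the credentials are offered to whatever answers on port 9200 without any check of its certificate; the role already installs `root-ca.pem` under `{{ opendistro_conf_path }}`, so `validate_certs: true` together with `ca_path: "{{ opendistro_conf_path }}/root-ca.pem"` verifies the node against the CA the role itself generated. `status_code: 200,401` accepts an unauthenticated response, but the `until` condition then needs `_result.json.status`, so a wrong password only burns the 24 retries (or errors on the missing key) instead of failing immediately; dropping `401` gives a clearer failure. `tags: debug` looks like a leftover from testing — a run limited with `--tags install` or `--tags opendistro` skips the wait entirely.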
@@ -1,47 +1,51 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true + - name: Local action | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + + - name: Local action | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + - name: Local action | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + - name: Local action | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true + - name: Local action | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: 
/tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true + - name: Local action | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file -- name: RedHat/CentOS/Fedora | Check if root CA file exists - local_action: - module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key - register: root_ca_file + - name: Local action | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False \ No newline at end of file + tags: + - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b33181935..684595448 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
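Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` on the `Download certificates generation tool` task is carried into the new block verbatim; a path is not a meaningful `run_once` value (as a non-empty string it is presumably truthy, so it may behave like `true`, but it reads as a copy-paste slip) and should be `run_once: true`. The same task downloads an executable archive that then generates every cluster certificate without a `checksum:`; `get_url` supports `checksum: "sha256:<expected-digest-placeholder>"`, which pins the tool to a known build. Patch 48 (the LocalActions.yml `@@ -4,27 +4,27` hunk) keeps the same `run_once` value, so the fix belongs there as well. The `when: root_ca_file.stat.exists == False` on the last task would read better, and satisfy ansible-lint, as `when: not root_ca_file.stat.exists`.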
@@ -1,32 +1,36 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Add OpenDistro repo - yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo - yum_repository: - file: opendistro - name: elasticsearch_oss_repo - description: Elasticsearch-oss yum repository - baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" - gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + - name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present -- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip + - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + tags: + - install \ No newline at end of file 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml new file mode 100644 index 000000000..c6323fdea --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
@@ -0,0 +1,88 @@ +- block: + + - name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + + - name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + + - name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + + - name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 'opendistro_security' + tags: local + when: install.changed + + - name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + + - name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + + - name: Set the Admin user password + shell: > + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' + {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + + tags: + - production_ready diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index ea56183eb..94f4ab918 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,4 +1,5 @@ --- + - import_tasks: LocalActions.yml - import_tasks: RedHat.yml 
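Review bot: The `Set the Admin user password` task relies on the plaintext password having first been rendered into the `hash:` field of `{{ opendistro_sec_plugin_conf_path }}/internal_users.yml` by the preceding template task, and then rewrites it with `sed -i 's,<password>,<hash>,'`; a password containing `,`, `&`, `\` or a newline breaks that substitution, and the plaintext value then stays on disk in the file that `securityadmin.sh` uploads. The same applies to the `Set the kibanaserver user pasword` task. Computing the hash first (a `command:` running `hash.sh -p` with `register:` and `no_log: true`, then handing `stdout_lines[-1]` to the template as the hash value) removes the sed round trip and never writes a plaintext password to disk. The new file also lacks the leading `---` the other task files in this role start with.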
@@ -7,40 +8,14 @@ - name: Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install - -- name: Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: Remove demo certs - file: - path: "{{ item }}" - state: absent - with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" - when: install.changed + tags: install - name: Remove elasticsearch configuration file file: path: "{{opendistro_conf_path}}/elasticsearch.yml" state: absent when: install.changed + tags: install - name: Copy Configuration File blockinfile: 
@@ -51,62 +26,9 @@ mode: 0640 marker: "## {mark} Opendistro general settings ##" when: install.changed + tags: install -- name: Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: Prepare the opendistro security configuration file - replace: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - regexp: 'searchguard' - replace: 'opendistro_security' - tags: local - when: install.changed - -- name: Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Set the kibanaserver user pasword - shell: > - sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ 
opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed +- import_tasks: SecurityActions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: @@ -117,16 +39,13 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: opendistro + tags: install - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started - tags: - - opendistro - - init - name: Wait for Elasticsearch API uri: From 3c6e08c7cf0ecf5890555cf6bde5fc07a0c24bfd Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 14:43:30 +0200 Subject: [PATCH 44/76] Modified task, from shell to command module --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index c6323fdea..765285aa7 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -73,8 +73,8 @@ when: install.changed - name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + command: > + {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem -cert {{ opendistro_conf_path }}/admin.pem -key {{ opendistro_conf_path }}/admin.key From d7be137e6e2f3791d0a18d968348c690897f995b Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:54:23 +0200 Subject: [PATCH 45/76] Ansible linting compliant variables --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 8 ++++---- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 765285aa7..390df69cb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -5,10 +5,10 @@ path: "{{ item }}" state: absent with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" + - "{{ opendistro_conf_path }}/kirk.pem" + - "{{ opendistro_conf_path }}/kirk-key.pem" + - "{{ opendistro_conf_path }}/esnode.pem" + - "{{ opendistro_conf_path }}/esnode-key.pem" when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 94f4ab918..6547b03a2 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -12,7 +12,7 @@ - name: Remove elasticsearch configuration file file: - path: "{{opendistro_conf_path}}/elasticsearch.yml" + path: "{{ opendistro_conf_path }}/elasticsearch.yml" state: absent when: install.changed tags: install From 8fd684927581a0bb7c969a3728fa7b7ce0d9f0ad Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:55:13 +0200 Subject: [PATCH 46/76] Tasks in YAML format --- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index a4c1162a1..c2836edcd 100644 
--- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: restart elasticsearch - service: name=elasticsearch state=restarted + service: name=elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 684595448..3511c7c4c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,7 +22,8 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + yum: name=java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 6547b03a2..fbc9dea67 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,7 +6,8 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + package: name=opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9152d07ac1b7780f96bff074b91d5822f0f0125e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:56:00 +0200 Subject: [PATCH 47/76] When statement at block level --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 390df69cb..8572d864a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
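Review bot: `service: name=elasticsearch` followed by `state: restarted` on the next line is not a valid conversion to YAML form: `state:` becomes a sibling of `service:` at task level, where Ansible rejects it as not a valid attribute for a Task or Handler, so the `restart elasticsearch` handler now fails to load. The module arguments have to move under the module key together: `service:` / `  name: elasticsearch` / `  state: restarted`. The RedHat.yml hunk (`yum: name=java-11-openjdk-devel` + `state: present`) and the tasks/main.yml hunk (`package: name=opendistroforelasticsearch-{{ opendistro_version }}` + `state: present`) in this same commit have the identical problem and need the same restructuring.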
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -9,7 +9,6 @@ - "{{ opendistro_conf_path }}/kirk-key.pem" - "{{ opendistro_conf_path }}/esnode.pem" - "{{ opendistro_conf_path }}/esnode-key.pem" - when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster copy: @@ -26,7 +25,6 @@ - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - admin.key - admin.pem - when: install.changed - name: Copy the opendistro security configuration file to cluster blockinfile: @@ -34,7 +32,6 @@ dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - name: Prepare the opendistro security configuration file replace: @@ -42,13 +39,11 @@ regexp: 'searchguard' replace: 'opendistro_security' tags: local - when: install.changed - name: Restart elasticsearch with security configuration systemd: name: elasticsearch state: restarted - when: install.changed - name: Copy the opendistro security internal users template template: @@ -56,21 +51,18 @@ dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true - when: install.changed - name: Set the Admin user password shell: > sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Set the kibanaserver user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Initialize the opendistro security index in elasticsearch command: 
> @@ -82,7 +74,7 @@ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true - when: install.changed tags: - production_ready + when: install.changed \ No newline at end of file From a2fe75775e3cab2ef2d4bd246f8379245f066a3e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 18:43:01 +0200 Subject: [PATCH 48/76] Added new variables --- .../defaults/main.yml | 13 ++++-------- .../tasks/LocalActions.yml | 20 +++++++++---------- .../tasks/SecurityActions.yml | 4 ++-- 3 files changed, 16 insertions(+), 21 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index b71b67de7..9103b4ade 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -39,6 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +# Url of Search Guard certificates generator tool +certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' yum: 'https://artifacts.elastic.co/packages/7.x/yum' @@ -50,13 +53,5 @@ opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh -opendistro_node_name: node-1 -opendistro_bootstrap_node: false -opendistro_node_master: false -opendistro_cluster_nodes: - - 127.0.0.1 -opendistro_discovery_nodes: - - 127.0.0.1 -opendistro_node_data: true -opendistro_node_ingest: true +local_certs_path: /tmp/opendistro-nodecerts \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 8ff56b649..50d4016c8 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
@@ -4,27 +4,27 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: /tmp/opendistro-nodecerts + path: {{ local_certs_path }} state: directory run_once: true - name: Local action | Download certificates generation tool local_action: module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + url: "{{ certs_gen_tool_url }}" + dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" - name: Local action | Extract the certificates generation tool local_action: module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + dest: "{{ local_certs_path }}/" - name: Local action | Add the execution bit to the binary local_action: module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x run_once: true 
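Review bot: The `get_url` that fetches the TLS tool which will mint the cluster CA and every node key has no `checksum:`, so a download over HTTPS from a third-party release server is the only integrity check; pin it with `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` next to the new `url:` line. In the same hunk `path: {{ local_certs_path }}` is unquoted (YAML reads a leading `{{` as a flow mapping) and `run_once:` is set to a file path instead of a boolean; patch 50 later in this chunk corrects both, so only the missing checksum remains open.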
@@ -32,18 +32,18 @@ local_action: module: template src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + dest: "{{ local_certs_path }}/config/tlsconfig.yml" run_once: true - name: Local action | Check if root CA file exists local_action: module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key + path: "{{ local_certs_path }}/config/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o run_once: true when: root_ca_file.stat.exists == False diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 8572d864a..3c8293f5a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -12,7 +12,7 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" + src: "{{ local_certs_path }}/config/{{ item }}" dest: /etc/elasticsearch/ mode: 0644 with_items: @@ -28,7 +28,7 @@ - name: Copy the opendistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" 
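Review bot: `lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml')` in the `@@ -28,7 +28,7 @@` hunk nests moustaches inside an expression that is already being templated; Ansible only resolves this through legacy recursive templating and ansible-lint rejects it, so build the path by concatenation: `block: "{{ lookup('file', local_certs_path ~ '/config/' ~ inventory_hostname ~ '_elasticsearch_config_snippet.yml') }}"`. In the `@@ -12,7 +12,7 @@` hunk the new `src:` is fine, but the task still installs every item with `mode: 0644`; the item list is outside the hunk, and the earlier version of this file in this chunk shows it includes `admin.key`, a private key that should get `0600`.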
From 459ac4631034c75a4e3f9c9963d9bb742edd6c92 Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 8 May 2020 20:05:28 +0200 Subject: [PATCH 49/76] Fix API from sources installation conditional --- .../ansible-wazuh-manager/tasks/installation_from_sources.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml index e019d2f9b..2fa00fe70 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml @@ -123,7 +123,7 @@ path: /var/ossec/api/app.js register: wazuh_api when: - - wazuh_manager_config.cluster.node_type == "master" + - wazuh_manager_config.cluster.node_type == "master" or wazuh_manager_config.cluster.node_type == "worker" - name: Install Wazuh API from sources block: From cf14f400ba417965a8fdf98f71faaa1c9072f88c Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 20:44:30 +0200 Subject: [PATCH 50/76] Linting and improving variables --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 5 +++-- .../opendistro-elasticsearch/tasks/LocalActions.yml | 6 +++--- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 5 +++-- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 5 +++-- 5 files changed, 14 insertions(+), 10 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 9103b4ade..0c8f8f1f8 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
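Review bot: The new condition repeats the attribute lookup for each accepted value; `- wazuh_manager_config.cluster.node_type in ['master', 'worker']` says the same thing and is easier to extend. The `stat` task this `when:` belongs to starts before the hunk, so whether other tasks in this file still gate on `master` only is not visible here.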
@@ -39,8 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +certs_gen_tool_version: 1.7 # Url of Search Guard certificates generator tool -certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip +certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index c2836edcd..95f5868b6 100644 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,4 +1,5 @@ --- - name: restart elasticsearch - service: name=elasticsearch - state: restarted + service: + name: elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 50d4016c8..603796169 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -4,7 +4,7 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: {{ local_certs_path }} + path: "{{ local_certs_path }}" state: directory run_once: true @@ -12,8 +12,8 @@ local_action: module: get_url url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" - run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" + dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + run_once: true - name: Local action | Extract the certificates generation tool local_action: 
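Review bot: `certs_gen_tool_version: 1.7` is an unquoted float, so a future `1.10` would load as `1.1` and the rendered `certs_gen_tool_url` would silently point at the wrong release; quote it as `certs_gen_tool_version: "1.7"`. The `@@ -12,8 +12,8 @@` hunk of LocalActions.yml builds the zip file name from the same variable, so the value is interpolated in two places.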
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 3511c7c4c..1a2eed56a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,8 +22,9 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel - state: present + yum: + name: java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index fbc9dea67..d8f51f812 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,8 +6,9 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} - state: present + package: + name: opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9742c4984cb929d99733ffe8cee77ebae90933b5 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 11 May 2020 13:56:03 +0200 Subject: [PATCH 51/76] Changed task description --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 3c8293f5a..056af1e4a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
@@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the opendistro security configuration file to cluster + - name: Copy the OpenDistrosecurity configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the opendistro security configuration file + - name: Prepare the OpenDistrosecurity configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the opendistro security internal users template + - name: Copy the OpenDistrosecurity internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" @@ -58,13 +58,13 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Set the kibanaserver user pasword + - name: Set the kibanaserver role/user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the opendistro security index in elasticsearch + - name: Initialize the OpenDistrosecurity index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem From eb9925a901a70f70da61aec99b0309fac4348658 Mon Sep 17 00:00:00 2001 
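Review bot: The renamed task keeps the misspelling in `- name: Set the kibanaserver role/user pasword`; it should read `password`. The new `OpenDistrosecurity` names in the other three hunks lack a space, which patch 52 in this chunk fixes, but the `pasword` typo is not touched by that patch either.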
From: "Manuel J. Bernal" Date: Mon, 11 May 2020 15:18:11 +0200 Subject: [PATCH 52/76] Fixed variables and renamed files --- .../tasks/{LocalActions.yml => local_actions.yml} | 0 roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- .../tasks/{SecurityActions.yml => security_actions.yml} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename roles/opendistro/opendistro-elasticsearch/tasks/{LocalActions.yml => local_actions.yml} (100%) rename roles/opendistro/opendistro-elasticsearch/tasks/{SecurityActions.yml => security_actions.yml} (90%) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index d8f51f812..c89412082 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,6 +1,6 @@ --- -- import_tasks: LocalActions.yml +- import_tasks: local_actions.yml - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' @@ -30,7 +30,7 @@ when: install.changed tags: install -- import_tasks: SecurityActions.yml +- import_tasks: security_actions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml similarity index 90% rename from roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 056af1e4a..1fee6fefc 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the OpenDistrosecurity configuration file to cluster + - name: Copy the OpenDistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the OpenDistrosecurity configuration file + - name: Prepare the OpenDistro security configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the OpenDistrosecurity internal users template + - name: Copy the OpenDistro security internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" @@ -64,7 +64,7 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the OpenDistrosecurity index in elasticsearch + - name: Initialize the OpenDistro security index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem From fdc3b0f55cd1f774523232b517aef462207e7d0a Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 14 May 2020 18:13:53 +0200 Subject: [PATCH 53/76] Lint changes --- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 2 +- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 2 +- .../opendistro-elasticsearch/tasks/local_actions.yml | 6 +++--- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/tasks/main.yml | 1 - roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 2 +- 6 files changed, 8 insertions(+), 9 deletions(-) 
diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index 95f5868b6..3cfaa6b00 100644 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart elasticsearch - service: + service: name: elasticsearch state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 1a2eed56a..f018c9f7f 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -23,7 +23,7 @@ - name: RedHat/CentOS/Fedora | Install OpenJDK 11 yum: - name: java-11-openjdk-devel + name: java-11-openjdk-devel state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index 603796169..d48570468 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -7,7 +7,7 @@ path: "{{ local_certs_path }}" state: directory run_once: true - + - name: Local action | Download certificates generation tool local_action: module: get_url @@ -37,7 +37,7 @@ - name: Local action | Check if root CA file exists local_action: - module: stat + module: stat path: "{{ local_certs_path }}/config/root-ca.key" register: root_ca_file @@ -45,7 +45,7 @@ local_action: module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o run_once: true - when: root_ca_file.stat.exists == False + when: not root_ca_file.stat.exists tags: - generate-certs \ No newline at end of file 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index c89412082..9df1e01cb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -7,7 +7,7 @@ - name: Install OpenDistro package: - name: opendistroforelasticsearch-{{ opendistro_version }} + name: opendistroforelasticsearch-{{ opendistro_version }} state: present register: install tags: install @@ -18,7 +18,7 @@ state: absent when: install.changed tags: install - + - name: Copy Configuration File blockinfile: block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c2524..4dcd8da5d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -69,7 +69,6 @@ path: "{{ filebeat_module_folder }}" register: filebeat_module_folder - - name: Download Filebeat module package get_url: url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index e93428607..2c4e2f5e1 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -127,7 +127,7 @@ become: no changed_when: newagent_api.json.error == 0 when: - - check_keys.stat.exists == false or check_keys.stat.size == 0 + - not check_keys.stat.exists or check_keys.stat.size == 0 - wazuh_managers.0.address is not none tags: - config From 930125cc86b84914dc3ccf36f2f6371053be9a79 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Thu, 21 May 2020 22:32:36 +0200 Subject: [PATCH 54/76] WIP: First Kibana working approach --- playbooks/wazuh-opendistro-kibana.yml | 4 + .../defaults/main.yml | 4 +- .../tasks/RMRedHat.yml | 2 +- .../templates/tlsconfig.yml.j2 | 9 +- .../opendistro-kibana/defaults/main.yml | 60 ++++++++ .../opendistro-kibana/handlers/main.yml | 3 + .../opendistro-kibana/tasks/RMRedHat.yml | 6 + .../opendistro-kibana/tasks/RedHat.yml | 23 +++ .../tasks/build_wazuh_plugin.yml | 76 ++++++++++ .../opendistro-kibana/tasks/main.yml | 62 ++++++++ .../tasks/security_actions.yml | 13 ++ .../templates/opendistro_kibana.yml.j2 | 36 +++++ .../opendistro-kibana/templates/wazuh.yml.j2 | 134 ++++++++++++++++++ 13 files changed, 428 insertions(+), 4 deletions(-) create mode 100644 playbooks/wazuh-opendistro-kibana.yml create mode 100644 roles/opendistro/opendistro-kibana/defaults/main.yml create mode 100644 roles/opendistro/opendistro-kibana/handlers/main.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/RedHat.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/main.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/security_actions.yml create mode 100644 roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 create mode 100644 roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 diff --git a/playbooks/wazuh-opendistro-kibana.yml b/playbooks/wazuh-opendistro-kibana.yml new file mode 100644 index 000000000..fa3600c14 --- /dev/null +++ b/playbooks/wazuh-opendistro-kibana.yml @@ -0,0 +1,4 @@ +--- +- hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-kibana diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 0c8f8f1f8..231401236 100644 
--- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -16,8 +16,8 @@ domain_name: wazuh.com # The OpenDistro package repository package_repos: - yum: - opendistro: + yum: + opendistro: baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' elasticsearch_oss: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml index 469893611..31f0416a9 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) yum_repository: - name: elastic_repo_7 + name: opendistro_repo state: absent changed_when: false diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index 85792a6af..f5ee89bc9 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 @@ -31,7 +31,14 @@ nodes: dns: {{ item }}.{{ domain_name }} ip: {{ hostvars[item]['ip'] }} {% endfor %} - +{% if groups['kibana'] is defined and groups['kibana']|length > 0 %} +{% for item in groups['kibana'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} +{% endif %} ### ### Clients ### diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml new file mode 100644 index 000000000..6bbf5015a --- /dev/null +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml 
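Review bot: A host that is in both `groups['kibana']` and the group iterated by the preceding `{% for %}` (outside this hunk) is emitted twice under `nodes:` with the same `name:`, because the new block does not exclude hosts already listed; guard the new loop with a membership test against the first group. The new entries also require an `ip` hostvar for every Kibana host, as the existing loop does, and the template fails to render when it is absent. The deleted blank line after `{% endfor %}` is harmless.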
@@ -0,0 +1,60 @@
+---
+
+elasticsearch_http_port: "9200"
+elasticsearch_network_host: |-
+ {% for item in groups['kibana'] -%}
+ {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
+ {%- endfor %}
+
+kibana_conf_path: /etc/kibana
+kibana_server_host: "0.0.0.0"
+kibana_server_port: "5601"
+kibana_server_name: "kibana"
+kibana_max_payload_bytes: 1048576
+opendistro_version: 7.6.1
+wazuh_version: 3.12.3
+wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
+
+# The OpenDistro package repository
+package_repos:
+ yum:
+ opendistro:
+ baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
+ gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
+ elasticsearch_oss:
+ baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
+ gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+
+
+# API credentials
+wazuh_api_credentials:
+ - id: "default"
+ url: "http://localhost"
+ port: 55000
+ user: "foo"
+ password: "bar"
+
+# opendistro Security
+kibana_opendistro_security: true
+kibana_newsfeed_enabled: "false"
+kibana_telemetry_optin: "false"
+kibana_telemetry_enabled: "false"
+
+opendistro_security_user: elastic
+opendistro_kibana_user: kibanaserver
+opendistro_kibana_password: changeme
+local_certs_path: /tmp/opendistro-nodecerts
+
+# Nodejs
+nodejs:
+ repo_dict:
+ debian: "deb"
+ redhat: "rpm"
+ repo_url_ext: "nodesource.com/setup_10.x"
+
+# Build from sources
+build_from_sources: false
+wazuh_plugin_branch: 3.12-7.6
+
+#Nodejs NODE_OPTIONS
+node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
diff --git a/roles/opendistro/opendistro-kibana/handlers/main.yml b/roles/opendistro/opendistro-kibana/handlers/main.yml
new file mode 100644
index 000000000..55ea3d3c1
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart kibana
+ service: name=kibana state=restarted
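Review bot: `elasticsearch_network_host` iterates `groups['kibana']`, yet the template renders it into `elasticsearch.hosts`, so Kibana is pointed at the Kibana hosts' own addresses rather than at the Elasticsearch nodes; presumably the Elasticsearch group was intended. With more than one host the loop emits `ip1","ip2` and the template wraps that in `"https://…:{{ elasticsearch_http_port }}"`, which yields a malformed host list; render scheme, address and port per host and join those, or make the variable a YAML list. `wazuh_api_credentials` ships `user: "foo"` / `password: "bar"` and `opendistro_kibana_password: changeme` as defaults, matching the elasticsearch role's defaults in this chunk, so the role deploys working credentials unless every consumer overrides them.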
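Review bot: `service: name=kibana state=restarted` uses the key=value shorthand that patch 50 in this series converts to block form elsewhere; for consistency write `service:` with `name: kibana` and `state: restarted` on their own lines.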
diff --git a/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml b/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml
new file mode 100644
index 000000000..959c70e99
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+ yum_repository:
+ name: opendistro_repo
+ state: absent
+ changed_when: false
diff --git a/roles/opendistro/opendistro-kibana/tasks/RedHat.yml b/roles/opendistro/opendistro-kibana/tasks/RedHat.yml
new file mode 100644
index 000000000..d2dbc4ec9
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/tasks/RedHat.yml
@@ -0,0 +1,23 @@
+---
+- block:
+
+ - name: RedHat/CentOS/Fedora | Add OpenDistro repo
+ yum_repository:
+ file: opendistro
+ name: opendistro_repo
+ description: Opendistro yum repository
+ baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
+ gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
+ gpgcheck: true
+
+ - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
+ yum_repository:
+ file: opendistro
+ name: elasticsearch_oss_repo
+ description: Elasticsearch-oss yum repository
+ baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
+ gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
+ gpgcheck: true
+
+ tags:
+ - install
\ No newline at end of file
diff --git a/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml b/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml
new file mode 100644
index 000000000..b7ceb87f1
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml
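Review bot: The cleanup task removes only `opendistro_repo`, but `RedHat.yml` in the same patch registers two repositories in `file: opendistro` (`opendistro_repo` and `elasticsearch_oss_repo`), so `elasticsearch_oss_repo` stays configured after the role finishes; add a second `yum_repository` entry with `state: absent`, or loop over both names. The task name still says `Remove Elasticsearch repository` although it now targets the OpenDistro repo. `RedHat.yml` also ends without a trailing newline.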
@@ -0,0 +1,76 @@
+---
+ - name: Ensure the Git package is present
+ package:
+ name: git
+ state: present
+
+ - name: Modify repo url if host is in Debian family
+ set_fact:
+ node_js_repo_type: deb
+ when:
+ - ansible_os_family | lower == "debian"
+
+ - name: Download script to install Nodejs repository
+ get_url:
+ url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
+ dest: "/tmp/setup_nodejs_repo.sh"
+ mode: 0700
+
+ - name: Execute downloaded script to install Nodejs repo
+ command: /tmp/setup_nodejs_repo.sh
+ register: node_repo_installation_result
+ changed_when: false
+
+ - name: Install Nodejs
+ package:
+ name: nodejs
+ state: present
+
+ - name: Install yarn dependency to build the Wazuh Kibana Plugin
+ # Using shell due to errors when evaluating text between @ with command
+ shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
+ register: install_yarn_result
+ changed_when: install_yarn_result == 0
+
+ - name: Remove old wazuh-kibana-app git directory
+ file:
+ path: /tmp/app
+ state: absent
+ changed_when: false
+
+ - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
+ command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
+ register: clone_app_repo_result
+ changed_when: false
+ args:
+ chdir: "/tmp"
+
+ - name: Executing yarn to build the package
+ command: "{{ item }}"
+ with_items:
+ - "yarn"
+ - "yarn build"
+ register: yarn_execution_result
+ changed_when: false
+ args:
+ chdir: "/tmp/app/"
+
+ - name: Obtain name of generated package
+ shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
+ register: wazuhapp_package_name
+ changed_when: false
+ args:
+ chdir: "/tmp/app/build"
+
+ - name: Install Wazuh Plugin (can take a while)
+ shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
+ args:
+ executable: /bin/bash
+ creates: /usr/share/kibana/plugins/wazuh/package.json
+ chdir: /usr/share/kibana
+ become: yes
+ become_user: kibana
+ notify: restart kibana
+ tags:
+ - install
+ - skip_ansible_lint
diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml
new file mode 100644
index 000000000..c68200cc7
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/tasks/main.yml
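Review bot: `changed_when: install_yarn_result == 0` compares the whole registered result dictionary with `0`, which is never true, so the yarn install is always reported unchanged; the return code is `install_yarn_result.rc`, and since `npm install -g` runs unconditionally the honest choice is `changed_when: false` or a `creates:`-style guard. The `node_js_repo_type` fact set at the top is never read (the URL is built from `nodejs['repo_dict']`), so that task can go. The Nodesource setup script is downloaded to `/tmp` and executed with no `checksum:` on the `get_url`, and the plugin source is pinned to a branch rather than a commit, so neither input to the build is verified. `become: yes` should be `become: true` to match the booleans elsewhere in the role.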
@@ -0,0 +1,62 @@
+---
+
+- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
+ fail:
+ msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
+ when:
+ - build_from_sources
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version == "10"
+
+- import_tasks: RedHat.yml
+ when: ansible_os_family == 'RedHat'
+
+- name: Reload systemd
+ systemd:
+ daemon_reload: true
+ ignore_errors: true
+ when:
+ - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
+ - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
+ - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
+ - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
+
+- name: Install Kibana
+ package:
+ name: opendistroforelasticsearch-kibana
+ state: present
+ register: install
+ tags: install
+
+
+- name: Remove Kibana configuration file
+ file:
+ path: "{{ kibana_conf_path }}/kibana.yml"
+ state: absent
+ when: install.changed
+ tags: install
+
+- import_tasks: security_actions.yml
+
+- name: Copy Configuration File
+ blockinfile:
+ block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
+ dest: "{{ kibana_conf_path }}/kibana.yml"
+ create: true
+ group: root
+ mode: 0640
+ marker: "## {mark} Kibana general settings ##"
+ notify: restart kibana
+
+ tags:
+ - install
+ - configure
+
+- name: Ensure Kibana started and enabled
+ service:
+ name: kibana
+ enabled: true
+ state: started
+
+- import_tasks: RMRedHat.yml
+ when: ansible_os_family == 'RedHat'
diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml
new file mode 100644
index 000000000..96b787c94
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml
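Review bot: `Copy Configuration File` recreates `kibana.yml` with `create: true`, `group: root` and `mode: 0640` right after the earlier task deleted the packaged file, so the new file is owned by the connecting (root) user and readable only by root; the service runs as the `kibana` user (the build task in the previous file uses `become_user: kibana`), so it will most likely be unable to read its own configuration, which contains `elasticsearch.password`. Set `owner: kibana` and `group: kibana` on the `blockinfile` task and keep `mode: 0640`. `Install Kibana` installs `opendistroforelasticsearch-kibana` with no version although the defaults define `opendistro_version`, so the Kibana package is not pinned to the Elasticsearch one.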
@@ -0,0 +1,13 @@
+- block:
+
+ - name: Copy the certificates from local to the Kibana instance
+ copy:
+ src: "{{ local_certs_path }}/config/{{ item }}"
+ dest: /usr/share/kibana
+ mode: 0644
+ with_items:
+ - "{{ inventory_hostname }}_http.key"
+ - "{{ inventory_hostname }}_http.pem"
+ tags:
+ - production_ready
+ when: install.changed
\ No newline at end of file
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
new file mode 100644
index 000000000..c526fcdaf
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
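Review bot: `{{ inventory_hostname }}_http.key` is a TLS private key, and the `copy` installs it with `mode: 0644`, so any local account on the Kibana host can read it; split the loop or use per-item modes so the key gets `mode: 0600`, and give both files `owner: kibana` (the user Kibana runs as, per `become_user: kibana` in the build task). The file also starts without `---` and ends without a trailing newline, unlike the other task files in the role.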
@@ -0,0 +1,36 @@
+# {{ ansible_managed }}
+# Description:
+# Default Kibana configuration for Open Distro.
+server.port: {{ kibana_server_port }}
+
+#server.basePath: ""
+server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
+server.name: {{ kibana_server_name }}
+server.host: {{ kibana_server_host }}
+{% if kibana_opendistro_security %}
+elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% else %}
+elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% endif %}
+
+elasticsearch.username: {{ opendistro_kibana_user }}
+elasticsearch.password: {{ opendistro_kibana_password }}
+elasticsearch.ssl.verificationMode: none
+
+elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
+opendistro_security.readonly_mode.roles: ["kibana_read_only"]
+
+# OpenDistro Security
+{% if kibana_opendistro_security %}
+server.ssl.enabled: true
+server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem"
+server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"
+{% endif %}
+
+newsfeed.enabled: {{ kibana_newsfeed_enabled }}
+telemetry.optIn: {{ kibana_telemetry_optin }}
+telemetry.enabled: {{ kibana_telemetry_enabled }}
+
+
diff --git a/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 b/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2
new file mode 100644
index 000000000..1cbc9e2d6
--- /dev/null
+++ b/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2
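Review bot: `elasticsearch.ssl.verificationMode: none` turns off verification of the Elasticsearch certificate even though the role already generates a root CA for the cluster (the Elasticsearch role hands `root-ca.pem` to `securityadmin.sh -cacert`), so the connection that carries `elasticsearch.password` accepts any certificate; copy the CA next to the HTTP key/cert and set `elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]` (path as an example) with `elasticsearch.ssl.verificationMode: full`. `elasticsearch.password: {{ opendistro_kibana_password }}` is rendered unquoted, so a password containing `#`, `: ` or a leading YAML indicator breaks the file; write `elasticsearch.password: "{{ opendistro_kibana_password }}"` and quote `elasticsearch.username` the same way. `server.ssl.key` also has a doubled slash in `/usr/share/kibana//…`.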
@@ -0,0 +1,134 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2015-2019 Wazuh, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-kibana-app +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-3.x-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. +# It will be ignored if it is bellow 1500. 
+# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# ------------------------------ Advanced indices ------------------------------ +# +# Configure .wazuh indices shards and replicas. +#wazuh.shards : 1 +#wazuh.replicas : 0 +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-3.x-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-3.x-* indices custom creation interval. +# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-3.x-* +# +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. 
+# Default value: info +# Allowed values: info, debug +#logs.level: info +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. +# +#hosts: +# - : +# url: http(s):// +# port: +# user: +# password: + +hosts: +{% for api in wazuh_api_credentials %} + - {{ api['id'] }}: + url: {{ api['url'] }} + port: {{ api['port'] }} + user: {{ api['user'] }} + password: {{ api['password'] }} +{% endfor %} From f43b885dc81b8cc278094c5c5692a3ec6cafab31 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Fri, 22 May 2020 19:28:05 +0200 Subject: [PATCH 55/76] fix permission override and broken idempotence --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47438f98d..1233fde43 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -180,7 +180,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - elasticsearch_xpack_security - generate_CA diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c2524..29732104c 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -59,7 +59,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - filebeat_xpack_security tags: xpack-security From be973340addc998c8eba9720ca35827b3b73e4d3 Mon Sep 17 00:00:00 2001 
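Review bot: In the `hosts:` loop at the end of `wazuh.yml.j2`, `url`, `port`, `user` and `password` are rendered as unquoted plain scalars, so a credential or id that happens to look like a number or boolean, or that starts with a YAML indicator (`*`, `&`, `[`, `{`, `#`), is retyped or breaks the parse. Quote the rendered values: `url: "{{ api['url'] }}"`, `user: "{{ api['user'] }}"`, `password: "{{ api['password'] }}"`. The template writes API credentials in clear text into `wazuh.yml`, so the task that renders it (not visible in this hunk) should set a restrictive owner and mode and use `no_log: true` so the rendered content does not reach the play output.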
From: Pablo Escobar Date: Sat, 23 May 2020 00:18:10 +0200 Subject: [PATCH 56/76] allow elasticsearch to readh the ca file --- .../ansible-elasticsearch/tasks/xpack_security.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 1233fde43..47063c4e9 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -149,6 +149,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -164,6 +166,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -178,6 +182,8 @@ - name: Ensuring folder permissions file: path: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0774 state: directory recurse: no From 18d69f8b67ed5d35f007d7aa33dcf2a25baee97b Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 00:48:38 +0200 Subject: [PATCH 57/76] fix for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 220230c8c..122b64883 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,7 +56,7 @@ file: path: "{{ node_certs_destination }}/" state: directory - recurse: yes + recurse: no owner: kibana group: kibana when: 
@@ -67,7 +67,7 @@ file: path: "{{ node_certs_destination }}/" mode: 0770 - recurse: yes + recurse: no when: - kibana_xpack_security notify: restart kibana From 57c2a9bb760da8c12eddcd836eec1b993155af48 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 01:23:25 +0200 Subject: [PATCH 58/76] fix permissions for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 122b64883..b9dde1fe4 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -28,6 +28,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" @@ -42,6 +44,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" From c11cdfcf05966ce94dc9bb7c9cd8a4e5b747b371 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 01:40:26 +0200 Subject: [PATCH 59/76] only execute kibana optimization during initial installation --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 220230c8c..093aafa6a 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -139,6 +139,7 @@ shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize args: executable: /bin/bash + creates: /usr/share/kibana/optimize/wazuh/ become: yes become_user: kibana changed_when: false From d9f7e79b7dc9d61b9002b8c05b52ad4215c98235 Mon Sep 17 00:00:00 2001 
From: Pablo Escobar Date: Sat, 23 May 2020 13:20:19 +0200 Subject: [PATCH 60/76] always use 0770 for the certs folder --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/tasks/main.yml | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47063c4e9..0d9740d4f 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -184,7 +184,7 @@ path: "{{ node_certs_destination }}/" owner: root group: elasticsearch - mode: 0774 + mode: 0770 state: directory recurse: no when: diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index b9dde1fe4..cb7f3c55d 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,13 +56,14 @@ - not generate_CA tags: xpack-security -- name: Ensuring certificates folder owner +- name: Ensuring certificates folder owner and permissions file: path: "{{ node_certs_destination }}/" state: directory recurse: no owner: kibana group: kibana + mode: 0770 when: - kibana_xpack_security tags: xpack-security @@ -70,7 +71,6 @@ - name: Ensuring certificates folder owner file: path: "{{ node_certs_destination }}/" - mode: 0770 recurse: no when: - kibana_xpack_security diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 29732104c..5a15926d1 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
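Review bot: In the kibana `Ensuring certificates folder owner and permissions` task, the certificates directory becomes `owner: kibana` with `mode: 0770`, so although the key files themselves are root-owned and 0440 (per the earlier hunk in this series), the service account can unlink and replace them through directory write permission. The elasticsearch and filebeat equivalents in this same commit keep `owner: root` on the directory; aligning kibana with them and granting the service only traverse/read access would be `owner: root`, `group: kibana`, `mode: "0750"`. The quoted form also avoids relying on YAML 1.1 octal parsing for the mode value.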
@@ -30,6 +30,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -44,6 +46,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -57,7 +61,7 @@ - name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: 0774 + mode: 0770 state: directory recurse: no when: From 5d211c3b41bc50fcbef3f0d8d13dfe46d13acfc3 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:22:00 +0200 Subject: [PATCH 61/76] apply kibana certs permissions in a single task --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index cb7f3c55d..e4f8b7330 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -66,14 +66,6 @@ mode: 0770 when: - kibana_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - recurse: no - when: - - kibana_xpack_security notify: restart kibana tags: xpack-security From 3d94c5d159dfd9483e7e526d417df7d530dc145b Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:46:49 +0200 Subject: [PATCH 62/76] remove unneded option changed_when --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 093aafa6a..321e22682 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -142,7 +142,6 @@ creates: /usr/share/kibana/optimize/wazuh/ become: yes become_user: kibana - changed_when: false tags: - skip_ansible_lint From 44ca014cc1db8a618214002c12985e8a2bc96e35 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Tue, 26 May 2020 16:10:41 +0200 Subject: [PATCH 63/76] Trim spaces --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index c89412082..9df1e01cb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -7,7 +7,7 @@ - name: Install OpenDistro package: - name: opendistroforelasticsearch-{{ opendistro_version }} + name: opendistroforelasticsearch-{{ opendistro_version }} state: present register: install tags: install @@ -18,7 +18,7 @@ state: absent when: install.changed tags: install - + - name: Copy Configuration File blockinfile: block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" From f21a7e9c1c231094be70b4b7fb354bb78b4fda4f Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Tue, 26 May 2020 21:06:16 +0200 Subject: [PATCH 64/76] - Refactoring security local actions - Added Filebeat OSS repositories --- playbooks/wazuh-manager-oss.yml | 8 + roles/opendistro/hosts | 49 + .../tasks/local_actions.yml | 28 +- .../opendistro-kibana/tasks/main.yml | 3 +- roles/wazuh/filebeat-oss/defaults/main.yml | 57 + roles/wazuh/filebeat-oss/handlers/main.yml | 3 + roles/wazuh/filebeat-oss/meta/main.yml | 29 + roles/wazuh/filebeat-oss/tasks/Debian.yml | 22 + roles/wazuh/filebeat-oss/tasks/RMDebian.yml | 6 + roles/wazuh/filebeat-oss/tasks/RMRedHat.yml | 6 + roles/wazuh/filebeat-oss/tasks/RedHat.yml | 9 + roles/wazuh/filebeat-oss/tasks/config.yml | 39 + roles/wazuh/filebeat-oss/tasks/main.yml | 125 ++ .../filebeat-oss/tasks/security_actions.yml | 11 + .../templates/elasticsearch.yml.j2 | 1800 +++++++++++++++++ .../filebeat-oss/templates/filebeat.yml.j2 | 39 + .../wazuh/filebeat-oss/tests/requirements.yml | 3 + roles/wazuh/filebeat-oss/tests/test.yml | 20 + 18 files changed, 2246 insertions(+), 11 deletions(-) create mode 100644 playbooks/wazuh-manager-oss.yml create mode 100644 roles/opendistro/hosts create mode 100644 roles/wazuh/filebeat-oss/defaults/main.yml create mode 100644 roles/wazuh/filebeat-oss/handlers/main.yml create mode 100644 roles/wazuh/filebeat-oss/meta/main.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/Debian.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RMDebian.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RMRedHat.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RedHat.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/config.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/main.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/security_actions.yml create mode 100644 roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 create mode 100644 roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 create mode 100644 roles/wazuh/filebeat-oss/tests/requirements.yml create 
mode 100644 roles/wazuh/filebeat-oss/tests/test.yml diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml new file mode 100644 index 000000000..5cb9b4bd5 --- /dev/null +++ b/playbooks/wazuh-manager-oss.yml @@ -0,0 +1,8 @@ +--- +- hosts: + roles: + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/filebeat-oss + filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 + + diff --git a/roles/opendistro/hosts b/roles/opendistro/hosts new file mode 100644 index 000000000..bd3b73e70 --- /dev/null +++ b/roles/opendistro/hosts @@ -0,0 +1,49 @@ +# This is the default ansible 'hosts' file. +# +# It should live in /etc/ansible/hosts +# +# - Comments begin with the '#' character +# - Blank lines are ignored +# - Groups of hosts are delimited by [header] elements +# - You can enter hostnames or ip addresses +# - A hostname/ip can be a member of multiple groups + +# Ex 1: Ungrouped hosts, specify before any group headers. + +## green.example.com +## blue.example.com +## 192.168.100.1 +## 192.168.100.10 + +# Ex 2: A collection of hosts belonging to the 'webservers' group +#[elasticsearch_first + + +es1 ansible_host=172.16.0.161 ansible_user=vagrant ip=172.16.0.161 +es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162 +es3 ansible_host=172.16.0.163 ansible_user=vagrant ip=172.16.0.163 +manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250 + +[managers] +manager1 + +[es-cluster] +es1 +es2 +es3 +manager1 + +[kibana] +es1 + +[single-host] +172.16.1.15 ansible_ssh_user=vagrant +[elastic-cluster] +172.16.0.161 ansible_ssh_user=vagrant +172.16.0.162 ansible_ssh_user=vagrant +172.16.0.163 ansible_ssh_user=vagrant +[agents] +172.16.0.131 ansible_ssh_user=vagrant +172.16.0.132 ansible_ssh_user=vagrant +# If you have multiple hosts following a pattern you can specify +# them like this: 
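Review bot: In `playbooks/wazuh-manager-oss.yml`, `- hosts:` has no value, so it parses as `null` and the play cannot be targeted; give it an inventory group, e.g. `- hosts: managers`. The role variable `filebeat_output_elasticsearch_hosts: 172.16.0.161:9200` is a plain string, while the role's `defaults/main.yml` in this same commit declares it as a list (`- "localhost:9200"`), so whatever consumes it is likely to iterate over characters or fail; write it as a quoted list item and prefer an inventory variable over a lab IP hard-coded in a shipped playbook.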
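Review bot: `roles/opendistro/hosts` commits a lab inventory (Vagrant addresses, `ansible_user=vagrant`, an unterminated commented header `#[elasticsearch_first`, and leftover example text) into the roles tree, where role consumers will pick it up; inventories belong outside `roles/`, per environment, or in a file clearly named as an example. If it is meant as a sample, rename it (for example `hosts.example`), replace the concrete addresses with placeholders, and reconcile the duplicated host definitions — the same machines appear both by alias under `[es-cluster]` and by raw IP under `[elastic-cluster]`/`[single-host]`, with different connection variables (`ansible_user` vs `ansible_ssh_user`).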
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index 603796169..b6995e5cc 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -6,14 +6,12 @@ module: file path: "{{ local_certs_path }}" state: directory - run_once: true - + - name: Local action | Download certificates generation tool local_action: module: get_url url: "{{ certs_gen_tool_url }}" dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" - run_once: true - name: Local action | Extract the certificates generation tool local_action: 
@@ -26,26 +24,36 @@ module: file dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x - run_once: true - name: Local action | Prepare the certificates generation template file local_action: module: template src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" - run_once: true + + + - name: Create a directory if it does not exist + file: + path: "{{ local_certs_path }}/certs/" + state: directory + mode: '0755' + delegate_to: localhost - name: Local action | Check if root CA file exists local_action: - module: stat - path: "{{ local_certs_path }}/config/root-ca.key" + module: stat + path: "{{ local_certs_path }}/certs/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o + when: not root_ca_file.stat.exists + - name: Local action | Generate the node & admin certificates using an existing root CA + local_action: + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f + when: root_ca_file.stat.exists + run_once: true tags: - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index c68200cc7..2d29e0cbe 100644 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml 
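Review bot: `run_once: true` was removed from the first generation task (`Generate the node & admin certificates in local`) but kept on the new `using an existing root CA` task, so on a multi-host play the CA-creating command (`-ca -crt … -f -o`) runs once per host against the same local directory, each run overwriting the previous output; under the default linear strategy the `stat` on `root-ca.key` is evaluated for every host before any generation runs, so it does not prevent this. Restore `run_once: true` on that task (and arguably on the stat and directory tasks, which are host-independent local actions). The output directory also moved from `{{ local_certs_path }}/config/` to `{{ local_certs_path }}/certs/`, but the filebeat-oss `tasks/security_actions.yml` added in this same commit still copies from `config/`, so it would find nothing generated here. The new directory task uses `file:` with `delegate_to: localhost` while the rest of the file uses `local_action:`; one form should be used throughout.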
@@ -43,7 +43,8 @@ block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}" dest: "{{ kibana_conf_path }}/kibana.yml" create: true - group: root + group: kibana + owner: kibana mode: 0640 marker: "## {mark} Kibana general settings ##" notify: restart kibana diff --git a/roles/wazuh/filebeat-oss/defaults/main.yml b/roles/wazuh/filebeat-oss/defaults/main.yml new file mode 100644 index 000000000..4ed761562 --- /dev/null +++ b/roles/wazuh/filebeat-oss/defaults/main.yml 
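Review bot: Changing the rendered `kibana.yml` to `owner: kibana` together with `mode: 0640` makes the file writable by the Kibana service account, so a compromised Kibana process could rewrite its own configuration, including the `elasticsearch.password` the template places in it. What looks like the intended fix (letting Kibana read the file) is achieved with the group change alone, keeping root as owner: `owner: root`, `group: kibana`, `mode: "0640"`.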
@@ -0,0 +1,57 @@ +--- +filebeat_version: 7.6.2 + +filebeat_create_config: true + +filebeat_prospectors: + - input_type: log + paths: + - "/var/ossec/logs/alerts/alerts.json" + document_type: json + json.message_key: log + json.keys_under_root: true + json.overwrite_keys: true + +filebeat_node_name: node-1 + +filebeat_output_elasticsearch_enabled: false +filebeat_output_elasticsearch_hosts: + - "localhost:9200" + +filebeat_enable_logging: true +filebeat_log_level: debug +filebeat_log_dir: /var/log/mybeat +filebeat_log_filename: mybeat.log + +filebeat_ssl_dir: /etc/pki/filebeat +filebeat_ssl_certificate_file: "" +filebeat_ssl_key_file: "" +filebeat_ssl_insecure: "false" + +filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh + +# Opendistro Security +filebeat_opendistro_security: false + +elasticsearch_opendistro_security_user: elastic +elasticsearch_opendistro_security_password: elastic_pass + +node_certs_generator : false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/filebeat/certs + + +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' + yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/filebeat-oss/handlers/main.yml b/roles/wazuh/filebeat-oss/handlers/main.yml new file mode 100644 index 000000000..96e15a224 --- /dev/null +++ b/roles/wazuh/filebeat-oss/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart filebeat + service: name=filebeat state=restarted 
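Review bot: `elasticsearch_opendistro_security_password: elastic_pass` ships a working default credential in the role defaults, so a deployment that forgets to override it connects with a guessable password; leave it undefined (or empty) so the play fails loudly, and document it as required. `filebeat_log_level: debug` as the shipped default is noisy for production and can put request details in logs. Minor: `node_certs_generator : false` has a space before the colon, `filebeat_ssl_insecure: "false"` is a string where the other flags are booleans, and `filebeat_xpack_security`, which `tasks/main.yml` in this same commit evaluates, is not declared here (only `filebeat_opendistro_security` is).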
diff --git a/roles/wazuh/filebeat-oss/meta/main.yml b/roles/wazuh/filebeat-oss/meta/main.yml new file mode 100644 index 000000000..240b2d083 --- /dev/null +++ b/roles/wazuh/filebeat-oss/meta/main.yml @@ -0,0 +1,29 @@ +--- +dependencies: [] + +galaxy_info: + author: Wazuh + description: Installing and maintaining filebeat server. + company: wazuh.com + license: license (GPLv3) + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Debian + versions: + - jessie + - name: Ubuntu + versions: + - precise + - trusty + - xenial + galaxy_tags: + - web + - system + - monitoring diff --git a/roles/wazuh/filebeat-oss/tasks/Debian.yml b/roles/wazuh/filebeat-oss/tasks/Debian.yml new file mode 100644 index 000000000..a87bb2bfa --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/Debian.yml @@ -0,0 +1,22 @@ +--- +- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates + apt: + name: + - apt-transport-https + - ca-certificates + state: present + register: filebeat_ca_packages_install + until: filebeat_ca_packages_install is succeeded + +- name: Debian/Ubuntu | Add Elasticsearch apt key. + apt_key: + url: "{{ elasticrepo.gpg }}" + id: "{{ elasticrepo.key_id }}" + state: present + +- name: Debian/Ubuntu | Add Filebeat repository. + apt_repository: + repo: "deb {{ elasticrepo.apt }} stable main" + state: present + update_cache: true + changed_when: false diff --git a/roles/wazuh/filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/filebeat-oss/tasks/RMDebian.yml new file mode 100644 index 000000000..25a33909d --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/RMDebian.yml @@ -0,0 +1,6 @@ +--- +- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) + apt_repository: + repo: "deb {{ elasticrepo.apt }} stable main" + state: absent + changed_when: false 
diff --git a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml new file mode 100644 index 000000000..1cf840814 --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml @@ -0,0 +1,6 @@ +--- +- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) + yum_repository: + name: elastic_repo_7 + state: absent + changed_when: false diff --git a/roles/wazuh/filebeat-oss/tasks/RedHat.yml b/roles/wazuh/filebeat-oss/tasks/RedHat.yml new file mode 100644 index 000000000..23948b37e --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/RedHat.yml @@ -0,0 +1,9 @@ +--- +- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo + yum_repository: + name: elastic_repo_7 + description: Elastic repository for 7.x packages + baseurl: "{{ elasticrepo.yum }}" + gpgkey: "{{ elasticrepo.gpg }}" + gpgcheck: true + changed_when: false diff --git a/roles/wazuh/filebeat-oss/tasks/config.yml b/roles/wazuh/filebeat-oss/tasks/config.yml new file mode 100644 index 000000000..d45b06e84 --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/config.yml 
@@ -0,0 +1,39 @@ +--- +- name: Copy Filebeat configuration. + template: + src: filebeat.yml.j2 + dest: "/etc/filebeat/filebeat.yml" + owner: root + group: root + mode: 0400 + notify: restart filebeat + tags: configure + +- name: Copy Elasticsearch template. + template: + src: elasticsearch.yml.j2 + dest: "/etc/filebeat/wazuh-template.json" + owner: root + group: root + mode: 0400 + notify: restart filebeat + tags: configure + +- name: Ensure Filebeat SSL key pair directory exists. + file: + path: "{{ filebeat_ssl_dir }}" + state: directory + when: filebeat_ssl_key_file + tags: configure + +- name: Copy SSL key and cert for filebeat. + copy: + src: "{{ item }}" + dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" + mode: 0400 + with_items: + - "{{ filebeat_ssl_key_file }}" + - "{{ filebeat_ssl_certificate_file }}" + notify: restart filebeat + when: filebeat_ssl_key_file and filebeat_ssl_certificate_file + tags: configure diff --git a/roles/wazuh/filebeat-oss/tasks/main.yml b/roles/wazuh/filebeat-oss/tasks/main.yml new file mode 100644 index 000000000..df3a428b7 --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/main.yml 
@@ -0,0 +1,125 @@ +--- +- include_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: CentOS/RedHat | Install Filebeat. + package: name=filebeat-{{ filebeat_version }} state=present + register: filebeat_installing_package + until: filebeat_installing_package is succeeded + when: + - ansible_distribution in ['CentOS','RedHat', 'Amazon'] + tags: + - install + +- name: Debian/Ubuntu | Install Filebeat. + apt: + name: filebeat={{ filebeat_version }} + state: present + cache_valid_time: 3600 + register: filebeat_installing_package_debian + until: filebeat_installing_package_debian is succeeded + when: + - not (ansible_distribution in ['CentOS','RedHat', 'Amazon']) + tags: + - init + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + - filebeat_opendistro_security + tags: opendistro-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + - filebeat_opendistro_security + tags: opendistro-security + +- name: Ensuring folder & certs permissions + file: + path: "{{ node_certs_destination }}/" + mode: 0774 + state: directory + recurse: yes + when: + - filebeat_xpack_security + tags: xpack-security + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: 
filebeat_module_folder + + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpakcing Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + when: filebeat_module_package.stat.exists + +- import_tasks: config.yml + when: filebeat_create_config + notify: restart filebeat + +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: true + when: + - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) + - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) + +- name: Ensure Filebeat is started and enabled at boot. + service: + name: filebeat + state: started + enabled: true + +- include_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" 
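Review bot: `Setting 0755 permission for Filebeat module folder` actually applies `mode=u=rwX,g=rwX,o=rwX` recursively, i.e. world-writable module definitions that Filebeat (normally running as root) loads, contradicting the task name; use `mode: "0755"` (or `u=rwX,g=rX,o=rX`) and convert the `key=value` form to native YAML while touching it. `Ensuring folder & certs permissions` is gated on `filebeat_xpack_security`, which this role's `defaults/main.yml` never declares (it defines `filebeat_opendistro_security`), so the task errors on an undefined variable the first time it is reached; it also reintroduces `mode: 0774` with `recurse: yes`, the combination the earlier commits in this series replaced with `0770`/`recurse: no` in the other Filebeat role. `Checking if Filebeat Module package file exists` is conditioned on `filebeat_module_package is not defined`, but its own `register` is the only thing that defines that name, so the `when` is always true on first run and only confuses later reads — drop it. The two install tasks also carry different tags (`install` vs `init`).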
diff --git a/roles/wazuh/filebeat-oss/tasks/security_actions.yml b/roles/wazuh/filebeat-oss/tasks/security_actions.yml new file mode 100644 index 000000000..6b11bc9a3 --- /dev/null +++ b/roles/wazuh/filebeat-oss/tasks/security_actions.yml @@ -0,0 +1,11 @@ +- block: + + - name: Copy certificates and root-ca to Filebeat + copy: + src: "{{ local_certs_path }}/config/{{ item }}" + dest: /etc/filebeat/ + mode: 0644 + with_items: + - root-ca.pem + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" \ No newline at end of file diff --git a/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 b/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 new file mode 100644 index 000000000..88d50c3f1 --- /dev/null +++ b/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 
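Review bot: `tasks/security_actions.yml` reads from `{{ local_certs_path }}/config/`, but `local_actions.yml` in this same commit now writes the generated certificates to `{{ local_certs_path }}/certs/`, so the copy would fail on missing source files; point `src` at `certs/`: `src: "{{ local_certs_path }}/certs/{{ item }}"`. Nothing in the new `tasks/main.yml` includes or imports this file, so as committed it never runs, and the `block:` carries no `when` or `tags`, so once wired in it would execute even with `filebeat_opendistro_security: false`. The file also lacks the `---` document start the rest of the role uses and has no trailing newline.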
@@ -0,0 +1,1800 @@ +{ + "order": 0, + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + 
"data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + 
"data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + 
"data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + 
"data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + 
"data.vulnerability.cvss.cvss3.vector.user_interaction", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + 
"data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword" + }, + "id": { + 
"type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": 
"keyword" + }, + "size_before": { + "type": "long" + }, + "size_after": { + "type": "long" + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "frequency": { + "type": "long" + }, + "firedtimes": { + "type": "long" + }, + "cis": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + }, + "hostname": { + "type": "keyword" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ftscomment": { + "type": 
"keyword" + }, + "fts": { + "type": "long" + }, + "accumulate": { + "type": "long" + } + } + }, + "data": { + "properties": { + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } 
+ } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "type": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword" + }, + "mac": { + "type": "keyword" + }, + "adapter": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "tx_bytes": { + "type": "long" + }, + "rx_bytes": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "tx_packets": { + "type": "long" + 
}, + "rx_packets": { + "type": "long" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "address": { + "type": "keyword" + }, + "netmask": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "metric": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "address": { + "type": "keyword" + }, + "netmask": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "metric": { + "type": "long" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "tx_queue": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "inode": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword" + }, + "cpu_name": { + "type": "keyword" + }, + "cpu_cores": { + "type": "long" + }, + "cpu_mhz": { + "type": "double" + }, + "ram_total": { + "type": "long" + }, + "ram_free": { + "type": "long" + }, + "ram_usage": { + "type": "long" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword" + }, + "name": { + "type": 
"keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "location": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "ppid": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "stime": { + "type": "long" + }, + "cmd": { + "type": "keyword" + }, + "args": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "suser": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "sgroup": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "rgroup": { + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "nice": { + "type": "long" + }, + "size": { + "type": "long" + }, + "vm_size": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "share": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "session": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "processor": { + "type": "long" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "policy": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "failed": { + "type": "integer" + }, + "score": { + "type": "long" + }, + "check": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + 
"type": "keyword" + }, + "description": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + } + } + }, + "references": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" + } + } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": 
{ + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + 
"source_ip_address": { + "type": "ip" + }, + "service": { + "properties": { + "count": { + "type": "long" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" + } + } + }, + "version": 1 +} diff --git a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 new file mode 100644 index 000000000..747d2da67 --- /dev/null +++ b/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 
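Review bot: The new file is named templates/elasticsearch.yml.j2, but its content is the Wazuh index template JSON (`index_patterns` for `wazuh-alerts-3.x-*` and `wazuh-archives-3.x-*`), which the filebeat.yml.j2 added in the same commit expects at `/etc/filebeat/wazuh-template.json` through `setup.template.json.path`. It contains no Jinja expressions, so a `.json` file deployed with `copy` would be clearer than a `.j2` rendered with `template`, and a name such as wazuh-template.json would make the destination obvious. The task that writes it is presumably in config.yml, outside this hunk, so the dest path should be checked there against the Filebeat setting.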
@@ -0,0 +1,39 @@
+# Wazuh - Filebeat configuration file
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+ hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
+
+{% if filebeat_opendistro_security %}
+ username: {{ elasticsearch_opendistro_security_user }}
+ password: {{ elasticsearch_opendistro_security_password }}
+ protocol: https
+{% if generate_CA == true %}
+ ssl.certificate_authorities:
+ - {{node_certs_destination}}/ca.crt
+{% elif generate_CA == false %}
+ ssl.certificate_authorities:
+ - {{node_certs_destination}}/{{ca_cert_name}}
+{% endif %}
+
+ ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
+ ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
+{% endif %}
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
\ No newline at end of file
diff --git a/roles/wazuh/filebeat-oss/tests/requirements.yml b/roles/wazuh/filebeat-oss/tests/requirements.yml
new file mode 100644
index 000000000..63d857e23
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tests/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: geerlingguy.java
+- src: geerlingguy.elasticsearch
diff --git a/roles/wazuh/filebeat-oss/tests/test.yml b/roles/wazuh/filebeat-oss/tests/test.yml
new file mode 100644
index 000000000..3a4c8f218
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tests/test.yml
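Review bot: `username: {{ elasticsearch_opendistro_security_user }}` and `password: {{ elasticsearch_opendistro_security_password }}` are rendered unquoted, so a credential containing `#`, `: `, a leading YAML indicator, or a value that looks like a number or boolean either breaks the rendered file or is retyped by the parser; render them the way `hosts:` already is, `password: {{ elasticsearch_opendistro_security_password | to_json }}` (and the same for username). The rendered filebeat.yml then holds the password in plaintext, so the task that writes it (in config.yml, outside this hunk) should set a restrictive mode, or the value should be supplied through the Filebeat keystore and referenced from the config instead. With `{% if generate_CA == true %}` / `{% elif generate_CA == false %}`, an undefined `generate_CA` emits `protocol: https` with no `ssl.certificate_authorities`, which is better made an explicit `{% if generate_CA %}` / `{% else %}` so one branch always applies. The header comment `# Wazuh - Filebeat configuration file` appears twice at the top.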
@@ -0,0 +1,20 @@ +--- +- hosts: all + + pre_tasks: + - name: Update apt cache. + apt: + cache_valid_time: 600 + when: ansible_os_family == 'Debian' + + - name: Install test dependencies (RedHat). + package: name=which state=present + when: ansible_os_family == 'RedHat' + + - name: Install test dependencies. + package: name=curl state=present + + roles: + - geerlingguy.java + - geerlingguy.elasticsearch + - role_under_test From 668eaacf96359c6d7760b68d1b711cb475568a62 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Fri, 29 May 2020 12:25:18 +0200 Subject: [PATCH 65/76] Replacing root owner with ossec for local decoders/rules --- roles/wazuh/ansible-wazuh-manager/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index eaabdb770..71914578c 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -106,7 +106,7 @@ - name: Installing the local_rules.xml (default local_rules.xml) template: src=var-ossec-rules-local_rules.xml.j2 dest=/var/ossec/etc/rules/local_rules.xml - owner=root + owner=ossec group=ossec mode=0640 notify: restart wazuh-manager @@ -118,7 +118,7 @@ - name: Adding local rules files copy: src="{{ wazuh_manager_config.ruleset.rules_path }}" dest=/var/ossec/etc/rules/ - owner=root + owner=ossec group=ossec mode=0640 notify: restart wazuh-manager @@ -130,7 +130,7 @@ - name: Installing the local_decoder.xml template: src=var-ossec-rules-local_decoder.xml.j2 dest=/var/ossec/etc/decoders/local_decoder.xml - owner=root + owner=ossec group=ossec mode=0640 notify: restart wazuh-manager @@ -142,7 +142,7 @@ - name: Adding local decoders files copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}" dest=/var/ossec/etc/decoders/ - owner=root + owner=ossec group=ossec mode=0640 notify: restart wazuh-manager 
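Review bot: Switching `owner=root` to `owner=ossec` for `local_rules.xml` in hunk `@@ -106,7 +106,7 @@` (and likewise in the three following hunks for the rules directory, `local_decoder.xml` and the decoders directory) gives the unprivileged service account that parses these files write access to them, so a compromised manager process can now alter or silence its own detection rules and decoders; with `owner=root group=ossec mode=0640` the daemon already had the read access it needs. Presumably the write access is wanted for a Wazuh component running as `ossec` that manages the ruleset, but the commit does not say so; the commit message should name the consumer, and ownership should be widened only for the paths that component writes. Consider covering `/var/ossec/etc/rules/` and `/var/ossec/etc/decoders/` with file integrity monitoring as a compensating control.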
From 79d58c39172ec0eb89c6f193155d4e7e04dfff47 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Thu, 4 Jun 2020 21:17:33 +0200 Subject: [PATCH 66/76] Added support for Filebeat-oss and several improvements --- playbooks/wazuh-manager-oss.yml | 13 +- playbooks/wazuh-opendistro.yml | 2 +- .../ansible-elasticsearch/README.md | 2 +- .../ansible-elasticsearch/defaults/main.yml | 2 +- roles/elastic-stack/ansible-kibana/README.md | 2 +- .../ansible-kibana/defaults/main.yml | 2 +- roles/opendistro/hosts | 49 ------- .../defaults/main.yml | 4 +- .../tasks/local_actions.yml | 43 +++--- .../tasks/security_actions.yml | 7 +- .../templates/tlsconfig.yml.j2 | 11 +- .../opendistro-kibana/defaults/main.yml | 10 +- .../opendistro-kibana/tasks/main.yml | 76 ++++++++++- .../tasks/security_actions.yml | 4 +- .../templates/opendistro_kibana.yml.j2 | 4 +- roles/wazuh/ansible-filebeat-oss/README.md | 39 ++++++ .../ansible-filebeat-oss/defaults/main.yml | 30 +++++ .../handlers/main.yml | 0 .../meta/main.yml | 2 +- .../tasks/Debian.yml | 2 +- .../tasks/RMDebian.yml | 0 .../tasks/RMRedHat.yml | 2 +- .../tasks/RedHat.yml | 2 +- .../ansible-filebeat-oss/tasks/config.yml | 22 +++ .../wazuh/ansible-filebeat-oss/tasks/main.yml | 70 ++++++++++ .../tasks/security_actions.yml | 29 ++++ .../templates/elasticsearch.yml.j2 | 0 .../templates/filebeat.yml.j2 | 19 +-- roles/wazuh/ansible-filebeat/README.md | 2 +- .../wazuh/ansible-filebeat/defaults/main.yml | 4 +- roles/wazuh/ansible-filebeat/tasks/config.yml | 21 +-- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- .../ansible-filebeat/tests/requirements.yml | 3 - roles/wazuh/ansible-filebeat/tests/test.yml | 20 --- roles/wazuh/ansible-wazuh-manager/README.md | 2 +- roles/wazuh/filebeat-oss/defaults/main.yml | 57 -------- roles/wazuh/filebeat-oss/tasks/config.yml | 39 ------ roles/wazuh/filebeat-oss/tasks/main.yml | 125 ------------------ .../filebeat-oss/tasks/security_actions.yml | 11 -- .../wazuh/filebeat-oss/tests/requirements.yml | 3 - roles/wazuh/filebeat-oss/tests/test.yml | 20 --- 41 files changed, 340 
insertions(+), 417 deletions(-) delete mode 100644 roles/opendistro/hosts create mode 100644 roles/wazuh/ansible-filebeat-oss/README.md create mode 100644 roles/wazuh/ansible-filebeat-oss/defaults/main.yml rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/handlers/main.yml (100%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/meta/main.yml (88%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/Debian.yml (91%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RMDebian.yml (100%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RMRedHat.yml (84%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RedHat.yml (89%) create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/config.yml create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/main.yml create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/templates/elasticsearch.yml.j2 (100%) rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/templates/filebeat.yml.j2 (57%) delete mode 100644 roles/wazuh/ansible-filebeat/tests/requirements.yml delete mode 100644 roles/wazuh/ansible-filebeat/tests/test.yml delete mode 100644 roles/wazuh/filebeat-oss/defaults/main.yml delete mode 100644 roles/wazuh/filebeat-oss/tasks/config.yml delete mode 100644 roles/wazuh/filebeat-oss/tasks/main.yml delete mode 100644 roles/wazuh/filebeat-oss/tasks/security_actions.yml delete mode 100644 roles/wazuh/filebeat-oss/tests/requirements.yml delete mode 100644 roles/wazuh/filebeat-oss/tests/test.yml diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml index 5cb9b4bd5..3dc6346d5 100644 --- a/playbooks/wazuh-manager-oss.yml +++ b/playbooks/wazuh-manager-oss.yml 
@@ -1,8 +1,9 @@ --- -- hosts: +- hosts: managers roles: - - role: ../roles/wazuh/ansible-wazuh-manager - - role: ../roles/wazuh/filebeat-oss - filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 - - +# - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + filebeat_output_elasticsearch_hosts: + - "172.16.0.161:9200" + - "172.16.0.162:9200" + - "172.16.0.163:9200" \ No newline at end of file diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index ede8ca933..271dfa5b4 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -1,4 +1,4 @@ --- -- hosts: es-cluster +- hosts: es_cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index c574aa9f8..f37d3ceca 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md @@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 6f2528c36..019179fc0 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.6.2 +elastic_stack_version: 7.7.0 elasticsearch_lower_disk_requirements: false elasticrepo: 
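Review bot: The playbook named `wazuh-manager-oss.yml` now comments out the manager role (`# - role: ../roles/wazuh/ansible-wazuh-manager`), so running it installs only Filebeat; this looks like a debugging leftover and the line should be restored as `  - role: ../roles/wazuh/ansible-wazuh-manager`. The three `172.16.0.16x:9200` entries are lab addresses hard-coded into a shipped playbook; deriving them from the `es_cluster` group that this patch introduces elsewhere would keep the playbook usable outside that lab. The file also lost its trailing newline.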
diff --git a/roles/elastic-stack/ansible-kibana/README.md b/roles/elastic-stack/ansible-kibana/README.md index 593cf3191..28978761c 100644 --- a/roles/elastic-stack/ansible-kibana/README.md +++ b/roles/elastic-stack/ansible-kibana/README.md @@ -37,7 +37,7 @@ Example Playbook License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index d1ddb8e17..b4bf0c88c 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,7 +5,7 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.6.2 +elastic_stack_version: 7.7.0 wazuh_version: 3.12.3 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp diff --git a/roles/opendistro/hosts b/roles/opendistro/hosts deleted file mode 100644 index bd3b73e70..000000000 --- a/roles/opendistro/hosts +++ /dev/null 
@@ -1,49 +0,0 @@ -# This is the default ansible 'hosts' file. -# -# It should live in /etc/ansible/hosts -# -# - Comments begin with the '#' character -# - Blank lines are ignored -# - Groups of hosts are delimited by [header] elements -# - You can enter hostnames or ip addresses -# - A hostname/ip can be a member of multiple groups - -# Ex 1: Ungrouped hosts, specify before any group headers. - -## green.example.com -## blue.example.com -## 192.168.100.1 -## 192.168.100.10 - -# Ex 2: A collection of hosts belonging to the 'webservers' group -#[elasticsearch_first - - -es1 ansible_host=172.16.0.161 ansible_user=vagrant ip=172.16.0.161 -es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162 -es3 ansible_host=172.16.0.163 ansible_user=vagrant ip=172.16.0.163 -manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250 - -[managers] -manager1 - -[es-cluster] -es1 -es2 -es3 -manager1 - -[kibana] -es1 - -[single-host] -172.16.1.15 ansible_ssh_user=vagrant -[elastic-cluster] -172.16.0.161 ansible_ssh_user=vagrant -172.16.0.162 ansible_ssh_user=vagrant -172.16.0.163 ansible_ssh_user=vagrant -[agents] -172.16.0.131 ansible_ssh_user=vagrant -172.16.0.132 ansible_ssh_user=vagrant -# If you have multiple hosts following a pattern you can specify -# them like this: diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 231401236..aa6830338 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,6 +1,6 @@ --- # The OpenDistro version -opendistro_version: 1.6.0 +opendistro_version: 1.8.0 elasticsearch_cluster_name: wazuh-cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster 
@@ -28,7 +28,7 @@ opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_sec opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools opendistro_conf_path: /etc/elasticsearch/ es_nodes: |- - {% for item in groups['es-cluster'] -%} + {% for item in groups['es_cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index b6995e5cc..edaf9ef83 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml 
@@ -2,36 +2,36 @@ - block: - name: Local action | Create local temporary directory for certificates generation - local_action: - module: file + file: path: "{{ local_certs_path }}" state: directory + - name: Local action | Check that the generation tool exists + stat: + path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + register: tool_package + - name: Local action | Download certificates generation tool - local_action: - module: get_url + get_url: url: "{{ certs_gen_tool_url }}" dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + when: not tool_package.stat.exists - name: Local action | Extract the certificates generation tool - local_action: - module: unarchive + unarchive: src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" dest: "{{ local_certs_path }}/" - name: Local action | Add the execution bit to the binary - local_action: - module: file + file: dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x - name: Local action | Prepare the certificates generation template file - local_action: - module: template + template: src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" - - name: Create a directory if it does not exist file: path: "{{ local_certs_path }}/certs/" 
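Review bot: The `get_url` that fetches the TLS tool has no `checksum:`, and the tool is then executed to mint the cluster's root CA and every node and admin key, so a tampered or substituted download compromises the trust root of the whole deployment; add `checksum: "sha256:<EXPECTED_DIGEST>"` (digest to be pinned per `certs_gen_tool_version`) to the task. The new `when: not tool_package.stat.exists` guard keys on `search-guard-tlstool-{{ certs_gen_tool_version }}.zip`, but the unchanged `unarchive:` line below still opens the hard-coded `search-guard-tlstool-1.7.zip`, so any other version value downloads an archive that is never extracted; use the same templated name in both places. Converting `local_action` to plain modules is only equivalent because the next hunk adds `delegate_to: localhost` at block level, so the two hunks must land together.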
@@ -40,20 +40,29 @@ delegate_to: localhost - name: Local action | Check if root CA file exists - local_action: - module: stat + stat: path: "{{ local_certs_path }}/certs/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local - local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o + command: >- + {{ local_certs_path }}/tools/sgtlstool.sh + -c {{ local_certs_path }}/config/tlsconfig.yml + -ca -crt + -t {{ local_certs_path }}/certs/ + -f -o when: not root_ca_file.stat.exists - name: Local action | Generate the node & admin certificates using an existing root CA - local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f + command: >- + {{ local_certs_path }}/tools/sgtlstool.sh + -c {{ local_certs_path }}/config/tlsconfig.yml + -crt + -t {{ local_certs_path }}/certs/ + -f when: root_ca_file.stat.exists + run_once: true + delegate_to: localhost tags: - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 1fee6fefc..ea48874ef 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -1,5 +1,4 @@ - block: - - name: Remove demo certs file: path: "{{ item }}" @@ -12,7 +11,7 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: - src: "{{ local_certs_path }}/config/{{ item }}" + src: "{{ local_certs_path }}/certs/{{ item }}" dest: /etc/elasticsearch/ mode: 0644 with_items: 
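Review bot: `root-ca.key` is written to `{{ local_certs_path }}/certs/`, which the kibana and filebeat-oss defaults in this patch set to `/tmp/opendistro-nodecerts`, and the "Create a directory if it does not exist" task (its body straddles this hunk and the previous one) sets no mode, so the CA private key sits in a world-readable path on the controller; add `mode: "0700"` to that directory task and prefer a default outside `/tmp`. In the `security_actions.yml` hunk `@@ -12,7 +11,7 @@` the node and admin files are copied with `mode: 0644`; the `with_items` list is outside the hunk, but if it includes `.key` files they become world-readable on every cluster node and should get `0600`. Unquoted `0644` is also a YAML 1.1 octal integer that ansible-lint flags; `mode: "0644"` is the portable form.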
@@ -28,7 +27,7 @@ - name: Copy the OpenDistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" @@ -76,5 +75,5 @@ run_once: true tags: - - production_ready + - security when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index f5ee89bc9..0f7671e29 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 @@ -17,7 +17,6 @@ defaults: verifyHostnames: false resolveHostnames: false - ### ### Nodes ### @@ -25,7 +24,7 @@ defaults: # Specify the nodes of your ES cluster here # nodes: -{% for item in groups['es-cluster'] %} +{% for item in groups['es_cluster'] %} - name: {{ item }} dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} dns: {{ item }}.{{ domain_name }} @@ -39,6 +38,14 @@ nodes: ip: {{ hostvars[item]['ip'] }} {% endfor %} {% endif %} +{% if groups['managers'] is defined and groups['managers']|length > 0 %} +{% for item in groups['managers'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} +{% endif %} ### ### Clients ### diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 6bbf5015a..611eabdd5 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml 
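Review bot: The new `{% for item in groups['managers'] %}` block in `tlsconfig.yml.j2` hunk `@@ -39,6 +38,14 @@` emits a second `nodes:` entry for any host that is also in `es_cluster` (the deleted `roles/opendistro/hosts` listed `manager1` in both groups), producing duplicate names and DNs in the tool's input; iterate over `{% for item in groups['managers'] | difference(groups['es_cluster']) %}` instead. Note also that manager hosts now receive certificates from the node section, so if the security plugin's `nodes_dn` matches these DNs a Filebeat shipper holds node-level trust in the cluster; a client-section certificate would be the least-privilege choice if the plugin accepts it.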
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -1,17 +1,18 @@ --- -elasticsearch_http_port: "9200" -elasticsearch_network_host: |- +elasticsearch_http_port: 9200 +elasticsearch_nodes: |- {% for item in groups['kibana'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} - +elasticsearch_network_host: 172.16.0.161 +elastic_api_protocol: https kibana_conf_path: /etc/kibana kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -opendistro_version: 7.6.1 +elastic_stack_version: 7.7.0 wazuh_version: 3.12.3 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp @@ -41,6 +42,7 @@ kibana_telemetry_optin: "false" kibana_telemetry_enabled: "false" opendistro_security_user: elastic +opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme local_certs_path: /tmp/opendistro-nodecerts diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index 2d29e0cbe..94a646f81 100644 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml @@ -28,7 +28,6 @@ register: install tags: install - - name: Remove Kibana configuration file file: path: "{{ kibana_conf_path }}/kibana.yml" 
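Review bot: `elasticsearch_network_host: 172.16.0.161` replaces a group-derived value with a lab address as the role default, so every user outside that lab silently points Kibana at the wrong host; keep the value inventory-driven or default to `127.0.0.1`. `opendistro_admin_password: changeme` ships a working default credential that the new `uri` task in `tasks/main.yml` sends to the cluster admin account; leave it empty and make the role fail when it is unset rather than authenticate with a well-known password. `elastic_api_protocol: https` is also dead as a default, because the same tasks file unconditionally overwrites it with `set_fact`.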
@@ -48,11 +47,82 @@ mode: 0640 marker: "## {mark} Kibana general settings ##" notify: restart kibana - tags: - install - configure +- name: Build and Install Wazuh Kibana Plugin from sources + import_tasks: build_wazuh_plugin.yml + when: + - build_from_sources is defined + - build_from_sources + +- name: Install Wazuh Plugin (can take a while) + shell: >- + NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install + {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip + args: + executable: /bin/bash + creates: /usr/share/kibana/plugins/wazuh/package.json + chdir: /usr/share/kibana + become: yes + become_user: kibana + notify: restart kibana + tags: + - install + - skip_ansible_lint + when: + - not build_from_sources + +- name: Kibana optimization (can take a while) + shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize + args: + executable: /bin/bash + become: yes + become_user: kibana + changed_when: false + tags: + - skip_ansible_lint + +- name: Wait for Elasticsearch port + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} + +- name: Select correct API protocol + set_fact: + elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}" + +- name: Attempting to delete legacy Wazuh index if exists + uri: + url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh" + method: DELETE + user: "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200, 404 + +- name: Create wazuh plugin config directory + file: + path: /usr/share/kibana/optimize/wazuh/config/ + state: directory + recurse: yes + owner: kibana + group: kibana + mode: 0751 + changed_when: False + +- name: Configure Wazuh Kibana Plugin + template: + src: wazuh.yml.j2 + dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml + owner: kibana + group: kibana + mode: 0751 + changed_when: False + 
+- name: Reload systemd configuration + systemd: + daemon_reload: true + - name: Ensure Kibana started and enabled service: name: kibana @@ -60,4 +130,4 @@ state: started - import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat' + when: ansible_os_family == 'RedHat' \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml index 96b787c94..be63c9ea1 100644 --- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml @@ -2,12 +2,12 @@ - name: Copy the certificates from local to the Kibana instance copy: - src: "{{ local_certs_path }}/config/{{ item }}" + src: "{{ local_certs_path }}/certs/{{ item }}" dest: /usr/share/kibana mode: 0644 with_items: - "{{ inventory_hostname }}_http.key" - "{{ inventory_hostname }}_http.pem" tags: - - production_ready + - security when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index c526fcdaf..702de5e20 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 @@ -8,9 +8,9 @@ server.maxPayloadBytes: {{ kibana_max_payload_bytes }} server.name: {{ kibana_server_name }} server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} -elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}" {% else %} -elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}" {% endif %} elasticsearch.username: {{ opendistro_kibana_user }} 
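Review bot: The `set_fact` in "Select correct API protocol" keys on `kibana_xpack_security`, which does not appear among the variables this patch defines for the opendistro-kibana role while the template hunk keys on `kibana_opendistro_security`, so the task fails on an undefined variable or always yields `http`; use `kibana_opendistro_security` here. The legacy-index `uri` DELETE runs as `admin` with `validate_certs: no`, which removes the only protection the role's own certificate work buys on this call; point `ca_path` at the root CA the role distributes and drop `validate_certs: no`. `wazuh.yml` is installed with `mode: 0751`, an odd mode for a file that presumably holds Wazuh API credentials; `mode: "0640"` with `owner: kibana` is the expected shape, and `changed_when: False` on the template task hides configuration drift for no gain. The enclosing block continues past the hunk.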
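Review bot: `{{ inventory_hostname }}_http.key` is copied into `/usr/share/kibana` with `mode: 0644`, so Kibana's TLS private key is world-readable on the host; the key should get `mode: "0600"` and `owner: kibana`, with `0644` kept only for the `.pem`. The new `roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml` hunk has the same world-readable copy and adds a recursive `mode: 0774` pass on top. Gating on `install.changed` also means the certificates are deployed only on the run that installs the package, so rotated certificates under `local_certs_path` are never pushed.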
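Review bot: `elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"` wraps the new `elasticsearch_nodes` default, which is the hosts joined with `","`, in a single quoted scalar, so with more than one host it renders as `"https://ip1","ip2":9200` — a scheme on the first host, a port on the last, and not valid YAML. Render a real list with one scheme and port per host instead; assuming the cluster nodes live in the `es_cluster` group this patch uses elsewhere, something like the following replaces the two branches.
```yaml
{% set es_scheme = 'https' if kibana_opendistro_security else 'http' %}
elasticsearch.hosts:
{% for item in groups['es_cluster'] %}
  - "{{ es_scheme }}://{{ hostvars[item]['ip'] }}:{{ elasticsearch_http_port }}"
{% endfor %}
# … unchanged: elasticsearch.username and the rest of the file …
```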
diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md new file mode 100644 index 000000000..bed47531f --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/README.md @@ -0,0 +1,39 @@ +Ansible Role: Filebeat for Elastic Stack +------------------------------------ + +An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server). + +Requirements +------------ + +This role will work on: + * Red Hat + * CentOS + * Fedora + * Debian + * Ubuntu + +Role Variables +-------------- + +Available variables are listed below, along with default values (see `defaults/main.yml`): + +``` + filebeat_output_elasticsearch_enabled: false + filebeat_output_elasticsearch_hosts: + - "localhost:9200" + +``` + +License and copyright +--------------------- + +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) + +### Based on previous work from geerlingguy + + - https://github.com/geerlingguy/ansible-role-filebeat + +### Modified by Wazuh + +The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml new file mode 100644 index 000000000..7603fd516 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml 
@@ -0,0 +1,30 @@ +--- +filebeat_version: 7.7.0 + +filebeat_create_config: true + +filebeat_output_elasticsearch_enabled: false +filebeat_output_elasticsearch_hosts: + - "localhost:9200" + +filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh +elasticsearch_security_user: admin +elasticsearch_security_password: changeme +# Security plugin +filebeat_security: true +filebeat_security_user: admin +filebeat_security_password: changeme +filebeat_ssl_dir: /etc/pki/filebeat + +# Local path to store the generated certificates (OpenDistro security plugin) +local_certs_path: /tmp/opendistro-nodecerts + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' + yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/filebeat-oss/handlers/main.yml b/roles/wazuh/ansible-filebeat-oss/handlers/main.yml similarity index 100% rename from roles/wazuh/filebeat-oss/handlers/main.yml rename to roles/wazuh/ansible-filebeat-oss/handlers/main.yml diff --git a/roles/wazuh/filebeat-oss/meta/main.yml b/roles/wazuh/ansible-filebeat-oss/meta/main.yml similarity index 88% rename from roles/wazuh/filebeat-oss/meta/main.yml rename to roles/wazuh/ansible-filebeat-oss/meta/main.yml index 240b2d083..4fd7e9000 100644 --- a/roles/wazuh/filebeat-oss/meta/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/meta/main.yml @@ -3,7 +3,7 @@ dependencies: [] galaxy_info: author: Wazuh - description: Installing and maintaining filebeat server. + description: Installing and maintaining Filebeat-oss. company: wazuh.com license: license (GPLv3) min_ansible_version: 2.0 
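Review bot: The defaults define two parallel credential pairs, `elasticsearch_security_user`/`_password` (read by the `filebeat.yml.j2` hunk) and `filebeat_security_user`/`_password` (not referenced by any file in this patch), which invites setting the wrong one; drop the unused pair or document which the template consumes. Both pairs default to `admin`/`changeme`, so a role run with untouched defaults authenticates to the cluster with a well-known credential; leave the password unset and let the play fail loudly. The README added in this patch documents neither pair.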
diff --git a/roles/wazuh/filebeat-oss/tasks/Debian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml similarity index 91% rename from roles/wazuh/filebeat-oss/tasks/Debian.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml index a87bb2bfa..33c94cf6c 100644 --- a/roles/wazuh/filebeat-oss/tasks/Debian.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml @@ -14,7 +14,7 @@ id: "{{ elasticrepo.key_id }}" state: present -- name: Debian/Ubuntu | Add Filebeat repository. +- name: Debian/Ubuntu | Add Filebeat-oss repository. apt_repository: repo: "deb {{ elasticrepo.apt }} stable main" state: present diff --git a/roles/wazuh/filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml similarity index 100% rename from roles/wazuh/filebeat-oss/tasks/RMDebian.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml diff --git a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml similarity index 84% rename from roles/wazuh/filebeat-oss/tasks/RMRedHat.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml index 1cf840814..8565894ef 100644 --- a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) yum_repository: - name: elastic_repo_7 + name: elastic_oss-repo_7 state: absent changed_when: false diff --git a/roles/wazuh/filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml similarity index 89% rename from roles/wazuh/filebeat-oss/tasks/RedHat.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml index 23948b37e..74873acad 100644 --- a/roles/wazuh/filebeat-oss/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml 
@@ -1,7 +1,7 @@ --- - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo yum_repository: - name: elastic_repo_7 + name: elastic_oss-repo_7 description: Elastic repository for 7.x packages baseurl: "{{ elasticrepo.yum }}" gpgkey: "{{ elasticrepo.gpg }}" diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml new file mode 100644 index 000000000..f64c8ceba --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml @@ -0,0 +1,22 @@ +--- +- block: + - name: Copy Filebeat configuration. + template: + src: filebeat.yml.j2 + dest: "/etc/filebeat/filebeat.yml" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + - name: Copy Elasticsearch template. + template: + src: elasticsearch.yml.j2 + dest: "/etc/filebeat/wazuh-template.json" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + tags: + - configure \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml new file mode 100644 index 000000000..e9c3ead63 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml 
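Review bot: Installing `filebeat.yml` (which carries the Elasticsearch password) as `root:root` with `0400` is the right call, but `mode: 0400` is an unquoted YAML 1.1 octal that yamllint and ansible-lint flag as risky; `mode: "0400"` is the portable spelling, and the same applies to every unquoted `0644`/`0751`/`0774` mode in this patch. The file also ends without a trailing newline.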
@@ -0,0 +1,70 @@ +--- +- include_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Filebeat + package: + name: filebeat + state: present + register: install + tags: + - install + - init + +- include_tasks: security_actions.yml + when: ansible_os_family == 'RedHat' + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: filebeat_module_folder + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpack Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + when: filebeat_module_package.stat.exists + +- import_tasks: config.yml + notify: restart filebeat + +- include_tasks: security_actions.yml + when: filebeat_security + +- name: Ensure Filebeat is started and enabled at boot. + service: + name: filebeat + state: started + enabled: true + +- include_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" 
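Review bot: `register: filebeat_module_folder` stores the stat result under the same name as the role default holding the module path, and registered variables outrank role defaults, so the later `file: dest={{ filebeat_module_folder }} ...` task receives a stringified dict instead of a path; register as `filebeat_module_folder_stat` and adjust the three `when:` clauses. The task labelled "Setting 0755 permission" actually applies `mode=u=rwX,g=rwX,o=rwX` recursively, leaving the Filebeat module directory world-writable so any local user can edit the Wazuh ingest pipeline definitions; use `mode: "u=rwX,g=rX,o=rX"`. `security_actions.yml` is included twice, once unconditionally for RedHat before the module download and once under `when: filebeat_security`; the first include looks like a leftover and bypasses the `filebeat_security` switch.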
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml new file mode 100644 index 000000000..1af67c842 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -0,0 +1,29 @@ +- block: + + - name: Ensure Filebeat SSL key pair directory exists. + file: + path: "{{ filebeat_ssl_dir }}" + state: directory + + - name: Copy the certificates from local to the Manager instance + copy: + src: "{{ local_certs_path }}/certs/{{ item }}" + dest: "{{ filebeat_ssl_dir }}" + mode: 0644 + with_items: + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "root-ca.pem" + + - name: Ensuring folder & certs permissions + file: + path: "{{ filebeat_ssl_dir }}/" + mode: 0774 + state: directory + recurse: yes + + tags: + - security + when: + - filebeat_security + - install.changed \ No newline at end of file diff --git a/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 similarity index 100% rename from roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 rename to roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 diff --git a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 similarity index 57% rename from roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 rename to roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 747d2da67..67a99347d 100644 --- a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 
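Review bot: The final "Ensuring folder & certs permissions" task applies `mode: 0774` with `recurse: yes` to `{{ filebeat_ssl_dir }}/`, so `{{ inventory_hostname }}.key` ends up group-writable and world-readable regardless of the `0644` set on copy; restrict that task to the directory (`mode: "0750"`, no `recurse`) and give the key `mode: "0600"` in the copy task. Running the block only `when: install.changed` means a certificate regenerated under `local_certs_path` is never redeployed to an already-installed host, and nothing sets `owner:` on the copied files.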
@@ -14,25 +14,18 @@ setup.template.json.name: 'wazuh' setup.template.overwrite: true setup.ilm.enabled: false - # Send events directly to Elasticsearch output.elasticsearch: hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} -{% if filebeat_opendistro_security %} - username: {{ elasticsearch_opendistro_security_user }} - password: {{ elasticsearch_opendistro_security_password }} +{% if filebeat_security %} + username: {{ elasticsearch_security_user }} + password: {{ elasticsearch_security_password }} protocol: https -{% if generate_CA == true %} - ssl.certificate_authorities: - - {{node_certs_destination}}/ca.crt -{% elif generate_CA == false %} ssl.certificate_authorities: - - {{node_certs_destination}}/{{ca_cert_name}} -{% endif %} - - ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" - ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" + - {{ filebeat_ssl_dir }}/root-ca.pem + ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem" + ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch diff --git a/roles/wazuh/ansible-filebeat/README.md b/roles/wazuh/ansible-filebeat/README.md index ad588e649..416f7da0e 100644 --- a/roles/wazuh/ansible-filebeat/README.md +++ b/roles/wazuh/ansible-filebeat/README.md @@ -28,7 +28,7 @@ Available variables are listed below, along with default values (see `defaults/m License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index cc7de7bf4..0f9c0021c 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
@@ -1,5 +1,5 @@ --- -filebeat_version: 7.6.2 +filebeat_version: 7.7.0 filebeat_create_config: true @@ -22,10 +22,8 @@ filebeat_enable_logging: true filebeat_log_level: debug filebeat_log_dir: /var/log/mybeat filebeat_log_filename: mybeat.log - filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_certificate_file: "" -filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index d45b06e84..2b0b7edad 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -17,23 +17,4 @@ group: root mode: 0400 notify: restart filebeat - tags: configure - -- name: Ensure Filebeat SSL key pair directory exists. - file: - path: "{{ filebeat_ssl_dir }}" - state: directory - when: filebeat_ssl_key_file - tags: configure - -- name: Copy SSL key and cert for filebeat. - copy: - src: "{{ item }}" - dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" - mode: 0400 - with_items: - - "{{ filebeat_ssl_key_file }}" - - "{{ filebeat_ssl_certificate_file }}" - notify: restart filebeat - when: filebeat_ssl_key_file and filebeat_ssl_certificate_file - tags: configure + tags: configure \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c2524..3e47db379 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -76,7 +76,7 @@ dest: "{{ filebeat_module_package_path }}" when: not filebeat_module_folder.stat.exists -- name: Unpakcing Filebeat module package +- name: Unpack Filebeat module package unarchive: src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" dest: "{{ filebeat_module_destination }}" 
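Review bot: `filebeat_ssl_certificate_file: ""` survives the defaults hunk while its sibling `filebeat_ssl_key_file` is removed, yet the only consumer visible on this page, the "Copy SSL key and cert for filebeat" task in tasks/config.yml, is deleted by this same commit, so the variable appears to be orphaned; either remove it too or add a comment naming what still reads it. The config.yml hunk also rewrites `tags: configure` without a trailing newline (`\ No newline at end of file`), which most linters flag and which produces noisy diffs on the next edit. If `filebeat_ssl_certificate_file` is still referenced somewhere outside this page, a comment such as `# Path to a user-supplied certificate; leave empty to use the role-generated certs` would make the remaining knob discoverable.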
diff --git a/roles/wazuh/ansible-filebeat/tests/requirements.yml b/roles/wazuh/ansible-filebeat/tests/requirements.yml deleted file mode 100644 index 63d857e23..000000000 --- a/roles/wazuh/ansible-filebeat/tests/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- src: geerlingguy.java -- src: geerlingguy.elasticsearch diff --git a/roles/wazuh/ansible-filebeat/tests/test.yml b/roles/wazuh/ansible-filebeat/tests/test.yml deleted file mode 100644 index 3a4c8f218..000000000 --- a/roles/wazuh/ansible-filebeat/tests/test.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- hosts: all - - pre_tasks: - - name: Update apt cache. - apt: - cache_valid_time: 600 - when: ansible_os_family == 'Debian' - - - name: Install test dependencies (RedHat). - package: name=which state=present - when: ansible_os_family == 'RedHat' - - - name: Install test dependencies. - package: name=curl state=present - - roles: - - geerlingguy.java - - geerlingguy.elasticsearch - - role_under_test diff --git a/roles/wazuh/ansible-wazuh-manager/README.md b/roles/wazuh/ansible-wazuh-manager/README.md index 199e78100..ac52363d9 100644 --- a/roles/wazuh/ansible-wazuh-manager/README.md +++ b/roles/wazuh/ansible-wazuh-manager/README.md @@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from dj-wasabi diff --git a/roles/wazuh/filebeat-oss/defaults/main.yml b/roles/wazuh/filebeat-oss/defaults/main.yml deleted file mode 100644 index 4ed761562..000000000 --- a/roles/wazuh/filebeat-oss/defaults/main.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -filebeat_version: 7.6.2 - -filebeat_create_config: true - -filebeat_prospectors: - - input_type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - document_type: json - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true - -filebeat_node_name: node-1 - -filebeat_output_elasticsearch_enabled: false -filebeat_output_elasticsearch_hosts: - - "localhost:9200" - -filebeat_enable_logging: true -filebeat_log_level: debug -filebeat_log_dir: /var/log/mybeat -filebeat_log_filename: mybeat.log - -filebeat_ssl_dir: /etc/pki/filebeat -filebeat_ssl_certificate_file: "" -filebeat_ssl_key_file: "" -filebeat_ssl_insecure: "false" - -filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat -filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz -filebeat_module_package_path: /tmp/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh - -# Opendistro Security -filebeat_opendistro_security: false - -elasticsearch_opendistro_security_user: elastic -elasticsearch_opendistro_security_password: elastic_pass - -node_certs_generator : false -node_certs_source: /usr/share/elasticsearch -node_certs_destination: /etc/filebeat/certs - - -# CA Generation -master_certs_path: /es_certs -generate_CA: true -ca_cert_name: "" - -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' - yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/filebeat-oss/tasks/config.yml b/roles/wazuh/filebeat-oss/tasks/config.yml deleted file mode 100644 index d45b06e84..000000000 --- a/roles/wazuh/filebeat-oss/tasks/config.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -- name: Copy Filebeat configuration. - template: - src: filebeat.yml.j2 - dest: "/etc/filebeat/filebeat.yml" - owner: root - group: root - mode: 0400 - notify: restart filebeat - tags: configure - -- name: Copy Elasticsearch template. - template: - src: elasticsearch.yml.j2 - dest: "/etc/filebeat/wazuh-template.json" - owner: root - group: root - mode: 0400 - notify: restart filebeat - tags: configure - -- name: Ensure Filebeat SSL key pair directory exists. - file: - path: "{{ filebeat_ssl_dir }}" - state: directory - when: filebeat_ssl_key_file - tags: configure - -- name: Copy SSL key and cert for filebeat. - copy: - src: "{{ item }}" - dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" - mode: 0400 - with_items: - - "{{ filebeat_ssl_key_file }}" - - "{{ filebeat_ssl_certificate_file }}" - notify: restart filebeat - when: filebeat_ssl_key_file and filebeat_ssl_certificate_file - tags: configure diff --git a/roles/wazuh/filebeat-oss/tasks/main.yml b/roles/wazuh/filebeat-oss/tasks/main.yml deleted file mode 100644 index df3a428b7..000000000 --- a/roles/wazuh/filebeat-oss/tasks/main.yml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -- include_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- include_tasks: Debian.yml - when: ansible_os_family == 'Debian' - -- name: CentOS/RedHat | Install Filebeat. - package: name=filebeat-{{ filebeat_version }} state=present - register: filebeat_installing_package - until: filebeat_installing_package is succeeded - when: - - ansible_distribution in ['CentOS','RedHat', 'Amazon'] - tags: - - install - -- name: Debian/Ubuntu | Install Filebeat. - apt: - name: filebeat={{ filebeat_version }} - state: present - cache_valid_time: 3600 - register: filebeat_installing_package_debian - until: filebeat_installing_package_debian is succeeded - when: - - not (ansible_distribution in ['CentOS','RedHat', 'Amazon']) - tags: - - init - -- name: Copying node's certificate from master - copy: - src: "{{ item }}" - dest: "{{ node_certs_destination }}/" - mode: 0440 - with_items: - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - - "{{ master_certs_path }}/ca/ca.crt" - when: - - generate_CA - - filebeat_opendistro_security - tags: opendistro-security - -- name: Copying node's certificate from master (Custom CA) - copy: - src: "{{ item }}" - dest: "{{ node_certs_destination }}/" - mode: 0440 - with_items: - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" - when: - - not generate_CA - - filebeat_opendistro_security - tags: opendistro-security - -- name: Ensuring folder & certs permissions - file: - path: "{{ node_certs_destination }}/" - mode: 0774 - state: directory - recurse: yes - when: - - filebeat_xpack_security - tags: xpack-security - -- name: Checking if Filebeat Module folder file exists - stat: - path: "{{ filebeat_module_folder }}" - register: 
filebeat_module_folder - - -- name: Download Filebeat module package - get_url: - url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_package_path }}" - when: not filebeat_module_folder.stat.exists - -- name: Unpakcing Filebeat module package - unarchive: - src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_destination }}" - remote_src: yes - when: not filebeat_module_folder.stat.exists - -- name: Setting 0755 permission for Filebeat module folder - file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes - when: not filebeat_module_folder.stat.exists - -- name: Checking if Filebeat Module package file exists - stat: - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - register: filebeat_module_package - when: filebeat_module_package is not defined - -- name: Delete Filebeat module package file - file: - state: absent - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - when: filebeat_module_package.stat.exists - -- import_tasks: config.yml - when: filebeat_create_config - notify: restart filebeat - -- name: Reload systemd - systemd: daemon_reload=yes - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - -- name: Ensure Filebeat is started and enabled at boot. - service: - name: filebeat - state: started - enabled: true - -- include_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- include_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" 
diff --git a/roles/wazuh/filebeat-oss/tasks/security_actions.yml b/roles/wazuh/filebeat-oss/tasks/security_actions.yml deleted file mode 100644 index 6b11bc9a3..000000000 --- a/roles/wazuh/filebeat-oss/tasks/security_actions.yml +++ /dev/null @@ -1,11 +0,0 @@ -- block: - - - name: Copy certificates and root-ca to Filebeat - copy: - src: "{{ local_certs_path }}/config/{{ item }}" - dest: /etc/filebeat/ - mode: 0644 - with_items: - - root-ca.pem - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" \ No newline at end of file diff --git a/roles/wazuh/filebeat-oss/tests/requirements.yml b/roles/wazuh/filebeat-oss/tests/requirements.yml deleted file mode 100644 index 63d857e23..000000000 --- a/roles/wazuh/filebeat-oss/tests/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- src: geerlingguy.java -- src: geerlingguy.elasticsearch diff --git a/roles/wazuh/filebeat-oss/tests/test.yml b/roles/wazuh/filebeat-oss/tests/test.yml deleted file mode 100644 index 3a4c8f218..000000000 --- a/roles/wazuh/filebeat-oss/tests/test.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- hosts: all - - pre_tasks: - - name: Update apt cache. - apt: - cache_valid_time: 600 - when: ansible_os_family == 'Debian' - - - name: Install test dependencies (RedHat). - package: name=which state=present - when: ansible_os_family == 'RedHat' - - - name: Install test dependencies. - package: name=curl state=present - - roles: - - geerlingguy.java - - geerlingguy.elasticsearch - - role_under_test From 1062cddf06e4212df464e86d57db820c240814e5 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Wed, 10 Jun 2020 19:01:09 +0200 Subject: [PATCH 67/76] Use variable kibana_opendistro_security --- roles/opendistro/opendistro-kibana/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index 94a646f81..013648dbe 100644 
--- a/roles/opendistro/opendistro-kibana/tasks/main.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/main.yml
@@ -89,7 +89,7 @@
- name: Select correct API protocol
set_fact:
- elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}"
+ elastic_api_protocol: "{% if kibana_opendistro_security is defined and kibana_opendistro_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
From 1a5f74eec0e7df4f14cbc210cda73ee4b3e29f01 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Wed, 10 Jun 2020 19:01:33 +0200
Subject: [PATCH 68/76] Use group es_cluster
---
roles/opendistro/opendistro-kibana/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml
index 611eabdd5..428880ee5 100644
--- a/roles/opendistro/opendistro-kibana/defaults/main.yml
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml
@@ -2,7 +2,7 @@
elasticsearch_http_port: 9200
elasticsearch_nodes: |-
- {% for item in groups['kibana'] -%}
+ {% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
elasticsearch_network_host: 172.16.0.161
From 473decb3fd9cb948cb40c64af9ed911eda44d933 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Thu, 11 Jun 2020 19:02:40 +0200
Subject: [PATCH 69/76] Use elasticsearch_network_host
---
.../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
index 702de5e20..0a1f37cbf 100644
--- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
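Review bot: The new condition silently selects `http` whenever `kibana_opendistro_security` is undefined, so a misspelt or missing inventory variable downgrades the API calls to cleartext without any failure; the template change in the following commit (`{% if kibana_opendistro_security %}` in opendistro_kibana.yml.j2) has no `is defined` guard, so the two disagree on the undefined case. Declaring `kibana_opendistro_security: false` in the role's defaults/main.yml and using the plain test in both places makes the choice explicit and turns a typo into an undefined-variable error instead of an http fallback: `elastic_api_protocol: "{% if kibana_opendistro_security %}https{% else %}http{% endif %}"`. Whether such a default already exists is not visible on this page.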
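Review bot: `groups['es_cluster']` together with `hostvars[item]['ip']` hard-codes an inventory group name and a custom per-host variable in a role default; rendering fails with an undefined-variable error when the group is absent or any member lacks `ip`, and nothing in the hunk documents either requirement. A comment above the variable would make the contract explicit, e.g. `# Requires an inventory group "es_cluster" whose hosts define the variable "ip"`. Note the rendered value only works when interpolated inside a quoted string, because the `","` separator supplies the inner quotes.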
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
@@ -7,10 +7,12 @@ server.port: {{ kibana_server_port }}
server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
server.name: {{ kibana_server_name }}
server.host: {{ kibana_server_host }}
+
+
{% if kibana_opendistro_security %}
-elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
+elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% else %}
-elasticsearch.hosts: "http://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
+elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% endif %}
elasticsearch.username: {{ opendistro_kibana_user }}
From be21ad434ec4a84e94901dc7fcae0ad96fa33736 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 13:20:23 +0200
Subject: [PATCH 70/76] Disable multitenancy until 3.13 fix
---
.../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
index 0a1f37cbf..40dd9d6c0 100644
--- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
@@ -20,7 +20,7 @@ elasticsearch.password: {{ opendistro_kibana_password }}
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
-opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
From bbbc656985534404605b6ee2c1bd5cb9df8d08f5 Mon Sep 17 00:00:00 2001
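Review bot: The `https` branch now points Kibana at `elasticsearch_network_host` over TLS, but the context of the next hunk in this same file shows `elasticsearch.ssl.verificationMode: none`, so the connection is encrypted yet the server is never authenticated and the `https` choice does not protect the Kibana credentials against a spoofed Elasticsearch endpoint. The local_actions tasks on this page generate a root CA under `{{ local_certs_path }}/certs/`, so the template could set `elasticsearch.ssl.certificateAuthorities` to that root-ca.pem's path on the Kibana host and raise `verificationMode` to `full` when `kibana_opendistro_security` is on. Replacing the `","`-joined `elasticsearch_nodes` list with a single host also drops the multi-node `elasticsearch.hosts` that the previous commit still builds, which leaves that default unused unless something outside this page reads it. The two added blank lines before `{% if %}` are a whitespace-only change that could be dropped.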
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 12 Jun 2020 17:36:18 +0200 Subject: [PATCH 71/76] Make cert generation idempotent --- .../opendistro-elasticsearch/tasks/local_actions.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index edaf9ef83..6885276d9 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -31,13 +31,13 @@ template: src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" + register: tlsconfig_template - name: Create a directory if it does not exist file: path: "{{ local_certs_path }}/certs/" state: directory mode: '0755' - delegate_to: localhost - name: Local action | Check if root CA file exists stat: @@ -51,7 +51,9 @@ -ca -crt -t {{ local_certs_path }}/certs/ -f -o - when: not root_ca_file.stat.exists + when: + - not root_ca_file.stat.exists + - tlsconfig_template.changed - name: Local action | Generate the node & admin certificates using an existing root CA command: >- @@ -60,7 +62,9 @@ -crt -t {{ local_certs_path }}/certs/ -f - when: root_ca_file.stat.exists + when: + - root_ca_file.stat.exists + - tlsconfig_template.changed run_once: true delegate_to: localhost From 68cfc2fb10ef71721c4690334c978795c3306692 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 12 Jun 2020 17:37:02 +0200 Subject: [PATCH 72/76] Remove extra include_tasks --- roles/wazuh/ansible-filebeat-oss/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml index e9c3ead63..2c5d3de18 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml 
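Review bot: Gating both generation tasks on `tlsconfig_template.changed` (second and third hunks) turns any run where the template is unchanged but the certificates are missing — a wiped `{{ local_certs_path }}/certs/`, or a first run that failed between rendering the template and running the generator — into a silent no-op, after which the node tasks copy files that do not exist. Registering a `stat` on one generated artefact and OR-ing it into both conditions keeps the idempotence while still repairing an empty directory, e.g. `- tlsconfig_template.changed or not node_cert_file.stat.exists` (register name constructed). The first hunk also removes `delegate_to: localhost` from the directory task; unless a block- or play-level delegation not visible here covers it, that directory is now created on the remote host rather than on the controller where the generator runs.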
@@ -14,9 +14,6 @@
- install
- init
-- include_tasks: security_actions.yml
- when: ansible_os_family == 'RedHat'
-
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
From 0b456a25f0d2217af8785091e904c0c2ef93c2ac Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 17:38:17 +0200
Subject: [PATCH 73/76] Remove flag to allow exec on deleted cert
---
roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
index 1af67c842..dfea91ee6 100644
--- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
@@ -26,4 +26,3 @@
- security
when:
- filebeat_security
- - install.changed
\ No newline at end of file
From a3ef437df4867cacbe3a062b7970a027af67e5dc Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Tue, 16 Jun 2020 17:14:28 +0200
Subject: [PATCH 74/76] Use relative path by default for certs
---
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 2 +-
roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +-
roles/wazuh/ansible-filebeat/defaults/main.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
index 6f2528c36..279283c26 100644
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@@ -36,7 +36,7 @@ node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/elasticsearch/certs
# CA generation
-master_certs_path: /es_certs
+master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_key_name: ""
ca_cert_name: ""
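Review bot: `"{{ playbook_dir }}/es_certs"` moves the CA material, including the private CA key named by `ca_key_name` on the next lines, into the playbook directory, which is normally a version-controlled checkout; a plain `git add .` after a run would commit private keys. Add an `es_certs/` entry to the repository's ignore file (or document that this directory must be kept out of VCS) and say so in the variable's comment: `# Controller-side directory for the generated CA and node certificates; keep it out of version control`. The same change appears in the ansible-kibana and ansible-filebeat defaults hunks of this commit. Note that the ansible-filebeat hunk starts from blob `cc7de7bf4`, the same pre-image the earlier defaults change on this page already rewrote to `0f9c0021c`, so the series may not apply cleanly in order.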
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml
index d1ddb8e17..e3164ec09 100644
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml
+++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml
@@ -34,7 +34,7 @@ node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/kibana/certs
# CA Generation
-master_certs_path: /es_certs
+master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml
index cc7de7bf4..78b6b3c77 100644
--- a/roles/wazuh/ansible-filebeat/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat/defaults/main.yml
@@ -46,7 +46,7 @@ node_certs_destination: /etc/filebeat/certs
# CA Generation
-master_certs_path: /es_certs
+master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
From 76f2442cbefdcb6e05e4b41c582da99bcfbbcee5 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Tue, 16 Jun 2020 17:22:23 +0200
Subject: [PATCH 75/76] Always prevent become for local tasks
---
.../ansible-elasticsearch/tasks/xpack_security.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
index 47438f98d..01ef86e80 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@@ -102,6 +102,7 @@
state: directory
mode: 0700
delegate_to: "127.0.0.1"
+ become: no
when:
- node_certs_generator
@@ -111,6 +112,7 @@
state: directory
mode: 0700
delegate_to: "127.0.0.1"
+ become: no
when:
- node_certs_generator
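Review bot: `become: no` uses the YAML 1.1 boolean spelling `no`, which yamllint's truthy rule flags and which generic YAML 1.2 loaders read as the string "no"; `become: false` is the unambiguous form for all three hunks of this commit (the third is the `@@ -139,6 +141,7 @@` hunk that follows). The intent — never escalate on tasks delegated to the controller — is sound, and applying it per task is fine here, but each task body starts outside its hunk, so whether a task-level or block-level `become` elsewhere still overrides these lines is not visible on this page.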
@@ -139,6 +141,7 @@
src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/"
delegate_to: "127.0.0.1"
+ become: no
when:
- node_certs_generator
tags:
From 7a7def1626c069e63539dac9d491376662d6303c Mon Sep 17 00:00:00 2001
From: Jani Heikkine
Date: Thu, 18 Jun 2020 17:14:06 +0200
Subject: [PATCH 76/76] add support to configure path.repo option required for backups/snapshots
---
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 1 +
.../ansible-elasticsearch/templates/elasticsearch.yml.j2 | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
index 279283c26..cc0f81502 100644
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@@ -6,6 +6,7 @@ elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null
elastic_stack_version: 7.6.2
elasticsearch_lower_disk_requirements: false
+elasticsearch_path_repo: []
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
index 0d6887f58..184bc4b4b 100644
--- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
@@ -6,6 +6,12 @@ path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: {{ elasticsearch_network_host }}
+{% if elasticsearch_path_repo | length>0 %}
+path.repo:
+{% for item in elasticsearch_path_repo %}
+ - {{ item }}
+{% endfor %}
+{% endif %}
{% if single_node %}
discovery.type: single-node
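Review bot: `- {{ item }}` renders each repository path unquoted into elasticsearch.yml, so a path containing `: `, ` #`, or a leading special character produces invalid or re-typed YAML; rendering it as `  - {{ item | to_json }}` always yields a valid quoted string. Elasticsearch also needs every `path.repo` directory to exist and be writable by its service user before a snapshot repository can be registered, and this commit adds no task creating them, so the new default in the other hunk deserves a comment stating the precondition: `# Snapshot repository paths; each must exist and be writable by the elasticsearch user on every node`. The `| length>0` spacing is inconsistent with the spaced operators used in the template's other expressions.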