From 53fbc82931aa2ad677eab593b7ae193d38d63c08 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 10:45:43 -0300 Subject: [PATCH 01/16] roles/agent: reduce depth of wazuh_agent_config by extracting internal dicts to outside variables --- .../ansible-wazuh-agent/defaults/main.yml | 528 ++++++++++-------- 1 file changed, 290 insertions(+), 238 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 38ff1151..b7dcd7ce 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -32,19 +32,11 @@ wazuh_agent_sources_installation: user_agent_config_profile: null user_ca_store: "/var/ossec/wpk_root.pem" -wazuh_managers: - - address: 127.0.0.1 - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: null - max_retries: 5 - retry_interval: 5 wazuh_api_reachable_from_agent: false wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_auto_restart: 'yes' + wazuh_agent_authd: registration_address: 127.0.0.1 enable: false 
@@ -69,234 +61,294 @@ wazuh_winagent_config: md5: f9737cbd7df7104c1bee9f3e8b9ca26e wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.0-1.msi wazuh_winagent_package_name: wazuh-agent-4.0.0-1.msi -wazuh_agent_config: - repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' - active_response: - ar_disabled: 'no' - ca_store: '/var/ossec/etc/wpk_root.pem' - ca_store_win: 'wpk_root.pem' - ca_verification: 'yes' - log_format: 'plain' - client_buffer: - disable: 'no' - queue_size: '5000' - events_per_sec: '500' - syscheck: - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - win_audit_interval: 60 - skip_nfs: 'yes' - skip_dev: 'yes' - skip_proc: 'yes' - skip_sys: 'yes' - process_priority: 10 - max_eps: 100 - sync_enabled: 'yes' - sync_interval: '5m' - sync_max_interval: '1h' - sync_max_eps: 10 - ignore: - - /etc/mtab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - ignore_linux_type: - - '.log$|.swp$' - ignore_win: - - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' - no_diff: - - /etc/ssl/private.key - directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: '' - - dirs: /bin,/sbin,/boot - checks: '' - win_directories: - - dirs: '%WINDIR%' - checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' - - dirs: '%WINDIR%\SysNative' - checks: >- - recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| - net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" - - dirs: '%WINDIR%\SysNative\drivers\etc%' - checks: 'recursion_level="0"' - - dirs: '%WINDIR%\SysNative\wbem' - checks: 
'recursion_level="0" restrict="WMIC.exe$"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' - checks: 'recursion_level="0" restrict="powershell.exe$"' - - dirs: '%WINDIR%\SysNative' - checks: 'recursion_level="0" restrict="winrm.vbs$"' - - dirs: '%WINDIR%\System32' - checks: >- - recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| - netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'recursion_level="0"' - - dirs: '%WINDIR%\System32\wbem' - checks: 'recursion_level="0" restrict="WMIC.exe$"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' - checks: 'recursion_level="0" restrict="powershell.exe$"' - - dirs: '%WINDIR%\System32' - checks: 'recursion_level="0" restrict="winrm.vbs$"' - - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'realtime="yes"' - windows_registry: - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Policies' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Security' - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services' - - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs' - - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg' - - key: 
'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components' - arch: "both" - windows_registry_ignore: - - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' - - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' - - key: '\Enum$' - type: "sregex" - rootcheck: - frequency: 43200 - openscap: - disable: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - osquery: - disable: 'yes' - run_daemon: 'yes' - bin_path_win: 'C:\Program Files\osquery\osqueryd' - log_path: '/var/log/osquery/osqueryd.results.log' - log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - config_path_win: 'C:\Program Files\osquery\osquery.conf' - add_labels: 'yes' - syscollector: - disable: 'no' - interval: '1h' - scan_on_start: 'yes' - hardware: 'yes' - os: 'yes' - network: 'yes' - packages: 'yes' - ports_no: 'yes' - processes: 'yes' - sca: - enabled: 'yes' - scan_on_start: 'yes' - interval: '12h' - skip_nfs: 'yes' - day: '' - wday: '' - time: '' - cis_cat: - disable: 'yes' - install_java: 'no' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - java_path: 'wodles/java' - java_path_win: '\\server\jre\bin\java.exe' - ciscat_path: 'wodles/ciscat' - ciscat_path_win: 'C:\cis-cat' - localfiles: - debian: - - format: 'syslog' - location: '/var/log/auth.log' - - format: 
'syslog' - location: '/var/log/syslog' - - format: 'syslog' - location: '/var/log/dpkg.log' - - format: 'syslog' - location: '/var/log/kern.log' - centos: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'audit' - location: '/var/log/audit/audit.log' - linux: - - format: 'syslog' - location: '/var/ossec/logs/active-responses.log' - - format: 'full_command' - command: 'last -n 20' - frequency: '360' - - format: 'command' - command: df -P - frequency: '360' - - format: 'full_command' - command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - alias: 'netstat listening ports' - frequency: '360' - windows: - - format: 'eventlog' - location: 'Application' - - format: 'eventchannel' - location: 'Security' - query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' - - format: 'eventlog' - location: 'System' - - format: 'syslog' - location: 'active-response\active-responses.log' - labels: - enable: false - list: - - key: Env - value: Production - enrollment: - enabled: '' - manager_address: '' - port: 1515 - agent_name: 'testname' - groups: '' - agent_address: '' - ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - server_ca_path: '' - agent_certificate_path: '' - agent_key_path: '' - authorization_pass_path : /var/ossec/etc/authd.pass - auto_method: 'no' - delay_after_enrollment: 20 - use_source_ip: 'no' +wazuh_agent_repo: + apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + yum: 'https://packages.wazuh.com/4.x/yum/' + gpg: 
'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' + wazuh_agent_nat: false + +########################################## +### Wazuh-OSSEC +########################################## + +wazuh_agent_config_overlay: yes + +## Client +wazuh_managers: + - address: 127.0.0.1 + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: null + max_retries: 5 + retry_interval: 5 + +## Enrollment +wazuh_agent_enrollment: + enabled: '' + manager_address: '' + port: 1515 + agent_name: 'testname' + groups: '' + agent_address: '' + ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + server_ca_path: '' + agent_certificate_path: '' + agent_key_path: '' + authorization_pass_path: /var/ossec/etc/authd.pass + auto_method: 'no' + delay_after_enrollment: 20 + use_source_ip: 'no' + +## Client buffer +wazuh_agent_client_buffer: + disable: 'no' + queue_size: '5000' + events_per_sec: '500' + +## Rootcheck +wazuh_agent_rootcheck: + frequency: 43200 + +## Wodles +wazuh_agent_openscap: + disable: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + +wazuh_agent_cis_cat: + disable: 'yes' + install_java: 'no' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + java_path: 'wodles/java' + java_path_win: '\\server\jre\bin\java.exe' + ciscat_path: 'wodles/ciscat' + ciscat_path_win: 'C:\cis-cat' + +wazuh_agent_osquery: + disable: 'yes' + run_daemon: 'yes' + bin_path_win: 'C:\Program Files\osquery\osqueryd' + log_path: '/var/log/osquery/osqueryd.results.log' + log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' + config_path: '/etc/osquery/osquery.conf' + config_path_win: 'C:\Program Files\osquery\osquery.conf' + add_labels: 'yes' + +wazuh_agent_syscollector: + disable: 'no' + interval: '1h' + scan_on_start: 'yes' + hardware: 'yes' + os: 'yes' + network: 'yes' + packages: 'yes' + ports_no: 'yes' + processes: 'yes' + +## SCA +wazuh_agent_sca: + enabled: 'yes' + scan_on_start: 'yes' + 
interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' + +## Syscheck +wazuh_agent_syscheck: + frequency: 43200 + scan_on_start: 'yes' + auto_ignore: 'no' + win_audit_interval: 60 + skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 + ignore: + - /etc/mtab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + ignore_linux_type: + - '.log$|.swp$' + ignore_win: + - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: '' + - dirs: /bin,/sbin,/boot + checks: '' + win_directories: + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" + - dirs: '%WINDIR%\System32\drivers\etc' + checks: 'recursion_level="0"' + - dirs: 
'%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' + checks: 'realtime="yes"' + windows_registry: + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Policies' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Security' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services' + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs' + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' + arch: "both" + - 
key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components' + arch: "both" + windows_registry_ignore: + - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' + - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' + - key: '\Enum$' + type: "sregex" + +## Localfile +wazuh_agent_localfiles: + debian: + - format: 'syslog' + location: '/var/log/auth.log' + - format: 'syslog' + location: '/var/log/syslog' + - format: 'syslog' + location: '/var/log/dpkg.log' + - format: 'syslog' + location: '/var/log/kern.log' + centos: + - format: 'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'syslog' + location: '/var/log/maillog' + - format: 'audit' + location: '/var/log/audit/audit.log' + linux: + - format: 'syslog' + location: '/var/ossec/logs/active-responses.log' + - format: 'full_command' + command: 'last -n 20' + frequency: '360' + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' + windows: + - format: 'eventlog' + location: 'Application' + - format: 'eventchannel' + location: 'Security' + query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' + - format: 'eventlog' + location: 'System' + - format: 'syslog' + location: 'active-response\active-responses.log' + +## Labels +wazuh_agent_labels: + enable: false + list: + - key: Env + value: Production + +## Active response +wazuh_agent_active_response: + ar_disabled: 'no' + ca_store: '/var/ossec/etc/wpk_root.pem' + ca_store_win: 
'wpk_root.pem' + ca_verification: 'yes' + +## Logging +wazuh_agent_log_format: 'plain' + +# wazuh_agent_config +wazuh_agent_config_defaults: + repo: '{{ wazuh_agent_repo }}' + active_response: '{{ wazuh_agent_active_response }}' + log_format: '{{ wazuh_agent_log_format }}' + client_buffer: '{{ wazuh_agent_client_buffer }}' + syscheck: '{{ wazuh_agent_syscheck }}' + + rootcheck: '{{ wazuh_agent_rootcheck }}' + openscap: '{{ wazuh_agent_openscap }}' + + osquery: '{{ wazuh_agent_osquery }}' + syscollector: '{{ wazuh_agent_syscollector }}' + sca: '{{ wazuh_agent_sca }}' + cis_cat: '{{ wazuh_agent_cis_cat }}' + localfiles: '{{ wazuh_agent_localfiles }}' + + labels: '{{ wazuh_agent_labels }}' + enrollment: '{{ wazuh_agent_enrollment }}' From 2a5da5f78d7eecd81c66ec9e81323ef2b8e05cd1 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 10:48:12 -0300 Subject: [PATCH 02/16] roles/agent: add support for overlaying like role-distributed ansible.cfg setting for hash_behaviour --- roles/wazuh/ansible-wazuh-agent/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml index 25c7b955..43aa2ca3 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml @@ -1,4 +1,12 @@ --- + +- name: Overlay wazuh_agent_config on top of defaults + set_fact: + wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}' + vars: + config_layer: '{{ wazuh_agent_config | default({}) }}' + when: wazuh_agent_config_overlay | bool + - include_tasks: "Windows.yml" when: ansible_os_family == "Windows" From aa04ebad90e2e571d9389fd38adec3134b32b2df Mon Sep 17 00:00:00 2001 
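Review bot: `wazuh_agent_config_overlay: yes` (just under the `### Wazuh-OSSEC` banner) is a YAML 1.1 truthy scalar that generic loaders and yamllint's `truthy` rule treat differently from a real boolean; write it as `wazuh_agent_config_overlay: true`, which is also the form patch 15 leaves untouched when it edits the banner next to it. The `# wazuh_agent_config` comment above `wazuh_agent_config_defaults` names a variable this file no longer defines; a comment such as `# Merged into wazuh_agent_config at runtime (tasks/main.yml) when wazuh_agent_config_overlay is enabled; each entry references the section variable above` would tell a reader where the assembly happens. Each `'{{ wazuh_agent_repo }}'`-style entry is a single-expression template that Ansible should resolve back to the referenced dict rather than its string form, but that is worth confirming on the Ansible versions the role supports, since a stringified dict would break every `wazuh_agent_config.<section>.<key>` lookup in the templates. The plain scalar `ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH` only parses because `!` and `@` are not at the start of the value; quoting it as `ssl_cipher: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'` protects the cipher list from a future edit turning it into a tag or alias.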
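Review bot: When `wazuh_agent_config_overlay` is false this task is skipped and nothing defines `wazuh_agent_config` any more, because the preceding patch removed the full default from `defaults/main.yml`; a host that does not set the variable itself will fail with an undefined variable at the first template that reads it. Dropping the `when:` and templating the fallback into the value keeps the old behaviour: `wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) if (wazuh_agent_config_overlay | bool) else (wazuh_agent_config | default(wazuh_agent_config_defaults)) }}'`. A comment on the task should also record two things a user overriding a section needs to know: `combine(recursive=True)` merges mappings but replaces lists wholesale, so overriding e.g. `syscheck.ignore` supplies the whole list rather than appending to it, and the merged result is stored with `set_fact` precedence, which as far as I recall outranks inventory and play vars for later plays against the same host.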
From: neonmei Date: Tue, 10 Nov 2020 15:04:21 -0300 Subject: [PATCH 03/16] roles/opendistro-elasticsearch: remove unused variables --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 22709024..9d624025 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,8 +1,5 @@ --- # Cluster Settings -es_version: "7.9.1" -es_major_version: "7.x" - opendistro_version: 1.10.1 single_node: false @@ -44,7 +41,6 @@ es_nodes: |- {%- endfor %} # Security password -opendistro_security_password: admin opendistro_custom_user: "" opendistro_custom_user_role: "admin" From fad82ba7d171e609501c9d3e00d55de59a74fbfc Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:04:31 -0300 Subject: [PATCH 04/16] roles/opendistro-kibana: remove unused variables --- roles/opendistro/opendistro-kibana/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 2974bf3d..464302aa 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -44,7 +44,6 @@ kibana_newsfeed_enabled: "false" kibana_telemetry_optin: "false" kibana_telemetry_enabled: "false" -opendistro_security_user: elastic opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme From e90ddb73e6d05a70a0570bf3761f0dc3d2740c59 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:05:38 -0300 Subject: [PATCH 05/16] roles/filebeat-oss: remove unused variables --- roles/wazuh/ansible-filebeat-oss/README.md | 1 - roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 3 --- 2 files changed, 4 deletions(-) 
diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md index bed47531..02311817 100644 --- a/roles/wazuh/ansible-filebeat-oss/README.md +++ b/roles/wazuh/ansible-filebeat-oss/README.md @@ -19,7 +19,6 @@ Role Variables Available variables are listed below, along with default values (see `defaults/main.yml`): ``` - filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index ace9077f..44c8465e 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -3,9 +3,6 @@ filebeat_version: 7.9.1 wazuh_template_branch: v4.0.0 -filebeat_create_config: true - -filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" From eb5e74bb0217e01003bb00d31a3cf342fa34d208 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:06:42 -0300 Subject: [PATCH 06/16] roles/filebeat: remove unused variables --- roles/wazuh/ansible-filebeat/README.md | 1 - roles/wazuh/ansible-filebeat/defaults/main.yml | 18 +----------------- 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/README.md b/roles/wazuh/ansible-filebeat/README.md index 416f7da0..3bbc2b32 100644 --- a/roles/wazuh/ansible-filebeat/README.md +++ b/roles/wazuh/ansible-filebeat/README.md @@ -19,7 +19,6 @@ Role Variables Available variables are listed below, along with default values (see `defaults/main.yml`): ``` - filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index f2c02a48..db70ffe1 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
@@ -5,28 +5,12 @@ wazuh_template_branch: v4.0.0 filebeat_create_config: true -filebeat_prospectors: - - input_type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - document_type: json - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true - filebeat_node_name: node-1 -filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" -filebeat_enable_logging: true -filebeat_log_level: debug -filebeat_log_dir: /var/log/mybeat -filebeat_log_filename: mybeat.log filebeat_ssl_dir: /etc/pki/filebeat -filebeat_ssl_certificate_file: "" -filebeat_ssl_insecure: "false" filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz @@ -40,7 +24,7 @@ filebeat_xpack_security: false elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass -node_certs_generator : false +node_certs_generator: false node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs From b928bc81fe324eb29e1c5ed90312987f1d1d8e4c Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:23:39 -0300 Subject: [PATCH 07/16] roles/opendistro-elasticsearch: remove unused variable elasticrepo --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 9d624025..7476410d 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -54,11 +54,6 @@ certs_gen_tool_version: 1.8 # Url of Search Guard certificates generator tool certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/7.x/apt' - yum: 'https://artifacts.elastic.co/packages/7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' opendistro_admin_password: changeme opendistro_kibana_password: changeme From 200efb981c66b5d9399cbb15e917c8f908896a8f Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:24:11 -0300 Subject: [PATCH 08/16] roles/opendistro-kibana: remove unused variable elasticsearch_nodes --- roles/opendistro/opendistro-kibana/defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 464302aa..170e72b5 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -2,10 +2,6 @@ # Kibana configuration elasticsearch_http_port: 9200 -elasticsearch_nodes: |- - {% for item in groups['es_cluster'] -%} - {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} - {%- endfor %} elastic_api_protocol: https kibana_conf_path: /etc/kibana kibana_node_name: node-1 From 04e242e2071c303cf083966140a64ab2f1beb647 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:24:52 -0300 Subject: [PATCH 09/16] roles/filebeat-oss: remove unused variables filebeat_security_user and filebeat_security_password --- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 44c8465e..e77112c8 100644 
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -15,8 +15,6 @@ elasticsearch_security_user: admin elasticsearch_security_password: changeme # Security plugin filebeat_security: true -filebeat_security_user: admin -filebeat_security_password: changeme filebeat_ssl_dir: /etc/pki/filebeat # Local path to store the generated certificates (OpenDistro security plugin) From 1d93181625a2bb80b7b74491d32003aeb7c00326 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:25:41 -0300 Subject: [PATCH 10/16] roles/filebeat: remove unused variables node_certs_generator and node_certs_source --- roles/wazuh/ansible-filebeat/defaults/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index db70ffe1..9369e7b7 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -24,11 +24,8 @@ filebeat_xpack_security: false elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass -node_certs_generator: false -node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs - # CA Generation master_certs_path: "{{ playbook_dir }}/es_certs" generate_CA: true From 1511649944a95b930f414ec20a1b9d6f7746ab49 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:52:29 -0300 Subject: [PATCH 11/16] roles/elasticsearch: remove unused variable elasticsearch_xpack_security_user --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 5a638104..3556489d 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml 
@@ -27,9 +27,8 @@ elasticsearch_discovery_nodes: elasticsearch_node_data: true elasticsearch_node_ingest: true -# X-Pack Security +# X-Pack Security elasticsearch_xpack_security: false -elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false From e466b3c35e3f1ce328adeca5d467b6f57766e8db Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:52:58 -0300 Subject: [PATCH 12/16] roles/kibana: remove unused variables node_certs_generator and node_certs_source --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 35bae043..014910d7 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -31,8 +31,6 @@ kibana_ssl_verification_mode: "full" elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass -node_certs_generator: false -node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs # CA Generation From f5f80aa588b206781bd3fb927f85b96ea8fd7b6a Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:53:21 -0300 Subject: [PATCH 13/16] roles/opendistro-elasticsearch: remove unused variable es_nodes --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 7476410d..cfe22df8 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -35,10 +35,6 @@ package_repos: opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools opendistro_conf_path: /etc/elasticsearch/ -es_nodes: |- - {% for item in groups['es_cluster'] -%} - {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} - {%- endfor %} # Security password opendistro_custom_user: "" From 36e235c877f5b3551b7d3489c418c8e7de7526a0 Mon Sep 17 00:00:00 2001 From: neonmei Date: Tue, 10 Nov 2020 15:53:43 -0300 Subject: [PATCH 14/16] roles/filebeat: remove unused variable filebeat_ssl_dir --- roles/wazuh/ansible-filebeat/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 9369e7b7..99dd3358 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -10,8 +10,6 @@ filebeat_node_name: node-1 filebeat_output_elasticsearch_hosts: - "localhost:9200" -filebeat_ssl_dir: /etc/pki/filebeat - filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz filebeat_module_package_path: /tmp/ From f902bd52699cabbf6ef2647734d0926756a82cdc Mon Sep 17 00:00:00 2001 From: neonmei Date: Fri, 13 Nov 2020 12:07:26 -0300 Subject: [PATCH 15/16] roles/wazuh-agent: update comment at role defaults --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index b7dcd7ce..86c1e21f 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
@@ -71,7 +71,7 @@ wazuh_agent_repo: wazuh_agent_nat: false ########################################## -### Wazuh-OSSEC +### Wazuh ########################################## wazuh_agent_config_overlay: yes From b2f9bc9901f635758c13aff2d76c17434da137b8 Mon Sep 17 00:00:00 2001 From: neonmei Date: Fri, 13 Nov 2020 14:01:01 -0300 Subject: [PATCH 16/16] roles/elastic-stack: update jvm.options template per upstream elasticsearch updates --- .../templates/jvm.options.j2 | 41 +++++++++++++++---- 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/jvm.options.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/jvm.options.j2 index c43ce401..320bd579 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/jvm.options.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/jvm.options.j2 @@ -47,9 +47,22 @@ ################################################################ ## GC configuration --XX:+UseConcMarkSweepGC --XX:CMSInitiatingOccupancyFraction=75 --XX:+UseCMSInitiatingOccupancyOnly +8-13:-XX:+UseConcMarkSweepGC +8-13:-XX:CMSInitiatingOccupancyFraction=75 +8-13:-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1 GC is only supported on JDK version 10 or later +# to use G1GC, uncomment the next two lines and update the version on the +# following three lines to your version of the JDK +# 10-13:-XX:-UseConcMarkSweepGC +# 10-13:-XX:-UseCMSInitiatingOccupancyOnly +14-:-XX:+UseG1GC +14-:-XX:G1ReservePercent=25 +14-:-XX:InitiatingHeapOccupancyPercent=30 + +## JVM temporary directory +-Djava.io.tmpdir=${ES_TMPDIR} ## optimizations 
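Review bot: `-Djava.io.tmpdir=${ES_TMPDIR}` makes the rendered file depend on `ES_TMPDIR` being exported by whatever launches the JVM; Elasticsearch's own start-up scripts set it to a private per-process directory (the reason for the option — it keeps JVM scratch files and extracted native libraries out of a shared, world-writable `/tmp`), but a customised service unit or manual `java` invocation that does not pass the variable through would likely leave the placeholder unresolved. A comment above the line such as `# ES_TMPDIR is exported by the elasticsearch launcher scripts; keep it set if the service unit is customised` would record that dependency for whoever maintains the unit file. The hunk also fixes the collector per JDK range (`8-13:` CMS, `14-:` G1) with no Jinja variable involved even though this is a `.j2` template; if operators are expected to choose, those prefixed lines are where a role variable would belong, otherwise a comment saying the values intentionally mirror upstream would stop that question.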
@@ -96,14 +109,24 @@ # ensure the directory exists and has sufficient space -XX:HeapDumpPath=/var/lib/elasticsearch +# specify an alternative path for JVM fatal error logs +-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log + ## GC logging -#-XX:+PrintGCDetails -#-XX:+PrintGCTimeStamps -#-XX:+PrintGCDateStamps -#-XX:+PrintClassHistogram -#-XX:+PrintTenuringDistribution -#-XX:+PrintGCApplicationStoppedTime +## JDK 8 GC logging + +# 8:-XX:+PrintGCDetails +# 8:-XX:+PrintGCDateStamps +# 8:-XX:+PrintTenuringDistribution +# 8:-XX:+PrintGCApplicationStoppedTime +# 8:-Xloggc:/var/log/elasticsearch/gc.log +# 8:-XX:+UseGCLogFileRotation +# 8:-XX:NumberOfGCLogFiles=32 +# 8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +# 9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m # log GC status to a file with time stamps # ensure the directory exists
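Review bot: Every GC-logging line in the new block is commented out (`# 8:-XX:+PrintGCDetails` through `# 9-:-Xlog:gc*,…`), so GC logging stays disabled after this change even though the commit message says it follows upstream, where as far as I recall the packaged `jvm.options` ships the `8:` and `9-:` lines enabled; if matching upstream is the intent, drop the `# ` prefix on those lines, otherwise a comment stating that they are deliberately opt-in would make the divergence explicit. The new `-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log` and the `/var/log/elasticsearch/gc.log` paths are hard-coded like the `-XX:HeapDumpPath` above them; the heap-dump line carries an "ensure the directory exists" reminder and the error-file line deserves the same, e.g. `# directory must exist and be writable by the user running Elasticsearch`. It is also worth noting in that comment that `%p` is expanded to the process id by the JVM, since in a `.j2` file it reads like a leftover template placeholder.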