Merge pull request #382 from wazuh/feature-373-adjust-files-permissions

Restrictive permissions on filebeat sensitive files
Jose M. Garcia 2020-03-18 16:49:02 +01:00 committed by GitHub
commit 1939cc51d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 23 additions and 18 deletions


@ -35,7 +35,7 @@
copy: copy:
src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
dest: "{{ node_certs_source }}/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}"
mode: '0664' mode: 0440
when: when:
- not generate_CA - not generate_CA
- node_certs_generator - node_certs_generator
@ -45,7 +45,7 @@
copy: copy:
src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
dest: "{{ node_certs_source }}/{{ ca_cert_name }}" dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
mode: '0664' mode: 0440
when: when:
- not generate_CA - not generate_CA
- node_certs_generator - node_certs_generator
@ -100,7 +100,7 @@
file: file:
path: "{{ master_certs_path }}" path: "{{ master_certs_path }}"
state: directory state: directory
mode: '0700' mode: 0700
delegate_to: "127.0.0.1" delegate_to: "127.0.0.1"
when: when:
- node_certs_generator - node_certs_generator
@ -109,7 +109,7 @@
file: file:
path: "{{ master_certs_path }}/ca/" path: "{{ master_certs_path }}/ca/"
state: directory state: directory
mode: '0700' mode: 0700
delegate_to: "127.0.0.1" delegate_to: "127.0.0.1"
when: when:
- node_certs_generator - node_certs_generator
@ -149,6 +149,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
@ -163,6 +164,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
@ -176,7 +178,7 @@
- name: Ensuring folder permissions - name: Ensuring folder permissions
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
mode: '0774' mode: 0774
state: directory state: directory
recurse: yes recurse: yes
when: when:
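Review bot: The `mode: 0440` added for the node .key/.crt copies (hunks at -149 and -163) is undone by the later `Ensuring folder permissions` task (hunk at -176), which applies `mode: 0774` with `recurse: yes` to the same `node_certs_destination` tree; a recursive `file` mode is applied to every file under the path, so the private key ends up group-writable and world-readable, assuming the tasks' `when` conditions overlap (the folder task's conditions continue outside the hunk). Keep `recurse: yes` only for owner/group and apply `mode` to the directory itself without recursion, or split the task in two, so the per-file 0440 survives. The kibana (`mode: 0770`, hunk -65) and filebeat (`mode: 0774`, hunk -55) sections below have the same pattern. Separately, the commit drops the quotes on every octal mode: Ansible's PyYAML loader reads `0440` as octal so this works, but a YAML 1.2 loader would read decimal 440, and the quoted form `'0440'` is the one ansible-lint recommends.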


@ -14,7 +14,7 @@
get_url: get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh" dest: "/tmp/setup_nodejs_repo.sh"
mode: "0700" mode: 0700
- name: Execute downloaded script to install Nodejs repo - name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh command: /tmp/setup_nodejs_repo.sh
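Review bot: The repository setup script fetched by the `get_url` task is written to a world-writable `/tmp` path and then executed unmodified by the following `command` task with no integrity check on the download, and the quoting change in this hunk does not touch that. `get_url` supports a `checksum` parameter, so pinning the expected digest, e.g. `checksum: "sha256:<expected-digest>"` (placeholder), would make a tampered or truncated download fail the play instead of running. The last section of this commit (`/etc/nodejs.sh`, hunk -18) has the same pattern. Since the URL is templated from `nodejs['repo_dict']` per OS family, the digest would presumably need to be maintained per family as well.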


@ -28,6 +28,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
@ -41,7 +42,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: '0664' mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
@ -65,7 +66,7 @@
- name: Ensuring certificates folder owner - name: Ensuring certificates folder owner
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
mode: '0770' mode: 0770
recurse: yes recurse: yes
when: when:
- kibana_xpack_security - kibana_xpack_security
@ -78,7 +79,7 @@
dest: /etc/kibana/kibana.yml dest: /etc/kibana/kibana.yml
owner: root owner: root
group: root group: root
mode: '0664' mode: 0644
notify: restart kibana notify: restart kibana
tags: configure tags: configure


@ -5,7 +5,7 @@
dest: "/etc/filebeat/filebeat.yml" dest: "/etc/filebeat/filebeat.yml"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0400
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
@ -15,7 +15,7 @@
dest: "/etc/filebeat/wazuh-template.json" dest: "/etc/filebeat/wazuh-template.json"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0400
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
@ -30,7 +30,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0644 mode: 0400
with_items: with_items:
- "{{ filebeat_ssl_key_file }}" - "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}" - "{{ filebeat_ssl_certificate_file }}"
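Review bot: The SSL copy task in the -30 hunk sets `mode: 0400` but, unlike the `filebeat.yml` and `wazuh-template.json` tasks above it, sets no `owner`/`group`, so with owner-only permissions the key's readability now depends on whichever account the `copy` task runs as. Make the intended reader explicit to match the sibling tasks, `owner: root` and `group: root`, substituting the account filebeat runs as if this deployment does not run it as root. The certificate in the same `with_items` list is public material, so 0400 is harmless but not required for it.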


@ -30,6 +30,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
@ -43,6 +44,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
@ -55,7 +57,7 @@
- name: Ensuring folder & certs permissions - name: Ensuring folder & certs permissions
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
mode: '0774' mode: 0774
state: directory state: directory
recurse: yes recurse: yes
when: when:


@ -76,7 +76,7 @@
dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf" dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root owner: root
group: root group: root
mode: '644' mode: 0644
changed_when: false changed_when: false
- name: Executing "install.sh" script to build and install the Wazuh Agent - name: Executing "install.sh" script to build and install the Wazuh Agent


@ -91,7 +91,7 @@
dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf" dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root owner: root
group: root group: root
mode: '644' mode: 0644
- name: Executing "install.sh" script to build and install the Wazuh Manager - name: Executing "install.sh" script to build and install the Wazuh Manager
shell: ./install.sh > /tmp/build_wazuh_manager_log.txt shell: ./install.sh > /tmp/build_wazuh_manager_log.txt
@ -167,7 +167,7 @@
dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf" dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf"
owner: root owner: root
group: root group: root
mode: '644' mode: 0644
- name: Execute Wazuh API installation script - name: Execute Wazuh API installation script
shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt


@ -18,7 +18,7 @@
get_url: get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: /etc/nodejs.sh dest: /etc/nodejs.sh
mode: '0775' mode: 0775
changed_when: false changed_when: false
- name: Run NodeJS bash script - name: Run NodeJS bash script