afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'devel' into wazuh-agent-fixes

Browse Source
This commit is contained in:
Manuel J. Bernal 2020-06-19 16:25:09 +02:00 committed by GitHub
commit 2212adb5bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
64 changed files with 3352 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
CHANGELOG.md
View File

@ -1,6 +1,30 @@
# Change Log # Change Log
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
## [v3.12.3_7.6.2]
### Added
- Update to Wazuh v3.12.2
- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413)
### Changed
- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412)
- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410)
## [v3.12.2_7.6.2]
### Added
- Update to Wazuh v3.12.2
### Fixed
- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404)
- Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401)
- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400)
## [v3.12.0_7.6.1] ## [v3.12.0_7.6.1]
### Added ### Added

2
VERSION
View File

@ -1,2 +1,2 @@
WAZUH-ANSIBLE_VERSION="v4" WAZUH-ANSIBLE_VERSION="v4"
REVISION="31140" REVISION="31220"

9
playbooks/wazuh-manager-oss.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: managers
roles:
# - role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
filebeat_output_elasticsearch_hosts:
- "172.16.0.161:9200"
- "172.16.0.162:9200"
- "172.16.0.163:9200"

4
playbooks/wazuh-opendistro-kibana.yml Normal file
View File

@ -0,0 +1,4 @@
---
- hosts: es1
roles:
- role: ../roles/opendistro/opendistro-kibana

4
playbooks/wazuh-opendistro.yml Normal file
View File

@ -0,0 +1,4 @@
---
- hosts: es_cluster
roles:
- role: ../roles/opendistro/opendistro-elasticsearch

2
roles/elastic-stack/ansible-elasticsearch/README.md
View File

@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

5
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -4,8 +4,9 @@ elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 7.6.1 elastic_stack_version: 7.7.0
elasticsearch_lower_disk_requirements: false elasticsearch_lower_disk_requirements: false
elasticsearch_path_repo: []
elasticrepo: elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt' apt: 'https://artifacts.elastic.co/packages/7.x/apt'
@ -36,7 +37,7 @@ node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/elasticsearch/certs node_certs_destination: /etc/elasticsearch/certs
# CA generation # CA generation
master_certs_path: /es_certs master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true generate_CA: true
ca_key_name: "" ca_key_name: ""
ca_cert_name: "" ca_cert_name: ""

10
roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
View File

@ -18,16 +18,6 @@
- ansible_distribution == "Ubuntu" - ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14 - ansible_distribution_major_version | int == 14
- name: Update and upgrade apt packages
become: true
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Add Elasticsearch GPG key. - name: Debian/Ubuntu | Add Elasticsearch GPG key.
apt_key: apt_key:
url: "{{ elasticrepo.gpg }}" url: "{{ elasticrepo.gpg }}"

13
roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
View File

@ -102,6 +102,7 @@
state: directory state: directory
mode: 0700 mode: 0700
delegate_to: "127.0.0.1" delegate_to: "127.0.0.1"
become: no
when: when:
- node_certs_generator - node_certs_generator
@ -111,6 +112,7 @@
state: directory state: directory
mode: 0700 mode: 0700
delegate_to: "127.0.0.1" delegate_to: "127.0.0.1"
become: no
when: when:
- node_certs_generator - node_certs_generator
@ -139,6 +141,7 @@
src: "{{ master_certs_path }}/certs.zip" src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/" dest: "{{ master_certs_path }}/"
delegate_to: "127.0.0.1" delegate_to: "127.0.0.1"
become: no
when: when:
- node_certs_generator - node_certs_generator
tags: tags:
@ -149,6 +152,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: elasticsearch
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@ -164,6 +169,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: elasticsearch
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@ -178,9 +185,11 @@
- name: Ensuring folder permissions - name: Ensuring folder permissions
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
mode: 0774 owner: root
group: elasticsearch
mode: 0770
state: directory state: directory
recurse: yes recurse: no
when: when:
- elasticsearch_xpack_security - elasticsearch_xpack_security
- generate_CA - generate_CA

6
roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
View File

@ -6,6 +6,12 @@ path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true bootstrap.memory_lock: true
network.host: {{ elasticsearch_network_host }} network.host: {{ elasticsearch_network_host }}
{% if elasticsearch_path_repo | length>0 %}
path.repo:
{% for item in elasticsearch_path_repo %}
- {{ item }}
{% endfor %}
{% endif %}
{% if single_node %} {% if single_node %}
discovery.type: single-node discovery.type: single-node

2
roles/elastic-stack/ansible-kibana/README.md
View File

@ -37,7 +37,7 @@ Example Playbook
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

8
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 7.6.1 elastic_stack_version: 7.7.0
wazuh_version: 3.12.0 wazuh_version: 3.12.3
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
elasticrepo: elasticrepo:
@ -34,7 +34,7 @@ node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/kibana/certs node_certs_destination: /etc/kibana/certs
# CA Generation # CA Generation
master_certs_path: /es_certs master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true generate_CA: true
ca_cert_name: "" ca_cert_name: ""
@ -50,4 +50,4 @@ build_from_sources: false
wazuh_plugin_branch: 3.12-7.6 wazuh_plugin_branch: 3.12-7.6
#Nodejs NODE_OPTIONS #Nodejs NODE_OPTIONS
node_options: --max-old-space-size=4096 node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

30
roles/elastic-stack/ansible-kibana/tasks/main.yml
View File

@ -28,6 +28,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: kibana
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@ -42,6 +44,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: kibana
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@ -52,22 +56,14 @@
- not generate_CA - not generate_CA
tags: xpack-security tags: xpack-security
- name: Ensuring certificates folder owner - name: Ensuring certificates folder owner and permissions
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
state: directory state: directory
recurse: yes recurse: no
owner: kibana owner: kibana
group: kibana group: kibana
when:
- kibana_xpack_security
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
mode: 0770 mode: 0770
recurse: yes
when: when:
- kibana_xpack_security - kibana_xpack_security
notify: restart kibana notify: restart kibana
@ -136,12 +132,12 @@
- not build_from_sources - not build_from_sources
- name: Kibana optimization (can take a while) - name: Kibana optimization (can take a while)
shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args: args:
executable: /bin/bash executable: /bin/bash
creates: /usr/share/kibana/optimize/wazuh/
become: yes become: yes
become_user: kibana become_user: kibana
changed_when: false
tags: tags:
- skip_ansible_lint - skip_ansible_lint
@ -165,14 +161,20 @@
file: file:
path: /usr/share/kibana/optimize/wazuh/config/ path: /usr/share/kibana/optimize/wazuh/config/
state: directory state: directory
recurse: yes
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Configure Wazuh Kibana Plugin - name: Configure Wazuh Kibana Plugin
template: template:
src: wazuh.yml.j2 src: wazuh.yml.j2
dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
owner: kibana owner: kibana
group: root group: kibana
mode: 0644 mode: 0751
changed_when: False
- name: Reload systemd configuration - name: Reload systemd configuration
systemd: systemd:

58
roles/opendistro/opendistro-elasticsearch/defaults/main.yml Normal file
View File

@ -0,0 +1,58 @@
---
# The OpenDistro version
opendistro_version: 1.8.0
elasticsearch_cluster_name: wazuh-cluster
# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
minimum_master_nodes: 2
# Elasticsearch version
es_version: "7.3.2"
es_major_version: "7.x"
# Configure hostnames for Elasticsearch nodes
# Example es1.example.com, es2.example.com
domain_name: wazuh.com
# The OpenDistro package repository
package_repos:
yum:
opendistro:
baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
elasticsearch_oss:
baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
opendistro_conf_path: /etc/elasticsearch/
es_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
# Security password
opendistro_security_password: admin
# Set JVM memory limits
opendistro_jvm_xms: null
opendistro_http_port: 9200
certs_gen_tool_version: 1.7
# Url of Search Guard certificates generator tool
certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
opendistro_admin_password: changeme
opendistro_kibana_password: changeme
# Cluster Settings
single_node: true
opendistro_cluster_name: wazuh
local_certs_path: /tmp/opendistro-nodecerts

5
roles/opendistro/opendistro-elasticsearch/handlers/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: restart elasticsearch
service:
name: elasticsearch
state: restarted

24
roles/opendistro/opendistro-elasticsearch/meta/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Opendistro server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- web
- system
- monitoring

6
roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository:
name: opendistro_repo
state: absent
changed_when: false

38
roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml Normal file
View File

@ -0,0 +1,38 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository:
file: opendistro
name: opendistro_repo
description: Opendistro yum repository
baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository:
file: opendistro
name: elasticsearch_oss_repo
description: Elasticsearch-oss yum repository
baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install OpenJDK 11
yum:
name: java-11-openjdk-devel
state: present
- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
yum:
name: "{{ packages }}"
vars:
packages:
- wget
- unzip
tags:
- install

72
roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml Normal file
View File

@ -0,0 +1,72 @@
---
- block:
- name: Local action | Create local temporary directory for certificates generation
file:
path: "{{ local_certs_path }}"
state: directory
- name: Local action | Check that the generation tool exists
stat:
path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
register: tool_package
- name: Local action | Download certificates generation tool
get_url:
url: "{{ certs_gen_tool_url }}"
dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
when: not tool_package.stat.exists
- name: Local action | Extract the certificates generation tool
unarchive:
src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip"
dest: "{{ local_certs_path }}/"
- name: Local action | Add the execution bit to the binary
file:
dest: "{{ local_certs_path }}/tools/sgtlstool.sh"
mode: a+x
- name: Local action | Prepare the certificates generation template file
template:
src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml"
register: tlsconfig_template
- name: Create a directory if it does not exist
file:
path: "{{ local_certs_path }}/certs/"
state: directory
mode: '0755'
- name: Local action | Check if root CA file exists
stat:
path: "{{ local_certs_path }}/certs/root-ca.key"
register: root_ca_file
- name: Local action | Generate the node & admin certificates in local
command: >-
{{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-ca -crt
-t {{ local_certs_path }}/certs/
-f -o
when:
- not root_ca_file.stat.exists
- tlsconfig_template.changed
- name: Local action | Generate the node & admin certificates using an existing root CA
command: >-
{{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-crt
-t {{ local_certs_path }}/certs/
-f
when:
- root_ca_file.stat.exists
- tlsconfig_template.changed
run_once: true
delegate_to: localhost
tags:
- generate-certs

68
roles/opendistro/opendistro-elasticsearch/tasks/main.yml Normal file
View File

@ -0,0 +1,68 @@
---
- import_tasks: local_actions.yml
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Install OpenDistro
package:
name: opendistroforelasticsearch-{{ opendistro_version }}
state: present
register: install
tags: install
- name: Remove elasticsearch configuration file
file:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
state: absent
when: install.changed
tags: install
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
tags: install
- import_tasks: security_actions.yml
- name: Configure OpenDistro Elasticsearch JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options
owner: root
group: elasticsearch
mode: 0644
force: yes
notify: restart elasticsearch
tags: install
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
enabled: true
state: started
- name: Wait for Elasticsearch API
uri:
url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
tags: debug
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"

79
roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml Normal file
View File

@ -0,0 +1,79 @@
- block:
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ opendistro_conf_path }}/kirk.pem"
- "{{ opendistro_conf_path }}/kirk-key.pem"
- "{{ opendistro_conf_path }}/esnode.pem"
- "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
- name: Copy the OpenDistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
- name: Prepare the OpenDistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
- name: Copy the OpenDistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Set the Admin user password
shell: >
sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Set the kibanaserver role/user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Initialize the OpenDistro security index in elasticsearch
command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
tags:
- security
when: install.changed

22
roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 Normal file
View File

@ -0,0 +1,22 @@
cluster.name: "{{ opendistro_cluster_name }}"
node.name: "{{ inventory_hostname }}"
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
http.port: "{{ opendistro_http_port }}"
discovery.seed_hosts: ["{{ es_nodes }}"]
cluster.initial_master_nodes: ["{{ es_nodes }}"]
discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
opendistro_security.allow_default_init_securityindex: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

21
roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 Normal file
View File

@ -0,0 +1,21 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
admin:
hash: "{{ opendistro_admin_password }}"
reserved: true
backend_roles:
- "admin"
description: "admin user"
kibanaserver:
hash: "{{ opendistro_kibana_password }}"
reserved: true
description: "kibanaserver user"

117
roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 Normal file
View File

@ -0,0 +1,117 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if opendistro_jvm_xms is not none %}
{% if opendistro_jvm_xms < 32000 %}
-Xms{{ opendistro_jvm_xms }}m
-Xmx{{ opendistro_jvm_xms }}m
{% else %}
-Xms32000m
-Xmx32000m
{% endif %}
{% else %}
-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
{% endif %}
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
## optimizations
# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
## basic
# force the server VM
-server
# explicitly set the stack size
-Xss1m
# set to headless, just in case
-Djava.awt.headless=true
# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8
# use our provided JNA always versus the system one
-Djna.nosys=true
# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging
#-XX:+PrintGCDetails
#-XX:+PrintGCTimeStamps
#-XX:+PrintGCDateStamps
#-XX:+PrintClassHistogram
#-XX:+PrintTenuringDistribution
#-XX:+PrintGCApplicationStoppedTime
# log GC status to a file with time stamps
# ensure the directory exists
#-Xloggc:${loggc}
# By default, the GC log file will not rotate.
# By uncommenting the lines below, the GC log file
# will be rotated every 128MB at most 32 times.
#-XX:+UseGCLogFileRotation
#-XX:NumberOfGCLogFiles=32
#-XX:GCLogFileSize=128M

61
roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 Normal file
View File

@ -0,0 +1,61 @@
ca:
root:
dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
keysize: 2048
validityDays: 730
pkPassword: none
file: root-ca.pem
### Default values and global settings
defaults:
validityDays: 730
pkPassword: none
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
reuseTransportCertificatesForHttp: false
verifyHostnames: false
resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
{% for item in groups['es_cluster'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% if groups['kibana'] is defined and groups['kibana']|length > 0 %}
{% for item in groups['kibana'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% endif %}
{% if groups['managers'] is defined and groups['managers']|length > 0 %}
{% for item in groups['managers'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% endif %}
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: admin
dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
admin: true

62
roles/opendistro/opendistro-kibana/defaults/main.yml Normal file
View File

@ -0,0 +1,62 @@
---
elasticsearch_http_port: 9200
elasticsearch_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
elasticsearch_network_host: 172.16.0.161
elastic_api_protocol: https
kibana_conf_path: /etc/kibana
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
elastic_stack_version: 7.7.0
wazuh_version: 3.12.3
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
# The OpenDistro package repository
package_repos:
yum:
opendistro:
baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
elasticsearch_oss:
baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "http://localhost"
port: 55000
user: "foo"
password: "bar"
# opendistro Security
kibana_opendistro_security: true
kibana_newsfeed_enabled: "false"
kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false"
opendistro_security_user: elastic
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme
local_certs_path: /tmp/opendistro-nodecerts
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.12-7.6
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

3
roles/opendistro/opendistro-kibana/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: restart kibana
service: name=kibana state=restarted

6
roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository:
name: opendistro_repo
state: absent
changed_when: false

23
roles/opendistro/opendistro-kibana/tasks/RedHat.yml Normal file
View File

@ -0,0 +1,23 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository:
file: opendistro
name: opendistro_repo
description: Opendistro yum repository
baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
gpgcheck: true
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository:
file: opendistro
name: elasticsearch_oss_repo
description: Elasticsearch-oss yum repository
baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
gpgcheck: true
tags:
- install

76
roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml Normal file
View File

@ -0,0 +1,76 @@
---
- name: Ensure the Git package is present
package:
name: git
state: present
- name: Modify repo url if host is in Debian family
set_fact:
node_js_repo_type: deb
when:
- ansible_os_family | lower == "debian"
- name: Download script to install Nodejs repository
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh"
mode: 0700
- name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh
register: node_repo_installation_result
changed_when: false
- name: Install Nodejs
package:
name: nodejs
state: present
- name: Install yarn dependency to build the Wazuh Kibana Plugin
# Using shell due to errors when evaluating text between @ with command
shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
register: install_yarn_result
changed_when: install_yarn_result == 0
- name: Remove old wazuh-kibana-app git directory
file:
path: /tmp/app
state: absent
changed_when: false
- name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
register: clone_app_repo_result
changed_when: false
args:
chdir: "/tmp"
- name: Executing yarn to build the package
command: "{{ item }}"
with_items:
- "yarn"
- "yarn build"
register: yarn_execution_result
changed_when: false
args:
chdir: "/tmp/app/"
- name: Obtain name of generated package
shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
register: wazuhapp_package_name
changed_when: false
args:
chdir: "/tmp/app/build"
- name: Install Wazuh Plugin (can take a while)
shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint

133
roles/opendistro/opendistro-kibana/tasks/main.yml Normal file
View File

@ -0,0 +1,133 @@
---
- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
fail:
msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
when:
- build_from_sources
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Reload systemd
systemd:
daemon_reload: true
ignore_errors: true
when:
- not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Install Kibana
package:
name: opendistroforelasticsearch-kibana
state: present
register: install
tags: install
- name: Remove Kibana configuration file
file:
path: "{{ kibana_conf_path }}/kibana.yml"
state: absent
when: install.changed
tags: install
- import_tasks: security_actions.yml
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
dest: "{{ kibana_conf_path }}/kibana.yml"
create: true
group: kibana
owner: kibana
mode: 0640
marker: "## {mark} Kibana general settings ##"
notify: restart kibana
tags:
- install
- configure
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: >-
NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install
{{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Kibana optimization (can take a while)
shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args:
executable: /bin/bash
become: yes
become_user: kibana
changed_when: false
tags:
- skip_ansible_lint
- name: Wait for Elasticsearch port
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
- name: Select correct API protocol
set_fact:
elastic_api_protocol: "{% if kibana_opendistro_security is defined and kibana_opendistro_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh"
method: DELETE
user: "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200, 404
- name: Create wazuh plugin config directory
file:
path: /usr/share/kibana/optimize/wazuh/config/
state: directory
recurse: yes
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Configure Wazuh Kibana Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Reload systemd configuration
systemd:
daemon_reload: true
- name: Ensure Kibana started and enabled
service:
name: kibana
enabled: true
state: started
- import_tasks: RMRedHat.yml
when: ansible_os_family == 'RedHat'

13
roles/opendistro/opendistro-kibana/tasks/security_actions.yml Normal file
View File

@ -0,0 +1,13 @@
- block:
- name: Copy the certificates from local to the Kibana instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /usr/share/kibana
mode: 0644
with_items:
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
tags:
- security
when: install.changed

38
roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 Normal file
View File

@ -0,0 +1,38 @@
# {{ ansible_managed }}
# Description:
# Default Kibana configuration for Open Distro.
server.port: {{ kibana_server_port }}
#server.basePath: ""
server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
server.name: {{ kibana_server_name }}
server.host: {{ kibana_server_host }}
{% if kibana_opendistro_security %}
elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% else %}
elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% endif %}
elasticsearch.username: {{ opendistro_kibana_user }}
elasticsearch.password: {{ opendistro_kibana_password }}
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
# OpenDistro Security
{% if kibana_opendistro_security %}
server.ssl.enabled: true
server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem"
server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"
{% endif %}
newsfeed.enabled: {{ kibana_newsfeed_enabled }}
telemetry.optIn: {{ kibana_telemetry_optin }}
telemetry.enabled: {{ kibana_telemetry_enabled }}

134
roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 Normal file
View File

@ -0,0 +1,134 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2019 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-3.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-3.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-3.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-3.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
user: {{ api['user'] }}
password: {{ api['password'] }}
{% endfor %}

39
roles/wazuh/ansible-filebeat-oss/README.md Normal file
View File

@ -0,0 +1,39 @@
Ansible Role: Filebeat for Elastic Stack
------------------------------------
An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
```
License and copyright
---------------------
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-filebeat
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

30
roles/wazuh/ansible-filebeat-oss/defaults/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
filebeat_version: 7.7.0
filebeat_create_config: true
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
elasticsearch_security_user: admin
elasticsearch_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_security_user: admin
filebeat_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (OpenDistro security plugin)
local_certs_path: /tmp/opendistro-nodecerts
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

3
roles/wazuh/ansible-filebeat-oss/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: restart filebeat
service: name=filebeat state=restarted

29
roles/wazuh/ansible-filebeat-oss/meta/main.yml Normal file
View File

@ -0,0 +1,29 @@
---
dependencies: []
galaxy_info:
author: Wazuh
description: Installing and maintaining Filebeat-oss.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- all
- name: Debian
versions:
- jessie
- name: Ubuntu
versions:
- precise
- trusty
- xenial
galaxy_tags:
- web
- system
- monitoring

22
roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt:
name:
- apt-transport-https
- ca-certificates
state: present
register: filebeat_ca_packages_install
until: filebeat_ca_packages_install is succeeded
- name: Debian/Ubuntu | Add Elasticsearch apt key.
apt_key:
url: "{{ elasticrepo.gpg }}"
id: "{{ elasticrepo.key_id }}"
state: present
- name: Debian/Ubuntu | Add Filebeat-oss repository.
apt_repository:
repo: "deb {{ elasticrepo.apt }} stable main"
state: present
update_cache: true
changed_when: false

6
roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository:
repo: "deb {{ elasticrepo.apt }} stable main"
state: absent
changed_when: false

6
roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository:
name: elastic_oss-repo_7
state: absent
changed_when: false

9
roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository:
name: elastic_oss-repo_7
description: Elastic repository for 7.x packages
baseurl: "{{ elasticrepo.yum }}"
gpgkey: "{{ elasticrepo.gpg }}"
gpgcheck: true
changed_when: false

22
roles/wazuh/ansible-filebeat-oss/tasks/config.yml Normal file
View File

@ -0,0 +1,22 @@
---
- block:
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags:
- configure

67
roles/wazuh/ansible-filebeat-oss/tasks/main.yml Normal file
View File

@ -0,0 +1,67 @@
---
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat
package:
name: filebeat
state: present
register: install
tags:
- install
- init
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpack Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
notify: restart filebeat
- include_tasks: security_actions.yml
when: filebeat_security
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

28
roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml Normal file
View File

@ -0,0 +1,28 @@
- block:
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
mode: 0644
with_items:
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "root-ca.pem"
- name: Ensuring folder & certs permissions
file:
path: "{{ filebeat_ssl_dir }}/"
mode: 0774
state: directory
recurse: yes
tags:
- security
when:
- filebeat_security

1800
roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

32
roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 Normal file
View File

@ -0,0 +1,32 @@
# Wazuh - Filebeat configuration file
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
{% if filebeat_security %}
username: {{ elasticsearch_security_user }}
password: {{ elasticsearch_security_password }}
protocol: https
ssl.certificate_authorities:
- {{ filebeat_ssl_dir }}/root-ca.pem
ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem"
ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key"
{% endif %}
# Optional. Send events to Logstash instead of Elasticsearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]

2
roles/wazuh/ansible-filebeat/README.md
View File

@ -28,7 +28,7 @@ Available variables are listed below, along with default values (see `defaults/m
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

6
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
filebeat_version: 7.6.1 filebeat_version: 7.7.0
filebeat_create_config: true filebeat_create_config: true
@ -22,10 +22,8 @@ filebeat_enable_logging: true
filebeat_log_level: debug filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: "" filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false" filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
@ -46,7 +44,7 @@ node_certs_destination: /etc/filebeat/certs
# CA Generation # CA Generation
master_certs_path: /es_certs master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true generate_CA: true
ca_cert_name: "" ca_cert_name: ""

19
roles/wazuh/ansible-filebeat/tasks/config.yml
View File

@ -18,22 +18,3 @@
mode: 0400 mode: 0400
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
when: filebeat_ssl_key_file
tags: configure
- name: Copy SSL key and cert for filebeat.
copy:
src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0400
with_items:
- "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}"
notify: restart filebeat
when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
tags: configure

11
roles/wazuh/ansible-filebeat/tasks/main.yml
View File

@ -30,6 +30,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: root
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
@ -44,6 +46,8 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ node_certs_destination }}/" dest: "{{ node_certs_destination }}/"
owner: root
group: root
mode: 0440 mode: 0440
with_items: with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
@ -57,9 +61,9 @@
- name: Ensuring folder & certs permissions - name: Ensuring folder & certs permissions
file: file:
path: "{{ node_certs_destination }}/" path: "{{ node_certs_destination }}/"
mode: 0774 mode: 0770
state: directory state: directory
recurse: yes recurse: no
when: when:
- filebeat_xpack_security - filebeat_xpack_security
tags: xpack-security tags: xpack-security
@ -69,14 +73,13 @@
path: "{{ filebeat_module_folder }}" path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder register: filebeat_module_folder
- name: Download Filebeat module package - name: Download Filebeat module package
get_url: get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}" dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists when: not filebeat_module_folder.stat.exists
- name: Unpakcing Filebeat module package - name: Unpack Filebeat module package
unarchive: unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}" dest: "{{ filebeat_module_destination }}"

3
roles/wazuh/ansible-filebeat/tests/requirements.yml
View File

@ -1,3 +0,0 @@
---
- src: geerlingguy.java
- src: geerlingguy.elasticsearch

20
roles/wazuh/ansible-filebeat/tests/test.yml
View File

@ -1,20 +0,0 @@
---
- hosts: all
pre_tasks:
- name: Update apt cache.
apt:
cache_valid_time: 600
when: ansible_os_family == 'Debian'
- name: Install test dependencies (RedHat).
package: name=which state=present
when: ansible_os_family == 'RedHat'
- name: Install test dependencies.
package: name=curl state=present
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
- role_under_test

12
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
wazuh_agent_version: 3.12.0-1 wazuh_agent_version: 3.12.3-1
# Custom packages installation # Custom packages installation
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
wazuh_agent_sources_installation: wazuh_agent_sources_installation:
enabled: false enabled: false
branch: "v3.12.0" branch: "v3.12.3"
user_language: "y" user_language: "y"
user_no_stop: "y" user_no_stop: "y"
user_install_type: "agent" user_install_type: "agent"
@ -39,6 +39,7 @@ wazuh_managers:
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: null api_user: null
wazuh_api_reachable_from_agent: false
wazuh_profile_centos: 'centos, centos7, centos7.6' wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes' wazuh_auto_restart: 'yes'
@ -63,9 +64,9 @@ wazuh_winagent_config:
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise # Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_md5: True check_md5: True
md5: 91efaefae4e1977670eab0c768a22a93 md5: 4ae4e930d3ae9d572b07cd9e7207d783
wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.0-1.msi wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi
wazuh_winagent_package_name: wazuh-agent-3.12.0-1.msi wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi
wazuh_agent_config: wazuh_agent_config:
repo: repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
@ -86,7 +87,6 @@ wazuh_agent_config:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no' auto_ignore: 'no'
alert_new_files: 'yes'
win_audit_interval: 60 win_audit_interval: 60
skip_nfs: 'yes' skip_nfs: 'yes'
skip_dev: 'yes' skip_dev: 'yes'

20
roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
View File

@ -131,14 +131,15 @@
user: "{{ wazuh_managers.0.api_user }}" user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}" password: "{{ api_pass }}"
register: newagent_api register: newagent_api
notify: restart wazuh-agent delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
vars: become: no
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}" changed_when: newagent_api.json.error == 0
when: when:
- not check_keys.stat.exists or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none - wazuh_managers.0.address is not none
become: false tags:
ignore_errors: true - config
- api
- name: Linux | Retrieve new agent data via rest-API - name: Linux | Retrieve new agent data via rest-API
uri: uri:
@ -155,8 +156,11 @@
- wazuh_agent_authd.registration_address is not none - wazuh_agent_authd.registration_address is not none
- newagent_api.json.error == 0 - newagent_api.json.error == 0
register: newagentdata_api register: newagentdata_api
delegate_to: localhost delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
become: false become: no
tags:
- config
- api
- name: Linux | Register agent (via rest-API) - name: Linux | Register agent (via rest-API)
command: /var/ossec/bin/manage_agents command: /var/ossec/bin/manage_agents

20
roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -27,30 +27,14 @@
- not wazuh_agent_sources_installation.enabled - not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled - not wazuh_custom_packages_installation_agent_enabled
- name: RedHat/CentOS/Fedora | download Oracle Java RPM - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
get_url: yum: name=java-1.8.0-openjdk state=present
url: https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
until: oracle_java_task_rpm_download is succeeded
when: when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
tags: tags:
- init - init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
register: wazuh_agent_java_package_install
until: wazuh_agent_java_package_install is succeeded
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5 - name: Set Distribution CIS filename for RHEL5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt

1
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -201,7 +201,6 @@
{% if wazuh_agent_config.syscheck is defined %} {% if wazuh_agent_config.syscheck is defined %}
<syscheck> <syscheck>
<disabled>no</disabled> <disabled>no</disabled>
<!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %} {% if ansible_system == "Linux" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>

2
roles/wazuh/ansible-wazuh-manager/README.md
View File

@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi ### Based on previous work from dj-wasabi

41
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,21 +1,21 @@
--- ---
wazuh_manager_version: 3.12.0-1 wazuh_manager_version: 3.12.3-1
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present wazuh_manager_package_state: present
# Custom packages installation # Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-manager_3.12.0-0.3319fimreworksqlite_amd64.deb" wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-manager-3.12.0-0.3319fimreworksqlite.x86_64.rpm" wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_enabled: false wazuh_custom_packages_installation_api_enabled: false
wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-api_3.12.0-0.3319fimreworksqlite_amd64.deb" wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-api-3.12.0-0.3319fimreworksqlite.x86_64.rpm" wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
# Sources installation # Sources installation
wazuh_manager_sources_installation: wazuh_manager_sources_installation:
enabled: false enabled: false
branch: "v3.12.0" branch: "v3.12.3"
user_language: "en" user_language: "en"
user_no_stop: "y" user_no_stop: "y"
user_install_type: "server" user_install_type: "server"
@ -40,7 +40,7 @@ wazuh_manager_sources_installation:
wazuh_api_sources_installation: wazuh_api_sources_installation:
enabled: false enabled: false
branch: "v3.12.0" branch: "v3.12.3"
update: "y" update: "y"
remove: "y" remove: "y"
directory: null directory: null
@ -152,7 +152,6 @@ wazuh_manager_config:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no' auto_ignore: 'no'
alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/hosts.deny - /etc/hosts.deny
@ -236,7 +235,6 @@ wazuh_manager_config:
providers: providers:
- enabled: 'no' - enabled: 'no'
os: os:
- 'precise'
- 'trusty' - 'trusty'
- 'xenial' - 'xenial'
- 'bionic' - 'bionic'
@ -355,6 +353,29 @@ wazuh_manager_config:
- server: null - server: null
port: null port: null
format: null format: null
integrations:
#slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
#pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
labels: labels:
enable: false enable: false
list: list:
@ -367,7 +388,6 @@ wazuh_manager_config:
# syscheck: # syscheck:
# frequency: 43200 # frequency: 43200
# scan_on_start: 'yes' # scan_on_start: 'yes'
# alert_new_files: 'yes'
# ignore: # ignore:
# - /etc/mtab # - /etc/mtab
# - /etc/mnttab # - /etc/mnttab
@ -398,7 +418,6 @@ wazuh_manager_config:
# frequency: 43200 # frequency: 43200
# scan_on_start: 'yes' # scan_on_start: 'yes'
# auto_ignore: 'no' # auto_ignore: 'no'
# alert_new_files: 'yes'
# windows_registry: # windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both' # arch: 'both'

20
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -62,25 +62,6 @@
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module
pip: name=cryptography state=present
register: wazuh_manager_cryptography_package_installed
until: wazuh_manager_cryptography_package_installed is succeeded
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present
register: wazuh_manager_cryptography_package_installed
until: wazuh_manager_cryptography_package_installed is succeeded
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
yum: name=java-1.8.0-openjdk state=present yum: name=java-1.8.0-openjdk state=present
when: when:
@ -168,4 +149,3 @@
- ansible_distribution_major_version|int < 6 - ansible_distribution_major_version|int < 6
tags: tags:
- init - init

2
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml
View File

@ -123,7 +123,7 @@
path: /var/ossec/api/app.js path: /var/ossec/api/app.js
register: wazuh_api register: wazuh_api
when: when:
- wazuh_manager_config.cluster.node_type == "master" - wazuh_manager_config.cluster.node_type == "master" or wazuh_manager_config.cluster.node_type == "worker"
- name: Install Wazuh API from sources - name: Install Wazuh API from sources
block: block:

8
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -106,7 +106,7 @@
- name: Installing the local_rules.xml (default local_rules.xml) - name: Installing the local_rules.xml (default local_rules.xml)
template: src=var-ossec-rules-local_rules.xml.j2 template: src=var-ossec-rules-local_rules.xml.j2
dest=/var/ossec/etc/rules/local_rules.xml dest=/var/ossec/etc/rules/local_rules.xml
owner=root owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
notify: restart wazuh-manager notify: restart wazuh-manager
@ -118,7 +118,7 @@
- name: Adding local rules files - name: Adding local rules files
copy: src="{{ wazuh_manager_config.ruleset.rules_path }}" copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
dest=/var/ossec/etc/rules/ dest=/var/ossec/etc/rules/
owner=root owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
notify: restart wazuh-manager notify: restart wazuh-manager
@ -130,7 +130,7 @@
- name: Installing the local_decoder.xml - name: Installing the local_decoder.xml
template: src=var-ossec-rules-local_decoder.xml.j2 template: src=var-ossec-rules-local_decoder.xml.j2
dest=/var/ossec/etc/decoders/local_decoder.xml dest=/var/ossec/etc/decoders/local_decoder.xml
owner=root owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
notify: restart wazuh-manager notify: restart wazuh-manager
@ -142,7 +142,7 @@
- name: Adding local decoders files - name: Adding local decoders files
copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}" copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
dest=/var/ossec/etc/decoders/ dest=/var/ossec/etc/decoders/
owner=root owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
notify: restart wazuh-manager notify: restart wazuh-manager

50
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -294,7 +294,6 @@
<!-- File integrity monitoring --> <!-- File integrity monitoring -->
<syscheck> <syscheck>
<disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled> <disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
@ -544,6 +543,55 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if wazuh_manager_config.integrations is defined %}
{% for integration in wazuh_manager_config.integrations %}
{% if integration.name is not none %}
<!-- Integration with {{ integration.name }} -->
<integration>
<name>{{ integration.name }}</name>
{% if integration.hook_url is defined %}
<hook_url>{{ integration.hook_url }}</hook_url>
{% endif %}
{% if integration.api_key is defined %}
<api_key>{{ integration.api_key }}</api_key>
{% endif %}
{% if integration.alert_format is defined %}
<alert_format>{{ integration.alert_format }}</alert_format>
{% endif %}
{% if integration.alert_level is defined %}
<level>{{ integration.alert_level }}</level>
{% endif %}
{% if integration.rule_id is defined %}
<rule_id>{{ integration.rule_id }}</rule_id>
{% endif %}
</integration>
{% endif %}
{% endfor %}
{% endif %}
{% if monitor_aws is defined and monitor_aws.disabled == "no" %}
<!-- S3 -->
<wodle name="aws-s3">
<disabled>{{ monitor_aws.disabled }}</disabled>
<interval>{{ monitor_aws.interval }}</interval>
<run_on_start>{{ monitor_aws.run_on_start }}</run_on_start>
<skip_on_error>{{ monitor_aws.skip_on_error }}</skip_on_error>
{% for bucket in monitor_aws.s3 %}
<bucket type="{{ bucket.bucket_type }}">
<name>{{ bucket.name }}</name>
{% if bucket.path is defined %}
<path>{{ bucket.path }}</path>
{% endif %}
{% if bucket.only_logs_after is defined %}
<only_logs_after>{{ bucket.only_logs_after }}</only_logs_after>
{% endif %}
<access_key>{{ bucket.access_key }}</access_key>
<secret_key>{{ bucket.secret_key }}</secret_key>
</bucket>
{% endfor %}
</wodle>
{% endif %}
{% if wazuh_manager_config.labels.enable == true %} {% if wazuh_manager_config.labels.enable == true %}
<labels> <labels>
{% for label in wazuh_manager_config.labels.list %} {% for label in wazuh_manager_config.labels.list %}

1
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -7,7 +7,6 @@
{% if agent_config.syscheck.auto_ignore is defined %} {% if agent_config.syscheck.auto_ignore is defined %}
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore> <auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
{% endif %} {% endif %}
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<frequency>{{ agent_config.syscheck.frequency }}</frequency> <frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>