diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 8706a992..19b56f5d 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -55,17 +55,10 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: 8ffa75d13280f1aa6ffca54f4273df4d -wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi wazuh_winagent_package_name: wazuh-agent-4.3.0-1.msi wazuh_dir: "/var/ossec" -wazuh_agent_repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' - # This is deprecated, see: wazuh_agent_address wazuh_agent_nat: false @@ -367,7 +360,7 @@ wazuh_agent_log_format: 'plain' # wazuh_agent_config wazuh_agent_config_defaults: - repo: '{{ wazuh_agent_repo }}' + repo: '{{ wazuh_repo }}' active_response: '{{ wazuh_agent_active_response }}' log_format: '{{ wazuh_agent_log_format }}' client_buffer: '{{ wazuh_agent_client_buffer }}' diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml index d9b3e255..37ab9afd 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml @@ -14,7 +14,7 @@ become: true shell: | set -o pipefail - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add - args: warn: false executable: /bin/bash diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml index 43aa2ca3..9c433e0f 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml 
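Review bot: In roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml the signing key is now fetched from a variable URL and piped into `apt-key add -` with nothing checking which key arrived, although `wazuh_repo` carries a `key_id`. `curl -s` has no `--fail`, and the URL is interpolated unquoted into the shell line. Where the `apt_key` module is usable, I would pass `url: "{{ wazuh_agent_config.repo.gpg }}"` together with `id: "{{ wazuh_agent_config.repo.key_id }}"`, which as far as I know makes the task fail when the expected key is not among those imported. Otherwise use `curl -fsS "{{ wazuh_agent_config.repo.gpg }}"` and compare the fingerprint before adding the key. The manager `Debian.yml` hunk has the same pipeline, and the `apt_key` tasks in the dashboard and indexer `Debian.yml` hunks lack the `id:` line; the task's name and `when:` are outside this hunk, so the reason for using `shell` is not visible.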
@@ -1,5 +1,16 @@ --- +- name: Get latest Wazuh release + shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" + register: wazuh_latest_release + delegate_to: localhost + +- include_vars: ../../vars/repo.yml + when: "{{ wazuh_latest_release.stdout is version(wazuh_agent_version, operator='ge') }}" + +- include_vars: ../../vars/repo_dev.yml + when: "{{ wazuh_latest_release.stdout is version(wazuh_agent_version, operator='lt') }}" + - name: Overlay wazuh_agent_config on top of defaults set_fact: wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 2e694ab5..3dc5b2d5 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -37,12 +37,6 @@ wazuh_manager_sources_installation: threads: "2" wazuh_dir: "/var/ossec" -wazuh_manager_repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' - ########################################## ### Wazuh-OSSEC @@ -421,7 +415,7 @@ wazuh_manager_config_overlay: true ## Other/Wrappers wazuh_manager_config_defaults: - repo: '{{ wazuh_manager_repo }}' + repo: '{{ wazuh_repo }}' json_output: '{{ wazuh_manager_json_output }}' alerts_log: '{{ wazuh_manager_alerts_log }}' logall: '{{ wazuh_manager_logall }}' diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml index 717add8c..ee903eb9 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml 
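Review bot: In roles/wazuh/ansible-wazuh-agent/tasks/main.yml the repository choice fails open: the `curl --silent … | grep | sed | cut` pipeline has no `--fail` and no `pipefail`, so a rate-limited or unreachable GitHub API leaves `stdout` empty and the task still succeeds. Depending on the Ansible version, an empty string either raises in the `version` test or compares as lower than `wazuh_agent_version`, and the latter loads `repo_dev.yml` and points the host at the `packages-dev.wazuh.com` pre-release repository. The same block is repeated in the manager, dashboard and indexer `tasks/main.yml` hunks, there without `delegate_to: localhost`, so every managed host makes its own unauthenticated API call. I would fetch the tag with `uri`, once, on the controller, and assert its shape before either `include_vars` runs, as sketched below.

```yaml
- name: Get latest Wazuh release
  uri:
    url: https://api.github.com/repos/wazuh/wazuh/releases/latest
  register: wazuh_latest_release
  delegate_to: localhost
  run_once: true
  check_mode: false

- name: Stop when the release tag is missing or malformed
  assert:
    that:
      - wazuh_latest_release.json.tag_name is match('^v[0-9]+([.][0-9]+)+$')
    fail_msg: 'Could not determine the latest Wazuh release; refusing to choose a package repository.'
  run_once: true

- include_vars: ../../vars/repo.yml
  when: wazuh_latest_release.json.tag_name[1:] is version(wazuh_agent_version, operator='ge')

- include_vars: ../../vars/repo_dev.yml
  when: wazuh_latest_release.json.tag_name[1:] is version(wazuh_agent_version, operator='lt')

# … unchanged: Overlay wazuh_agent_config on top of defaults …
```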
@@ -16,7 +16,7 @@ become: true shell: | set -o pipefail - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + curl -s {{ wazuh_manager_config.repo.gpg }} | apt-key add - args: warn: false executable: /bin/bash diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml index d7a4c8d3..b873b021 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml @@ -35,7 +35,8 @@ until: wazuh_manager_openscp_packages_installed is succeeded tags: - init - when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") and + not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") - name: CentOS 6 | Install Software Collections (SCL) Repository package: name=centos-release-scl state=present diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index 65ded135..08698f73 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -1,5 +1,15 @@ --- +- name: Get latest wazuh release + shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" + register: wazuh_latest_release + +- include_vars: ../../vars/repo.yml + when: "{{ wazuh_latest_release.stdout is version(wazuh_manager_version, operator='ge') }}" + +- include_vars: ../../vars/repo_dev.yml + when: "{{ wazuh_latest_release.stdout is version(wazuh_manager_version, operator='lt') }}" + - name: Overlay wazuh_manager_config on top of defaults set_fact: wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}' 
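Review bot: The `when:` conditions added in roles/wazuh/ansible-wazuh-manager/tasks/main.yml wrap the whole expression in `{{ }}`, which Ansible warns about because `when` is already evaluated as a Jinja expression. Write them bare, e.g. `when: wazuh_latest_release.stdout is version(wazuh_manager_version, operator='ge')`, and likewise for the `lt` branch. The agent, dashboard and indexer `tasks/main.yml` hunks use the same form. The two `include_vars` tasks also have no `name:`, so a run log gives no hint of which repository file was chosen; names such as `Use the release package repository` and `Use the pre-release package repository` would help.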
@@ -26,7 +36,8 @@ name: expect state: "{{ wazuh_manager_package_state }}" when: - - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) + - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) and + not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8) tags: init - name: Generate SSL files for authd diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml b/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml index 6dcf5df9..824e6926 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml @@ -2,7 +2,7 @@ - name: Debian/Ubuntu | Remove Wazuh repository. apt_repository: - repo: deb https://packages.wazuh.com/4.x/apt {{ ansible_distribution_release }} main + repo: "{{ wazuh_manager_config.repo.apt }}" state: absent changed_when: false when: ansible_os_family == "Debian" diff --git a/roles/wazuh/vars/repo.yml b/roles/wazuh/vars/repo.yml new file mode 100644 index 00000000..08dd3255 --- /dev/null +++ b/roles/wazuh/vars/repo.yml @@ -0,0 +1,11 @@ +wazuh_repo: + apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + yum: 'https://packages.wazuh.com/4.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' +wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi + +certs_gen_tool_version: 4.3 + +# Url of certificates generator tool +certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh" \ No newline at end of file diff --git a/roles/wazuh/vars/repo_dev.yml b/roles/wazuh/vars/repo_dev.yml new file mode 100644 index 00000000..25d83315 --- /dev/null +++ b/roles/wazuh/vars/repo_dev.yml 
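Review bot: The condition added to the `expect` task in roles/wazuh/ansible-wazuh-manager/tasks/main.yml is appended with a trailing `and` inside a single list item, which relies on YAML folding the next line into the same scalar. Entries of a `when:` list are already AND-ed, so a second item reads more clearly: `- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8)`. The CentOS 8 test in the manager `RedHat.yml` hunk compares `ansible_distribution == "CentOS"` and the version against the string `"8"`; one spelling in both places would keep the two from drifting apart. The task's first lines are outside the hunk.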
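Review bot: With `state: absent`, the `repo:` value in roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml now resolves to whichever of `repo.yml` / `repo_dev.yml` the latest-release lookup selects at uninstall time, not to the entry written at install time. A host installed from the pre-release repository before its version was published would later be asked to remove the `stable` line, leaving the `unstable` source configured. This assumes `wazuh_manager_config` is built the same way on the uninstall path, which the hunk does not show. Consider removing both known repository lines here, or documenting with a comment such as `# removes only the repository selected by the current release lookup`.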
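Review bot: Moving `wazuh_repo` and `wazuh_winagent_config_url` from role defaults into roles/wazuh/vars/repo.yml, loaded with `include_vars`, raises their precedence above inventory, group and host variables. A site that pointed the role at an internal mirror by overriding the old `wazuh_agent_repo`, `wazuh_manager_repo` or `package_repos` keys would silently get the public URLs again. If that override path is meant to remain, keep overridable defaults and merge the included values under them, or state in a header comment that only extra vars can override these values now. Separately, `certs_gen_tool_version: 4.3` is an unquoted float; `certs_gen_tool_version: "4.3"` keeps a later value such as `4.10` from being read as `4.1`. The file also ends without a trailing newline.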
@@ -0,0 +1,11 @@ +wazuh_repo: + apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + yum: 'https://packages-dev.wazuh.com/pre-release/yum/' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' +wazuh_winagent_config_url: https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.0-1.msi + +certs_gen_tool_version: 4.3 + +# Url of certificates generator tool +certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh" \ No newline at end of file diff --git a/roles/wazuh/wazuh-dashboard/defaults/main.yml b/roles/wazuh/wazuh-dashboard/defaults/main.yml index 7e50fb26..64e50752 100644 --- a/roles/wazuh/wazuh-dashboard/defaults/main.yml +++ b/roles/wazuh/wazuh-dashboard/defaults/main.yml @@ -15,16 +15,6 @@ indexer_cluster_nodes: # The Wazuh dashboard package repository dashboard_version: "4.3.0" -package_repos: - yum: - dashboard: - baseurl: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - apt: - dashboard: - baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - # API credentials wazuh_api_credentials: - id: "default" diff --git a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml index 2d6c67b7..f41b3671 100644 --- a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml +++ b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml @@ -4,12 +4,12 @@ - include_vars: debian.yml - name: Add apt repository signing key apt_key: - url: "{{ package_repos.apt.dashboard.gpg }}" + url: "{{ wazuh_repo.gpg }}" state: present - name: Debian systems | Add Wazuh dashboard repo apt_repository: - repo: "{{ package_repos.apt.dashboard.baseurl }}" + repo: "{{ wazuh_repo.apt }}" state: present update_cache: yes 
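Review bot: In roles/wazuh/vars/repo_dev.yml the pre-release values change the download host for two artifacts that are fetched outside the package manager, `wazuh_winagent_config_url` (the MSI) and `certs_gen_tool_url` (a shell script), and nothing in this file pins their contents. The only integrity value visible in the diff is the single `md5` under `wazuh_winagent_config` in the agent defaults, which is not varied per repository and uses MD5. I would add a SHA-256 next to each URL, e.g. `wazuh_winagent_config_sha256: '<sha256 of the MSI>'`, and verify it where the files are downloaded; those tasks are not part of this diff. A header comment saying that this file selects pre-release packages and under which condition it is loaded would also help operators.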
diff --git a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml index 994f2a0f..39900d43 100644 --- a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml +++ b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml @@ -6,8 +6,8 @@ file: wazuh name: wazuh_repo description: Wazuh yum repository - baseurl: "{{ package_repos.yum.dashboard.baseurl }}" - gpgkey: "{{ package_repos.yum.dashboard.gpg }}" + baseurl: "{{ wazuh_repo.yum }}" + gpgkey: "{{ wazuh_repo.gpg }}" gpgcheck: true - name: Install Wazuh dashboard diff --git a/roles/wazuh/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml index c477df58..ac451b3d 100755 --- a/roles/wazuh/wazuh-dashboard/tasks/main.yml +++ b/roles/wazuh/wazuh-dashboard/tasks/main.yml @@ -1,4 +1,13 @@ --- +- name: Get latest wazuh release + shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" + register: wazuh_latest_release + +- include_vars: ../../vars/repo.yml + when: "{{ wazuh_latest_release.stdout is version(dashboard_version, operator='ge') }}" + +- include_vars: ../../vars/repo_dev.yml + when: "{{ wazuh_latest_release.stdout is version(dashboard_version, operator='lt') }}" - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' diff --git a/roles/wazuh/wazuh-indexer/defaults/main.yml b/roles/wazuh/wazuh-indexer/defaults/main.yml index e2a4bb48..f5c4e07e 100644 --- a/roles/wazuh/wazuh-indexer/defaults/main.yml +++ b/roles/wazuh/wazuh-indexer/defaults/main.yml 
@@ -26,19 +26,6 @@ minimum_master_nodes: 2 # Example es1.example.com, es2.example.com domain_name: wazuh.com -# The Wazuh indexer package repository -package_repos: - yum: - indexer: - baseurl: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - apt: - indexer: - baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - openjdk: - baseurl: 'deb http://deb.debian.org/debian stretch-backports main' - indexer_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools indexer_conf_path: /etc/wazuh-indexer/ @@ -53,11 +40,6 @@ indexer_jvm_xms: null indexer_http_port: 9200 -certs_gen_tool_version: 4.3 - -# Url of certificates generator tool -certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh" - indexer_admin_password: changeme dashboard_password: changeme diff --git a/roles/wazuh/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml index 7e67fb2f..2c2b370b 100644 --- a/roles/wazuh/wazuh-indexer/tasks/Debian.yml +++ b/roles/wazuh/wazuh-indexer/tasks/Debian.yml 
@@ -16,35 +16,16 @@ ] state: present - - name: Add the repository key for Debian's Stretch Backports repository - ansible.builtin.apt_key: - keyserver: keyserver.ubuntu.com - id: 648ACFD622F3D138 - - - name: Add openjdk repository - apt_repository: - repo: "{{ package_repos.apt.openjdk.baseurl }}" - state: present - update_cache: yes - filename: 'wazuh-openjdk' - -- name: Install openjdk-11-jdk - apt: - name: openjdk-11-jdk - state: present - environment: - JAVA_HOME: /usr - - name: Add Wazuh indexer repository block: - name: Add apt repository signing key apt_key: - url: "{{ package_repos.apt.indexer.gpg }}" + url: "{{ wazuh_repo.gpg }}" state: present - name: Add Wazuh indexer repository apt_repository: - repo: "{{ package_repos.apt.indexer.baseurl }}" + repo: "{{ wazuh_repo.apt }}" state: present filename: 'wazuh-indexer' update_cache: yes diff --git a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml index 4bb1ca05..53a67ab6 100644 --- a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml +++ b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml @@ -6,28 +6,20 @@ file: wazuh name: wazuh_repo description: Wazuh yum repository - baseurl: "{{ package_repos.yum.indexer.baseurl }}" - gpgkey: "{{ package_repos.yum.indexer.gpg }}" + baseurl: "{{ wazuh_repo.yum }}" + gpgkey: "{{ wazuh_repo.gpg }}" gpgcheck: true changed_when: false - - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: - name: java-11-openjdk-devel - state: present - when: - - ansible_distribution != 'Amazon' - - name: Amazon Linux | Install OpenJDK 11 + + - name: Amazon Linux | Install Amazon extras block: - name: Install Amazon extras yum: name: amazon-linux-extras state: present - - name: Install OpenJDK 11 - shell: amazon-linux-extras install java-openjdk11 -y - - name: Configure vm.max_map_count lineinfile: line: "vm.max_map_count=262144" diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml index 03316b38..0e18d05f 100644 
--- a/roles/wazuh/wazuh-indexer/tasks/main.yml +++ b/roles/wazuh/wazuh-indexer/tasks/main.yml @@ -1,4 +1,13 @@ --- +- name: Get latest wazuh release + shell: "curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\\1/'| cut -c 2-" + register: wazuh_latest_release + +- include_vars: ../../vars/repo.yml + when: "{{ wazuh_latest_release.stdout is version(indexer_version, operator='ge') }}" + +- include_vars: ../../vars/repo_dev.yml + when: "{{ wazuh_latest_release.stdout is version(indexer_version, operator='lt') }}" - import_tasks: local_actions.yml when: diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml index b3804f63..405bfe33 100644 --- a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml +++ b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml @@ -46,7 +46,9 @@ run_once: true - name: Hashing the custom admin password - command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301 + shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }} register: indexer_admin_password_hashed no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true @@ -62,7 +64,9 @@ # this can also be achieved with password_hash, but it requires dependencies on the controller - name: Hash the kibanaserver role/user pasword - command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }}" # noqa 301 + shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }} register: indexer_kibanaserver_password_hashed no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true
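Review bot: Switching the two hashing tasks in roles/wazuh/wazuh-indexer/tasks/security_actions.yml from `command` to `shell` means `{{ indexer_admin_password }}` is now expanded unquoted inside a shell script, so a password containing `$`, `;`, `|` or backticks is interpreted by the shell instead of being passed to `hash.sh` as data. `JAVA_HOME` can be set without a shell: keep `command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}"` and add `environment:` with `JAVA_HOME: /usr/share/wazuh-indexer/jdk`. If `shell` has to stay, apply `| quote` to the password. The second hunk has the same problem with `{{ dashboard_password }}`; both tasks may continue past their hunks.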