diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
index 85706199..af17e528 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
@@ -76,7 +76,7 @@
 mode: 0660
 notify: restart elasticsearch
 tags: configure
-
+
 - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf
 lineinfile:
 path: /etc/security/limits.conf
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
index e64b71df..650692c5 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@@ -39,7 +39,7 @@
 when:
 - node_certs_generator
 
-- name: Importing custom CA key
+- name: Importing custom CA key
 copy:
 src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
 dest: "{{ node_certs_source }}/{{ ca_key_name }}"
@@ -60,9 +60,10 @@
 tags: xpack-security
 
 - name: Generating certificates for Elasticsearch security (generating CA)
- shell: >-
- /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in
- {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+ command: >-
+ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
+ --in {{ node_certs_source }}/instances.yml
+ --out {{ node_certs_source }}/certs.zip
 when:
 - node_certs_generator
 - not xpack_certs_zip.stat.exists
@@ -70,37 +71,40 @@
 tags: xpack-security
 
 - name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
- shell: >-
- /usr/share/elasticsearch/bin/elasticsearch-certutil cert
- --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
- --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+ command: >-
+ /usr/share/elasticsearch/bin/elasticsearch-certutil cert
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }}
+ --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
+ --pem --in {{ node_certs_source }}/instances.yml
+ --out {{ node_certs_source }}/certs.zip
 when:
 - node_certs_generator
 - not xpack_certs_zip.stat.exists
 - not generate_CA
- - ca_password == ""
+ - ca_password | length == 0
 tags: xpack-security
 
 - name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
- shell: >-
- /usr/share/elasticsearch/bin/elasticsearch-certutil cert
- --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
- --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
- --ca-pass {{ca_password}}
+ command: >-
+ /usr/share/elasticsearch/bin/elasticsearch-certutil cert
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }}
+ --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
+ --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+ --ca-pass {{ ca_password }}
 when:
 - node_certs_generator
 - not xpack_certs_zip.stat.exists
 - not generate_CA
- - ca_password != ""
- tags: xpack-security
-
+ - ca_password | length > 0
+ tags: xpack-security
+
 - name: Verify the Elastic certificates directory
 file:
 path: "{{ master_certs_path }}"
 state: directory
 mode: '0700'
 delegate_to: "127.0.0.1"
- when:
+ when:
 - node_certs_generator
 
 - name: Verify the Certificates Authority directory
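Review bot: `--ca-pass {{ ca_password }}` in the "Using CA Password" task becomes fragile and leaky with the switch to `command`: the module splits the folded string with shlex, so a CA password containing whitespace or quote characters is broken into several arguments (or fails to parse), and the task has no `no_log`, so the password is printed in the task's invocation on failure and in verbose output. Prefer the `argv` list form so each value is exactly one argument regardless of its content, and add `no_log: true` to the task; the password is still visible on the process command line while certutil runs, which neither form avoids, so the variable should be treated as sensitive wherever it is sourced. The `--ca-key`/`--ca-cert` paths in the "Without CA Password" task have the same shlex-splitting exposure if they ever contain spaces, but nothing secret is involved there.
```yaml
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
  command:
    argv:
      - /usr/share/elasticsearch/bin/elasticsearch-certutil
      - cert
      - --ca-key
      - "{{ node_certs_source }}/{{ ca_key_name }}"
      - --ca-cert
      - "{{ node_certs_source }}/{{ ca_cert_name }}"
      - --pem
      - --in
      - "{{ node_certs_source }}/instances.yml"
      - --out
      - "{{ node_certs_source }}/certs.zip"
      - --ca-pass
      - "{{ ca_password }}"
  no_log: true
  # … unchanged: when / tags …
```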
@@ -109,7 +113,7 @@
 state: directory
 mode: '0700'
 delegate_to: "127.0.0.1"
- when:
+ when:
 - node_certs_generator
 
 - name: Copying certificates to Ansible master
@@ -118,7 +122,7 @@
 dest: "{{ master_certs_path }}/"
 flat: yes
 mode: 0700
- when:
+ when:
 - node_certs_generator
 tags: xpack-security
@@ -126,39 +130,39 @@
 file:
 state: absent
 path: "{{ node_certs_source }}/certs.zip"
- when:
+ when:
 - node_certs_generator
-
+
 - name: Unzip generated certs.zip
 unarchive:
- src: "{{master_certs_path}}/certs.zip"
- dest: "{{master_certs_path}}/"
+ src: "{{ master_certs_path }}/certs.zip"
+ dest: "{{ master_certs_path }}/"
 become: true
 delegate_to: "127.0.0.1"
- when:
+ when:
 - node_certs_generator
 tags: xpack-security
 
 - name: Copying node's certificate from master
 copy:
- src: "{{item}}"
- dest: "{{node_certs_destination}}/"
+ src: "{{ item }}"
+ dest: "{{ node_certs_destination }}/"
 with_items:
- - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
- - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
- - "{{master_certs_path}}/ca/ca.crt"
+ - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
+ - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
+ - "{{ master_certs_path }}/ca/ca.crt"
 when:
 - generate_CA
 tags: xpack-security
 
 - name: Copying node's certificate from master (Custom CA)
 copy:
- src: "{{item}}"
- dest: "{{node_certs_destination}}/"
- with_items:
- - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key"
- - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
- - "{{master_certs_path}}/ca/{{ca_cert_name}}"
+ src: "{{ item }}"
+ dest: "{{ node_certs_destination }}/"
+ with_items:
+ - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
+ - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
+ - "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
 when:
 - not generate_CA
 tags: xpack-security
@@ -175,8 +179,8 @@
 tags: xpack-security
 
 - name: Set elasticsearch bootstrap password
- shell: >-
+ command: >-
+ set -o pipefail
 echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
 when:
 - node_certs_generator
-
\ No newline at end of file
diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml
index 7cd01cbd..85bd17e1 100644
--- a/roles/wazuh/ansible-filebeat/tasks/main.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/main.yml
@@ -28,25 +28,25 @@
 - name: Copying node's certificate from master
 copy:
- src: "{{item}}"
- dest: "{{node_certs_destination}}/"
- with_items:
- - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key"
- - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt"
- - "{{master_certs_path}}/ca/ca.crt"
+ src: "{{ item }}"
+ dest: "{{ node_certs_destination }}/"
+ with_items:
+ - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
+ - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
+ - "{{ master_certs_path }}/ca/ca.crt"
 when:
 - generate_CA
 - filebeat_xpack_security
 tags: xpack-security
-
+
 - name: Copying node's certificate from master (Custom CA)
 copy:
- src: "{{item}}"
- dest: "{{node_certs_destination}}/"
- with_items:
- - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key"
- - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt"
- - "{{master_certs_path}}/ca/{{ca_cert_name}}"
+ src: "{{ item }}"
+ dest: "{{ node_certs_destination }}/"
+ with_items:
+ - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
+ - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
+ - "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
 when:
 - not generate_CA
 - filebeat_xpack_security
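Review bot: The new `command:` body in "Set elasticsearch bootstrap password" cannot work: `command` does not go through a shell, so after the `>-` fold the module tries to execute a program literally named `set` with `-o pipefail echo … | …` as its arguments, the pipe is never interpreted, and the bootstrap password is never written to the keystore (the task should fail on the missing `set` executable, but a silent no-op is the worse outcome to rule out). `elasticsearch-keystore add -x` reads the value from stdin, which the command module can supply through its `stdin` argument, so no shell, `echo` or pipe is needed; the task also has no `no_log`, so the password is included in the task result and verbose output either way. The file's other task in this hunk (the filebeat copy) is whitespace-only and needs nothing.
```yaml
- name: Set elasticsearch bootstrap password
  command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"
  args:
    stdin: "{{ elasticsearch_xpack_security_password }}"
  no_log: true
  # … unchanged: when …
```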