From f092dc34f5fcbde6f7b8793c1f200e5803426365 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 14 Aug 2020 16:34:44 +0200 Subject: [PATCH 01/26] Force basic auth --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) mode change 100644 => 100755 roles/elastic-stack/ansible-elasticsearch/tasks/main.yml diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml old mode 100644 new mode 100755 index d74a391b..7c453bad --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -128,6 +128,7 @@ validate_certs: no status_code: 200,401 return_content: yes + force_basic_auth: yes timeout: 4 register: _result until: ( _result.json is defined) and (_result.json.status == "green") @@ -145,6 +146,7 @@ password: "{{ elasticsearch_xpack_security_password }}" body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }' validate_certs: no + force_basic_auth: yes loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}" register: http_response failed_when: http_response.status != 200 From 87ad1cdfaf49eef2754861fc816b769af959e146 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 14 Aug 2020 17:02:11 +0200 Subject: [PATCH 02/26] Basic auth on kibana role --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) mode change 100644 => 100755 roles/elastic-stack/ansible-kibana/tasks/main.yml diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml old mode 100644 new mode 100755 index d2d06097..cf330640 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
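Review bot: `force_basic_auth: yes` makes the uri module send the credentials preemptively on every request, yet both hunks keep `validate_certs: no`, so the Elasticsearch password now travels on the very first request to whatever answers on that host without the certificate being checked; the Kibana hunk of PATCH 02/26 pairs the two options the same way. The verification switch should become a role variable that defaults to secure, e.g. `validate_certs: "{{ elasticsearch_validate_certs | default(true) }}"` (name constructed), with the insecure value an explicit opt-in. The second hunk also loops over `elasticsearch_xpack_users` and registers `http_response`, so the per-item password in `body` and the response are echoed in the play output unless the task gets `no_log: true`. Both task files additionally switch to mode 100755 in this patch, which an Ansible task file does not need and is presumably accidental. `true` rather than `yes` for the new key would match the yamllint truthy rule the rest of the repository is moving toward.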
@@ -156,6 +156,7 @@ password: "{{ elasticsearch_xpack_security_password }}" validate_certs: no status_code: 200, 404 + force_basic_auth: yes - name: Create wazuh plugin config directory file: From 707aad76add4044d39876026953bb9a1b593ce34 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 18 Sep 2020 15:06:21 +0200 Subject: [PATCH 03/26] Bump to Wazuh version v3.13.2 --- CHANGELOG.md | 13 +++++++++++++ .../ansible-elasticsearch/defaults/main.yml | 2 +- .../elastic-stack/ansible-kibana/defaults/main.yml | 6 +++--- .../opendistro-elasticsearch/defaults/main.yml | 4 ++-- .../opendistro/opendistro-kibana/defaults/main.yml | 4 ++-- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- roles/wazuh/ansible-filebeat/defaults/main.yml | 4 ++-- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 8 ++++---- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 6 +++--- 9 files changed, 31 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ba466ff..405be5c4 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,19 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.13.2] + +### Added + +- Update to Wazuh v3.13.2 +- Add kibana extra ssl option ([@xr09](https://github.com/xr09)) [PR#451](https://github.com/wazuh/wazuh-ansible/pull/451) +- Force basic auth ([@xr09](https://github.com/xr09)) [PR#456](https://github.com/wazuh/wazuh-ansible/pull/456) + +### Fixed + +- Fix check_mode condition ([@manuasir](https://github.com/manuasir)) [PR#452](https://github.com/wazuh/wazuh-ansible/pull/452) +- Fixes for opendistro role ([@xr09](https://github.com/xr09)) [PR#453](https://github.com/wazuh/wazuh-ansible/pull/453) + ## [v3.13.1_7.8.0] ### Added diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index c550bdb0..5a638104 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml 
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.8.0 +elastic_stack_version: 7.9.1 elasticsearch_lower_disk_requirements: false elasticsearch_path_repo: [] diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 434dabc2..9f15444d 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,8 +6,8 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_conf_path: /etc/kibana -elastic_stack_version: 7.8.0 -wazuh_version: 3.13.1 +elastic_stack_version: 7.9.1 +wazuh_version: 3.13.2 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: @@ -49,7 +49,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.13-7.8 +wazuh_plugin_branch: 3.13-7.9 #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index d9e4641a..1ece22c7 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,9 +1,9 @@ --- # Cluster Settings -es_version: "7.3.2" +es_version: "7.8.0" es_major_version: "7.x" -opendistro_version: 1.8.0 +opendistro_version: 1.9.0 elasticsearch_cluster_name: wazuh-cluster single_node: true diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 2dd687bb..2c285c8d 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml 
@@ -15,11 +15,11 @@ kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 elastic_stack_version: 7.8.0 -wazuh_version: 3.13.1 +wazuh_version: 3.13.2 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository -kibana_opendistro_version: -1.8.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +kibana_opendistro_version: -1.9.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts package_repos: yum: diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 1ef027e7..110cc9d7 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -1,7 +1,7 @@ --- filebeat_version: 7.8.0 -wazuh_template_branch: v3.13.1 +wazuh_template_branch: v3.13.2 filebeat_create_config: true diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index d9599520..a3fd803a 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,7 +1,7 @@ --- -filebeat_version: 7.8.0 +filebeat_version: 7.9.1 -wazuh_template_branch: v3.13.1 +wazuh_template_branch: v3.13.2 filebeat_create_config: true diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index a9a08d02..4d9fec35 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.13.1-1 +wazuh_agent_version: 3.13.2-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.13.1" + branch: "v3.13.2" user_language: "y" user_no_stop: "y" user_install_type: "agent" 
@@ -67,8 +67,8 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: d0f13c0c417c74ccbad7b45f66518513 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.1-1.msi -wazuh_winagent_package_name: wazuh-agent-3.13.1-1.msi +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.2-1.msi +wazuh_winagent_package_name: wazuh-agent-3.13.2-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index e6f86739..bdc7c0e5 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.13.1-1 +wazuh_manager_version: 3.13.2-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.13.1" + branch: "v3.13.2" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.13.1" + branch: "v3.13.2" update: "y" remove: "y" directory: null From 284ec681b3cb5061535275c4afea5dadca564e69 Mon Sep 17 00:00:00 2001 From: manuasir Date: Mon, 21 Sep 2020 04:11:57 +0200 Subject: [PATCH 04/26] Applied changes to service tests --- molecule/default/tests/test_default.py | 29 ++++++++++++++++++-------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index e63a0bab..5d5f6655 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py 
@@ -1,16 +1,17 @@ import os import pytest import testinfra.utils.ansible_runner +import re testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') def get_wazuh_version(): - """This return the version of Wazuh.""" + """This returns the version of Wazuh.""" return "3.13.1" def test_wazuh_packages_are_installed(host): - """Test if the main packages are installed.""" + """Test the main packages are installed.""" manager = host.package("wazuh-manager") api = host.package("wazuh-api") assert manager.is_installed @@ -19,17 +20,27 @@ def test_wazuh_packages_are_installed(host): assert api.version.startswith(get_wazuh_version()) def test_wazuh_services_are_running(host): - """Test if the services are enabled and running. + """Test the services are enabled and running. When assert commands are commented, this means that the service command has a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 """ - manager = host.service("wazuh-manager") - api = host.service("wazuh-api") + # This currently doesn't work with out current Docker base images + # manager = host.service("wazuh-manager") + # api = host.service("wazuh-api") # assert manager.is_running - assert manager.is_running # assert api.is_running - assert api.is_running + output = host.check_output('ps aux | grep ossec | tr -s " " | cut -d" " -f11') + assert 'ossec-authd' in output + assert 'wazuh-modulesd' in output + assert 'wazuh-db' in output + assert 'ossec-execd' in output + assert 'ossec-monitord' in output + assert 'ossec-remoted' in output + assert 'ossec-logcollector' in output + assert 'ossec-analysisd' in output + assert 'ossec-syscheckd' in output + @pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), 
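Review bot: `import re` is added in the first hunk but neither hunk of this patch uses it; if nothing else in test_default.py does either, it should be dropped (flake8 would report it as unused). In test_wazuh_services_are_running the replacement check shells out to `ps aux | grep ossec | tr -s " " | cut -d" " -f11` and then does substring matches on the joined output, which only works because each daemon's command column presumably contains "ossec" somewhere; testinfra's process API states the same intent directly and per daemon, e.g. `assert host.process.filter(comm="ossec-authd")`. The new comment has a typo and should read `# This currently doesn't work with our current Docker base images`. The docstring above it still explains commented-out asserts that this hunk removes, so that paragraph should be updated or dropped as well.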
@@ -39,14 +50,14 @@ def test_wazuh_services_are_running(host): ]) def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): - """Test if Wazuh related files exist and have proper owners and mode.""" + """Test Wazuh related files exist and have proper owners and mode.""" wazuh_file_host = host.file(wazuh_file) assert wazuh_file_host.user == wazuh_owner assert wazuh_file_host.group == wazuh_group assert wazuh_file_host.mode == wazuh_mode def test_filebeat_is_installed(host): - """Test if the elasticsearch package is installed.""" + """Test the elasticsearch package is installed.""" filebeat = host.package("filebeat") assert filebeat.is_installed assert filebeat.version.startswith('7.8.0') From 40d498262f9e2c08a7b21a4de41cdad340f6e5c8 Mon Sep 17 00:00:00 2001 From: manuasir Date: Mon, 21 Sep 2020 19:15:15 +0200 Subject: [PATCH 05/26] Bump test version --- molecule/default/tests/test_default.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py index 5d5f6655..1b020f6a 100644 --- a/molecule/default/tests/test_default.py +++ b/molecule/default/tests/test_default.py @@ -8,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( def get_wazuh_version(): """This returns the version of Wazuh.""" - return "3.13.1" + return "3.13.2" def test_wazuh_packages_are_installed(host): """Test the main packages are installed.""" @@ -60,4 +60,4 @@ def test_filebeat_is_installed(host): """Test the elasticsearch package is installed.""" filebeat = host.package("filebeat") assert filebeat.is_installed - assert filebeat.version.startswith('7.8.0') + assert filebeat.version.startswith('7.9.1') From 06441c5f1782490d345d68225abd74af5a18f78a Mon Sep 17 00:00:00 2001 From: zenidd Date: Tue, 6 Oct 2020 12:43:12 +0200 Subject: [PATCH 06/26] Update directory structure --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
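Review bot: The docstring of test_filebeat_is_installed is reworded in this hunk but still reads `"""Test the elasticsearch package is installed."""`, while the body checks the filebeat package and version, so it should say `"""Test the filebeat package is installed."""`. The same line is visible as context in the second hunk of PATCH 05/26, which bumps the version it asserts on without correcting the description.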
diff --git a/README.md b/README.md index 257d15cc..5eaa6b17 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,14 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── elastic-stack │ │ │ ├── ansible-elasticsearch │ │ │ ├── ansible-kibana - │ │ + │ │ + │ │ ├── opendistro + │ │ │ ├── opendistro-elasticsearch + │ │ │ ├── opendistro-kibana + │ │ │ │ ├── wazuh │ │ │ ├── ansible-filebeat + │ │ │ ├── ansible-filebeat-oss │ │ │ ├── ansible-wazuh-manager │ │ │ ├── ansible-wazuh-agent │ │ @@ -35,6 +40,9 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-kibana.yml │ │ ├── wazuh-manager.yml + │ │ ├── wazuh-manager-oss.yml + │ │ ├── wazuh-opendistro.yml + │ │ ├── wazuh-opendistro-kibana.yml │ │ ├── README.md │ ├── VERSION From 575fcc966a80b14e57de1af8305da0478d8585b7 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 7 Oct 2020 16:59:46 +0200 Subject: [PATCH 07/26] Remove vuls integration --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 10 ---------- .../templates/var-ossec-etc-ossec-agent.conf.j2 | 12 ------------ roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 10 ---------- roles/wazuh/ansible-wazuh-manager/tasks/main.yml | 13 ------------- .../templates/var-ossec-etc-ossec-server.conf.j2 | 11 ----------- 5 files changed, 56 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 4d9fec35..88bd6ab0 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -237,16 +237,6 @@ wazuh_agent_config: java_path_win: '\\server\jre\bin\java.exe' ciscat_path: 'wodles/ciscat' ciscat_path_win: 'C:\cis-cat' - vuls: - disable: 'yes' - interval: '1d' - run_on_start: 'yes' - args: - - 'mincvss 5' - - 'antiquity-limit 20' - - 'updatenvd' - - 'nvd-year 2016' - - 'autoupdate' localfiles: debian: - format: 'syslog' 
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index a1e79db5..1077ce3d 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -296,18 +296,6 @@ {% endif %} - - {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %} - - no - Wazuh-VULS - /usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %} - {{ wazuh_agent_config.vuls.interval }} - yes - {{ wazuh_agent_config.vuls.run_on_start }} - - {% endif %} - {% if ansible_system == "Linux" %} {% for localfile in wazuh_agent_config.localfiles.linux %} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index bdc7c0e5..50c54990 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -256,16 +256,6 @@ wazuh_manager_config: update_from_year: '2010' update_interval: '1h' name: '"nvd"' - vuls: - disable: 'yes' - interval: '1d' - run_on_start: 'yes' - args: - - 'mincvss 5' - - 'antiquity-limit 20' - - 'updatenvd' - - 'nvd-year 2016' - - 'autoupdate' log_level: 3 email_level: 12 localfiles: diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index efd71eb3..bbea6295 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml 
@@ -263,19 +263,6 @@ - init - config -- name: Linux | Vuls integration deploy (runs in background, can take a while) - command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} - args: - creates: /var/ossec/wodles/vuls/config.toml - async: 3600 - poll: 0 - when: - - wazuh_manager_config.vuls.disable != 'yes' - - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle', 'Amazon'] - - not ansible_check_mode - tags: - - init - - name: Configure ossec.conf template: src=var-ossec-etc-ossec-server.conf.j2 dest=/var/ossec/etc/ossec.conf diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 53565007..b1c48fd1 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -374,17 +374,6 @@ {% endfor %} -{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %} - - no - Wazuh-VULS - /usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_manager_config.vuls.args %} --{{ arg }}{% endfor %} - {{ wazuh_manager_config.vuls.interval }} - yes - {{ wazuh_manager_config.vuls.run_on_start }} - -{% endif -%} - {% if agentless_creds is defined %} {% for agentless in agentless_creds %} From 6a6fb15654577c21d02c7973a91239f88cf55735 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 7 Oct 2020 17:03:28 +0200 Subject: [PATCH 08/26] Remove vuls block from Linux tasks --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 70987a01..fdfd87a9 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
@@ -185,19 +185,6 @@ - config - api -- name: Linux | Vuls integration deploy (runs in background, can take a while) - command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} - args: - creates: /var/ossec/wodles/vuls/config.toml - async: 3600 - poll: 0 - when: - - wazuh_agent_config.vuls.disable != 'yes' - - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle'] - - not ansible_check_mode - tags: - - init - - name: Linux | Installing agent configuration (ossec.conf) template: src=var-ossec-etc-ossec-agent.conf.j2 dest=/var/ossec/etc/ossec.conf From 671b7333fa26e386c621d04f6027127214b6d069 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 8 Oct 2020 17:14:35 +0200 Subject: [PATCH 09/26] Ensure recursive /usr/share/kibana permissions before installing WUI --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 8 ++++++++ roles/opendistro/opendistro-kibana/tasks/main.yml | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 78d15630..44643ebd 100755 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -98,6 +98,14 @@ name: kibana state: started +- name: Ensuring Kibana directory owner + file: + path: "/usr/share/kibana" + state: directory + owner: kibana + group: kibana + recurse: yes + - name: Build and Install Wazuh Kibana Plugin from sources import_tasks: build_wazuh_plugin.yml when: diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index e127f2f9..ff324bf8 100755 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml 
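Review bot: `recurse: yes` on `/usr/share/kibana` hands the whole Kibana install tree, code included, to the service account, so the process serving the WUI can rewrite its own binaries and bundles; as far as I recall the package default leaves those root-owned and only the plugin, data and build directories kibana-owned. The same task is added in the opendistro-kibana hunk of this patch, so the change applies to both roles. If the intent is only to let the plugin install write where it must, scope `path:` to the directories the installer actually touches (to be confirmed against the install step) or restore root ownership after the install task. The task also runs on every play, before the build/install step whose `when:` is cut off here; reusing that condition would avoid a recursive walk on each run. `true` rather than `yes` for the boolean matches the yamllint truthy rule.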
@@ -41,6 +41,14 @@ - install - configure +- name: Ensuring Kibana directory owner + file: + path: "/usr/share/kibana" + state: directory + owner: kibana + group: kibana + recurse: yes + - name: Build and Install Wazuh Kibana Plugin from sources import_tasks: build_wazuh_plugin.yml when: From 898e7ad3b87c35b6ffa0fa2bc68a4577e5029610 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 9 Oct 2020 18:44:32 +0200 Subject: [PATCH 10/26] Update README.md --- README.md | 291 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 291 insertions(+) diff --git a/README.md b/README.md index 5eaa6b17..f591ca1a 100644 --- a/README.md +++ b/README.md 
@@ -48,6 +48,297 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ ├── VERSION │ ├── CHANGELOG.md +## Example custom deploy: Wazuh cluster, ODFE cluster, Kibana + +### Playbook +The hereunder example playbook deploys a complete Wazuh distributed architecture with two Wazuh nodes (master+worker), 3 ODFE nodes and a mixed ODFE and Kibana node. + +```yaml +--- +# Certificates generation + - hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + perform_installation: false + become: yes + become_user: root + vars: + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + tags: + - generate-certs + +#ODFE Cluster + - hosts: odfe_cluster + strategy: free + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + elasticsearch_node_master: true + elasticsearch_cluster_name: wazuh + opendistro_version: 1.10.1 + opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user_role: admin + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + +#Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + ansible_ssh_user: "centos" + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + authd: + enable: false + port: 1515 + use_source_ip: 'no' + force_insert: 'yes' + force_time: 0 + purge: 'yes' + use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' + ssl_auto_negotiate: 'no' + connection: + - type: 
'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + port: "55000" + https: 'yes' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_manager_version: 3.13.2 + filebeat_version: 7.9.1 + filebeat_security: true + elasticsearch_security_user: wazuh + elasticsearch_security_password: T3stP4ssw0rd + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + +#ODFE+Kibana node + - hosts: kibana + roles: + - role: "../roles/opendistro/opendistro-elasticsearch" + - role: "../roles/opendistro/opendistro-kibana" + become: yes + become_user: root + vars: + elasticsearch_jvm_xms: 2560 + elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" + elasticsearch_node_name: node-6 + opendistro_kibana_user: wazuh + opendistro_kibana_password: T3stP4ssw0rd + elasticsearch_node_master: false + elasticsearch_node_ingest: false + elasticsearch_node_data: false + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + kibana_node_name: node-6 + opendistro_standalone_installation: false + ansible_ssh_user: centos + ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + wazuh_version: 3.13.2 + elastic_stack_version: 7.9.1 + opendistro_version: 1.10.1 + kibana_opendistro_version: -1.10.1-1 + elasticsearch_cluster_name: wazuh + kibana_opendistro_security: true + 
opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user: wazuh + opendistro_custom_user_role: admin + node_options: "--max-old-space-size=2048" + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" +``` + + +### Example inventory file + + +```ini +es1 ansible_host= private_ip= elasticsearch_node_name=node-1 +es2 ansible_host= private_ip= elasticsearch_node_name=node-2 +es3 ansible_host= private_ip= elasticsearch_node_name=node-3 opendistro_custom_user=wazuh +kibana ansible_host= private_ip= +manager ansible_host= private_ip= +worker ansible_host= private_ip= + + +[odfe_cluster] +es1 +es2 +es3 +[wui] +kibana +[managers] +manager +worker +``` + ## Branches From 5e09f85c21b7ebf06fa3413642794d004f896995 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 9 Oct 2020 18:44:54 +0200 Subject: [PATCH 11/26] Example ODFE-production-ready playbook --- playbooks/wazuh-odfe-production-ready.yml | 259 ++++++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 playbooks/wazuh-odfe-production-ready.yml diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-odfe-production-ready.yml new file mode 100644 index 00000000..588e3187 --- /dev/null +++ b/playbooks/wazuh-odfe-production-ready.yml 
@@ -0,0 +1,259 @@
+---
+ # Certificates generation
+ - hosts: es1
+ roles:
+ - role: ../roles/opendistro/opendistro-elasticsearch
+ elasticsearch_network_host: "{{ private_ip }}"
+ elasticsearch_cluster_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ elasticsearch_discovery_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ perform_installation: false
+ become: yes
+ become_user: root
+ vars:
+ opendistro_standalone_installation: false
+ ansible_ssh_user: centos
+ ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem
+ ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+ elasticsearch_node_master: true
+ elasticsearch_cluster_name: wazuh
+ opendistro_version: 1.10.1
+ opendistro_admin_password: T3stP4ssw0rd
+ certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip
+ instances:
+ node1:
+ name: node-1 # Important: must be equal to elasticsearch_node_name.
+ ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
+ node2:
+ name: node-2
+ ip: "{{ hostvars.es2.private_ip }}"
+ node3:
+ name: node-3
+ ip: "{{ hostvars.es3.private_ip }}"
+ node4:
+ name: node-4
+ ip: "{{ hostvars.manager.private_ip }}"
+ node5:
+ name: node-5
+ ip: "{{ hostvars.worker.private_ip }}"
+ node6:
+ name: node-6
+ ip: "{{ hostvars.kibana.private_ip }}"
+ tags:
+ - generate-certs
+
+ #ODFE Cluster
+ - hosts: odfe_cluster
+ strategy: free
+ roles:
+ - role: ../roles/opendistro/opendistro-elasticsearch
+ elasticsearch_network_host: "{{ private_ip }}"
+ become: yes
+ become_user: root
+ vars:
+ elasticsearch_cluster_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ elasticsearch_discovery_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ opendistro_standalone_installation: false
+ ansible_ssh_user: centos
+ ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem
+ ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+ elasticsearch_node_master: true
+ elasticsearch_cluster_name: wazuh
+ opendistro_version: 1.10.1
+ opendistro_admin_password: T3stP4ssw0rd
+ opendistro_custom_user_role: admin
+ certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip
+ instances:
+ node1:
+ name: node-1 # Important: must be equal to elasticsearch_node_name.
+ ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
+ node2:
+ name: node-2
+ ip: "{{ hostvars.es2.private_ip }}"
+ node3:
+ name: node-3
+ ip: "{{ hostvars.es3.private_ip }}"
+ node4:
+ name: node-4
+ ip: "{{ hostvars.manager.private_ip }}"
+ node5:
+ name: node-5
+ ip: "{{ hostvars.worker.private_ip }}"
+ node6:
+ name: node-6
+ ip: "{{ hostvars.kibana.private_ip }}"
+
+ #Wazuh cluster
+ - hosts: manager
+ roles:
+ - role: "../roles/wazuh/ansible-wazuh-manager"
+ - role: "../roles/wazuh/ansible-filebeat-oss"
+ filebeat_node_name: node-4
+ become: yes
+ become_user: root
+ vars:
+ ansible_ssh_user: "centos"
+ ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem
+ ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+ wazuh_manager_version: 3.13.2
+ wazuh_manager_config:
+ connection:
+ - type: 'secure'
+ port: '1514'
+ protocol: 'tcp'
+ queue_size: 131072
+ api:
+ port: "55000"
+ https: 'yes'
+ cluster:
+ disable: 'no'
+ name: 'wazuh'
+ node_name: 'master'
+ node_type: 'master'
+ key: 'c98b62a9b6169ac5f67dae55ae4a9088'
+ port: '1516'
+ bind_addr: '0.0.0.0'
+ nodes:
+ - '"{{ hostvars.manager.private_ip }}"'
+ hidden: 'no'
+ filebeat_version: 7.9.1
+ filebeat_security: true
+ elasticsearch_security_user: wazuh
+ elasticsearch_security_password: T3stP4ssw0rd
+ filebeat_output_elasticsearch_hosts:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+
+ - hosts: worker
+ roles:
+ - role: "../roles/wazuh/ansible-wazuh-manager"
+ - role: "../roles/wazuh/ansible-filebeat-oss"
+ filebeat_node_name: node-5
+ become: yes
+ become_user: root
+ vars:
+ wazuh_manager_config:
+ authd:
+ enable: false
+ port: 1515
+ use_source_ip: 'no'
+ force_insert: 'yes'
+ force_time: 0
+ purge: 'yes'
+ use_password: 'no'
+ limit_maxagents: 'yes'
+ ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
+ ssl_agent_ca: null
+ ssl_verify_host: 'no'
+ ssl_manager_cert: 'sslmanager.cert'
+ ssl_manager_key: 'sslmanager.key'
+ ssl_auto_negotiate: 'no'
+ connection:
+ - type: 
'secure'
+ port: '1514'
+ protocol: 'tcp'
+ queue_size: 131072
+ api:
+ port: "55000"
+ https: 'yes'
+ cluster:
+ disable: 'no'
+ name: 'wazuh'
+ node_name: 'worker_01'
+ node_type: 'worker'
+ key: 'c98b62a9b6169ac5f67dae55ae4a9088'
+ port: '1516'
+ bind_addr: '0.0.0.0'
+ nodes:
+ - '"{{ hostvars.manager.private_ip }}"'
+ hidden: 'no'
+ ansible_ssh_user: centos
+ ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem
+ ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+ wazuh_manager_version: 3.13.2
+ filebeat_version: 7.9.1
+ filebeat_security: true
+ elasticsearch_security_user: wazuh
+ elasticsearch_security_password: T3stP4ssw0rd
+ filebeat_output_elasticsearch_hosts:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+
+ #ODFE+Kibana node
+ - hosts: kibana
+ roles:
+ - role: "../roles/opendistro/opendistro-elasticsearch"
+ - role: "../roles/opendistro/opendistro-kibana"
+ become: yes
+ become_user: root
+ vars:
+ elasticsearch_jvm_xms: 2560
+ elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}"
+ elasticsearch_node_name: node-6
+ opendistro_kibana_user: wazuh
+ opendistro_kibana_password: T3stP4ssw0rd
+ elasticsearch_node_master: false
+ elasticsearch_node_ingest: false
+ elasticsearch_node_data: false
+ elasticsearch_cluster_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ elasticsearch_discovery_nodes:
+ - "{{ hostvars.es1.private_ip }}"
+ - "{{ hostvars.es2.private_ip }}"
+ - "{{ hostvars.es3.private_ip }}"
+ kibana_node_name: node-6
+ opendistro_standalone_installation: false
+ ansible_ssh_user: centos
+ ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem
+ ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
+ wazuh_version: 3.13.2
+ elastic_stack_version: 7.9.1
+ opendistro_version: 1.10.1
+ kibana_opendistro_version: -1.10.1-1
+ elasticsearch_cluster_name: wazuh
+ kibana_opendistro_security: true
+ opendistro_admin_password: T3stP4ssw0rd + opendistro_custom_user: wazuh + opendistro_custom_user_role: admin + node_options: "--max-old-space-size=2048" + certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" \ No newline at end of file From 25b2a8a946ae69f5111f17a6b8c0455ffa3b76fb Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 16:44:54 +0200 Subject: [PATCH 12/26] Updat README --- README.md | 491 +++++++++++++++++++++++------------------------------- 1 file changed, 207 insertions(+), 284 deletions(-) diff --git a/README.md b/README.md index f591ca1a..b6755343 100644 --- a/README.md +++ b/README.md 
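Review bot: The new playbook commits credentials and operator-specific SSH settings as plain vars in every play: `opendistro_admin_password: T3stP4ssw0rd`, `elasticsearch_security_password`, `opendistro_kibana_password`, the cluster `key: 'c98b62a9b6169ac5f67dae55ae4a9088'`, `wazuh_api_credentials` with `user: foo`/`password: bar`, plus `ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem` and `ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'`. Once pushed these values stay in git history even if a later commit strips them, so they should be treated as disclosed and rotated if any of them were ever used outside a demo. The SSH settings belong in the inventory (`[all:vars]`) and the passwords and cluster key in a vaulted vars file referenced from the playbook, e.g. `opendistro_admin_password: "{{ vault_opendistro_admin_password }}"`, so the playbook itself carries no secrets. Turning off `StrictHostKeyChecking` for every play also does not fit a playbook named production-ready; leaving host-key verification on and pre-seeding known_hosts is the safer default.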
@@ -48,18 +48,63 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ ├── VERSION │ ├── CHANGELOG.md -## Example custom deploy: Wazuh cluster, ODFE cluster, Kibana + +## Example: production-ready distributed environment ### Playbook -The hereunder example playbook deploys a complete Wazuh distributed architecture with two Wazuh nodes (master+worker), 3 ODFE nodes and a mixed ODFE and Kibana node. +The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 ODFE nodes and a mixed ODFE-Kibana node. ```yaml --- # Certificates generation - - hosts: es1 - roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" + - hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + perform_installation: false + become: yes + become_user: root + vars: + elasticsearch_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" + tags: + - generate-certs + +#ODFE Cluster + - hosts: odfe_cluster + strategy: free + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + elasticsearch_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: elasticsearch_cluster_nodes: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" 
@@ -68,305 +113,183 @@ The hereunder example playbook deploys a complete Wazuh distributed architecture - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" - perform_installation: false - become: yes - become_user: root - vars: - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. - node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" - tags: - - generate-certs + elasticsearch_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" -#ODFE Cluster - - hosts: odfe_cluster - strategy: free - roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" - become: yes - become_user: root - vars: - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user_role: admin - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
- node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" - -#Wazuh cluster - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - filebeat_node_name: node-4 - become: yes - become_user: root - vars: - ansible_ssh_user: "centos" - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - wazuh_manager_config: + #Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + wazuh_manager_config: connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 api: - port: "55000" - https: 'yes' + https: 'yes' cluster: - disable: 'no' - name: 'wazuh' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - '"{{ hostvars.manager.private_ip }}"' - hidden: 'no' - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd - filebeat_output_elasticsearch_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - - - hosts: worker - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - filebeat_node_name: node-5 - become: yes - become_user: root - vars: - wazuh_manager_config: - authd: - enable: false - port: 1515 - use_source_ip: 'no' - force_insert: 
'yes' - force_time: 0 - purge: 'yes' - use_password: 'no' - limit_maxagents: 'yes' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - port: "55000" - https: 'yes' - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - '"{{ hostvars.manager.private_ip }}"' - hidden: 'no' - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd - filebeat_output_elasticsearch_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - -#ODFE+Kibana node - - hosts: kibana - roles: - - role: "../roles/opendistro/opendistro-elasticsearch" - - role: "../roles/opendistro/opendistro-kibana" - become: yes - become_user: root - vars: - elasticsearch_jvm_xms: 2560 - elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" - elasticsearch_node_name: node-6 - opendistro_kibana_user: wazuh - opendistro_kibana_password: T3stP4ssw0rd - elasticsearch_node_master: false - elasticsearch_node_ingest: false - elasticsearch_node_data: false - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - kibana_node_name: node-6 - opendistro_standalone_installation: false - ansible_ssh_user: centos 
- ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_version: 3.13.2 - elastic_stack_version: 7.9.1 - opendistro_version: 1.10.1 - kibana_opendistro_version: -1.10.1-1 - elasticsearch_cluster_name: wazuh - kibana_opendistro_security: true - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user: wazuh - opendistro_custom_user_role: admin - node_options: "--max-old-space-size=2048" - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip - wazuh_api_credentials: - - id: default - url: https://{{ hostvars.manager.private_ip }} - port: 55000 - user: foo - password: bar - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. - node2: - name: node-2 - ip: "{{ hostvars.es2.private_ip }}" - node3: - name: node-3 - ip: "{{ hostvars.es3.private_ip }}" - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - node6: - name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + disable: 'no' + node_name: 'master' + node_type: 'master' + nodes: + - '"{{ hostvars.manager.private_ip }}"' + hidden: 'no' + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - '"{{ hostvars.manager.private_ip }}"' 
+ hidden: 'no' + filebeat_output_elasticsearch_hosts: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + + #ODFE+Kibana node + - hosts: kibana + roles: + - role: "../roles/opendistro/opendistro-elasticsearch" + - role: "../roles/opendistro/opendistro-kibana" + become: yes + become_user: root + vars: + elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" + elasticsearch_node_name: node-6 + elasticsearch_node_master: false + elasticsearch_node_ingest: false + elasticsearch_node_data: false + elasticsearch_cluster_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + elasticsearch_discovery_nodes: + - "{{ hostvars.es1.private_ip }}" + - "{{ hostvars.es2.private_ip }}" + - "{{ hostvars.es3.private_ip }}" + kibana_node_name: node-6 + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + user: foo + password: bar + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: "{{ hostvars.es2.private_ip }}" + node3: + name: node-3 + ip: "{{ hostvars.es3.private_ip }}" + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + node6: + name: node-6 + ip: "{{ hostvars.kibana.private_ip }}" ``` +### Inventory file -### Example inventory file +The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. +The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. 
```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 es2 ansible_host= private_ip= elasticsearch_node_name=node-2 -es3 ansible_host= private_ip= elasticsearch_node_name=node-3 opendistro_custom_user=wazuh -kibana ansible_host= private_ip= +es3 ansible_host= private_ip= elasticsearch_node_name=node-3 +kibana ansible_host= private_ip= manager ansible_host= private_ip= -worker ansible_host= private_ip= - +worker ansible_host= private_ip= [odfe_cluster] es1 es2 es3 -[wui] -kibana -[managers] -manager -worker + +[all:vars] +ansible_ssh_user=vagrant +ansible_ssh_private_key_file=/path/to/ssh/key.pem +ansible_ssh_extra_args='-o StrictHostKeyChecking=no' +``` + +### Launching playbook + +```bash +ansible-playbook wazuh-odfe-production-ready.yml -i inventory +``` + +## Example: single-host environment + +### Playbook +The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and ODFE components in a single node. + +```yaml + +``` + +### Launching playbook + +```bash +ansible-playbook wazuh-odfe-single.yml -i inventory ``` ## Branches - -* `stable` branch on correspond to the last Wazuh-Ansible stable version. -* `master` branch contains the latest code, be aware of possible bugs on this branch. - -## Testing - -1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible). - -``` -git clone https://github.com/wazuh/wazuh-qa -``` - -2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory: - -``` -cp wazuh-qa/ansible/wazuh-ansible/* . -R -``` - -3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios: - -``` -pip install pipenv -sudo pipenv install -pipenv run test -pipenv run agent -``` +* `master` branch on correspond to the last Wazuh-Ansible stable version. ## Contribute 
@@ -387,7 +310,7 @@ https://github.com/dj-wasabi/ansible-ossec-server ## License and copyright WAZUH -Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2) +Copyright (C) 2016-2020 Wazuh Inc. (License GPLv2) ## Web references From 5d1f55c42477372f819b9e81a0eed9638d5d0153 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:44:47 +0200 Subject: [PATCH 13/26] Wazuh and ODFE production ready playbook --- playbooks/wazuh-odfe-production-ready.yml | 93 +++-------------------- 1 file changed, 9 insertions(+), 84 deletions(-) diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-odfe-production-ready.yml index 588e3187..b2675834 100644 --- a/playbooks/wazuh-odfe-production-ready.yml +++ b/playbooks/wazuh-odfe-production-ready.yml @@ -1,5 +1,5 @@ --- - # Certificates generation +# Certificates generation - hosts: es1 roles: - role: ../roles/opendistro/opendistro-elasticsearch @@ -16,15 +16,7 @@ become: yes become_user: root vars: - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. @@ -47,7 +39,7 @@ tags: - generate-certs - #ODFE Cluster +#ODFE Cluster - hosts: odfe_cluster strategy: free roles: 
@@ -64,16 +56,7 @@ - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' elasticsearch_node_master: true - elasticsearch_cluster_name: wazuh - opendistro_version: 1.10.1 - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user_role: admin - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. @@ -103,34 +86,21 @@ become: yes become_user: root vars: - ansible_ssh_user: "centos" - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - port: "55000" + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: https: 'yes' - cluster: + cluster: disable: 'no' - name: 'wazuh' node_name: 'master' node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' nodes: - '"{{ hostvars.manager.private_ip }}"' hidden: 'no' - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd filebeat_output_elasticsearch_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" 
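Review bot: The master play's hunk (`@@ -103,34 +86,21 @@`) drops `key: 'c98b62a9b6169ac5f67dae55ae4a9088'` from its `cluster:` block, but the worker play's hunk that follows (`@@ -145,48 +115,21 @@`) keeps the literal, so the two nodes of the same Wazuh cluster now obtain their key from different places and will only pair if the role default happens to equal the literal. Both plays should read the same variable, e.g. `key: "{{ wazuh_cluster_key }}"` supplied from a vaulted vars file or the inventory, or both should omit it and rely on the role default. The value also remains in git history and in the README example, so it should be regarded as a known demo key and not reused for a real cluster. The hunk also reindents `connection:`, `api:` and `cluster:` while `https: 'yes'` and `disable: 'no'` stay as context lines, which may leave the nesting inconsistent — hard to tell from the collapsed diff; a yamllint pass on the result would confirm.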
@@ -145,48 +115,21 @@ become_user: root vars: wazuh_manager_config: - authd: - enable: false - port: 1515 - use_source_ip: 'no' - force_insert: 'yes' - force_time: 0 - purge: 'yes' - use_password: 'no' - limit_maxagents: 'yes' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' connection: - type: 'secure' port: '1514' protocol: 'tcp' queue_size: 131072 api: - port: "55000" https: 'yes' cluster: disable: 'no' - name: 'wazuh' node_name: 'worker_01' node_type: 'worker' key: 'c98b62a9b6169ac5f67dae55ae4a9088' - port: '1516' - bind_addr: '0.0.0.0' nodes: - '"{{ hostvars.manager.private_ip }}"' hidden: 'no' - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_manager_version: 3.13.2 - filebeat_version: 7.9.1 - filebeat_security: true - elasticsearch_security_user: wazuh - elasticsearch_security_password: T3stP4ssw0rd filebeat_output_elasticsearch_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" @@ -200,11 +143,8 @@ become: yes become_user: root vars: - elasticsearch_jvm_xms: 2560 elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" elasticsearch_node_name: node-6 - opendistro_kibana_user: wazuh - opendistro_kibana_password: T3stP4ssw0rd elasticsearch_node_master: false elasticsearch_node_ingest: false elasticsearch_node_data: false 
@@ -217,21 +157,6 @@ - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" kibana_node_name: node-6 - opendistro_standalone_installation: false - ansible_ssh_user: centos - ansible_ssh_private_key_file: /home/zenid/.ssh/core-dev-nv.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - wazuh_version: 3.13.2 - elastic_stack_version: 7.9.1 - opendistro_version: 1.10.1 - kibana_opendistro_version: -1.10.1-1 - elasticsearch_cluster_name: wazuh - kibana_opendistro_security: true - opendistro_admin_password: T3stP4ssw0rd - opendistro_custom_user: wazuh - opendistro_custom_user_role: admin - node_options: "--max-old-space-size=2048" - certs_gen_tool_url: https://wazuh-demo.s3-us-west-1.amazonaws.com/search-guard-tlstool-1.7.zip wazuh_api_credentials: - id: default url: https://{{ hostvars.manager.private_ip }} From bc6e4264761e1f0162bb19392c690ea4dc6970aa Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:45:00 +0200 Subject: [PATCH 14/26] Wazuh and ODFE single node playbook --- playbooks/wazuh-odfe-single.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 playbooks/wazuh-odfe-single.yml diff --git a/playbooks/wazuh-odfe-single.yml b/playbooks/wazuh-odfe-single.yml new file mode 100644 index 00000000..ce98cfaf --- /dev/null +++ b/playbooks/wazuh-odfe-single.yml @@ -0,0 +1,21 @@ +--- +# Single node + - hosts: + become: yes + become_user: root + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + - role: ../roles/opendistro/opendistro-kibana + vars: + single_node: true + minimum_master_nodes: 1 + elasticsearch_node_master: true + elasticsearch_network_host: + filebeat_node_name: node-1 + filebeat_output_elasticsearch_hosts: + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: \ No newline at end of file 
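Review bot: In the new `playbooks/wazuh-odfe-single.yml` the play's `- hosts:` is left empty, which YAML reads as null and Ansible rejects as a missing required field, so the playbook cannot run as committed; the README example added in the next patch uses `- hosts: server`, so the same line belongs here. `elasticsearch_network_host:`, `filebeat_output_elasticsearch_hosts:` and `ip:` are likewise null rather than empty strings; if they are meant to be filled in by the user, a comment such as `# set to this node's private address` above each would make that explicit, since a null `elasticsearch_network_host` will not render a usable `network.host` in the elasticsearch template. The file also ends without a trailing newline and uses `become: yes` where the rest of the patch series is moving to `true`/`false` booleans.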
From 5696a0835496ccad39e6fb2e43a207224905e3a8 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:46:05 +0200 Subject: [PATCH 15/26] Updating README with single node example --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index b6755343..c0f02bde 100644 --- a/README.md +++ b/README.md @@ -278,7 +278,42 @@ ansible-playbook wazuh-odfe-production-ready.yml -i inventory The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and ODFE components in a single node. ```yaml +--- +# Single node + - hosts: server + become: yes + become_user: root + roles: + - role: ../roles/opendistro/opendistro-elasticsearch + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + - role: "../roles/opendistro/opendistro-kibana" + vars: + single_node: true + minimum_master_nodes: 1 + elasticsearch_node_master: true + elasticsearch_network_host: + filebeat_node_name: node-1 + filebeat_output_elasticsearch_hosts: + ansible_ssh_user: vagrant + ansible_ssh_private_key_file: /path/to/ssh/key.pem + ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: +``` +### Inventory file + +```ini +[server] + + +[all:vars] +ansible_ssh_user=vagrant +ansible_ssh_private_key_file=/path/to/ssh/key.pem +ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` ### Launching playbook @@ -287,6 +322,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing ansible-playbook wazuh-odfe-single.yml -i inventory ``` +After the playbooks execution ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From 672470344a7a81699edb0a4403c6018bd39dc5c8 Mon Sep 17 00:00:00 2001 
From: zenidd Date: Thu, 15 Oct 2020 18:46:55 +0200 Subject: [PATCH 16/26] Update certs generation tool URL. Bump versions. Set variables to correct value --- .../opendistro/opendistro-elasticsearch/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 1ece22c7..bd0d1e46 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -3,10 +3,10 @@ es_version: "7.8.0" es_major_version: "7.x" -opendistro_version: 1.9.0 +opendistro_version: 1.10.1 -elasticsearch_cluster_name: wazuh-cluster -single_node: true +single_node: false +elasticsearch_node_name: node-1 opendistro_cluster_name: wazuh elasticsearch_node_data: true elasticsearch_node_ingest: true @@ -56,7 +56,7 @@ opendistro_http_port: 9200 certs_gen_tool_version: 1.7 # Url of Search Guard certificates generator tool -certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" +certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' From 6de730bf9762687ffe21e10b2f3392055f338521 Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:47:31 +0200 Subject: [PATCH 17/26] Avoid checking for green status on single node --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7c5b3262..b429af26 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
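Review bot: The new `certs_gen_tool_url` in the `@@ -56,7 +56,7 @@` hunk switches the download of the Search Guard TLS tool to a Maven remotecontent endpoint without adding any integrity pin, and this archive is what generates the cluster's CA and node certificates, so whatever that URL serves becomes the root of trust for inter-node TLS. The task that fetches it is outside this hunk, so I cannot confirm the module used, but if it is `get_url` a default such as `certs_gen_tool_checksum: "sha256:<digest of search-guard-tlstool-1.7.zip>"` passed as `checksum:` would pin the artifact independently of the mirror. A short comment above the URL noting that the old floragunn release path was replaced and why would also help the next person who has to move it again.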
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -70,6 +70,7 @@ tags: debug when: - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] + - single_node == false - name: Wait for Elasticsearch API (Private IP) uri: @@ -86,7 +87,8 @@ delay: 5 tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + - single_node == false - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" From 1e6e389ff431c57474d5dc9e51405a697bc9fa3a Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:48:05 +0200 Subject: [PATCH 18/26] Add single node option to ODFE configuration template --- .../opendistro-elasticsearch/templates/elasticsearch.yml.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index fa98feea..96e585e2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,4 +1,4 @@ -cluster.name: {{ elasticsearch_cluster_name }} +cluster.name: {{ opendistro_cluster_name }} node.name: {{ elasticsearch_node_name }} path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch @@ -6,6 +6,9 @@ network.host: {{ elasticsearch_network_host }} node.master: {{ elasticsearch_node_master|lower }} +{% if single_node == true %} +discovery.type: single-node +{% else %} cluster.initial_master_nodes: {% for item in elasticsearch_cluster_nodes %} - {{ item }} @@ -15,6 +18,7 @@ discovery.seed_hosts: {% for item in elasticsearch_discovery_nodes %} - {{ item }} {% endfor %} +{% endif %} {% if elasticsearch_node_data|lower == 'false' %} node.data: false 
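Review bot: The added `- single_node == false` conditions in both hunks of this file (`@@ -70,6 +70,7 @@` and `@@ -86,7 +87,8 @@`), and the matching `{% if single_node == true %}` in the `elasticsearch.yml.j2` hunk of the following patch, compare against a literal boolean; when `single_node` arrives as the string `"true"`/`"false"` from `-e` or an inventory file, neither comparison matches and the wait tasks run while the template falls into the multi-node branch. The idiomatic and type-safe forms are `- not (single_node | bool)` in the two `when:` lists and `{% if single_node | bool %}` in the template. Skipping the API wait entirely on a single node also removes the only ordering guarantee before the manager, filebeat and kibana roles run; if the concern is that a lone node never reaches green, a wait for a `yellow` status under `single_node` would preserve that guarantee, though the wait task itself is outside this hunk. The second hunk also rewrites the `private_ip` condition line with what appears to be a whitespace-only difference, which is worth confirming is intentional.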
From 0201da6f0f9c8939663b6f38604567865dbf7dfb Mon Sep 17 00:00:00 2001 From: zenidd Date: Thu, 15 Oct 2020 18:48:18 +0200 Subject: [PATCH 19/26] Bump versions --- roles/opendistro/opendistro-kibana/defaults/main.yml | 5 ++--- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 2c285c8d..8bf679f0 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -6,7 +6,6 @@ elasticsearch_nodes: |- {% for item in groups['es_cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} -elasticsearch_network_host: 172.16.0.161 elastic_api_protocol: https kibana_conf_path: /etc/kibana kibana_node_name: node-1 @@ -14,12 +13,12 @@ kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.8.0 +elastic_stack_version: 7.9.1 wazuh_version: 3.13.2 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository -kibana_opendistro_version: -1.9.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +kibana_opendistro_version: -1.10.1-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts package_repos: yum: diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 110cc9d7..d31b6057 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -1,5 +1,5 @@ --- -filebeat_version: 7.8.0 +filebeat_version: 7.9.1 wazuh_template_branch: v3.13.2 From dff5798a7fa8796a08c745a5f22aec6674c14c32 Mon Sep 17 00:00:00 2001 
From: zenidd Date: Thu, 15 Oct 2020 18:50:50 +0200 Subject: [PATCH 20/26] Minor readme fix --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0f02bde..557b288d 100644 --- a/README.md +++ b/README.md @@ -272,6 +272,8 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-production-ready.yml -i inventory ``` +After the playbook execution, Wazuh UI should be reachable through `https://:5601` + ## Example: single-host environment ### Playbook @@ -322,7 +324,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-single.yml -i inventory ``` -After the playbooks execution +After the playbook execution, Wazuh UI should be reachable through `https://:5601` ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From f7d191fd31c13840ff1150332b79987f8eb75886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Pablo=20S=C3=A1ez=20Guti=C3=A9rrez?= Date: Fri, 16 Oct 2020 12:32:05 +0200 Subject: [PATCH 21/26] Update README.md Minor syntax fixes Co-authored-by: Manuel J. Bernal --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 557b288d..cb79b246 100644 --- a/README.md +++ b/README.md @@ -245,7 +245,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. -The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. +The SSH credentials used by Ansible during the provision can be specified in this file too. Another option is to include them directly in the playbook. ```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 
From 8990e2864d1e070dea74ef4e899ccac1e88d67dc Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:12:14 +0200 Subject: [PATCH 22/26] Clearer inventory file description --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 557b288d..01f2533f 100644 --- a/README.md +++ b/README.md @@ -243,9 +243,10 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod ### Inventory file -The inventory file sets the public and private address of each node. The public addresses are used to gather facts and provision the instances while the private addresses are used for the cluster communications. - -The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. +- The `ansible_host` variable should contain the `address/FQDN` used to gather facts and provision each node. +- The `private_ip` variable should contain the `address/FQDN` used for the internal cluster communications. +- Whether the environment is located in a local subnet, `ansible_host` and `private_ip` variables should match. +- The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. ```ini es1 ansible_host= private_ip= elasticsearch_node_name=node-1 From 653eecca1b6b91d9a95f90af08d05f3df909e6a5 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:12:56 +0200 Subject: [PATCH 23/26] minor syntax fix --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 01f2533f..44e834f7 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ ansible_ssh_private_key_file=/path/to/ssh/key.pem ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` -### Launching playbook +### Launching the playbook ```bash ansible-playbook wazuh-odfe-production-ready.yml -i inventory 
@@ -319,7 +319,7 @@ ansible_ssh_private_key_file=/path/to/ssh/key.pem ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ``` -### Launching playbook +### Launching the playbook ```bash ansible-playbook wazuh-odfe-single.yml -i inventory From c265a6db4be4ad5a6ddffd3b7b767ad0c2a0a656 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:13:35 +0200 Subject: [PATCH 24/26] minor syntax fix2 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 44e834f7..4fb71fa9 100644 --- a/README.md +++ b/README.md @@ -273,7 +273,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-production-ready.yml -i inventory ``` -After the playbook execution, Wazuh UI should be reachable through `https://:5601` +After the playbook execution, the Wazuh UI should be reachable through `https://:5601` ## Example: single-host environment @@ -325,7 +325,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ansible-playbook wazuh-odfe-single.yml -i inventory ``` -After the playbook execution, Wazuh UI should be reachable through `https://:5601` +After the playbook execution, the Wazuh UI should be reachable through `https://:5601` ## Branches * `master` branch on correspond to the last Wazuh-Ansible stable version. From 58eb10c6dc74a0a03fc3f5b30ce3eeb996ddd8e3 Mon Sep 17 00:00:00 2001 From: zenidd Date: Fri, 16 Oct 2020 14:19:05 +0200 Subject: [PATCH 25/26] Fix branches description --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4fb71fa9..c9f54929 100644 --- a/README.md +++ b/README.md 
@@ -7,6 +7,10 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. +## Branches +* `master` branch corresponds to the latest Wazuh Ansible changes. It might be unstable. +* `3.13` branch on correspond to the last Wazuh Ansible stable version. + ## Documentation * [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html) @@ -327,9 +331,6 @@ ansible-playbook wazuh-odfe-single.yml -i inventory After the playbook execution, the Wazuh UI should be reachable through `https://:5601` -## Branches -* `master` branch on correspond to the last Wazuh-Ansible stable version. - ## Contribute If you want to contribute to our repository, please fork our Github repository and submit a pull request. From dbd9b1a52ad06e6bad93c51fb258e2e711705d8c Mon Sep 17 00:00:00 2001 From: zenidd Date: Mon, 19 Oct 2020 14:15:35 +0200 Subject: [PATCH 26/26] Update wazuh agent MD5 --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 88bd6ab0..b708772b 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -66,7 +66,7 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: d0f13c0c417c74ccbad7b45f66518513 + md5: 101917472eef112270d83aa077b75670 wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.2-1.msi wazuh_winagent_package_name: wazuh-agent-3.13.2-1.msi wazuh_agent_config: