Merge master changes

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -29,7 +29,6 @@ elasticsearch_node_ingest: true
 
 # X-Pack Security
 elasticsearch_xpack_security: false
-elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
 node_certs_generator: false

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -31,8 +31,6 @@ kibana_ssl_verification_mode: "full"
 elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
-node_certs_generator: false
-node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/kibana/certs
 
 # CA Generation

roles/opendistro/opendistro-elasticsearch/defaults/main.yml

@@ -1,8 +1,5 @@
 ---
 # Cluster Settings
-es_version: "7.9.1"
-es_major_version: "7.x"
-
 opendistro_version: 1.11.0
 
 single_node: false
@@ -38,13 +35,8 @@ package_repos:
 opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
 opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
 opendistro_conf_path: /etc/elasticsearch/
-es_nodes: |-
-        {% for item in groups['es_cluster'] -%}
-          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
-        {%- endfor %}
 
 # Security password
-opendistro_security_password: admin
 opendistro_custom_user: ""
 opendistro_custom_user_role: "admin"
 
@@ -58,11 +50,6 @@ certs_gen_tool_version: 1.8
 # Url of Search Guard certificates generator tool
 certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
 
-elasticrepo:
-  apt: 'https://artifacts.elastic.co/packages/7.x/apt'
-  yum: 'https://artifacts.elastic.co/packages/7.x/yum'
-  gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
-  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
 
 opendistro_admin_password: changeme
 opendistro_kibana_password: changeme

roles/opendistro/opendistro-kibana/defaults/main.yml

@@ -2,10 +2,6 @@
 
 # Kibana configuration
 elasticsearch_http_port: 9200
-elasticsearch_nodes: |-
-        {% for item in groups['es_cluster'] -%}
-          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
-        {%- endfor %}
 elastic_api_protocol: https
 kibana_conf_path: /etc/kibana
 kibana_node_name: node-1
@@ -44,7 +40,6 @@ kibana_newsfeed_enabled: "false"
 kibana_telemetry_optin: "false"
 kibana_telemetry_enabled: "false"
 
-opendistro_security_user: elastic
 opendistro_admin_password: changeme
 opendistro_kibana_user: kibanaserver
 opendistro_kibana_password: changeme

roles/wazuh/ansible-filebeat-oss/README.md

@@ -19,7 +19,6 @@ Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
 ```
-  filebeat_output_elasticsearch_enabled: false
   filebeat_output_elasticsearch_hosts:
     - "localhost:9200"
 

roles/wazuh/ansible-filebeat-oss/defaults/main.yml

@@ -3,9 +3,6 @@ filebeat_version: 7.9.1
 
 wazuh_template_branch: v4.0.1
 
-filebeat_create_config: true
-
-filebeat_output_elasticsearch_enabled: false
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"
 
@@ -18,8 +15,6 @@ elasticsearch_security_user: admin
 elasticsearch_security_password: changeme
 # Security plugin
 filebeat_security: true
-filebeat_security_user: admin
-filebeat_security_password: changeme
 filebeat_ssl_dir: /etc/pki/filebeat
 
 # Local path to store the generated certificates (OpenDistro security plugin)

roles/wazuh/ansible-filebeat/README.md

@@ -19,7 +19,6 @@ Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
 ```
-  filebeat_output_elasticsearch_enabled: false
   filebeat_output_elasticsearch_hosts:
     - "localhost:9200"
 

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -5,29 +5,11 @@ wazuh_template_branch: v4.0.1
 
 filebeat_create_config: true
 
-filebeat_prospectors:
-  - input_type: log
-    paths:
-      - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-
 filebeat_node_name: node-1
 
-filebeat_output_elasticsearch_enabled: false
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"
 
-filebeat_enable_logging: true
-filebeat_log_level: debug
-filebeat_log_dir: /var/log/mybeat
-filebeat_log_filename: mybeat.log
-filebeat_ssl_dir: /etc/pki/filebeat
-filebeat_ssl_certificate_file: ""
-filebeat_ssl_insecure: "false"
-
 filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
 filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
 filebeat_module_package_path: /tmp/
@@ -40,11 +22,8 @@ filebeat_xpack_security: false
 elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
-node_certs_generator : false
-node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/filebeat/certs
 
-
 # CA Generation
 master_certs_path: "{{ playbook_dir }}/es_certs"
 generate_CA: true

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -32,19 +32,11 @@ wazuh_agent_sources_installation:
   user_agent_config_profile: null
   user_ca_store: "/var/ossec/wpk_root.pem"
 
-wazuh_managers:
-  - address: 127.0.0.1
-    port: 1514
-    protocol: tcp
-    api_port: 55000
-    api_proto: 'http'
-    api_user: null
-    max_retries: 5
-    retry_interval: 5
 wazuh_api_reachable_from_agent: false
 wazuh_profile_centos: 'centos, centos7, centos7.6'
 wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
 wazuh_auto_restart: 'yes'
+
 wazuh_agent_authd:
   registration_address: 127.0.0.1
   enable: false
@@ -69,23 +61,110 @@ wazuh_winagent_config:
   md5: f2444d89dab2c4c31bbdef454c95eb28
 wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.1-1.msi
 wazuh_winagent_package_name: wazuh-agent-4.0.1-1.msi
-wazuh_agent_config:
+
-  repo:
+wazuh_agent_repo:
   apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
   yum: 'https://packages.wazuh.com/4.x/yum/'
   gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
   key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
-  active_response:
+
-    ar_disabled: 'no'
+wazuh_agent_nat: false
-    ca_store: '/var/ossec/etc/wpk_root.pem'
+
-    ca_store_win: 'wpk_root.pem'
+##########################################
-    ca_verification: 'yes'
+### Wazuh
-  log_format: 'plain'
+##########################################
-  client_buffer:
+
+wazuh_agent_config_overlay: yes
+
+## Client
+wazuh_managers:
+  - address: 127.0.0.1
+    port: 1514
+    protocol: tcp
+    api_port: 55000
+    api_proto: 'http'
+    api_user: null
+    max_retries: 5
+    retry_interval: 5
+
+## Enrollment
+wazuh_agent_enrollment:
+  enabled: ''
+  manager_address: ''
+  port: 1515
+  agent_name: 'testname'
+  groups: ''
+  agent_address: ''
+  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+  server_ca_path: ''
+  agent_certificate_path: ''
+  agent_key_path: ''
+  authorization_pass_path: /var/ossec/etc/authd.pass
+  auto_method: 'no'
+  delay_after_enrollment: 20
+  use_source_ip: 'no'
+
+## Client buffer
+wazuh_agent_client_buffer:
   disable: 'no'
   queue_size: '5000'
   events_per_sec: '500'
-  syscheck:
+
+## Rootcheck
+wazuh_agent_rootcheck:
+  frequency: 43200
+
+## Wodles
+wazuh_agent_openscap:
+  disable: 'yes'
+  timeout: 1800
+  interval: '1d'
+  scan_on_start: 'yes'
+
+wazuh_agent_cis_cat:
+  disable: 'yes'
+  install_java: 'no'
+  timeout: 1800
+  interval: '1d'
+  scan_on_start: 'yes'
+  java_path: 'wodles/java'
+  java_path_win: '\\server\jre\bin\java.exe'
+  ciscat_path: 'wodles/ciscat'
+  ciscat_path_win: 'C:\cis-cat'
+
+wazuh_agent_osquery:
+  disable: 'yes'
+  run_daemon: 'yes'
+  bin_path_win: 'C:\Program Files\osquery\osqueryd'
+  log_path: '/var/log/osquery/osqueryd.results.log'
+  log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
+  config_path: '/etc/osquery/osquery.conf'
+  config_path_win: 'C:\Program Files\osquery\osquery.conf'
+  add_labels: 'yes'
+
+wazuh_agent_syscollector:
+  disable: 'no'
+  interval: '1h'
+  scan_on_start: 'yes'
+  hardware: 'yes'
+  os: 'yes'
+  network: 'yes'
+  packages: 'yes'
+  ports_no: 'yes'
+  processes: 'yes'
+
+## SCA
+wazuh_agent_sca:
+  enabled: 'yes'
+  scan_on_start: 'yes'
+  interval: '12h'
+  skip_nfs: 'yes'
+  day: ''
+  wday: ''
+  time: ''
+
+## Syscheck
+wazuh_agent_syscheck:
   frequency: 43200
   scan_on_start: 'yes'
   auto_ignore: 'no'
@@ -153,7 +232,6 @@ wazuh_agent_config:
       checks: 'recursion_level="0" restrict="winrm.vbs$"'
     - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
       checks: 'realtime="yes"'
-
   windows_registry:
     - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
     - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
@@ -193,51 +271,9 @@ wazuh_agent_config:
     - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
     - key: '\Enum$'
       type: "sregex"
-  rootcheck:
+
-    frequency: 43200
+## Localfile
-  openscap:
+wazuh_agent_localfiles:
-    disable: 'yes'
-    timeout: 1800
-    interval: '1d'
-    scan_on_start: 'yes'
-  osquery:
-    disable: 'yes'
-    run_daemon: 'yes'
-    bin_path_win: 'C:\Program Files\osquery\osqueryd'
-    log_path: '/var/log/osquery/osqueryd.results.log'
-    log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
-    config_path: '/etc/osquery/osquery.conf'
-    config_path_win: 'C:\Program Files\osquery\osquery.conf'
-    add_labels: 'yes'
-  syscollector:
-    disable: 'no'
-    interval: '1h'
-    scan_on_start: 'yes'
-    hardware: 'yes'
-    os: 'yes'
-    network: 'yes'
-    packages: 'yes'
-    ports_no: 'yes'
-    processes: 'yes'
-  sca:
-    enabled: 'yes'
-    scan_on_start: 'yes'
-    interval: '12h'
-    skip_nfs: 'yes'
-    day: ''
-    wday: ''
-    time: ''
-  cis_cat:
-    disable: 'yes'
-    install_java: 'no'
-    timeout: 1800
-    interval: '1d'
-    scan_on_start: 'yes'
-    java_path: 'wodles/java'
-    java_path_win: '\\server\jre\bin\java.exe'
-    ciscat_path: 'wodles/ciscat'
-    ciscat_path_win: 'C:\cis-cat'
-  localfiles:
   debian:
     - format: 'syslog'
       location: '/var/log/auth.log'
@@ -279,24 +315,40 @@ wazuh_agent_config:
       location: 'System'
     - format: 'syslog'
       location: 'active-response\active-responses.log'
-  labels:
+
+## Labels
+wazuh_agent_labels:
   enable: false
   list:
     - key: Env
       value: Production
-  enrollment:
+
-    enabled: ''
+## Active response
-    manager_address: ''
+wazuh_agent_active_response:
-    port: 1515
+  ar_disabled: 'no'
-    agent_name: 'testname'
+  ca_store: '/var/ossec/etc/wpk_root.pem'
-    groups: ''
+  ca_store_win: 'wpk_root.pem'
-    agent_address: ''
+  ca_verification: 'yes'
-    ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+
-    server_ca_path: ''
+## Logging
-    agent_certificate_path: ''
+wazuh_agent_log_format: 'plain'
-    agent_key_path: ''
+
-    authorization_pass_path : /var/ossec/etc/authd.pass
+# wazuh_agent_config
-    auto_method: 'no'
+wazuh_agent_config_defaults:
-    delay_after_enrollment: 20
+  repo: '{{ wazuh_agent_repo }}'
-    use_source_ip: 'no'
+  active_response: '{{ wazuh_agent_active_response }}'
-wazuh_agent_nat: false
+  log_format: '{{ wazuh_agent_log_format }}'
+  client_buffer: '{{ wazuh_agent_client_buffer }}'
+  syscheck: '{{ wazuh_agent_syscheck }}'
+
+  rootcheck: '{{ wazuh_agent_rootcheck }}'
+  openscap: '{{ wazuh_agent_openscap }}'
+
+  osquery: '{{ wazuh_agent_osquery }}'
+  syscollector: '{{ wazuh_agent_syscollector }}'
+  sca: '{{ wazuh_agent_sca }}'
+  cis_cat: '{{ wazuh_agent_cis_cat }}'
+  localfiles: '{{ wazuh_agent_localfiles }}'
+
+  labels: '{{ wazuh_agent_labels }}'
+  enrollment: '{{ wazuh_agent_enrollment }}'

roles/wazuh/ansible-wazuh-agent/tasks/main.yml

@@ -1,4 +1,12 @@
 ---
+
+- name: Overlay wazuh_agent_config on top of defaults
+  set_fact:
+    wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}'
+  vars:
+    config_layer: '{{ wazuh_agent_config | default({}) }}'
+  when: wazuh_agent_config_overlay | bool
+
 - include_tasks: "Windows.yml"
   when: ansible_os_family == "Windows"