diff --git a/.gitignore b/.gitignore index 04c7b54b..107a85d0 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,6 @@ wazuh-elastic_stack-single.yml wazuh-elastic.yml wazuh-kibana.yml wazuh-manager.yml -*.pyc \ No newline at end of file +*.pyc +Pipfile.lock +*.swp diff --git a/CHANGELOG.md b/CHANGELOG.md old mode 100644 new mode 100755 index af79a017..520661ef --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,201 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.12.0_7.6.1] + +### Added + +- Update to Wazuh v3.12.0 +- Added registration address variable to wazuh-agent playbook ([@Zenidd](https://github.com/Zenidd)) [PR#392](https://github.com/wazuh/wazuh-ansible/pull/392) + +### Changed + +- Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386) +- Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383) +- Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393) +- Add the option to create agent groups and add an agent to 1 or more group. ([@rshad](https://github.com/rshad)) [PR#361](https://github.com/wazuh/wazuh-ansible/pull/361) + + +### Fixed + +- Removed bad formed XML comments. ([@manuasir](https://github.com/manuasir)) [PR#391](https://github.com/wazuh/wazuh-ansible/pull/391) +- NodeJS node_options variable and Kibana plugin optimization fix. ([@Zenidd](https://github.com/Zenidd)) [PR#385](https://github.com/wazuh/wazuh-ansible/pull/385) +- Restrictive permissions for certificate files. ([@Zenidd](https://github.com/Zenidd)) [PR#382](https://github.com/wazuh/wazuh-ansible/pull/382) + +## [v3.11.4_7.6.1] + +### Added + +- Update to Wazuh v3.11.4 +- Support for RHEL/CentOS 8 ([@jm404](https://github.com/jm404)) [PR#377](https://github.com/wazuh/wazuh-ansible/pull/377) + +### Changed + +- Disabled shared configuration by default ([@jm404](https://github.com/jm404)) [PR#369](https://github.com/wazuh/wazuh-ansible/pull/369) +- Add chdir argument to Wazuh Kibana Plugin installation tasks ([@jm404](https://github.com/jm404)) [PR#375](https://github.com/wazuh/wazuh-ansible/pull/375) +- Adjustments for systems without (direct) internet connection ([@joschneid](https://github.com/joschneid)) [PR#348](https://github.com/wazuh/wazuh-ansible/pull/348) + +### Fixed + +- Avoid to install Wazuh API in worker nodes ([@manuasir](https://github.com/manuasir)) [PR#371](https://github.com/wazuh/wazuh-ansible/pull/371) +- Conditionals of custom Wazuh packages installation tasks ([@rshad](https://github.com/rshad)) [PR#372](https://github.com/wazuh/wazuh-ansible/pull/372) +- Fix Ansible elastic_stack-distributed template ([@francobep](https://github.com/francobep)) [PR#352](https://github.com/wazuh/wazuh-ansible/pull/352) +- Fix manager API verification ([@Zenidd](https://github.com/Zenidd)) [PR#360](https://github.com/wazuh/wazuh-ansible/pull/360) + +## [v3.11.3_7.5.2] + +### Added + +- Update to Wazuh v3.11.3 + +### Fixed + +- Fix Wazuh Agent configuration file for RHEL 8 ([@xr09](https://github.com/xr09)) [PR#354](https://github.com/wazuh/wazuh-ansible/pull/354) +- Fix default port used in Wazuh Agent playbook ([@jm404](https://github.com/jm404)) [PR#347](https://github.com/wazuh/wazuh-ansible/pull/347) + +## [v3.11.2_7.5.1] + +### Added + +- Update to Wazuh v3.11.2 + +### Changed + +- Update templates for Python 3 compatibility ([@xr09](https://github.com/xr09)) [PR#344](https://github.com/wazuh/wazuh-ansible/pull/344) + +## [v3.11.1_7.5.1] + +### Added + +- Update to Wazuh v3.11.1 + + +## [v3.11.0_7.5.1] + +### Added + +- Update to Wazuh v3.11.0 + +- Implemented changes to configure Wazuh API using the `wazuh.yml` file ([@xr09](https://github.com/xr09)) [PR#342](https://github.com/wazuh/wazuh-ansible/pull/342) + +- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302) + +- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252) + +- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261) + +- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270) + +- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260) + +- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281) + +- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292) + + +### Changed + +- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285) + +- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286) + +- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288) + +- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304) + +- Agent installation task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310) + +- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320) + +- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330) + +- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329) + + +### Fixed + +- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251) + +- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298) +- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299) + +- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334) + + +## [v3.11.0_7.3.2] + +### Added + +- Update to Wazuh v3.11.0 + +### Changed + +- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b) + +- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246) + +### Fixed + +- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36) + +## [v3.10.0_7.3.2] + +### Added + +- Update to Wazuh v3.10.0 + +### Changed + +- Updated Kibana [@jm404](https://github.com/jm404) [#237](https://github.com/wazuh/wazuh-ansible/pull/237) +- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222) +- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files) +- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455) + +### Fixed + +- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227) +- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229) +- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232) +- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234) + +### Fixed + +- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265) + +## [v3.9.5_7.2.1] + +### Added + +- Update to Wazuh v3.9.5 +- Update to Elastic Stack to v7.2.1 + +## [v3.9.4_7.2.0] + +### Added + +- Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208) + +### Changed + +- Default protocol to TCP [@ionphractal](https://github.com/ionphractal) [#204](https://github.com/wazuh/wazuh-ansible/pull/204). + +### Fixed + +- Fixed network.host is not localhost [@rshad](https://github.com/rshad) [#204](https://github.com/wazuh/wazuh-ansible/pull/212). + +## [v3.9.3_7.2.0] + +### Added +- Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) +- Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) +- Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) +- Fixes for Wazuh components installations' related issues. Such issues were related to determined OS distributions such as `Ubuntu Trusty` and `CetOS 6`. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) +- Created Ansible playbook and role in order to automate the uninstallation of already installed Wazuh components. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#)) + + ## [v3.9.2_7.1.1] -### Added +### Added - Update to Wazuh v3.9.2 - Support for Elastic 7 @@ -11,13 +203,13 @@ All notable changes to this project will be documented in this file. ## [v3.9.2_6.8.0] -### Added +### Added - Update to Wazuh v3.9.2 ## [v3.9.1] -### Added +### Added - Update to Wazuh v3.9.1 - Support for ELK v6.8.0 @@ -45,7 +237,7 @@ All notable changes to this project will be documented in this file. ## [v3.8.2] -### Changed +### Changed - Update to Wazuh version v3.8.2. ([#150](https://github.com/wazuh/wazuh-ansible/pull/150)) @@ -145,4 +337,3 @@ Roles: - ansible-filebeat: This role is prepared to install filebeat on the host that runs it. - ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it. - ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it. - diff --git a/Pipfile b/Pipfile deleted file mode 100644 index 2bc7a896..00000000 --- a/Pipfile +++ /dev/null @@ -1,18 +0,0 @@ -[[source]] -url = "https://pypi.org/simple" -verify_ssl = true -name = "pypi" - -[packages] -molecule = "*" -docker-py = "*" -ansible = "*" - -[dev-packages] - -[requires] -python_version = "2.7" - -[scripts] -test ="molecule test" -agent ="molecule test -s wazuh-agent" diff --git a/README.md b/README.md index f684d1a8..257d15cc 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,21 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. * `master` branch contains the latest code, be aware of possible bugs on this branch. ## Testing + +1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible). + +``` +git clone https://github.com/wazuh/wazuh-qa +``` + +2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory: + +``` +cp wazuh-qa/ansible/wazuh-ansible/* . -R +``` + +3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios: + ``` pip install pipenv sudo pipenv install diff --git a/VERSION b/VERSION index 36af7bee..d6be8992 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-ANSIBLE_VERSION="v3.9.1" -REVISION="3901" +WAZUH-ANSIBLE_VERSION="v4" +REVISION="31140" diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 19692c20..00000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index e26493b8..00000000 --- a/molecule/default/INSTALL.rst +++ /dev/null @@ -1,16 +0,0 @@ -******* -Install -******* - -Requirements -============ - -* Docker Engine -* docker-py - -Install -======= - -.. code-block:: bash - - $ sudo pip install docker-py diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index 25932aee..00000000 --- a/molecule/default/create.yml +++ /dev/null @@ -1,81 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Log into a Docker registry - docker_login: - username: "{{ item.registry.credentials.username }}" - password: "{{ item.registry.credentials.password }}" - email: "{{ item.registry.credentials.email | default(omit) }}" - registry: "{{ item.registry.url }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ molecule_yml.platforms }}" - when: - - item.registry is defined - - item.registry.credentials is defined - - item.registry.credentials.username is defined - - - name: Create Dockerfiles from image names - template: - src: "{{ molecule_scenario_directory }}/Dockerfile.j2" - dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}" - with_items: "{{ molecule_yml.platforms }}" - register: platforms - - - name: Discover local Docker images - docker_image_facts: - name: "molecule_local/{{ item.item.name }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ platforms.results }}" - register: docker_images - - - name: Build an Ansible compatible image - docker_image: - path: "{{ molecule_ephemeral_directory }}" - name: "molecule_local/{{ item.item.image }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}" - force: "{{ item.item.force | default(true) }}" - with_items: "{{ platforms.results }}" - when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0 - - - name: Create docker network(s) - docker_network: - name: "{{ item }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: present - with_items: "{{ molecule_yml.platforms | molecule_get_docker_networks }}" - - - name: Create molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - hostname: "{{ item.name }}" - image: "molecule_local/{{ item.image }}" - state: started - recreate: false - log_driver: json-file - command: "{{ item.command | default('bash -c \"while true; do sleep 10000; done\"') }}" - privileged: "{{ item.privileged | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - capabilities: "{{ item.capabilities | default(omit) }}" - exposed_ports: "{{ item.exposed_ports | default(omit) }}" - published_ports: "{{ item.published_ports | default(omit) }}" - ulimits: "{{ item.ulimits | default(omit) }}" - networks: "{{ item.networks | default(omit) }}" - dns_servers: "{{ item.dns_servers | default(omit) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) creation to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index ddf7062b..00000000 --- a/molecule/default/destroy.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Destroy molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - force_kill: "{{ item.force_kill | default(true) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) deletion to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" - - - name: Delete docker network(s) - docker_network: - name: "{{ item }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - with_items: "{{ molecule_yml.platforms | molecule_get_docker_networks }}" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml deleted file mode 100644 index f37858bc..00000000 --- a/molecule/default/molecule.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - enabled: false -platforms: - - name: bionic - image: ubuntu:bionic - - name: xenial - image: solita/ubuntu-systemd:xenial - privileged: true - command: /sbin/init - - name: trusty - image: ubuntu:trusty - - name: centos6 - image: centos:6 - - name: centos7 - image: milcom/centos7-systemd - privileged: true -provisioner: - name: ansible - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true -scenario: - name: default - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - # - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 - enabled: true diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml deleted file mode 100644 index 639e6320..00000000 --- a/molecule/default/playbook.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - -# - {role: wazuh/ansible-filebeat} #, filebeat_output_elasticsearch_hosts: 'your elastic stack server IP' -# Elasticsearch requires too much memory to test multiple containers concurrently - To Fix -# - {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} -# - {role: elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'} diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index 1aa45e29..00000000 --- a/molecule/default/prepare.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py deleted file mode 100644 index 16a32b85..00000000 --- a/molecule/default/tests/test_default.py +++ /dev/null @@ -1,80 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def get_wazuh_version(): - """This return the version of Wazuh.""" - return "3.9.2" - - -def test_wazuh_packages_are_installed(host): - """Test if the main packages are installed.""" - manager = host.package("wazuh-manager") - api = host.package("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - if host.system_info.release == "7": - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - assert api.is_installed - assert api.version.startswith(get_wazuh_version()) - elif host.system_info.release.startswith("6"): - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - elif distribution == 'ubuntu': - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - - -def test_wazuh_services_are_running(host): - """Test if the services are enabled and running. - - When assert commands are commented, this means that the service command has - a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 - """ - manager = host.service("wazuh-manager") - api = host.service("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - # assert manager.is_running - assert manager.is_enabled - # assert not api.is_running - assert not api.is_enabled - elif distribution == 'ubuntu': - # assert manager.is_running - assert manager.is_enabled - # assert api.is_running - assert api.is_enabled - - -@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ - ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), - ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640), - ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640), - ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640), -]) -def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): - """Test if Wazuh related files exist and have proper owners and mode.""" - wazuh_file_host = host.file(wazuh_file) - - assert wazuh_file_host.user == wazuh_owner - assert wazuh_file_host.group == wazuh_group - assert wazuh_file_host.mode == wazuh_mode - - -def test_open_ports(host): - """Test if the main port is open and the agent-auth is not open.""" - distribution = host.system_info.distribution.lower() - if distribution == 'ubuntu': - assert host.socket("tcp://0.0.0.0:1515").is_listening - assert not host.socket("tcp://0.0.0.0:1514").is_listening - elif distribution == 'centos': - assert host.socket("tcp://:::1515").is_listening - assert not host.socket("tcp://:::1514").is_listening diff --git a/molecule/wazuh-agent/Dockerfile.j2 b/molecule/wazuh-agent/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/wazuh-agent/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/wazuh-agent/INSTALL.rst b/molecule/wazuh-agent/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/wazuh-agent/INSTALL.rst +++ /dev/null @@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' diff --git a/molecule/wazuh-agent/molecule.yml b/molecule/wazuh-agent/molecule.yml deleted file mode 100644 index f64bc114..00000000 --- a/molecule/wazuh-agent/molecule.yml +++ /dev/null @@ -1,82 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint -platforms: - - name: wazuh_server_centos7 - image: milcom/centos7-systemd - networks: - - name: wazuh - privileged: true - groups: - - manager - - name: wazuh_agent_bionic - image: ubuntu:bionic - networks: - - name: wazuh - groups: - - agent - - name: wazuh_agent_xenial - image: solita/ubuntu-systemd:xenial - privileged: true - command: /sbin/init - networks: - - name: wazuh - groups: - - agent - - name: wazuh_agent_trusty - image: ubuntu:trusty - networks: - - name: wazuh - groups: - - agent - - name: wazuh_agent_centos6 - image: centos:6 - networks: - - name: wazuh - groups: - - agent - - name: wazuh_agent_centos7 - image: milcom/centos7-systemd - privileged: true - networks: - - name: wazuh - groups: - - agent -provisioner: - name: ansible - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - inventory: - group_vars: - agent: - api_pass: password - wazuh_managers: - - address: "{{ wazuh_manager_ip }}" - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: null - wazuh_agent_authd: - enable: true - port: 1515 - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' - - lint: - name: ansible-lint - enabled: true -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/wazuh-agent/playbook.yml b/molecule/wazuh-agent/playbook.yml deleted file mode 100644 index 5b869569..00000000 --- a/molecule/wazuh-agent/playbook.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Converge - hosts: agent - pre_tasks: - - name: "Get ip Wazuh Manager" - shell: | - set -o pipefail - grep $(hostname) /etc/hosts | awk '{print $1}' | sort | head -n 2 | tail -n 1 - register: wazuh_manager_ip_stdout - changed_when: false - delegate_to: wazuh_server_centos7 - args: - executable: /bin/bash - - - name: "Set fact for ip address" - set_fact: - wazuh_manager_ip: "{{ wazuh_manager_ip_stdout.stdout }}" - - roles: - - role: wazuh/ansible-wazuh-agent diff --git a/molecule/wazuh-agent/prepare.yml b/molecule/wazuh-agent/prepare.yml deleted file mode 100644 index ddb1bbe1..00000000 --- a/molecule/wazuh-agent/prepare.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: Prepare - hosts: manager - gather_facts: true - tasks: - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - roles: - - role: wazuh/ansible-wazuh-manager - -- name: Prepare - hosts: agent - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_agent_dependencies_packages_installed - until: wazuh_agent_dependencies_packages_installed is succeeded diff --git a/molecule/wazuh-agent/tests/test_agents.py b/molecule/wazuh-agent/tests/test_agents.py deleted file mode 100644 index 5867dc2f..00000000 --- a/molecule/wazuh-agent/tests/test_agents.py +++ /dev/null @@ -1,23 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('agent') - - -def test_ossec_package_installed(Package): - ossec = Package('wazuh-agent') - assert ossec.is_installed - - -@pytest.mark.parametrize("wazuh_service, wazuh_owner", ( - ("ossec-agentd", "ossec"), - ("ossec-execd", "root"), - ("ossec-syscheckd", "root"), - ("wazuh-modulesd", "root"), -)) -def test_wazuh_processes_running(host, wazuh_service, wazuh_owner): - master = host.process.get(user=wazuh_owner, comm=wazuh_service) - assert master.args == "/var/ossec/bin/" + wazuh_service diff --git a/molecule/wazuh-agent/tests/test_manager.py b/molecule/wazuh-agent/tests/test_manager.py deleted file mode 100644 index 9b085b2b..00000000 --- a/molecule/wazuh-agent/tests/test_manager.py +++ /dev/null @@ -1,15 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('manager') - - -def test_agents_registered_on_manager(host): - cmd = host.run("/var/ossec/bin/manage_agents -l") - assert 'wazuh_agent_bionic' in cmd.stdout - assert 'wazuh_agent_xenial' in cmd.stdout - assert 'wazuh_agent_trusty' in cmd.stdout - assert 'wazuh_agent_centos6' in cmd.stdout - assert 'wazuh_agent_centos7' in cmd.stdout diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml index 8c7eaa69..806b07c0 100644 --- a/playbooks/wazuh-agent.yml +++ b/playbooks/wazuh-agent.yml @@ -1,7 +1,7 @@ --- - hosts: roles: - - /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent + - ../roles/wazuh/ansible-wazuh-agent vars: wazuh_managers: - address: @@ -11,6 +11,7 @@ api_proto: 'http' api_user: ansible wazuh_agent_authd: + registration_address: enable: true port: 1515 ssl_agent_ca: null diff --git a/playbooks/wazuh-elastic.yml b/playbooks/wazuh-elastic.yml index 0c3b0a61..6c372889 100644 --- a/playbooks/wazuh-elastic.yml +++ b/playbooks/wazuh-elastic.yml @@ -1,4 +1,5 @@ --- -- hosts: +- hosts: roles: - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'your elasticsearch IP'} + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: '' diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index 887cafbd..c0c14054 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -1,9 +1,91 @@ --- -- hosts: + +- hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your elastic stack server IP'} -- hosts: + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: + elasticsearch_node_name: node-1 + elasticsearch_bootstrap_node: true + elasticsearch_cluster_nodes: + - + - + - + elasticsearch_discovery_nodes: + - + - + - + elasticsearch_xpack_security: true + node_certs_generator: true + elasticsearch_xpack_security_password: elastic_pass + single_node: false + + vars: + instances: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: + node3: + name: node-3 + ip: + +- hosts: roles: - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'} + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: + elasticsearch_node_name: node-2 + single_node: false + elasticsearch_xpack_security: true + elasticsearch_master_candidate: true + elasticsearch_discovery_nodes: + - + - + - + +- hosts: + roles: + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: + elasticsearch_node_name: node-3 + single_node: false + elasticsearch_xpack_security: true + elasticsearch_master_candidate: true + elasticsearch_discovery_nodes: + - + - + - + + +# - hosts: 172.16.0.162 +# roles: +# - role: ../roles/wazuh/ansible-wazuh-manager + +# - role: ../roles/wazuh/ansible-filebeat +# filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 +# filebeat_xpack_security: true +# filebeat_node_name: node-2 +# node_certs_generator: false +# elasticsearch_xpack_security_password: elastic_pass + +# - role: ../roles/elastic-stack/ansible-elasticsearch +# elasticsearch_network_host: 172.16.0.162 +# node_name: node-2 +# elasticsearch_bootstrap_node: false +# elasticsearch_master_candidate: true +# elasticsearch_discovery_nodes: +# - 172.16.0.161 +# - 172.16.0.162 +# elasticsearch_xpack_security: true +# node_certs_generator: false + + +# - hosts: 172.16.0.163 +# roles: +# - role: ../roles/elastic-stack/ansible-kibana +# kibana_xpack_security: true +# kibana_node_name: node-3 +# elasticsearch_network_host: 172.16.0.161 +# node_certs_generator: false +# elasticsearch_xpack_security_password: elastic_pass diff --git a/playbooks/wazuh-elastic_stack-single.yml b/playbooks/wazuh-elastic_stack-single.yml index ac5efaf1..aba365c9 100644 --- a/playbooks/wazuh-elastic_stack-single.yml +++ b/playbooks/wazuh-elastic_stack-single.yml @@ -1,6 +1,8 @@ --- - hosts: roles: - - {role: ../roles/wazuh/ansible-wazuh-manager} - - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true} - - { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } + - {role: ../roles/wazuh/ansible-wazuh-manager} + - role: ../roles/wazuh/ansible-filebeat + filebeat_output_elasticsearch_hosts: localhost:9200 + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true} + - { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: '0.0.0.0', elasticsearch_reachable_host: 'localhost' } \ No newline at end of file diff --git a/playbooks/wazuh-kibana.yml b/playbooks/wazuh-kibana.yml index e2418200..200f4891 100644 --- a/playbooks/wazuh-kibana.yml +++ b/playbooks/wazuh-kibana.yml @@ -1,4 +1,6 @@ --- -- hosts: +- hosts: roles: - - {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'your elasticsearch IP'} + - role: ../roles/elastic-stack/ansible-kibana + elasticsearch_network_host: + diff --git a/playbooks/wazuh-manager.yml b/playbooks/wazuh-manager.yml index d9cc667d..5ec6a50b 100644 --- a/playbooks/wazuh-manager.yml +++ b/playbooks/wazuh-manager.yml @@ -1,5 +1,8 @@ --- -- hosts: +- hosts: roles: - - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - - {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'your elasticsearch IP'} + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat + filebeat_output_elasticsearch_hosts: :9200 + + diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index f3089e7e..c574aa9f 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md @@ -12,6 +12,8 @@ This role will work on: * Fedora * Debian * Ubuntu + +For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master. Role Variables -------------- @@ -46,13 +48,89 @@ Example Playbook - hosts: 172.16.0.162 roles: - - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} - hosts: 172.16.0.163 roles: - - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} + - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']} ``` +- Three nodes Elasticsearch cluster with XPack security +``` +--- +- hosts: elastic-1 + roles: + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: 172.16.0.111 + elasticsearch_node_name: node-1 + single_node: false + elasticsearch_node_master: true + elasticsearch_bootstrap_node: true + elasticsearch_cluster_nodes: + - 172.16.0.111 + - 172.16.0.112 + - 172.16.0.113 + elasticsearch_discovery_nodes: + - 172.16.0.111 + - 172.16.0.112 + - 172.16.0.113 + elasticsearch_xpack_security: true + node_certs_generator: true + node_certs_generator_ip: 172.16.0.111 + + vars: + instances: + node-1: + name: node-1 + ip: 172.16.0.111 + node-2: + name: node-2 + ip: 172.16.0.112 + node-3: + name: node-3 + ip: 172.16.0.113 + +- hosts: elastic-2 + roles: + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: 172.16.0.112 + elasticsearch_node_name: node-2 + single_node: false + elasticsearch_xpack_security: true + elasticsearch_node_master: true + node_certs_generator_ip: 172.16.0.111 + elasticsearch_discovery_nodes: + - 172.16.0.111 + - 172.16.0.112 + - 172.16.0.113 + +- hosts: elastic-3 + roles: + - role: ../roles/elastic-stack/ansible-elasticsearch + elasticsearch_network_host: 172.16.0.113 + elasticsearch_node_name: node-3 + single_node: false + elasticsearch_xpack_security: true + elasticsearch_node_master: true + node_certs_generator_ip: 172.16.0.111 + elasticsearch_discovery_nodes: + - 172.16.0.111 + - 172.16.0.112 + - 172.16.0.113 + vars: + elasticsearch_xpack_users: + anne: + password: 'PasswordHere' + roles: '["kibana_user", "monitoring_user"]' + jack: + password: 'PasswordHere' + roles: '["superuser"]' + +``` + +It is possible to define users directly on the playbook, these must be defined on a variable `elasticsearch_xpack_users` on the last node of the cluster as in the example. + + License and copyright --------------------- diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 5d380b6b..e04f9527 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -1,12 +1,43 @@ --- -elasticsearch_cluster_name: wazuh -elasticsearch_node_name: node-1 + elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 +elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.1.1 -single_node: false +elastic_stack_version: 7.6.1 +elasticsearch_lower_disk_requirements: false + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# Cluster Settings +single_node: true +elasticsearch_cluster_name: wazuh +elasticsearch_node_name: node-1 elasticsearch_bootstrap_node: false -elasticsearch_master_candidate: false +elasticsearch_node_master: false elasticsearch_cluster_nodes: - - 127.0.0.1 \ No newline at end of file + - 127.0.0.1 +elasticsearch_discovery_nodes: + - 127.0.0.1 +elasticsearch_node_data: true +elasticsearch_node_ingest: true + +# X-Pack Security +elasticsearch_xpack_security: false +elasticsearch_xpack_security_user: elastic +elasticsearch_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/elasticsearch/certs + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml index 844da315..74c6bcf2 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml @@ -1,24 +1,52 @@ --- - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates apt: - name: ['apt-transport-https', 'ca-certificates'] + name: + - apt-transport-https + - ca-certificates state: present + register: elasticsearch_ca_packages_installed + until: elasticsearch_ca_packages_installed is succeeded + +- name: Update and upgrade apt packages + become: true + apt: + upgrade: yes + update_cache: yes + cache_valid_time: 86400 #One day + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + +- name: Update and upgrade apt packages + become: true + apt: + upgrade: yes + update_cache: yes + cache_valid_time: 86400 #One day + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 - name: Debian/Ubuntu | Add Elasticsearch GPG key. apt_key: - url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + url: "{{ elasticrepo.gpg }}" + id: "{{ elasticrepo.key_id }}" state: present - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' + repo: "deb {{ elasticrepo.apt }} stable main" state: present - filename: 'elastic_repo' + filename: 'elastic_repo_7' update_cache: true + changed_when: false - name: Debian/Ubuntu | Install Elasticsarch apt: name: "elasticsearch={{ elastic_stack_version }}" state: present cache_valid_time: 3600 + register: elasticsearch_main_packages_installed + until: elasticsearch_main_packages_installed is succeeded tags: install diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml index b11eec45..4fcfb44c 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml @@ -1,5 +1,6 @@ --- - name: Debian/Ubuntu | Removing Elasticsearch repository apt_repository: - repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main + repo: "deb {{ elasticrepo.apt }} stable main" state: absent + changed_when: false diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml index 8f99b1e5..46989361 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml @@ -1,5 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) yum_repository: - name: elastic_repo + name: elastic_repo_7 state: absent + changed_when: false diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml index 54728b0c..62f63978 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml @@ -2,11 +2,12 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: - name: elastic_repo + name: elastic_repo_7 description: Elastic repository for 7.x packages - baseurl: https://artifacts.elastic.co/packages/7.x/yum - gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch + baseurl: "{{ elasticrepo.yum }}" + gpgkey: "{{ elasticrepo.gpg }}" gpgcheck: true + changed_when: false - name: RedHat/CentOS/Fedora | Install Elasticsarch package: name=elasticsearch-{{ elastic_stack_version }} state=present diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index bd7bc0d4..d74a391b 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -48,16 +48,6 @@ - ansible_service_mgr != "systemd" - ansible_os_family == "RedHat" -- name: Configure Elasticsearch. - template: - src: elasticsearch.yml.j2 - dest: /etc/elasticsearch/elasticsearch.yml - owner: root - group: elasticsearch - mode: 0660 - notify: restart elasticsearch - tags: configure - - name: Configure Elasticsearch JVM memmory. template: src: jvm.options.j2 @@ -69,51 +59,94 @@ tags: configure # fix in new PR (ignore_errors) -- name: Reload systemd - systemd: daemon_reload=true - ignore_errors: true + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- import_tasks: "xpack_security.yml" when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - elasticsearch_xpack_security + +- name: Configure Elasticsearch. + template: + src: elasticsearch.yml.j2 + dest: /etc/elasticsearch/elasticsearch.yml + owner: root + group: elasticsearch + mode: 0660 + notify: restart elasticsearch + tags: configure + +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf + lineinfile: + path: /etc/security/limits.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + changed_when: false + +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf + lineinfile: + path: /etc/security/limits.d/elasticsearch.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + changed_when: false + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 - name: Ensure Elasticsearch started and enabled - ignore_errors: true service: name: elasticsearch enabled: true state: started - -- name: Make sure Elasticsearch is running before proceeding - wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 tags: - configure - init -- name: Check for Wazuh Alerts template - uri: - url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" - method: GET - status_code: 200, 404 - when: not elasticsearch_bootstrap_node or single_node - poll: 30 - register: wazuh_alerts_template_exits - tags: init - -- name: Installing Wazuh Alerts template - uri: - url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" - method: PUT - status_code: 200 - body_format: json - body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" - when: - - wazuh_alerts_template_exits.status is defined - - wazuh_alerts_template_exits.status != 200 - tags: init +- name: Make sure Elasticsearch is running before proceeding + wait_for: host={{ elasticsearch_reachable_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 + tags: + - configure + - init - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" + +- name: Wait for Elasticsearch API + uri: + url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_cluster/health/" + user: "elastic" # Default Elasticsearch user is always "elastic" + password: "{{ elasticsearch_xpack_security_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + when: + - elasticsearch_xpack_users is defined + +- name: Create elasticsearch users + uri: + url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}" + method: POST + body_format: json + user: "elastic" + password: "{{ elasticsearch_xpack_security_password }}" + body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }' + validate_certs: no + loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}" + register: http_response + failed_when: http_response.status != 200 + when: + - elasticsearch_xpack_users is defined diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml new file mode 100644 index 00000000..47438f98 --- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -0,0 +1,197 @@ + +- name: Check if certificate exists locally + stat: + path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + +- name: Write the instances.yml file in the selected node (force = no) + template: + src: instances.yml.j2 + dest: "{{ node_certs_source }}/instances.yml" + force: no + register: instances_file_exists + tags: + - config + - xpack-security + when: + - node_certs_generator + - not certificate_file_exists.stat.exists + +- name: Update instances.yml status after generation + stat: + path: "{{ node_certs_source }}/instances.yml" + register: instances_file_exists + when: + - node_certs_generator + +- name: Check if the certificates ZIP file exists + stat: + path: "{{ node_certs_source }}/certs.zip" + register: xpack_certs_zip + when: + - node_certs_generator + +- name: Importing custom CA key + copy: + src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" + dest: "{{ node_certs_source }}/{{ ca_key_name }}" + mode: 0440 + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Importing custom CA cert + copy: + src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + mode: 0440 + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (generating CA) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem + --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - generate_CA + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length == 0 + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ ca_password }} + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length > 0 + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Verify the Elastic certificates directory + file: + path: "{{ master_certs_path }}" + state: directory + mode: 0700 + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Verify the Certificates Authority directory + file: + path: "{{ master_certs_path }}/ca/" + state: directory + mode: 0700 + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Copying certificates to Ansible master + fetch: + src: "{{ node_certs_source }}/certs.zip" + dest: "{{ master_certs_path }}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + tags: molecule-idempotence-notest + +- name: Unzip generated certs.zip + unarchive: + src: "{{ master_certs_path }}/certs.zip" + dest: "{{ master_certs_path }}/" + delegate_to: "127.0.0.1" + when: + - node_certs_generator + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + tags: + - xpack-security + - molecule-idempotence-notest + +- name: Ensuring folder permissions + file: + path: "{{ node_certs_destination }}/" + mode: 0774 + state: directory + recurse: yes + when: + - elasticsearch_xpack_security + - generate_CA + tags: xpack-security + +- name: Set elasticsearch bootstrap password + shell: | + set -o pipefail + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + args: + executable: /bin/bash + when: + - node_certs_generator + tags: molecule-idempotence-notest diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index 595dd58a..0d6887f5 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 @@ -15,10 +15,50 @@ cluster.initial_master_nodes: {% for item in elasticsearch_cluster_nodes %} - {{ item }} {% endfor %} -{% elif elasticsearch_master_candidate %} -node.master: true discovery.seed_hosts: -{% for item in elasticsearch_cluster_nodes %} +{% for item in elasticsearch_discovery_nodes %} + - {{ item }} +{% endfor %} +{% else %} +node.master: {{ elasticsearch_node_master|lower }} +{% if elasticsearch_node_data|lower == 'false' %} +node.data: false +{% endif %} +{% if elasticsearch_node_ingest|lower == 'false' %} +node.ingest: false +{% endif %} +discovery.seed_hosts: +{% for item in elasticsearch_discovery_nodes %} - {{ item }} {% endfor %} {% endif %} + +{% if elasticsearch_lower_disk_requirements %} +cluster.routing.allocation.disk.threshold_enabled: true +cluster.routing.allocation.disk.watermark.flood_stage: 200mb +cluster.routing.allocation.disk.watermark.low: 500mb +cluster.routing.allocation.disk.watermark.high: 300mb +{% endif %} + +{% if elasticsearch_xpack_security %} +# XPACK Security +xpack.security.enabled: true +xpack.security.transport.ssl.enabled: true +xpack.security.transport.ssl.verification_mode: certificate +xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key +xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} +xpack.security.http.ssl.enabled: true +xpack.security.http.ssl.verification_mode: certificate +xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key +xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} +{% endif %} diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 new file mode 100644 index 00000000..b2f3bf6c --- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 @@ -0,0 +1,17 @@ + +# {{ ansible_managed }} +# TO-DO + +{% if node_certs_generator %} +instances: +{% for (key,value) in instances.items() %} +- name: "{{ value.name }}" +{% if value.ip is defined and value.ip | length > 0 %} + ip: + - "{{ value.ip }}" +{% elif value.dns is defined and value.dns | length > 0 %} + dns: + - "{{ value.dns }}" +{% endif %} +{% endfor %} +{% endif %} diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 deleted file mode 100644 index 18dda52f..00000000 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 +++ /dev/null @@ -1,621 +0,0 @@ -{ - "order": 0, - "template": "wazuh-alerts-3.x-*", - "settings": { - "index.refresh_interval": "5s" - }, - "mappings": { - "wazuh": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword", - "doc_values": "true" - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword", - "doc_values": "true" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword", - "doc_values": "true" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword", - "doc_values": "true" - }, - "region_name": { - "type": "keyword", - "doc_values": "true" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword", - "doc_values": "true" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_before": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_after": { - "type": "keyword", - "doc_values": "true" - }, - "uid_before": { - "type": "keyword", - "doc_values": "true" - }, - "uid_after": { - "type": "keyword", - "doc_values": "true" - }, - "gid_before": { - "type": "keyword", - "doc_values": "true" - }, - "gid_after": { - "type": "keyword", - "doc_values": "true" - }, - "perm_before": { - "type": "keyword", - "doc_values": "true" - }, - "perm_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_before": { - "type": "keyword", - "doc_values": "true" - }, - "gname_after": { - "type": "keyword", - "doc_values": "true" - }, - "gname_before": { - "type": "keyword", - "doc_values": "true" - }, - "inode_after": { - "type": "keyword", - "doc_values": "true" - }, - "inode_before": { - "type": "keyword", - "doc_values": "true" - }, - "mtime_after": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "mtime_before": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "uname_after": { - "type": "keyword", - "doc_values": "true" - }, - "uname_before": { - "type": "keyword", - "doc_values": "true" - }, - "size_before": { - "type": "long", - "doc_values": "true" - }, - "size_after": { - "type": "long", - "doc_values": "true" - }, - "diff": { - "type": "keyword", - "doc_values": "true" - }, - "event": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "location": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword", - "doc_values": "true" - }, - "groups": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "long", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "cve": { - "type": "keyword", - "doc_values": "true" - }, - "info": { - "type": "keyword", - "doc_values": "true" - }, - "frequency": { - "type": "long", - "doc_values": "true" - }, - "firedtimes": { - "type": "long", - "doc_values": "true" - }, - "cis": { - "type": "keyword", - "doc_values": "true" - }, - "pci_dss": { - "type": "keyword", - "doc_values": "true" - }, - "gdpr": { - "type": "keyword", - "doc_values": "true" - }, - "gpg13": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - }, - "ftscomment": { - "type": "keyword", - "doc_values": "true" - }, - "fts": { - "type": "long", - "doc_values": "true" - }, - "accumulate": { - "type": "long", - "doc_values": "true" - } - } - }, - "data": { - "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" - }, - "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "program_name": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword", - "doc_values": "true" - } - } - } - } -} diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 index 836b2cb2..0b153fd4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 @@ -1,25 +1,426 @@ { "order": 0, - "index_patterns": ["wazuh-alerts-3.x-*"], + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], "settings": { "index.refresh_interval": "5s", "index.number_of_shards": "3", "index.number_of_replicas": "0", "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 2000 + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.condition", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] }, "mappings": { "dynamic_templates": [ { "string_as_keyword": { - "match_mapping_type": "string", "mapping": { - "type": "keyword", - "doc_values": "true" - } + "type": "keyword" + }, + "match_mapping_type": "string" } } ], + "date_detection": false, "properties": { "@timestamp": { "type": "date" @@ -34,42 +435,35 @@ "agent": { "properties": { "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "manager": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "cluster": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "node": { + "type": "keyword" } } }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, "full_log": { - "enabled": false, - "type": "object" + "type": "text" }, "previous_log": { "type": "text" @@ -80,8 +474,7 @@ "type": "long" }, "city_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "continent_code": { "type": "text" @@ -96,15 +489,13 @@ "type": "text" }, "country_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dma_code": { "type": "long" }, "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "latitude": { "type": "double" @@ -119,12 +510,10 @@ "type": "keyword" }, "real_region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timezone": { "type": "text" @@ -132,110 +521,154 @@ } }, "host": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "syscheck": { "properties": { "path": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hard_links": { + "type": "keyword" }, "sha1_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtime_after": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "mtime_before": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "uname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size_before": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size_after": { - "type": "long", - "doc_values": "true" + "type": "long" }, "diff": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "event": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" } } }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "message": { "type": "text" @@ -246,554 +679,441 @@ "rule": { "properties": { "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "groups": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "level": { - "type": "long", - "doc_values": "true" + "type": "long" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cve": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "info": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "frequency": { - "type": "long", - "doc_values": "true" + "type": "long" }, "firedtimes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gdpr": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gpg13": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" } } }, "predecoder": { "properties": { "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timestamp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hostname": { + "type": "keyword" } } }, "decoder": { "properties": { "parent": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ftscomment": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fts": { - "type": "long", - "doc_values": "true" + "type": "long" }, "accumulate": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "data": { "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, "audit": { "properties": { - "type": { - "type": "keyword", - "doc_values": "true" + "acct": { + "type": "keyword" }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" + "arch": { + "type": "keyword" }, "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dev": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long", - "doc_values": "true" - }, - "dstaddr": { - "type": "ip", - "doc_values": "true" - }, - "srcaddr": { - "type": "ip", - "doc_values": "true" - }, - "end": { - "type": "date", - "doc_values": "true" - }, - "start": { - "type": "date", - "doc_values": "true" - }, - "source_ip_address": { - "type": "ip", - "doc_values": "true" - }, - "resource.instanceDetails.networkInterfaces": { + "directory": { "properties": { - "privateIpAddress": { - "type": "ip", - "doc_values": "true" + "inode": { + "type": "keyword" }, - "publicIp": { - "type": "ip", - "doc_values": "true" + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" } } }, - "service": { + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { "properties": { - "count": { - "type": "long", - "doc_values": "true" + "a0": { + "type": "keyword" }, - "action.networkConnectionAction.remoteIpDetails": { + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { "properties": { - "ipAddressV4": { - "type": "ip", - "doc_values": "true" - }, - "geoLocation": { - "type": "geo_point", - "doc_values": "true" + "id": { + "type": "keyword" } } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" } } } } }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netinfo": { "properties": { "iface": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mac": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "adapter": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtu": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ipv4": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "ipv6": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } } @@ -804,630 +1124,523 @@ "os": { "properties": { "hostname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "codename": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "major": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "minor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "build": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "platform": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sysname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release_version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "port": { "properties": { "protocol": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "local_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "local_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "remote_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "remote_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "inode": { - "type": "long", - "doc_values": "true" + "type": "long" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "hardware": { "properties": { "serial": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_cores": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cpu_mhz": { - "type": "double", - "doc_values": "true" + "type": "double" }, "ram_total": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_free": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_usage": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "program": { "properties": { "format": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "section": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vendor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "install_time": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "multiarch": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "source": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "process": { "properties": { "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ppid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "utime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "stime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cmd": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "args": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "euser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ruser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "suser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "egroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nice": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vm_size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "resident": { - "type": "long", - "doc_values": "true" + "type": "long" }, "share": { - "type": "long", - "doc_values": "true" + "type": "long" }, "start_time": { - "type": "long", - "doc_values": "true" + "type": "long" }, "pgrp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "session": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nlwp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tgid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tty": { - "type": "long", - "doc_values": "true" + "type": "long" }, "processor": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "sca": { "properties": { "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "scan_id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "policy": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "passed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "failed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "score": { - "type": "long", - "doc_values": "true" + "type": "long" }, "check": { "properties": { "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rationale": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "remediation": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "compliance": { "properties": { "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cis_csc": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" } } }, "references": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "directory": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "registry": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "previous_result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" } } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" } } }, - "win": { + "command": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { "properties": { - "system": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { "properties": { - "providerName": { - "type": "keyword", - "doc_values": "true" + "alert_id": { + "type": "keyword" }, - "providerGuid": { - "type": "keyword", - "doc_values": "true" + "file": { + "type": "keyword" }, - "eventSourceName": { - "type": "keyword", - "doc_values": "true" + "md5": { + "type": "keyword" }, - "securityUserID": { - "type": "keyword", - "doc_values": "true" + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss3_score": { + "type": "keyword" }, - "userID": { - "type": "keyword", - "doc_values": "true" + "cvss_score": { + "type": "keyword" }, - "eventID": { - "type": "keyword", - "doc_values": "true" + "cvss_scoring_vector": { + "type": "keyword" + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "condition": { + "type": "keyword" + }, + "name": { + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "keyword", - "doc_values": "true" - }, - "task": { - "type": "keyword", - "doc_values": "true" - }, - "opcode": { - "type": "keyword", - "doc_values": "true" - }, - "keywords": { - "type": "keyword", - "doc_values": "true" - }, - "systemTime": { - "type": "keyword", - "doc_values": "true" - }, - "eventRecordID": { - "type": "keyword", - "doc_values": "true" - }, - "processID": { - "type": "keyword", - "doc_values": "true" - }, - "threadID": { - "type": "keyword", - "doc_values": "true" - }, - "channel": { - "type": "keyword", - "doc_values": "true" - }, - "computer": { - "type": "keyword", - "doc_values": "true" - }, - "severityValue": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, - "eventdata": { + "published": { + "type": "date" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "source_ip_address": { + "type": "ip" + }, + "service": { "properties": { - "subjectUserSid": { - "type": "keyword", - "doc_values": "true" + "count": { + "type": "long" }, - "subjectUserName": { - "type": "keyword", - "doc_values": "true" + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } }, - "subjectDomainName": { - "type": "keyword", - "doc_values": "true" + "eventFirstSeen": { + "type": "date" }, - "subjectLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserSid": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserName": { - "type": "keyword", - "doc_values": "true" - }, - "targetDomainName": { - "type": "keyword", - "doc_values": "true" - }, - "targetLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "logonType": { - "type": "keyword", - "doc_values": "true" - }, - "logonProcessName": { - "type": "keyword", - "doc_values": "true" - }, - "authenticationPackageName": { - "type": "keyword", - "doc_values": "true" - }, - "logonGuid": { - "type": "keyword", - "doc_values": "true" - }, - "keyLength": { - "type": "keyword", - "doc_values": "true" - }, - "impersonationLevel": { - "type": "keyword", - "doc_values": "true" - }, - "transactionId": { - "type": "keyword", - "doc_values": "true" - }, - "newState": { - "type": "keyword", - "doc_values": "true" - }, - "resourceManager": { - "type": "keyword", - "doc_values": "true" - }, - "processId": { - "type": "keyword", - "doc_values": "true" - }, - "processName": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "image": { - "type": "keyword", - "doc_values": "true" - }, - "binary": { - "type": "keyword", - "doc_values": "true" - }, - "parentImage": { - "type": "keyword", - "doc_values": "true" - }, - "categoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryGuid": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChangesId": { - "type": "keyword", - "doc_values": "true" - }, - "category": { - "type": "keyword", - "doc_values": "true" - }, - "subcategory": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChanges": { - "type": "keyword", - "doc_values": "true" + "eventLastSeen": { + "type": "date" } } }, - "rmSessionEvent": { + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { "properties": { - "rmSessionId": { - "type": "keyword", - "doc_values": "true" + "launchTime": { + "type": "date" }, - "uTCStartTime": { - "type": "keyword", - "doc_values": "true" + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } } } } @@ -1436,21 +1649,31 @@ } }, "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { "type": "text" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" } } - } + }, + "version": 1 } - diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 298e6bd7..2ac2cde5 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -1,7 +1,53 @@ --- +kibana_node_name: node-1 + elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.1.1 -wazuh_version: 3.9.2 \ No newline at end of file +elastic_stack_version: 7.6.1 +wazuh_version: 3.12.0 +wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# API credentials +wazuh_api_credentials: + - id: "default" + url: "http://localhost" + port: 55000 + user: "foo" + password: "bar" + +# Xpack Security +kibana_xpack_security: false + +elasticsearch_xpack_security_user: elastic +elasticsearch_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/kibana/certs + +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" + +# Nodejs +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + +# Build from sources +build_from_sources: false +wazuh_plugin_branch: 3.12-7.6 + +#Nodejs NODE_OPTIONS +node_options: --max-old-space-size=4096 diff --git a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml index 67081b86..281555ca 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/Debian.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/Debian.yml @@ -1,24 +1,32 @@ --- - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates apt: - name: ['apt-transport-https', 'ca-certificates'] + name: + - apt-transport-https + - ca-certificates state: present + register: kibana_installing_ca_package + until: kibana_installing_ca_package is succeeded - name: Debian/Ubuntu | Add Elasticsearch GPG key apt_key: - url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" + url: "{{ elasticrepo.gpg }}" + id: "{{ elasticrepo.key_id }}" state: present - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' + repo: "deb {{ elasticrepo.apt }} stable main" state: present - filename: 'elastic_repo' + filename: 'elastic_repo_7' update_cache: true + changed_when: false - name: Debian/Ubuntu | Install Kibana apt: name: "kibana={{ elastic_stack_version }}" state: present cache_valid_time: 3600 + register: installing_kibana_package + until: installing_kibana_package is succeeded tags: install diff --git a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml index b11eec45..4fcfb44c 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml @@ -1,5 +1,6 @@ --- - name: Debian/Ubuntu | Removing Elasticsearch repository apt_repository: - repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main + repo: "deb {{ elasticrepo.apt }} stable main" state: absent + changed_when: false diff --git a/roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml b/roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml index 8f66f9a7..0da555b3 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml @@ -1,5 +1,6 @@ --- - name: Remove Elasticsearch repository (and clean up left-over metadata) yum_repository: - name: elastic_repo + name: elastic_repo_7 state: absent + changed_when: false diff --git a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml index 1d35d139..7acdec09 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/RedHat.yml @@ -1,12 +1,15 @@ --- - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: - name: elastic_repo + name: elastic_repo_7 description: Elastic repository for 7.x packages - baseurl: https://artifacts.elastic.co/packages/7.x/yum - gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch + baseurl: "{{ elasticrepo.yum }}" + gpgkey: "{{ elasticrepo.gpg }}" gpgcheck: true + changed_when: false - name: RedHat/CentOS/Fedora | Install Kibana package: name=kibana-{{ elastic_stack_version }} state=present + register: installing_kibana_package + until: installing_kibana_package is succeeded tags: install diff --git a/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml b/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml new file mode 100644 index 00000000..b7ceb87f --- /dev/null +++ b/roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml @@ -0,0 +1,76 @@ +--- + - name: Ensure the Git package is present + package: + name: git + state: present + + - name: Modify repo url if host is in Debian family + set_fact: + node_js_repo_type: deb + when: + - ansible_os_family | lower == "debian" + + - name: Download script to install Nodejs repository + get_url: + url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" + dest: "/tmp/setup_nodejs_repo.sh" + mode: 0700 + + - name: Execute downloaded script to install Nodejs repo + command: /tmp/setup_nodejs_repo.sh + register: node_repo_installation_result + changed_when: false + + - name: Install Nodejs + package: + name: nodejs + state: present + + - name: Install yarn dependency to build the Wazuh Kibana Plugin + # Using shell due to errors when evaluating text between @ with command + shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305 + register: install_yarn_result + changed_when: install_yarn_result == 0 + + - name: Remove old wazuh-kibana-app git directory + file: + path: /tmp/app + state: absent + changed_when: false + + - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth + command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303 + register: clone_app_repo_result + changed_when: false + args: + chdir: "/tmp" + + - name: Executing yarn to build the package + command: "{{ item }}" + with_items: + - "yarn" + - "yarn build" + register: yarn_execution_result + changed_when: false + args: + chdir: "/tmp/app/" + + - name: Obtain name of generated package + shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'" + register: wazuhapp_package_name + changed_when: false + args: + chdir: "/tmp/app/build" + + - name: Install Wazuh Plugin (can take a while) + shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }} + args: + executable: /bin/bash + creates: /usr/share/kibana/plugins/wazuh/package.json + chdir: /usr/share/kibana + become: yes + become_user: kibana + notify: restart kibana + tags: + - install + - skip_ansible_lint diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 43e369c8..27673060 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -1,22 +1,77 @@ --- + +- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible + fail: + msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" + when: + - build_from_sources + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "10" + - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' - import_tasks: Debian.yml when: ansible_os_family == 'Debian' -- name: Make sure Elasticsearch is running before proceeding. - wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 - tags: configure - ignore_errors: true - - name: Reload systemd - systemd: daemon_reload=true + systemd: + daemon_reload: true ignore_errors: true when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)") - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + tags: xpack-security + when: + - kibana_xpack_security + - generate_CA + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - kibana_xpack_security + - not generate_CA + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + state: directory + recurse: yes + owner: kibana + group: kibana + when: + - kibana_xpack_security + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + mode: 0770 + recurse: yes + when: + - kibana_xpack_security + notify: restart kibana + tags: xpack-security - name: Kibana configuration template: @@ -24,38 +79,110 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: 0664 + mode: 0644 notify: restart kibana tags: configure - name: Checking Wazuh-APP version - shell: "grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo" + shell: >- + grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json args: + executable: /bin/bash removes: /usr/share/kibana/plugins/wazuh/package.json register: wazuh_app_verify changed_when: false - tags: install + failed_when: + - wazuh_app_verify.rc != 0 + - wazuh_app_verify.rc != 1 - name: Removing old Wazuh-APP - command: /usr/share/kibana/bin/kibana-plugin remove wazuh - when: wazuh_app_verify.stdout == "0" + command: /usr/share/kibana/bin/kibana-plugin --allow-root remove wazuh + when: wazuh_app_verify.rc == 1 tags: install - name: Removing bundles - file: path=/usr/share/kibana/optimize/bundles state=absent - when: wazuh_app_verify.stdout == "0" + file: + path: /usr/share/kibana/optimize/bundles + state: absent + when: wazuh_app_verify.rc == 1 tags: install -- name: Install Wazuh-APP (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" - environment: - NODE_OPTIONS: "--max-old-space-size=3072" +- name: Explicitly starting Kibana to generate "wazuh-" + service: + name: kibana + state: started + +- name: Build and Install Wazuh Kibana Plugin from sources + import_tasks: build_wazuh_plugin.yml + when: + - build_from_sources is defined + - build_from_sources + +- name: Install Wazuh Plugin (can take a while) + shell: >- + NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install + {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip args: + executable: /bin/bash creates: /usr/share/kibana/plugins/wazuh/package.json + chdir: /usr/share/kibana + become: yes + become_user: kibana notify: restart kibana - tags: install + tags: + - install + - skip_ansible_lint + when: + - not build_from_sources -- name: Ensure Kibana started and enabled +- name: Kibana optimization (can take a while) + shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana --optimize + args: + executable: /bin/bash + become: yes + become_user: kibana + changed_when: false + tags: + - skip_ansible_lint + +- name: Wait for Elasticsearch port + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} + +- name: Select correct API protocol + set_fact: + elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}" + +- name: Attempting to delete legacy Wazuh index if exists + uri: + url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh" + method: DELETE + user: "{{ elasticsearch_xpack_security_user }}" + password: "{{ elasticsearch_xpack_security_password }}" + validate_certs: no + status_code: 200, 404 + +- name: Create wazuh plugin config directory + file: + path: /usr/share/kibana/optimize/wazuh/config/ + state: directory + recurse: yes + owner: kibana + group: kibana + mode: '0755' + +- name: Configure Wazuh Kibana Plugin + template: + src: wazuh.yml.j2 + dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml + owner: kibana + group: root + mode: 0644 + +- name: Reload systemd configuration + systemd: + daemon_reload: true + +- name: Ensure Kibana is started and enabled service: name: kibana enabled: true diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index edd1b4b4..0f2ef606 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 @@ -19,7 +19,11 @@ server.host: {{ kibana_server_host }} #server.name: "your-hostname" # The URL of the Elasticsearch instance to use for all your queries. +{% if kibana_xpack_security %} +elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +{% else %} elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +{% endif %} # When this setting's value is true Kibana uses the hostname specified in the server.host # setting. When the value of this setting is false, Kibana uses the hostname of the host @@ -98,3 +102,17 @@ elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_h # Set the interval in milliseconds to sample system and process performance # metrics. Minimum is 100ms. Defaults to 5000. #ops.interval: 5000 + +# Xpack Security +{% if kibana_xpack_security %} +elasticsearch.username: "{{ elasticsearch_xpack_security_user }}" +elasticsearch.password: "{{ elasticsearch_xpack_security_password }}" +server.ssl.enabled: true +server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key" +server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +{% if generate_CA == true %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"] +{% elif generate_CA == false %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"] +{% endif %} +{% endif %} \ No newline at end of file diff --git a/roles/elastic-stack/ansible-kibana/templates/wazuh.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/wazuh.yml.j2 new file mode 100644 index 00000000..1cbc9e2d --- /dev/null +++ b/roles/elastic-stack/ansible-kibana/templates/wazuh.yml.j2 @@ -0,0 +1,134 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2015-2019 Wazuh, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-kibana-app +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-3.x-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. +# It will be ignored if it is bellow 1500. +# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# ------------------------------ Advanced indices ------------------------------ +# +# Configure .wazuh indices shards and replicas. +#wazuh.shards : 1 +#wazuh.replicas : 0 +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-3.x-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-3.x-* indices custom creation interval. +# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-3.x-* +# +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. +# Default value: info +# Allowed values: info, debug +#logs.level: info +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. +# +#hosts: +# - : +# url: http(s):// +# port: +# user: +# password: + +hosts: +{% for api in wazuh_api_credentials %} + - {{ api['id'] }}: + url: {{ api['url'] }} + port: {{ api['port'] }} + user: {{ api['user'] }} + password: {{ api['password'] }} +{% endfor %} diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index a00cbbb4..8f06aaf4 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,4 +1,6 @@ --- +filebeat_version: 7.6.1 + filebeat_create_config: true filebeat_prospectors: @@ -10,6 +12,8 @@ filebeat_prospectors: json.keys_under_root: true json.overwrite_keys: true +filebeat_node_name: node-1 + filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_hosts: - "localhost:9200" @@ -23,3 +27,31 @@ filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" + +filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh + +# Xpack Security +filebeat_xpack_security: false + +elasticsearch_xpack_security_user: elastic +elasticsearch_xpack_security_password: elastic_pass + +node_certs_generator : false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/filebeat/certs + + +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/ansible-filebeat/tasks/Debian.yml b/roles/wazuh/ansible-filebeat/tasks/Debian.yml index 95b31e0e..a87bb2bf 100644 --- a/roles/wazuh/ansible-filebeat/tasks/Debian.yml +++ b/roles/wazuh/ansible-filebeat/tasks/Debian.yml @@ -1,17 +1,22 @@ --- - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates apt: - name: ['apt-transport-https', 'ca-certificates'] + name: + - apt-transport-https + - ca-certificates state: present - + register: filebeat_ca_packages_install + until: filebeat_ca_packages_install is succeeded - name: Debian/Ubuntu | Add Elasticsearch apt key. apt_key: - url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + url: "{{ elasticrepo.gpg }}" + id: "{{ elasticrepo.key_id }}" state: present - name: Debian/Ubuntu | Add Filebeat repository. apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main' + repo: "deb {{ elasticrepo.apt }} stable main" state: present update_cache: true + changed_when: false diff --git a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml index f027d4f9..25a33909 100644 --- a/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml +++ b/roles/wazuh/ansible-filebeat/tasks/RMDebian.yml @@ -1,5 +1,6 @@ --- - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) apt_repository: - repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main + repo: "deb {{ elasticrepo.apt }} stable main" state: absent + changed_when: false diff --git a/roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml index c9bceab0..1cf84081 100644 --- a/roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml +++ b/roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml @@ -1,5 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) yum_repository: - name: elastic_repo + name: elastic_repo_7 state: absent + changed_when: false diff --git a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml index e4ddd652..23948b37 100644 --- a/roles/wazuh/ansible-filebeat/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat/tasks/RedHat.yml @@ -1,8 +1,9 @@ --- - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo yum_repository: - name: elastic_repo - description: Elastic repository for 6.x packages - baseurl: https://artifacts.elastic.co/packages/7.x/yum - gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch + name: elastic_repo_7 + description: Elastic repository for 7.x packages + baseurl: "{{ elasticrepo.yum }}" + gpgkey: "{{ elasticrepo.gpg }}" gpgcheck: true + changed_when: false diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index ce63503d..d45b06e8 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -5,7 +5,7 @@ dest: "/etc/filebeat/filebeat.yml" owner: root group: root - mode: 0644 + mode: 0400 notify: restart filebeat tags: configure @@ -15,7 +15,7 @@ dest: "/etc/filebeat/wazuh-template.json" owner: root group: root - mode: 0644 + mode: 0400 notify: restart filebeat tags: configure @@ -30,7 +30,7 @@ copy: src: "{{ item }}" dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" - mode: 0644 + mode: 0400 with_items: - "{{ filebeat_ssl_key_file }}" - "{{ filebeat_ssl_certificate_file }}" diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 94cd5765..4948c252 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -1,17 +1,107 @@ --- -- import_tasks: RedHat.yml +- include_tasks: RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: Debian.yml +- include_tasks: Debian.yml when: ansible_os_family == 'Debian' -- name: Install Filebeat. - package: name=filebeat state=present +- name: CentOS/RedHat | Install Filebeat. + package: name=filebeat-{{ filebeat_version }} state=present + register: filebeat_installing_package + until: filebeat_installing_package is succeeded + when: + - ansible_distribution in ['CentOS','RedHat', 'Amazon'] tags: - install +- name: Debian/Ubuntu | Install Filebeat. + apt: + name: filebeat={{ filebeat_version }} + state: present + cache_valid_time: 3600 + register: filebeat_installing_package_debian + until: filebeat_installing_package_debian is succeeded + when: + - not (ansible_distribution in ['CentOS','RedHat', 'Amazon']) + tags: + - init + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + - filebeat_xpack_security + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + - filebeat_xpack_security + tags: xpack-security + +- name: Ensuring folder & certs permissions + file: + path: "{{ node_certs_destination }}/" + mode: 0774 + state: directory + recurse: yes + when: + - filebeat_xpack_security + tags: xpack-security + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: filebeat_module_folder + + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpakcing Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + when: filebeat_module_package.stat.exists + - import_tasks: config.yml when: filebeat_create_config + notify: restart filebeat - name: Reload systemd systemd: daemon_reload=yes @@ -20,6 +110,7 @@ - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - name: Ensure Filebeat is started and enabled at boot. service: @@ -27,8 +118,8 @@ state: started enabled: true -- import_tasks: "RMRedHat.yml" +- include_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" -- import_tasks: "RMDebian.yml" +- include_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 index 11ef6176..88d50c3f 100644 --- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 @@ -1,25 +1,456 @@ { "order": 0, - "index_patterns": ["wazuh-alerts-3.x-*"], + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], "settings": { "index.refresh_interval": "5s", "index.number_of_shards": "3", "index.number_of_replicas": "0", "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 2000 + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + "data.vulnerability.cvss.cvss3.vector.user_interaction", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] }, "mappings": { "dynamic_templates": [ { "string_as_keyword": { - "match_mapping_type": "string", "mapping": { - "type": "keyword", - "doc_values": "true" - } + "type": "keyword" + }, + "match_mapping_type": "string" } } ], + "date_detection": false, "properties": { "@timestamp": { "type": "date" @@ -34,42 +465,35 @@ "agent": { "properties": { "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "manager": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "cluster": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "node": { + "type": "keyword" } } }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, "full_log": { - "enabled": false, - "type": "object" + "type": "text" }, "previous_log": { "type": "text" @@ -80,8 +504,7 @@ "type": "long" }, "city_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "continent_code": { "type": "text" @@ -96,15 +519,13 @@ "type": "text" }, "country_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dma_code": { "type": "long" }, "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "latitude": { "type": "double" @@ -119,12 +540,10 @@ "type": "keyword" }, "real_region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timezone": { "type": "text" @@ -132,110 +551,151 @@ } }, "host": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "syscheck": { "properties": { "path": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtime_after": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "mtime_before": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "uname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size_before": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size_after": { - "type": "long", - "doc_values": "true" + "type": "long" }, "diff": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "event": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" } } }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "message": { "type": "text" @@ -246,554 +706,444 @@ "rule": { "properties": { "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "groups": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "level": { - "type": "long", - "doc_values": "true" + "type": "long" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cve": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "info": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "frequency": { - "type": "long", - "doc_values": "true" + "type": "long" }, "firedtimes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gdpr": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gpg13": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" } } }, "predecoder": { "properties": { "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timestamp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hostname": { + "type": "keyword" } } }, "decoder": { "properties": { "parent": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ftscomment": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fts": { - "type": "long", - "doc_values": "true" + "type": "long" }, "accumulate": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "data": { "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, "audit": { "properties": { - "type": { - "type": "keyword", - "doc_values": "true" + "acct": { + "type": "keyword" }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" + "arch": { + "type": "keyword" }, "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dev": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long", - "doc_values": "true" - }, - "dstaddr": { - "type": "ip", - "doc_values": "true" - }, - "srcaddr": { - "type": "ip", - "doc_values": "true" - }, - "end": { - "type": "date", - "doc_values": "true" - }, - "start": { - "type": "date", - "doc_values": "true" - }, - "source_ip_address": { - "type": "ip", - "doc_values": "true" - }, - "resource.instanceDetails.networkInterfaces": { + "directory": { "properties": { - "privateIpAddress": { - "type": "ip", - "doc_values": "true" + "inode": { + "type": "keyword" }, - "publicIp": { - "type": "ip", - "doc_values": "true" + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" } } }, - "service": { + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { "properties": { - "count": { - "type": "long", - "doc_values": "true" + "a0": { + "type": "keyword" }, - "action.networkConnectionAction.remoteIpDetails": { + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { "properties": { - "ipAddressV4": { - "type": "ip", - "doc_values": "true" - }, - "geoLocation": { - "type": "geo_point", - "doc_values": "true" + "id": { + "type": "keyword" } } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" } } } } }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netinfo": { "properties": { "iface": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mac": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "adapter": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtu": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ipv4": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "ipv6": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } } @@ -804,630 +1154,614 @@ "os": { "properties": { "hostname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "codename": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "major": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "minor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "build": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "platform": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sysname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release_version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "port": { "properties": { "protocol": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "local_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "local_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "remote_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "remote_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "inode": { - "type": "long", - "doc_values": "true" + "type": "long" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "hardware": { "properties": { "serial": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_cores": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cpu_mhz": { - "type": "double", - "doc_values": "true" + "type": "double" }, "ram_total": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_free": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_usage": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "program": { "properties": { "format": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "section": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vendor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "install_time": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "multiarch": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "source": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "process": { "properties": { "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ppid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "utime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "stime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cmd": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "args": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "euser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ruser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "suser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "egroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nice": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vm_size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "resident": { - "type": "long", - "doc_values": "true" + "type": "long" }, "share": { - "type": "long", - "doc_values": "true" + "type": "long" }, "start_time": { - "type": "long", - "doc_values": "true" + "type": "long" }, "pgrp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "session": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nlwp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tgid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tty": { - "type": "long", - "doc_values": "true" + "type": "long" }, "processor": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "sca": { "properties": { "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "scan_id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "policy": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "passed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "failed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "score": { - "type": "long", - "doc_values": "true" + "type": "long" }, "check": { "properties": { "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rationale": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "remediation": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "compliance": { "properties": { "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cis_csc": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" } } }, "references": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "directory": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "registry": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "previous_result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" } } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" } } }, - "win": { + "command": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { "properties": { - "system": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { "properties": { - "providerName": { - "type": "keyword", - "doc_values": "true" + "alert_id": { + "type": "keyword" }, - "providerGuid": { - "type": "keyword", - "doc_values": "true" + "file": { + "type": "keyword" }, - "eventSourceName": { - "type": "keyword", - "doc_values": "true" + "md5": { + "type": "keyword" }, - "securityUserID": { - "type": "keyword", - "doc_values": "true" + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } }, - "userID": { - "type": "keyword", - "doc_values": "true" + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" }, - "eventID": { - "type": "keyword", - "doc_values": "true" + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "keyword", - "doc_values": "true" - }, - "task": { - "type": "keyword", - "doc_values": "true" - }, - "opcode": { - "type": "keyword", - "doc_values": "true" - }, - "keywords": { - "type": "keyword", - "doc_values": "true" - }, - "systemTime": { - "type": "keyword", - "doc_values": "true" - }, - "eventRecordID": { - "type": "keyword", - "doc_values": "true" - }, - "processID": { - "type": "keyword", - "doc_values": "true" - }, - "threadID": { - "type": "keyword", - "doc_values": "true" - }, - "channel": { - "type": "keyword", - "doc_values": "true" - }, - "computer": { - "type": "keyword", - "doc_values": "true" - }, - "severityValue": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, - "eventdata": { + "published": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "source_ip_address": { + "type": "ip" + }, + "service": { "properties": { - "subjectUserSid": { - "type": "keyword", - "doc_values": "true" + "count": { + "type": "long" }, - "subjectUserName": { - "type": "keyword", - "doc_values": "true" + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } }, - "subjectDomainName": { - "type": "keyword", - "doc_values": "true" + "eventFirstSeen": { + "type": "date" }, - "subjectLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserSid": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserName": { - "type": "keyword", - "doc_values": "true" - }, - "targetDomainName": { - "type": "keyword", - "doc_values": "true" - }, - "targetLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "logonType": { - "type": "keyword", - "doc_values": "true" - }, - "logonProcessName": { - "type": "keyword", - "doc_values": "true" - }, - "authenticationPackageName": { - "type": "keyword", - "doc_values": "true" - }, - "logonGuid": { - "type": "keyword", - "doc_values": "true" - }, - "keyLength": { - "type": "keyword", - "doc_values": "true" - }, - "impersonationLevel": { - "type": "keyword", - "doc_values": "true" - }, - "transactionId": { - "type": "keyword", - "doc_values": "true" - }, - "newState": { - "type": "keyword", - "doc_values": "true" - }, - "resourceManager": { - "type": "keyword", - "doc_values": "true" - }, - "processId": { - "type": "keyword", - "doc_values": "true" - }, - "processName": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "image": { - "type": "keyword", - "doc_values": "true" - }, - "binary": { - "type": "keyword", - "doc_values": "true" - }, - "parentImage": { - "type": "keyword", - "doc_values": "true" - }, - "categoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryGuid": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChangesId": { - "type": "keyword", - "doc_values": "true" - }, - "category": { - "type": "keyword", - "doc_values": "true" - }, - "subcategory": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChanges": { - "type": "keyword", - "doc_values": "true" + "eventLastSeen": { + "type": "date" } } }, - "rmSessionEvent": { + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { "properties": { - "rmSessionId": { - "type": "keyword", - "doc_values": "true" + "launchTime": { + "type": "date" }, - "uTCStartTime": { - "type": "keyword", - "doc_values": "true" + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } } } } @@ -1436,20 +1770,31 @@ } }, "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { "type": "text" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" } } - } -} \ No newline at end of file + }, + "version": 1 +} diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index 8e6287ec..da87ec8d 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 @@ -1,58 +1,39 @@ # Wazuh - Filebeat configuration file -filebeat.inputs: - - type: log - paths: - - '/var/ossec/logs/alerts/alerts.json' +# Wazuh - Filebeat configuration file +filebeat.modules: + - module: wazuh + alerts: + enabled: true + archives: + enabled: false setup.template.json.enabled: true -setup.template.json.path: "/etc/filebeat/wazuh-template.json" -setup.template.json.name: "wazuh" +setup.template.json.path: '/etc/filebeat/wazuh-template.json' +setup.template.json.name: 'wazuh' setup.template.overwrite: true +setup.ilm.enabled: false -processors: - - decode_json_fields: - fields: ['message'] - process_array: true - max_depth: 200 - target: '' - overwrite_keys: true - - drop_fields: - fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] - - rename: - fields: - - from: "data.aws.sourceIPAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.srcip" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.win.eventdata.ipAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b # Send events directly to Elasticsearch output.elasticsearch: hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} - #pipeline: geoip - indices: - - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}' + +{% if filebeat_xpack_security %} + username: {{ elasticsearch_xpack_security_user }} + password: {{ elasticsearch_xpack_security_password }} + protocol: https +{% if generate_CA == true %} + ssl.certificate_authorities: + - {{node_certs_destination}}/ca.crt +{% elif generate_CA == false %} + ssl.certificate_authorities: + - {{node_certs_destination}}/{{ca_cert_name}} +{% endif %} + + ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" + ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" +{% endif %} # Optional. Send events to Logstash instead of Elasticsearch #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"] \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/README.md b/roles/wazuh/ansible-wazuh-agent/README.md index 703c247b..e43ddb87 100644 --- a/roles/wazuh/ansible-wazuh-agent/README.md +++ b/roles/wazuh/ansible-wazuh-agent/README.md @@ -32,16 +32,17 @@ The following is an example of how this role can be used: wazuh_managers: - address: 127.0.0.1 port: 1514 - protocol: udp + protocol: tcp api_port: 55000 api_proto: 'http' api_user: 'ansible' wazuh_agent_authd: + registration_address: 127.0.0.1 enable: true port: 1515 ssl_agent_ca: null ssl_auto_negotiate: 'no' - + License and copyright --------------------- diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index e95707e6..8041962f 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,16 +1,53 @@ --- +wazuh_agent_version: 3.12.0-1 + + +# Custom packages installation + +wazuh_custom_packages_installation_agent_enabled: false +wazuh_custom_packages_installation_agent_deb_url: "" +wazuh_custom_packages_installation_agent_rpm_url: "" + +# Sources installation + +wazuh_agent_sources_installation: + enabled: false + branch: "v3.12.0" + user_language: "y" + user_no_stop: "y" + user_install_type: "agent" + user_dir: "/var/ossec" + user_delete_dir: "y" + user_enable_active_response: "y" + user_enable_syscheck: "y" + user_enable_rootcheck: "y" + user_enable_openscap: "y" + user_enable_sca: "y" + user_enable_authd: "y" + user_generate_authd_cert: "n" + user_update: "y" + user_binaryinstall: null + user_agent_server_ip: "YOUR_MANAGER_IP" + user_agent_server_name: null + user_agent_config_profile: null + user_ca_store: "/var/ossec/wpk_root.pem" + wazuh_managers: - address: 127.0.0.1 port: 1514 - protocol: tcp + protocol: udp api_port: 55000 api_proto: 'http' api_user: null -wazuh_profile: null +wazuh_profile_centos: 'centos, centos7, centos7.6' +wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' wazuh_auto_restart: 'yes' wazuh_agent_authd: + registration_address: 127.0.0.1 enable: false port: 1515 + agent_name: null + groups: [] ssl_agent_ca: null ssl_agent_cert: null ssl_agent_key: null @@ -19,15 +56,22 @@ wazuh_notify_time: '10' wazuh_time_reconnect: '60' wazuh_crypto_method: 'aes' wazuh_winagent_config: - install_dir: 'C:\Program Files\ossec-agent\' - install_dir_x86: 'C:\Program Files (x86)\ossec-agent\' - auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe + download_dir: C:\ + install_dir: C:\Program Files\ossec-agent\ + install_dir_x86: C:\Program Files (x86)\ossec-agent\ + auth_path: C:\Program Files\ossec-agent\agent-auth.exe + # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - version: '3.9.2' - revision: '1' - repo: https://packages.wazuh.com/3.x/windows/ - md5: 43936e7bc7eb51bd186f47dac4a6f477 + check_md5: True + md5: 91efaefae4e1977670eab0c768a22a93 +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.0-1.msi +wazuh_winagent_package_name: wazuh-agent-3.12.0-1.msi wazuh_agent_config: + repo: + apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' + yum: 'https://packages.wazuh.com/3.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' active_response: ar_disabled: 'no' ca_store: '/var/ossec/etc/wpk_root.pem' @@ -43,10 +87,17 @@ wazuh_agent_config: scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' - remove_old_diff: 'yes' - restart_audit: 'yes' - win_audit_interval: 300 + win_audit_interval: 60 skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 ignore: - /etc/mtab - /etc/hosts.deny @@ -60,114 +111,47 @@ wazuh_agent_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug + ignore_linux_type: + - '.log$|.swp$' ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' - - dirs: /bin,/sbin - checks: 'check_all="yes"' + checks: '' + - dirs: /bin,/sbin,/boot + checks: '' win_directories: - - dirs: '%WINDIR%\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\system.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\win.ini' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\cmd.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\lsass.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\SysNative\winrm.vbs' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\at.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\attrib.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cacls.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\cmd.exe' - checks: 'check_all="yes"' + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\eventcreate.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\ftp.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\net1.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\netsh.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\reg.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedit.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regedt32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\regsvr32.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\runas.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\schtasks.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\sethc.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\subst.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\wbem\WMIC.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe' - checks: 'check_all="yes"' - - dirs: '%WINDIR%\System32\winrm.vbs' - checks: 'check_all="yes"' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'check_all="yes" realtime="yes"' + checks: 'realtime="yes"' + windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' @@ -210,18 +194,18 @@ wazuh_agent_config: rootcheck: frequency: 43200 openscap: - disable: 'no' + disable: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' osquery: disable: 'yes' run_daemon: 'yes' - bin_path_win: 'C:\ProgramData\osquery\osqueryd' + bin_path_win: 'C:\Program Files\osquery\osqueryd' log_path: '/var/log/osquery/osqueryd.results.log' - log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log' + log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' config_path: '/etc/osquery/osquery.conf' - config_path_win: 'C:\ProgramData\osquery\osquery.conf' + config_path_win: 'C:\Program Files\osquery\osquery.conf' add_labels: 'yes' syscollector: disable: 'no' @@ -233,20 +217,24 @@ wazuh_agent_config: packages: 'yes' ports_no: 'yes' processes: 'yes' + sca: + enabled: 'yes' + scan_on_start: 'yes' + interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' cis_cat: disable: 'yes' - install_java: 'yes' + install_java: 'no' timeout: 1800 interval: '1d' scan_on_start: 'yes' - java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + java_path: 'wodles/java' java_path_win: '\\server\jre\bin\java.exe' - ciscat_path: '/var/ossec/wodles/ciscat' + ciscat_path: 'wodles/ciscat' ciscat_path_win: 'C:\cis-cat' - content: - - type: 'xccdf' - path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' - profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' vuls: disable: 'yes' interval: '1d' @@ -279,16 +267,16 @@ wazuh_agent_config: linux: - format: 'syslog' location: '/var/ossec/logs/active-responses.log' - - format: 'command' - command: df -P -x squashfs -x tmpfs -x devtmpfs - frequency: '360' - - format: 'full_command' - command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t - alias: 'netstat listening ports' - frequency: '360' - format: 'full_command' command: 'last -n 20' frequency: '360' + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' windows: - format: 'eventlog' location: 'Application' @@ -304,3 +292,4 @@ wazuh_agent_config: list: - key: Env value: Production +wazuh_agent_nat: false diff --git a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml index bb84954e..1858906b 100644 --- a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml @@ -2,5 +2,5 @@ - name: restart wazuh-agent service: name=wazuh-agent state=restarted enabled=yes -- name: restart wazuh-agent windows +- name: Windows | Restart Wazuh Agent win_service: name=OssecSvc start_mode=auto state=restarted diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml index 48e45685..9c12fdbf 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml @@ -20,17 +20,27 @@ when: - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled - name: Debian/Ubuntu | Installing Wazuh repository key - apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH + apt_key: + url: "{{ wazuh_agent_config.repo.gpg }}" + id: "{{ wazuh_agent_config.repo.key_id }}" when: - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled - name: Debian/Ubuntu | Add Wazuh repositories apt_repository: - repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' + filename: wazuh_repo + repo: "{{ wazuh_agent_config.repo.apt }}" state: present update_cache: true + when: + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled - name: Debian/Ubuntu | Set Distribution CIS filename for debian set_fact: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 79eefffc..b09b704f 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -1,14 +1,40 @@ --- -- import_tasks: "RedHat.yml" +- include_tasks: "RedHat.yml" when: ansible_os_family == "RedHat" -- import_tasks: "Debian.yml" +- include_tasks: "Debian.yml" when: ansible_os_family == "Debian" -- name: Linux | Install wazuh-agent - package: name=wazuh-agent state=present +- include_tasks: "installation_from_sources.yml" + when: + - wazuh_agent_sources_installation.enabled + +- include_tasks: "installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_agent_enabled + +- name: Linux CentOS/RedHat | Install wazuh-agent + package: + name: wazuh-agent-{{ wazuh_agent_version }} + state: present async: 90 - poll: 15 + poll: 30 + when: + - ansible_os_family|lower == "redhat" + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + tags: + - init + +- name: Linux Debian | Install wazuh-agent + apt: + name: "wazuh-agent={{ wazuh_agent_version }}" + state: present + cache_valid_time: 3600 + when: + - ansible_os_family|lower != "redhat" + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled tags: - init when: not ansible_check_mode @@ -40,28 +66,39 @@ - name: Linux | Register agent (via authd) shell: > /var/ossec/bin/agent-auth - -A {{ agent_name }} - -m {{ wazuh_managers.0.address }} + {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} + -A {{ wazuh_agent_authd.agent_name }} + {% endif %} + -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} - {% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} - {% if wazuh_agent_authd.ssl_agent_ca is not none %} + {% if wazuh_agent_nat %} -I "any" {% endif %} + {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %} + {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %} -x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %} -k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" {% endif %} - {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %}-a{% endif %} + {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} + {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} + -G "{{ wazuh_agent_authd.groups | join(',') }}" + {% endif %} register: agent_auth_output + notify: restart wazuh-agent vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - name: Linux | Verify agent registration shell: echo {{ agent_auth_output }} | grep "Valid key created" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none when: wazuh_agent_authd.enable tags: @@ -76,7 +113,7 @@ - name: Linux | Create the agent key via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/" + url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/" validate_certs: false method: POST body: '{"name":"{{ agent_name }}"}' @@ -87,18 +124,21 @@ user: "{{ wazuh_managers.0.api_user }}" password: "{{ api_pass }}" register: newagent_api + notify: restart wazuh-agent # changed_when: newagent_api.json.error == 0 vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none become: false ignore_errors: true - name: Linux | Retieve new agent data via rest-API uri: - url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" + url: >- + "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address + }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" validate_certs: false method: GET return_content: true @@ -106,7 +146,7 @@ password: "{{ api_pass }}" when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - newagent_api.json.error == 0 register: newagentdata_api delegate_to: localhost @@ -117,14 +157,14 @@ environment: OSSEC_ACTION: i OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}' - OSSEC_AGENT_IP: '{{ newagentdata_api.json.data.ip }}' + OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}' OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}' OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}' OSSEC_ACTION_CONFIRMED: y register: manage_agents_output when: - not check_keys.stat.exists or check_keys.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none - newagent_api.changed notify: restart wazuh-agent @@ -174,9 +214,14 @@ name: wazuh-agent enabled: true state: started + tags: config -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" +- include_tasks: "RMRedHat.yml" + when: + - ansible_os_family == "RedHat" + - not wazuh_agent_sources_installation.enabled -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" +- include_tasks: "RMDebian.yml" + when: + - ansible_os_family == "Debian" + - not wazuh_agent_sources_installation.enabled diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml index 33382e28..8dbd2452 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml @@ -1,36 +1,31 @@ --- -- name: RedHat/CentOS/Fedora | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: https://packages.wazuh.com/3.x/yum/ - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH - gpgcheck: true - changed_when: false - when: - - ansible_distribution_major_version|int > 5 - - name: RedHat/CentOS 5 | Install Wazuh repo yum_repository: name: wazuh_repo description: Wazuh repository - baseurl: https://packages.wazuh.com/3.x/yum/5/ - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH-5 + baseurl: "{{ wazuh_agent_config.repo.yum }}5/" + gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5" gpgcheck: true changed_when: false when: - - ansible_distribution_major_version|int == 5 + - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon') + - (ansible_distribution_major_version|int <= 5) + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + register: repo_v5_installed -- name: AmazonLinux | Install Wazuh repo +- name: RedHat/CentOS/Fedora | Install Wazuh repo yum_repository: name: wazuh_repo description: Wazuh repository - baseurl: https://packages.wazuh.com/3.x/yum/ - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH + baseurl: "{{ wazuh_agent_config.repo.yum }}" + gpgkey: "{{ wazuh_agent_config.repo.gpg }}" gpgcheck: true changed_when: false when: - - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" + - repo_v5_installed is skipped + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled - name: RedHat/CentOS/Fedora | download Oracle Java RPM get_url: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index 6a8a93ac..38b4e8ac 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml @@ -4,54 +4,53 @@ path: C:\Program Files (x86) register: check_path -- name: "Set Win Path" +- name: Windows | Set Win Path (x86) set_fact: - wazuh_agent_win_path: "{% wazuh_winagent_config.install_dir_x86 if check_path.stat.exists else wazuh_winagent_config.install_dir %}" - -- name: Windows | Get current installed version - win_shell: "{% if check_path.stat.exists %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %} - {{ wazuh_winagent_config.install_dir }}{% endif %}ossec-agent.exe -h" - args: - removes: "{% if check_path.stat.exists %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %} - {{ wazuh_winagent_config.install_dir }}{% endif %}ossec-agent.exe" - register: agent_version - failed_when: false - changed_when: false - -- name: Windows | Check Wazuh agent version installed - set_fact: correct_version=true + wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}" + wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}" when: - - agent_version.stdout is defined - - wazuh_winagent_config.version in agent_version.stdout + - check_path.stat.exists -- name: Windows | Downloading windows Wazuh agent installer - win_get_url: - dest: C:\wazuh-agent-installer.msi - url: "{{ wazuh_winagent_config.repo }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi" +- name: Windows | Set Win Path (x64) + set_fact: + wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}" + wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}" when: - - correct_version is not defined + - not check_path.stat.exists -- name: Windows | Verify the downloaded Wazuh agent installer +- name: Windows | Check if Wazuh installer is already downloaded win_stat: - path: C:\wazuh-agent-installer.msi + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + register: wazuh_package_downloaded + +- name: Windows | Download Wazuh Agent package + win_get_url: + url: "{{ wazuh_winagent_config_url }}" + dest: "{{ wazuh_winagent_config.download_dir }}" + when: + - not wazuh_package_downloaded.stat.exists + +- name: Windows | Verify the Wazuh Agent installer + win_stat: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" get_checksum: true checksum_algorithm: md5 - register: installer_md5 - when: - - correct_version is not defined + register: wazuh_agent_status failed_when: - - installer_md5.stat.checksum != wazuh_winagent_config.md5 - -- name: Windows | Install Wazuh agent - win_package: - path: C:\wazuh-agent-installer.msi + - wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5 when: - - correct_version is not defined + - wazuh_winagent_config.check_md5 + + +- name: Windows | Install Agent if not already installed + win_package: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + state: present - name: Windows | Check if client.keys exists - win_stat: path="{{ wazuh_agent_win_path }}" + win_stat: + path: "{{ wazuh_agent_win_path }}client.keys" register: check_windows_key - notify: restart wazuh-agent windows tags: - config @@ -62,27 +61,30 @@ - name: Windows | Register agent win_shell: > - {% if check_path.stat.exists %}{{ wazuh_winagent_config.auth_path_x86 }}{% else %} - {{ wazuh_winagent_config.auth_path }}{% endif %} - -m {{ wazuh_managers.0.address }} + {{ wazuh_agent_win_auth_path }} + -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} + {% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} - args: - chdir: "{{ wazuh_agent_win_path }}" register: agent_auth_output - notify: restart wazuh-agent windows + notify: Windows | Restart Wazuh Agent when: - wazuh_agent_authd.enable - not check_windows_key.stat.exists or check_windows_key.stat.size == 0 - - wazuh_managers.0.address is not none + - wazuh_agent_authd.registration_address is not none tags: - config +- name: Windows | Check if ossec folder is accessible + win_file: + path: "{{ wazuh_agent_win_path }}" + state: directory + - name: Windows | Installing agent configuration (ossec.conf) - win_template: + template: src: var-ossec-etc-ossec-agent.conf.j2 dest: "{{ wazuh_agent_win_path }}ossec.conf" - notify: restart wazuh-agent windows + notify: Windows | Restart Wazuh Agent tags: - config @@ -90,11 +92,11 @@ win_template: src: var-ossec-etc-local-internal-options.conf.j2 dest: "{{ wazuh_agent_win_path }}local_internal_options.conf" - notify: restart wazuh-agent windows + notify: Windows | Restart Wazuh Agent tags: - config - name: Windows | Delete downloaded Wazuh agent installer file win_file: - path: C:\wazuh-agent-installer.msi + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" state: absent diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml new file mode 100644 index 00000000..aa50004f --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml @@ -0,0 +1,28 @@ +--- + - name: Install Wazuh Agent from .deb packages + apt: + deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}" + state: present + when: + - ansible_os_family|lower == "debian" + - wazuh_custom_packages_installation_agent_enabled + + - name: Install Wazuh Agent from .rpm packages | yum + yum: + name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}" + state: present + when: + - ansible_os_family|lower == "redhat" + - wazuh_custom_packages_installation_agent_enabled + - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") + - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") + + - name: Install Wazuh Agent from .rpm packages | dnf + dnf: + name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}" + state: present + when: + - ansible_os_family|lower == "redhat" + - wazuh_custom_packages_installation_agent_enabled + - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or + (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml new file mode 100644 index 00000000..73b3e6ce --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml @@ -0,0 +1,99 @@ +--- + - name: Install dependencies to build Wazuh packages + package: + name: + - make + - gcc + - automake + - autoconf + - libtool + - tar + state: present + + - name: Removing old files + file: + path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + state: absent + + - name: Removing old folders + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + state: absent + + - name: Installing policycoreutils-python (RedHat families) + package: + name: + - policycoreutils-python + when: + - ansible_os_family|lower == "redhat" + + - name: Installing policycoreutils-python-utils (Debian families) + package: + name: + - libc6-dev + - curl + - policycoreutils + when: + - ansible_os_family|lower == "debian" + + - name: Download required packages from github.com/wazuh/wazuh + get_url: + url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + dest: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + delegate_to: "{{ inventory_hostname }}" + changed_when: false + + - name: Create folder to extract Wazuh branch + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + state: directory + changed_when: false + + - name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip + command: >- + tar -xzvf /tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz + --strip 1 + --directory /tmp/wazuh-{{ wazuh_agent_sources_installation.branch }} + register: wazuh_untar + changed_when: false + args: + warn: false + + - name: Clean remaining files from others builds + command: "make -C src {{ item }}" + args: + chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/src/" + with_items: + - "clean" + - "clean-deps" + register: clean_result + changed_when: clean_result.rc == 0 + failed_when: false + + - name: Render the "preloaded-vars.conf" file + template: + src: "templates/preloaded_vars_agent.conf.j2" + dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf" + owner: root + group: root + mode: 0644 + changed_when: false + + - name: Executing "install.sh" script to build and install the Wazuh Agent + shell: ./install.sh > /tmp/build_agent_log.txt + register: installation_result + changed_when: installation_result == 0 + args: + chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + + - name: Cleanup downloaded files + file: + path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + state: absent + changed_when: false + + - name: Cleanup created folders + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + state: absent + changed_when: false \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml index 4b919bc5..25c7b955 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml @@ -1,6 +1,6 @@ --- -- import_tasks: "Windows.yml" +- include_tasks: "Windows.yml" when: ansible_os_family == "Windows" -- import_tasks: "Linux.yml" +- include_tasks: "Linux.yml" when: ansible_system == "Linux" diff --git a/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 new file mode 100644 index 00000000..0887b367 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 @@ -0,0 +1,7 @@ +{% for key, value in wazuh_agent_sources_installation.items() %} +{% if "user_" in key %} +{% if value is defined and value is not none %} +{{ key|upper }}="{{ value }}" +{% endif %} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 7d7e139d..ee71769e 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -1,4 +1,4 @@ -#jinja2: trim_blocks: False +#jinja2: lstrip_blocks: True {{ wazuh_agent_config.client_buffer.disable }} {{ wazuh_agent_config.client_buffer.queue_size }} {{ wazuh_agent_config.client_buffer.events_per_sec }} - - {{ wazuh_agent_config.log_format }} - - - - {{ wazuh_agent_config.active_response.ar|default('no') }} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %} - {{ wazuh_agent_config.active_response.ca_verification }} - {% if wazuh_agent_config.rootcheck is defined %} no {% if ansible_system == "Linux" %} - yes yes yes yes @@ -65,16 +58,9 @@ /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - {% if cis_distribution_filename is defined %} - /var/ossec/etc/shared/{{ cis_distribution_filename }} - {% endif %} yes {% endif %} - {% if ansible_os_family == "Windows" %} - ./shared/win_audit_rcl.txt ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt {% endif %} @@ -82,95 +68,10 @@ {% endif %} - - {% if wazuh_agent_config.syscheck is defined %} - - no - - - {{ wazuh_agent_config.syscheck.frequency }} - {% if ansible_system == "Linux" %} - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - {{ wazuh_agent_config.syscheck.auto_ignore }} - {{ wazuh_agent_config.syscheck.scan_on_start }} - {% endif %} - - - {% if wazuh_agent_config.syscheck.directories is defined and ansible_os_family == "Linux" %} - {% for directory in wazuh_agent_config.syscheck.directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - - - {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %} - {% for directory in wazuh_agent_config.syscheck.win_directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - - - {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %} - {% for ignore in wazuh_agent_config.syscheck.ignore %} - {{ ignore }} - {% endfor %} - {% endif %} - - {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %} - {% for ignore in wazuh_agent_config.syscheck.ignore_win %} - {{ ignore }} - {% endfor %} - {% endif %} - - {% if ansible_system == "Linux" %} - - {% for no_diff in wazuh_agent_config.syscheck.no_diff %} - {{ no_diff }} - {% endfor %} - - {{ wazuh_agent_config.syscheck.skip_nfs }} - {% endif %} - - {{ wazuh_agent_config.syscheck.remove_old_diff }} - - {% if ansible_system == "Linux"%} - - {{ wazuh_agent_config.syscheck.restart_audit }} - {% endif %} - - {% if ansible_os_family == "Windows" %} - {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} - {% if registry_key.arch is defined %} - {{ registry_key.key }} - {% else %} - {{ registry_key.key }} - {% endif %} - {% endfor %} - {% endif %} - - {% if ansible_os_family == "Windows" %} - {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %} - {% if registry_key.type is defined %} - {{ registry_key.key }} - {% else %} - {{ registry_key.key }} - {% endif %} - {% endfor %} - {% endif %} - - {% if ansible_os_family == "Windows" %} - - {{ wazuh_agent_config.syscheck.win_audit_interval }} - {% endif %} - - {% endif %} - - {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %} + {% if ansible_system == "Linux" %} - no + {{ wazuh_agent_config.openscap.disable }} {{ wazuh_agent_config.openscap.timeout }} {{ wazuh_agent_config.openscap.interval }} {{ wazuh_agent_config.openscap.scan_on_start }} @@ -190,23 +91,33 @@ {% endif %} {% elif ansible_distribution == 'CentOS' %} - {% if ansible_distribution_major_version == '7' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + {% elif ansible_distribution_major_version == '6' %} - {% endif %} xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common + {% endif %} {% elif ansible_distribution == 'RedHat' %} - {% if ansible_distribution_major_version == '7' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + {% elif ansible_distribution_major_version == '6' %} - {% endif %} xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common + {% endif %} {% if ansible_distribution_major_version == '7' %} {% elif ansible_distribution_major_version == '6' %} @@ -221,9 +132,8 @@ {% endif %} - {% if wazuh_agent_config.cis_cat.disable == 'no' %} - no + {{ wazuh_agent_config.cis_cat.disable }} {{ wazuh_agent_config.cis_cat.timeout }} {{ wazuh_agent_config.cis_cat.interval }} {{ wazuh_agent_config.cis_cat.scan_on_start }} @@ -235,15 +145,7 @@ {{ wazuh_agent_config.cis_cat.java_path }} {% endif %} {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %} - {% if ansible_system == "Linux" %} - {% for benchmark in wazuh_agent_config.cis_cat.content %} - - {{ benchmark.profile }} - - {% endfor %} - {% endif %} - {% endif %} @@ -270,6 +172,126 @@ {{ wazuh_agent_config.syscollector.processes }} + + {% if wazuh_agent_config.sca.enabled | length > 0 %} + {{ wazuh_agent_config.sca.enabled }} + {% endif %} + {% if wazuh_agent_config.sca.scan_on_start | length > 0 %} + {{ wazuh_agent_config.sca.scan_on_start }} + {% endif %} + {% if wazuh_agent_config.sca.interval | length > 0 %} + {{ wazuh_agent_config.sca.interval }} + {% endif %} + {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} + yes + {% endif %} + {% if wazuh_agent_config.sca.day | length > 0 %} + yes + {% endif %} + {% if wazuh_agent_config.sca.wday | length > 0 %} + yes + {% endif %} + {% if wazuh_agent_config.sca.time | length > 0 %} + + {% endif %} + + + + + {% if wazuh_agent_config.syscheck is defined %} + + no + + {{ wazuh_agent_config.syscheck.frequency }} + {% if ansible_system == "Linux" %} + {{ wazuh_agent_config.syscheck.scan_on_start }} + + {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %} + {% for directory in wazuh_agent_config.syscheck.directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %} + {% for directory in wazuh_agent_config.syscheck.win_directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %} + {% for ignore in wazuh_agent_config.syscheck.ignore %} + {{ ignore }} + {% endfor %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %} + {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %} + {% for ignore in wazuh_agent_config.syscheck.ignore_win %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% if ansible_system == "Linux" %} + + {% for no_diff in wazuh_agent_config.syscheck.no_diff %} + {{ no_diff }} + {% endfor %} + + {{ wazuh_agent_config.syscheck.skip_nfs }} + {{ wazuh_agent_config.syscheck.skip_dev }} + {{ wazuh_agent_config.syscheck.skip_proc }} + {{ wazuh_agent_config.syscheck.skip_sys }} + {% endif %} + + {% if ansible_os_family == "Windows" %} + {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} + {% if registry_key.arch is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Windows" %} + {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %} + {% if registry_key.type is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Windows" %} + + {{ wazuh_agent_config.syscheck.win_audit_interval }} + {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} + + + {% endif %} {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %} @@ -284,68 +306,72 @@ {% endif %} - {% if ansible_system == "Linux" %} - {% for localfile in wazuh_agent_config.localfiles.linux %} - - {{ localfile.format }} + {% if ansible_system == "Linux" %} + {% for localfile in wazuh_agent_config.localfiles.linux %} + + + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} {% endif %} - + {% else %} + {{ localfile.location }} + {% endif %} + {% endfor %} {% endif %} - {% if ansible_os_family == "Debian" %} - {% for localfile in wazuh_agent_config.localfiles.debian %} - - {{ localfile.format }} + {% if ansible_os_family == "Debian" %} + {% for localfile in wazuh_agent_config.localfiles.debian %} + + + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} - {% endif %} - + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% else %} + {{ localfile.location }} + {% endif %} + {% endfor %} {% endif %} - {% if ansible_os_family == "RedHat" %} - {% for localfile in wazuh_agent_config.localfiles.centos %} - - {{ localfile.format }} + {% if ansible_os_family == "RedHat" %} + {% for localfile in wazuh_agent_config.localfiles.centos %} + + + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} {% else %} - {{ localfile.location }} - {% endif %} - + {{ localfile.location }} + {% endif %} + {% endfor %} {% endif %} - {% if ansible_os_family == "Windows" %} - {% for localfile in wazuh_agent_config.localfiles.windows %} - - {{ localfile.format }} - {% if localfile.format == 'eventchannel' %} - {{ localfile.location }} - {{ localfile.query}} - {% else %} - {{ localfile.location }} - {% endif %} - + {% if ansible_os_family == "Windows" %} + {% for localfile in wazuh_agent_config.localfiles.windows %} + + + {{ localfile.format }} + {% if localfile.format == 'eventchannel' %} + {{ localfile.location }} + {{ localfile.query}} + {% else %} + {{ localfile.location }} + {% endif %} + {% endfor %} {% endif %} @@ -357,4 +383,14 @@ {% endif %} + + {{ wazuh_agent_config.active_response.ar_disabled|default('no') }} + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %} + {{ wazuh_agent_config.active_response.ca_verification }} + + + + {{ wazuh_agent_config.log_format }} + + diff --git a/roles/wazuh/ansible-wazuh-manager/README.md b/roles/wazuh/ansible-wazuh-manager/README.md index 19b1eae9..199e7810 100644 --- a/roles/wazuh/ansible-wazuh-manager/README.md +++ b/roles/wazuh/ansible-wazuh-manager/README.md @@ -20,7 +20,7 @@ This role has some variables which you can or need to override. ``` wazuh_manager_fqdn: ~ wazuh_manager_config: [] -wazuh_agent_configs: [] +shared_agent_config: [] ``` Vault variables @@ -157,7 +157,7 @@ wazuh_manager_config: level: 6 timeout: 600 -wazuh_agent_configs: +shared_agent_config: - type: os type_value: linux frequency_check: 79200 diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 8cf7ef58..db4f8841 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,8 +1,70 @@ --- +wazuh_manager_version: 3.12.0-1 + wazuh_manager_fqdn: "wazuh-server" -wazuh_manager_package_state: latest +wazuh_manager_package_state: present + +# Custom packages installation +wazuh_custom_packages_installation_manager_enabled: false +wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-manager_3.12.0-0.3319fimreworksqlite_amd64.deb" +wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-manager-3.12.0-0.3319fimreworksqlite.x86_64.rpm" +wazuh_custom_packages_installation_api_enabled: false +wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/deb/var/wazuh-api_3.12.0-0.3319fimreworksqlite_amd64.deb" +wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/branches/3.12/rpm/var/wazuh-api-3.12.0-0.3319fimreworksqlite.x86_64.rpm" + +# Sources installation +wazuh_manager_sources_installation: + enabled: false + branch: "v3.12.0" + user_language: "en" + user_no_stop: "y" + user_install_type: "server" + user_dir: "/var/ossec" + user_delete_dir: null + user_enable_active_response: null + user_enable_syscheck: "y" + user_enable_rootcheck: "y" + user_enable_openscap: "y" + user_enable_authd: "y" + user_generate_authd_cert: null + user_update: "y" + user_binaryinstall: null + user_enable_email: "n" + user_auto_start: "y" + user_email_address: null + user_email_smpt: null + user_enable_syslog: "n" + user_white_list: "n" + user_ca_store: null + threads: "2" + +wazuh_api_sources_installation: + enabled: false + branch: "v3.12.0" + update: "y" + remove: "y" + directory: null + port: 55000 + https: "n" + authd: null + proxy: null + country: null + state: null + locality: null + org_name: null + org_unit: null + common_name: null + password: null + +wazuh_api_user: + - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/" wazuh_manager_config: + repo: + apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' + yum: 'https://packages.wazuh.com/3.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' json_output: 'yes' alerts_log: 'yes' logall: 'no' @@ -33,9 +95,7 @@ wazuh_manager_config: port: '1516' bind_addr: '0.0.0.0' nodes: - - '172.17.0.2' - - '172.17.0.3' - - '172.17.0.4' + - 'manager' hidden: 'no' connection: - type: 'secure' @@ -45,26 +105,29 @@ wazuh_manager_config: authd: enable: true port: 1515 - use_source_ip: 'yes' + use_source_ip: 'no' force_insert: 'yes' force_time: 0 - purge: 'no' + purge: 'yes' use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' ssl_agent_ca: null ssl_verify_host: 'no' - ssl_manager_cert: '/var/ossec/etc/sslmanager.cert' - ssl_manager_key: '/var/ossec/etc/sslmanager.key' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' ssl_auto_negotiate: 'no' email_notification: 'no' mail_to: - 'admin@example.net' - mail_smtp_server: localhost - mail_from: wazuh-server@example.com + mail_smtp_server: smtp.example.wazuh.com + mail_from: ossecm@example.wazuh.com mail_maxperhour: 12 mail_queue_size: 131072 + email_log_source: 'alerts.log' extra_emails: - enable: false - mail_to: 'admin@example.net' + mail_to: 'recipient@example.wazuh.com' format: full level: 7 event_location: null @@ -76,7 +139,7 @@ wazuh_manager_config: - enable: false category: 'syscheck' title: 'Daily report: File changes' - email_to: 'admin@example.net' + email_to: 'recipient@example.wazuh.com' location: null group: null rule: null @@ -103,26 +166,33 @@ wazuh_manager_config: - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - /sys/kernel/security - - /sys/kernel/debug + ignore_linux_type: + - '.log$|.swp$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' + checks: '' - dirs: /bin,/sbin,/boot - checks: 'check_all="yes"' + checks: '' auto_ignore_frequency: frequency: 'frequency="10"' timeframe: 'timeframe="3600"' value: 'no' skip_nfs: 'yes' - remove_old_diff: 'yes' - restart_audit: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 rootcheck: frequency: 43200 openscap: - disable: 'no' + disable: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' @@ -134,10 +204,6 @@ wazuh_manager_config: scan_on_start: 'yes' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' ciscat_path: 'wodles/ciscat' - content: - - type: 'xccdf' - path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' - profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' osquery: disable: 'yes' run_daemon: 'yes' @@ -154,20 +220,44 @@ wazuh_manager_config: packages: 'yes' ports_no: 'yes' processes: 'yes' - vul_detector: - disable: 'yes' + sca: + enabled: 'yes' + scan_on_start: 'yes' + interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' + vulnerability_detector: + enabled: 'no' interval: '5m' ignore_time: '6h' run_on_start: 'yes' - ubuntu: - disable: 'yes' - update_interval: '1h' - redhat: - disable: 'yes' - update_interval: '1h' - debian: - disable: 'yes' - update_interval: '1h' + providers: + - enabled: 'no' + os: + - 'precise' + - 'trusty' + - 'xenial' + - 'bionic' + update_interval: '1h' + name: '"canonical"' + - enabled: 'no' + os: + - 'wheezy' + - 'stretch' + - 'jessie' + - 'buster' + update_interval: '1h' + name: '"debian"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"redhat"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"nvd"' vuls: disable: 'yes' interval: '1d' @@ -178,19 +268,20 @@ wazuh_manager_config: - 'updatenvd' - 'nvd-year 2016' - 'autoupdate' - log_level: 1 + log_level: 3 email_level: 12 localfiles: common: - format: 'command' - command: df -P -x squashfs -x tmpfs -x devtmpfs + command: df -P frequency: '360' - format: 'full_command' - command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d alias: 'netstat listening ports' frequency: '360' - format: 'full_command' command: 'last -n 20' + frequency: '360' - format: 'syslog' location: '/var/ossec/logs/active-responses.log' debian: @@ -213,20 +304,16 @@ wazuh_manager_config: location: '/var/log/audit/audit.log' globals: - '127.0.0.1' - - '192.168.2.1' + - '^localhost.localdomain$' + - '127.0.0.53' commands: - name: 'disable-account' executable: 'disable-account.sh' expect: 'user' timeout_allowed: 'yes' - # - name: 'restart-ossec' - # executable: 'restart-ossec.sh' - # expect: '' - # timeout_allowed: 'no' - - name: 'win_restart-ossec' - executable: 'restart-ossec.cmd' + - name: 'restart-ossec' + executable: 'restart-ossec.sh' expect: '' - timeout_allowed: 'no' - name: 'firewall-drop' executable: 'firewall-drop.sh' expect: 'srcip' @@ -243,6 +330,10 @@ wazuh_manager_config: executable: 'route-null.cmd' expect: 'srcip' timeout_allowed: 'yes' + - name: 'win_route-null-2012' + executable: 'route-null-2012.cmd' + expect: 'srcip' + timeout_allowed: 'yes' - name: 'netsh' executable: 'netsh.cmd' expect: 'srcip' @@ -254,6 +345,10 @@ wazuh_manager_config: ruleset: rules_path: 'custom_ruleset/rules/' decoders_path: 'custom_ruleset/decoders/' + cdb_lists: + - 'audit-keys' + - 'security-eventchannel' + - 'amazon/aws-eventnames' rule_exclude: - '0215-policy_rules.xml' syslog_outputs: @@ -266,51 +361,58 @@ wazuh_manager_config: - key: Env value: Production -wazuh_agent_configs: - - type: os - type_value: Linux - syscheck: - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - alert_new_files: 'yes' - ignore: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/svc/volatile - no_diff: - - /etc/ssl/private.key - rootcheck: - frequency: 43200 - cis_distribution_filename: null - localfiles: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'apache' - location: '/var/log/httpd/error_log' - - format: 'apache' - location: '/var/log/httpd/access_log' - - format: 'apache' - location: '/var/ossec/logs/active-responses.log' - - type: os - type_value: Windows - syscheck: - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - alert_new_files: 'yes' - windows_registry: - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - arch: 'both' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - localfiles: - - location: 'Security' - format: 'eventchannel' - - location: 'System' - format: 'eventlog' +# shared_agent_config: + # - type: os + # type_value: Linux + # syscheck: + # frequency: 43200 + # scan_on_start: 'yes' + # alert_new_files: 'yes' + # ignore: + # - /etc/mtab + # - /etc/mnttab + # - /etc/hosts.deny + # - /etc/mail/statistics + # - /etc/svc/volatile + # no_diff: + # - /etc/ssl/private.key + # rootcheck: + # frequency: 43200 + # cis_distribution_filename: null + # localfiles: + # - format: 'syslog' + # location: '/var/log/messages' + # - format: 'syslog' + # location: '/var/log/secure' + # - format: 'syslog' + # location: '/var/log/maillog' + # - format: 'apache' + # location: '/var/log/httpd/error_log' + # - format: 'apache' + # location: '/var/log/httpd/access_log' + # - format: 'apache' + # location: '/var/ossec/logs/active-responses.log' + # - type: os + # type_value: Windows + # syscheck: + # frequency: 43200 + # scan_on_start: 'yes' + # auto_ignore: 'no' + # alert_new_files: 'yes' + # windows_registry: + # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' + # arch: 'both' + # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' + # localfiles: + # - location: 'Security' + # format: 'eventchannel' + # - location: 'System' + # format: 'eventlog' + +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + +agent_groups: [] # groups to create diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml index 0fac45a1..f422b85d 100644 --- a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml @@ -1,7 +1,4 @@ --- -- name: rebuild cdb_lists - command: /var/ossec/bin/ossec-makelists - - name: restart wazuh-manager service: name: wazuh-manager @@ -12,6 +9,4 @@ service: name: wazuh-api state: restarted - enabled: true - when: - - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) + enabled: true \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml index 9e9a94d7..da27042f 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml @@ -7,6 +7,7 @@ - gnupg state: present cache_valid_time: 3600 + install_recommends: false register: wazuh_manager_https_packages_installed until: wazuh_manager_https_packages_installed is succeeded @@ -22,43 +23,28 @@ when: - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 + - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled - name: Debian/Ubuntu | Installing Wazuh repository key - apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH + apt_key: + url: "{{ wazuh_manager_config.repo.gpg }}" + id: "{{ wazuh_manager_config.repo.key_id }}" when: - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled - name: Debian/Ubuntu | Add Wazuh repositories apt_repository: - repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' + filename: wazuh_repo + repo: "{{ wazuh_manager_config.repo.apt }}" state: present update_cache: true changed_when: false - -- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14) - become: true - shell: | - set -o pipefail - curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - - args: - warn: false - executable: /bin/bash - changed_when: false when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - -- name: Debian/Ubuntu | Installing NodeJS repository key - apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - -- name: Debian/Ubuntu | Add NodeSource repositories for Node.js - apt_repository: - repo: "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main" - state: present - update_cache: true - changed_when: false + - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu set_fact: @@ -82,16 +68,16 @@ - init - name: Debian/Ubuntu | Install OpenScap - package: - name: "{{ item }}" + apt: + name: + - libopenscap8 + - xsltproc state: present cache_valid_time: 3600 + install_recommends: false register: wazuh_manager_openscap_installed until: wazuh_manager_openscap_installed is succeeded when: wazuh_manager_config.openscap.disable == 'no' - with_items: - - libopenscap8 - - xsltproc tags: - init @@ -110,3 +96,40 @@ changed_when: false tags: - config + +- name: Debian/Ubuntu | Install wazuh-manager + apt: + name: + - "wazuh-manager={{ wazuh_manager_version }}" + state: present + cache_valid_time: 3600 + install_recommends: false + register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + tags: init + when: + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- include_tasks: "installation_from_sources.yml" + when: + - wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled + +- include_tasks: "installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled + +- name: Debian/Ubuntu | Install wazuh-api + apt: + name: + - "wazuh-api={{ wazuh_manager_version }}" + state: present + cache_valid_time: 3600 + install_recommends: false + register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + tags: init + when: + - not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + - wazuh_manager_config.cluster.node_type == "master" \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml index 7540e142..cb0dbf5a 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml @@ -1,69 +1,36 @@ --- -- name: RedHat/CentOS | Install Nodejs repo +- name: RedHat/CentOS 5 | Install Wazuh repo yum_repository: - name: NodeJS - description: NodeJS-$releasever - baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64 - gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL + name: wazuh_repo + description: Wazuh repository + baseurl: "{{ wazuh_manager_config.repo.yum }}5/" + gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5" gpgcheck: true changed_when: false when: - - ansible_distribution_major_version|int > 5 - -- name: Fedora | Install Nodejs repo - yum_repository: - name: NodeJS - description: NodeJS-$releasever - baseurl: https://rpm.nodesource.com/pub_6.x/fc/$releasever/x86_64 - gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL - gpgcheck: true - when: ansible_distribution == 'Fedora' - -- name: AmazonLinux | Get Nodejs - shell: | - set -o pipefail - curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - - args: - warn: false - executable: /bin/bash - when: - - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - -- name: AmazonLinux | Install Nodejs repo - yum: - name: nodejs - state: present - register: wazuh_manager_amz_node_packages_installed - until: wazuh_manager_amz_node_packages_installed is succeeded - when: - - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" + - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon') + - (ansible_distribution_major_version|int <= 5) + - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled + register: repo_v5_manager_installed - name: RedHat/CentOS/Fedora | Install Wazuh repo yum_repository: name: wazuh_repo description: Wazuh repository - baseurl: https://packages.wazuh.com/3.x/yum/ - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH + baseurl: "{{ wazuh_manager_config.repo.yum }}" + gpgkey: "{{ wazuh_manager_config.repo.gpg }}" gpgcheck: true changed_when: false when: - - (ansible_distribution_major_version|int > 5) or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - -- name: RedHat/CentOS 5 | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: https://packages.wazuh.com/3.x/yum/5/ - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH - gpgcheck: true - when: - - ansible_distribution_major_version|int == 5 + - repo_v5_manager_installed is skipped + - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled - name: RedHat/CentOS/Fedora | Install openscap package: name={{ item }} state=present with_items: - openscap-scanner - - openssl register: wazuh_manager_openscp_packages_installed until: wazuh_manager_openscp_packages_installed is succeeded tags: @@ -143,3 +110,62 @@ cis_distribution_filename: cis_rhel7_linux_rcl.txt when: - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" + +- name: CentOS/RedHat/Amazon | Install wazuh-manager + package: + name: "wazuh-manager-{{ wazuh_manager_version }}" + state: "{{ wazuh_manager_package_state }}" + register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + when: + - ansible_os_family|lower == "redhat" + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + tags: + - init + +- include_tasks: "../tasks/installation_from_sources.yml" + when: + - wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled + +- include_tasks: "../tasks/installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled + +- name: CentOS/RedHat/Amazon | Install wazuh-api + package: + name: "wazuh-api-{{ wazuh_manager_version }}" + state: "{{ wazuh_manager_package_state }}" + register: wazuh_api_main_packages_installed + until: wazuh_api_main_packages_installed is succeeded + when: + - ansible_os_family|lower == "redhat" + - not wazuh_api_sources_installation.enabled + - not wazuh_custom_packages_installation_api_enabled + - wazuh_manager_config.cluster.node_type == "master" + tags: + - init + +- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3 + replace: + path: /etc/init.d/wazuh-manager + regexp: 'echo -n "Starting Wazuh-manager: "' + replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib' + when: + - ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6 + - wazuh_manager_config.cluster.disable != 'yes' + +- name: Install expect (EL5) + package: + name: "{{ item }}" + state: "{{ wazuh_manager_package_state }}" + with_items: + - expect + register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + when: + - ansible_os_family|lower == "RedHat" + - ansible_distribution_major_version|int < 6 + tags: + - init + diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml new file mode 100644 index 00000000..0dc9808d --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml @@ -0,0 +1,61 @@ +--- + - block: + - name: Install Wazuh Manager from .deb packages + apt: + deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}" + state: present + when: + - wazuh_custom_packages_installation_manager_enabled + + - name: Install Wazuh API from .deb packages + apt: + deb: "{{ wazuh_custom_packages_installation_api_deb_url }}" + state: present + when: + - wazuh_custom_packages_installation_api_enabled + - wazuh_manager_config.cluster.node_type == "master" + + when: + - ansible_os_family|lower == "debian" + + - block: + - name: Install Wazuh Manager from .rpm packages | yum + yum: + name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}" + state: present + when: + - wazuh_custom_packages_installation_manager_enabled + - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") + - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") + + - name: Install Wazuh Manager from .rpm packages | dnf + dnf: + name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}" + state: present + when: + - wazuh_custom_packages_installation_manager_enabled + - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or + (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") + + - name: Install Wazuh API from .rpm packages | yum + yum: + name: "{{ wazuh_custom_packages_installation_api_rpm_url }}" + state: present + when: + - wazuh_custom_packages_installation_api_enabled + - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") + - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") + - wazuh_manager_config.cluster.node_type == "master" + + - name: Install Wazuh API from .rpm packages | dnf + dnf: + name: "{{ wazuh_custom_packages_installation_api_rpm_url }}" + state: present + when: + - wazuh_custom_packages_installation_api_enabled + - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or + (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") + - wazuh_manager_config.cluster.node_type == "master" + + when: + - ansible_os_family|lower == "redhat" \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml new file mode 100644 index 00000000..e019d2f9 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml @@ -0,0 +1,185 @@ +--- +# Wazuh Manager + - name: Check if Wazuh Manager is already installed + stat: + path: /var/ossec/bin/ossec-control + register: wazuh_ossec_control + + - name: Installing Wazuh Manager from sources + block: + - name: Install dependencies to build Wazuh packages + package: + name: + - make + - gcc + - automake + - autoconf + - libtool + - tar + state: present + + - name: Removing old files + file: + path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + state: absent + + - name: Removing old folders + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + state: absent + + - name: Installing policycoreutils-python (RedHat families) + package: + name: + - policycoreutils-python + when: + - ansible_os_family|lower == "redhat" + + - name: Installing policycoreutils-python-utils (Debian families) + package: + name: + - libc6-dev + - curl + - policycoreutils + when: + - ansible_os_family|lower == "debian" + + - name: Remove old repository folder + file: + path: /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }} + state: absent + + - name: Download required packages from github.com/wazuh/wazuh + get_url: + url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + dest: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + delegate_to: "{{ inventory_hostname }}" + + - name: Create folder to extract Wazuh branch + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + state: directory + + # When downloading "v3.11.0" extracted folder name is 3.11.0. + + # Explicitly creating the folder with proper naming and striping first level in .tar.gz file + + - name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip + command: >- + tar -xzvf /tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz + --strip 1 + --directory /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }} + register: wazuh_untar + changed_when: wazuh_untar.rc ==0 + args: + warn: false + + - name: Clean remaining files from others builds + command: "make -C src {{ item }}" + args: + chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/src/" + with_items: + - "clean" + - "clean-deps" + register: clean_result + changed_when: clean_result.rc == 0 + failed_when: false + + - name: Render the "preloaded-vars.conf" file + template: + src: "templates/preloaded_vars_manager.conf.j2" + dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf" + owner: root + group: root + mode: 0644 + + - name: Executing "install.sh" script to build and install the Wazuh Manager + shell: ./install.sh > /tmp/build_wazuh_manager_log.txt + register: installation_result + changed_when: installation_result == 0 + args: + chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + + - name: Cleanup downloaded files + file: + path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + state: absent + + - name: Cleanup created folders + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + state: absent + + when: + - not wazuh_ossec_control.stat.exists + - wazuh_manager_sources_installation.enabled + tags: + - manager + +# Wazuh API + + - name: Check if Wazuh API is already installed + stat: + path: /var/ossec/api/app.js + register: wazuh_api + when: + - wazuh_manager_config.cluster.node_type == "master" + + - name: Install Wazuh API from sources + block: + - name: Install dependencies to build Wazuh packages + package: + name: + - make + - gcc + - automake + - autoconf + - libtool + - tar + state: present + + - name: Explicitly installing npm for Debian hosts + package: + name: npm + state: present + when: + - ansible_distribution == "Debian" + + - name: Ensure Git is present in the host + package: + name: git + state: present + + - name: Remove old repository folder + file: + path: /tmp/wazuh-api + state: absent + + - name: Download the Wazuh API repository + git: + repo: 'https://github.com/wazuh/wazuh-api.git' + version: "{{ wazuh_api_sources_installation.branch }}" + dest: /tmp/wazuh-api + + - name: Configure Wazuh API installation + template: + src: "templates/preloaded_vars_api.conf.j2" + dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf" + owner: root + group: root + mode: 0644 + + - name: Execute Wazuh API installation script + shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt + register: install_api + changed_when: install_api.rc == 0 + args: + chdir: "/tmp/wazuh-api" + notify: + - restart wazuh-api + when: + - not wazuh_api.stat.exists + - wazuh_api_sources_installation.enabled + - wazuh_manager_config.cluster.node_type == "master" + tags: + - api \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index 07f6ff0a..2621a563 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -1,43 +1,58 @@ --- -- import_tasks: "RedHat.yml" +- name: "Install dependencies" + package: + name: + - unzip + - openssl + - tar + state: present + +- name: Check if NodeJS service exists + stat: + path: /usr/bin/node + register: node_service_status + +- name: Install NodeJS repository + block: + - name: Download NodeJS repository script + get_url: + url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" + dest: /etc/nodejs.sh + mode: 0775 + changed_when: false + + - name: Run NodeJS bash script + command: sh /etc/nodejs.sh + register: nodejs_script + changed_when: nodejs_script.rc == 0 + when: + - not node_service_status.stat.exists + - wazuh_manager_config.cluster.node_type == "master" + +- name: Installing NodeJS + package: + name: nodejs + state: present + register: nodejs_service_is_installed + until: nodejs_service_is_installed is succeeded + when: + - wazuh_manager_config.cluster.node_type == "master" + + tags: init + +- include_tasks: "RedHat.yml" when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon") -- import_tasks: "Debian.yml" +- include_tasks: "Debian.yml" when: ansible_os_family == "Debian" -- name: Install wazuh-manager, wazuh-api and expect - package: pkg={{ item }} state={{ wazuh_manager_package_state }} - with_items: - - wazuh-manager - - wazuh-api - - expect - register: wazuh_manager_main_packages_installed - until: wazuh_manager_main_packages_installed is succeeded +- name: Install expect + package: + name: expect + state: "{{ wazuh_manager_package_state }}" when: - - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6) - tags: - - init - -- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3 - replace: - path: /etc/init.d/wazuh-manager - regexp: 'echo -n "Starting Wazuh-manager: "' - replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib' - when: - - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int == 6 - - wazuh_manager_config.cluster.disable != 'yes' - -- name: Install wazuh-manager and expect (EL5) - package: pkg={{ item }} state={{ wazuh_manager_package_state }} - with_items: - - wazuh-manager - - expect - register: wazuh_manager_main_packages_installed - until: wazuh_manager_main_packages_installed is succeeded - when: - - ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6 - tags: - - init + - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) + tags: init - name: Generate SSL files for authd command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/" @@ -46,12 +61,12 @@ chdir: /var/ossec/etc/ tags: - config - when: not wazuh_manager_config.authd.ssl_agent_ca is not none + when: wazuh_manager_config.authd.ssl_agent_ca is not none - name: Copy CA, SSL key and cert for authd copy: src: "{{ item }}" - dest: "/var/ossec/etc/{{ item | basename }}" + dest: "/var/ossec/etc/{{ item }}" mode: 0644 with_items: - "{{ wazuh_manager_config.authd.ssl_agent_ca }}" @@ -148,6 +163,8 @@ tags: - init - config + when: + - shared_agent_config is defined - name: Installing the config.js (api configuration) template: src=var-ossec-api-configuration-config.js.j2 @@ -156,6 +173,9 @@ group=ossec mode=0740 notify: restart wazuh-api + when: + - wazuh_manager_config.cluster.node_type == "master" + tags: - init - config @@ -181,17 +201,6 @@ tags: - config -- name: Retrieving Wazuh-API User Credentials - include_vars: wazuh_api_creds.yml - when: - - not (ansible_distribution in ['CentOS','RedHat'] and ansible_distribution_major_version|int < 6) - tags: - - config - -- name: Retrieving CDB lists - include_vars: cdb_lists.yml - tags: - - config - name: Check if syslog output is enabled set_fact: syslog_output=true @@ -262,7 +271,7 @@ poll: 0 when: - wazuh_manager_config.vuls.disable != 'yes' - - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle'] + - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle', 'Amazon'] - not ansible_check_mode tags: - init @@ -304,7 +313,7 @@ notify: restart wazuh-api when: - wazuh_api_user is defined - - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) + - wazuh_manager_config.cluster.node_type == "master" tags: - config @@ -326,54 +335,37 @@ tags: - config -- name: CDB Lists - template: - src: cdb_lists.j2 - dest: "/var/ossec/etc/lists/{{ item.name }}" - owner: root - group: ossec - mode: 0640 - no_log: true - register: wazuh_manager_cdb_lists - until: wazuh_manager_cdb_lists is succeeded - notify: - - rebuild cdb_lists - - restart wazuh-manager - with_items: - - "{{ cdb_lists }}" - when: - - cdb_lists is defined - - cdb_lists is iterable - tags: - - config - -- name: Ensure Wazuh Manager, wazuh API service is started and enabled +- name: Ensure Wazuh Manager service is started and enabled. service: - name: "{{ item }}" - enabled: true - state: started - with_items: - - wazuh-manager - - wazuh-api - tags: - - config - environment: - LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" - when: - - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6) - -- name: Ensure Wazuh Manager is started and enabled (EL5) - service: - name: wazuh-manager + name: "wazuh-manager" enabled: true state: started tags: - config + +- name: Ensure Wazuh API service is started and enabled. + service: + name: "wazuh-api" + enabled: true + state: started + when: wazuh_manager_config.cluster.node_type == "master" + tags: + - config + +- name: Create agent groups + command: "/var/ossec/bin/agent_groups -a -g {{ item }} -q" + with_items: + - "{{ agent_groups }}" when: - - ansible_distribution in ['CentOS', 'RedHat'] and ansible_distribution_major_version|int < 6 + - ( agent_groups is defined) and ( agent_groups|length > 0) + tags: molecule-idempotence-notest -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" +- include_tasks: "RMRedHat.yml" + when: + - ansible_os_family == "RedHat" or ansible_os_family == "Amazon" + - not wazuh_manager_sources_installation.enabled -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" +- include_tasks: "RMDebian.yml" + when: + - ansible_os_family == "Debian" + - not wazuh_manager_sources_installation.enabled diff --git a/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_api.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_api.conf.j2 new file mode 100644 index 00000000..198178c8 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_api.conf.j2 @@ -0,0 +1,7 @@ +{% for key, value in wazuh_api_sources_installation.items() %} +{% if "enabled" not in key and "branch" not in key %} +{% if value is defined and value is not none %} +{{ key|upper }}="{{ value }}" +{% endif %} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 new file mode 100644 index 00000000..3dacef92 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 @@ -0,0 +1,7 @@ +{% for key, value in wazuh_manager_sources_installation.items() %} +{% if "user_" in key %} +{% if value is defined and value is not none %} +{{ key|upper }}="{{ value }}" +{% endif %} +{% endif %} +{% endfor %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 65ae38fb..998900b2 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -1,4 +1,4 @@ -#jinja2: trim_blocks: False +#jinja2: lstrip_blocks: True + + {{ wazuh_manager_config.log_format }} + + {% if wazuh_manager_config.extra_emails is defined %} {% for mail in wazuh_manager_config.extra_emails %} {% if mail.enable == true %} @@ -57,16 +62,17 @@ {% endfor %} {% endif %} - - - {{ wazuh_manager_config.log_format }} - - {% for connection in wazuh_manager_config.connection %} - + +{% for connection in wazuh_manager_config.connection %} + {{ connection.type }} - {% if connection.port is defined %}{{ connection.port }}{% endif %} - {% if connection.protocol is defined %}{{ connection.protocol }}{% endif %} + {% if connection.port is defined %} + {{ connection.port }} + {% endif %} + {% if connection.protocol is defined %} + {{ connection.protocol }} + {% endif %} {% if connection.allowed_ips is defined %} {% for allowed_ip in connection.allowed_ips %} {{ allowed_ip }} @@ -77,11 +83,17 @@ {{ denied_ip }} {% endfor %} {% endif %} - {% if connection.local_ip is defined %}{{ connection.local_ip }}{% endif %} - {% if connection.ipv6 is defined %}{{ connection.ipv6 }}{% endif %} - {% if connection.queue_size is defined %}{{connection.queue_size}}{% endif %} + {% if connection.local_ip is defined %} + {{ connection.local_ip }} + {% endif %} + {% if connection.ipv6 is defined %} + {{ connection.ipv6 }} + {% endif %} + {% if connection.queue_size is defined %} + {{connection.queue_size}} + {% endif %} - {% endfor %} +{% endfor %} {% if wazuh_manager_config.reports is defined %} {% for report in wazuh_manager_config.reports %} @@ -102,11 +114,9 @@ {% endfor %} {% endif %} - no - yes yes yes yes @@ -118,13 +128,8 @@ {{ wazuh_manager_config.rootcheck.frequency }} - /var/ossec/etc/shared/default/rootkit_files.txt - /var/ossec/etc/shared/default/rootkit_trojans.txt - /var/ossec/etc/shared/default/system_audit_rcl.txt - /var/ossec/etc/shared/default/system_audit_ssh.txt - {% if cis_distribution_filename is defined %} - /var/ossec/etc/shared/default/{{ cis_distribution_filename }} - {% endif %} + /var/ossec/etc/rootcheck/rootkit_files.txt + /var/ossec/etc/rootcheck/rootkit_trojans.txt yes @@ -151,23 +156,33 @@ {% endif %} {% elif ansible_distribution == 'CentOS' %} - {% if ansible_distribution_major_version == '7' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + {% elif ansible_distribution_major_version == '6' %} - {% endif %} xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common + {% endif %} {% elif ansible_distribution == 'RedHat' %} - {% if ansible_distribution_major_version == '7' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + {% elif ansible_distribution_major_version == '6' %} - {% endif %} xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_common + {% endif %} {% if ansible_distribution_major_version == '7' %} {% elif ansible_distribution_major_version == '6' %} @@ -193,11 +208,6 @@ {{ wazuh_manager_config.cis_cat.java_path }} {% endif %} {{ wazuh_manager_config.cis_cat.ciscat_path }} - {% for benchmark in wazuh_manager_config.cis_cat.content %} - - {{ benchmark.profile }} - - {% endfor %} @@ -222,35 +232,73 @@ {{ wazuh_manager_config.syscollector.processes }} - - {{ wazuh_manager_config.vul_detector.disable }} - {{ wazuh_manager_config.vul_detector.interval }} - {{ wazuh_manager_config.vul_detector.ignore_time }} - {{ wazuh_manager_config.vul_detector.run_on_start }} - - {{ wazuh_manager_config.vul_detector.ubuntu.disable }} - {{ wazuh_manager_config.vul_detector.ubuntu.update_interval }} - - - {{ wazuh_manager_config.vul_detector.redhat.disable }} - {{ wazuh_manager_config.vul_detector.redhat.update_interval }} - - - {{ wazuh_manager_config.vul_detector.debian.disable }} - {{ wazuh_manager_config.vul_detector.debian.update_interval }} - - + + {% if wazuh_manager_config.sca.enabled | length > 0 %} + {{ wazuh_manager_config.sca.enabled }} + {% endif %} + {% if wazuh_manager_config.sca.scan_on_start | length > 0 %} + {{ wazuh_manager_config.sca.scan_on_start }} + {% endif %} + {% if wazuh_manager_config.sca.interval | length > 0 %} + {{ wazuh_manager_config.sca.interval }} + {% endif %} + {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} + yes + {% endif %} + {% if wazuh_manager_config.sca.day | length > 0 %} + yes + {% endif %} + {% if wazuh_manager_config.sca.wday | length > 0 %} + yes + {% endif %} + {% if wazuh_manager_config.sca.time | length > 0 %} + + {% endif %} + + + + {% if wazuh_manager_config.vulnerability_detector.enabled is defined %} + {{ wazuh_manager_config.vulnerability_detector.enabled }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.interval is defined %} + {{ wazuh_manager_config.vulnerability_detector.interval }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %} + {{ wazuh_manager_config.vulnerability_detector.ignore_time }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %} + {{ wazuh_manager_config.vulnerability_detector.run_on_start }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.providers is defined %} + {% for provider_ in wazuh_manager_config.vulnerability_detector.providers %} + + {% if provider_.enabled is defined %} + {{ provider_.enabled }} + {% endif %} + {% if provider_.os is defined %} + {% for os_ in provider_.os %} + {{ os_ }} + {% endfor %} + {% endif %} + {% if provider_.update_from_year is defined %} + {{ provider_.update_from_year }} + {% endif %} + {% if provider_.update_interval is defined %} + {{ provider_.update_interval }} + {% endif %} + + {% endfor %} + {% endif %} + {{ wazuh_manager_config.syscheck.disable }} - {{ wazuh_manager_config.syscheck.auto_ignore }} {{ wazuh_manager_config.syscheck.alert_new_files }} - {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} - + {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} {{wazuh_manager_config.syscheck.auto_ignore_frequency.value }} {% endif %} @@ -269,24 +317,44 @@ {% endfor %} {% endif %} + + {% if wazuh_manager_config.syscheck.ignore_linux_type is defined %} + {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% for no_diff in wazuh_manager_config.syscheck.no_diff %} {{ no_diff }} {% endfor %} - {% if wazuh_manager_config.syscheck.skip_nfs is defined %} {{ wazuh_manager_config.syscheck.skip_nfs }} {% endif %} - - - {% if wazuh_manager_config.syscheck.remove_old_diff is defined %} - {{ wazuh_manager_config.syscheck.remove_old_diff }} + {% if wazuh_manager_config.syscheck.skip_dev is defined %} + {{ wazuh_manager_config.syscheck.skip_dev }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_proc is defined %} + {{ wazuh_manager_config.syscheck.skip_proc }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_sys is defined %} + {{ wazuh_manager_config.syscheck.skip_sys }} {% endif %} - - {% if wazuh_manager_config.syscheck.restart_audit is defined %} - {{ wazuh_manager_config.syscheck.restart_audit }} - {% endif %} + + {{ wazuh_manager_config.syscheck.process_priority }} + + + {{ wazuh_manager_config.syscheck.max_eps }} + + + + {{ wazuh_manager_config.syscheck.sync_enabled }} + {{ wazuh_manager_config.syscheck.sync_interval }} + {{ wazuh_manager_config.syscheck.sync_max_interval }} + {{ wazuh_manager_config.syscheck.sync_max_eps }} + @@ -295,73 +363,19 @@ {% endfor %} - {% for command in wazuh_manager_config.commands %} - - {{ command.name }} - {{ command.executable }} - {{ command.expect }} - {{ command.timeout_allowed }} - - {% endfor %} +{% for command in wazuh_manager_config.commands %} - - - ruleset/decoders - ruleset/rules - {% if wazuh_manager_config.rule_exclude is defined %} - {% for rule in wazuh_manager_config.rule_exclude %} - {{ rule }} - {% endfor %} - {% endif %} - {% if cdb_lists is defined %} - {% for list in cdb_lists %} - etc/lists/{{ list.name }} - {% endfor %} + + {{ command.name }} + {{ command.executable }} + {{ command.expect }} + {% if command.timeout_allowed is defined %} + {{ command.timeout_allowed }} {% endif %} + +{% endfor %} - - etc/decoders - etc/rules - - -{% if wazuh_manager_config.authd.enable == true %} - - no - {% if wazuh_manager_config.authd.port is not none %}{{wazuh_manager_config.authd.port}}{% else %}1515{% endif %} - {% if wazuh_manager_config.authd.use_source_ip is not none %}{{wazuh_manager_config.authd.use_source_ip}}{% endif %} - {% if wazuh_manager_config.authd.force_insert is not none %}{{wazuh_manager_config.authd.force_insert}}{% endif %} - {% if wazuh_manager_config.authd.force_time is not none %}{{wazuh_manager_config.authd.force_time}}{% endif %} - {% if wazuh_manager_config.authd.purge is not none %}{{wazuh_manager_config.authd.purge}}{% endif %} - {% if wazuh_manager_config.authd.use_password is not none %}{{wazuh_manager_config.authd.use_password}}{% endif %} - {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_verify_host is not none %}{{wazuh_manager_config.authd.ssl_verify_host}}{% endif %} - {% if wazuh_manager_config.authd.ssl_manager_cert is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_manager_key is not none %}/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}{% endif %} - {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}{{wazuh_manager_config.authd.ssl_auto_negotiate}}{% endif %} - -{% endif %} - - - - {{ wazuh_manager_config.cluster.disable }} - {{ wazuh_manager_config.cluster.name }} - {{ wazuh_manager_config.cluster.node_name }} - {{ wazuh_manager_config.cluster.node_type }} - {{ wazuh_manager_config.cluster.key }} - {% if wazuh_manager_config.cluster.interval is defined %} - {{ wazuh_manager_config.cluster.interval }} - {% endif %} - {{ wazuh_manager_config.cluster.port }} - {{ wazuh_manager_config.cluster.bind_addr }} - - {% for node in wazuh_manager_config.cluster.nodes %} - {{ node }} - {% endfor %} - - {{ wazuh_manager_config.cluster.hidden }} - - - {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %} +{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %} no Wazuh-VULS @@ -370,7 +384,7 @@ yes {{ wazuh_manager_config.vuls.run_on_start }} - {% endif %} +{% endif -%} {% if agentless_creds is defined %} {% for agentless in agentless_creds %} @@ -383,11 +397,8 @@ {{ agentless.arguments }} {% endif %} - {% endfor %} -{% endif %} - - +{% endif -%} {% if wazuh_manager_config.active_responses is defined %} {% for response in wazuh_manager_config.active_responses %} @@ -403,10 +414,11 @@ {%if response.repeated_offenders is defined %}{{ response.repeated_offenders }}{% endif %} {% endfor %} -{% endif %} +{% endif -%} {% for localfile in wazuh_manager_config.localfiles.common %} + {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} @@ -429,7 +441,7 @@ {% endif %} {% endif %} {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.iteritems() %} + {% for key, value in localfile.labels.items() %} {% endfor %} {% endif %} @@ -444,44 +456,7 @@ {% if ansible_os_family == "Debian" %} {% for localfile in wazuh_manager_config.localfiles.debian %} - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% if localfile.frequency is defined %} - {{ localfile.frequency }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'eventchannel' %} - {% if localfile.only_future_events is defined %} - {{ localfile.only_future_events }} - {% endif %} - {% if localfile.query is defined %} - {{ localfile.query }} - {% endif %} - {% endif %} - {% endif %} - {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.iteritems() %} - - {% endfor %} - {% endif %} - {% if localfile.target is defined %} - {{ localfile.target }} - {% endif %} - {% if localfile.out_format is defined %} - {{ localfile.out_format }} - {% endif %} - -{% endfor %} -{% endif %} -{% if ansible_os_family == "RedHat" %} -{% for localfile in wazuh_manager_config.localfiles.centos %} {{ localfile.format }} {% if localfile.format == 'command' or localfile.format == 'full_command' %} @@ -504,7 +479,7 @@ {% endif %} {% endif %} {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.iteritems() %} + {% for key, value in localfile.labels.items() %} {% endfor %} {% endif %} @@ -516,7 +491,46 @@ {% endif %} {% endfor %} -{% endif %} +{% endif -%} + +{% if ansible_os_family == "RedHat" %} +{% for localfile in wazuh_manager_config.localfiles.centos %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% if localfile.frequency is defined %} + {{ localfile.frequency }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'eventchannel' %} + {% if localfile.only_future_events is defined %} + {{ localfile.only_future_events }} + {% endif %} + {% if localfile.query is defined %} + {{ localfile.query }} + {% endif %} + {% endif %} + {% endif %} + {% if localfile.format == 'json' and localfile.labels is defined %} + {% for key, value in localfile.labels.items() %} + + {% endfor %} + {% endif %} + {% if localfile.target is defined %} + {{ localfile.target }} + {% endif %} + {% if localfile.out_format is defined %} + {{ localfile.out_format }} + {% endif %} + +{% endfor %} +{% endif -%} {% if wazuh_manager_config.syslog_outputs is defined %} {% for syslog_output in wazuh_manager_config.syslog_outputs %} @@ -538,4 +552,91 @@ {% endif %} + + + + ruleset/decoders + ruleset/rules + {% if wazuh_manager_config.rule_exclude is defined %} + {% for rule in wazuh_manager_config.rule_exclude %} + {{ rule }} + {% endfor %} + {% endif %} + {% if wazuh_manager_config.ruleset.cdb_lists is defined %} + {% for list in wazuh_manager_config.ruleset.cdb_lists %} + etc/lists/{{ list }} + {% endfor %} + {% endif %} + + + etc/decoders + etc/rules + + +{% if wazuh_manager_config.authd.enable == true %} + + no + {% if wazuh_manager_config.authd.port is not none %} + {{wazuh_manager_config.authd.port}} + {% else %} + 1515 + {% endif %} + {% if wazuh_manager_config.authd.use_source_ip is not none %} + {{wazuh_manager_config.authd.use_source_ip}} + {% endif %} + {% if wazuh_manager_config.authd.force_insert is not none %} + {{wazuh_manager_config.authd.force_insert}} + {% endif %} + {% if wazuh_manager_config.authd.force_time is not none %} + {{wazuh_manager_config.authd.force_time}} + {% endif %} + {% if wazuh_manager_config.authd.purge is not none %} + {{wazuh_manager_config.authd.purge}} + {% endif %} + {% if wazuh_manager_config.authd.use_password is not none %} + {{wazuh_manager_config.authd.use_password}} + {% endif %} + {% if wazuh_manager_config.authd.limit_maxagents is not none %} + {{wazuh_manager_config.authd.limit_maxagents}} + {% endif %} + {% if wazuh_manager_config.authd.ciphers is not none %} + {{wazuh_manager_config.authd.ciphers}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} + /var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_verify_host is not none %} + {{wazuh_manager_config.authd.ssl_verify_host}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_manager_cert is not none %} + /var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_manager_key is not none %} + /var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %} + {{wazuh_manager_config.authd.ssl_auto_negotiate}} + {% endif %} + +{% endif %} + + + {{ wazuh_manager_config.cluster.disable }} + {{ wazuh_manager_config.cluster.name }} + {{ wazuh_manager_config.cluster.node_name }} + {{ wazuh_manager_config.cluster.node_type }} + {{ wazuh_manager_config.cluster.key }} + {% if wazuh_manager_config.cluster.interval is defined %} + {{ wazuh_manager_config.cluster.interval }} + {% endif %} + {{ wazuh_manager_config.cluster.port }} + {{ wazuh_manager_config.cluster.bind_addr }} + + {% for node in wazuh_manager_config.cluster.nodes %} + {{ node }} + {% endfor %} + + {{ wazuh_manager_config.cluster.hidden }} + + diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 4ae5a145..f300f22a 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -1,12 +1,13 @@ #jinja2: trim_blocks: False -{% if wazuh_agent_configs is defined %} -{% for agent_config in wazuh_agent_configs %} +{% if shared_agent_config is defined %} +{% for agent_config in shared_agent_config %} {% if agent_config.syscheck is defined %} + {% if agent_config.syscheck.auto_ignore is defined %} {{ agent_config.syscheck.auto_ignore }} + {% endif %} {{ agent_config.syscheck.alert_new_files }} - {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }} @@ -66,7 +67,7 @@ {% endif %} {% endif %} {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.iteritems() %} + {% for key, value in localfile.labels.items() %} {% endfor %} {% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml b/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml deleted file mode 100644 index 8e904e14..00000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml +++ /dev/null @@ -1,87 +0,0 @@ ---- -cdb_lists: - - name: 'audit-keys' - content: | - audit-wazuh-w:write - audit-wazuh-r:read - audit-wazuh-a:attribute - audit-wazuh-x:execute - audit-wazuh-c:command - - name: 'aws-source' - content: | - ec2.amazonaws.com: - elasticloadbalancing.amazonaws.com: - iam.amazonaws.com: - signin.amazonaws.com: - kms.amazonaws.com: - s3.amazonaws.com: - - name: 'aws-eventnames' - content: | - AddUserToGroup: - AllocateAddress: - AssociateAddress: - AssociateDhcpOptions: - AssociateRouteTable: - AttachGroupPolicy: - AttachNetworkInterface: - AttachRolePolicy: - AttachUserPolicy: - AttachVolume: - AuthorizeSecurityGroupIngress: - ConsoleLogin: - CopySnapshot: - CreateAccountAlias: - CreateGroup: - CreateImage: - CreateLoadBalancer: - CreatePlacementGroup: - CreatePolicy: - CreateRole: - CreateRouteTable: - CreateSecurityGroup: - CreateSnapshot: - CreateSubnet: - CreateTags: - CreateUser: - CreateVolume: - CreateVpc: - DeleteAccountAlias: - DeleteLoadBalancer: - DeletePlacementGroup: - DeleteSecurityGroup: - DeleteSnapshot: - DeleteTags: - DeleteUser: - DeleteVolume: - DeregisterImage: - DetachGroupPolicy: - DetachNetworkInterface: - DetachRolePolicy: - DetachVolume: - DisableKey: - DisassociateAddress: - DisassociateAddress: - DisassociateRouteTable: - GetGroup: - ListAliases: - ListGroups: - ListUsers: - ModifyImageAttribute: - ModifyInstanceAttribute: - ModifyNetworkInterfaceAttribute: - ModifySnapshotAttribute: - ModifySubnetAttribute: - ModifyVolumeAttribute: - MonitorInstances: - RebootInstances: - RegisterImage: - RemoveUserFromGroup: - RevokeSecurityGroupIngress: - RunInstances: - StartInstances: - StopInstances: - TerminateInstances: - UnmonitorInstances: - UpdateAccessKey: - UpdateAccountPasswordPolicy: - UpdateInstanceAlias: diff --git a/roles/wazuh/ansible-wazuh-manager/vars/wazuh_api_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/wazuh_api_creds.yml deleted file mode 100644 index 2d5f8c73..00000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/wazuh_api_creds.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -wazuh_api_user: - - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"