diff --git a/Pipfile b/Pipfile deleted file mode 100644 index 6f709455..00000000 --- a/Pipfile +++ /dev/null @@ -1,35 +0,0 @@ -[[source]] -url = "https://pypi.org/simple" -verify_ssl = true -name = "pypi" - -[packages] -docker-py = "*" -ansible = "==2.7.13" -molecule = "==2.20.2" - -[dev-packages] - -[requires] -python_version = "2.7" - -[scripts] -test ="molecule test --destroy=never" -worker ="molecule test -s worker --destroy=never" -agent ="molecule test -s wazuh-agent --destroy=never" -elasticsearch ="molecule test -s elasticsearch --destroy=never" -kibana ="molecule test -s kibana --destroy=never" - -# Verify .. -verify ="molecule verify" -verify_worker ="molecule verify -s worker" -verify_agent ="molecule verify -s agent" -verify_elasticsearch ="molecule verify -s elasticsearch" -verify_kibana ="molecule verify -s kibana" - -# Destroy .. -destroy ="molecule destroy" -destroy_worker ="molecule destroy -s worker" -destroy_agent ="molecule destroy -s agent" -destroy_elasticsearch ="molecule destroy -s elasticsearch" -destroy_kibana ="molecule destroy -s kibana" diff --git a/README.md b/README.md index f684d1a8..257d15cc 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,21 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. * `master` branch contains the latest code, be aware of possible bugs on this branch. ## Testing + +1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible). + +``` +git clone https://github.com/wazuh/wazuh-qa +``` + +2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory: + +``` +cp wazuh-qa/ansible/wazuh-ansible/* . -R +``` + +3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios: + ``` pip install pipenv sudo pipenv install diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 19692c20..00000000 
--- a/molecule/default/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index e26493b8..00000000 --- a/molecule/default/INSTALL.rst +++ /dev/null @@ -1,16 +0,0 @@ -******* -Install -******* - -Requirements -============ - -* Docker Engine -* docker-py - -Install -======= - -.. code-block:: bash - - $ sudo pip install docker-py diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index 0b25ec81..00000000 --- a/molecule/default/create.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Log into a Docker registry - docker_login: - username: "{{ item.registry.credentials.username }}" - password: "{{ item.registry.credentials.password }}" - email: "{{ item.registry.credentials.email | default(omit) }}" - registry: "{{ item.registry.url }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ molecule_yml.platforms }}" - when: - - item.registry is defined - - item.registry.credentials is defined - - item.registry.credentials.username is defined - - - name: Create Dockerfiles from image names - template: - src: "{{ molecule_scenario_directory }}/Dockerfile.j2" - dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}" - with_items: "{{ molecule_yml.platforms }}" - register: platforms - - - name: Discover local Docker images - docker_image_facts: - name: "molecule_local/{{ item.item.name }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ platforms.results }}" - register: docker_images - - - name: Build an Ansible compatible image - docker_image: - path: "{{ molecule_ephemeral_directory }}" - name: "molecule_local/{{ item.item.image }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}" - force: "{{ item.item.force | default(true) }}" - with_items: "{{ platforms.results }}" - when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0 - - - name: Create docker network(s) - docker_network: - name: "main" - state: present - - - name: Sleep 5 seconds till the network gets created if it's not - # Pause for 5 minutes to build app cache. 
- pause: - seconds: 10 - - - name: Create molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - hostname: "{{ item.name }}" - image: "molecule_local/{{ item.image }}" - state: started - recreate: false - log_driver: json-file - command: "{{ item.command | default('bash -c \"while true; do sleep 10000; done\"') }}" - privileged: "{{ item.privileged | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - capabilities: "{{ item.capabilities | default(omit) }}" - exposed_ports: "{{ item.exposed_ports | default(omit) }}" - published_ports: "{{ item.published_ports | default(omit) }}" - ulimits: "{{ item.ulimits | default(omit) }}" - networks: - - name: "main" - dns_servers: "{{ item.dns_servers | default(omit) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) creation to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" \ No newline at end of file diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index ddf7062b..00000000 --- a/molecule/default/destroy.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Destroy molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - force_kill: "{{ item.force_kill | default(true) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) deletion to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" - - - name: Delete docker network(s) - docker_network: - name: "{{ item }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - with_items: "{{ molecule_yml.platforms | molecule_get_docker_networks }}" diff --git a/molecule/default/molecule.yml.template b/molecule/default/molecule.yml.template deleted file mode 100644 index f46226c2..00000000 --- a/molecule/default/molecule.yml.template +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - enabled: false -platforms: - - name: manager_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true -scenario: - name: default - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 - enabled: true diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml deleted file mode 100644 index d4561c1b..00000000 
--- a/molecule/default/playbook.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'manager' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_bionic' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' } \ No newline at end of file diff --git a/molecule/default/playbook.yml.template b/molecule/default/playbook.yml.template deleted file mode 100644 index f73659e9..00000000 --- a/molecule/default/playbook.yml.template +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'manager' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_platform' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' } \ No newline at end of file diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index f3dc9aac..00000000 --- a/molecule/default/prepare.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - - name: "Install (RedHat) dependencies" - package: - name: - - initscripts - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - when: - - ansible_os_family == 'RedHat' diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py deleted file mode 100644 index 03fe99d4..00000000 --- a/molecule/default/tests/test_default.py +++ /dev/null 
@@ -1,89 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def get_wazuh_version(): - """This return the version of Wazuh.""" - return "3.10.0" - - -def test_wazuh_packages_are_installed(host): - """Test if the main packages are installed.""" - manager = host.package("wazuh-manager") - api = host.package("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - if host.system_info.release == "7": - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - assert api.is_installed - assert api.version.startswith(get_wazuh_version()) - elif host.system_info.release.startswith("6"): - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - elif distribution == 'ubuntu': - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - - -def test_wazuh_services_are_running(host): - """Test if the services are enabled and running. 
- - When assert commands are commented, this means that the service command has - a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 - """ - manager = host.service("wazuh-manager") - api = host.service("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - # assert manager.is_running - assert manager.is_enabled - # assert not api.is_running - assert not api.is_enabled - elif distribution == 'ubuntu': - # assert manager.is_running - assert manager.is_enabled - # assert api.is_running - assert api.is_enabled - - -@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ - ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), - ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640), - ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640), - ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640), -]) -def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): - """Test if Wazuh related files exist and have proper owners and mode.""" - wazuh_file_host = host.file(wazuh_file) - - assert wazuh_file_host.user == wazuh_owner - assert wazuh_file_host.group == wazuh_group - assert wazuh_file_host.mode == wazuh_mode - - -def test_open_ports(host): - """Test if the main port is open and the agent-auth is not open.""" - distribution = host.system_info.distribution.lower() - if distribution == 'ubuntu': - assert host.socket("tcp://0.0.0.0:1516").is_listening - assert host.socket("tcp://0.0.0.0:1515").is_listening - assert host.socket("tcp://0.0.0.0:1514").is_listening - elif distribution == 'centos': - assert host.socket("tcp://0.0.0.0:1516").is_listening - assert host.socket("tcp://127.0.0.1:1515").is_listening - assert host.socket("tcp://127.0.0.1:1514").is_listening - - -def test_filebeat_is_installed(host): - """Test if the elasticsearch package is installed.""" - filebeat = host.package("filebeat") - assert filebeat.is_installed - assert 
filebeat.version.startswith('7.3.2') diff --git a/molecule/elasticsearch/Dockerfile.j2 b/molecule/elasticsearch/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/elasticsearch/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/elasticsearch/INSTALL.rst b/molecule/elasticsearch/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/elasticsearch/INSTALL.rst +++ /dev/null @@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' 
diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml deleted file mode 100644 index 11d8902f..00000000 --- a/molecule/elasticsearch/molecule.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -bionics: - - name: elasticsearch_bionic - image: solita/ubuntu-systemd:bionic - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 512 -scenario: - name: elasticsearch - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - #- idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/elasticsearch/molecule.yml.template b/molecule/elasticsearch/molecule.yml.template deleted file mode 100644 index baba140e..00000000 --- a/molecule/elasticsearch/molecule.yml.template +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - - name: elasticsearch_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 512 -scenario: - name: elasticsearch - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/elasticsearch/playbook.yml b/molecule/elasticsearch/playbook.yml deleted file mode 100644 index 6b5c44f8..00000000 --- a/molecule/elasticsearch/playbook.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'elasticsearch_bionic' diff --git a/molecule/elasticsearch/playbook.yml.template b/molecule/elasticsearch/playbook.yml.template deleted file mode 100644 index 0b2f9d5a..00000000 --- a/molecule/elasticsearch/playbook.yml.template +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'elasticsearch_platform' diff --git a/molecule/elasticsearch/tests/test_default.py b/molecule/elasticsearch/tests/test_default.py deleted file mode 100644 index f4021876..00000000 --- a/molecule/elasticsearch/tests/test_default.py +++ /dev/null 
@@ -1,20 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_elasticsearch_is_installed(host): - """Test if the elasticsearch package is installed.""" - elasticsearch = host.package("elasticsearch") - assert elasticsearch.is_installed - assert elasticsearch.version.startswith('7.3.2') - - -def test_elasticsearch_is_running(host): - """Test if the services are enabled and running.""" - elasticsearch = host.service("elasticsearch") - assert elasticsearch.is_enabled - assert elasticsearch.is_running diff --git a/molecule/kibana/Dockerfile.j2 b/molecule/kibana/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/kibana/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/kibana/INSTALL.rst b/molecule/kibana/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/kibana/INSTALL.rst +++ /dev/null 
@@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' diff --git a/molecule/kibana/molecule.yml.template b/molecule/kibana/molecule.yml.template deleted file mode 100644 index eec8f6e3..00000000 --- a/molecule/kibana/molecule.yml.template +++ /dev/null @@ -1,40 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - - name: kibana_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 1024m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 256 -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/kibana/playbook.yml b/molecule/kibana/playbook.yml deleted file mode 100644 index 6af17723..00000000 --- a/molecule/kibana/playbook.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-kibana - elasticsearch_network_host: 'elasticsearch_bionic' \ No newline at end of file diff --git a/molecule/kibana/playbook.yml.template b/molecule/kibana/playbook.yml.template deleted file mode 100644 index b166ac28..00000000 
--- a/molecule/kibana/playbook.yml.template +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-kibana - elasticsearch_network_host: 'elasticsearch_platform' \ No newline at end of file diff --git a/molecule/kibana/prepare.yml b/molecule/kibana/prepare.yml deleted file mode 100644 index c5592219..00000000 --- a/molecule/kibana/prepare.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: true - pre_tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - - name: "Install (RedHat) dependencies" - package: - name: - - initscripts - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - when: - - ansible_os_family == 'RedHat' diff --git a/molecule/kibana/tests/test_default.py b/molecule/kibana/tests/test_default.py deleted file mode 100644 index ccd4d4f2..00000000 --- a/molecule/kibana/tests/test_default.py +++ /dev/null 
@@ -1,24 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_port_kibana_is_open(host): - """Test if the port 5601 is open and listening to connections.""" - host.socket("tcp://0.0.0.0:5601").is_listening - - -def test_find_correct_elasticsearch_version(host): - """Test if we find the kibana/elasticsearch version in package.json""" - kibana = host.file("/usr/share/kibana/plugins/wazuh/package.json") - assert kibana.contains("7.3.2") - - -def test_wazuh_plugin_installed(host): - """Make sure there is a plugin wazuh directory.""" - kibana = host.file("/usr/share/kibana/plugins/wazuh/") - - assert kibana.is_directory diff --git a/molecule/run_cluster_mode.sh b/molecule/run_cluster_mode.sh deleted file mode 100644 index c1a0941d..00000000 --- a/molecule/run_cluster_mode.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash - -paths=( "molecule/default/" "molecule/worker/" "molecule/elasticsearch/" "molecule/kibana/" ) -images=( "solita/ubuntu-systemd:bionic" "solita/ubuntu-systemd:xenial" "milcom/centos7-systemd" "ubuntu:trusty" "centos:6" ) -platform=( "bionic" "xenial" "centos7" "trusty" "centos6" ) - -echo "Please select an image. " - -select IMAGE in "${images[@]}"; -do - echo "You picked $IMAGE ($REPLY)" - break -done - -index=$(($REPLY - 1)) - -if [ -z "$IMAGE" ] -then - echo "Platform not selected. Please select a platform of [bionuc, xenial or centos7]. => Aborting" - exit -else - for i in "${paths[@]}" - do - cp "$i/playbook.yml.template" "$i/playbook.yml" - sed -i "s/platform/${platform[$index]}/g" "$i/playbook.yml" - - cp "$i/molecule.yml.template" "$i/molecule.yml" - sed -i "s|imagename|${images[$index]}|g" "$i/molecule.yml" - sed -i "s/platform_/${platform[$index]}/g" "$i/molecule.yml" - - done -fi - -sudo pipenv run elasticsearch -sudo pipenv run test -sudo pipenv run worker -sudo pipenv run kibana - -sudo pipenv run destroy -sudo pipenv run destroy_worker -sudo pipenv run destroy_elasticsearch -sudo pipenv run destroy_kibana - diff --git a/molecule/wazuh-agent/Dockerfile.j2 b/molecule/wazuh-agent/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/wazuh-agent/Dockerfile.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/wazuh-agent/INSTALL.rst b/molecule/wazuh-agent/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/wazuh-agent/INSTALL.rst +++ /dev/null @@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' diff --git a/molecule/wazuh-agent/molecule.yml b/molecule/wazuh-agent/molecule.yml deleted file mode 100644 index a0b050b1..00000000 --- a/molecule/wazuh-agent/molecule.yml +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker - #lint: - # name: yamllint -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - #- name: wazuh_server_centos7 - # image: milcom/centos7-systemd - # networks: - # - name: wazuh - # privileged: true - # groups: - # - manager - - name: wazuh_agent_bionic - image: ubuntu:bionic - networks: - - name: wazuh - groups: - - agent - #- name: wazuh_agent_xenial - # image: solita/ubuntu-systemd:xenial - # privileged: true - # command: /sbin/init - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_trusty - # image: ubuntu:trusty - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_centos6 - # image: centos:6 - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_centos7 - # image: milcom/centos7-systemd - # privileged: true - # networks: - # - name: wazuh - # groups: - # - agent -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - inventory: - group_vars: - agent: - api_pass: password - wazuh_managers: - - address: "{{ wazuh_manager_ip }}" - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: null - wazuh_agent_authd: - enable: true - port: 1515 - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' - lint: - name: ansible-lint - enabled: true -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/wazuh-agent/molecule.yml.template b/molecule/wazuh-agent/molecule.yml.template deleted file mode 100644 index a0b050b1..00000000 --- a/molecule/wazuh-agent/molecule.yml.template +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker - #lint: - # name: yamllint -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - #- name: wazuh_server_centos7 - # image: milcom/centos7-systemd - # networks: - # - name: wazuh - # privileged: true - # groups: - # - manager - - name: wazuh_agent_bionic - image: ubuntu:bionic - networks: - - name: wazuh - groups: - - agent - #- name: wazuh_agent_xenial - # image: solita/ubuntu-systemd:xenial - # privileged: true - # command: /sbin/init - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_trusty - # image: ubuntu:trusty - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_centos6 - # image: centos:6 - # networks: - # - name: wazuh - # groups: - # - agent - #- name: wazuh_agent_centos7 - # image: milcom/centos7-systemd - # privileged: true - # networks: - # - name: wazuh - # groups: - # - agent -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - inventory: - group_vars: - agent: - api_pass: password - wazuh_managers: - - address: "{{ wazuh_manager_ip }}" - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: null - wazuh_agent_authd: - enable: true - port: 1515 - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' - lint: - name: ansible-lint - enabled: true -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/wazuh-agent/playbook.yml b/molecule/wazuh-agent/playbook.yml deleted file mode 100644 index 4feac0c2..00000000 --- a/molecule/wazuh-agent/playbook.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-agent - vars: - wazuh_managers: - - address: 'manager_platform' - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: ansible - wazuh_agent_authd: - enable: true - port: 1515 - ssl_agent_ca: null - ssl_auto_negotiate: 'no' diff --git a/molecule/wazuh-agent/playbook.yml.template b/molecule/wazuh-agent/playbook.yml.template deleted file mode 100644 index 4feac0c2..00000000 --- a/molecule/wazuh-agent/playbook.yml.template +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-agent - vars: - wazuh_managers: - - address: 'manager_platform' - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: ansible - wazuh_agent_authd: - enable: true - port: 1515 - ssl_agent_ca: null - ssl_auto_negotiate: 'no' diff --git a/molecule/wazuh-agent/prepare.yml b/molecule/wazuh-agent/prepare.yml deleted file mode 100644 index ddb1bbe1..00000000 --- a/molecule/wazuh-agent/prepare.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -- name: Prepare - hosts: manager - gather_facts: true - tasks: - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - roles: - - role: wazuh/ansible-wazuh-manager - -- name: Prepare - hosts: agent - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_agent_dependencies_packages_installed - until: wazuh_agent_dependencies_packages_installed is succeeded diff --git a/molecule/wazuh-agent/tests/test_agents.py b/molecule/wazuh-agent/tests/test_agents.py deleted file mode 100644 index 1846d3fe..00000000 --- a/molecule/wazuh-agent/tests/test_agents.py +++ /dev/null @@ -1,28 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('agent') - - -def get_wazuh_version(): - """This return the version of Wazuh.""" - return "3.10.0" - - -def test_ossec_package_installed(Package): - ossec = Package('wazuh-agent') - assert ossec.is_installed - - -@pytest.mark.parametrize("wazuh_service, wazuh_owner", ( - ("ossec-agentd", "ossec"), - ("ossec-execd", "root"), - ("ossec-syscheckd", "root"), - ("wazuh-modulesd", "root"), -)) -def test_wazuh_processes_running(host, wazuh_service, wazuh_owner): - master = host.process.get(user=wazuh_owner, comm=wazuh_service) - assert master.args == "/var/ossec/bin/" + wazuh_service 
diff --git a/molecule/wazuh-agent/tests/test_manager.py b/molecule/wazuh-agent/tests/test_manager.py deleted file mode 100644 index 9b085b2b..00000000 --- a/molecule/wazuh-agent/tests/test_manager.py +++ /dev/null @@ -1,15 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('manager') - - -def test_agents_registered_on_manager(host): - cmd = host.run("/var/ossec/bin/manage_agents -l") - assert 'wazuh_agent_bionic' in cmd.stdout - assert 'wazuh_agent_xenial' in cmd.stdout - assert 'wazuh_agent_trusty' in cmd.stdout - assert 'wazuh_agent_centos6' in cmd.stdout - assert 'wazuh_agent_centos7' in cmd.stdout diff --git a/molecule/worker/Dockerfile.j2 b/molecule/worker/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/worker/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi 
diff --git a/molecule/worker/molecule.yml.template b/molecule/worker/molecule.yml.template deleted file mode 100644 index ecfe6469..00000000 --- a/molecule/worker/molecule.yml.template +++ /dev/null @@ -1,53 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - - name: worker_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true -scenario: - name: worker - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/worker/playbook.yml b/molecule/worker/playbook.yml deleted file mode 100644 index a59f93f2..00000000 --- a/molecule/worker/playbook.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'worker-01' - node_type: 'worker' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_bionic' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' } - - diff --git a/molecule/worker/playbook.yml.template b/molecule/worker/playbook.yml.template deleted file mode 100644 index 45b12d1d..00000000 --- a/molecule/worker/playbook.yml.template +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'worker-01' - node_type: 'worker' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_platform' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' } - - diff --git a/molecule/worker/tests/test_default.py b/molecule/worker/tests/test_default.py deleted file mode 100644 index 4de03dc3..00000000 --- a/molecule/worker/tests/test_default.py +++ /dev/null 
@@ -1,85 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def get_wazuh_version(): - """This return the version of Wazuh.""" - return "3.10.0" - - -def test_wazuh_packages_are_installed(host): - """Test if the main packages are installed.""" - manager = host.package("wazuh-manager") - api = host.package("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - if host.system_info.release == "7": - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - assert api.is_installed - assert api.version.startswith(get_wazuh_version()) - elif host.system_info.release.startswith("6"): - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - elif distribution == 'ubuntu': - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - - -def test_wazuh_services_are_running(host): - """Test if the services are enabled and running. 
- - When assert commands are commented, this means that the service command has - a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 - """ - manager = host.service("wazuh-manager") - api = host.service("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - # assert manager.is_running - assert manager.is_enabled - # assert not api.is_running - assert not api.is_enabled - elif distribution == 'ubuntu': - # assert manager.is_running - assert manager.is_enabled - # assert api.is_running - assert api.is_enabled - - -@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ - ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), - ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640), - ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640), - ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640), -]) -def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): - """Test if Wazuh related files exist and have proper owners and mode.""" - wazuh_file_host = host.file(wazuh_file) - - assert wazuh_file_host.user == wazuh_owner - assert wazuh_file_host.group == wazuh_group - assert wazuh_file_host.mode == wazuh_mode - - -def test_open_ports(host): - """Test if the main port is open and the agent-auth is not open.""" - distribution = host.system_info.distribution.lower() - if distribution == 'ubuntu': - assert host.socket("tcp://0.0.0.0:1514").is_listening - elif distribution == 'centos': - assert host.socket("tcp://127.0.0.1:1514").is_listening - - -def test_filebeat_is_installed(host): - """Test if the elasticsearch package is installed.""" - filebeat = host.package("filebeat") - assert filebeat.is_installed - assert filebeat.version.startswith('7.3.2') diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index a422e50b..8c6bc567 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml 
+++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -17,16 +17,18 @@ elasticsearch_xpack_security: true node_certs_generator: true elasticsearch_xpack_security_password: elastic_pass + single_node: false vars: instances: - - name: node-1 # Important: must be equal to elasticsearch_node_name. + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. ip: # When unzipping, the node will search for its node name folder to get the cert. - - - name: node-2 + node2: + name: node-2 ip: - - - name: node-3 + node3: + name: node-3 ip: - hosts: @@ -34,6 +36,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-2 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: @@ -46,6 +49,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-3 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index ca6dd06e..f365f66a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -19,15 +19,17 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - + + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" 
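Review bot: The new `master_certs_path`, `generate_CA`, `ca_key_name`, `ca_cert_name` and `ca_password` defaults are the shared contract for the certificate distribution, but nothing in the file says so; the same `master_certs_path`/`generate_CA`/`ca_cert_name` values are duplicated verbatim in `roles/elastic-stack/ansible-kibana/defaults/main.yml` and `roles/wazuh/ansible-filebeat/defaults/main.yml` in this commit, so overriding one role's value leaves the other roles looking for certificates in the wrong place. A comment above the block such as `# Must match master_certs_path / generate_CA / ca_cert_name in the ansible-kibana and ansible-filebeat role defaults` would record the coupling. `ca_password` is passed on the certutil command line by the new xpack_security.yml, so `# Supply via ansible-vault or extra-vars; do not commit a real value` on that line is also worth adding. `generate_CA` breaks the file's snake_case convention (`node_certs_generator`, `node_certs_source`), though renaming it now would touch every role.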
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 7ee77beb..af17e528 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
@@ -63,140 +63,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" - register: certificate_file_exists +- import_tasks: "xpack_security.yml" when: - elasticsearch_xpack_security -- name: Write the instances.yml file in the selected node (force = no) - template: - src: instances.yml.j2 - dest: "{{ node_certs_source }}/instances.yml" - force: no - register: instances_file_exists - tags: - - config - - xpack-security - when: - - node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - -- name: Update instances.yml status after generation - stat: - path: "{{ node_certs_source }}/instances.yml" - register: instances_file_exists - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Check if the certificates ZIP file exists - stat: - path: "{{ node_certs_source }}/certs.zip" - register: xpack_certs_zip - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Generating certificates for Elasticsearch security - command: >- - "/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip" - when: - - node_certs_generator - - elasticsearch_xpack_security - - not xpack_certs_zip.stat.exists - - not certificate_file_exists.stat.exists - register: certs_file_generated - tags: xpack-security - -- name: Unzip generated certs.zip - unarchive: - src: "{{ node_certs_source }}/certs.zip" - dest: "{{ node_certs_source }}/" - remote_src: yes - when: - - node_certs_generator - - elasticsearch_xpack_security - - certs_file_generated is defined - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ elasticsearch_node_name }}/" - dest: "{{ 
node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - register: check_certs_permissions - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ elasticsearch_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - when: - - check_certs_permissions is defined - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - when: - - check_certs_permissions is defined - - elasticsearch_xpack_security - tags: xpack-security - -- name: Remove generated certs file - file: - state: absent - path: "{{ node_certs_source }}/certs.zip*" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - - 
name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 @@ -207,13 +77,6 @@ notify: restart elasticsearch tags: configure -- name: Set elasticsearch bootstrap password - shell: | - set -o pipefail - "echo '{{ elasticsearch_xpack_security_password }}' | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf 'bootstrap.password'" - when: - - elasticsearch_xpack_security - - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf @@ -236,20 +99,14 @@ - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 -- name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd - systemd: daemon_reload=true - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started + tags: + - configure + - init - name: Make sure Elasticsearch is running before proceeding wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 
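Review bot: The new `- import_tasks: "xpack_security.yml"` carries only `when:`, and inside the imported file the `stat` that registers `certificate_file_exists` and the bootstrap-password task are untagged, so a run limited with `--tags xpack-security` skips the stat and the templating task whose `when` reads `certificate_file_exists.stat.exists` fails on an undefined variable. The replaced inline tasks had the same gap, but the single import line is now the natural place to close it: adding `tags: xpack-security` next to `when:` propagates the tag to every imported task. This assumes tag-limited runs are still used, which the `tags:` kept on the other tasks suggests. The task list continues outside the hunk on both sides.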
@@ -257,32 +114,6 @@ - configure - init -- name: Check for Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: GET - status_code: 200, 404 - when: - - elasticsearch_bootstrap_node or single_node - - not elasticsearch_xpack_security - poll: 30 - register: wazuh_alerts_template_exits - until: wazuh_alerts_template_exits is succeeded - tags: init - -- name: Installing Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: PUT - status_code: 200 - body_format: json - body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" - when: - - wazuh_alerts_template_exits.status is defined - - wazuh_alerts_template_exits.status != 200 - - not elasticsearch_xpack_security - tags: init - - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml new file mode 100644 index 00000000..d05c3241 --- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
@@ -0,0 +1,186 @@ + +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Check if certificate exists locally + stat: + path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + +- name: Write the instances.yml file in the selected node (force = no) + template: + src: instances.yml.j2 + dest: "{{ node_certs_source }}/instances.yml" + force: no + register: instances_file_exists + tags: + - config + - xpack-security + when: + - node_certs_generator + - not certificate_file_exists.stat.exists + +- name: Update instances.yml status after generation + stat: + path: "{{ node_certs_source }}/instances.yml" + register: instances_file_exists + when: + - node_certs_generator + +- name: Check if the certificates ZIP file exists + stat: + path: "{{ node_certs_source }}/certs.zip" + register: xpack_certs_zip + when: + - node_certs_generator + +- name: Importing custom CA key + copy: + src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" + dest: "{{ node_certs_source }}/{{ ca_key_name }}" + mode: '0664' + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Importing custom CA cert + copy: + src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + mode: '0664' + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (generating CA) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem + --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - generate_CA + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert 
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length == 0 + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ ca_password }} + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length > 0 + tags: xpack-security + +- name: Verify the Elastic certificates directory + file: + path: "{{ master_certs_path }}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Verify the Certificates Authority directory + file: + path: "{{ master_certs_path }}/ca/" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Copying certificates to Ansible master + fetch: + src: "{{ node_certs_source }}/certs.zip" + dest: "{{ master_certs_path }}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + tags: xpack-security + +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + +- name: Unzip generated certs.zip + unarchive: + src: "{{ master_certs_path }}/certs.zip" + dest: "{{ master_certs_path }}/" + become: true + delegate_to: "127.0.0.1" + when: + - node_certs_generator + tags: xpack-security + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - 
"{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + tags: xpack-security + +- name: Ensuring folder permissions + file: + path: "{{ node_certs_destination }}/" + mode: '0774' + state: directory + recurse: yes + when: + - elasticsearch_xpack_security + - generate_CA + tags: xpack-security + +- name: Set elasticsearch bootstrap password + shell: >- + set -o pipefail; + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + when: + - node_certs_generator diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index f851e900..3cd386da 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 
@@ -34,12 +34,19 @@ xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key -xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] - +{% elif generate_CA == false %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} {% endif %} \ No newline at end of file diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 index 6279c380..c74b1700 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 @@ -4,10 +4,10 @@ {% if node_certs_generator %} instances: -{% for node in instances %} -- name: "{{ node.name }}" +{% for (key,value) in instances.iteritems() %} +- name: "{{ value.name }}" ip: - - "{{ node.ip }}" + - "{{ value.ip }}" {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} 
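Review bot: `{% if generate_CA == true %}` / `{% elif generate_CA == false %}` render no `certificate_authorities` line at all when `generate_CA` arrives as a string (for example `-e generate_CA=false` on the command line), because Jinja's `==` does not coerce; with `verification_mode: certificate` the node is then left without a trust anchor for transport and http TLS. Use `{% if generate_CA | bool %}` with a plain `{% else %}` in both the transport and http blocks; the same construct is added to kibana.yml.j2 in this commit and should be changed there too. The file also still ends without a trailing newline.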
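Review bot: `instances.iteritems()` exists only on Python 2 dicts; on a Python 3 controller the template fails with an undefined-attribute error before any certificate is generated. `{% for (key,value) in instances.items() %}` works on both versions. `key` is unused in the loop body, so `{% for value in instances.values() %}` would be the tighter form.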
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 06c2c6af..25525d89 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -15,13 +15,10 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - -kibana_plugin_install_ignore_error: true \ No newline at end of file +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index c7c7f551..b49cef4e 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
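Review bot: This hunk drops `kibana_plugin_install_ignore_error: true` together with the rsync variables, but no change to the task that read it appears elsewhere in the commit; if tasks/main.yml still references the variable, the role now stops on an undefined variable (not verifiable from this diff). Either keep the default or confirm that its consumer was removed. The removed `No newline at end of file` is a welcome side effect of the change.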
@@ -15,54 +15,31 @@ - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ kibana_node_name }}.crt" - register: certificate_file_exists - when: - - kibana_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ kibana_node_name }}/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" when: - - node_certs_generator - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security + - generate_CA -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ kibana_node_name }}/ {{ node_certs_destination }}/ +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + mode: '0664' + with_items: + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - 
"{{master_certs_path}}/ca/{{ca_cert_name}}" when: - - not node_certs_generator - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions + - not generate_CA tags: xpack-security - name: Ensuring certificates folder owner @@ -73,7 +50,6 @@ owner: kibana group: kibana when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security @@ -83,7 +59,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - kibana_xpack_security notify: restart kibana tags: xpack-security @@ -94,7 +69,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: 0664 + mode: '0664' notify: restart kibana tags: configure diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 76a3c2c4..0f2ef606 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 
@@ -109,6 +109,10 @@ elasticsearch.username: "{{ elasticsearch_xpack_security_user }}" elasticsearch.password: "{{ elasticsearch_xpack_security_password }}" server.ssl.enabled: true server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key" -server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +{% if generate_CA == true %} elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"] +{% elif generate_CA == false %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"] +{% endif %} {% endif %} \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 180308a6..d38565d9 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -28,6 +28,11 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh + # Xpack Security filebeat_xpack_security: false 
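Review bot: `filebeat_module_package_path` becomes `/tmp/`, replacing the `/root/` value removed in the next hunk of this file. If the role writes the module tarball there and later unpacks it from the same path, a world-writable directory allows another local user to replace the archive before it is extracted into `/usr/share/filebeat/module`; the consuming tasks are not visible in this diff, so treat that as something to confirm. A root-owned staging directory, or a path created with the `tempfile` module, avoids the issue. At minimum a comment such as `# staging dir for the module tarball; must not be writable by other users` would record the assumption.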
@@ -35,16 +40,13 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator : false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' -filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz -filebeat_module_package_path: /root/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh \ No newline at end of file +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" + + diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index d9dc11c2..85bd17e1 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
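Review bot: The new `# CA Generation` block leaves `ca_cert_name: ""` with no indication of when it must be set, and `master_certs_path: /es_certs` does not say which host the path lives on. From the `copy` tasks in this diff, `master_certs_path` is read on the Ansible controller (`copy` with `src` and no `remote_src`), and `ca_cert_name` is only consulted when `generate_CA` is false, where an empty value turns the `src` into the directory `{{ master_certs_path }}/ca/`. Suggested comments: `# Directory on the Ansible controller holding the certificates produced by the Elasticsearch master`, `# false: ship a custom CA instead of the generated ca.crt`, and `# File name of the custom CA under master_certs_path/ca/; required when generate_CA is false`. The two trailing blank lines added at the end of the file can be dropped (yamllint `empty-lines`).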
@@ -26,65 +26,39 @@ tags: - init -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ filebeat_node_name }}.crt" - register: certificate_file_exists - when: - - filebeat_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ filebeat_node_name }}/" +- name: Copying node's certificate from master + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - - node_certs_generator + - generate_CA - filebeat_xpack_security - - not certificate_file_exists.stat.exists tags: xpack-security -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - - node_certs_generator + - not generate_CA - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions tags: xpack-security -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ filebeat_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca 
certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Ensuring certificates folder owner +- name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: '0770' + mode: '0774' + state: directory recurse: yes - when: - - check_certs_permissions is defined - filebeat_xpack_security tags: xpack-security diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index 0a47af9d..466d9a89 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 @@ -57,8 +57,14 @@ output.elasticsearch: username: {{ elasticsearch_xpack_security_user }} password: {{ elasticsearch_xpack_security_password }} protocol: https +{% if generate_CA == true %} ssl.certificate_authorities: - {{node_certs_destination}}/ca.crt +{% elif generate_CA == false %} + ssl.certificate_authorities: + - {{node_certs_destination}}/{{ca_cert_name}} +{% endif %} + ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" {% endif %}
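Review bot: In the rewritten `Ensuring folder & certs permissions` task, `mode: '0774'` together with `recurse: yes` is applied to everything under `node_certs_destination`, so the private key `{{ filebeat_node_name }}.key` placed there by the two new `copy` tasks becomes world-readable and executable, a regression from the previous `'0770'`. Keep the recursive mode for the directory only (`state: directory` is already set, so `recurse: yes` can go) and give the files their own permissions, e.g. `mode: '0640'` on both `copy` tasks; the owner and group filebeat expects are not visible here, so I have not guessed them. Separately, as the collapsed diff reads, the task's `when:` key is removed while its `- filebeat_xpack_security` item is kept, which leaves a sequence item directly under the `file:` mapping and should fail YAML parsing; if that is what the patch does, restore `when:` above the condition.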
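Review bot: The custom-CA entry `- {{node_certs_destination}}/{{ca_cert_name}}` is the only path in this stanza left unquoted, while `ssl.certificate` and `ssl.key` two lines below are quoted; a CA file name containing a space, ` #` or a leading `*` would break the rendered YAML. Quote it like its neighbours: `- "{{node_certs_destination}}/{{ca_cert_name}}"`. The added blank `+` line after `{% endif %}` is harmless but inconsistent with the rest of the block.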